Complete Software Guide for Junos® OS for EX ... - Juniper Networks

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 12.1

Published: 2012-06-08 Revision 2

Copyright © 2012, Juniper Networks, Inc.

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

®

Complete Software Guide for Junos OS for EX Series Ethernet Switches, Release 12.1 Copyright © 2012, Juniper Networks, Inc. All rights reserved. Revision History June 2012—Revision 2 March 2012—Revision 1 The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. SOFTWARE LICENSE The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.

ii


END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


iii

iv


Table of Contents About This Topic Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxv How to Use This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxv List of EX Series Guides for Junos OS Release 12.1 . . . . . . . . . . . . . . . . . . . . . . . . . cxv Downloading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxvii Documentation Symbols Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxviii Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxix Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxx Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxx Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cxx

Part 1

Junos OS for EX Series Switches Product Overview

Chapter 1

Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 EX Series Switch Software Features Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Layer 3 Protocols Supported on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . 28 Layer 3 Protocols Not Supported on EX Series Switches . . . . . . . . . . . . . . . . . . . . 29 Security Features for EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . . . 31 High Availability Features for EX Series Switches Overview . . . . . . . . . . . . . . . . . . 33 VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Graceful Protocol Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Redundant Routing Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Graceful Routing Engine Switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Nonstop Active Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Nonstop Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Redundant Power System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Understanding Software Infrastructure and Processes . . . . . . . . . . . . . . . . . . . . . 37 Routing Engine and Packet Forwarding Engine . . . . . . . . . . . . . . . . . . . . . . . . 38 Junos OS Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Chapter 2

Supported Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 EX2200 Switches Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 EX2200 Switches First View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Uplink Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Cable Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Security Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Power over Ethernet (PoE) Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Front Panel of an EX2200 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43


v

®

Complete Software Guide for Junos OS for EX Series Ethernet Switches, Release 12.1

Rear Panel of an EX2200 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 EX2200 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 EX3200 Switches Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 EX3200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Uplink Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Power over Ethernet (PoE) Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 EX3200 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 EX3300 Switches Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 EX3300 Switches First View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Uplink Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Power over Ethernet Plus Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 EX3300 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 EX4200 Switches Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 EX4200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Uplink Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Power over Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 EX4200 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 EX4500 Switches Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 EX4500 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Intraconnect Module and Virtual Chassis Module . . . . . . . . . . . . . . . . . . . . . . 57 Uplink Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 EX4500 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 EX6210 Switch Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Chassis Physical Specifications, LCD Panel, and Backplane . . . . . . . . . . . . . . 61 Switch Fabric and Routing Engine Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Cooling System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 EX8208 Switch Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Chassis Physical Specifications, LCD Panel, and Backplane . . . . . . . . . . . . . 66 Routing Engines and Switch Fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Cooling System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 EX8216 Switch Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Chassis Physical Specifications, LCD Panel, and Midplane . . . . . . . . . . . . . . 70 Routing Engines and Switch Fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Cooling System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 XRE200 External Routing Engine Hardware Overview . . . . . . . . . . . . . . . . . . . . . . 76 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Physical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Virtual Chassis Control Interface Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Hard Disk Drive Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

vi


Table of Contents

Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Fan Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Part 2

Complete Software Configuration Statement Hierarchy

Chapter 3

Complete Software Configuration Statement Hierarchy . . . . . . . . . . . . . . . . 81 [edit access] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 81 [edit chassis] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . 82 [edit class-of-service] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . 83 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . . . 85 [edit firewall] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . 88 [edit forwarding-options] Configuration Statement Hierarchy . . . . . . . . . . . . . . . 89 [edit interfaces] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 90 [edit poe] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 96 [edit routing-instances] Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . 105 [edit snmp] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 105 [edit virtual-chassis] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . 105 [edit vlans] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Part 3

Software Installation

Chapter 4

Software Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Understanding Software Installation on EX Series Switches . . . . . . . . . . . . . 111 Overview of the Software Installation Process . . . . . . . . . . . . . . . . . . . . . 111 Software Package Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Installing Software on a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Installing Software on Switches with Redundant Routing Engines . . . . 112 Installing Software Using Automatic Software Download . . . . . . . . . . . 113 Troubleshooting Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Junos OS Package Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Understanding System Snapshot on EX Series Switches . . . . . . . . . . . . . . . 114 Understanding Resilient Dual-Root Partitions on Switches . . . . . . . . . . . . . . 115 Resilient Dual-Root Partition Scheme (Junos OS Release 10.4R3 and Later) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Earlier Partition Scheme (Junos OS Release 10.4R2 and Earlier) . . . . . . 116 Understanding Upgrading or Downgrading Between Resilient Dual-Root Partition Releases and Earlier Releases . . . . . . . . . . . . . . . . . . . . . . 116 Licenses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Understanding Software Licenses for EX Series Switches . . . . . . . . . . . . . . . 117 Purchasing a Software Feature License . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Features Requiring a License on EX2200 Switches . . . . . . . . . . . . . . . . . 118 Features Requiring a License on EX3200, EX4200, EX4500, EX6200, and EX8200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Features Requiring a License on EX3300 Switches . . . . . . . . . . . . . . . . 120 License Warning Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 License Key Components for the EX Series Switch . . . . . . . . . . . . . . . . . . . . . 121


vii

®


Chapter 5

Installing Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Downloading Software Packages from Juniper Networks . . . . . . . . . . . . . . . . . . 123 Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Preparing the Switch for the Software Installation . . . . . . . . . . . . . . . . . . . . . 127 Installing Software on the Backup Routing Engine . . . . . . . . . . . . . . . . . . . . 128 Installing Software on the Default Master Routing Engine . . . . . . . . . . . . . . 128 Returning Routing Control to the Default Master Routing Engine (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Installing Software on EX Series Switches (J-Web Procedure) . . . . . . . . . . . . . . 130 Installing Software Upgrades from a Server . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Installing Software Upgrades by Uploading Files . . . . . . . . . . . . . . . . . . . . . . 131 Rebooting or Halting the EX Series Switch (J-Web Procedure) . . . . . . . . . . . . . . 132

Chapter 6

Registering the Switch, Booting the Switch, Upgrading Software, and Managing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Registering the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Registering the EX Series Switch with the J-Web Interface . . . . . . . . . . . . . . 135 Booting the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Booting an EX Series Switch Using a Software Package Stored on a USB Flash Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Creating a Snapshot and Using It to Boot an EX Series Switch . . . . . . . . . . . 137 Creating a Snapshot on a USB Flash Drive and Using It to Boot the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Creating a Snapshot on an Internal Flash Drive and Using it to Boot the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Upgrading Software Using Automatic Software Download on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Managing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Managing Licenses for the EX Series Switch (CLI Procedure) . . . . . . . . . . . . 139 Adding New Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Deleting Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Saving License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Managing Licenses for the EX Series Switch (J-Web Procedure) . . . . . . . . . 140 Adding New Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Deleting Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Displaying License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Downloading Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

viii


Table of Contents

Chapter 7

Verifying Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Routine Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Verifying That Automatic Software Download Is Working Correctly . . . . . . . 143 Verifying That a System Snapshot Was Created on an EX Series Switch . . . 144 Verifying Junos OS and Boot Loader Software Versions on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Verifying the Number of Partitions and File System Mountings . . . . . . . 145 Verifying the Loader Software Version . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Verifying Which Root Partition Is Active . . . . . . . . . . . . . . . . . . . . . . . . . 146 Verifying the Junos OS Version in Each Root Partition . . . . . . . . . . . . . . 147 Monitoring Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Monitoring Licenses for the EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . 148 Displaying Installed Licenses and License Usage Details . . . . . . . . . . . . 148 Displaying Installed License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Chapter 8

Troubleshooting Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Troubleshooting Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Recovering from a Failed Software Upgrade on an EX Series Switch . . . . . . 151 Rebooting from the Inactive Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Freeing Disk Space for Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . 153 Installation from the Boot Loader Generates ’cannot open package’ Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Troubleshooting a Switch That Has Booted from the Backup Junos OS Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Resilient Dual-Root Partitions Frequently Asked Questions . . . . . . . . . . . . . . . . . 155 How Does Upgrading to Junos OS Release 10.4R3 and Later Differ from Normal Upgrades? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 What Happens If I Do Not Upgrade Both the Loader Software and Junos OS at the Same Time? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Can I Downgrade Junos OS Without Downgrading the Loader Software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Can I Upgrade to a Resilient Dual-Root Partition Release by Using the CLI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Will I Lose My Configuration During an Upgrade? . . . . . . . . . . . . . . . . . . . . . 157 How Long Will the Upgrade Process Take? . . . . . . . . . . . . . . . . . . . . . . . . . . 157 What Happens to My Files If the System Detects a File System Corruption? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 How Will I Be Informed If My Switch Boots from the Alternate Slice Due to Corruption in the Root File System? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Can I Use Automatic Software Update and Download to Upgrade to a Resilient Dual-Root Partition Release? . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Why Is the Message "At least one package installed on this device has limited support" Displayed When Users Log In to a Switch? . . . . . . . . . 159 Where Can I Find Instructions for Upgrading? . . . . . . . . . . . . . . . . . . . . . . . . 159

Chapter 9

Configuration Statements for Software Installation . . . . . . . . . . . . . . . . . . . 161 [edit chassis] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . 161 auto-image-upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163


ix

®


Chapter 10

Operational Commands for Software Installation . . . . . . . . . . . . . . . . . . . . 165 request system license add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 request system license delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 request system license save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 request system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 request system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 request system snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 request system software add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 request system software delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 request system software rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 request system software validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 request system software validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 request system zeroize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 show system autoinstallation status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 show system boot-messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 show system license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 show system snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 show system storage partitions (EX Series Switches Only) . . . . . . . . . . . . . . . . . 217

Part 4

User Interfaces

Chapter 11

User Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 User Interfaces—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 CLI User Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 CLI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 CLI Help and Command Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 J-Web User Interface for EX Series Switches Overview . . . . . . . . . . . . . . . . . 223 Understanding J-Web Configuration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Understanding J-Web User Interface Sessions . . . . . . . . . . . . . . . . . . . . . . . 227

Chapter 12

Using the Configuration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Using the CLI Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Starting the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Chapter 13

Operational Commands for User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 231 set cli complete-on-space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 set cli directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 set cli idle-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 set cli prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 set cli restart-on-upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 set cli screen-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 set cli screen-width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 set cli terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 set cli timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 show cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 show cli authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 show cli directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 show cli history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 start shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

x


Table of Contents

Part 5

Junos OS for EX Series Switches System Setup

Chapter 14

System Setup Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Junos OS—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Understanding Software Infrastructure and Processes . . . . . . . . . . . . . . . . 253 Routing Engine and Packet Forwarding Engine . . . . . . . . . . . . . . . . . . . 253 Junos OS Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Chapter 15

Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Connecting and Configuring an EX Series Switch (CLI Procedure) . . . . . . . . . . . 257 Connecting and Configuring an EX Series Switch (J-Web Procedure) . . . . . . . . 259 Configuring the LCD Panel on EX Series Switches (CLI Procedure) . . . . . . . . . . . 262 Disabling or Enabling Menus and Menu Options on the LCD Panel . . . . . . . 263 Configuring a Custom Display Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Configuring Date and Time for the EX Series Switch (J-Web Procedure) . . . . . . 264 Configuring System Identity for an EX Series Switch (J-Web Procedure) . . . . . . 265 Configuring the Console Port Type (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 266

Chapter 16

Configuration Statements for System Setup . . . . . . . . . . . . . . . . . . . . . . . . 269 arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 auxiliary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 boot-server (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 broadcast-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 console (Physical Port) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 default-address-selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 domain-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 gre-path-mtu-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 host-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 icmpv4-rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 icmpv6-rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 inet6-backup-router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 internet-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 ipip-path-mtu-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 ipv6-duplicate-addr-detection-transmits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 ipv6-path-mtu-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 ipv6-path-mtu-discovery-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 ipv6-reject-zero-hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 lcd-menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 menu-item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 multicast-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 no-multicast-echo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 no-ping-record-route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 no-ping-time-stamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 no-redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 no-tcp-rfc1323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 no-tcp-rfc1323-paws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297


xi

®


path-mtu-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 port-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 server (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 tcp-drop-synfin-set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 traceoptions (SBC Configuration Process) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 trusted-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Chapter 17

Operational Commands for System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . 309 clear chassis display message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 clear system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 op . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 request chassis pic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 request chassis routing-engine master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 request system halt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 request system logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 request system power-off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 request system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 request system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 request system scripts convert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 request system scripts refresh-from commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 request system scripts refresh-from event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 request system scripts refresh-from op . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 request system storage cleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 set chassis display message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 set date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 show chassis firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 show chassis lcd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 show configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 show host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 show ntp associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 show ntp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 show system firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 show system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 show system software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 show system storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 show system switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 show system uptime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 show system users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 show system virtual-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 show task replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

xii


Table of Contents

Part 6

Junos OS for EX Series Switches Configuration Management

Chapter 18

Configuration Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Configuration Files—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Understanding Configuration Files for EX Series Switches . . . . . . . . . . . . . . 497 Configuration Files Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 Understanding Automatic Refreshing of Scripts on EX Series Switches . . . 499 Understanding Autoinstallation of Configuration Files on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Typical Uses for Autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Autoinstallation Configuration Files and IP Addresses . . . . . . . . . . . . . 500 Typical Autoinstallation Process on a New Switch . . . . . . . . . . . . . . . . 500 EX Series Switches Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 EX2200 Switch Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 EX3200 Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 EX3300 Switch Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 EX4200 Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 EX4500 Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 EX6200 Switch Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524 EX8200 Switch Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Chapter 19

Managing Junos OS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Using the Configuration Tools in J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Using the CLI Viewer in the J-Web Interface to View Configuration Text . . . 527 Using the CLI Editor in the J-Web Interface to Edit Configuration Text . . . . . 527 Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528 Using the Commit Options to Commit Configuration Changes (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 Managing Junos OS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Uploading a Configuration File (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 532 Uploading a Configuration File (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . 533 Managing Configuration Files Through the Configuration History (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534 Displaying Configuration History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534 Displaying Users Editing the Configuration . . . . . . . . . . . . . . . . . . . . . . . 535 Comparing Configuration Files with the J-Web Interface . . . . . . . . . . . . 535 Downloading a Configuration File with the J-Web Interface . . . . . . . . . 536 Loading a Previous Configuration File with the J-Web Interface . . . . . . 536 Loading a Previous Configuration File (CLI Procedure) . . . . . . . . . . . . . . . . . 537 Reverting to the Default Factory Configuration for the EX Series Switch . . . 537 Reverting to the Default Factory Configuration by Using the LCD Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Reverting to the Default Factory Configuration by Using the request system zeroize Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Reverting to the Default Factory Configuration by Using the load factory-default Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Reverting to the Rescue Configuration for the EX Series Switch . . . . . . . . . 540 Setting or Deleting the Rescue Configuration (CLI Procedure) . . . . . . . . . . . 541 Setting or Deleting the Rescue Configuration (J-Web Procedure) . . . . . . . . 542


xiii

®


Configuring Autoinstallation of Configuration Files (CLI Procedure) . . . . . . 543

Chapter 20

Verifying Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545 Verifying Autoinstallation Status on an EX Series Switch . . . . . . . . . . . . . . . . . . 545

Chapter 21

Configuration Statements for Configuration File Management . . . . . . . . . 547 archival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548 archive-sites (Configuration File) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549 autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550 commit synchronize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552 configuration-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554 transfer-interval (Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 transfer-on-commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556

Chapter 22

Operational Commands for Configuration File Management . . . . . . . . . . 557 clear log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558 clear system commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559 file archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 file checksum md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 file checksum sha1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563 file checksum sha-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 file compare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 file copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 file delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 file list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 file rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 file show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 request system configuration rescue delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 request system configuration rescue save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578 request system scripts refresh-from commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579 request system scripts refresh-from event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 request system scripts refresh-from op . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581 show system commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582 show system configuration archival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584 show system configuration rescue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585 show system rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587 test configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589

Part 7

Access and User Management on EX Series Switches

Chapter 23

Access and User Management on EX Series Switches Overview . . . . . . . 593 Understanding Software Infrastructure and Processes . . . . . . . . . . . . . . . . . . . . 593 Routing Engine and Packet Forwarding Engine . . . . . . . . . . . . . . . . . . . . . . . 593 Junos OS Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Chapter 24

Access and User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . 597 Configuring Management Access for the EX Series Switch (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 Generating SSL Certificates to Be Used for Secure Web Access . . . . . . . . . . . . 600

xiv


Table of Contents

Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 Managing Users (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Chapter 25

Troubleshooting Access and User Management . . . . . . . . . . . . . . . . . . . . . 605 Troubleshooting Loss of the Root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

Chapter 26

Configuration Statements for Access and User Management . . . . . . . . . 609 allow-commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 allow-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 announcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611 authentication (Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 authentication-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613 change-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614 class (Assigning a Class to an Individual User) . . . . . . . . . . . . . . . . . . . . . . . . . . . 614 class (Defining Login Classes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615 deny-commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616 deny-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617 format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618 full-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618 idle-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619 login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620 login-alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621 login-tip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621 maximum-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622 message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623 minimum-changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624 minimum-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625 password (Login) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626 permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626 radius-options (edit system) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627 retry-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628 root-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629 root-login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630 tacplus-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631 tacplus-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 traceoptions (Address-Assignment Pool) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 uid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634 user (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Chapter 27

Operational Commands for Access and User Management . . . . . . . . . . . . 637 request message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638 show subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639


xv

®


Part 8

Junos OS for EX Series Switches System Services

Chapter 28

System Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Understanding DHCP Services for EX Series Switches . . . . . . . . . . . . . . . . . 655 DHCP Client/Server Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Why Use DHCP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656 How Are DHCP Relay Servers Different from DHCP Servers? . . . . . . . . 656 Legacy DHCP and Extended DHCP for Server Versions . . . . . . . . . . . . . 657 How Do I Configure DHCP on a Switch? . . . . . . . . . . . . . . . . . . . . . . . . . 657 How Does DHCP Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 DHCP/BOOTP Relay for EX Series Switches Overview . . . . . . . . . . . . . . . . . 659 Understanding Public Key Cryptography on Switches . . . . . . . . . . . . . . . . . . . . . 660 Public Key Infrastructure (PKI) and Digital Certificates . . . . . . . . . . . . . . . . 660 Understanding Self-Signed Certificates on EX Series Switches . . . . . . . . . . . . . 661 Understanding Extended DHCP Relay Agent for EX Series Switches . . . . . . . . . 662 Extended DHCP Relay and Legacy DHCP/BOOTP Relay . . . . . . . . . . . . . . . 662 Interaction Among the DHCP Relay Agent, DHCP Client, and DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

Chapter 29

System Services Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665 Configuring DHCP Services (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 665 Configuring a DHCP SIP Server (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 668 Manually Generating Self-Signed Certificates on Switches (CLI Procedure) . . . 668 Generating a Public-Private Key Pair on Switches . . . . . . . . . . . . . . . . . . . . 669 Generating Self-Signed Certificates on Switches . . . . . . . . . . . . . . . . . . . . . 669 Enabling HTTPS and XNM-SSL Services on Switches Using Self-Signed Certificates (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669 Deleting Self-Signed Certificates (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 670 Configuring a DHCP Client (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671 Configuring a DHCP Server on EX Series Switches (CLI Procedure) . . . . . . . . . . 672 Configuring an Extended DHCP Server on a Switch . . . . . . . . . . . . . . . . . . . 672 Configuring a Legacy DHCP Server on a Switch (CLI Procedure) . . . . . . . . . 673 Configuring an Extended DHCP Relay Server on EX Series Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674

Chapter 30

Monitoring System Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 Monitoring DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 Verifying and Managing DHCP Relay Configuration for EX Series Switches . . . . 680

Chapter 31

Configuration Statements for System Services . . . . . . . . . . . . . . . . . . . . . . 681 active-server-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682 address-assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683 address-pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683 aggregate-clients (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684 always-write-giaddr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685 boot-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686 boot-server (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687 bootp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688 ca-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689

xvi


Table of Contents

cache-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689 cache-timeout-negative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690 certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691 certification-authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692 client-identifier (DHCP Client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693 client-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693 connection-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694 crl (Encryption Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695 default-lease-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695 default-local-server-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 default-relay-server-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 dhcp (DHCP Client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 dhcp (DHCP Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700 dhcp-local-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701 dhcp-relay (EX Series switches only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702 domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704 domain-name (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705 domain-search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706 drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707 dynamic-profile (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709 encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710 enrollment-retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710 enrollment-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711 family (for EX Series switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712 file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716 ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717 group (Extended DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718 group (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719 helpers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722 http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724 https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725 interface (BOOTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726 interface (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727 interface (DNS and TFTP Packet Forwarding or Relay Agent) . . . . . . . . . . . . . . 729 interface-client-limit (DHCP Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729 interface-client-limit (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730 interfaces (for EX Series switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732 ip-address-first . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739 layer2-unicast-replies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740 ldap-url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741 lease-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741 load-key-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742 local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743 local-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744 maximum-certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744 maximum-hop-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745 maximum-lease-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745


xvii

®


minimum-wait-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746 name-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746 no-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747 no-arp (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747 no-listen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748 option (DHCP server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749 outbound-ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750 overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753 overrides (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754 path-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755 pool (Extended DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756 pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757 pool-match-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758 port (HTTP/HTTPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758 port (SRC Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759 process-inform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759 protocol-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760 rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761 reconfigure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762 relay-option-60 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763 retransmission-attempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764 retransmission-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764 router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765 server (DHCP and BOOTP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766 server (DNS and TFTP Service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767 server-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767 server-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768 server-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769 servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770 service-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770 service-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771 service-profile (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772 services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773 session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775 sip-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776 source-address (SRC Software) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776 source-address-giaddr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778 static-binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779 system-generated-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780 telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780 tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781 trace (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783 traceoptions (DHCP Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785 traceoptions (DNS and TFTP Packet Forwarding) . . . . . . . . . . . . . . . . . . . . . . . 788 update-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790 use-primary (DHCP Relay Agent) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791 vendor-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792

xviii


Table of Contents

vendor-option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793 web-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795 wins-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796

Chapter 32

Operational Commands for System Services . . . . . . . . . . . . . . . . . . . . . . . . 797 clear dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798 clear security pki local-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801 clear system services dhcp binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802 clear system services dhcp conflict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803 clear system services dhcp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804 request ipsec switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805 request security certificate (signed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806 request security certificate (unsigned) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807 request security key-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808 request security pki generate-key-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809 request security pki local-certificate generate-self-signed . . . . . . . . . . . . . . . . . 810 show dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811 show security pki local-certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814 show system services dhcp binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817 show system services dhcp conflict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820 show system services dhcp global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821 show system services dhcp pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823 show system services dhcp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825 show system services service-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828 telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830

Part 9

Junos OS for EX Series Switches System Monitoring

Chapter 33

System Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Understanding Alarm Types and Severity Levels on EX Series Switches . . . . . . 835 Dashboard for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836 System Information Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836 Health Status Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837 Capacity Utilization Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839 Alarms Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839 Chassis Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840 EX Series Switches Hardware and CLI Terminology Mapping . . . . . . . . . . . . . . . 847

Chapter 34

Administering and Monitoring System Functions . . . . . . . . . . . . . . . . . . . . 849 Monitoring System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849 Checking Active Alarms with the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . 852 Monitoring Chassis Alarms for an EX8200 Switch . . . . . . . . . . . . . . . . . . . . . . . . 852 Monitoring Switch Control Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856 Monitoring System Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858 Monitoring Chassis Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860 Monitoring System Process Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862 Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) . . 863 Cleaning Up Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863 Downloading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864


xix

®


Deleting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864

Chapter 35

Configuration Statements for System Monitoring . . . . . . . . . . . . . . . . . . . . 867 facility-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867 file (System Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868 files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869 host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870 interface (Accounting or Sampling) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872 log-prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872 match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873 size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874 structured-data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875 syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876 time-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878 time-zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879 user (System Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881 world-readable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882

Chapter 36

Operational Commands for System Monitoring . . . . . . . . . . . . . . . . . . . . . . 883 clear log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884 file archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885 file checksum md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887 file checksum sha1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888 file checksum sha-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889 file compare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890 file copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893 file delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895 file list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896 file rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898 file show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900 monitor list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902 monitor start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903 monitor stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905 request chassis cb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906 request chassis fabric plane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908 request chassis fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910 request system configuration rescue delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913 request system configuration rescue save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914 request system scripts refresh-from commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915 request system scripts refresh-from event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916 request system scripts refresh-from op . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917 show chassis alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918 show chassis environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924 show chassis environment cb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 952 show chassis environment fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967 show chassis environment routing-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985 show chassis ethernet-switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989 show chassis fabric fpcs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009 show chassis fabric map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029 show chassis fabric plane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036

xx


Table of Contents

show chassis fabric plane-location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059 show chassis fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1062 show chassis hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083 show chassis led . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1145 show chassis location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1151 show chassis pic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155 show chassis routing-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1165 show chassis temperature-thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179 show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186 show pfe next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1188 show pfe route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192 show pfe statistics ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197 show pfe statistics ip6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1200 show pfe terse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203 show system alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205 show system audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1206 show system buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213 show system connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1219 show system core-dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1237 show system directory-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1250 show system processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1254

Part 10

EX3300, EX4200, and EX4500 Virtual Chassis

Chapter 37

EX3300, EX4200, and EX4500 Virtual Chassis—Overview, Components, and Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1281 EX3300, EX4200, and EX4500 Virtual Chassis Overview . . . . . . . . . . . . . . . . . 1281 Basic Configuration of a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1282 Expanding Configurations—Within a Single Wiring Closet and Across Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1282 Global Management of Member Switches in a Virtual Chassis . . . . . . . . . . 1284 High Availability Through Redundant Routing Engines . . . . . . . . . . . . . . . . 1284 Adaptability as an Access Switch or Distribution Switch . . . . . . . . . . . . . . . 1284 Understanding EX3300, EX4200, and EX4500 Virtual Chassis Components . . 1285 Number of Switches per Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285 Virtual Chassis Ports (VCPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285 Master Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1286 Backup Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287 Linecard Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287 Member Switch and Member ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1288 Mastership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1288 Virtual Chassis Identifier (VCID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289 Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1290 Understanding Software Upgrade in an EX3300, EX4200, or EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291 Understanding Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291


xxi

®


Understanding Nonvolatile Storage in an EX3300, EX4200, or EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294 Nonvolatile Memory Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294 Understanding the High-Speed Interconnection of the EX4200 and EX4500 Virtual Chassis Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294 Understanding EX3300, EX4200, and EX4500 Virtual Chassis Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294 Understanding EX3300, EX4200, and EX4500 Virtual Chassis Configuration . . 1296 Understanding EX3300, EX4200, and EX4500 Virtual Chassis Switch Version Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1298 Understanding Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1298 Supported Topologies for Fast Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1299 How Fast Failover Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1299 Fast Failover in a Ring Topology Using Dedicated VCPs . . . . . . . . . . . . 1299 Fast Failover in a Ring Topology Using Uplink Module VCPs . . . . . . . . . 1301 Fast Failover in a Virtual Chassis Configuration Using Multiple Ring Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1303 Effects of Topology Changes on a Fast Failover Configuration . . . . . . . . . . 1304 Understanding Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1305 What Happens When a Virtual Chassis Configuration Splits . . . . . . . . . . . 1305 Merging Virtual Chassis Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1306 Understanding Automatic Software Update on EX3300, EX4200, and EX4500 Virtual Chassis Member Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1308 Automatic Software Update Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1308 Automatic Software Update Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 1308

Chapter 38

EX3300, EX4200, and EX4500 Virtual Chassis—Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1311 Example: Configuring an EX4200 Virtual Chassis with a Master and Backup in a Single Wiring Closet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1312 Example: Configuring an EX4500 Virtual Chassis with a Master and Backup in a Single Wiring Closet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1317 Example: Expanding an EX4200 Virtual Chassis in a Single Wiring Closet . . . . . 1321 Example: Adding an EX4500 Switch to a Nonprovisioned Virtual Chassis . . . . 1326 Example: Adding EX4500 Switches to a Preprovisioned Virtual Chassis . . . . . . 1331 Example: Setting Up a Multimember EX4200 Virtual Chassis Access Switch with a Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1335 Example: Configuring an EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1341 Example: Connecting EX4500 Member Switches in a Virtual Chassis Across Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1348 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1354 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1360

xxii


Table of Contents

Example: Configuring an EX4200 Virtual Chassis Using a Preprovisioned Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1365 Example: Configuring a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1376 Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When an EX4200 Virtual Chassis Switch or Intermember Link Fails . . . . . 1380 Example: Assigning the Virtual Chassis ID to Determine Precedence During an EX4200 Virtual Chassis Merge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1384 Example: Configuring Link Aggregation Groups Using EX4200 Uplink Virtual Chassis Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1386 Example: Configuring Automatic Software Update on EX4200 Virtual Chassis Member Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1394 Example: Configuring an EX3300 Virtual Chassis with a Master and Backup . . 1397 Example: Expanding an EX3300 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . 1400

Chapter 39

Configuring EX3300, EX4200, and EX4500 Virtual Chassis . . . . . . . . . . 1407 Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . 1408 Configuring an EX4200 or EX4500 Virtual Chassis with a Preprovisioned Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1409 Configuring an EX4200 or EX4500 Virtual Chassis with a Nonprovisioned Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1410 Configuring an EX3300, EX4200, and EX4500 Virtual Chassis (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1412 Configuring a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) . . . 1414 Installing Software on a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1417 Adding a New EX4200 Switch to an Existing EX4200 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1418 Adding a New Switch to an Existing Virtual Chassis Within the Same Wiring Closet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1419 Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1420 Adding a New Switch to an Existing Preprovisioned Virtual Chassis Using Autoprovisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1422 Adding an EX4200 Switch to a Preprovisioned EX4500 Virtual Chassis or a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1424 Adding an EX4500 Switch to a Preprovisioned EX4200 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1425 Adding an EX4500 Switch to a Nonprovisioned EX4200 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1427 Replacing a Member Switch of an EX3300, EX4200, or EX4500 Virtual Chassis Configuration (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1429 Remove, Repair, and Reinstall the Same Switch . . . . . . . . . . . . . . . . . . . . . 1429 Remove a Member Switch, Replace It with a Different Switch, and Reapply the Old Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1430 Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1431


xxiii

®


Removing an EX4200 or EX4500 Switch From a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1431 Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1432 Configuring Mastership Using a Preprovisioned Configuration File . . . . . . . 1432 Configuring Mastership Using a Configuration File That Is Not Preprovisioned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1433 Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1434 Setting an Uplink VCP Between Two EX3300 or EX4200 Member Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1436 Setting an Uplink VCP on a Standalone Switch . . . . . . . . . . . . . . . . . . . . . . 1436 Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1438 Setting an EX3300 or EX4200 Uplink Port as a Virtual Chassis Port Using the LCD Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1439 Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) . . . . . 1440 Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of the EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1441 Configuring Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis . . 1442 Disabling Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis . . . 1443 Disabling Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1443 Assigning the Virtual Chassis ID to Determine Precedence During an EX3300, EX4200, or EX4500 Virtual Chassis Merge (CLI Procedure) . . . . . . . . . . . 1444 Configuring Automatic Software Update on EX3300, EX4200, or EX4500 Virtual Chassis Member Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 1444 Configuring Graceful Routing Engine Switchover in a Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1445 Configuring an EX3300 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . 1446 Configuring an EX3300 Virtual Chassis with a Preprovisioned Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1447 Configuring an EX3300 Virtual Chassis with a Nonprovisioned Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1448 Adding a New Switch to an Existing EX3300 Virtual Chassis (CLI Procedure) . . 1450

Chapter 40

Verifying EX3300, EX4200, and EX4500 Virtual Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1453 Command Forwarding Usage with an EX3300, EX4200, or EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1453 Verifying the Member ID, Role, and Neighbor Member Connections of an EX3300, EX4200, or EX4500 Virtual Chassis Member . . . . . . . . . . . . . . . . . . . . . . . 1456 Verifying That Virtual Chassis Ports on an EX3300, EX4200, or EX4500 Switch Are Operational . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1458 Monitoring EX3300, EX4200 and EX4500 Virtual Chassis Status and Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1459

xxiv


Table of Contents

Verifying the Setting for the Virtual Chassis Mode on EX4200 and EX4500 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1461 Verifying the Setting for the PIC Mode on an EX4500 Switch in a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1461 Verifying That Graceful Routing Engine Switchover Is Working in the Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1462

Chapter 41

Troubleshooting EX3300, EX4200, and EX4500 Virtual Chassis . . . . . . 1465 Troubleshooting an EX3300, EX4200 or EX4500 Virtual Chassis . . . . . . . . . . 1465 A Disconnected Member Switch's ID Is Not Available for Reassignment . . 1465 Load Factory Default Does Not Commit on a Multimember Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1466 The Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1466 A Member Switch or Multiple Member Switches are Not Participating in an EX4200 Virtual Chassis or an EX4500 Virtual Chassis . . . . . . . . . . . . 1466 A Member Switch Is Not Participating in a Mixed EX4200 and EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1468

Chapter 42

Configuration Statements for EX3300, EX4200, and EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1471 [edit virtual-chassis] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . 1471 auto-sw-update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1472 fast-failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1473 graceful-switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1474 id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1475 lag-hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1476 location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1477 mac-persistence-timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1478 mastership-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1479 member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1480 no-management-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1481 no-split-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1482 package-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1483 preprovisioned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1484 redundancy (Graceful Switchover) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1485 role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1486 serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1488 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1489 vc-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1491 virtual-chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1492

Chapter 43

Operational Commands for EX3300, EX4200, and EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1495 clear virtual-chassis vc-port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1496 request chassis pic-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1498 request session member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1500 request virtual-chassis mode mixed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1501 request virtual-chassis recycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1503 request virtual-chassis renumber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1504


xxv

®


request virtual-chassis vc-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1505 request virtual-chassis vc-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1507 show chassis pic-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1509 show system uptime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1510 show virtual-chassis active-topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1512 show virtual-chassis fast-failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1515 show virtual-chassis login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1516 show virtual-chassis mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1517 show virtual-chassis status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1519 show virtual-chassis vc-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1522 show virtual-chassis vc-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1524 show virtual-chassis vc-port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1528

Part 11

EX8200 Virtual Chassis

Chapter 44

EX8200 Virtual Chassis—Overview, Components, and Configurations . . 1537 EX8200 Virtual Chassis Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1538 Understanding EX8200 Virtual Chassis Components . . . . . . . . . . . . . . . . . . . . 1538 Virtual Chassis Ports (VCPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1539 Master External Routing Engine Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1539 Backup External Routing Engine Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1540 Linecard Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1540 Member Switch and Member ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1540 Virtual Chassis Identifier (VCID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1541 Understanding EX8200 Virtual Chassis Topologies . . . . . . . . . . . . . . . . . . . . . . 1541 Understanding the Full Mesh EX8200 Virtual Chassis Topology . . . . . . . . . 1541 Understanding the Ring EX8200 Virtual Chassis Topology . . . . . . . . . . . . 1543 The Role of XRE200 External Routing Engine Redundancy in a Virtual Chassis Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1544 EX8200 Virtual Chassis Basic Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . 1544 Understanding Virtual Chassis Member ID Numbering in an EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1545 Understanding Virtual Chassis Roles in an EX8200 Virtual Chassis . . . . . . . . . 1546 Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis . . . . . . . . . . 1547 Understanding Virtual Chassis Port Link Aggregation in an EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548 Understanding Link Aggregation into an EX8200 Virtual Chassis . . . . . . . . . . . 1549 Understanding Global Management of an EX8200 Virtual Chassis . . . . . . . . . 1549 Understanding File Storage in an EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . 1550 Understanding EX8200 Virtual Chassis Compatibility Requirements . . . . . . . . 1551 Understanding the Virtual Chassis Control Protocol in an EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1551 Understanding Software Upgrades in an EX8200 Virtual Chassis . . . . . . . . . . . 1551 Virtual Chassis Port (VCP) Interface Names in an EX8200 Virtual Chassis . . . 1552 Virtual Chassis Control Interface (VCCI) Module VCP Name on the XRE200 External Routing Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1552 Native VCP Name on the XRE200 External Routing Engine . . . . . . . . . . . . 1552 EX8200 Switch to XRE200 External Routing Engine VCP Name . . . . . . . . 1553 EX8200 Switch to EX8200 Switch VCP Name . . . . . . . . . . . . . . . . . . . . . . 1553

xxvi


Table of Contents

Network Port Interface Names on an EX8200 Virtual Chassis . . . . . . . . . . . . . . 1553 Understanding Long-Distance Virtual Chassis Port Configuration for an EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1554 Understanding Virtual Chassis Device Reachability Testing . . . . . . . . . . . . . . . . 1555

Chapter 45

EX8200 Virtual Chassis—Configuration Example . . . . . . . . . . . . . . . . . . . 1557 Example: Setting Up a Full Mesh EX8200 Virtual Chassis with Two EX8200 Switches and Redundant XRE200 External Routing Engines . . . . . . . . . . . 1557

Chapter 46

Configuring EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1563 Configuring an EX8200 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . 1563 Adding or Replacing a Member Switch or an External Routing Engine in an EX8200 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1565 Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1567 Configuring a Long-Distance Virtual Chassis Port Connection for an EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1568 Installing Software for All Devices in an EX8200 Virtual Chassis . . . . . . . . . . . . 1571 Installing Software for a Single Device in an EX8200 Virtual Chassis . . . . . . . . 1573 Performing a Software Recovery Installation for an XRE200 External Routing Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1574

Chapter 47

Verifying EX8200 Virtual Chassis Configuration . . . . . . . . . . . . . . . . . . . . . 1577 Verifying the Member ID, Role, and Neighbor Member Connections of an EX8200 Virtual Chassis Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1577 Verifying Virtual Chassis Ports in an EX8200 Virtual Chassis . . . . . . . . . . . . . . . 1578 Verifying Connectivity Between Virtual Chassis Member Devices . . . . . . . . . . . 1579 Verifying Hard Disk Memory Status on an XRE200 External Routing Engine . . . 1579

Chapter 48

Configuration Statements for EX8200 Virtual Chassis . . . . . . . . . . . . . . . 1583 [edit virtual-chassis] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . 1583 id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1584 location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1585 mac-persistence-timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1586 member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1587 no-split-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1588 preprovisioned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1589 role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1590 serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1592 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1593 virtual-chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596

Chapter 49

Operational Commands for EX8200 Virtual Chassis . . . . . . . . . . . . . . . . 1599 clear virtual-chassis protocol statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1600 clear virtual-chassis vc-port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1601 request chassis routing-engine hard-disk-test . . . . . . . . . . . . . . . . . . . . . . . . . . 1603 request session member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1606 request session member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1607 request virtual-chassis device-reachability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1608 request virtual-chassis reactivate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1610 request virtual-chassis recycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1611


xxvii

®


request virtual-chassis renumber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1612 request virtual-chassis vc-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1613 set chassis virtual-chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1615 show system uptime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1616 show virtual-chassis active-topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1618 show virtual-chassis device-topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1621 show virtual-chassis protocol adjacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1624 show virtual-chassis protocol database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1628 show virtual-chassis protocol interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1632 show virtual-chassis protocol route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634 show virtual-chassis protocol statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1637 show virtual-chassis status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640 show virtual-chassis vc-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643 show virtual-chassis vc-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1645 show virtual-chassis vc-port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1649

Part 12

High Availability

Chapter 50

High Availability—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659 High Availability Features for EX Series Switches Overview . . . . . . . . . . . . . . . . 1659 VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659 Graceful Protocol Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1660 Redundant Routing Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1660 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1661 Graceful Routing Engine Switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1661 Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1661 Nonstop Active Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662 Nonstop Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662 Redundant Power System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662 Understanding VRRP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 1663 Overview of VRRP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 1663 Examples of VRRP Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1664 Understanding Nonstop Active Routing on EX Series Switches . . . . . . . . . . . . 1666 Understanding Nonstop Bridging on EX Series Switches . . . . . . . . . . . . . . . . . . 1667 Understanding Nonstop Software Upgrade on EX Series Switches . . . . . . . . . 1668 Requirements for Performing an NSSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1669 How an NSSU Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1669 EX4200, EX4500, and Mixed EX4200 and EX4500 Virtual Chassis . . 1670 EX8200 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1670 EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1671 NSSU Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1672 NSSU and Junos OS Release Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1672 Overview of NSSU Configuration and Operation . . . . . . . . . . . . . . . . . . . . . 1673 Understanding Power Management on EX Series Switches . . . . . . . . . . . . . . . . 1673 Power Priority of Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1674 How a Line Card’s Power Priority Is Determined . . . . . . . . . . . . . . . . . . 1675 Line Card Priority and Line Card Power . . . . . . . . . . . . . . . . . . . . . . . . . 1675 Line Card Priority and PoE Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1676

xxviii


Table of Contents

Line Card Priority and Changes in the Power Budget . . . . . . . . . . . . . . 1676 Power Supply Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1677

Chapter 51

Examples of High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . 1681 Example: Configuring Nonstop Active Routing on EX Series Switches . . . . . . . . 1681 Example: Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1684

Chapter 52

Configuring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1687 Configuring VRRP for IPv6 (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1687 Configuring Nonstop Active Routing on EX Series Switches (CLI Procedure) . . 1688 Configuring Nonstop Bridging on EX Series Switches (CLI Procedure) . . . . . . . 1689 Tracing Nonstop Active Routing Synchronization Events . . . . . . . . . . . . . . . . . . 1690 Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692 Configuring Power Supply Redundancy (CLI Procedure) . . . . . . . . . . . . . . . . . . 1694 Configuring the Power Priority of Line Cards (CLI Procedure) . . . . . . . . . . . . . . 1695

Chapter 53

Administering High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1697 Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1697 Preparing the Switch for Software Installation . . . . . . . . . . . . . . . . . . . . . . 1697 Upgrading Both Routing Engines Using NSSU . . . . . . . . . . . . . . . . . . . . . . 1699 Upgrading One Routing Engine Using NSSU . . . . . . . . . . . . . . . . . . . . . . . . 1702 Upgrading the Original Master Routing Engine . . . . . . . . . . . . . . . . . . . . . . 1704 Upgrading Software on an EX8200 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1705 Preparing the Switch for Software Installation . . . . . . . . . . . . . . . . . . . . . . 1706 Upgrading the Software Using NSSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1707 Upgrading Software on an EX4200 Virtual Chassis, EX4500 Virtual Chassis, or Mixed EX4200 and EX4500 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1710 Preparing the Switch for Software Installation . . . . . . . . . . . . . . . . . . . . . . . 1710 Upgrading the Software Using NSSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1711 Verifying Power Configuration and Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1713

Chapter 54

Configuration Statements for High Availability . . . . . . . . . . . . . . . . . . . . . . 1717 [edit redundant-power-system] Configuration Statement Hierarchy . . . . . . . . . 1717 commit synchronize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1718 disk-failure-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1719 failover (Chassis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1720 fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1721 fpcs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1722 graceful-switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1723 inet6-advertise-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1723 keepalive-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1724 member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725 n-plus-n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725 nonstop-bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1726 nonstop-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1726


xxix

®


nssu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1727 on-disk-failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1728 on-loss-of-keepalives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1729 power-budget-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1730 preempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1731 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1732 psu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1733 redundancy (Graceful Switchover) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1734 redundancy (Power Management) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1735 routing-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1735 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1736 upgrade-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1738 virtual-inet6-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1739 virtual-link-local-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1740 vrrp-inet6-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1741

Chapter 55

Operational Commands for High Availability . . . . . . . . . . . . . . . . . . . . . . . . 1743 request system software nonstop-upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1744 show chassis nonstop-upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1752 show chassis power-budget-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1754 show vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1758

Part 13

Interfaces on EX Series Switches

Chapter 56

Interfaces—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769 EX Series Switches Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769 Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769 Special Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1770 Understanding Interface Naming Conventions on EX Series Switches . . . . . . . . 1772 Physical Part of an Interface Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1772 Logical Part of an Interface Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1773 Wildcard Characters in Interface Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1774 Understanding Aggregated Ethernet Interfaces and LACP . . . . . . . . . . . . . . . . . 1774 Link Aggregation Group (LAG) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1774 Link Aggregation Control Protocol (LACP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1776 Understanding Interface Ranges on EX Series Switches . . . . . . . . . . . . . . . . . . . 1777 Understanding Layer 3 Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1778 Understanding Unicast RPF for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . 1779 Unicast RPF for EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . 1780 Unicast RPF Implementation for EX Series Switches . . . . . . . . . . . . . . . . . 1780 Unicast RPF Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1780 Bootstrap Protocol (BOOTP) and DHCP Requests . . . . . . . . . . . . . . . 1780 Default Route Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1781 When to Enable Unicast RPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1781 When Not to Enable Unicast RPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1782 Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1782 Understanding IP Directed Broadcast for EX Series Switches . . . . . . . . . . . . . . 1783 IP Directed Broadcast for EX Series Switches Overview . . . . . . . . . . . . . . . 1783 IP Directed Broadcast Implementation for EX Series Switches . . . . . . . . . . 1784

xxx


Table of Contents

When to Enable IP Directed Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1784 When Not to Enable IP Directed Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . 1784 802.1Q VLANs Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1785 Understanding Generic Routing Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . 1786 Overview of GRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786 GRE Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786 Encapsulation and De-Encapsulation on the Switch . . . . . . . . . . . . . . 1787 Number of Source and Destination Tunnels Allowed on a Switch . . . . 1787 Class of Service on GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1787 Firewall Filters on GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1788 Configuration Limitations for GRE on EX Series Switches . . . . . . . . . . . . . . 1788

Chapter 57

Examples of Interfaces Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1791 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1791 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1797 Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1802 Example: Configuring Unicast RPF on an EX Series Switch . . . . . . . . . . . . . . . . 1809 Example: Configuring IP Directed Broadcast on an EX Series Switch . . . . . . . . . 1813

Chapter 58

Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1817 Configuring Gigabit Ethernet Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . . . 1818 Configuring VLAN Options and Port Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 1818 Configuring the Link Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1819 Configuring the IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1821 Configuring Gigabit Ethernet Interfaces (J-Web Procedure) . . . . . . . . . . . . . . . . 1821 Port Role Configuration with the J-Web Interface (with CLI References) . . . . . 1828 Adding an Interface Description to the Configuration . . . . . . . . . . . . . . . . . . . . . 1832 Example: Adding an Interface Description to the Configuration . . . . . . . . . 1832 Adding a Logical Unit Description to the Configuration . . . . . . . . . . . . . . . . . . . 1833 Disabling a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834 Example: Disabling a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834 Disabling a Logical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1835 Configuring Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1835 Configuring the Interface Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1836 Configuring Interface IPv4 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1837 Configuring Interface IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1838 Configuring the Interface Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1839 Configuring the Media MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1839 Setting the Protocol MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1850 Interface Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1850 Configuring Interface Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1851 Expanding Interface Range Member and Member Range Statements . . . 1854 Configuration Inheritance for Member Interfaces . . . . . . . . . . . . . . . . . . . . 1856 Member Interfaces Inheriting Configuration from Configuration Groups . . 1857 Interfaces Inheriting Common Configuration . . . . . . . . . . . . . . . . . . . . . . . . 1858


xxxi

®


Configuring Inheritance Range Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . 1858 Configuration Expansion Where Interface Range Is Used . . . . . . . . . . . . . . 1859 Configuring Accounting for the Physical Interface . . . . . . . . . . . . . . . . . . . . . . . 1860 Applying an Accounting Profile to the Physical Interface . . . . . . . . . . . . . . 1860 Example: Applying an Accounting Profile to the Physical Interface . . 1860 Configuring Accounting for the Logical Interface . . . . . . . . . . . . . . . . . . . . . . . . . 1861 Applying an Accounting Profile to the Logical Interface . . . . . . . . . . . . . . . . 1861 Example: Applying an Accounting Profile to the Logical Interface . . . . 1861 Configuring Ethernet Loopback Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1862 Configuring Gratuitous ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1863 Configuring Static ARP Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1864 Example: Configuring Static ARP Table Entries . . . . . . . . . . . . . . . . . . . . . . 1865 Disabling the Transmission of Redirect Messages on an Interface . . . . . . . . . . 1865 Configuring Restricted and Unrestricted Proxy ARP . . . . . . . . . . . . . . . . . . . . . . 1865 Enabling or Disabling SNMP Notifications on Logical Interfaces . . . . . . . . . . . . 1866 Enabling or Disabling SNMP Notifications on Physical Interfaces . . . . . . . . . . . 1867 Configuring Aggregated Ethernet Interfaces (CLI Procedure) . . . . . . . . . . . . . . 1867 Configuring Aggregated Ethernet Interfaces (J-Web Procedure) . . . . . . . . . . . . 1868 Configuring Aggregated Ethernet LACP (CLI Procedure) . . . . . . . . . . . . . . . . . . . 1871 Configuring Aggregated Ethernet Link Protection . . . . . . . . . . . . . . . . . . . . . . . . 1872 Configuring Link Protection for Aggregated Ethernet Interfaces . . . . . . . . . 1872 Configuring Primary and Backup Links for Link Aggregated Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1872 Reverting Traffic to a Primary Link When Traffic is Passing Through a Backup Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1873 Disabling Link Protection for Aggregated Ethernet Interfaces . . . . . . . . . . . 1873 Configuring Aggregated Ethernet Link Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . 1873 Configuring Aggregated Ethernet Minimum Links . . . . . . . . . . . . . . . . . . . . . . . . 1874 Configuring Tagged Aggregated Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . 1875 Configuring a Layer 3 Subinterface (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 1875 Configuring Unicast RPF (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1876 Disabling Unicast RPF (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1877 Configuring IP Directed Broadcast (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 1878 Tracing Operations of an Individual Router or Switch Interface . . . . . . . . . . . . . 1879 Tracing Operations of the Interface Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1879 Setting the Mode on an SFP+ Uplink Module (CLI Procedure) . . . . . . . . . . . . . 1880 Configuring the Media Type on Dual-Purpose Uplink Ports (CLI Procedure) . . . 1881 Configuring Generic Routing Encapsulation Tunneling (CLI Procedure) . . . . . . 1882 Configuring a GRE Tunnel Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1882 Configuring Tunnels to Use Generic Routing Encapsulation . . . . . . . . . . . . 1882 Damping Interface Transitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1883

Chapter 59

Verifying Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1885 Monitoring Interface Status and Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1885 Verifying the Status of a LAG Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1886 Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1887 Verifying the LACP Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1887 Verifying That LACP Packets Are Being Exchanged . . . . . . . . . . . . . . . . . . . 1887

xxxii


Table of Contents

Verifying That Layer 3 Subinterfaces Are Working . . . . . . . . . . . . . . . . . . . . . . . 1888 Verifying Unicast RPF Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1889 Verifying IP Directed Broadcast Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1891 Verifying That Generic Routing Encapsulation Tunneling Is Working Correctly . . 1891

Chapter 60

Troubleshooting Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1893 Troubleshooting Network Interfaces on EX3200 Switches . . . . . . . . . . . . . . . . 1893 The interface on one of the last four built-in network ports in an EX3200 switch (for example, interface ge-0/0/23) is down . . . . . . . . . . . . . . . 1893 The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module is down . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1894 Troubleshooting Network Interfaces on EX4200 Switches . . . . . . . . . . . . . . . . 1894 The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module is down . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1894 Troubleshooting an Aggregated Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . 1895 Show Interfaces Command Shows the LAG is Down . . . . . . . . . . . . . . . . . 1895 Logical Interface Statistics Do Not Reflect All Traffic . . . . . . . . . . . . . . . . . 1895 Troubleshooting Interface Configuration and Cable Faults . . . . . . . . . . . . . . . . 1896 Interface Configuration or Connectivity Is Not Working . . . . . . . . . . . . . . . . 1896 Troubleshooting Unicast RPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897 Legitimate Packets Are Discarded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897 Troubleshooting Virtual Chassis Port Connectivity on an EX4200 Switch . . . . 1897 Virtual Chassis port (VCP) connection does not work . . . . . . . . . . . . . . . . 1898 Diagnosing a Faulty Twisted-Pair Cable (CLI Procedure) . . . . . . . . . . . . . . . . . 1898

Chapter 61

Configuration Statements for Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 1901 [edit chassis] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 1901 [edit interfaces] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . 1902 802.3ad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1908 accounting-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1909 address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1910 aggregated-devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1912 aggregated-ether-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1913 arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1914 auto-negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1915 bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1917 broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1918 chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1919 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1920 destination (Tunnels) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1921 device-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1922 disable (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1923 ether-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1924 ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925 eui-64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925 family (for EX Series switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1926 filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1930 flow-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931 force-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931 gratuitous-arp-reply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1932


xxxiii

®


hold-time (Physical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1933 interface-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1934 interfaces (for EX Series switches) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1936 lacp (802.3ad) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1943 lacp (Aggregated Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1944 link-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1945 link-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1946 link-speed (Aggregated Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1947 loopback (Aggregated Ethernet, Fast Ethernet, and Gigabit Ethernet) . . . . . . . 1948 media-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1949 member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1949 members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1950 member-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1952 minimum-links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1953 mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1954 native-vlan-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955 no-redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955 periodic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1956 pic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1957 pic-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1958 port-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1959 preferred . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1960 primary (Address on Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1961 proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1962 rpf-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1963 sfpplus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1964 source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1965 speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1966 targeted-broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1967 traceoptions (Individual Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1968 traceoptions (Interface Process) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1970 traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1971 ttl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1972 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1972 tunnel-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1973 unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1973 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1974 vlan-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1975 vlan-tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1976

Chapter 62

Operational Commands for Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1977 clear ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1978 monitor interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1979 request diagnostics tdr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1989 show diagnostics tdr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1991 show ethernet-switching interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1996 show interfaces (GRE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2000 show interfaces diagnostics optics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2007 show interfaces ge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014

xxxiv


Table of Contents

show interfaces me0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2025 show interfaces queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2032 show interfaces vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2038 show interfaces xe- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2050 show ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2063 show lacp interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2065 test interface restart-auto-negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2069

Part 14

Ethernet Switching

Chapter 63

Ethernet Switching—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073 Understanding Bridging and VLANs on EX Series Switches . . . . . . . . . . . . . . . 2073 History of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2074 How Bridging of VLAN Traffic Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2074 Packets Are Either Tagged or Untagged . . . . . . . . . . . . . . . . . . . . . . . . . . . 2075 Switch Interface Modes—Access, Trunk, or Tagged Access . . . . . . . . . . . . 2076 Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2076 Trunk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2076 Trunk Mode and Native VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2076 Tagged-Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2077 Additional Advantages of Using VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2077 Maximum VLANs and VLAN Members Per Switch . . . . . . . . . . . . . . . . . . . 2078 A Default VLAN Is Configured on Most Switches . . . . . . . . . . . . . . . . . . . . 2078 Assigning Traffic to VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2079 Assign VLAN Traffic According to the Interface Port Source . . . . . . . . 2079 Assign VLAN Traffic According to the Source MAC Address . . . . . . . . 2079 Forwarding VLAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2079 VLANs Communicate with RVIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2079 Understanding Private VLANs on EX Series Switches . . . . . . . . . . . . . . . . . . . . 2080 Typical Structure and Primary Application of PVLANs . . . . . . . . . . . . . . . . 2081 PVLANs Use 802.1Q Tags to Identify Packets . . . . . . . . . . . . . . . . . . . . . . . 2082 PVLANs Use IP Addresses Efficiently . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2083 PVLANs Use Four Different Ethernet Switch Port Types . . . . . . . . . . . . . . 2083 Creating a PVLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2085 Understanding Virtual Routing Instances on EX Series Switches . . . . . . . . . . . 2088 Understanding Redundant Trunk Links on EX Series Switches . . . . . . . . . . . . . 2089 Understanding Q-in-Q Tunneling on EX Series Switches . . . . . . . . . . . . . . . . . . 2091 How Q-in-Q Tunneling Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2091 Disabling MAC Address Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2092 Mapping C-VLANs to S-VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2092 All-in-One Bundling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2093 Many-to-One Bundling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2093 Mapping a Specific Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2093 Routed VLAN Interfaces on Q-in-Q VLANs . . . . . . . . . . . . . . . . . . . . . . . . . 2093 Limitations for Q-in-Q Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2094 Understanding Multiple VLAN Registration Protocol (MVRP) on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2094 How MVRP Updates, Creates, and Deletes VLANs on the Switches . . . . . 2094 MVRP Is Disabled by Default on the Switches . . . . . . . . . . . . . . . . . . . . . . 2095


xxxv

®


MRP Timers Control MVRP Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2095 MVRP Uses MRP Messages to Transmit Switch and VLAN States . . . . . . 2095 Compatibility Issues With Junos OS Release 11.3 and Later . . . . . . . . . . . . 2096 Understanding Layer 2 Protocol Tunneling on EX Series Switches . . . . . . . . . . 2096 Layer 2 Protocols Supported by L2PT on EX Series Switches . . . . . . . . . . 2097 How L2PT Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2098 L2PT Basics on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2099 Understanding Proxy ARP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . 2100 What Is ARP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2100 Proxy ARP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2100 Best Practices for Proxy ARP on EX Series Switches . . . . . . . . . . . . . . . . . . 2101 Understanding MAC Notification on EX Series Switches . . . . . . . . . . . . . . . . . . . 2101 Understanding MAC Address Aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2102 Understanding Reflective Relay for Use with VEPA Technology . . . . . . . . . . . . . 2103 What Is VEPA and Why Does It Require Reflective Relay? . . . . . . . . . . . . . 2103 How Does Reflective Relay Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2104 Understanding Routed VLAN Interfaces on EX Series Switches . . . . . . . . . . . . 2105 When Should I Use an RVI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2106 How Does an RVI Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2106 Creating an RVI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2106 Viewing RVI Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2107 RVI Functions and Other Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2108 Understanding Edge Virtual Bridging for Use with VEPA Technology . . . . . . . . 2108 What Is EVB? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2109 What Is VEPA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2109 Why Use VEPA Instead of VEB? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2109 How Does EVB Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2109 How Do I Implement EVB? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2110 Ethernet Ring Protection Switching Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 2110 Understanding Ethernet Ring Protection Switching Functionality . . . . . . . . . . . . 2111 Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2111 Ring Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2112 Ring Node States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2112 Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2112 Logical Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2112 FDB Flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2113 Traffic Blocking and Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2113 RAPS Message Blocking and Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . 2113 Dedicated Signaling Control Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2114 RAPS Message Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2115 Multiple Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2115 Node ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2115 Bridge Domains with the Ring Port (MX Series Routers Only) . . . . . . . . . . . 2115

Chapter 64

Examples: Ethernet Switching Configuration . . . . . . . . . . . . . . . . . . . . . . . . 2117 Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch . . . . . . 2117 Example: Setting Up Bridging with Multiple VLANs for EX Series Switches . . . . 2124 Example: Connecting an Access Switch to a Distribution Switch . . . . . . . . . . . . 2131 Example: Configuring Redundant Trunk Links for Faster Recovery . . . . . . . . . . . 2141

xxxvi


Table of Contents

Example: Setting Up Q-in-Q Tunneling on EX Series Switches . . . . . . . . . . . . . 2146 Example: Configuring a Private VLAN on a Single EX Series Switch . . . . . . . . . 2149 Example: Configuring a Private VLAN Spanning Multiple EX Series Switches . . 2155 Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2170 Example: Configuring Automatic VLAN Administration Using MVRP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2172 Example: Configuring Layer 2 Protocol Tunneling on EX Series Switches . . . . . 2184 Example: Configuring Reflective Relay for Use with VEPA Technology . . . . . . . 2189 Example: Configuring Proxy ARP on an EX Series Switch . . . . . . . . . . . . . . . . . . 2193 Example: Configuring Edge Virtual Bridging for Use with VEPA Technology . . . 2196 Example: Configuring Ethernet Ring Protection Switching on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2202

Chapter 65

Configuring Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2217 Configuring VLANs for EX Series Switches (J-Web Procedure) . . . . . . . . . . . . . 2217 Configuring VLANs for EX Series Switches (CLI Procedure) . . . . . . . . . . . . . . . 2220 Why Create a VLAN? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2220 Create a VLAN Using the Minimum Procedure . . . . . . . . . . . . . . . . . . . . . . 2220 Create a VLAN Using All of the Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2221 Configuration Guidelines for VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2222 Configuring Routed VLAN Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . . . . . 2223 Configuring MAC Table Aging (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 2224 Configuring the Native VLAN Identifier (CLI Procedure) . . . . . . . . . . . . . . . . . . . 2225 Creating a Series of Tagged VLANs (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . 2226 Configuring Virtual Routing Instances (CLI Procedure) . . . . . . . . . . . . . . . . . . . 2227 Creating a Private VLAN on a Single EX Series Switch (CLI Procedure) . . . . . . 2228 Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2230 Configuring Q-in-Q Tunneling (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 2231 Configuring Redundant Trunk Groups (J-Web Procedure) . . . . . . . . . . . . . . . . . 2232 Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure) . . . 2233 Enabling MVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2233 Disabling MVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2234 Disabling Dynamic VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2234 Configuring Timer Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2234 Configuring MVRP Registration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2235 Using MVRP in a Mixed-Release Network . . . . . . . . . . . . . . . . . . . . . . . . . . 2236 Configuring Layer 2 Protocol Tunneling on EX Series Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2236 Configuring MAC Notification (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 2238 Enabling MAC Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2238 Disabling MAC Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2239 Setting the MAC Notification Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2239 Configuring Proxy ARP (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2239 Configuring Reflective Relay (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 2240 Adding a Static MAC Address Entry to the Ethernet Switching Table (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2240 Configuring Redundant Trunk Links for Faster Recovery (CLI Procedure) . . . . . 2241


xxxvii

®


Configuring Edge Virtual Bridging (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . 2242 Configuring Ethernet Ring Protection Switching (CLI Procedure) . . . . . . . . . . . 2244

Chapter 66

Verifying Ethernet Switching Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 2247 Verifying That a Series of Tagged VLANs Has Been Created . . . . . . . . . . . . . . . 2247 Verifying That Virtual Routing Instances Are Working . . . . . . . . . . . . . . . . . . . . 2249 Verifying That Q-in-Q Tunneling Is Working . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2250 Verifying That a Private VLAN Is Working . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2250 Monitoring Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2255 Verifying That MVRP Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2257 Verifying That MAC Notification Is Working Properly . . . . . . . . . . . . . . . . . . . . . 2258 Verifying That Proxy ARP Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . . . . . 2258

Chapter 67

Troubleshooting Ethernet Switching Configuration . . . . . . . . . . . . . . . . . . 2261 Troubleshooting Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2261 MAC Address in the Switch’s Ethernet Switching Table Is Not Updated After a MAC Address Move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2261

Chapter 68

Configuration Statements for Ethernet Switching . . . . . . . . . . . . . . . . . . . 2263 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . 2263 [edit interfaces] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . 2266 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . 2271 [edit routing-instances] Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . 2280 [edit vlans] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . 2280 arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2281 control-channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2282 control-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2283 customer-vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2284 data-channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2285 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2286 disable (MVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2286 dot1q-tunneling (Ethernet Switching) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2287 dot1q-tunneling (VLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2288 drop-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2289 east-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2290 edge-virtual-bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2291 ether-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2292 ethernet-ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2293 ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2294 filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2297 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2298 guard-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2299 instance-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2300 interface (MVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2301 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2302 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2303 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2304 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2304 join-timer (MVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2305 l3-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2306

xxxviii


Table of Contents

layer2-protocol-tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2307 leave-timer (MVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2309 leaveall-timer (MVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2310 mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2310 mac-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2311 mac-notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2312 mac-table-aging-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2313 mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2314 members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2315 mvrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2317 native-vlan-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2318 next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2318 no-dynamic-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2319 no-local-switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2319 no-mac-learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2320 no-mac-learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2320 node-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2321 notification-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2321 port-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2322 preempt-cutover-timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2323 primary-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2324 protection-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2325 proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2327 pvlan-trunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2328 redundant-trunk-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2328 registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2329 restore-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2329 ring-protection-link-end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2330 ring-protection-link-owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2330 routing-instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2331 shutdown-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2332 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2333 traceoptions (Edge Virtual Bridging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2334 traceoptions (Ethernet Ring Protection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2336 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2337 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2337 vlan-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2338 vlan-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2339 vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2340 routing-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2341 vsi-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2342 vsi-policy (EVB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2343 west-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2344

Chapter 69

Operational Commands for Ethernet Switching . . . . . . . . . . . . . . . . . . . . 2345 clear ethernet-switching layer2-protocol-tunneling error . . . . . . . . . . . . . . . . . 2346 clear ethernet-switching layer2-protocol-tunneling statistics . . . . . . . . . . . . . . 2347 clear ethernet-switching table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2348 clear gvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2350


xxxix

®


clear mvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2351 show edge-virtual-bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2352 show ethernet-switching interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2355 show ethernet-switching layer2-protocol-tunneling interface . . . . . . . . . . . . . 2359 show ethernet-switching layer2-protocol-tunneling statistics . . . . . . . . . . . . . 2361 show ethernet-switching layer2-protocol-tunneling vlan . . . . . . . . . . . . . . . . . 2364 show ethernet-switching mac-learning-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2366 show ethernet-switching mac-notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2368 show ethernet-switching statistics aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2369 show ethernet-switching statistics mac-learning . . . . . . . . . . . . . . . . . . . . . . . . 2371 show ethernet-switching table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2374 show mvrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2379 show mvrp dynamic-vlan-memberships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2381 show mvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2382 show protection-group ethernet-ring aps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2385 show protection-group ethernet-ring configuration . . . . . . . . . . . . . . . . . . . . . . 2387 show protection-group ethernet-ring interface . . . . . . . . . . . . . . . . . . . . . . . . . 2389 show protection-group ethernet-ring node-state . . . . . . . . . . . . . . . . . . . . . . . . 2391 show protection-group ethernet-ring statistics . . . . . . . . . . . . . . . . . . . . . . . . . 2394 show redundant-trunk-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2397 show system statistics arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2398 show vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2399

Part 15

Spanning-Tree Protocols

Chapter 70

Spanning-Tree Protocols—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2413 Understanding STP for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2413 Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2413 Understanding RSTP for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 2415 Spanning-Tree Protocols Help Prevent Broadcast Storms . . . . . . . . . . . . . 2415 RSTP is an Enhancement of the Original STP . . . . . . . . . . . . . . . . . . . . . . . 2415 Port Roles Determine Participation in The Spanning-Tree . . . . . . . . . . . . . 2416 Port States Determine How a Port Processes a Frame . . . . . . . . . . . . . . . . 2416 Edge Ports Connect to Devices That Cannot Be Part of a Spanning-Tree . . 2416 BPDUs Maintain the Spanning-Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2417 When an RSTP Root Bridge Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2417 Switches Must Relearn MAC Addresses After a Link Failure . . . . . . . . . . . . 2418 Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2418 Understanding MSTP for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 2419 MSTP Maps Multiple VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2420 Configuring MSTP Regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2420 Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2420 Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2422 Different Kinds of BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2422 Protecting Switches With STP From Outside BPDUs . . . . . . . . . . . . . . . . . 2422 Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2423

xl


Table of Contents

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2424 Understanding VSTP for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 2425 Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2425

Chapter 71

Examples of Spanning-Tree Protocols Configuration . . . . . . . . . . . . . . . . 2427 Example: Faster Convergence and Improved Network Stability with RSTP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2427 Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2444 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2464 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2468 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX Series Switches . . 2472 Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2476

Chapter 72

Configuring Spanning-Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2483 Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) . . . . . . 2483 Configuring STP (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2484 Configuring Spanning-Tree Protocols (J-Web Procedure) . . . . . . . . . . . . . . . . 2485 Configuring MSTP (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2488 Configuring RSTP (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2489 Configuring VSTP (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2491

Chapter 73

Verifying Spanning-Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2493 Monitoring Spanning-Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2493

Chapter 74

Configuration Statements for Spanning-Tree Protocols . . . . . . . . . . . . . 2497 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . 2497 arp-on-stp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2506 block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2507 bpdu-block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2508 bpdu-block-on-edge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2509 bpdu-timeout-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2510 bridge-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2511 configuration-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2512 cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2513 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2514 disable-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2515 edge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2516 force-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2517 forward-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2518 hello-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2519 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2520 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2521 log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2522 max-age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2523


xli

®


max-hops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2524 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2525 msti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2526 mstp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2527 no-root-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2529 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2530 revision-level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2531 rstp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2532 stp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2534 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2536 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2539 vlan (VSTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2541 vstp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2543

Chapter 75

Operational Commands for Spanning-Tree Protocols . . . . . . . . . . . . . . . 2545 clear ethernet-switching bpdu-error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2546 clear spanning-tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2547 clear spanning-tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2548 show spanning-tree bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2549 show spanning-tree interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2554 show spanning-tree interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2560 show spanning-tree mstp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2564 show spanning-tree mstp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2566 show spanning-tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2567 show spanning-tree statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2569

Part 16

Layer 3 Protocols

Chapter 76

Layer 3 Protocols—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2573 Layer 3 Protocols Supported on EX Series Switches . . . . . . . . . . . . . . . . . . . . . 2573 Layer 3 Protocols Not Supported on EX Series Switches . . . . . . . . . . . . . . . . . . 2574 Understanding Distributed Periodic Packet Management on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2576 Understanding IPsec Authentication for OSPF Packets on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2577 Authentication Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2577 Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2578 IPsec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2578 Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2579 IPsec Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2579

Chapter 77

Configuring Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2581 Configuring BGP Sessions (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 2581 Configuring an OSPF Network (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . 2585 Configuring a RIP Network (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 2589 Configuring Static Routing (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2594 Configuring Static Routing (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 2594

xlii


Table of Contents

Configuring Routing Policies (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 2596 Configuring Distributed Periodic Packet Management on an EX Series Switch (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2601 Disabling or Enabling Distributed Periodic Packet Management Globally . . 2601 Disabling or Enabling Distributed Periodic Packet Management for LACP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2602 Using IPsec to Secure OSPFv3 Networks (CLI Procedure) . . . . . . . . . . . . . . . . 2602 Configuring Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2602 Securing OPSFv3 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2603

Chapter 78

Verifying Layer 3 Protocols Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 2605 Monitoring Monitoring Monitoring Monitoring

Chapter 79

BGP Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2605 OSPF Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2607 RIP Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2610 Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2611

Configuration Statements for Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . 2615 accept-remote-nexthop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2615 active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2616 advertise-external . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2617 advertise-inactive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2618 advertise-peer-as . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2619 aggregate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2620 aggregate-label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2621 allow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2622 any-sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2623 area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2624 area-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2625 as-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2627 as-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2628 asm-override-ssm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2630 authentication-algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2631 authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2632 authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2633 authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2634 authentication-key-chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2635 authentication-key-chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2636 authentication-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2637 authentication-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2638 autonomous-system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2639 backup-pe-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2641 backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2642 bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2643 bandwidth-based-metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2644 bfd-liveness-detection (BGP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2646 bfd-liveness-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2648 bfd-liveness-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2651 bfd-liveness-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2655 bfd-liveness-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2658 bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2662


xliii

®


bgp-orf-cisco-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2663 bmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2664 brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2665 centralized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2666 check-zero . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2667 checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2668 cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2669 community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2671 confederation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2673 csnp-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2674 damping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2675 dead-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2676 default-lsa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2677 default-metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2678 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2679 disable (BGP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2680 disable (IS-IS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2681 disable (OSPF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2682 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2683 discard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2684 domain-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2685 domain-vpn-tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2685 explicit-null . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2686 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2687 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2688 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2689 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2690 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2690 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2691 export-rib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2692 external-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2693 external-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2694 family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2695 fate-sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2698 flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2699 flow-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2700 forwarding-cache (Flow Maps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2701 forwarding-cache (Multicast) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2701 forwarding-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2702 generate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2703 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2705 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2706 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2707 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2708 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2709 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2710 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2711 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2714 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2716

xliv


Table of Contents

hello-authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2717 hello-authentication-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2718 hello-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2719 hello-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2720 hello-padding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2721 holddown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2722 holddown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2723 hold-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2723 hold-time (BGP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2724 hold-time (IS-IS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2725 idle-after-switch-over . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2726 ignore-attached-bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2727 ignore-lsp-metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2727 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2728 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2729 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2730 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2731 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2732 import-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2733 import-rib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2734 include-mp-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2735 indirect-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2736 install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2737 instance-export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2738 instance-import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2738 inter-area-prefix-export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2739 inter-area-prefix-import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2740 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2741 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2743 interface (Routing Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2745 interface (Multicast Static Routes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2746 interface-routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2747 interface-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2749 ipv4-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2750 ipv4-multicast-metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2751 ipv6-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2751 ipv6-multicast-metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2752 ipv6-unicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2752 ipv6-unicast-metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2753 isis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2754 keep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2755 labeled-unicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2756 level (Global IS-IS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2757 link-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2758 local-address (BGP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2759 local-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2761 local-as . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2762 local-interface (IPv6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2764 local-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2765


xlv

®


log-updown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2766 loose-authentication-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2767 lsp-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2767 lsp-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2768 lsp-metric-into-summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2769 martians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2770 max-areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2771 maximum-bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2772 maximum-paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2773 maximum-prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2775 med-igp-update-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2776 mesh-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2777 message-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2778 metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2779 metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2780 metric (Aggregate, Generated, or Static Route) . . . . . . . . . . . . . . . . . . . . . . . . . 2781 metric-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2782 metric-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2783 metric-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2784 metric-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2786 metric-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2787 metric-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2788 mtu-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2789 multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2791 multihop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2792 multipath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2793 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2794 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2797 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2798 no-adjacency-holddown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2799 no-aggregator-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2800 no-authentication-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2801 no-client-reflect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2802 no-csnp-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2803 no-eligible-backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2803 no-hello-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2804 no-ipv4-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2804 no-ipv4-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2805 no-ipv6-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2805 no-ipv6-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2806 no-ipv6-unicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2806 no-nssa-abr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2807 no-psnp-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2808 no-qos-adjust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2809 no-rfc-1583 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2810 no-unicast-topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2811 no-validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2812 node-link-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2813 nssa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2814

xlvi


Table of Contents

options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2815 ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2816 ospf3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2817 out-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2818 outbound-route-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2819 overload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2821 overload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2823 passive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2824 passive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2825 passive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2826 peer-as . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2828 pim-to-igmp-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2830 pim-to-mld-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2831 point-to-point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2832 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2833 policy (Flow Maps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2834 policy (SSM Maps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2835 ppm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2836 ppm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2837 preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2838 preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2839 preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2840 preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2841 preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2842 preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2843 prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2844 prefix-export-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2844 prefix-export-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2845 prefix-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2846 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2847 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2848 qualified-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2849 readvertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2851 realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2852 receive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2853 receive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2854 redundant-sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2855 reference-bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2856 reference-bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2857 remove-private . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2858 resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2859 resolution-ribs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2860 resolve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2861 restart-duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2862 retain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2863 retransmit-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2864 reverse-oif-mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2865 rib (General) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2866 rib (Route Resolution) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2868


xlvii

®


rib-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2869 rib-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2870 rib-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2871 rib-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2872 rib-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2873 rib-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2874 rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2876 ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2876 route-distinguisher-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2877 route-record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2877 route-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2878 route-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2879 route-type-community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2879 router-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2880 routing-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2881 rpf-check-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2881 scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2882 scope-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2883 send . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2884 send . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2885 shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2886 source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2887 source-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2888 spf-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2889 spf-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2890 ssm-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2891 ssm-map (Multicast Routing Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2892 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2893 stub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2899 subscriber-leave-timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2900 summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2901 tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2902 tcp-mss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2903 threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2904 timeout (Flow Maps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2905 timeout (Multicast) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2906 topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2907 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2908 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2911 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2914 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2917 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2920 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2923 traffic-engineering (OSPF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2925 transit-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2927 type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2928 type-7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2929 update-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2930 update-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2931

xlviii


Table of Contents

upstream-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2932 virtual-link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2933 wide-metrics-only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2934

Chapter 80

Operational Commands for Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . 2935 clear (ospf | ospf3) database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2936 clear (ospf | ospf3) io-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2939 clear (ospf | ospf3) neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2940 clear (ospf | ospf3) statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2942 clear bgp damping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2944 clear bgp neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2945 clear bgp table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2947 clear ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2949 clear isis adjacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2950 clear isis database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2952 clear isis overload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2954 clear isis statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2956 clear (ospf | ospf3) overload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2958 clear rip general-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2959 clear rip statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2960 clear ripng general-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2961 clear ripng statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2962 show (ospf | ospf3) interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2963 show (ospf | ospf3) io-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2969 show (ospf | ospf3) log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2971 show (ospf | ospf3) neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2974 show (ospf | ospf3) overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2980 show (ospf | ospf3) route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2985 show (ospf | ospf3) statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2990 show as-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2994 show as-path domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2998 show as-path summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3000 show bgp bmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3001 show bgp group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3002 show bgp neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3009 show bgp summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3023 show ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3028 show isis adjacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3030 show isis authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3034 show isis backup coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3036 show isis backup label-switched-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3038 show isis backup spf results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3040 show isis database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3044 show isis hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3051 show isis interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3052 show isis overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3056 show isis route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3059 show isis spf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3063 show isis statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3069


xlix

®


show ospf3 database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3072 show ospf database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3082 show policy damping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3090 show rip general-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3092 show rip neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3094 show rip statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3096 show ripng general-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3099 show ripng neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3100 show ripng statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3102 show route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3104 show route active-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3109 show route all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3114 show route aspath-regex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3116 show route best . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3118 show route brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3121 show route community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3123 show route community-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3125 show route damping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3127 show route detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3132 show route exact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3147 show route export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3149 show route extensive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3151 show route flow validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3165 show route inactive-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3167 show route inactive-prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3170 show route instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3172 show route label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3179 show route label-switched-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3181 show route martians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3183 show route next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3185 show route no-community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3191 show route protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3194 show route range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3203 show route receive-protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3207 show route resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3215 show route snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3218 show route source-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3226 show route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3232 show route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3234 show route terse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3243

Part 17

Multicast

Chapter 81

Understanding Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3249 IGMP Snooping on EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . 3249 How IGMP Snooping Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3249 IGMP Message Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3250 How Hosts Join and Leave Multicast Groups . . . . . . . . . . . . . . . . . . . . . . . . 3251 Support for IGMPv3 Multicast Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3251

l


Table of Contents

IGMP Snooping and Forwarding Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 3252 General Forwarding Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3252 Examples of IGMP Snooping Multicast Forwarding . . . . . . . . . . . . . . . . . . 3253 Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3253 Scenario 2: Switch Forwarding Multicast Traffic to Another Switch . . 3254 Scenario 3: Switch Connected to Hosts Only (No IGMP Querier) . . . . 3255 Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3256 Understanding Multicast VLAN Registration on EX Series Switches . . . . . . . . . 3257 How MVR Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3258 MVR Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3258 Understanding MLD Snooping on EX Series Switches . . . . . . . . . . . . . . . . . . . . 3259 How MLD Snooping Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3260 MLD Message Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3261 How Hosts Join and Leave Multicast Groups . . . . . . . . . . . . . . . . . . . . . . . . 3261 Support for MLDv2 Multicast Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3262 MLD Snooping and Forwarding Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 3262 General Forwarding Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3263 Examples of MLD Snooping Multicast Forwarding . . . . . . . . . . . . . . . . . . . 3263 Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3263 Scenario 2: Switch Forwarding Multicast Traffic to Another Switch . . 3264 Scenario 3: Switch Connected to Hosts Only (No MLD Querier) . . . . 3266 Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3266

Chapter 82

Examples: Multicast Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3269 Example: Configuring IGMP Snooping on EX Series Switches . . . . . . . . . . . . . . 3269 Example: Configuring Multicast VLAN Registration on EX Series Switches . . . . 3272 Example: Configuring MLD Snooping on EX Series Switches . . . . . . . . . . . . . . . 3276

Chapter 83

Configuring Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3281 Configuring IGMP Snooping (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 3281 Enabling or Disabling IGMP Snooping on VLANs . . . . . . . . . . . . . . . . . . . . 3282 Configuring the IGMP Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3283 Enabling Immediate Leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3284 Configuring an Interface as a Multicast-Router Interface . . . . . . . . . . . . . . 3285 Configuring Static Group Membership on an Interface . . . . . . . . . . . . . . . . 3286 Changing the Timer and Counter Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 3286 Configuring IGMP Snooping (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 3288 Configuring Multicast VLAN Registration (CLI Procedure) . . . . . . . . . . . . . . . . . 3291 Configuring MLD Snooping on a VLAN (CLI Procedure) . . . . . . . . . . . . . . . . . . . 3292 Enabling or Disabling MLD Snooping on VLANs . . . . . . . . . . . . . . . . . . . . . 3293 Configuring the MLD Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3294 Enabling Immediate Leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3295 Configuring an Interface as a Multicast-Router Interface . . . . . . . . . . . . . . 3296 Configuring Static Group Membership on an Interface . . . . . . . . . . . . . . . . 3296 Changing the Timer and Counter Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 3297


li

®


Configuring MLD Snooping Tracing Operations (CLI Procedure) . . . . . . . . . . . 3299 Configuring Tracing Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3300 Viewing, Stopping, and Restarting Tracing Operations . . . . . . . . . . . . . . . . 3301 Configuring IGMP Snooping Tracing Operations (CLI Procedure) . . . . . . . . . . . 3301 Configuring Tracing Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3302 Viewing, Stopping, and Restarting Tracing Operations . . . . . . . . . . . . . . . . 3303

Chapter 84

Verifying Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3305 Monitoring IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3305 Verifying MLD Snooping (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3306 Verifying MLD Snooping Memberships . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3306 Verifying MLD Snooping VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3307 Viewing MLD Snooping Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3308 Viewing MLD Snooping Routing Information . . . . . . . . . . . . . . . . . . . . . . . 3308 Verifying IGMP Snooping (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3309 Verifying IGMP Snooping Memberships . . . . . . . . . . . . . . . . . . . . . . . . . . . 3309 Verifying IGMP Snooping VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3310 Viewing IGMP Snooping Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3310 Viewing IGMP Snooping Routing Information . . . . . . . . . . . . . . . . . . . . . . . . 3311

Chapter 85

Configuration Statements for Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3313 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . 3313 accounting (Per Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3322 accounting (Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3322 address (Anycast RPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3323 address (Local RPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3323 anycast-pim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3324 assert-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3325 auto-rp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3326 bootstrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3327 bootstrap-export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3328 bootstrap-import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3329 bootstrap-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3330 data-forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3331 dense-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3332 disable (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3332 disable (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3333 disable (PIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3334 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3335 dr-election-on-p2p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3335 dr-register-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3336 embedded-rp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3337 export (Bootstrap) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3338 family (Bootstrap) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3339 family (Local RP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3340 graceful-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3341 group (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3341 group (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3342 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3343 group-ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3344

lii


Table of Contents

groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3345 hello-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3345 hold-time (PIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3346 igmp-snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3347 immediate-leave (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3348 immediate-leave (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3349 immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3350 import (Bootstrap) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3351 import (PIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3352 infinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3353 install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3353 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3354 interface (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3355 interface (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3356 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3357 join-load-balance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3358 local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3359 local-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3360 mapping-agent-election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3361 maximum-rps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3362 mld-snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3363 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3364 multicast-router-interface (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . 3365 multicast-router-interface (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . 3366 neighbor-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3367 pim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3368 priority (Bootstrap) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3371 priority (PIM Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3372 priority (PIM RPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3373 promiscuous-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3374 proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3374 query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3375 query-last-member-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3376 query-response-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3377 receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3377 restart-duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3378 rib-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3379 robust-count (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3380 robust-count (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3380 robust-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3381 rp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3382 rp-register-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3384 rp-set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3385 source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3385 source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3386 source-vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3386 spt-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3387 ssm-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3388 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3389


liii

®


static (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3390 static (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3390 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3391 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3392 traceoptions (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3395 traceoptions (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3397 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3399 version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3401 version (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3402 version (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3403 version (PIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3404 vlan (IGMP Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3405 vlan (MLD Snooping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3407

Chapter 86

Operational Commands for Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3409 clear igmp membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3410 clear igmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3413 clear igmp-snooping membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3415 clear igmp-snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3416 clear mld-snooping membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3417 clear mld-snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3418 clear multicast bandwidth-admission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3419 clear multicast scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3421 clear multicast sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3422 clear multicast statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3423 clear pim join . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3424 clear pim register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3425 clear pim statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3427 mtrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3429 mtrace from-source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3432 mtrace monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3435 mtrace to-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3437 show igmp group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3440 show igmp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3444 show igmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3447 show igmp-snooping membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3450 show igmp-snooping route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3453 show igmp-snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3455 show igmp-snooping vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3457 show mld-snooping membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3459 show mld-snooping route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3462 show mld-snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3465 show mld-snooping vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3467 show multicast flow-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3469 show multicast interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3471 show multicast mrinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3473 show multicast next-hops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3475 show multicast pim-to-igmp-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3478 show multicast pim-to-mld-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3480

liv


Table of Contents

show multicast route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3482 show multicast rpf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3488 show multicast scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3492 show multicast sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3494 show multicast usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3497 show pim bootstrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3500 show pim interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3502 show pim join . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3505 show pim neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3514 show pim rps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3518 show pim source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3524 show pim statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3526

Part 18

Access Control

Chapter 87

802.1X and MAC RADIUS Authentication Overview . . . . . . . . . . . . . . . . . 3539 Understanding Authentication on EX Series Switches . . . . . . . . . . . . . . . . . . . 3540 A Basic Authentication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3540 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3541 MAC RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3542 Captive Portal Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3543 Static MAC Bypass of Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3544 Fallback of Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3544 802.1X for EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3545 How 802.1X Authentication Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3545 802.1X Features Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3546 Supported Features Related to 802.1X Authentication . . . . . . . . . . . . . . . . 3547 Authentication Process Flow for EX Series Switches . . . . . . . . . . . . . . . . . . . . . 3547 Understanding Server Fail Fallback and Authentication on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3549 Understanding Dynamic VLANs for 802.1X on EX Series Switches . . . . . . . . . . 3550 Understanding Guest VLANs for 802.1X on EX Series Switches . . . . . . . . . . . . 3550 Understanding 802.1X and RADIUS Accounting on EX Series Switches . . . . . . 3551 Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches . . . . . 3552 Understanding 802.1X and VoIP on EX Series Switches . . . . . . . . . . . . . . . . . . 3554 Understanding 802.1X and VSAs on EX Series Switches . . . . . . . . . . . . . . . . . . 3557 Understanding Authentication Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . 3558 Understanding NetBIOS Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3559 What Is a NetBIOS Name? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3559 How NetBIOS Snooping Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3559

Chapter 88

Examples: Access Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 3561 Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch . . . . 3561 Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3565 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . 3570 Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3575 Example: Configuring MAC RADIUS Authentication on an EX Series Switch . . 3578


lv

®


Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3583 Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch . . . . . . . . . . . . . . . . . . . 3588 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3595 Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3602 Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3608 Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 3611 Example: Setting Up Captive Portal Authentication on an EX Series Switch . . 3616 Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients . . . . . . . . . . . . . . . . . . . . . . . . 3621

Chapter 89

Configuring Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3627 Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3628 Configuring 802.1X Interface Settings (CLI Procedure) . . . . . . . . . . . . . . . . . . . 3629 Configuring 802.1X Authentication (J-Web Procedure) . . . . . . . . . . . . . . . . . . . 3630 Configuring Static MAC Bypass of Authentication (CLI Procedure) . . . . . . . . . 3633 Configuring MAC RADIUS Authentication (CLI Procedure) . . . . . . . . . . . . . . . . 3634 Configuring Server Fail Fallback (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 3636 Configuring 802.1X RADIUS Accounting (CLI Procedure) . . . . . . . . . . . . . . . . . 3637 Filtering 802.1X Supplicants Using RADIUS Server Attributes . . . . . . . . . . . . . . 3638 Configuring Match Statements on the RADIUS Server . . . . . . . . . . . . . . . . 3639 Applying a Port Firewall Filter from the RADIUS Server . . . . . . . . . . . . . . . . 3641 Configuring LLDP (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3641 Enabling LLDP on Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3642 Adjusting LLDP Advertisement Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 3642 Adjusting SNMP Notification Settings of LLDP Changes . . . . . . . . . . . . . . 3643 Specifying a Management Address for the LLDP Management TLV . . . . . 3643 Configuring LLDP (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3643 Configuring LLDP-MED (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3644 Enabling LLDP-MED on Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3645 Configuring Location Information Advertised by the Switch . . . . . . . . . . . 3645 Configuring for Fast Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3645 VSA Match Conditions and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3646 Configuring Captive Portal Authentication (CLI Procedure) . . . . . . . . . . . . . . . 3648 Configuring Secure Access for Captive Portal . . . . . . . . . . . . . . . . . . . . . . . 3648 Enabling an Interface for Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . 3649 Configuring Bypass of Captive Portal Authentication . . . . . . . . . . . . . . . . 3649 Designing a Captive Portal Authentication Login Page on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3650 Controlling Authentication Session Timeouts (CLI Procedure) . . . . . . . . . . . . . 3652 Configuring NetBIOS Snooping (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 3653 Enabling NetBIOS Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3653 Disabling NetBIOS Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3653

lvi


Table of Contents

Chapter 90

Verifying 802.1X and MAC RADIUS Authentication . . . . . . . . . . . . . . . . . . 3655 Monitoring 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3655 Verifying 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3656

Chapter 91

Configuration Statements for Access Control . . . . . . . . . . . . . . . . . . . . . . 3659 [edit access] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 3659 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . 3659 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . 3662 access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3672 accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3673 accounting (access profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3674 accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3675 accounting-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3676 accounting-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3677 accounting-session-id-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3678 accounting-stop-on-access-deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3679 accounting-stop-on-access-deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3679 accounting-stop-on-failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3680 accounting-stop-on-failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3680 address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3681 address-pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3681 address-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3682 advertisement-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3683 attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3684 authentication-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3685 authentication-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3686 authentication-profile-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3687 authentication-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3688 authentication-whitelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3688 authenticator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3689 block-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3690 captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3691 ca-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3692 ca-value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3693 civic-based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3694 country-code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3695 custom-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3696 destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3698 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3699 disable (LLDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3700 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3700 dot1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3701 eapol-block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3702 elin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3703 ethernet-port-type-virtual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3704 ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3705 events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3708 exclude (RADIUS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3709 fast-start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3711


lvii

®


forwarding-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3712 guest-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3713 hold-multiplier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3714 ignore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3715 immediate-update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3715 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3716 interface-description-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3717 interface (Captive Portal) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3718 interface (LLDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3719 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3720 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3721 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3722 lldp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3723 lldp-configuration-notification-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3724 lldp-med . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3725 location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3726 mac-radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3727 management-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3728 maximum-requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3729 nas-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3729 nas-port-extended-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3730 netbios-snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3731 no-mac-table-binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3731 no-reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3732 options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3733 order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3734 order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3735 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3735 port (RADIUS Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3736 port (TACACS+ Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3736 profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3737 ptopo-configuration-maximum-hold-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3738 ptopo-configuration-trap-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3738 quiet-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3739 quiet-period (Captive Portal) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3739 radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3740 radius (Access Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3741 radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3742 radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3743 reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3744 retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3744 retries (Captive Portal) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3745 retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3746 retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3747 revert-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3748 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3748 secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3749 secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3750 secure-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3750

lviii


Table of Contents

server (RADIUS Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3751 server (TACACS+ Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3751 server-fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3752 server-reject-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3753 server-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3754 server-timeout (Captive Portal) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3755 session-expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3755 single-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3756 source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3756 source-address (NTP, RADIUS, System Logging, or TACACS+) . . . . . . . . . . . . . 3757 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3758 statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3759 supplicant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3760 supplicant-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3761 tacplus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3762 timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3763 timeout (RADIUS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3764 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3765 traceoptions (LLDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3767 transmit-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3769 update-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3770 vlan-assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3771 vlan-nas-port-stacked-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3771 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3772 voip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3773 what . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3774

Chapter 92

Operational Commands for Access Control . . . . . . . . . . . . . . . . . . . . . . . . 3775 clear captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3776 clear dot1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3778 clear lldp neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3780 clear lldp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3781 show captive-portal authentication-failed-users . . . . . . . . . . . . . . . . . . . . . . . . 3782 show captive-portal firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3783 show captive-portal interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3785 show dot1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3788 show dot1x authentication-failed-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3793 show dot1x firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3794 show dot1x static-mac-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3795 show ethernet-switching interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3797 show lldp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3801 show lldp local-information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3806 show lldp neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3808 show lldp remote-global-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3815 show lldp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3817 show network-access aaa statistics accounting . . . . . . . . . . . . . . . . . . . . . . . . 3819 show network-access aaa statistics authentication . . . . . . . . . . . . . . . . . . . . . 3820 show network-access aaa statistics dynamic-requests . . . . . . . . . . . . . . . . . . . 3821


lix

®


Part 19

Access Privileges

Chapter 93

Access Privileges—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3825 Understanding Junos OS Access Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . 3825 Junos OS Login Class Permission Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3825 Allowing or Denying Individual Commands for Junos OS Login Classes . . 3828 Junos OS Login Classes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3829 Access Privilege User Permission Flags Overview . . . . . . . . . . . . . . . . . . . . . . . 3830 Specifying Access Privileges for Junos OS Configuration Mode Hierarchies . . . 3832

Chapter 94

Examples: Access Privileges Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 3835 Example: Configuring Access Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . 3835 Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3835 Example: Configuring Access Privileges for Operational Mode Commands . . . 3839 Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3840

Chapter 95

Configuring Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3845 Configuring Access Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3845 Specifying Access Privileges for Junos OS Operational Mode Commands . . . . 3845 Specifying Access Privileges for Junos OS Configuration Mode Hierarchies . . . 3847

Chapter 96

Configuration Statements for Access Privileges . . . . . . . . . . . . . . . . . . . . 3849 access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3850 access-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3851 admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3852 admin-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3852 all-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3853 clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3853 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3887 control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3887 field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3887 firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3888 firewall-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3889 floppy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3889 flow-tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3890 flow-tap-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3890 flow-tap-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3891 idp-profiler-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3891 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3891 interface-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3892 maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3893 network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3899 pgcp-session-mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3901 pgcp-session-mirroring-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3901 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3902 rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3902 routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3903 routing-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3907

lx


Table of Contents

secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3911 secret-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3912 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3913 security-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3916 shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3920 snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3920 system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3921 system-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3922 trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3924 trace-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3929 view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3934 view-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3997

Chapter 97

Operational Commands for Access Privileges . . . . . . . . . . . . . . . . . . . . . . 3999 show cli authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4000

Part 20

Device Security

Chapter 98

Device Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4005 Understanding Storm Control on EX Series Switches . . . . . . . . . . . . . . . . . . . . 4005 Understanding Unknown Unicast Forwarding on EX Series Switches . . . . . . . 4007

Chapter 99

Example: Device Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 4009 Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4009

Chapter 100

Configuring Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4013 Configuring Unknown Unicast Forwarding (CLI Procedure) . . . . . . . . . . . . . . . . 4013 Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4014

Chapter 101

Verifying Device Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4015 Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface . . 4015 Verifying That the Port Error Disable Setting Is Working Correctly . . . . . . . . . . . 4016

Chapter 102

Configuration Statements for Device Security . . . . . . . . . . . . . . . . . . . . . . 4017 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . 4017 action-shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4020 bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4021 disable-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4022 ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4023 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4026 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4027 no-broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4027 no-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4028 no-registered-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4029 no-unknown-unicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4029 no-unregistered-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4030 port-error-disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4031 storm-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4032 unknown-unicast-forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4033


lxi

®


vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4034

Chapter 103

Operational Commands for Device Security . . . . . . . . . . . . . . . . . . . . . . . . 4035 show ethernet-switching interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4036 show ethernet-switching table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4040

Part 21

Port Security

Chapter 104

Port Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4047 Port Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4047 Understanding How to Protect Access Ports on EX Series Switches from Common Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4049 Mitigation of Ethernet Switching Table Overflow Attacks . . . . . . . . . . . . . 4049 Mitigation of Rogue DHCP Server Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 4050 Protection Against ARP Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 4050 Protection Against DHCP Snooping Database Alteration Attacks . . . . . . . 4051 Protection Against DHCP Starvation Attacks . . . . . . . . . . . . . . . . . . . . . . . 4051 Understanding DHCP Snooping for Port Security . . . . . . . . . . . . . . . . . . . . . . . 4052 DHCP Snooping Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4052 DHCP Snooping Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4053 DHCP Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4054 Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN . . 4054 Switch Acts as DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4055 Switch Acts as Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4056 DHCP Snooping Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4057 Static IP Address Additions to the DHCP Snooping Database . . . . . . . . . . 4057 Snooping DHCP Packets That Have Invalid IP Addresses . . . . . . . . . . . . . 4057 Prioritizing Snooped Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4058 Understanding DAI for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4059 Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4059 ARP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4059 Dynamic ARP Inspection (DAI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4060 Prioritizing Inspected Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4060 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4061 MAC Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4061 MAC Move Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4062 Actions for MAC Limiting and MAC Move Limiting . . . . . . . . . . . . . . . . . . . 4062 MAC Addresses That Exceed the MAC Limit or MAC Move Limit . . . . . . . . 4062 Understanding Trusted DHCP Servers for Port Security . . . . . . . . . . . . . . . . . . 4063 Understanding DHCP Option 82 for Port Security on EX Series Switches . . . . 4064 DHCP Option 82 Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4064 Suboption Components of Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4065 Configurations of the EX Series Switch That Support Option 82 . . . . . . . 4065 Switch and Clients Are on Same VLAN as DHCP Server . . . . . . . . . . . 4065 Switch Acts as Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4066 Understanding IP Source Guard for Port Security on EX Series Switches . . . . . 4067 IP Address Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4068 How IP Source Guard Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4068 The IP Source Guard Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4068

lxii


Table of Contents

Typical Uses of Other Junos Operating System (Junos OS) Features with IP Source Guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4069 Understanding Persistent MAC Learning (Sticky MAC) . . . . . . . . . . . . . . . . . . . 4070

Chapter 105

Examples: Port Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4073 Example: Configuring Basic Port Security Features . . . . . . . . . . . . . . . . . . . . . . 4073 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4080 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4084 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4088 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4091 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4095 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch . . . . . . . . . . . . . . . . . 4098 Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces . . . . . 4106 Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4114 Example: Setting Up DHCP Option 82 with a Switch as a Relay Agent Between Clients and a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4120 Example: Setting Up DHCP Option 82 with a Switch with No Relay Agent Between Clients and a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4123 Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4127

Chapter 106

Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4133 Configuring Port Security (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4133 Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4134 Enabling Dynamic ARP Inspection (DAI) . . . . . . . . . . . . . . . . . . . . . . . . . . . 4135 Limiting Dynamic MAC Addresses on an Interface . . . . . . . . . . . . . . . . . . . 4135 Enabling Persistent MAC Learning on an Interface . . . . . . . . . . . . . . . . . . . 4135 Limiting MAC Address Movement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4135 Configuring Trusted DHCP Servers on an Interface . . . . . . . . . . . . . . . . . . . 4136 Configuring Port Security (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 4136 Enabling DHCP Snooping (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4138 Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4139 Applying CoS Forwarding Classes to Prioritize Snooped Packets . . . . . . . . 4139 Enabling DHCP Snooping (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 4140 Enabling a Trusted DHCP Server (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 4141 Enabling a Trusted DHCP Server (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . 4142 Enabling Dynamic ARP Inspection (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 4142 Enabling DAI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4143 Applying CoS Forwarding Classes to Prioritize Inspected Packets . . . . . . . 4143 Enabling Dynamic ARP Inspection (J-Web Procedure) . . . . . . . . . . . . . . . . . . . 4144 Configuring MAC Limiting (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4145


lxiii

®


Configuring MAC Limiting (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 4147 Configuring MAC Move Limiting (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 4150 Configuring MAC Move Limiting (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . 4152 Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4153 Configuring IP Source Guard (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 4154 Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4156 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4157 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4159 Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4162 Configuring Persistent MAC Learning (CLI Procedure) . . . . . . . . . . . . . . . . . . . . 4162

Chapter 107

Verifying Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4165 Monitoring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4165 Verifying That DHCP Snooping Is Working Correctly . . . . . . . . . . . . . . . . . . . . . 4166 Verifying That a Trusted DHCP Server Is Working Correctly . . . . . . . . . . . . . . . . 4167 Verifying That DAI Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4168 Verifying That MAC Limiting Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . . . 4169 Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4169 Verifying That Allowed MAC Addresses Are Working Correctly . . . . . . . . . . 4170 Verifying Results of Various Action Settings When the MAC Limit Is Exceeded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4170 Customizing the Ethernet Switching Table Display to View Information for a Specific Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4172 Verifying That MAC Move Limiting Is Working Correctly . . . . . . . . . . . . . . . . . . . 4173 Verifying That IP Source Guard Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . 4173 Verifying That the Port Error Disable Setting Is Working Correctly . . . . . . . . . . . 4174 Verifying That Persistent MAC Learning Is Working Correctly . . . . . . . . . . . . . . . 4175

Chapter 108

Troubleshooting Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4177 Troubleshooting Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4177 MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table . . . . . . . . . . . . . . . . . . . . . . . . . . 4177 Multiple DHCP Server Packets Have Been Received on Untrusted Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4177

Chapter 109

Configuration Statements for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . 4179 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . . 4179 [edit forwarding-options] Configuration Statement Hierarchy . . . . . . . . . . . . . 4182 allowed-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4184 arp-inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4185 circuit-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4186 dhcp-option82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4187 dhcp-snooping-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4188 dhcp-trusted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4189

lxiv


Table of Contents

disable-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4190 ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4191 examine-dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4194 forwarding-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4195 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4196 ip-source-guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4197 mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4198 mac-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4199 mac-move-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4201 no-allowed-mac-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4202 no-gratuitous-arp-request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4203 persistent-learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4203 port-error-disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4204 prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4205 prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4206 remote-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4207 secure-access-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4208 static-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4209 timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4210 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4211 use-interface-description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4213 use-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4214 use-vlan-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4215 vendor-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4216 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4217 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4218 write-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4219

Chapter 110

Operational Commands for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . 4221 clear arp inspection statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4222 clear dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4223 clear dhcp snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4224 show arp inspection statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4225 show dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4226 show dhcp snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4227 show ethernet-switching table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4228 show ip-source-guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4233

Part 22

Routing Policy and Packet Filtering (Firewall Filters)

Chapter 111

Firewall Filters—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4237 Firewall Filters for EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4237 Firewall Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4238 Firewall Filter Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4239 Firewall Filter Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4240 Understanding Planning of Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4241 Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4243


lxv

®


Understanding How Firewall Filters Control Packet Flows . . . . . . . . . . . . . . . . 4245 Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4246 Firewall Filter Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4247 Match Conditions Supported on Switches . . . . . . . . . . . . . . . . . . . . . . . . . 4247 Actions for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4253 Action Modifiers for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4254 Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4256 Firewall Filter Types and Their Bind Points . . . . . . . . . . . . . . . . . . . . . . . . . 4256 Support for IPv4 and IPv6 Firewall Filters Per Switch . . . . . . . . . . . . . . . . . 4257 Platform Support for Match Conditions for IPv4 Traffic . . . . . . . . . . . . . . . 4257 Platform Support for Match Conditions for IPv6 Traffic . . . . . . . . . . . . . . . 4268 Platform Support for Match Conditions for Non-IP Traffic . . . . . . . . . . . . . 4272 Platform Support for Actions for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . 4273 Platform Support for Actions for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . 4275 Platform Support for Action Modifiers for IPv4 Traffic . . . . . . . . . . . . . . . . 4276 Platform Support for Action Modifiers for IPv6 Traffic . . . . . . . . . . . . . . . . 4280 Support for Match Conditions and Actions for Loopback Firewall Filters on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4282 Understanding How Firewall Filters Are Evaluated . . . . . . . . . . . . . . . . . . . . . . 4286 Understanding Firewall Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . 4288 Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4288 Numeric Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4288 Interface Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4289 IP Address Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4289 MAC Address Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4290 Bit-Field Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4290 Understanding How Firewall Filters Test a Packet's Protocol . . . . . . . . . . . . . . 4292 Understanding the Use of Policers in Firewall Filters . . . . . . . . . . . . . . . . . . . . . 4292 Policers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4292 Policer Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4293 Policer Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4294 Policer Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4294 Color Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4294 Naming Conventions for Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4295 Understanding Tricolor Marking Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 4295 Understanding Filter-Based Forwarding for EX Series Switches . . . . . . . . . . . . 4296

Chapter 112

Examples of Firewall Filters Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 4297 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4297 Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4315 Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4319

lxvi


Table of Contents

Chapter 113

Configuring Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4323 Configuring Firewall Filters (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4323 Configuring a Firewall Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4323 Applying a Firewall Filter to a Port on a Switch . . . . . . . . . . . . . . . . . . . . . . 4327 Applying a Firewall Filter to a Management Interface on a Switch . . . . . . 4328 Applying a Firewall Filter to a VLAN on a Network . . . . . . . . . . . . . . . . . . . 4329 Applying a Firewall Filter to a Layer 3 (Routed) Interface . . . . . . . . . . . . . . 4329 Configuring Firewall Filters (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 4331 Configuring Policers to Control Traffic Rates (CLI Procedure) . . . . . . . . . . . . . . 4335 Configuring Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4335 Specifying Policers in a Firewall Filter Configuration . . . . . . . . . . . . . . . . . . 4336 Applying a Firewall Filter That Is Configured with a Policer . . . . . . . . . . . . 4336 Configuring Tricolor Marking Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4337 Configuring a Tricolor Marking Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4337 Applying Tricolor Marking Policers to Firewall Filters . . . . . . . . . . . . . . . . . 4338 Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4339 Configuring Routing Policies (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 4340

Chapter 114

Verifying Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4347 Verifying That Firewall Filters Are Operational . . . . . . . . . . . . . . . . . . . . . . . . . . 4347 Verifying That Policers Are Operational . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4348 Monitoring Firewall Filter Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4348 Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4349 Monitoring Traffic for a Specific Firewall Filter . . . . . . . . . . . . . . . . . . . . . . 4349 Monitoring Traffic for a Specific Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4349

Chapter 115

Troubleshooting Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4351 Troubleshooting Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4351 A Firewall Filter Configuration Returns a “No Space Available in TCAM” Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4351

Chapter 116

Configuration Statements for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . 4355 [edit firewall] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 4355 Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4356 action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4359 apply-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4359 as-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4360 as-path-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4361 bandwidth-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4362 burst-size-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4363 color-aware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4364 color-blind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4364 committed-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4365 committed-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4366 community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4367 condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4369 damping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4370


lxvii

®


dynamic-db . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4371 excess-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4372 family (Firewall Filter) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4373 filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4374 filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4375 filter-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4375 firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4376 from . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4377 if-exceeding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4378 interface-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4379 loss-priority high then discard (Three-Color Policer) . . . . . . . . . . . . . . . . . . . . . 4379 peak-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4380 policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4381 policy-statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4382 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4384 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4385 single-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4386 term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4387 then . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4388 then . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4389 three-color-policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4390 two-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4391

Chapter 117

Operational Commands for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . 4393 clear firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4394 clear firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4395 show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4396 show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4399 show firewall log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4402 show interfaces filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4405 show interfaces policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4407 show policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4409 show policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4411 show policy conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4413 test policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4415

Part 23

Class of Service

Chapter 118

Class of Service (CoS)—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4419 Junos OS CoS for EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . . 4420 How Junos OS CoS Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4420 Default CoS Behavior on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . 4421 Understanding Junos OS CoS Components for EX Series Switches . . . . . . . . . 4422 Code-Point Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4422 Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4422 Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4422 Forwarding Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4423 Tail Drop Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4423 Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4423 Rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4423

lxviii


Table of Contents

Understanding CoS Code-Point Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4424 Default Code-Point Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4424 Understanding CoS Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4427 Behavior Aggregate Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4427 Default Behavior Aggregate Classification . . . . . . . . . . . . . . . . . . . . . . 4428 Multifield Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4429 Understanding CoS Forwarding Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4430 Default Forwarding Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4430 Understanding CoS Tail Drop Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4433 Understanding CoS Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4434 Default Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4434 Transmission Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4435 Scheduler Buffer Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4435 Priority Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4435 Scheduler Drop-Profile Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4436 Scheduler Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4436 Understanding CoS Two-Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4439 Understanding CoS Rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4440 How Rewrite Rules Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4440 Default Rewrite Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4441 Understanding Port Shaping and Queue Shaping for CoS on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4442 Port Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4442 Queue Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4442 Understanding Junos OS EZQoS for CoS Configurations on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4442 Understanding Using CoS with MPLS Networks on EX Series Switches . . . . . 4443 EXP Classifiers and EXP rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4444 Guidelines for Using CoS Classifiers on CCCs . . . . . . . . . . . . . . . . . . . . . . . 4444 Using CoS Classifiers with IP over MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 4445 Setting CoS Bits in an MPLS Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4445 EXP Rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4446 Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4447 Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4447 Understanding CoS Queues on EX8200 Line Cards That Include Oversubscribed Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4448 Oversubscribed Ports on Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4448 EX8200 Line Cards That Include Oversubscribed Ports . . . . . . . . . . . . . . 4448 Ingress Queueing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4449 Preclassification of Packets and Port Ingress Queuing . . . . . . . . . . . . 4449 Full Classification of Packets and Fabric Ingress Queuing . . . . . . . . . 4450 Egress Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4450 Understanding Priority-Based Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4451 Reliability of Packet Delivery in Standard Ethernet Networks and in Layer 2 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4451 Calculations for Buffer Requirements When Using PFC PAUSE . . . . . . . . . 4451 How PFC and Congestion Notification Profiles Work With or Without DCBX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4452


lxix

®


Chapter 119

Examples: CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4455 Example: Configuring CoS on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . 4455 Example: Combining CoS with MPLS on EX Series Switches . . . . . . . . . . . . . . 4470

Chapter 120

Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4483 Configuring CoS (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4483 Defining CoS Code-Point Aliases (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . 4484 Defining CoS Code-Point Aliases (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 4486 Defining CoS Classifiers (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4487 Defining CoS Classifiers (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 4489 Defining CoS Forwarding Classes (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . 4491 Defining CoS Forwarding Classes (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . 4491 Defining CoS Schedulers (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4493 Configuring CoS Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4493 Assigning Scheduler Maps to Interfaces on a 40-port SFP+ Line Card . . . 4494 Defining CoS Schedulers (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 4494 Defining CoS Scheduler Maps (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . 4496 Defining CoS Drop Profiles (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 4497 Configuring CoS Tail Drop Profiles (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . 4499 Defining CoS Rewrite Rules (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 4500 Defining CoS Rewrite Rules (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 4501 Assigning CoS Components to Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . 4503 Assigning CoS Components to Interfaces (J-Web Procedure) . . . . . . . . . . . . . 4503 Configuring Junos OS EZQoS for CoS (CLI Procedure) . . . . . . . . . . . . . . . . . . . 4505 Configuring CoS on an MPLS Provider Edge Switch Using IP Over MPLS (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4506 Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4506 Configuring an LSP Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4507 Configuring CoS on an MPLS Provider Edge Switch Using Circuit Cross-Connect (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4507 Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4508 Configuring an LSP Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4509 Configuring CoS Traffic Classification for Ingress Queuing on Oversubscribed Ports on EX8200 Line Cards (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . 4510 Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) . . 4511

Chapter 121

Verifying CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4513 Monitoring CoS Classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4513 Monitoring CoS Forwarding Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4514 Monitoring Interfaces That Have CoS Components . . . . . . . . . . . . . . . . . . . . . . 4515 Monitoring CoS Rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4516 Monitoring CoS Scheduler Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4517 Monitoring CoS Value Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4519 Monitoring CoS Drop Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4519

Chapter 122

Troubleshooting CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4521 Troubleshooting CoS Schedulers on a 40-port SFP+ Line Card in an EX8200 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4521 Troubleshooting a CoS Classifier Configuration for a TCAM Space Error . . . . . 4522

lxx


Table of Contents

Chapter 123

Configuration Statements for CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4525 [edit class-of-service] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . 4525 broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4527 buffer-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4528 class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4529 class-of-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4530 classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4532 code-point-aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4533 code-points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4533 drop-profile-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4534 dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4535 dscp-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4536 ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4537 exp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4538 family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4539 forwarding-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4540 forwarding-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4541 ieee-802.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4542 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4543 inet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4544 inet-precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4545 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4546 loss-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4547 multi-destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4548 policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4549 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4550 protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4550 rewrite-rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4551 scheduler-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4552 scheduler-maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4553 schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4554 shaping-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4555 shared-buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4556 transmit-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4557 unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4558

Chapter 124

Operational Commands for CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4559 show class-of-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4560 show class-of-service classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4565 show class-of-service code-point-aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4567 show class-of-service drop-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4569 show class-of-service forwarding-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4572 show class-of-service interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4574 show pfe statistics traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4597 show pfe statistics traffic cpu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4600 show pfe statistics traffic egress-queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4604 show pfe statistics traffic multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4606


lxxi

®


Part 24

Power over Ethernet

Chapter 125

Power over Ethernet (PoE)—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4613 PoE and EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4613 PoE, PoE+, and Enhanced PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4613 PoE Power Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4614 PoE Power Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4614 Power Management Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4616 PoE Interface Power Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4617

Chapter 126

Examples: PoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4619 Example: Configuring PoE Interfaces on an EX Series Switch . . . . . . . . . . . . . . 4619 Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4621 Example: Configuring PoE on an EX6200 or EX8200 Switch . . . . . . . . . . . . . . 4626

Chapter 127

Configuring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4635 Configuring PoE (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4635 PoE Configurable Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4636 Configuring the PoE Controller on EX2200, EX3200, EX3300, and EX4200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4638 Configuring the PoE Controllers on EX6200 and EX8200 Switches . . . . . 4639 Configuring PoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4640 Configuring PoE (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4641 Configuring PoE on EX2200, EX2200-C, EX3200, EX3300, EX4200, EX4500 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4641 Configuring PoE on EX6200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4642

Chapter 128

Administering PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4645 Monitoring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4645 Monitoring PoE Power Consumption (CLI Procedure) . . . . . . . . . . . . . . . . . . . 4646 PoE Power Consumption on a Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4646 Current Power Consumption for PoE Interfaces . . . . . . . . . . . . . . . . . . . . . 4647 Power Consumption for PoE Interfaces over Time . . . . . . . . . . . . . . . . . . . 4648 Verifying PoE Configuration and Status (CLI Procedure) . . . . . . . . . . . . . . . . . 4649 PoE Controller Configuration and Status . . . . . . . . . . . . . . . . . . . . . . . . . . 4649 PoE Interface Configuration and Status . . . . . . . . . . . . . . . . . . . . . . . . . . . 4650 PoE SNMP Trap Generation Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4651 Upgrading the PoE Controller Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4652 Determining Whether the PoE Controller Software Needs Upgrading . . . 4652 Upgrading the PoE Controller Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 4653 Monitoring the Upgrade Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4653

Chapter 129

Troubleshooting PoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4655 Troubleshooting PoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4655

Chapter 130

Configuration Statements for PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4657 [edit poe] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 4657 af-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4658 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4659 duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4660

lxxii


Table of Contents

fpc (Line Card) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4661 fpc (Notification Control) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4662 guard-band . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4663 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4664 interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4665 management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4666 maximum-power (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4667 maximum-power (Line Card) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4669 notification-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4670 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4671 telemetries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4672

Chapter 131

Operational Commands for PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4673 request system firmware upgrade poe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4674 show poe controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4676 show poe interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4678 show poe notification-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4681 show poe telemetries interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4683

Part 25

Converged Networks (LAN and SAN)

Chapter 132

Converged Networks (LAN and SAN)—Overview . . . . . . . . . . . . . . . . . . . 4687 Understanding FIP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4687 FC Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4688 FIP Snooping Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4688 FIP Snooping Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4688 FIP Snooping Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4689 Server ENode-Facing Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4689 FCF-Facing Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4689 FCoE Mapped Address Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4689 T11 FIP Snooping Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4690 Understanding Using an FCoE Transit Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 4690 Understanding Priority-Based Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4691 Reliability of Packet Delivery in Standard Ethernet Networks and in Layer 2 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4691 Calculations for Buffer Requirements When Using PFC PAUSE . . . . . . . . 4692 How PFC and Congestion Notification Profiles Work With or Without DCBX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4692 Understanding Data Center Bridging Capability Exchange Protocol for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4694 Basic DCBX Functioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4694 DCBX and PFC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4695 DCBX and FCoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4695 DCBX and iSCSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4695 How DCBX Is Implemented on the Switches . . . . . . . . . . . . . . . . . . . . . . . 4696 Features That Are Not Supported in DCBX on the Switches . . . . . . . . . . . 4696 Understanding DCB Features and Requirements on EX Series Switches . . . . . 4697 EX Series Switch DCB Features Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4697 Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4698 DCBX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4698


lxxiii

®


Lossless Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4698 PFC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4698 Buffer Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4698 Understanding DCBX Application Protocol TLV Exchange on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4699 Basic Steps for Setting Up Application Protocol TLV Exchange . . . . . . . . 4699 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4700 Application Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4700 Classifying and Prioritizing Application Traffic . . . . . . . . . . . . . . . . . . . . . . . 4701 Requirements for Interfaces in Non-FCoE Applications to Exchange Application Protocol Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4701

Chapter 133

Example: Converged Networks (LAN and SAN) Configuration . . . . . . . . 4703 Example: Configuring an FCoE Transit Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 4703 Example: Configuring DCBX to Support an iSCSI Application . . . . . . . . . . . . . . 4715

Chapter 134

Configuring Converged Networks (LAN and SAN) . . . . . . . . . . . . . . . . . . . 4721 Configuring FIP Snooping on an FCoE Transit Switch . . . . . . . . . . . . . . . . . . . . . 4721 Configuring Priority-Based Flow Control for an EX Series Switch (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4723 Disabling DCBX to Disable PFC Autonegotiation on EX Series Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4726 Disabling DCBX Application Protocol Exchange on EX Series Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4726 Defining an Application for DCBX Application Protocol TLV Exchange . . . . . . . 4727 Configuring an Application Map for DCBX Application Protocol TLV Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4728 Applying an Application Map to an Interface for DCBX Application Protocol TLV Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4729

Chapter 135

Configuration Statements for Converged Networks (LAN and SAN) . . . 4731 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . . 4731 [edit class-of-service] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . 4734 application (Applications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4736 application (Application Maps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4737 applications (Applications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4738 application-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4739 application-maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4740 code-point (Congestion Notification) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4741 code-points (Application Maps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4742 congestion-notification-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4743 dcbx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4744 destination-port (Applications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4745 disable (DCBX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4746 ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4747 ether-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4750 examine-fip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4751 fc-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4752 fcoe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4753 fcoe-trusted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4754

lxxiv


Table of Contents

ieee-802.1 (Congestion Notification) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4755 input (Congestion Notification) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4755 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4756 interface (DCBX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4757 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4758 policy-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4759 priority-flow-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4760 protocol (Applications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4761 secure-access-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4762 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4764

Chapter 136

Operational Commands for Converged Networks (LAN and SAN) . . . . . 4767 clear fip snooping enode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4768 clear fip snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4769 clear fip snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4770 show dcbx neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4771 show fip snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4785 show fip snooping enode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4788 show fip snooping fcf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4790 show fip snooping statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4792 show fip snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4794

Part 26

MPLS

Chapter 137

MPLS—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4799 Junos OS MPLS for EX Series Switches Overview . . . . . . . . . . . . . . . . . . . . . . . 4799 Benefits of MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4800 Additional Benefits of MPLS and Traffic Engineering . . . . . . . . . . . . . . . . 4800 Understanding Junos OS MPLS Components for EX Series Switches . . . . . . . . 4801 Provider Edge Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4801 MPLS Protocol and Label-Switched Paths . . . . . . . . . . . . . . . . . . . . . 4801 Circuit Cross-Connect for Customer Edge Interfaces . . . . . . . . . . . . . 4802 IP Over MPLS for Customer Edge Interfaces . . . . . . . . . . . . . . . . . . . . 4802 BGP for Layer 2 VPN and Layer 3 VPN Configurations (EX8200 Switches Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4803 Routing Instances for Layer 2 VPN and Layer 3 VPN (EX8200 Switches Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4803 Ethernet Encapsulation for Layer 2 VPN (EX8200 Switches Only) . . 4803 LDP for Layer 2 Circuits (EX8200 Switches Only) . . . . . . . . . . . . . . . . 4803 Provider Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4803 Components Required for All Switches in the MPLS Network . . . . . . . . . . 4803 Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4804 Traffic Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4804 MPLS Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4804 RSVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4804 LDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4805 Family mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4805 Understanding MPLS and Path Protection on EX Series Switches . . . . . . . . . . 4806


lxxv

®


Understanding Using CoS with MPLS Networks on EX Series Switches . . . . . 4807 EXP Classifiers and EXP rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4807 Guidelines for Using CoS Classifiers on CCCs . . . . . . . . . . . . . . . . . . . . . . . 4807 Using CoS Classifiers with IP over MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . 4808 Setting CoS Bits in an MPLS Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4808 EXP Rewrite Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4810 Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4810 Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4810 Understanding MPLS Label Operations on EX Series Switches . . . . . . . . . . . . . 4811 MPLS Label-Switched Paths and MPLS Labels on the Switches . . . . . . . . 4811 Reserved Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4812 MPLS Label Operations on the Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 4813 Penultimate-Hop Popping and Ultimate-Hop Popping . . . . . . . . . . . . . . . 4814 Understanding Using MPLS-Based Layer 2 and Layer 3 VPNs on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4815 MPLS-Based Layer 2 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4815 Layer 2 Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4816 MPLS-Based Layer 3 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4816 Comparing an MPLS-Based Layer 3 VPN and an MPLS-Based Layer 2 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4817

Chapter 138

Examples of MPLS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4819 Example: Configuring MPLS on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . 4819 Example: Combining CoS with MPLS on EX Series Switches . . . . . . . . . . . . . . 4834 Example: Configuring MPLS-Based Layer 2 VPNs . . . . . . . . . . . . . . . . . . . . . . . 4845 Example: Configuring MPLS-Based Layer 3 VPNs on EX Series Switches . . . . 4858

Chapter 139

Configuring MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4869 Configuring MPLS on Provider Switches (CLI Procedure) . . . . . . . . . . . . . . . . . 4870 Configuring Path Protection in an MPLS Network (CLI Procedure) . . . . . . . . . . 4871 Configuring the Primary Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4873 Configuring the Secondary Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4873 Configuring the Revert Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4874 Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4875 Configuring the Ingress PE Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4875 Configuring the Egress PE Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4877 Configuring MPLS on Provider Edge Switches Using Circuit Cross-Connect (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4879 Configuring CoS on an MPLS Provider Edge Switch Using IP Over MPLS (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4882 Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4882 Configuring an LSP Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4883 Configuring CoS on an MPLS Provider Edge Switch Using Circuit Cross-Connect (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4883 Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4884 Configuring an LSP Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4885 Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) . . 4886 Configuring CoS Bits for an MPLS Network (CLI Procedure) . . . . . . . . . . . . . . . 4887 Configuring an MPLS-Based Layer 2 VPN (CLI Procedure) . . . . . . . . . . . . . . . . 4888

lxxvi


Table of Contents

Configuring an MPLS-Based Layer 3 VPN (CLI Procedure) . . . . . . . . . . . . . . . . 4891 Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure) . . 4893 Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4896 Configuring an MPLS-Based VLAN CCC Using the Connection Method (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4899 Configuring IPv6 Tunneling for MPLS (CLI Procedure) . . . . . . . . . . . . . . . . . . . 4900 Configuring Static Label Switched Paths for MPLS (CLI Procedure) . . . . . . . . 4902 Configuring the Ingress PE Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4902 Configuring the Provider and the Egress PE Switch . . . . . . . . . . . . . . . . . . 4903

Chapter 140

Verifying MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4905 Verifying That MPLS Is Working Correctly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4905 Verifying the Physical Layer on the Switches . . . . . . . . . . . . . . . . . . . . . . . 4905 Verifying the Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4906 Verifying the Core Interfaces Being Used for the MPLS Traffic . . . . . . . . . 4906 Verifying RSVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4906 Verifying the Assignment of Interfaces for MPLS Label Operations . . . . . 4907 Verifying the Status of the CCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4907 Verifying Path Protection in an MPLS Network . . . . . . . . . . . . . . . . . . . . . . . . . 4908 Verifying the Primary Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4908 Verifying the RSVP-Enabled Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4909 Verifying a Secondary Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4909

Chapter 141

Configuration Statements for MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4911 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . 4911 connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4920 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4921 encapsulation (Physical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4922 encapsulation-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4925 exp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4927 instance-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4928 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4929 label-switched-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4930 ldp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4931 l2circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4932 l2vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4933 mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4934 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4936 path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4937 policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4938 primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4938 remote-interface-switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4939 remote-site-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4940 revert-timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4941 route-distinguisher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4942 rsvp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4943 secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4944 signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4945 site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4946


lxxvii

®


site-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4947 standby . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4947 traffic-engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4948 traffic-engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4949 vrf-table-label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4950 vrf-target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4951

Chapter 142

Operational Commands for MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4953 clear mpls lsp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4954 clear rsvp session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4956 clear rsvp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4958 ping mpls l2circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4959 ping mpls l2vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4962 ping mpls l3vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4965 ping mpls ldp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4967 ping mpls lsp-end-point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4970 ping mpls rsvp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4972 request mpls lsp adjust-autobandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4977 show connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4979 show connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4982 show link-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4986 show link-management peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4990 show link-management routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4992 show link-management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4995 show link-management te-link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4997 show mpls admin-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4999 show mpls call-admission-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5000 show mpls cspf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5002 show mpls diffserv-te . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5004 show mpls interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5006 show mpls interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5007 show mpls lsp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5008 show mpls path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5018 show route forwarding-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5019 show rsvp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5026 show rsvp neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5031 show rsvp session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5036 show rsvp session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5041 show rsvp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5049 show rsvp version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5053 show ted database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5056 show ted link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5060 show ted protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5062

lxxviii


Table of Contents

Part 27

Network Management and Monitoring

Chapter 143

Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5067 Port Mirroring—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5067 Understanding Port Mirroring on EX Series Switches . . . . . . . . . . . . . . . . . 5067 Port Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5068 Port Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5069 Configuration Guidelines for Port Mirroring on the Switches . . . . . . . . 5070 Examples: Port Mirroring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5073 Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 5073 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 5078 Example: Configuring Port Mirroring to Multiple Interfaces for Remote Monitoring of Employee Resource Use on EX Series Switches . . . . . . 5088 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX Series Switches . . . . . 5097 Configuring Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5104 Configuring Port Mirroring to Analyze Traffic (CLI Procedure) . . . . . . . . . . 5104 Configuring Port Mirroring for Local Traffic Analysis . . . . . . . . . . . . . . . 5105 Configuring Port Mirroring for Remote Traffic Analysis . . . . . . . . . . . . 5106 Filtering the Traffic Entering an Analyzer . . . . . . . . . . . . . . . . . . . . . . . 5106 Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) . . . . . . . . 5108 Verifying Port Mirroring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5109 Verifying Input and Output for Port Mirroring Analyzers on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5109 Troubleshooting Port Mirroring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 5110 Troubleshooting Port Mirroring Configuration Error Messages . . . . . . . . . . . 5111 An Analyzer Configuration Returns a “Multiple interfaces cannot be configured as a member of Analyzer output VLAN” Error Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5111 Configuration Statements for Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5112 [edit ethernet-switching-options] Configuration Statement Hierarchy . . . 5112 analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5116 egress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5117 egress (Interface or VLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5117 ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5118 ingress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5121 ingress (Interface or VLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5121 input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5122 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5123 loss-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5124 no-tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5124 output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5125 ratio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5126 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5127 Operational Commands for Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5127 show analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5128


lxxix

®


Chapter 144

sFlow Monitoring Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5131 sFlow Technology—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5131 Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5131 Sampling Mechanism and Architecture of sFlow Technology on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5131 Adaptive Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5132 sFlow Agent Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5133 Example: sFlow Technology Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5134 Example: Configuring sFlow Technology to Monitor Network Traffic on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5134 Configuring sFlow Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5138 Configuring sFlow Technology for Network Monitoring (CLI Procedure) . . 5138 Configuration Statements for sFlow Technology . . . . . . . . . . . . . . . . . . . . . . . . 5140 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . 5140 collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5149 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5149 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5150 polling-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5151 sample-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5152 sflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5153 udp-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5154 Operational Commands for sFlow Technology . . . . . . . . . . . . . . . . . . . . . . . . . . 5154 show sflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5155 show sflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5157 show sflow interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5158

Chapter 145

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5161 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5161 Configuring SNMP (J-Web Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5161 Configuration Statements for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5164 [edit snmp] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . 5164 address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5165 address-mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5165 agent-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5166 alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5167 authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5168 bucket-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5168 categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5169 client-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5169 client-list-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5170 clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5170 commit-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5171 community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5172 community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5173 community-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5174 contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5175 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5175 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5176

lxxx


Table of Contents

destination-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5176 engine-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5177 event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5178 falling-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5178 falling-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5179 falling-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5180 falling-threshold-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5181 filter-duplicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5181 filter-interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5182 group (Configuring Group Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5183 group (Defining Access Privileges for an SNMPv3 Group) . . . . . . . . . . . . . 5184 health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5184 history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5185 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5186 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5186 interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5187 interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5187 interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5188 location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5188 logical-system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5189 message-processing-model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5190 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5190 nonvolatile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5191 notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5192 notify-filter (Configuring the Profile Name) . . . . . . . . . . . . . . . . . . . . . . . . . 5193 notify-filter (Applying to the Management Target) . . . . . . . . . . . . . . . . . . . 5193 notify-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5194 oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5194 oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5195 owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5195 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5196 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5196 read-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5197 request-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5198 rising-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5199 rising-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5200 rising-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5201 rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5201 rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5202 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5203 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5204 sample-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5204 security-level (Generating SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . 5205 security-level (Defining Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . 5206 security-model (Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5207 security-model (Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5208 security-model (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5208 security-name (Security Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5209 security-name (Community String) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5209


lxxxi

®


security-name (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5210 security-to-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5211 snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5211 snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5212 snmp-community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5212 source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5213 startup-alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5214 syslog-subtag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5214 tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5215 tag-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5215 target-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5216 target-parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5217 targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5218 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5219 trap-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5221 trap-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5222 type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5222 type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5223 v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5224 vacm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5226 variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5227 version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5227 view (Configuring a MIB View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5228 view (Associating a MIB View with a Community) . . . . . . . . . . . . . . . . . . . 5229 write-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5229 Operational Commands for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5229 clear snmp rmon history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5230 clear snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5231 request snmp spoof-trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5233 show snmp health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5239 show snmp inform-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5246 show snmp rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5248 show snmp rmon history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5252 show snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5256 show snmp v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5260

Chapter 146

Real-Time Performance Monitoring (RPM) . . . . . . . . . . . . . . . . . . . . . . . . 5263 RPM—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5263 Understanding Real-Time Performance Monitoring on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5264 RPM Packet Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5264 Tests and Probe Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5264 Hardware Timestamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5265 Limitations of RPM on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . 5267 Configuring Real-Time Performance Monitoring (RPM) . . . . . . . . . . . . . . . . . . 5267 Configuring Real-Time Performance Monitoring (J-Web Procedure) . . . . . 5267 Configuring the Interface for RPM Timestamping for Client/Server on an EX Series Switch (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5274

lxxxii


Table of Contents

Verifying Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 5276 Viewing Real-Time Performance Monitoring Information . . . . . . . . . . . . . 5276 Configuration Statements for Real-Time Performance Monitoring . . . . . . . . . . 5276 data-fill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5276 data-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5277 destination-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5278 dscp-code-point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5279 hardware-timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5280 history-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5280 moving-average-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5281 one-way-hardware-timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5281 port (RPM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5282 probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5283 probe-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5284 probe-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5284 probe-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5285 probe-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5285 probe-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5286 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5287 routing-instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5287 rpm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5288 source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5288 target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5289 tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5289 test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5290 test-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5291 thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5292 traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5293 udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5294 Operational Commands for Real-Time Performance Monitoring . . . . . . . . . . . 5294 show services rpm active-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5295 show services rpm history-results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5296 show services rpm probe-results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5299

Chapter 147

Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5305 Ethernet OAM Link Fault Management—Overview . . . . . . . . . . . . . . . . . . . . . . 5305 Understanding Ethernet OAM Link Fault Management for an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5305 Example of Ethernet OAM Link Fault Management Configuration . . . . . . . . . . 5306 Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5307 Configuring Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . 5309 Configuring Ethernet OAM Link Fault Management (CLI Procedure) . . . . 5309 Configuration Statements for Ethernet OAM Link Fault Management . . . . . . . . 5311 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . 5311 action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5320 action-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5321 allow-remote-loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5322 ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5323


lxxxiii

®


event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5326 event-thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5326 frame-error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5327 frame-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5327 frame-period-summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5328 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5329 link-adjacency-loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5330 link-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5330 link-down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5331 link-event-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5331 link-fault-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5332 negotiation-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5333 no-allow-link-events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5333 oam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5334 pdu-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5336 pdu-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5337 remote-loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5337 symbol-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5338 syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5338 traceoptions (OAM LFM, for EX Series Switch Only) . . . . . . . . . . . . . . . . . 5339 Operational Commands for Ethernet OAM Link Fault Management . . . . . . . . 5340 show oam ethernet link-fault-management . . . . . . . . . . . . . . . . . . . . . . . . 5341

Chapter 148

Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . 5347 Ethernet OAM Connectivity Fault Management—Overview . . . . . . . . . . . . . . . . 5347 Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5347 Understanding Ethernet Frame Delay Measurements on Switches . . . . . 5348 Ethernet Frame Delay Measurements . . . . . . . . . . . . . . . . . . . . . . . . . 5349 Types of Ethernet Frame Delay Measurements . . . . . . . . . . . . . . . . . . 5350 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5350 Example of Ethernet OAM Connectivity Fault Management Configuration . . . . 5351 Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5351 Configuring Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . 5354 Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5354 Creating the Maintenance Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5355 Configuring the Maintenance Domain MIP Half Function . . . . . . . . . . 5355 Creating a Maintenance Association . . . . . . . . . . . . . . . . . . . . . . . . . . 5356 Configuring the Continuity Check Protocol . . . . . . . . . . . . . . . . . . . . . 5356 Configuring a Maintenance Association End Point . . . . . . . . . . . . . . . 5356 Configuring a Connectivity Fault Management Action Profile . . . . . . . 5357 Configuring the Linktrace Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5358 Configuring MEP Interfaces on Switches to Support Ethernet Frame Delay Measurements (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5358 Configuring One-Way Ethernet Frame Delay Measurements on Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5359

lxxxiv


Table of Contents

Configuring an Iterator Profile on a Switch (CLI Procedure) . . . . . . . . . . . . 5360 Triggering an Ethernet Frame Delay Measurement Session on a Switch . . 5361 Configuring Two-Way Ethernet Frame Delay Measurements on Switches (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5362 Configuration Statements for Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5362 [edit protocols] Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . 5362 action-profile (Applying to OAM CFM, for EX Series Switch Only) . . . . . . . 5372 age (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5373 auto-discovery (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . 5373 connectivity-fault-management (EX Series Switch Only) . . . . . . . . . . . . . 5374 continuity-check (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . 5375 data-tlv-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5376 direction (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5376 esp-traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5377 hold-interval (OAM CFM, for EX Series Switch Only) . . . . . . . . . . . . . . . . . 5378 interface (OAM CFM, for EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . 5379 interval (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5380 iteration-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5381 level (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5381 linktrace (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5382 loss-threshold (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5382 maintenance-association (EX Series Switch Only) . . . . . . . . . . . . . . . . . . 5383 maintenance-domain (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . 5384 measurement-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5385 mep (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5386 mip-half-function (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . 5387 name-format (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5388 path-database-size (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . 5388 performance-monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5389 priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5390 priority (OAM Connectivity-Fault Management) . . . . . . . . . . . . . . . . . . . . 5390 remote-mep (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5391 short-name-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5392 sla-iterator-profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5393 sla-iterator-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5394 traceoptions (OAM CFM, for EX Series Switch Only) . . . . . . . . . . . . . . . . . 5395 Operational Commands for Ethernet OAM Connectivity Fault Management . . 5396 clear oam ethernet connectivity-fault-management delay-statistics . . . . 5397 clear oam ethernet connectivity-fault-management sla-iterator-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5398 clear oam ethernet connectivity-fault-management statistics . . . . . . . . . 5399 monitor ethernet delay-measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5400 show oam ethernet connectivity-fault-management delay-statistics . . . 5404 show oam ethernet connectivity-fault-management forwarding-state . . 5408 show oam ethernet connectivity-fault-management interfaces . . . . . . . . 5412 show oam ethernet connectivity-fault-management linktrace path-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5418 show oam ethernet connectivity-fault-management mep-database . . . 5420


lxxxv

®


show oam ethernet connectivity-fault-management mip . . . . . . . . . . . . . 5426 show oam ethernet connectivity-fault-management sla-iterator-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5427

Chapter 149

Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5431 Uplink Failure Detection—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5431 Understanding Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5431 Uplink Failure Detection Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5431 Failure Detection Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5432 Configuring Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5433 Configuring Interfaces for Uplink Failure Detection (CLI Procedure) . . . . . 5433 Verifying Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5434 Verifying That Uplink Failure Detection Is Working Correctly . . . . . . . . . . . 5434 Configuration Statements for Uplink Failure Detection . . . . . . . . . . . . . . . . . . . 5435 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5435 link-to-disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5436 link-to-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5436 uplink-failure-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5437 Operational Commands for Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . 5437 show uplink-failure-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5438

Chapter 150

Monitoring General Network Traffic and Hosts . . . . . . . . . . . . . . . . . . . . . . 5441 Monitoring Hosts Using the J-Web Ping Host Tool . . . . . . . . . . . . . . . . . . . . . . . 5441 Monitoring Network Traffic Using Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . 5443

Chapter 151

Configuration Statements for General Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5445 archive-sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5445 class-usage-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5446 counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5447 destination-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5447 fields (for Interface Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5448 file (Associating with a Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5449 file (Configuring a Log File) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5450 files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5451 filter-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5452 interface-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5453 interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5454 mib-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5455 object-names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5456 operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5456 routing-engine-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5457 size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5458 source-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5458 start-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5459 transfer-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5459

Chapter 152

Operational Commands for General Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5461 monitor traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5462 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5471

lxxxvi


Table of Contents

show pfe statistics bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5475 show snmp mib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5478 traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5481


lxxxvii

®


lxxxviii


List of Figures Part 1


Chapter 2

Supported Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Figure 1: Front Panel of an EX2200 Switch with 48 Gigabit Ethernet Ports . . . . . 44 Figure 2: Front Panel of an EX2200 Switch with 24 Gigabit Ethernet Ports . . . . . 44 Figure 3: Front Panel of an EX2200-C Switch with 12 Gigabit Ethernet Ports (PoE+) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Figure 4: Front Panel of an EX2200-C Switch with 12 Gigabit Ethernet Ports (non-PoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Figure 5: Rear Panel of an EX2200 Switch With an AC Power Supply . . . . . . . . . 46 Figure 6: Rear Panel of an EX2200-C-12P Switch with Heatsink . . . . . . . . . . . . . . 46 Figure 7: EX4500 Switch Front . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Figure 8: EX4500 Switch Rear with Intraconnect Module Installed . . . . . . . . . . . 56 Figure 9: EX4500 Switch Rear with Virtual Chassis Module Installed . . . . . . . . . . 56 Figure 10: EX6210 Switch Front . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Figure 11: EX6210 Switch Rear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Figure 12: EX8208 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Figure 13: EX8216 Switch Front . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Figure 14: EX8216 Switch Rear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Figure 15: XRE200 External Routing Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Part 5


Chapter 15

Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Figure 16: LCD Panel in an EX3200, EX4200, EX4500, or EX8200 Switch . . . . . 260

Part 6


Chapter 19

Managing Junos OS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Figure 17: EX Series Switch LCD Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

Part 7


Chapter 25

Troubleshooting Access and User Management . . . . . . . . . . . . . . . . . . . . . 605 Figure 18: Connecting to the Console Port on the EX Series Switch . . . . . . . . . . 605

Part 8


Chapter 28

System Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Figure 19: DHCP Client/Server Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656 Figure 20: DHCP Four-Step Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658


lxxxix

®


Part 10


Chapter 37

EX3300, EX4200, and EX4500 Virtual Chassis—Overview, Components, and Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1281 Figure 21: Console Session Redirection (EX4200 Virtual Chassis Pictured) . . . 1292 Figure 22: Management Ethernet Port Redirection to the VME Interface . . . . . . 1293 Figure 23: Normal Traffic Flow in a Ring Topology Using Dedicated VCPs . . . . 1300 Figure 24: Traffic Redirected by Fast Failover After a Dedicated VCP Link Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1301 Figure 25: Normal Traffic Flow in a Ring Topology Using SFP Uplink VCPs . . . . 1302 Figure 26: Traffic Redirected by Fast Failover After SFP Uplink VCP Link Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1303 Figure 27: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1304

Chapter 38

EX3300, EX4200, and EX4500 Virtual Chassis—Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1311 Figure 28: Basic EX4200 Virtual Chassis with Master and Backup . . . . . . . . . . . 1314 Figure 29: Basic EX4500 Virtual Chassis with Master and Backup . . . . . . . . . . . 1318 Figure 30: Expanded EX4200 Virtual Chassis in a Single Wiring Closet . . . . . . . 1323 Figure 31: Mixed EX4200 and EX4500 Virtual Chassis Topology (Nonprovisioned Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1329 Figure 32: Mixed EX4200 and EX4500 Virtual Chassis Topology (Preprovisioned Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333 Figure 33: Default Configuration of a Multimember EX4200 Virtual Chassis in a Single Wiring Closet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1337 Figure 34: EX4200 Virtual Chassis Interconnected Across Wiring Closets . . . . 1344 Figure 35: Mixed EX4200 and EX4500 Virtual Chassis Interconnected Across Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1351 Figure 36: Topology for LAGs Connecting an EX4200 Virtual Chassis Access Switch to an EX4200 Virtual Chassis Distribution Switch . . . . . . . . . . . . . . 1356 Figure 37: Maximum Size EX4200 Virtual Chassis Interconnected Across Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1370 Figure 38: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1382 Figure 39: EX4200 Virtual Chassis Interconnected Across Wiring Closets to Form LAGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388

Part 11


Chapter 44

EX8200 Virtual Chassis—Overview, Components, and Configurations . . 1537 Figure 40: EX8200 Virtual Chassis Full Mesh Topology with Four EX8200 Member Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1542 Figure 41: EX8200 Virtual Chassis Full Mesh Topology with Two EX8200 Member Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1543 Figure 42: EX8200 Virtual Chassis Ring Topology . . . . . . . . . . . . . . . . . . . . . . . 1544 Figure 43: EX8200 Virtual Chassis Basic Topology . . . . . . . . . . . . . . . . . . . . . . . 1545 Figure 44: EX8200 Virtual Chassis Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548

Chapter 46

xc

Configuring EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1563


List of Figures

Figure 45: Long Distance EX8200 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . 1569

Part 12

High Availability

Chapter 50

High Availability—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659 Figure 46: Basic VRRP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 1664 Figure 47: VRRP on Virtual Chassis Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 1665

Chapter 51

Examples of High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . 1681 Figure 48: Example Line-Card Upgrade Group Topology . . . . . . . . . . . . . . . . . . 1685

Part 13


Chapter 56

Interfaces—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769 Figure 49: Symmetrically Routed Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1781 Figure 50: Asymmetrically Routed Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 1782

Chapter 57

Examples of Interfaces Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1791 Figure 51: Topology for LAGs Connecting an EX4200 Virtual Chassis Access Switch to an EX4200 Virtual Chassis Distribution Switch . . . . . . . . . . . . . . 1793 Figure 52: Topology for IP Directed Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . 1814

Part 14

Ethernet Switching

Chapter 63

Ethernet Switching—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073 Figure 53: Subdomains in a PVLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2081 Figure 54: PVLAN Spanning Multiple Switches . . . . . . . . . . . . . . . . . . . . . . . . . 2082 Figure 55: PVLAN Spanning Multiple Switches . . . . . . . . . . . . . . . . . . . . . . . . . 2084 Figure 56: Configuring a PVLAN on a Single Switch . . . . . . . . . . . . . . . . . . . . . 2086 Figure 57: Configuring a PVLAN on a Multiple Switches . . . . . . . . . . . . . . . . . . . 2087 Figure 58: Redundant Trunk Group, Link 1 Active . . . . . . . . . . . . . . . . . . . . . . . . 2090 Figure 59: Redundant Trunk Group, Link 2 Active . . . . . . . . . . . . . . . . . . . . . . . 2090 Figure 60: L2PT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2098 Figure 61: An RVI on a Switch Providing Routing Between Two Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2105 Figure 62: Creating an RVI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2107 Figure 63: Protocol Packets from the Network to the Router . . . . . . . . . . . . . . . 2113 Figure 64: Protocol Packets from the Router or Switch to the Network . . . . . . . 2113

Chapter 64

Examples: Ethernet Switching Configuration . . . . . . . . . . . . . . . . . . . . . . . . 2117 Figure 65: Topology for Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2133 Figure 66: Topology for Configuring the Redundant Trunk Links . . . . . . . . . . . . 2144 Figure 67: Topology of a Private VLAN on a Single EX Series Switch . . . . . . . . . . 2151 Figure 68: PVLAN Topology Spanning Multiple Switches . . . . . . . . . . . . . . . . . . 2157 Figure 69: MVRP Configured on Two Access Switches and One Distribution Switch for Automatic VLAN Administration . . . . . . . . . . . . . . . . . . . . . . . . . 2175 Figure 70: L2PT Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2186 Figure 71: Reflective Relay Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2191 Figure 72: Edge Virtual Bridging Example Topology . . . . . . . . . . . . . . . . . . . . . . 2198 Figure 73: Ethernet Ring Protection Switching Example . . . . . . . . . . . . . . . . . . 2203


xci

®


Part 15


Chapter 71

Examples of Spanning-Tree Protocols Configuration . . . . . . . . . . . . . . . . 2427 Figure 74: Network Topology for RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2429 Figure 75: Network Topology for MSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2445 Figure 76: BPDU Protection Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2465 Figure 77: BPDU Protection Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2470 Figure 78: Network Topology for Loop Protection . . . . . . . . . . . . . . . . . . . . . . . . 2474 Figure 79: Network Topology for Root Protection . . . . . . . . . . . . . . . . . . . . . . . . 2478

Part 17

Multicast

Chapter 81

Understanding Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3249 Figure 80: Multicast Traffic Flow with IGMP Snooping Enabled . . . . . . . . . . . . 3250 Figure 81: Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3254 Figure 82: Scenario 2: Switch Forwarding Multicast Traffic to Another Switch . . 3255 Figure 83: Scenario 3: Switch Connected to Hosts Only (No IGMP Querier) . . . 3256 Figure 84: Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3257 Figure 85: Multicast Traffic Flow with MLD Snooping Enabled . . . . . . . . . . . . . 3260 Figure 86: Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3264 Figure 87: Scenario 2: Switch Forwarding Multicast Traffic to Another Switch . . 3265 Figure 88: Scenario 3: Switch Connected to Hosts Only (No MLD Querier) . . . 3266 Figure 89: Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3267

Chapter 82

Examples: Multicast Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3269 Figure 90: Example IGMP Snooping Topology . . . . . . . . . . . . . . . . . . . . . . . . . . 3270 Figure 91: MVR Topology in Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 3274 Figure 92: MVR Topology in Proxy Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3275 Figure 93: Example MLD Snooping Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . 3277

Part 18

Access Control

Chapter 87

802.1X and MAC RADIUS Authentication Overview . . . . . . . . . . . . . . . . . 3539 Figure 94: Example Authentication Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . 3541 Figure 95: Authentication Process Flow for an EX Series Switch . . . . . . . . . . . 3548 Figure 96: VoIP Multiple Supplicant Topology . . . . . . . . . . . . . . . . . . . . . . . . . . 3555 Figure 97: VoIP Single Supplicant Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3556

Chapter 88

Examples: Access Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 3561 Figure 98: Topology for Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3563 Figure 99: Topology for Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3567 Figure 100: Topology for Guest VLAN Example . . . . . . . . . . . . . . . . . . . . . . . . . . 3572 Figure 101: Topology for Static MAC Authentication Configuration . . . . . . . . . . 3576 Figure 102: Topology for MAC RADIUS Authentication Configuration . . . . . . . . 3580 Figure 103: Topology for Configuring Supplicant Modes . . . . . . . . . . . . . . . . . . 3585

xcii


List of Figures

Figure 104: Topology for Firewall Filter and RADIUS Server Attributes Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3591 Figure 105: VoIP Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3597 Figure 106: Conceptual Model: Dynamic Filter Updated for Each New User . . . 3613 Figure 107: Multiple Supplicants on an 802.1X-Enabled Interface Connecting to a File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3614 Figure 108: EX Series Switch Connecting OAC to RADIUS Server Using EAP-TTLS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3623

Chapter 89

Configuring Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3627 Figure 109: Example of a Captive Portal Login Page . . . . . . . . . . . . . . . . . . . . . 3650

Part 21

Port Security

Chapter 104

Port Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4047 Figure 110: DHCP Server Connected Directly to Switch . . . . . . . . . . . . . . . . . . . 4055 Figure 111: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to Switch 1 Through a Trusted Trunk Port . . . . . . . . . . . . . . . . . . . . . . . . . . 4055 Figure 112: Switch Is the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4056 Figure 113: Switch Acting as Relay Agent Through Router to DHCP Server . . . . 4057 Figure 114: DHCP Clients, Switch, and DHCP Server Are All on Same VLAN . . 4066 Figure 115: Switch Relays DHCP Requests to Server . . . . . . . . . . . . . . . . . . . . . . 4067

Chapter 105

Examples: Port Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4073 Figure 116: Network Topology for Basic Port Security . . . . . . . . . . . . . . . . . . . . . 4075 Figure 117: Network Topology for Basic Port Security . . . . . . . . . . . . . . . . . . . . . 4082 Figure 118: Network Topology for Basic Port Security . . . . . . . . . . . . . . . . . . . . 4086 Figure 119: Network Topology for Basic Port Security . . . . . . . . . . . . . . . . . . . . 4089 Figure 120: Network Topology for Basic Port Security . . . . . . . . . . . . . . . . . . . . 4092 Figure 121: Network Topology for Basic Port Security . . . . . . . . . . . . . . . . . . . . . 4096 Figure 122: Network Topology for Port Security Setup with Two Switches on the Same VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4100 Figure 123: Network Topology for Configuring DHCP Option 82 on a Switch That Is on the Same VLAN as the DHCP Clients and the DHCP Server . . . . . . . . 4125 Figure 124: Network Topology for Using CoS Forwarding Classes to Prioritize Snooped and Inspected Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4128

Part 22


Chapter 111

Firewall Filters—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4237 Figure 125: Firewall Filter Processing Points in the Packet Forwarding Path . . . 4244 Figure 126: Application of Firewall Filters to Control Packet Flow . . . . . . . . . . . 4246 Figure 127: Evaluation of Terms Within a Firewall Filter . . . . . . . . . . . . . . . . . . . 4287

Chapter 112

Examples of Firewall Filters Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 4297 Figure 128: Application of Port, VLAN, and Layer 3 Routed Firewall Filters . . . . 4299 Figure 129: SSH Connection From a Management PC to an EX Series Switch . . 4320

Part 23

Class of Service

Chapter 118

Class of Service (CoS)—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4419


xciii

®


Figure 130: Packet Flow Across the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4421

Chapter 119

Examples: CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4455 Figure 131: Topology for Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4456

Part 26

MPLS

Chapter 137

MPLS—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4799 Figure 132: Label Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4812 Figure 133: MPLS Label Swapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4813 Figure 134: Layer 2 VPN Connecting CE Switches . . . . . . . . . . . . . . . . . . . . . . . . 4816

Chapter 138

Examples of MPLS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4819 Figure 135: Configuring MPLS on EX Series Switches . . . . . . . . . . . . . . . . . . . . . 4821 Figure 136: MPLS-Based Layer 2 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4847 Figure 137: MPLS-Based Layer 3 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4860

Part 27


Chapter 143

Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5067 Figure 138: Network Topology for Local Port Mirroring Example . . . . . . . . . . . . 5075 Figure 139: Remote Port Mirroring Example Network Topology . . . . . . . . . . . . 5080 Figure 140: Remote Port Mirroring Example Network Topology Using Multiple VLAN Member Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5090 Figure 141: Remote Port Mirroring Example Through a Transit Switch Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5098

Chapter 144

sFlow Monitoring Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5131 Figure 142: sFlow Technology Monitoring System . . . . . . . . . . . . . . . . . . . . . . . . 5135

Chapter 146

Real-Time Performance Monitoring (RPM) . . . . . . . . . . . . . . . . . . . . . . . . 5263 Figure 143: RPM Timestamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5266

Chapter 148

Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . 5347 Figure 144: Relationship Among MEPs, MIPs, and Maintenance Domain Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5348

Chapter 149

Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5431 Figure 145: Uplink Failure Detection Configuration on Switches . . . . . . . . . . . . 5432

xciv


List of Tables Part 1


Chapter 1

Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Table 1: First Junos OS Release for Each EX Series Switch . . . . . . . . . . . . . . . . . . . . 4 Table 2: Access Control Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . 5 Table 3: Administration Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . 6 Table 4: Class-of-Service (CoS) Features by Junos OS Release . . . . . . . . . . . . . . . 6 Table 5: Converged Networks (LAN and SAN) Features by Junos OS Release . . . . 7 Table 6: Device Security Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . 8 Table 7: High Availability and Resiliency Features by Junos OS Release . . . . . . . . . 8 Table 8: Interfaces Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Table 9: IP Address Management Features by Junos OS Release . . . . . . . . . . . . . . 12 Table 10: IPv6 Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Table 11: Layer 2 Network Protocols Features by Junos OS Release . . . . . . . . . . . . 13 Table 12: Layer 3 Protocols Features by Junos OS Release . . . . . . . . . . . . . . . . . . . 15 Table 13: MPLS Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Table 14: Multicast Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . . . 19 Table 15: Network Management and Monitoring Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Table 16: Power over Ethernet (PoE) Features by Junos OS Release . . . . . . . . . . . 22 Table 17: Port Security Features by Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . 22 Table 18: Routing Policy and Packet Filtering Features by Junos OS Release . . . . 24 Table 19: Spanning-Tree Protocols Features by Junos OS Release . . . . . . . . . . . . 24 Table 20: System Management Features by Junos OS Release . . . . . . . . . . . . . . . 25 Table 21: Virtual Chassis Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Table 22: Supported Junos OS Layer 3 Protocol Statements and Features . . . . . 28 Table 23: Junos OS Layer 3 Protocol Statements and Features That Are Not Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Table 24: Junos OS Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Chapter 2

Supported Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Table 25: EX2200 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Table 26: EX3200 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Table 27: EX3300 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Table 28: EX4200 Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Table 29: EX4500 Switch Models, Components, and Supported Junos OS Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Table 30: EX6200 Line Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Table 31: Power Supplies Supported on EX6200 Switches . . . . . . . . . . . . . . . . . . 64 Table 32: Line Cards Available for EX8200 Switches . . . . . . . . . . . . . . . . . . . . . . . 67 Table 33: Power Supplies Supported on EX8208 Switches . . . . . . . . . . . . . . . . . 69


xcv

®


Table 34: Line Cards Available for EX8200 Switches . . . . . . . . . . . . . . . . . . . . . . . 73 Table 35: Power Supplies Supported on EX8216 Switches . . . . . . . . . . . . . . . . . . 75

Part 3

Software Installation

Chapter 4

Software Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Table 36: Resilient Dual-Root Partition Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Table 37: Earlier Partition Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Table 38: Junos OS EFL Part Number on EX2200 Switches . . . . . . . . . . . . . . . . . 118 Table 39: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX6200, and EX8200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Table 40: Junos OS AFL Part Number on EX3300 Switches . . . . . . . . . . . . . . . . 120 Table 41: Junos OS EFL Part Number on EX3300 Switches . . . . . . . . . . . . . . . . . 120

Chapter 5

Installing Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Table 42: Install Remote Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Table 43: Upload Package Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Chapter 8

Troubleshooting Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Table 44: Combinations of Junos OS Versions and Loader Software Versions . . 156 Table 45: Actions If Corrupt Files Are Found . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Chapter 10

Operational Commands for Software Installation . . . . . . . . . . . . . . . . . . . . 165 Table 46: show system autoinstallation status Output Fields . . . . . . . . . . . . . . . 203 Table 47: show system license Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Table 48: show system snapshot Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Table 49: show system storage partitions Output Fields . . . . . . . . . . . . . . . . . . . 217

Part 4

User Interfaces

Chapter 11

User Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Table 50: J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Table 51: Switching Platform Configuration Interfaces . . . . . . . . . . . . . . . . . . . . . 226

Chapter 13

Operational Commands for User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Table 52: show cli Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Table 53: show cli authorization Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Table 54: show cli directory Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Table 55: show cli history Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Part 5


Chapter 14

System Setup Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Table 56: Junos OS Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Chapter 15

Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Table 57: Date and Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Table 58: System Identity Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . 265

Chapter 16

Configuration Statements for System Setup . . . . . . . . . . . . . . . . . . . . . . . . 269 Table 59: Menu Options of the LCD Menus Supported on the Switches . . . . . . . 291

Chapter 17

xcvi

Operational Commands for System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . 309


List of Tables

Table 60: request system storage cleanup Output Fields . . . . . . . . . . . . . . . . . . 348 Table 61: show chassis firmware Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Table 62: show chassis lcd Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Table 63: show ntp associations Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Table 64: show system firmware Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Table 65: show system storage Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Table 66: show system switchover Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 415 Table 67: show system uptime Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Table 68: show system users Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Table 69: show system virtual-memory Output Fields . . . . . . . . . . . . . . . . . . . . 428 Table 70: show task replication Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Part 6


Chapter 18

Configuration Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Table 71: Configuration File Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Chapter 19

Managing Junos OS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Table 72: J-Web Edit Point & Click Configuration Links . . . . . . . . . . . . . . . . . . . . 528 Table 73: J-Web Edit Point & Click Configuration Icons . . . . . . . . . . . . . . . . . . . . 529 Table 74: J-Web Edit Point & Click Configuration Buttons . . . . . . . . . . . . . . . . . . 529 Table 75: Commit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Table 76: Commit Preference Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Table 77: Options for the load command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 Table 78: J-Web Configuration History Summary . . . . . . . . . . . . . . . . . . . . . . . . . 534 Table 79: J-Web Configuration Database Information Summary . . . . . . . . . . . . 535

Chapter 22

Operational Commands for Configuration File Management . . . . . . . . . . 557 Table 80: show system commit Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 582

Part 7


Chapter 23

Access and User Management on EX Series Switches Overview . . . . . . . 593 Table 81: Junos OS Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Chapter 24

Access and User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . 597 Table 82: Secure Management Access Configuration Summary . . . . . . . . . . . . 598 Table 83: User Management Configuration Page Summary . . . . . . . . . . . . . . . . 602 Table 84: Add an Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Chapter 27

Operational Commands for Access and User Management . . . . . . . . . . . . 637 Table 85: show subscribers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641

Part 8


Chapter 28

System Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Table 86: Legacy DHCP and Extended DHCP Server Hierarchy Levels . . . . . . . . 657

Chapter 29

System Services Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665 Table 87: DHCP Server Configuration Pages Summary . . . . . . . . . . . . . . . . . . . . 666 Table 88: DHCP Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671


xcvii

®


Chapter 30

Monitoring System Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 Table 89: Summary of DHCP Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

Chapter 31

Configuration Statements for System Services . . . . . . . . . . . . . . . . . . . . . . 681 Table 90: Protocol Families and Supported Interface Types . . . . . . . . . . . . . . . . 715 Table 91: Interface Types and Their Supported Protocol Families . . . . . . . . . . . . 738

Chapter 32

Operational Commands for System Services . . . . . . . . . . . . . . . . . . . . . . . . 797 Table 92: clear dhcp relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 799 Table 93: show dhcp relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 812 Table 94: show security pki local-certificate Output Fields . . . . . . . . . . . . . . . . . 814 Table 95: show system services dhcp binding Output Fields . . . . . . . . . . . . . . . . 817 Table 96: show system services dhcp conflict Output Fields . . . . . . . . . . . . . . . 820 Table 97: show system services dhcp global Output Fields . . . . . . . . . . . . . . . . . 821 Table 98: show system services dhcp pool Output Fields . . . . . . . . . . . . . . . . . . 823 Table 99: show system services dhcp statistics Output Fields . . . . . . . . . . . . . . 825 Table 100: show system services service-deployment Output Fields . . . . . . . . . 827

Part 9

Junos OS for EX Series Switches System Monitoring

Chapter 33

System Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Table 101: Alarm Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 Table 102: System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836 Table 103: Health Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837 Table 104: Capacity Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839 Table 105: Chassis Viewer for EX2200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . 840 Table 106: Chassis Viewer for EX2200-C Switches . . . . . . . . . . . . . . . . . . . . . . . 841 Table 107: Chassis Viewer for EX3200, EX3300, and EX4200 Switches . . . . . . . 841 Table 108: Chassis Viewer for EX4500 Switches . . . . . . . . . . . . . . . . . . . . . . . . . 843 Table 109: Chassis Viewer for EX6210 Switches . . . . . . . . . . . . . . . . . . . . . . . . . 844 Table 110: Chassis Viewer for EX8208 Switches . . . . . . . . . . . . . . . . . . . . . . . . . 844 Table 111: Chassis Viewer for EX8216 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 846

Chapter 34

Administering and Monitoring System Functions . . . . . . . . . . . . . . . . . . . . 849 Table 112: Filtering System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849 Table 113: Viewing System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851 Table 114: Summary of Key Alarm Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 852 Table 115: Chassis Alarms for EX8200 Switches . . . . . . . . . . . . . . . . . . . . . . . . . 853 Table 116: Packet Capture Field Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856 Table 117: Summary of Key System Properties Output Fields . . . . . . . . . . . . . . . 858 Table 118: Summary of the Key Output Fields for Chassis Information . . . . . . . . 860 Table 119: Summary of System Process Information Output Fields . . . . . . . . . . 862

Chapter 36

Operational Commands for System Monitoring . . . . . . . . . . . . . . . . . . . . . . 883 Table 120: monitor list Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902 Table 121: monitor start Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903 Table 122: show chassis alarms Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 920 Table 123: show chassis environment Output Fields . . . . . . . . . . . . . . . . . . . . . . 928 Table 124: show chassis environment cb Output Fields . . . . . . . . . . . . . . . . . . . . 953 Table 125: show chassis environment fpc Output Fields . . . . . . . . . . . . . . . . . . . 969

xcviii


List of Tables

Table 126: show chassis environment routing-engine Output Fields . . . . . . . . . 986 Table 127: show chassis ethernet-switch Output Fields . . . . . . . . . . . . . . . . . . . . 991 Table 128: show chassis fabric fpcs Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 1011 Table 129: show chassis fabric map Output Fields . . . . . . . . . . . . . . . . . . . . . . . 1030 Table 130: show chassis fabric plane Output Fields . . . . . . . . . . . . . . . . . . . . . . 1037 Table 131: show chassis fabric plane-location Output Fields . . . . . . . . . . . . . . . 1060 Table 132: show chassis fpc Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1067 Table 133: Routing Engines Displaying DIMM Information . . . . . . . . . . . . . . . . . 1085 Table 134: show chassis hardware Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 1087 Table 135: show chassis led Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146 Table 136: show chassis location Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1152 Table 137: show chassis pic Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157 Table 138: show chassis routing-engine Output Fields . . . . . . . . . . . . . . . . . . . . 1167 Table 139: show chassis temperature-thresholds Output Fields . . . . . . . . . . . . 1180 Table 140: show pfe statistics ip Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1198 Table 141: show pfe statistics ip6 Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1201 Table 142: show system buffers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 1215 Table 143: show system connections Output Fields . . . . . . . . . . . . . . . . . . . . . . . 1221 Table 144: show system core-dumps Output Fields . . . . . . . . . . . . . . . . . . . . . . 1239 Table 145: show system directory-usage Output Fields . . . . . . . . . . . . . . . . . . . 1252 Table 146: show system processes Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 1259

Part 10


Chapter 37

EX3300, EX4200, and EX4500 Virtual Chassis—Overview, Components, and Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1281 Table 147: Automatic Software Update Support . . . . . . . . . . . . . . . . . . . . . . . . 1309

Chapter 38

EX3300, EX4200, and EX4500 Virtual Chassis—Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1311 Table 148: Components of the Basic Virtual Chassis Access Switch Topology . . 1313 Table 149: Components of the Basic Virtual Chassis Access Switch Topology . . 1318 Table 150: Components of the Expanded Virtual Chassis Access Switch . . . . . 1322 Table 151: Components of the EX4200 Virtual Chassis Before the EX4500 Member Switches Are Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1328 Table 152: Final Mixed EX4200 and EX4500 Virtual Chassis Components . . . . 1328 Table 153: Components of the EX4200 Virtual Chassis Before the EX4500 Member Switches Are Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332 Table 154: Final Mixed EX4200 and EX4500 Virtual Chassis Components . . . . 1333 Table 155: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1343 Table 156: Components of a Virtual Chassis Interconnected Across Wiring Closets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1350 Table 157: Components of the Topology for Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch . . . . . . . . . . . . . . . . . . . . . . 1357 Table 158: Components of a Preprovisioned EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets . . . . . . . . . . . . . . . . . . . . . . 1368 Table 159: Components of a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1378


xcix

®


Table 160: Components of the Basic Virtual Chassis Access Switch Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1398 Table 161: Components of the Expanded Virtual Chassis Access Switch . . . . . 1402

Chapter 39

Configuring EX3300, EX4200, and EX4500 Virtual Chassis . . . . . . . . . . 1407 Table 162: Virtual Chassis Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1413

Chapter 40

Verifying EX3300, EX4200, and EX4500 Virtual Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1453 Table 163: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1454 Table 164: Commands Relevant Only to the Master . . . . . . . . . . . . . . . . . . . . . . 1456

Chapter 43

Operational Commands for EX3300, EX4200, and EX4500 Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1495 Table 165: show system uptime Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1510 Table 166: show virtual-chassis active-topology Output Fields . . . . . . . . . . . . . 1512 Table 167: show virtual-chassis fast-failover Output Fields . . . . . . . . . . . . . . . . . 1515 Table 168: show virtual-chassis mode Output Fields . . . . . . . . . . . . . . . . . . . . . . 1517 Table 169: show virtual-chassis status Output Fields . . . . . . . . . . . . . . . . . . . . . 1519 Table 170: show virtual-chassis vc-path Output Fields . . . . . . . . . . . . . . . . . . . . 1522 Table 171: show virtual-chassis vc-port Output Fields . . . . . . . . . . . . . . . . . . . . . 1524 Table 172: show virtual-chassis vc-port statistics Output Fields . . . . . . . . . . . . 1529

Part 11


Chapter 44

EX8200 Virtual Chassis—Overview, Components, and Configurations . . 1537 Table 173: EX8200 Virtual Chassis Roles and Member IDs . . . . . . . . . . . . . . . . 1540 Table 174: EX8200 Virtual Chassis Roles and Member IDs . . . . . . . . . . . . . . . . . 1546 Table 175: EX8200 Virtual Chassis Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546

Chapter 45

EX8200 Virtual Chassis—Configuration Example . . . . . . . . . . . . . . . . . . . 1557 Table 176: Components of the EX8200 Virtual Chassis Topology . . . . . . . . . . . 1558

Chapter 49

Operational Commands for EX8200 Virtual Chassis . . . . . . . . . . . . . . . . 1599 Table 177: request chassis routing-engine hard-disk-test Output Fields . . . . . . 1603 Table 178: request virtual chassis device reachability Output Fields . . . . . . . . . 1609 Table 179: show system uptime Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 1616 Table 180: show virtual-chassis active-topology Output Fields . . . . . . . . . . . . . 1618 Table 181: show virtual-chassis device-topology Output Fields . . . . . . . . . . . . . 1621 Table 182: show virtual-chassis protocol adjacency Output Fields . . . . . . . . . . 1625 Table 183: show virtual-chassis protocol database Output Fields . . . . . . . . . . . 1628 Table 184: show virtual-chassis protocol interface Output Fields . . . . . . . . . . . 1632 Table 185: show virtual-chassis protocol route Output Fields . . . . . . . . . . . . . . 1634 Table 186: show virtual-chassis protocol statistics Output Fields . . . . . . . . . . . 1637 Table 187: show virtual-chassis status Output Fields . . . . . . . . . . . . . . . . . . . . . 1640 Table 188: show virtual-chassis vc-path Output Fields . . . . . . . . . . . . . . . . . . . 1643 Table 189: show virtual-chassis vc-port Output Fields . . . . . . . . . . . . . . . . . . . . 1645 Table 190: show virtual-chassis vc-port statistics Output Fields . . . . . . . . . . . . 1650

c


List of Tables

Part 12

High Availability

Chapter 50

High Availability—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659 Table 191: Platform and Release Support for NSSU . . . . . . . . . . . . . . . . . . . . . . 1672 Table 192: Available Operating Power in N+1 and N+N Redundancy Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1678

Chapter 55

Operational Commands for High Availability . . . . . . . . . . . . . . . . . . . . . . . . 1743 Table 193: show chassis nonstop-upgrade Output Fields . . . . . . . . . . . . . . . . . . 1752 Table 194: show chassis power-budget-statistics Output Fields . . . . . . . . . . . . 1754 Table 195: show vrrp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1758

Part 13


Chapter 56

Interfaces—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769 Table 196: Network Interface Types and Purposes . . . . . . . . . . . . . . . . . . . . . . . 1769 Table 197: Special Interface Types and Purposes . . . . . . . . . . . . . . . . . . . . . . . . 1770 Table 198: Maximum Interfaces per LAG and Maximum LAGs per Switch . . . . . 1775

Chapter 57

Examples of Interfaces Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1791 Table 199: Components of the Topology for Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch . . . . . . . . . . . . . . . . . . . . . . 1793 Table 200: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch . . . . . . . . . . . . . . . . . . . . . . . . 1803 Table 201: Components of the IP Directed Broadcast Topology . . . . . . . . . . . . . 1814

Chapter 58

Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1817 Table 202: Port Edit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1824 Table 203: Recommended CoS Settings for Port Roles . . . . . . . . . . . . . . . . . . . 1827 Table 204: Port Role Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 1828 Table 205: Recommended CoS Settings for Port Roles . . . . . . . . . . . . . . . . . . . 1831 Table 206: Media MTU Sizes by Interface Type for M5, M7i with CFEB, M10, M10i with CFEB, M20, and M40 Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1840 Table 207: Media MTU Sizes by Interface Type for M40e Routers . . . . . . . . . . . 1840 Table 208: Media MTU Sizes by Interface Type for M160 Routers . . . . . . . . . . . 1841 Table 209: Media MTU Sizes by Interface Type for M7i with CFEB-E, M10i with CFEB-E, M320 and M120 Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1842 Table 210: Media MTU Sizes by Interface Type for MX Series Routers . . . . . . . . 1843 Table 211: Media MTU Sizes by Interface Type for T320 Routers . . . . . . . . . . . . 1843 Table 212: Media MTU Sizes by Interface Type for T640 Platforms . . . . . . . . . . 1844 Table 213: Media MTU Sizes by Interface Type for J2300 Platforms . . . . . . . . . 1844 Table 214: Media MTU Sizes by Interface Type for J4300 and J6300 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1845 Table 215: Media MTU Sizes by Interface Type for J4350 and J6350 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1845 Table 216: Media MTU Sizes by Interface Type for EX Series Switches . . . . . . . 1847 Table 217: Encapsulation Overhead by Encapsulation Type . . . . . . . . . . . . . . . . 1847 Table 218: Aggregated Ethernet Interface Options . . . . . . . . . . . . . . . . . . . . . . . 1869 Table 219: VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870 Table 220: IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870


ci

®


Chapter 61

Configuration Statements for Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 1901 Table 221: Protocol Families and Supported Interface Types . . . . . . . . . . . . . . . 1929 Table 222: Interface Types and Their Supported Protocol Families . . . . . . . . . . 1942

Chapter 62

Operational Commands for Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1977 Table 223: Output Control Keys for the monitor interface interface-name Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1979 Table 224: Output Control Keys for the monitor interface traffic Command . . 1980 Table 225: monitor interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1981 Table 226: request diagnostics tdr Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 1990 Table 227: show diagnostics tdr Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1992 Table 228: show ethernet-switching interfaces Output Fields . . . . . . . . . . . . . . 1997 Table 229: GRE show interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 2000 Table 230: show interfaces diagnostics optics Output Fields . . . . . . . . . . . . . . 2007 Table 231: show interfaces ge- Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014 Table 232: show interfaces me0 Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 2025 Table 233: show interfaces queue Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 2032 Table 234: show interfaces vlan Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 2039 Table 235: show interfaces xe- Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 2051 Table 236: show ipv6 neighbors Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 2063 Table 237: show lacp interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 2066

Part 14

Ethernet Switching

Chapter 63

Ethernet Switching—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073 Table 238: When VLANs in a PVLAN Need 802.1Q Tags . . . . . . . . . . . . . . . . . . 2082 Table 239: PVLAN Ports and Layer 2 Connectivity . . . . . . . . . . . . . . . . . . . . . . . 2085 Table 240: Protocol Destination MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . 2098 Table 241: Tracking RVI Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2107

Chapter 64

Examples: Ethernet Switching Configuration . . . . . . . . . . . . . . . . . . . . . . . . 2117 Table 242: Components of the Basic Bridging Configuration Topology . . . . . . . 2119 Table 243: Components of the Multiple VLAN Topology . . . . . . . . . . . . . . . . . . 2126 Table 244: Components of the Topology for Connecting an Access Switch to a Distribution Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2133 Table 245: Components of the Redundant Trunk Link Topology . . . . . . . . . . . . 2144 Table 246: Components of the Topology for Setting Up Q-in-Q Tunneling . . . . 2147 Table 247: Components of the Topology for Configuring a PVLAN . . . . . . . . . . 2150 Table 248: Components of Switch 1 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2158 Table 249: Components of Switch 2 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2158 Table 250: Components of Switch 3 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2159 Table 251: Components of the Network Topology . . . . . . . . . . . . . . . . . . . . . . . . 2175 Table 252: Components of the Topology for Configuring Reflective Relay . . . . . 2191 Table 253: Components of the Topology for Configuring EVB . . . . . . . . . . . . . . 2198 Table 254: Components to Configure for This Example . . . . . . . . . . . . . . . . . . . 2204

Chapter 65

cii

Configuring Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2217


List of Tables

Table 255: VLAN Configuration Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2218 Table 256: RTG Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2233

Chapter 66

Verifying Ethernet Switching Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 2247 Table 257: Ethernet Switching Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 2256

Chapter 69

Operational Commands for Ethernet Switching . . . . . . . . . . . . . . . . . . . . 2345 Table 258: show edge-virtual-bridging Output Field Descriptions . . . . . . . . . . 2352 Table 259: show ethernet-switching interfaces Output Fields . . . . . . . . . . . . . 2356 Table 260: show ethernet-switching layer2-protocol-tunneling interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2359 Table 261: show ethernet-switching layer2-protocol-tunneling statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2362 Table 262: show ethernet-switching layer2-protocol-tunneling vlan Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2364 Table 263: show ethernet-switching mac-learning-log Output Fields . . . . . . . 2366 Table 264: show ethernet-switching mac-notification Output Fields . . . . . . . 2368 Table 265: show ethernet-switching statistics aging Output Fields . . . . . . . . . 2369 Table 266: show ethernet-switching statistics mac-learning Output Fields . . . 2372 Table 267: show ethernet-switching table Output Fields . . . . . . . . . . . . . . . . . . 2375 Table 268: show mvrp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2379 Table 269: show mvrp dynamic-vlan-memberships Output Fields . . . . . . . . . . 2381 Table 270: show mvrp statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 2382 Table 271: show protection-group ethernet-ring aps Output Fields . . . . . . . . . 2385 Table 272: show protection-group ethernet-ring configuration Output Fields . . 2387 Table 273: MX Series Routers show protection-group ethernet-ring interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2389 Table 274: show protection-group ethernet-ring node-state Output Fields . . . 2391 Table 275: show protection-group ethernet-ring statistics Output Fields . . . . 2394 Table 276: show redundant-trunk-group Output Fields . . . . . . . . . . . . . . . . . . . 2397 Table 277: show vlans Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2400

Part 15


Chapter 70

Spanning-Tree Protocols—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2413 Table Table Table Table

Chapter 71

278: Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 2414 279: Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 2418 280: Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 2421 281: Selecting a Spanning-Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 2426

Examples of Spanning-Tree Protocols Configuration . . . . . . . . . . . . . . . . 2427 Table 282: Components of the Topology for Configuring RSTP . . . . . . . . . . . . 2429 Table 283: Components of the Topology for Configuring MSTP on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2446 Table 284: Components of the Topology for Configuring BPDU Protection on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2465 Table 285: Components of the Topology for Configuring BPDU Protection on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2470 Table 286: Components of the Topology for Configuring Loop Protection on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2474


ciii

®


Table 287: Components of the Topology for Configuring Root Protection on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2478

Chapter 72

Configuring Spanning-Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2483 Table 288: Spanning-Tree Protocol Configuration Parameters . . . . . . . . . . . . . 2485

Chapter 73

Verifying Spanning-Tree Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2493 Table 289: Summary of Spanning-Tree Protocols Output Fields . . . . . . . . . . . 2493

Chapter 75

Operational Commands for Spanning-Tree Protocols . . . . . . . . . . . . . . . 2545 Table 290: show spanning-tree bridge Output Fields . . . . . . . . . . . . . . . . . . . . 2549 Table 291: show spanning-tree Interface Output Fields . . . . . . . . . . . . . . . . . . . 2554 Table 292: show spanning-tree interface Output Fields . . . . . . . . . . . . . . . . . . . 2561 Table 293: show spanning-tree mstp configuration Output Fields . . . . . . . . . . 2564 Table 294: show spanning-tree mstp configuration Output Fields . . . . . . . . . . 2566 Table 295: show spanning-tree statistics Output Fields . . . . . . . . . . . . . . . . . . 2567 Table 296: show spanning-tree statistics Output Fields . . . . . . . . . . . . . . . . . . 2569

Part 16

Layer 3 Protocols

Chapter 76

Layer 3 Protocols—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2573 Table 297: Supported Junos OS Layer 3 Protocol Statements and Features . . 2573 Table 298: Junos OS Layer 3 Protocol Statements and Features That Are Not Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2574

Chapter 77

Configuring Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2581 Table 299: BGP Routing Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . 2582 Table 300: BGP Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2584 Table 301: OSPF Routing Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . 2586 Table 302: Edit OSPF Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2588 Table 303: RIP Routing Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . 2590 Table 304: Edit RIP Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2591 Table 305: Static Routing Configuration Summary . . . . . . . . . . . . . . . . . . . . . . 2595 Table 306: Policies Global Configuration Parameters . . . . . . . . . . . . . . . . . . . . 2597 Table 307: Terms Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2597

Chapter 78

Verifying Layer 3 Protocols Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 2605 Table 308: Summary of Key BGP Routing Output Fields . . . . . . . . . . . . . . . . . 2605 Table 309: Summary of Key OSPF Routing Output Fields . . . . . . . . . . . . . . . . 2608 Table 310: Summary of Key RIP Routing Output Fields . . . . . . . . . . . . . . . . . . . 2610 Table 311: Filtering Route Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2612 Table 312: Summary of Key Routing Information Output Fields . . . . . . . . . . . . . 2612

Chapter 80

Operational Commands for Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . 2935 Table 313: show (ospf | ospf3) interface Output Fields . . . . . . . . . . . . . . . . . . . 2964 Table 314: show (ospf | ospf3) io-statistics Output Fields . . . . . . . . . . . . . . . . 2969 Table 315: show (ospf | ospf3) log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 2971 Table 316: show (ospf | ospf3) neighbor Output Fields . . . . . . . . . . . . . . . . . . . 2975 Table 317: show ospf overview Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 2980 Table 318: show (ospf | ospf3) route Output Fields . . . . . . . . . . . . . . . . . . . . . . 2986 Table 319: show (ospf | ospf3) statistics Output Fields . . . . . . . . . . . . . . . . . . 2990 Table 320: show as-path Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2994

civ


List of Tables

Table 321: show as-path domain Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 2998 Table 322: show as-path summary Output Fields . . . . . . . . . . . . . . . . . . . . . . . 3000 Table 323: show bgp bmp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3001 Table 324: show bgp group Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3003 Table 325: show bgp neighbor Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3010 Table 326: show bgp summary Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3023 Table 327: show ipv6 neighbors Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3028 Table 328: show isis adjacency Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3030 Table 329: show isis authentication Output Fields . . . . . . . . . . . . . . . . . . . . . . 3034 Table 330: show isis backup coverage Output Fields . . . . . . . . . . . . . . . . . . . . 3036 Table 331: show isis backup label-switched-path Output Fields . . . . . . . . . . . 3038 Table 332: show isis backup spf results Output Fields . . . . . . . . . . . . . . . . . . . . 3041 Table 333: show isis database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3045 Table 334: show isis hostname Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3051 Table 335: show isis interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3053 Table 336: show isis overview Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3056 Table 337: show isis route Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3059 Table 338: show isis spf Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3063 Table 339: show isis statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3070 Table 340: show ospf3 database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3073 Table 341: show ospf database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3083 Table 342: show policy damping Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3090 Table 343: show rip general-statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 3092 Table 344: show rip neighbor Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3094 Table 345: show rip statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3097 Table 346: show ripng general-statistics Output Fields . . . . . . . . . . . . . . . . . . 3099 Table 347: show ripng neighbor Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3100 Table 348: show ripng statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3102 Table 349: show route Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3104 Table 350: show route damping Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3127 Table 351: show route detail Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3132 Table 352: Next-hop Types Output Field Values . . . . . . . . . . . . . . . . . . . . . . . . . 3136 Table 353: State Output Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3138 Table 354: Communities Output Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 3140 Table 355: show route export Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3149 Table 356: show route extensive Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3151 Table 357: show route flow validation Output Fields . . . . . . . . . . . . . . . . . . . . . 3165 Table 358: show route instance Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3172 Table 359: show route martians Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3183 Table 360: show route receive-protocol Output Fields . . . . . . . . . . . . . . . . . . . 3207 Table 361: show route resolution Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3216 Table 362: show route summary Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3232 Table 363: show route terse Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3243

Part 17

Multicast

Chapter 83

Configuring Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3281 Table 364: IGMP Snooping Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . 3289 Table 365: Supported Tracing Operations for MLD Snooping . . . . . . . . . . . . . . 3299


cv

®


Table 366: Supported Tracing Operations for IGMP Snooping . . . . . . . . . . . . . 3301

Chapter 84

Verifying Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3305 Table 367: Summary of IGMP Snooping Output Fields . . . . . . . . . . . . . . . . . . . 3305

Chapter 86

Operational Commands for Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3409 Table 368: mtrace Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3429 Table 369: mtrace from-source Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3433 Table 370: mtrace monitor Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3435 Table 371: mtrace to-gateway Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3438 Table 372: show igmp group Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3440 Table 373: show igmp interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3444 Table 374: show igmp statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3447 Table 375: show igmp-snooping membership Output Fields . . . . . . . . . . . . . . 3450 Table 376: show igmp-snooping route Output Fields . . . . . . . . . . . . . . . . . . . . 3453 Table 377: show igmp-snooping statistics Output Fields . . . . . . . . . . . . . . . . . 3455 Table 378: show igmp-snooping vlans Output Fields . . . . . . . . . . . . . . . . . . . . 3457 Table 379: show mld-snooping membership Output Fields . . . . . . . . . . . . . . . 3459 Table 380: show mld-snooping route Output Fields . . . . . . . . . . . . . . . . . . . . . 3462 Table 381: show mld-snooping statistics Output Fields . . . . . . . . . . . . . . . . . . 3465 Table 382: show mld-snooping vlans Output Fields . . . . . . . . . . . . . . . . . . . . . 3467 Table 383: show multicast flow-map Output Fields . . . . . . . . . . . . . . . . . . . . . 3469 Table 384: show multicast interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . 3471 Table 385: show multicast mrinfo Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 3473 Table 386: show multicast next-hops Output Fields . . . . . . . . . . . . . . . . . . . . . 3476 Table 387: show multicast pim-to-igmp-proxy Output Fields . . . . . . . . . . . . . . 3478 Table 388: show multicast pim-to-mld-proxy Output Fields . . . . . . . . . . . . . . 3480 Table 389: show multicast route Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3483 Table 390: show multicast rpf Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3489 Table 391: show multicast scope Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3492 Table 392: show multicast sessions Output Fields . . . . . . . . . . . . . . . . . . . . . . 3494 Table 393: show multicast usage Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3497 Table 394: show pim bootstrap Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 3500 Table 395: show pim interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3502 Table 396: show pim join Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3506 Table 397: show pim neighbors Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3514 Table 398: show pim rps Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3519 Table 399: show pim source Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3525 Table 400: show pim statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3527

Part 18

Access Control

Chapter 88

Examples: Access Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 3561 Table 401: Components of the Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3563 Table 402: Components of the Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3567 Table 403: Components of the Guest VLAN Topology . . . . . . . . . . . . . . . . . . . . 3572 Table 404: Components of the Static MAC Authentication Configuration Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3576 Table 405: Components of the MAC RADIUS Authentication Configuration Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3580

cvi


List of Tables

Table 406: Components of the Supplicant Mode Configuration Topology . . . 3585 Table 407: Components of the Firewall Filter and RADIUS Server Attributes Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3591 Table 408: Components of the VoIP Configuration Topology . . . . . . . . . . . . . . 3597 Table 409: Components of the OAC Deployment . . . . . . . . . . . . . . . . . . . . . . . 3623

Chapter 89

Configuring Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3627 Table 410: RADIUS Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3631 Table 411: 802.1X Exclusion List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3631 Table 412: 802.1X Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3632 Table 413: Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3644 Table 414: Edit Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3644 Table 415: Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3647 Table 416: Actions for VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3647 Table 417: Configurable Elements of a Captive Portal Login Page . . . . . . . . . . 3650

Chapter 92

Operational Commands for Access Control . . . . . . . . . . . . . . . . . . . . . . . . 3775 Table 418: clear captive-portal interface Output Fields . . . . . . . . . . . . . . . . . . . 3776 Table 419: show captive-portal authentication-failed-users Output Fields . . . 3782 Table 420: show captive-portal interface Output Fields . . . . . . . . . . . . . . . . . . 3785 Table 421: show dot1x Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3788 Table 422: show dot1x authentication-failed-users Output Fields . . . . . . . . . . 3793 Table 423: show dot1x static-mac-address Output Fields . . . . . . . . . . . . . . . . . 3795 Table 424: show ethernet-switching interfaces Output Fields . . . . . . . . . . . . . 3798 Table 425: show lldp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3802 Table 426: show lldp local-information Output Fields . . . . . . . . . . . . . . . . . . . 3806 Table 427: show lldp neighbors Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 3808 Table 428: show lldp remote-global-statistics Output Fields . . . . . . . . . . . . . . 3815 Table 429: show lldp statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 3817 Table 430: show network-access aaa statistics accounting Output Fields . . . 3819 Table 431: show network-access aaa statistics authentication Output Fields . . 3820 Table 432: show network-access aaa statistics dynamic-requests Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3821

Part 19

Access Privileges

Chapter 93

Access Privileges—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3825 Table 433: Login Class Permission Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3826 Table 434: Predefined System Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . 3830

Part 20

Device Security

Chapter 103

Operational Commands for Device Security . . . . . . . . . . . . . . . . . . . . . . . . 4035 Table 435: show ethernet-switching interfaces Output Fields . . . . . . . . . . . . . 4037 Table 436: show ethernet-switching table Output Fields . . . . . . . . . . . . . . . . . 4041

Part 21

Port Security

Chapter 105

Examples: Port Security Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4073 Table 437: Components of the Port Security Topology . . . . . . . . . . . . . . . . . . . 4075 Table 438: Components of the Port Security Topology . . . . . . . . . . . . . . . . . . . 4082


cvii

®


Table 439: Components of the Port Security Topology . . . . . . . . . . . . . . . . . . 4086 Table 440: Components of the Port Security Topology . . . . . . . . . . . . . . . . . . 4089 Table 441: Components of the Port Security Topology . . . . . . . . . . . . . . . . . . . 4093 Table 442: Components of the Port Security Topology . . . . . . . . . . . . . . . . . . . 4096 Table 443: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4100 Table 444: Components of the Topology for Using CoS Forwarding Classes to Prioritize Snooped and Inspected Packets . . . . . . . . . . . . . . . . . . . . . . . . . . 4128

Chapter 106

Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4133 Table 445: Port Security Settings on VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4137 Table 446: Port Security on Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4137

Chapter 110

Operational Commands for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . 4221 Table 447: show arp inspection statistics Output Fields . . . . . . . . . . . . . . . . . . 4225 Table 448: show dhcp snooping binding Output Fields . . . . . . . . . . . . . . . . . . . 4226 Table 449: show dhcp snooping statistics Output Fields . . . . . . . . . . . . . . . . . . 4227 Table 450: show ethernet-switching table Output Fields . . . . . . . . . . . . . . . . . 4229 Table 451: show ip-source-guard Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 4233

Part 22


Chapter 111

Firewall Filters—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4237 Table 452: Elements of a Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . 4247 Table 453: Firewall Filter Match Conditions Supported on Switches . . . . . . . . . 4247 Table 454: Actions for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4253 Table 455: Action Modifiers for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 4254 Table 456: Bind Points Associated With Firewall Filter Types . . . . . . . . . . . . . . 4257 Table 457: Support for IPv4 and IPv6 Firewall Filters on Switches . . . . . . . . . . 4257 Table 458: Firewall Filter Match Conditions Supported for IPv4 Traffic on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4258 Table 459: Firewall Filter Match Conditions Supported For IPv6 Traffic on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4269 Table 460: Firewall Filter Match Condition Supported For Non-IP Traffic on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4272 Table 461: Firewall Filter Actions Supported For IPv4 Traffic on Switches . . . . 4273 Table 462: Firewall Filter Actions Supported For IPv6 Traffic on Switches . . . . 4275 Table 463: Firewall Filter Action Modifiers Supported For IPv4 Traffic on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4276 Table 464: Firewall Filter Action Modifiers Supported For IPv6 Traffic on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4280 Table 465: Match Conditions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4283 Table 466: Actions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4284 Table 467: Action Modifiers for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4285 Table 468: Logical Operators for Matching Multiple Bit-Field Operators . . . . . . 4291 Table 469: Policer Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4294

Chapter 112

cviii

Examples of Firewall Filters Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 4297


List of Tables

Table 470: Configuration Components: Firewall Filters . . . . . . . . . . . . . . . . . . . 4298 Table 471: Configuration Components: VLANs . . . . . . . . . . . . . . . . . . . . . . . . . 4300 Table 472: Configuration Components: Switch Ports on a 48-Port All-PoE Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4300

Chapter 113

Configuring Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4323 Table 473: Create a New Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4331 Table 474: Create a New Term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4332 Table 475: Advanced Options for Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4333 Table 476: Policies Global Configuration Parameters . . . . . . . . . . . . . . . . . . . . . 4341 Table 477: Terms Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4342

Chapter 116

Configuration Statements for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . 4355 Table 478: Supported Options for Firewall Filter Statements . . . . . . . . . . . . . . 4356 Table 479: Firewall Filter Statements That Are Not Supported by Junos OS for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4358

Chapter 117

Operational Commands for Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . 4393 Table 480: show firewall Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4397 Table 481: show firewall Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4399 Table 482: show firewall log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4402 Table 483: show interfaces filters Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 4405 Table 484: show interfaces policers Output Fields . . . . . . . . . . . . . . . . . . . . . . 4407 Table 485: show policer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4409 Table 486: show policy Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4411 Table 487: show policy conditions Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 4413

Part 23

Class of Service

Chapter 118

Class of Service (CoS)—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4419 Table 488: Default Code-Point Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4424 Table 489: Default BA Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4428 Table 490: Allowed BA Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4428 Table 491: Default Forwarding Classes for Unicast Traffic . . . . . . . . . . . . . . . . . 4431 Table 492: Default Forwarding Classes for Multicast Traffic . . . . . . . . . . . . . . . 4431 Table 493: Support for Scheduler Maps on Switches and Line Cards . . . . . . . . 4437 Table 494: Default Packet Header Rewrite Mappings . . . . . . . . . . . . . . . . . . . . 4441 Table 495: MPLS CoS Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4446 Table 496: EX8200 Line Cards That Include Oversubscribed Ports . . . . . . . . . 4448 Table 497: Input for PFC Congestion Notification Profile and Mapping to Traffic Class and Egress Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4453

Chapter 119

Examples: CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4455 Table 498: Configuration Components: VLANs . . . . . . . . . . . . . . . . . . . . . . . Table 499: Configuration Components: Switch Ports on a 48-Port All-PoE Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Table 500: CoS Configuration Components on the Ingress PE Switch . . . . . Table 501: CoS Configuration Components of the Egress PE Switch . . . . . . Table 502: CoS Configuration Components of the Provider Switch . . . . . . .

Chapter 120

. . 4457 . . . .

. . . .

4457 4472 4472 4473

Configuring CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4483


cix

®


Table 503: CoS Value Aliases Configuration Fields . . . . . . . . . . . . . . . . . . . . . . 4485 Table 504: BA-classifier Loss Priority Assignments . . . . . . . . . . . . . . . . . . . . . . 4487 Table 505: Classifiers Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4489 Table 506: Forwarding Classes Configuration Fields . . . . . . . . . . . . . . . . . . . . . 4492 Table 507: Schedulers Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4495 Table 508: Scheduler Maps Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . 4497 Table 509: Drop Profiles Configuration parameters . . . . . . . . . . . . . . . . . . . . . 4498 Table 510: Rewrite Rules Configuration Page Summary . . . . . . . . . . . . . . . . . . 4502 Table 511: Assigning CoS Components to Logical Interfaces . . . . . . . . . . . . . . . 4504

Chapter 121

Verifying CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4513 Table 512: Summary of Key CoS Classifier Output Fields . . . . . . . . . . . . . . . . . . 4513 Table 513: Summary of Key CoS Forwarding Class Output Fields . . . . . . . . . . . 4515 Table 514: Summary of Key CoS Interfaces Output Fields . . . . . . . . . . . . . . . . . 4516 Table 515: Summary of Key CoS Rewrite Rules Output Fields . . . . . . . . . . . . . . 4517 Table 516: Summary of Key CoS Scheduler Maps Output Fields . . . . . . . . . . . . 4518 Table 517: Summary of Key CoS Value Alias Output Fields . . . . . . . . . . . . . . . . 4519 Table 518: Summary of the Key Output Fields for CoS Red Drop Profiles . . . . . 4520

Chapter 124

Operational Commands for CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4559 Table 519: show class-of-service Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 4560 Table 520: show class-of-service classifier Output Fields . . . . . . . . . . . . . . . . 4565 Table 521: show class-of-service code-point-aliases Output Fields . . . . . . . . . 4567 Table 522: show class-of-service drop-profile Output Fields . . . . . . . . . . . . . . 4569 Table 523: show class-of-service forwarding-class Output Fields . . . . . . . . . . 4572 Table 524: show class-of-service interface Output Fields . . . . . . . . . . . . . . . . . 4575 Table 525: show pfe statistics traffic Output Fields . . . . . . . . . . . . . . . . . . . . . . 4597 Table 526: show pfe statistics traffic cpu Output Fields . . . . . . . . . . . . . . . . . . 4600 Table 527: show pfe statistics traffic egress-queues Output Fields . . . . . . . . . 4604 Table 528: show pfe statistics traffic multicast Output Fields . . . . . . . . . . . . . 4607

Part 24

Power over Ethernet

Chapter 125

Power over Ethernet (PoE)—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4613 Table 529: PoE Version Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4613 Table 530: Class of Powered Device and Power Levels . . . . . . . . . . . . . . . . . . . 4616 Table 531: Maximum Power Per Port in Static Mode . . . . . . . . . . . . . . . . . . . . . . 4617

Chapter 126

Examples: PoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4619 Table 532: Components of the PoE Configuration Topology . . . . . . . . . . . . . . . 4620 Table 533: Components of the PoE Configuration Topology . . . . . . . . . . . . . . . 4622 Table 534: Components of the PoE Configuration Topology . . . . . . . . . . . . . . . 4627 Table 535: Line Card PoE Power Budget and Power Priority . . . . . . . . . . . . . . . 4629

Chapter 127

Configuring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4635 Table 536: Configurable PoE Options and Default Settings . Table 537: PoE Edit Settings . . . . . . . . . . . . . . . . . . . . . . . . . . Table 538: System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . Table 539: Edit PoE Settings . . . . . . . . . . . . . . . . . . . . . . . . . . Table 540: FPC PoE Settings . . . . . . . . . . . . . . . . . . . . . . . . .

cx

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

4636 4642 4642 4643 4643


List of Tables

Chapter 129

Troubleshooting PoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4655 Table 541: Troubleshooting a PoE Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4655

Chapter 131

Operational Commands for PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4673 Table 542: show poe controller Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 4676 Table 543: show poe interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 4678 Table 544: show poe notification-control Output Fields . . . . . . . . . . . . . . . . . . 4681 Table 545: show poe telemetries interface Output Fields . . . . . . . . . . . . . . . . . 4683

Part 25

Converged Networks (LAN and SAN)

Chapter 132

Converged Networks (LAN and SAN)—Overview . . . . . . . . . . . . . . . . . . . 4687 Table 546: Input for PFC Congestion Notification Profile and Mapping to Traffic Class and Egress Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4693

Chapter 133

Example: Converged Networks (LAN and SAN) Configuration . . . . . . . . 4703 Table 547: Components of the FCoE Security Topology . . . . . . . . . . . . . . . . . . 4705 Table 548: Components of the DCBX iSCSI Topology . . . . . . . . . . . . . . . . . . . . 4716

Chapter 136

Operational Commands for Converged Networks (LAN and SAN) . . . . . 4767 Table 549: show dcbx neighbors Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 4771 Table 550: show fip snooping Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 4785 Table 551: show fip snooping enode Output Fields . . . . . . . . . . . . . . . . . . . . . . 4788 Table 552: show fip snooping fcf Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 4790 Table 553: show fip snooping statistics Output Fields . . . . . . . . . . . . . . . . . . . . 4792 Table 554: show fip snooping vlan Output Fields . . . . . . . . . . . . . . . . . . . . . . . 4794

Part 26

MPLS

Chapter 137

MPLS—Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4799 Table 555: MPLS CoS Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4809

Chapter 138

Examples of MPLS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4819 Table 556: Components of the Ingress PE Switch in the Topology for MPLS with Interface-Based CCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4821 Table 557: Components of the Egress PE Switch in the Topology for MPLS with Interface-Based CCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4822 Table 558: Components of the Provider Switch in the Topology for MPLS with Interface-Based CCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4823 Table 559: CoS Configuration Components on the Ingress PE Switch . . . . . . . 4835 Table 560: CoS Configuration Components of the Egress PE Switch . . . . . . . 4836 Table 561: CoS Configuration Components of the Provider Switch . . . . . . . . . 4836 Table 562: Local CE Routing Device in the MPLS-Based Layer 2 VPN Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4847 Table 563: Remote CE Routing Device in the MPLS-Based Layer 2 VPN Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4847 Table 564: Layer 2 VPN Components of the Local PE Routing Device . . . . . . . 4848 Table 565: Layer 2 VPN Components of the Remote PE Routing Device . . . . . 4849 Table 566: Local CE Switch in the MPLS-Based Layer 3 VPN Topology . . . . . 4860 Table 567: Remote CE Switch in the MPLS-Based Layer 3 VPN Topology . . . . 4860 Table 568: Layer 3 VPN Components of the Local PE Switch . . . . . . . . . . . . . 4860


cxi

®


Table 569: Layer 3 VPN Components of the Remote PE Switch . . . . . . . . . . . 4862

Chapter 142

Operational Commands for MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4953 Table 570: show connections Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 4980 Table 571: show connections Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4983 Table 572: show link-management Output Fields . . . . . . . . . . . . . . . . . . . . . . . 4986 Table 573: show link-management peer Output Fields . . . . . . . . . . . . . . . . . . 4990 Table 574: show link-management routing Output Fields . . . . . . . . . . . . . . . . . 4992 Table 575: show link-management statistics Output Fields . . . . . . . . . . . . . . . 4995 Table 576: show link-management te-link Output Fields . . . . . . . . . . . . . . . . . 4997 Table 577: show mpls admin-groups Output Fields . . . . . . . . . . . . . . . . . . . . . 4999 Table 578: show mpls call-admission-control Output Fields . . . . . . . . . . . . . . 5000 Table 579: show mpls cspf Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5002 Table 580: show mpls diffserv-te Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 5004 Table 581: show mpls interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5006 Table 582: show mpls interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5007 Table 583: show mpls lsp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5009 Table 584: show mpls path Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5018 Table 585: show route forwarding-table Output Fields . . . . . . . . . . . . . . . . . . 5020 Table 586: show rsvp interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5026 Table 587: show rsvp neighbor Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 5031 Table 588: show rsvp session Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 5037 Table 589: show rsvp session Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 5042 Table 590: show rsvp statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5049 Table 591: show rsvp version Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5053 Table 592: show ted database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5056 Table 593: show ted link Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5060 Table 594: show ted protocol Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 5062

Part 27


Chapter 143

Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5067 Table 595: Port Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5069 Table 596: Configuration Guidelines for Port Mirroring . . . . . . . . . . . . . . . . . . . . 5071 Table 597: Port Mirroring Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . 5109 Table 598: show analyzer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5128

Chapter 144

sFlow Monitoring Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5131 Table 599: show sflow Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5155 Table 600: show sflow collector Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5157 Table 601: show sflow interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 5158

Chapter 145

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5161 Table 602: SNMP Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5161 Table 603: show snmp health-monitor Output Fields . . . . . . . . . . . . . . . . . . . . 5239 Table 604: show snmp inform-statistics Output Fields . . . . . . . . . . . . . . . . . . 5246 Table 605: show snmp rmon Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5248 Table 606: show smp rmon history Output Fields . . . . . . . . . . . . . . . . . . . . . . . 5252 Table 607: show snmp statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 5256 Table 608: show snmp v3 Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5261

cxii


List of Tables

Chapter 146

Real-Time Performance Monitoring (RPM) . . . . . . . . . . . . . . . . . . . . . . . . 5263 Table 609: RPM Probe Owner, Concurrent Probes, and Probe Servers Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5269 Table 610: Performance Probe Tests Configuration Fields . . . . . . . . . . . . . . . . . 5270 Table 611: show services rpm active-servers Output Fields . . . . . . . . . . . . . . . . 5295 Table 612: show services rpm history-results Output Fields . . . . . . . . . . . . . . . 5296 Table 613: show services rpm probe-results Output Fields . . . . . . . . . . . . . . . . 5299

Chapter 147

Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5305 Table 614: show oam ethernet link-fault-management Output Fields . . . . . . . 5341

Chapter 148

Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . 5347 Table 615: monitor ethernet delay-measurement one-way Output Fields . . . . 5402 Table 616: monitor ethernet delay-measurement two-way Output Fields . . . . 5402 Table 617: show oam ethernet connectivity-fault-management delay-statistics and mep-statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5405 Table 618: show oam ethernet connectivity-fault-management forwarding-state Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5408 Table 619: show oam ethernet connectivity-fault-management interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5412 Table 620: show oam ethernet connectivity-fault-management linktrace path-database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5418 Table 621: show oam ethernet connectivity-fault-management mep-database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5420 Table 622: show oam ethernet connectivity-fault-management mip Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5426 Table 623: show oam ethernet connectivity-fault-management sla-iterator-statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5427

Chapter 149

Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5431 Table 624: show uplink-failure-detection Output Fields . . . . . . . . . . . . . . . . . . 5438

Chapter 150

Monitoring General Network Traffic and Hosts . . . . . . . . . . . . . . . . . . . . . . 5441 Table 625: J-Web Ping Host Field Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5441 Table 626: Traceroute field summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5443

Chapter 152

Operational Commands for General Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5461 Table 627: Match Conditions for the monitor traffic Command . . . . . . . . . . . . 5464 Table 628: Logical Operators for the monitor traffic Command . . . . . . . . . . . . 5465 Table 629: Arithmetic and Relational Operators for the monitor traffic Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5467 Table 630: show pfe statistics bridge Output Fields . . . . . . . . . . . . . . . . . . . . . 5475 Table 631: show snmp mib Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5479 Table 632: traceroute Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5483


cxiii

®


cxiv


About This Topic Collection •

How to Use This Guide on page cxv

•

List of EX Series Guides for Junos OS Release 12.1 on page cxv

•

Downloading Software on page cxvii

•

Documentation Symbols Key on page cxviii

•

Documentation Feedback on page cxix

•

Requesting Technical Support on page cxx

How to Use This Guide Complete documentation for the EX Series product family is provided on webpages at http://www.juniper.net/techpubs/en_US/release-independent/information-products/ pathway-pages/ex-series/product/index.html. We have selected content from these

webpages and created a number of EX Series guides that collect related topics into a book-like format so that the information is easy to print and easy to download to your local computer. Software features for EX Series switches are listed by platform and by Junos OS release in a standalone document. See EX Series Switch Software Features Overview. ®

This guide, Complete Software Guide for Junos OS for EX Series Ethernet Switches, Release 12.1, collects together the software feature descriptions, configuration examples, and tasks for Junos OS for EX Series Ethernet switches, Release 12.1. The release notes are at http://www.juniper.net/techpubs/en_US/junos12.1/ information-products/topic-collections/release-notes/12.1/junos-release-notes-12.1.pdf.

List of EX Series Guides for Junos OS Release 12.1 Title

Description

Complete Hardware Guide for EX2200 Ethernet Switches

Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX2200 Ethernet switches




cxv

®


Title

Description













Complete Hardware Guide for the XRE200 External Routing Engine

Component descriptions, site preparation, installation, replacement, and safety and compliance information for the XRE200 External Routing Engine

®


Software feature descriptions, configuration examples, and tasks for Junos OS for EX Series switches

Software Topic Collections

Software feature descriptions, configuration examples and tasks, and reference pages for configuration statements and operational commands (This information ® also appears in the Complete Software Guide for Junos OS for EX Series Ethernet Switches, Release 12.1.)

®

Junos OS Access Privilege Configuration Guide ®

Junos OS for EX Series Ethernet Switches: Access and User Management ®

Junos OS for EX Series Ethernet Switches: Access Control ®

Junos OS for EX Series Ethernet Switches: Configuration Management ®

Junos OS for EX Series Ethernet Switches: Class of Service ®

Junos OS for EX Series Ethernet Switches: Converged Networks (LAN and SAN)

cxvi


About This Topic Collection

Title

Description ®

Junos OS for EX Series Ethernet Switches: Device Security ®

Junos OS for EX Series Ethernet Switches: Ethernet Switching ®

Junos OS for EX Series Ethernet Switches: EX3300, EX4200, and EX4500 Virtual Chassis ®

Junos OS for EX Series Ethernet Switches: EX8200 Virtual Chassis ®

Junos OS for EX Series Ethernet Switches: High Availability ®

Junos OS for EX Series Ethernet Switches: Interfaces ®

Junos OS for EX Series Ethernet Switches: Layer 3 Protocols ®

Junos OS for EX Series Ethernet Switches: MPLS ®

Junos OS for EX Series Ethernet Switches: Multicast ®

Junos OS for EX Series Switches: Network Management and Monitoring ®

Junos OS for EX Series Switches: Port Security ®

Junos OS for EX Series Switches: Power over Ethernet ®

Junos OS for EX Series Ethernet Switches: Routing Policy and Packet Filtering ®

Junos OS for EX Series Ethernet Switches: Software Installation ®

Junos OS for EX Series Ethernet Switches: Spanning-Tree Protocols ®

Junos OS for EX Series Ethernet Switches: System Monitoring ®

Junos OS for EX Series Ethernet Switches: System Services ®

Junos OS for EX Series Ethernet Switches: System Setup ®

Junos OS for EX Series Ethernet Switches: User Interfaces

Downloading Software You can download Junos OS for EX Series switches from the Download Software area at http://www.juniper.net/customers/support/ . To download the software, you must have a Juniper Networks user account. For information about obtaining an account, see http://www.juniper.net/entitlement/setupAccountInfo.do.


cxvii

®


Documentation Symbols Key Notice Icons Icon

Meaning

Description

Informational note

Indicates important features or instructions.

Caution

Indicates a situation that might result in loss of data or hardware damage.

Warning

Alerts you to the risk of personal injury or death.

Laser warning

Alerts you to the risk of personal injury from a laser.

Text and Syntax Conventions Convention

Description

Examples

Bold text like this

Represents text that you type.

To enter configuration mode, type the configure command: user@host> configure

Fixed-width text like this

Italic text like this

Italic text like this

Plain text like this

< > (angle brackets)

cxviii

Represents output that appears on the terminal screen.

user@host> show chassis alarms

•

Introduces important new terms.

•

•

Identifies book names.

A policy term is a named structure that defines match conditions and actions.

•

Identifies RFC and Internet draft titles.

•

Junos OS System Basics Configuration Guide

•

RFC 1997, BGP Communities Attribute

No alarms currently active

Represents variables (options for which you substitute a value) in commands or configuration statements.

Configure the machine’s domain name:

Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.

•

To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.

•

The console port is labeled CONSOLE.

Enclose optional keywords or variables.

stub ;

[edit] root@# set system domain-name domain-name


About This Topic Collection

Text and Syntax Conventions Convention

Description

Examples

| (pipe symbol)

Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.

broadcast | multicast

# (pound sign)

Indicates a comment specified on the same line as the configuration statement to which it applies.

rsvp { # Required for dynamic MPLS only

[ ] (square brackets)

Enclose a variable for which you can substitute one or more values.

community name members [ community-ids ]

Indention and braces ( { } )

Identify a level in the configuration hierarchy.

; (semicolon)

Identifies a leaf statement at a configuration hierarchy level.

(string1 | string2 | string3)

[edit] routing-options { static { route default { nexthop address; retain; } } }

J-Web GUI Conventions Bold text like this

Represents J-Web graphical user interface (GUI) items you click or select.

> (bold right angle bracket)

Separates levels in a hierarchy of J-Web selections.

•

In the Logical Interfaces box, select All Interfaces.

•

To cancel the configuration, click Cancel.

In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send e-mail to [email protected] with the following: •

Document URL or title

•

Page number if applicable

•

Software version

•

Your name and company


cxix

®


Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. •

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: •

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. •

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html .

cxx


PART 1

Junos OS for EX Series Switches Product Overview •

Software Overview on page 3

•

Supported Hardware on page 41


1

®


2


CHAPTER 1

Software Overview •

EX Series Switch Software Features Overview on page 3

•

Layer 3 Protocols Supported on EX Series Switches on page 28

•

Layer 3 Protocols Not Supported on EX Series Switches on page 29

•

Security Features for EX Series Switches Overview on page 31

•

High Availability Features for EX Series Switches Overview on page 33

•

Understanding Software Infrastructure and Processes on page 37

EX Series Switch Software Features Overview This topic lists the Juniper Networks EX Series Ethernet Switches software features, the Juniper Networks Junos operating system (Junos OS) release in which they were introduced, and the first Junos OS release for each switch: •

Table 1 on page 4—First Junos OS Release for Each EX Series Switch

•

Table 2 on page 5—Access Control Features

•

Table 3 on page 6—Administration Features

•

Table 4 on page 6—Class-of-Service (CoS) Features

•

Table 5 on page 7—Converged Networks (LAN and SAN) Features

•

Table 6 on page 8—Device Security Features

•

Table 7 on page 8—High Availability and Resiliency Features

•

Table 8 on page 11—Interfaces Features

•

Table 9 on page 12—IP Address Management Features

•

Table 10 on page 12—IPv6 Features

•

Table 11 on page 13—Layer 2 Network Protocols Features

•

Table 12 on page 15—Layer 3 Protocols Features

•

Table 13 on page 16—MPLS Features

•

Table 14 on page 19—Multicast Features

•

Table 15 on page 20—Network Management and Monitoring Features


3

®


•

Table 16 on page 22—Power over Ethernet (PoE) Features

•

Table 17 on page 22—Port Security Features

•

Table 18 on page 24—Routing Policy and Packet Filtering Features

•

Table 19 on page 24—Spanning-Tree Protocols Features

•

Table 20 on page 25—System Management Features

•

Table 21 on page 26—Virtual Chassis Features

The Junos OS release for software features on a switch cannot be earlier than the first Junos OS release for that switch.

Table 1: First Junos OS Release for Each EX Series Switch Switch

Junos OS Release

EX2200 switches*

Junos OS Release 10.1R1 *EX2200-C models: Junos OS Release 11.3R1

EX3200 switches

Junos OS Release 9.0R1

EX3300 switches




EX4200 switches




EX4500 switches*

Junos OS Release 10.2R1* *EX4500-C models: Junos OS Release 10.3R2

EX4500 Virtual Chassis and mixed EX4200 and EX4500 Virtual Chassis

Junos OS Release 11.1R1 NOTE: A mixed EX4200 and EX4500 Virtual Chassis supports the same features as an EX4500 Virtual Chassis. The supported features for a mixed EX4200 and EX4500 Virtual Chassis are exactly the same whether an EX4200 switch or an EX4500 switch is configured in the master role.

4

EX6200 switch


EX8208 switches


EX8216 switches





Chapter 1: Software Overview

NOTE: In the features tables, software features that run on EX4200 Virtual Chassis are indicated in the column headed "EX3200, EX4200 Switches" and software features that run on EX3300 Virtual Chassis are indicated in the column headed “EX3300 Switches”. If a software feature only runs on an EX3300 or EX4200 Virtual Chassis and not on a standalone switch, the column entry includes a note making this distinction.

Table 2: Access Control Features by Junos OS Release EX2200 Switches

EX3200, EX4200 Switches

EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


802.1X authentication (port-based, multiple supplicant)

10.1R1

9.0R2

11.3R1

12.1R1

12.1R1

11.3R2

10.2R1

11.2R1

802.1X authentication with authentication bypass

10.1R1

9.0R2

11.3R1

12.1R1

12.1R1

11.3R2

10.2R1

11.2R1

802.1X authentication with VLAN assignment, VoIP VLAN support

10.1R1

9.0R1

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

802.1X user-based dynamic firewall filters

10.1R1

9.0R2

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

802.1X user-based dynamic firewall filters on multiple-supplicant ports

10.1R1

9.5R2

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

802.1X per-user statistics

10.1R1

9.2R1

11.3R1

12.1R1

12.1R1

11.3R1

10.3R1

11.2R1

Authentication fallback

11.3R1

10.3R1

Not supported

12.1R1

12.1R1

11.3R2

Not supported

Not supported

Captive portal authentication for Layer 3 interfaces

11.3R1

10.1R1

Not supported

12.1R1

12.1R1

12.1R1

Not supported

Not supported

Captive portal authentication for Layer 2 interfaces

11.3R1

10.3R1

Not supported

12.1R1

12.1R1

11.3R2

Not supported

Not supported

MAC RADIUS authentication

10.1R1

9.3R2

11.3R1

10.2R1

Not supported

11.3R2

10.3R1

11.2R1

NetBIOS snooping

11.3R5

11.1R1

11.3R5

Not supported

Not supported

11.3R5

11.1R1

11.3R5

Server fail fallback

10.1R1

9.3R2

11.3R1

10.2R1

Not supported

Not supported

10.2R1

Not supported

TACACS+

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Feature


5

®


Table 3: Administration Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


System logging (syslog) over IPv4

10.1R1

9.0R2

11.3R1

10.2R1

System logging (syslog) over IPv6

10.3R1

9.3R2

11.3R1

System snapshot

Not supported

10.0R1

Not supported

Feature

EX6200 Switches

EX8200 Switches


11.1R1

Not supported

9.4R1

10.4R1

10.4R1

11.2R1

11.3R2

10.1R1

11.2R1

10.2R1

Not supported

Not supported

10.0R1

Not supported

Table 4: Class-of-Service (CoS) Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Class of service (CoS)—Class-based queuing with prioritization, Layer 2 and Layer 3 classification, rewrite, and queueing; strict priority queuing on egress

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

CoS—DSCP, IEEE 802.1p, and IP precedence packet rewrites on routed VLAN interfaces (RVIs)

Not supported

9.5R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

CoS—Interface-specific classifiers on routed VLAN interfaces (RVIs)

Not supported

9.4R1

11.3R1

11.3R1

11.3R1

Not supported

10.2R1

11.1R1

CoS—Multidestination

Not applicable

Not applicable

Not applicable

Not applicable

Not applicable

Not supported

9.5R1

11.1R1

CoS—Per-interface classification

Not supported

9.3R1

11.3R1

10.2R1

11.1R1

11.3R2

10.2R1

11.2R1

CoS support on Link Aggregation Groups (LAGs)

10.1R1

9.2R1

11.3R1

10.2R1

11.2R1

Not supported

9.4R1

11.1R1

Feature

6



Table 4: Class-of-Service (CoS) Features by Junos OS Release (continued) EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


CoS support on routed VLAN interfaces (RVIs)

10.3R1

9.4R1

11.3R1

10.4R1

11.1R1

Not supported

9.4R1

11.1R1

Flexible CoS-Outer 802.1p Marking

Not Supported

9.6R1

Not supported

12.1R1

12.1R1

Not supported

Not supported

Not supported

Interface-specific CoS rewrite rules

10.3R1

9.4R1

Not supported

Not supported

Not supported

Not supported

10.2R1

11.1R1

Junos EZQoS for CoS

10.1R1

9.3R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Port shaping and queue shaping

10.1R1

9.3R2

11.3R1

10.2R1

11.1R1

11.3R2

10.1R1

11.2R1

Re-marking of bridged packets

Not supported

9.4R1

Not supported

10.2R1

11.1R1

11.3R2

10.2R1

11.2R1

Shaped-deficit weighted round-robin (SDWRR)

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Single-rate two-color marking

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Feature

Table 5: Converged Networks (LAN and SAN) Features by Junos OS Release

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


NOTE: The EX4500 switch models that support Fibre Channel over Ethernet features must be Converged Enhanced Ethernet (CEE) capable. The CEE-capable EX4500 switch models have a “–C” in the hardware model number. See “EX4500 Switch Models” on page 58. Data Center Bridging Capability Exchange protocol (DCBX)

Not supported

Not supported

Not supported

11.3R1

11.3R1

Not supported

Not supported

Not supported

DCBX application protocol TLV exchange

Not supported

Not supported

Not supported

12.1R1

12.1R1

Not supported

Not supported

Not supported

FIP snooping

Not supported

Not supported

Not supported

10.4R1

11.3R1

Not supported

Not supported

Not supported


7

®


Table 5: Converged Networks (LAN and SAN) Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


Priority-based flow control (PFC)

Not supported

Not supported

Not supported

10.4R1

11.3R1

EX6200 Switches

EX8200 Switches


Not supported

Not supported

Not supported

Table 6: Device Security Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Automatic recovery for port error disable conditions

10.1R1

9.6R1

11.3R1

10.2R1

11.1R1

11.3R2

10.0R1

11.2R1

Storm control (broadcast and unicast)

10.1R1

9.1R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Storm control (multicast)

10.3R2

10.3R2

Not supported

10.3R2

11.1R1

11.3R2

10.3R2

12.1R1

Unknown Layer 2 unicast forwarding

10.1R1

9.3R2

11.3R1

10.2R1

Not supported

Not supported

10.0R1

11.1R1

Feature

Table 7: High Availability and Resiliency Features by Junos OS Release

8


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Feature

EX2200 Switches

Graceful protocol restart for BGP

Not applicable

9.0R2

Not supported

Not applicable

11.1R1

11.3R2

9.4R1

11.1R1

Graceful protocol restart for IS-IS

Not applicable

9.3R2

Not supported

Not applicable

11.1R1

11.3R2

9.4R1

11.1R1

Graceful protocol restart for OSPF

Not applicable

9.0R2

Not supported

Not applicable

11.1R1

11.3R2

9.4R1

11.1R1

GRES for ARP entries, forwarding database, and Layer 3 protocols

Not applicable

9.2R1 (EX4200 Virtual Chassis only)

11.3R1

Not applicable

11.2R1

11.3R2

9.4R1

11.1R1

GRES for IGMP snooping

Not applicable



Not applicable

12.1R1

Not supported

11.3R1

11.3R1



Table 7: High Availability and Resiliency Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


GRES for LACP

Not supported

11.3R1

Not supported

11.3R1

11.3R1

Not supported

11.3R1

11.3R1

GRES for port security (DHCP snooping, DAI, and IP source guard)

Not applicable


Not supported

Not applicable

Not supported

11.3R2

9.6R1

Not supported

LACP support for dual-homing applications in data centers

10.1R1

10.0R1

Not supported

10.2R1

Not supported

Not supported

10.0R1

Not supported

Link Aggregation Control Protocol (LACP)

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Link aggregation groups (LAGs)

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Nonstop active routing (NSR) for BGP, IS-IS, IGMP with BFD, and RIP

Not applicable

11.1R1 (EX4200 Virtual Chassis)


Not applicable

11.1R1

11.3R2

11.1R1

11.1R1

Nonstop active routing (NSR) for IPv4 and IPv6

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

Nonstop active routing (NSR) for IPv6 IS-IS, RIPng, and OSPFv3

Not applicable

Not supported

Not supported

Not applicable

Not supported

Not supported

11.2R1

11.3R1

Nonstop active routing (NSR) for OSPFv2

Not applicable

11.1R1


Not applicable

Not applicable

11.3R2

10.4R1

11.1R1

Nonstop active routing (NSR) for Protocol Independent Multicast (PIM)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.4R2

11.4R2


9

®


Table 7: High Availability and Resiliency Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Nonstop bridging (NSB) for LAGs and LACP

Not applicable


Not supported

Not applicable

11.4R1

12.1R1

11.3R1

11.3R1

Nonstop bridging (NSB) for LLDP and LLDP-MED

Not applicable


Not supported

Not applicable

11.3R1

Not supported

11.3R1

11.3R1

Nonstop bridging (NSB) for spanning-tree protocols

Not applicable


Not supported

Not applicable

Not supported

12.1R1

11.3R1

12.1R1

Nonstop software upgrade (NSSU)

Not applicable


Not supported

Not applicable

12.1R1

Not supported

10.4R1

11.1R1

Power budget management

Not applicable

Not applicable

Not supported

Not applicable

Not supported

11.3R2

10.2R1

Not supported

Virtual Router—Network Time Protocol (NTP), system logging, Simple Network Management Protocol (SNMP), RADIUS, and TACACS support in a virtual router

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.4R1

Not supported

Virtual Router Redundancy Protocol (VRRP)

Not supported

9.0R2

12.1R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Virtual Router Redundancy Protocol (VRRP) for IPv6 (except authentication type and authentication key)

Not supported

10.2R1

Not supported

11.2R1

11.2R1

12.1R1

10.1R1

11.2R1

10



Table 8: Interfaces Features by Junos OS Release EX3200, EX4200 Switches

EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Feature

EX2200 Switches

Digital optical monitoring (DOM)

Not supported

10.0R1

11.3R1

Not supported

Not supported

Not supported

10.0R1

11.1R1

Interface ranges

10.1R1.

10.0R1

11.3R1

10.2R1

Not supported

11.3R2

10.1R1

Not supported

IPv4 over generic routing encapsulation (GRE) tunnels—encapsulation support

Not supported

12.1R1

Not supported

Not supported

Not supported

Not supported

12.1R1

Not supported

IPv4 over generic routing encapsulation (GRE) tunnels—de-encapsulation support

Not supported

12.1R1

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

IPv6 over generic routing encapsulation (GRE) tunnels using IPv4 transport—encapsulation support

Not supported

12.1R1

Not supported

Not supported

Not supported

Not supported

12.1R1

Not supported

IPv6 over generic routing encapsulation (GRE) tunnels using IPv4 transport—de-encapsulation support

Not supported

12.1R1

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

IP directed broadcast

Not supported

9.4R1

Not supported

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Time domain reflectometry (TDR)

10.1R1

9.0R2

11.3R1

Not supported

Not supported

11.3R2

9.4R1

11.2R1

Unicast reverse-path forwarding (RPF)

Not supported

9.3R2

Not supported

11.2R1

11.2R1

11.3R2

10.1R1

11.2R1

VLAN-tagged Layer 3 subinterfaces

Not supported

9.2R1

Not supported

11.2R1

11.2R1

11.3R2

9.4R1

10.4R1


11

®


Table 9: IP Address Management Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


DHCP server and relay with option 82 for Layer 2 VLANs

10.1R1

9.3R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.2R1

DHCP server and relay with option 82 for Layer 3 interfaces

10.1R1

9.0R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.2R1

DNS for IPv6

Not supported

9.3R2

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

Local DHCP server

10.1R1

9.3R2

11.3R1

12.1R1

12.1R1

11.3R2

9.4R1

11.2R1

Virtual router aware DHCP (VR-aware DHCP)

12.1R1

12.1R1

12.1R1

12.1R1

12.1R1

12.1R1

12.1R1

12.1R1

Static addresses

10.1R1

9.0R2

11.3R1

10.2R1

Not supported

Not supported

9.4R1

11.1R1

Feature

Table 10: IPv6 Features by Junos OS Release

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


NOTE: A separate software license is required for IPv6. See “Understanding Software Licenses for EX Series Switches” on page 117. BGP for IPv6

Not supported

9.4R1

Not supported

11.1R1

11.2R1

12.1R1

10.1R1

11.2R1

IPv6 CoS (multifield classification and rewrite)

Not supported

10.2R1

Not supported

12.1R1

12.1R1

12.1R1

10.4R1

11.3R1

IPv6 management

10.3R1

9.3R2

11.3R1

10.4R1

Not supported

Not supported

10.1R1

11.2R1

IPv6 multicast protocols (PIM, MLDv1/v2)

Not supported

10.1R1

Not supported

11.2R1

11.2R1

12.1R1

10.2R1

11.2R1

IPv6 path MTU discovery

10.3R1

9.3R1

Not supported

10.4R1

Not supported

12.1R1

10.2R1

11.2R1

12



Table 10: IPv6 Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


IS-IS for IPv6

Not supported

9.4R1

Not supported

11.2R1

11.2R1

12.1R1

10.1R1

11.2R1

MBGP for IPv6

Not supported

9.3R1

Not supported

Not supported

Not supported

12.1R1

10.1R1

12.1R1

OSPFv3

Not supported

9.3R1

Not supported

11.1R1

11.2R1

12.1R1

10.1R1

11.2R1

RIPng

Not supported

9.3R1

Not supported

11.1R1

11.2R1

12.1R1

10.1R1

11.2R1

Table 11: Layer 2 Network Protocols Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


802.1Q VLAN tagging

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Edge virtual bridging (EVB) support with virtual Ethernet port aggregator (VEPA)

Not supported

12.1R1 (EX4200 only)

Not supported

12.1R1

12.1R1

Not supported

12.1R1

12.1R1

Ethernet ring protection switching (ERPS, G.8032/Y.1344)

12.1R1

12.1R1 (EX4200 only)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

Layer 2 protocol tunneling (L2PT)

11.1R1

10.0R1

11.4R1

11.2R1

11.2R1

12.1R1

Not supported

Not supported

Link Layer Discovery Protocol (LLDP)

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) with voice over IP (VoIP) integration

10.1R1

9.0R2

11.3R1

Not supported

Not supported

Not supported

Not supported

Not supported

MAC-based VLANs

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

12.1R1

Feature


13

®


Table 11: Layer 2 Network Protocols Features by Junos OS Release (continued) EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Multiple VLAN Registration Protocol (MVRP, IEEE 802.1ak)

11.3R1

10.0R1

11.3R1

11.2R1

11.2R1

12.1R1

10.0R1

11.2R1

Private VLANs (PVLANs)

11.1R1

9.3R2

12.1R1

11.2R1

11.2R1

11.3R2

10.1R1

11.2R1

Private VLANs (PVLANs) support across switches

11.1R1

10.4R1

12.1R1

11.2R1

11.2R1

11.3R2

11.2R1

11.2R1

Proxy ARP—Restricted

10.1R1

10.0R1

11.3R1

10.2R1

Not supported

Not supported

10.0R1

11.2R1

Proxy ARP—Unrestricted

10.1R1

9.6R1

11.3R1

10.2R1

11.1R1

12.1R1

10.0R1

11.2R1

Proxy ARP per VLAN

10.1R1

10.1R1

Not supported

10.2R1

Not supported

Not supported

10.1R1

11.2R1

Q-in-Q tunneling

11.1R1

9.3R2

11.4R1

11.2R1

11.2R1

12.1R1

11.1R1

11.2R1

Q-in-Q VLAN extended support for multiple S-VLANs per access interface, firewall-filter-based VLAN assignment, and routed VLAN interfaces (RVIs)

Not supported

9.6R1

Not supported

11.2R1

11.2R1

12.1R1

11.1R1

11.2R1

Redundant trunk groups

10.1R1

9.0R2

11.3R1

11.2R1

11.2R1

11.3R2

9.4R1

11.1R1

Reflective relay

Not supported

Not supported

Not supported

11.1R1

Not supported

Not supported

Not supported

Not supported

Routed VLAN interfaces (RVIs)

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

VLAN ID translation

11.1R1

10.0R1

Not supported

11.2R1

11.2R1

Not supported

11.1R1

11.2R1

VLAN ranges

10.1R1

9.2R1

11.3R1

10.2R1

Not supported

11.3R2

9.4R1

10.4R1

Feature

14



Table 12: Layer 3 Protocols Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Bidirectional Forwarding Detection (BFD)

11.3R1

9.0R2

12.1R1

10.2R1

11.1R1

12.1R1

9.4R1

11.2R1

Border Gateway Protocol (BGP)

Not supported

9.0R2

12.1R1

11.1R1

11.1R1

11.3R2

9.4R1

11.1R1

Multiprotocol Border Gateway Protocol (MBGP)

Not supported

9.3R1

Not supported

11.2R1

11.2R1

12.1R1

9.4R1

12.1R1

Feature

A separate software license is required for BGP and MBGP. See “Understanding Software Licenses for EX Series Switches” on page 117. Distributed periodic packet management (PPM) with BFD

Not supported

10.4R1

Not supported

Not supported

11.2R1

12.1R1

10.4R1

11.2R1

Distributed periodic packet management (PPM) with LACP

Not supported

10.2R1

Not supported

11.1R1

11.1R1

11.3R2

10.2R1

10.4R1

Filter-based forwarding

Not supported

9.4R1

Not supported

11.2R1

11.2R1

11.3R2

9.6R1

11.1R1

Filter-based forwarding over IPv6

Not supported

10.1R1

Not supported

Not supported

Not supported

Not supported

10.3R1

11.2R1

Intermediate System-toIntermediate System (IS-IS)

Not supported

9.0R2

Not supported

11.1R1

11.2R1

11.3R2

9.4R1

11.1R1

A separate software license is required for IS-IS. See “Understanding Software Licenses for EX Series Switches” on page 117. IPv6 Layer 3 multicast protocols

Not supported

10.1R1

Not supported

Not supported

Not supported

Not supported

10.2R1

11.2R1

Jumbo frames on routed VLAN interfaces (RVIs)

Not supported

9.4R1

11.3R1

10.2R1

11.2R1

Not supported

9.4R1

10.4R1

OSPF Multitopology Routing (MT-OSPF)

Not supported

9.5R1

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported


15

®


Table 12: Layer 3 Protocols Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


See the Junos OS Routing Protocols Configuration Guide. OSPFv2

11.1R1

9.0R2

11.4R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

OSPFv3 IPSec support

Not supported

10.3R1

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

Routing Information Protocol version 1 (RIPv1) and RIPv2

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Static routes

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Virtual routing and forwarding (VRF) with IPv4—Virtual routing instances

Not supported

9.2R1

Not supported

11.1R1

11.1R1

11.3R2

9.6R1

11.1R1

VRF with IPv4—Virtual routing instances for PIM and IGMP

Not supported

10.0R1

Not supported

11.1R1

11.1R1

11.3R2

10.0R1

11.2R1

VRF with IPv4—Virtual routing instances for IGMP Snooping

Not supported

11.4R1

Not supported

12.1R1

12.1R1

Not supported

11.3R1

11.3R1

VRF with IPv6—Virtual routing instances for multicast traffic

Not supported

10.1R1

Not supported

Not supported

Not supported

Not supported

10.1R1

11.2R1

VRF with IPv6—Virtual routing instances for unicast traffic

Not supported

10.1R1

Not supported

Not supported

Not supported

Not supported

10.1R1

11.2R1

Table 13: MPLS Features by Junos OS Release

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


A separate software license is required for MPLS. See “Understanding Software Licenses for EX Series Switches” on page 117.

16



Table 13: MPLS Features by Junos OS Release (continued) EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Aggregated Ethernet interfaces (LAGs) on circuit cross-connects (CCCs)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

CCC with a beginning and an ending on the same switch

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

Interior gateway protocol IGP IS-IS and OSPF shortcuts

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

IP over MPLS

Not supported

10.1R1

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

IPv6 over MPLS label-switched paths (LSPs)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

12.1R1

12.1R1

LDP-based MPLS

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

LDP Tunneling (LDP over RSVP)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MPLS-based circuit cross-connects (CCC)

Not supported

9.5R1

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MPLS label-switched router (LSR) support

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MPLS OAM-LSP ping

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MPLS with class of service (CoS)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

12.1R1

12.1R1

MPLS Layer 2 VPN CCC and Layer 2 circuit CCC on Ethernet-encapsulated interfaces

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

Feature


17

®


Table 13: MPLS Features by Junos OS Release (continued) EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


MPLS Layer 2 VPN CCC and Layer 2 circuit CCC on VLAN-encapsulated interfaces

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.3R1

12.1R1

MPLS with Layer 3 VPNs—Includes support for RVIs on customer-edge interfaces

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MPLS with RSVP-based label-switched paths (LSPs)

Not supported

9.5R1

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MPLS over Layer 3 subinterfaces

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

12.1R1

12.1R1

MPLS over routed VLAN interfaces (MPLS over RVIs)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

12.1R1

12.1R1

Path maximum transmission unit (MTU) and unicast reverse-path forwarding (RPF) checks for VPNs

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

Resource Reservation Protocol—Traffic engineering (RSVP-TE)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

Standby secondary path protection

Not supported

12.1R1

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

Static label-switched paths (LSPs)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

12.1R1

12.1R1

Feature

18



Table 14: Multicast Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


IGMP (Internet Group Management Protocol) version 1 (IGMPv1) and IGMPv2

11.1R1

9.0R2

12.1R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

IGMP filtering

11.3R1

9.5R1

Not supported

Not supported

Not supported

11.3R1

9.5R1

12.1R1

IGMP snooping with routed VLAN interfaces (RVIs)

10.1R1

9.2R1

12.1R1

10.2R1

Not supported

Not supported

9.4R1

11.1R1

IGMPv3

11.1R1

9.3R2

Not supported

10.2R1

11.1R1

11.3R2

9.6R1

11.1R1

IGMPv1 and IGMPv2 snooping

10.1R1

9.1R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

IGMPv3 snooping

10.1R1

9.6R1

11.3R1

10.2R1

11.1R1

11.3R2

9.6R1

11.1R1

Multicast Listener Discovery version 1 and 2 (MLDv1 and MLDv2)

Not supported

10.1R1

Not supported

11.2R1

11.2R1

12.1R1

10.2R1

11.2R1

Multicast Listener Discovery version 1 (MLDv1) snooping (MLDv1 snooping)

12.1R1

12.1R1

Not supported

12.1R1

12.1R1

12.1R1

12.1R1

12.1R1

Multicast Listener Discovery version 2 (MLDv2) snooping (MLDv2 snooping)

12.1R1

12.1R1

Not supported

12.1R1

12.1R1

12.1R1

12.1R1

12.1R1

Multicast Source Discovery Protocol (MSDP)

Not supported

9.4R1

Not supported

10.2R1

11.1R1

12.1R1

9.4R1

12.1R1

Feature

See the Junos OS Multicast Protocols Configuration Guide. Multicast VLAN registration (MVR)

11.3R1

9.6R1

12.1R1

Not supported

Not supported

Not supported

Not supported

Not supported

Protocol Independent Multicast dense mode (PIM DM)

11.1R1

9.2R1

12.1R1

11.2R1

11.2R1

11.3R2

9.4R1

11.1R1


19

®


Table 14: Multicast Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Not supported

Not supported

Not supported

9.4R1

11.R1

See the Junos OS Multicast Protocols Configuration Guide. Protocol Independent Multicast sparse mode (PIM SM)

11.1R1

9.0R2

12.1R1

See the Junos OS Multicast Protocols Configuration Guide. Protocol Independent Multicast source-specific multicast (PIM SSM)

11.1R1

9.3R1

12.1R1

See the Junos OS Multicast Protocols Configuration Guide. Single-source multicast

Not supported

9.0R2

Not supported

Table 15: Network Management and Monitoring Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


802.1ag Ethernet OAM connectivity fault management (CFM)

11.2R1

10.2R1

Not supported

Not supported

Ethernet frame delay measurement (ETH-DM, Y.1731)

Not supported

11.4R1 (EX4200 only)

Not supported

Ethernet OAM link fault management (LFM)

11.1R1

9.4R1

Port mirroring

10.1R1

9.0R2

Feature

20

EX6200 Switches

EX8200 Switches


Not supported

12.1R1

11.4R1

12.1R1

11.4R1

Not supported

Not supported

11.4R1

11.4R1

Not supported

Not supported

Not supported

Not supported

10.0R1

11.2R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1



Table 15: Network Management and Monitoring Features by Junos OS Release (continued) EX3200, EX4200 Switches

EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Feature

EX2200 Switches

Port mirroring enhancements

Not supported

9.5R1

Not supported

Not supported

Not supported

Not supported

9.5R1

Not supported

Not supported

10.0R1

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

Port mirroring support for multiple analyzers per session

Not supported

Not supported

Not supported

11.2R1

11.2R1

Not supported

Not supported

Not supported

Real-time performance monitoring (RPM)

10.1R1

9.3R2

11.3R1

10.2R1

11.1R1

12.1R1

10.1R1

11.2R1

Real-time performance monitoring (RPM)—hardware timestamps with routed VLAN interfaces (RVIs)

Not supported

10.3R1

Not supported

10.2R1

11.1R1

12.1R1

10.3R1

11.2R1

RMON

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

•

Layer 3 interface support

•

Multiple VLAN support

Port mirroring enhancements •

For remote port mirroring, ingress and egress options on VLAN member interfaces on the intermediate (transit) switch to avoid flooding mirrored traffic to those interfaces

NOTE: A separate software license is required for sFlow technology. See “Understanding Software Licenses for EX Series Switches” on page 117. sFlow monitoring technology

11.1R1

9.3R2


12.1R1

11.2R1

11.2R1

12.1R1

10.0R1

12.1R1

21

®


Table 15: Network Management and Monitoring Features by Junos OS Release (continued) EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches

sFlow monitoring technology—Egress sampling

11.1R1

10.4R1

Not supported

Not supported

Not supported

Not supported

10.4R1

Not supported

sFlow monitoring technology—Persistent IP addresses for agent IDs and use in datagrams

11.1R1

10.2R1

Not supported

Not supported

Not supported

12.1R1

10.2R1

Not supported

Simple Network Management Protocol version 1 (SNMPv1), SNMPv2, and SNMPv3

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Uplink failure detection

11.1R1

11.1R1

Not supported

11.1R1

Not supported

Not supported

12.1R1

12.1R1

Feature


Table 16: Power over Ethernet (PoE) Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


Power over Ethernet (PoE)

10.1R1

9.0R2

11.3R1

Not applicable

Power over Ethernet Plus (PoE+)

10.3R1

Not supported

11.3R1

Power over Ethernet (PoE) power management mode

10.1R1

9.3R2

11.3R1

Feature

EX6200 Switches

EX8200 Switches


Not applicable

11.3R2

11.2R1

11.4R1

Not applicable

Not applicable

11.3R2

11.2R1

11.4R1

Not applicable

Not applicable

11.3R2

11.2R1

11.2R1

Table 17: Port Security Features by Junos OS Release

Feature Automatic recovery for port error disable conditions

22

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


10.1R1

9.6R1

11.3R1

10.2R1

11.1R1

11.3R2

10.0R1

11.2R1



Table 17: Port Security Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


DHCP option 82

10.1R1

9.3R2

11.3R1

10.2R1

Not supported

Not supported

9.4R1

11.2R1

DHCP snooping

10.1R1

9.0R2

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

Dynamic ARP inspection (DAI)

10.1R1

9.0R2

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

IP source guard

10.1R1

9.2R1

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

Layer 3 virtual private network (VPN) for IPv4 (RFC 2547 and 4364)

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

Layer 3 virtual private network (VPN) for IPv6 through IPv4 MPLS

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

11.1R1

12.1R1

MAC limiting

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

MAC address limit per port

10.1R1

9.0R1

11.3R1

10.2R1

11.1R1

11.3R2

10.3R1

11.2R1

MAC move limiting

10.1R1

9.0R2

11.3R1

Not supported

Not supported

11.3R2

Not supported

12.1R1

Persistent MAC learning (sticky MAC)

11.4R1

11.4R1

Not supported

11.4R1

11.4R1

11.4R1

11.4R1

12.1R1

Persistent storage for DHCP snooping

10.1R1

9.4R1

11.3R1

12.1R1

12.1R1

11.3R2

10.3R1

11.2R1

Self-signed digital certificates for enabling SSL services

11.1R1

11.1R1

Not supported

11.1R1

11.1R1

12.1R1

11.1R1

11.2R1

Static ARP support

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1


23

®


Table 18: Routing Policy and Packet Filtering Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


Dynamic allocation of TCAM memory to firewall filters

10.1R1

10.0R1

11.3R1

10.2R1

Firewall filters and rate limiting

10.1R1

9.0R2

11.3R1

10.2R1

Feature

EX6200 Switches

EX8200 Switches


11.1R1

Not supported

10.3R1

10.4R1

11.1R1

11.3R2

9.4R1

11.1R1

For a list of supported firewall filter match conditions and actions, see “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246. Firewall filters on LAGs

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

Not supported

10.0R1

11.1R1

Firewall filters on the loopback interface

10.1R1

9.2R1

11.3R1

11.1R1

11.1R1

12.1R1

9.6R1

11.2R1

For a list of supported firewall filter match conditions and actions on a loopback interface, see “Support for Match Conditions and Actions for Loopback Firewall Filters on Switches” on page 4282. Firewall filters on the management interface

11.3R1

10.4R1

Not supported

10.4R1

Not supported

12.1R1

10.4R1

11.2R1

Firewall filters on the virtual management interface

Not applicable


Not supported

Not applicable

11.1R1

Not applicable

Not applicable

Not applicable

Firewall filters with IPv6

Not supported

10.1R1

Not supported

12.1R1

12.1R1

12.1R1

10.3R1

11.2R1

Policing

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

11.1R1

Table 19: Spanning-Tree Protocols Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


BPDU protection for spanning-tree protocols

10.1R1

9.1R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Loop protection for spanning-tree protocols

10.1R1

9.1R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Feature

24



Table 19: Spanning-Tree Protocols Features by Junos OS Release (continued) EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


Root protection for spanning-tree protocols

10.1R1

9.1R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

Spanning tree:

Not supported

10.2R1

11.3R1

10.2R1

11.1R1

11.3R2

10.2R1

11.2R1

10.1R1

9.0R2

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

10.1R1

9.4R1

11.3R1

10.2R1

11.1R1

11.3R2

9.6R1

11.2R1

Feature

•

RSTP and VSTP concurrent configuration

Spanning tree: •

Spanning Tree Protocol (STP)

•

Rapid Spanning Tree Protocol (RSTP)

•

Multiple Spanning Tree Protocol (MSTP)

Spanning tree: •

VLAN Spanning Tree Protocol (VSTP)

Table 20: System Management Features by Junos OS Release EX2200 Switches


EX3300 Switches

EX4500 Switches

Autoinstallation of configuration files

10.1R1

9.4R1

11.3R1

10.2R1

Automatic software download

10.1R1

9.6R1

11.3R1

Configuration rollback

10.1R1

9.0R2

J-Web interface, for switch configuration and management

10.1R1 (12.1R1 for EX2200-C switches)

9.0R2

Feature




EX6200 Switches

EX8200 Switches

Not supported

11.3R2

Not supported

11.2R1

10.2R1

Not supported

11.3R2

9.6R1

11.2R1

11.3R1

10.2R1

11.1R1

11.3R2

9.4R1

10.4R1

12.1R1

10.2R1

Not supported

12.1R1

9.4R1

Not supported

25

®


Table 20: System Management Features by Junos OS Release (continued)

Feature

EX2200 Switches


EX3300 Switches

EX4500 Switches


EX6200 Switches

EX8200 Switches


LCD panel management support

Not applicable

9.0R1

11.3R1

10.2R1

11.1R1

11.3R1

9.4R1

12.1R1

Online insertion and removal (OIR) of uplink modules

Not applicable

10.0R1

Not applicable

11.1R1

11.1R1

Not applicable

Not applicable

Not applicable

Table 21: Virtual Chassis Features EX3300 Virtual Chassis


Mixed EX4200 and EX4500 Virtual Chassis



Automatic software update on prospective member switches

11.3R1

10.0R1

Not supported

11.1R1

Not supported

Front-panel configuration of uplink module ports as Virtual Chassis ports (VCPs)

11.3R1

10.0R1

11.1R1

11.1R1

Not supported

Graceful Routing Engine switchover (GRES) for Virtual Chassis

11.3R1

9.1R1

11.1R1

11.1R1

11.1R1

Link aggregation groups (LAGs) over Virtual Chassis ports (VCPs)

11.3R1

9.6R1

11.1R1

11.1R1

10.4R1

Role requirements for mixed EX4200 and EX4500 Virtual Chassis—master and backup can be any combination of EX4200 and EX4500 switches

Not applicable

Not applicable

11.4R1

Not applicable

Not applicable

Role requirements for mixed EX4200 and EX4500 Virtual Chassis—master and backup must be either two EX4200 switches or two EX4500 switches

Not applicable

Not applicable

11.2R1

Not applicable

Not applicable

Role requirements for mixed EX4200 and EX4500 Virtual Chassis—master and backup must be two EX4500 switches

Not applicable

Not applicable

11.1R1

Not applicable

Not applicable

Feature

26



Table 21: Virtual Chassis Features (continued) EX3300 Virtual Chassis





Support for two EX4500 member switches in Virtual Chassis

Not applicable

Not applicable

11.1R1

11.1R1

Not applicable

Support for up to ten EX4500 member switches in Virtual Chassis

Not applicable

Not applicable

11.4R1

11.4R1

Not applicable

Support for two EX8200 member switches in Virtual Chassis

Not applicable

Not applicable

Not applicable

Not applicable

10.4R1

Support for up to four EX8200 member switches in Virtual Chassis

Not applicable

Not applicable

Not applicable

Not applicable

12.1R1

Virtual Chassis fast failover

11.3R1

9.3R2

12.1R1

12.1R1

Not supported

Virtual Chassis split and merge

11.3R1

9.3R2

11.1R1

11.1R1

10.4R1

Virtual Chassis—Autoprovisioning of Virtual Chassis ports (VCPs)

11.3R1

9.5R1

11.1R1

11.1R1

Not supported

Virtual Chassis preprovisioning

11.3R1

9.0R1

11.1R1

11.1R1

10.4R1

Virtual Chassis—SFP uplink port interconnection of member switches

11.3R1

9.2R1

11.1R1 (EX4200 to EX4200 and EX4500 to EX4500 only)

11.1R1

10.4R1

Not applicable

12.1R1

Feature

11.3R1 (EX4200 to EX4500) XRE200 Hard Disk Drive (HDD) monitoring

Related Documentation

Not applicable

Not applicable

Not applicable

•

EX2200 Switches Hardware Overview on page 41

•


•


•


•


•

EX6210 Switch Hardware Overview on page 61


27

®


•


•


•

Line Card Model and Version Compatibility in an EX6200 Switch

•


•

XRE200 External Routing Engine Hardware Overview on page 76

•


•


Layer 3 Protocols Supported on EX Series Switches EX Series switches support the Junos OS Layer 3 features and configuration statements listed in Table 22 on page 28:

Table 22: Supported Junos OS Layer 3 Protocol Statements and Features Protocol

Notes

For More Information

BGP

Fully supported.

Junos OS Routing Protocols Configuration Guide

BFD

Fully supported.


ICMP

Fully supported.


IGMPv1, v2, and v3

Fully supported.

Junos OS Multicast Protocols Configuration Guide

IS-IS

Supported, with the exceptions noted in “Layer 3 Protocols Not Supported on EX Series Switches” on page 29.


MLD

Fully supported (MLD versions 1 and 2).


MPLS


Junos OS MPLS Applications Configuration Guide

OSPFv1, v2 and v3



PIM

Fully supported on EX3200, EX3300, EX4200, EX6200, and EX8200 switches.


PPM

Supported. See “EX Series Switch Software Features Overview” on page 3 for specific platform information.


RIP

Fully supported.


28



Table 22: Supported Junos OS Layer 3 Protocol Statements and Features (continued) Protocol

Notes


RIPng

Fully supported.


SNMP

Fully supported.

Junos OS Network Management Configuration Guide

VRRP

Fully supported.

See “Understanding VRRP on EX Series Switches” on page 1663. See also Junos OS High Availability Guide.


•


•


Layer 3 Protocols Not Supported on EX Series Switches EX Series switches do not support the Junos OS Layer 3 protocols and features listed in Table 23 on page 29:

Table 23: Junos OS Layer 3 Protocol Statements and Features That Are Not Supported Feature

Configuration Statements Not Supported on EX Series Switches

DVMRP

•

dvmrp and subordinate statements

Flow aggregation (cflowd)

•

cflow and subordinate statements

IPsec

•

[edit services] statements related to IPsec

IS-IS:

•

clns-routing statement

•

ipv6-multicast statement

•

lsp-interval statement

•

label-switched-path statement

•

lsp-lifetime statement

•

te-metric statement

•

logical-routers and subordinate statements

•

ES-IS

•

IPv6 in multicast routing protocols

Logical routers


29

®


Table 23: Junos OS Layer 3 Protocol Statements and Features That Are Not Supported (continued) Feature


MPLS:

•

ldp and all subordinate statements (except on EX8200 switches)

Network Address Translation (NAT)

•

nat and subordinate statements

•

Policy statements related to NAT

OSPF

•

demand-circuit statement

•

label-switched-path and subordinate statements

•

neighbor statement within an OSPF area

•

peer-interface and subordinate statements within an OSPF area

•

sham-link statement

•

te-metric statement

PIM SM

•

Not supported on EX2200 switches

PIM SSM

•


PIM DM

•

Not supported on EX2200 or EX4500 switches

PIM:

•

inet6 family (EX2200 and EX4500 switches)

PPM

•

Not supported on EX2200 and EX3300 switches

Routing instances:

•

l2vpn and subordinate statements (except on EX8200 switches)

•

ldp and subordinate statements (except on EX8200 switches)

•

vpls and subordinate statements

•

family mpls statement

•

Fast Reroute (FRR)

•

Label Distribution Protocol (LDP) (except on EX8200 switches)

•

Layer 3 VPNs (except on EX8200 switches)

•

Multiprotocol BGP (MP-BGP) for VPN-IPv4 family

•

Pseudowire emulation (PWE3)

•

Routing policy statements related to Layer 3 VPNs and MPLS (except on EX8200 switches)

•

Virtual Private LAN Service (VPLS)

•

•

IPv6

Routing instance forwarding


30





SAP and SDP

•

sap and all subordinate statements

General routing options in the routing-options hierarchy:

•

auto-export and subordinate statements

•

dynamic-tunnels and subordinate statements

•

•

lsp-next-hop and subordinate statements

•

multicast and subordinate statements

•

p2mp-lsp-next-hop and subordinate statements

•

route-distinguisher-id statement (except on EX8200 switches)

•

accounting and subordinate statements

•

family mpls and family multiservice under hash-key hierarchy

•

Under monitoring group-name family inet output hierarchy:

MPLS and label-switched-paths

Traffic sampling and fowarding in the forwarding-options hierarchy


•

cflowd statement

•

export-format-cflowd-version-5 statement

•

flow-active-timeout statement

•

flow-export-destination statement

•

flow-inactive-timeout statement

•

interface statement

•

port-mirroring statement (On EX Series switches, port mirroring is implemented using the analyzer statement.)

•

sampling and subordinate statements

•


•


Security Features for EX Series Switches Overview Juniper Networks Junos operating system (Junos OS) is a network operating system that has been hardened through the separation of control forwarding and services planes, with each function running in protected memory. The control-plane CPU is protected by rate limiting, routing policy, and firewall filters to ensure switch uptime even under severe attack. In addition, the switches fully integrate with the Juniper Networks Unified Access Control (UAC) product to provide both standards-based 802.1X port-level access and Layer 2 through Layer 4 policy enforcement based on user identity. Access port security features such as dynamic Address Resolution Protocol (ARP) inspection, DHCP snooping, and MAC limiting are controlled through a single Junos OS CLI command. Juniper Networks EX Series Ethernet Switches provide the following hardware and software security features: Console Port—Allows use of the console port to connect to the Routing Engine through an RJ-45 cable. You then use the command-line interface (CLI) to configure the switch.


31

®


Out-of-Band Management—A dedicated management Ethernet port on the rear panel allows out-of-band management. Software Images—All Junos OS images are signed by Juniper Networks certificate authority (CA) with public key infrastructure (PKI). User Authentication, Authorization, and Accounting (AAA)—Features include: •

User and group accounts with password encryption and authentication.

•

Access privilege levels configurable for login classes and user templates.

•

RADIUS authentication, TACACS+ authentication, or both, for authenticating users who attempt to access the switch.

•

Auditing of configuration changes through system logging or RADIUS/TACACS+.

802.1X Authentication—Provides network access control. Supplicants (hosts) are authenticated when they initially connect to a LAN. Authenticating supplicants before they receive an IP address from a DHCP server prevents unauthorized supplicants from gaining access to the LAN. EX Series switches support Extensible Authentication Protocol (EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP. Port Security—Access port security features include:

32

•

DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database).

•

Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons.

•

MAC limiting—Protects against flooding of the Ethernet switching table.

•

MAC move limiting—Detects MAC movement and MAC spoofing on access ports.

•

Trusted DHCP server—With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases.

•

IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet LAN. The source IP address in the packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is allowed for further processing if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded.

•

DHCP option 82—Also known as the DHCP relay agent information option. Helps protect the EX Series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client.

•

Unrestricted proxy ARP—The switch responds to all ARP messages with its own MAC address. Hosts that are connected to the switch’s interfaces cannot communicate



directly with other hosts. Instead, all communications between hosts go through the switch. •

Restricted proxy ARP—The switch does not respond to an ARP request if the physical networks of the source and target of the ARP request are the same. It does not matter whether the destination host has the same IP address as the incoming interface or a different (remote) IP address. An ARP request for a broadcast address elicits no reply.

Device Security—Storm control permits the switch to monitor unknown unicast and broadcast traffic and drop packets, or shut down, or temporarily disable the interface when a specified traffic level is exceeded, thus preventing packets from proliferating and degrading the LAN. You can enable storm control on access interfaces or trunk interfaces. Firewall Filters—Allow auditing of various types of security violations, including attempts to access the switch from unauthorized locations. Firewall filters can detect such attempts and create audit log entries when they occur. The filters can also restrict access by limiting traffic to source and destination MAC addresses, specific protocols, or, in combination with policers, to specified data rates to prevent denial of service (DoS) attacks. Policers—Provide rate-limiting capability to control the amount of traffic that enters an interface, which acts to counter DoS attacks. Encryption Standards—Supported standards include:


•

128-, 192-, and 256-bit Advanced Encryption Standard (AES)

•

56-bit Data Encryption Standard (DES) and 168-bit 3DES

•

802.1X for EX Series Switches Overview on page 3545

•

Firewall Filters for EX Series Switches Overview on page 4237

•

Port Security Overview on page 4047

•

Understanding Proxy ARP on EX Series Switches on page 2100

•

Understanding Storm Control on EX Series Switches on page 4005

•

Understanding the Use of Policers in Firewall Filters on page 4292

High Availability Features for EX Series Switches Overview High availability refers to the hardware and software components that provide redundancy and reliability for packet-based communications. This topic covers the following high availability features of Juniper Networks EX Series Ethernet Switches: •

VRRP on page 34

•

Graceful Protocol Restart on page 34

•

Redundant Routing Engines on page 35

•

Virtual Chassis on page 35

•

Graceful Routing Engine Switchover on page 35


33

®


•

Link Aggregation on page 36

•

Nonstop Active Routing on page 36

•

Nonstop Software Upgrade on page 36

•

Redundant Power System on page 37

VRRP You can configure Virtual Router Redundancy Protocol (VRRP) for IP and IPv6 on Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces on the switches. When VRRP is configured, the switches act as virtual routing platforms. VRRP enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. The VRRP routing platforms share the IP address corresponding to the default route configured on the hosts. At any time, one of the VRRP routing platforms is the master (active) and the others are backups. If the master routing platform fails, one of the backup routing platforms becomes the new master, providing a virtual default routing platform and enabling traffic on the LAN to be routed without relying on a single routing platform. Using VRRP, a backup switch can take over a failed default switch within a few seconds. This is done with minimum loss of VRRP traffic and without any interaction with the hosts.

Graceful Protocol Restart With standard implementations of routing protocols, any service interruption requires an affected switch to recalculate adjacencies with neighboring switches, restore routing table entries, and update other protocol-specific information. An unprotected restart of a switch can result in forwarding delays, route flapping, wait times stemming from protocol reconvergence, and even dropped packets. Graceful protocol restart allows a restarting switch and its neighbors to continue forwarding packets without disrupting network performance. Because neighboring switches assist in the restart (these neighbors are called helper switches), the restarting switch can quickly resume full operation without recalculating algorithms from scratch. On the switches, graceful protocol restart can be applied to aggregate and static routes and for routing protocols (BGP, IS-IS, OSPF, and RIP). Graceful protocol restart works similarly for the different routing protocols. The main benefits of graceful protocol restart are uninterrupted packet forwarding and temporary suppression of all routing protocol updates. Graceful protocol restart thus allows a switch to pass through intermediate convergence states that are hidden from the rest of the network. Most graceful restart implementations define two types of switches—the restarting switch and the helper switch. The restarting switch requires rapid restoration of forwarding state information so that it can resume the forwarding of network traffic. The helper switch assists the restarting switch in this process. Individual graceful restart configuration statements typically apply to either the restarting switch or the helper switch.

34



Redundant Routing Engines Redundant Routing Engines are two Routing Engines that are installed in a switch or a Virtual Chassis. When a switch has two Routing Engines, one functions as the master, while the other stands by as a backup should the master Routing Engine fail. When a Virtual Chassis has two Routing Engines, the switch in the master role functions as the master Routing Engine and the switch in the backup role functions as the backup Routing Engine. Redundant Routing Engines are supported on Juniper Networks EX6200 Ethernet Switches, Juniper Networks EX8200 Ethernet Switches, and on all EX Series Virtual Chassis configurations. The master Routing Engine receives and transmits routing information, builds and maintains routing tables, communicates with interfaces and Packet Forwarding Engine components of the switch, and has full control over the control plane of the switch. The backup Routing Engine stays in sync with the master Routing Engine in terms of protocol states, forwarding tables, and so forth. If the master becomes unavailable, the backup Routing Engine takes over the functions that the master Routing Engine performs. Network reconvergence takes place more quickly on switches and on Virtual Chassis with redundant Routing Engines than on switches and on Virtual Chassis with a single Routing Engine.

Virtual Chassis A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop prevention protocols such as Spanning Tree Protocol (STP). A Virtual Chassis improves high availability by introducing a variety of failover mechanisms; if a member switch, a line card, or an interface fails on a switch that is a member of a Virtual Chassis, for instance, traffic to that switch, line card, or interface can be rerouted within the Virtual Chassis. Juniper Networks EX3300 Ethernet Switches, Juniper Networks EX4200 Ethernet Switches, Juniper Networks EX4500 Ethernet Switches, or EX8200 switches can form a Virtual Chassis. An EX4200 switch and an EX4500 switch can be connected together to form a mixed EX4200 and EX4500 Virtual Chassis.

Graceful Routing Engine Switchover You can configure graceful Routing Engine switchover (GRES) on a switch with redundant Routing Engines or on a Virtual Chassis, allowing control to switch from the master Routing Engine to the backup Routing Engine with minimal interruption to network communications. When you configure graceful Routing Engine switchover, the backup Routing Engine automatically synchronizes with the master Routing Engine to preserve kernel state information and forwarding state. Any updates to the master Routing Engine are replicated to the backup Routing Engine as soon as they occur. If the kernel on the master Routing Engine stops operating, the master Routing Engine experiences a hardware


35

®


failure, or the administrator initiates a manual switchover, mastership switches to the backup Routing Engine. When the backup Routing Engine assumes mastership in a redundant failover configuration (that is, when graceful Routing Engine switchover is not enabled), the Packet Forwarding Engines initialize their state to the boot state before they connect to the new master Routing Engine. In contrast, in a graceful switchover configuration, the Packet Forwarding Engines do not reinitialize their state, but resynchronize their state to that of the new master Routing Engine. The interruption to traffic is minimal.

Link Aggregation You can combine multiple physical Ethernet ports to form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one of the links should fail, the system automatically load-balances traffic across all remaining links. In a Virtual Chassis, LAGs can be used to load-balance network traffic between member switches. The number of Ethernet interfaces you can include in a LAG and the number of LAGs you can configure on a switch depend on the switch model. For information on LAGs, see “Understanding Aggregated Ethernet Interfaces and LACP” on page 1774.

Nonstop Active Routing Nonstop active routing (NSR) provides high availability in a switch with redundant Routing Engines by enabling transparent switchover of the Routing Engines without requiring restart of supported routing protocols. Both Routing Engines are fully active in processing protocol sessions, and so each can take over for the other. The switchover is transparent to neighbor routing devices, which do not detect that a change has occurred. To use nonstop active routing, you must also configure graceful Routing Engine switchover.

Nonstop Software Upgrade Nonstop software upgrade (NSSU) allows you to upgrade the software on a switch with dual Routing Engines or on a Virtual Chassis in an automated manner with minimal traffic disruption. NSSU takes advantage of graceful Routing Engine switchover and nonstop active routing to enable upgrading the Junos OS version with no disruption to the control plane. In addition, NSSU minimizes traffic disruption by: •

Upgrading line cards one at a time in an EX8200 switch or EX8200 Virtual Chassis, permitting traffic to continue to flow through the line cards that are not being upgraded.

•

Upgrading member switches one at a time in an EX4200, EX4500, or mixed EX4200 and EX4500 Virtual Chassis, permitting traffic to continue to flow through the members that are not being upgraded.

By configuring LAGs such that the member links reside on different line cards or Virtual Chassis members, you can achieve minimal traffic disruption when performing an NSSU.

36



Redundant Power System Most Juniper Networks Ethernet Switches have a built-in capability for redundant power supplies—therefore if one power supply fails on those switches, the other power supply takes over. However, EX2200 switches and EX3300 switches have only one internal fixed power supply. If an EX2200 switch or EX3300 switch is deployed in a critical situation, we recommend that you connect a Redundant Power System (RPS) to that switch to supply backup power if the internal power supply fails. RPS is not a primary power supply—it only provides backup power to switches when the single dedicated power supply fails. An RPS operates in parallel with the single dedicated power supplies of the switches connected to it and provides all connected switches enough power to support either power over Ethernet (PoE) or non-PoE devices. For more information on RPS, see EX Series Redundant Power System Hardware Overview. Related Documentation

•

For more information on high availability features, see the Junos OS High Availability Configuration Guide.

•

EX3300, EX4200, and EX4500 Virtual Chassis Overview on page 1281

•

EX8200 Virtual Chassis Overview on page 1538

•

Understanding VRRP on EX Series Switches on page 1663

•

Understanding Aggregated Ethernet Interfaces and LACP on page 1774

•

Understanding Nonstop Active Routing on EX Series Switches on page 1666

•

Understanding Nonstop Software Upgrade on EX Series Switches on page 1668

•

EX Series Redundant Power System (RPS) Documentation

Understanding Software Infrastructure and Processes Each switch runs the Juniper Networks Junos operating system (Junos OS) for Juniper Networks EX Series Ethernet Switches on its general-purpose processors. Junos OS includes processes for Internet Protocol (IP) routing and for managing interfaces, networks, and the chassis. The Junos OS runs on the Routing Engine. The Routing Engine kernel coordinates communication among the Junos OS processes and provides a link to the Packet Forwarding Engine. With the J-Web interface and the command-line interface (CLI) to the Junos OS, you configure switching features and routing protocols and set the properties of network interfaces on your switch. After activating a software configuration, use either the J-Web or CLI user interface to monitor the switch, manage operations, and diagnose protocol and network connectivity problems. •

Routing Engine and Packet Forwarding Engine on page 38

•

Junos OS Processes on page 38


37

®


Routing Engine and Packet Forwarding Engine A switch has two primary software processing components: •

Packet Forwarding Engine—Processes packets; applies filters, routing policies, and other features; and forwards packets to the next hop along the route to their final destination.

•

Routing Engine—Provides three main functions: •

Creates the packet forwarding switch fabric for the switch, providing route lookup, filtering, and switching on incoming data packets, then directing outbound packets to the appropriate interface for transmission to the network

•

Maintains the routing tables used by the switch and controls the routing protocols that run on the switch.

•

Provides control and monitoring functions for the switch, including controlling power and monitoring system status.

Junos OS Processes The Junos OS running on the Routing Engine and Packet Forwarding Engine consists of multiple processes that are responsible for individual functions. The separation of functions provides operational stability, because each process accesses its own protected memory space. In addition, because each process is a separate software package, you can selectively upgrade all or part of the Junos OS, for added flexibility. Table 24 on page 38 describes the primary Junos OS processes.

Table 24: Junos OS Processes Process

Name

Description

Chassis process

chassisd

Detects hardware on the system that is used to configure network interfaces. Monitors the physical status of hardware components and field-replaceable units (FRUs), detecting when environment sensors such as temperature sensors are triggered. Relays signals and interrupts—for example, when devices are taken offline, so that the system can close sessions and shut down gracefully.

Ethernet switching process

eswd

Handles Layer 2 switching functionality such as MAC address learning, Spanning Tree protocol and access port security. The process is also responsible for managing Ethernet switching interfaces, VLANs, and VLAN interfaces. Manages Ethernet switching interfaces, VLANs, and VLAN interfaces.

Forwarding process

pfem

Defines how routing protocols operate on the switch. The overall performance of the switch is largely determined by the effectiveness of the forwarding process.

Interface process

dcd

Configures and monitors network interfaces by defining physical characteristics such as link encapsulation, hold times, and keepalive timers.

38



Table 24: Junos OS Processes (continued) Process

Name

Description

Management process

mgd

Provides communication between the other processes and an interface to the configuration database. Populates the configuration database with configuration information and retrieves the information when queried by other processes to ensure that the system operates as configured. Interacts with the other processes when commands are issued through one of the user interfaces on the switch. If a process terminates or fails to start when called, the management process attempts to restart it a limited number of times to prevent thrashing and logs any failure information for further investigation.

Routing protocol process

rpd


Defines how routing protocols such as RIP, OSPF, and BGP operate on the device, including selecting routes and maintaining forwarding tables.

•

For more information about processes, see Junos OS Network Operations Guide

•

For more information about basic system parameters, supported protocols, and software processes, see Junos OS System Basics Configuration Guide


39

®


40


CHAPTER 2

Supported Hardware •


•

EX2200 Switch Models on page 47

•


•


•


•


•


•


•


•


•


•


•


•


EX2200 Switches Hardware Overview Juniper Networks EX Series Ethernet Switches provide scalable connectivity for the enterprise market, including branch offices, campus locations, and data centers. The switches run the Juniper Networks Junos operating system (Junos OS), which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers and SRX Series services gateways. Juniper Networks EX2200 Ethernet Switches provide connectivity for low-density environments. This topic describes: •

EX2200 Switches First View on page 42

•

Uplink Ports on page 42

•

Console Port on page 42


41

®


•

Cable Guard on page 43

•

Security Slots on page 43

•

Power over Ethernet (PoE) Ports on page 43

•

Front Panel of an EX2200 Switch on page 43

•

Rear Panel of an EX2200 Switch on page 45

EX2200 Switches First View EX2200 switches are available in models with 12 , 24, or 48 built-in network ports. The compact, fanless model, EX2200-C switches have 12 network ports. EX2200 switches provide: •

Up to four uplink ports

•

12 (compact, fanless model) 24, or 48 built-in network ports with 10/100/100BASE-T Gigabit Ethernet connectors

•

Power over Ethernet (PoE or PoE+) on all network ports (in PoE-capable models)

Uplink Ports Each EX2200 switch except the EX2200-C switch model has four uplink ports that support 1-gigabit small form-factor pluggable (SFP) transceivers for use with fiber connections and copper connections. Each EX2200-C switch has two dual-purpose uplink ports. Each dual uplink port consists of an RJ-45 port (in which you can connect a copper Ethernet cable) and an SFP port (into which you can plug a transceiver). Only one of the ports can be active at a time. By default, if you connect a copper Ethernet cable to the RJ-45 port, this port becomes the active port provided that there is no connection made on the other port. If you plug a transceiver into the SFP port, this port becomes the active port whether or not a copper Ethernet cable is connected to the other port. You can change this default behavior by explicitly configuring a media type--copper or fiber---for the dual-purpose port using the media-type command. For more information, see “Configuring the Media Type on Dual-Purpose Uplink Ports (CLI Procedure)” on page 1881 For information about the supported optical and copper interfaces, see Optical Interface Support in EX2200 Switches.

Console Port Each EX2200 switch except the EX2200-C switch model has an RJ-45 console port that accepts a cable with RJ-45 connector. The EX2200-C switch has two console ports: an RJ-45 port and a Mini-USB Type-B port. The RJ-45 console port accepts a cable with an RJ-45 connector and the Mini-USB Type-B console port accepts a Mini-B plug (5-pin) connector to connect to the console management device. The switch activates only one console port at a time, either the RJ-45 console port or the Mini USB type-B console port. By default, the RJ-45 port is the active console port and the Mini-USB Type-B port is the passive console port. You can

42


Chapter 2: Supported Hardware

change the default setting of a console port using the port-type command. See “Configuring the Console Port Type (CLI Procedure)” on page 266.

Cable Guard On an EX2200-C switch model you can install a cable guard to secure the cables connected to the switch. The cable guard has slots in the front of it through which you can pass all the cables to prevent them from being accidently unplugged or removed after they are connected. See Mounting an EX2200 Switch on a Desk or Other Level Surface.

Security Slots Each EX2200-C switch model has security slots on the left and right panels of the chassis. The security slots allow you to lock and secure the chassis in the installation site using a standard cable lock . See Mounting an EX2200 Switch on a Desk or Other Level Surface.

Power over Ethernet (PoE) Ports EX2200 switches are available in models with or without PoE/PoE+ capability. Models that support PoE/PoE+ provide that support on all network ports. PoE ports provide electrical current to devices—such as IP phones, wireless access points, and security cameras—through network cables, thus eliminating the need for separate power cords for those devices. EX2200 switches with DC power supply do not provide PoE. EX2200 switches running Junos OS Release 10.3 or later support powered devices that comply with IEEE 802.3af (PoE) and IEEE 802.3at (PoE+).

NOTE: IEEE 802.3at class 4 powered devices require category 5 or higher Ethernet cables.

EX2200 switches running Junos OS Release 10.2 or earlier support powered devices that comply with IEEE 802.3af (PoE). The remainder of this topic uses the term PoE to refer to both PoE and PoE+ unless there is a need to distinguish between the two.

Front Panel of an EX2200 Switch The front panel of an EX2200 switch except the EX2200-C switch models consists of the following components: •

Network ports—depending on the switch model, either of: •

24 or 48 10/100/1000BASE-T Gigabit Ethernet ports, with Power over Ethernet (PoE) not available in EX2200-24T, EX2200-24T-DC, and EX2200-48T


43

®


•

24 or 48 10/100/1000BASE-T Gigabit Ethernet ports, with Power over Ethernet (PoE) available in EX2200-24P and EX2200-48P

•

4 built-in SFP uplink ports

•

2 chassis status LEDs

•

4 port status mode LEDs

•

Mode button

Figure 1 on page 44 shows the front panel of an EX2200 switch with 48 Gigabit Ethernet ports. Figure 2 on page 44 shows the front panel of an EX2200 switch with 24 Gigabit Ethernet ports.

Figure 1: Front Panel of an EX2200 Switch with 48 Gigabit Ethernet Ports Chassis status LEDs

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47 S SY

ALM

SPD DX

0

1

2

3

EN

Port status mode LEDs

Network ports

Mode button

SFP uplink ports

g027000

POE

Figure 2: Front Panel of an EX2200 Switch with 24 Gigabit Ethernet Ports Chassis status LEDs

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23 S SY

ALM

SPD DX

0

1

2

3

EN

Port status mode LEDs

Network ports

SFP uplink ports

Mode button

g027002

POE

The front panel of an EX2200-C switch consists of the following components: •

44

Network ports—depending on the switch model, either of: •

12 10/100/1000BASE-T Ethernet ports, (non-PoE) in EX2200-C-12T

•

12 10/100/1000BASE-T Ethernet ports, (PoE+) in EX2200-C-12P

•

2 built-in dual-purpose uplink ports, each of which includes one 10/100/1000 RJ-45 Ethernet port and one SFP port

•

1 USB port

•

1 Mini-USB console port

•

1 RJ-45 console port



•

1 Management Ethernet port

•

2 chassis status LEDs

•

4 port status mode LEDs in PoE+ and 3 port status mode LEDs in non-PoE

•

Mode button

Figure 3 on page 45 shows the front panel of an EX2200-C Switch with 12 Gigabit Ethernet PoE+ ports and Figure 4 on page 45 shows the front panel of an EX2200-C Switch with 12 Gigabit Ethernet non-PoE ports.

Figure 3: Front Panel of an EX2200-C Switch with 12 Gigabit Ethernet Ports (PoE+) Dual-purpose uplink ports 0

Console port

g021150

USB port

Network ports

Dual-purpose uplink ports 1

Management port

Mini USB port

g021151

Figure 4: Front Panel of an EX2200-C Switch with 12 Gigabit Ethernet Ports (non-PoE)

Rear Panel of an EX2200 Switch The rear panel of the EX2200 switch except the EX2200-C switch models consists of the following components: •

Management Ethernet port

•

USB port

•

Console port

•

Protective earthing terminal

•

ESD point

•

Air exhaust

•

Serial number ID label

•

AC power cord inlet or DC power terminals

Figure 5 on page 46 shows the rear panel of an EX2200 switch with an AC power supply.


45

®


All EX2200 switches except the EX2200-C switch model have three exhaust openings on the rear panel. The two exhaust openings on the left have fans behind them and are open. The exhaust opening on the right is open on Power over Ethernet (PoE) models and closed on non-PoE models. On PoE models, this opening exhausts the air from the fan at the air intake for the power supply on the side panel. The power cord retainer clips extend out of the chassis by 3 in.

Figure 5: Rear Panel of an EX2200 Switch With an AC Power Supply Management Ethernet port

Protective ESD earthing terminal point

Air intake with fan for power supply (fan on PoE models only)

EX2200-24-4G REV: X1 Mfg. Date 20090227

g027001

750-026464 REV: X3 MAC: 00:23:9C:oE:19:00

MADE IN CHINA

USB port

Console port

Air exhaust with fan

Air exhaust without fan Serial number (closed on non-PoE models) ID label

AC power cord inlet

The rear panel of an EX2200-C switch consists of the following components: •

Protective earthing terminal

•

ESD point

•

Serial number ID label

•

AC power cord inlet

•

Heatsink-only in PoE+ models

Figure 6 on page 46 shows the rear panel of an EX2200-C-12P switch with heatsink. EX2200-C switches being fanless models have no exhaust openings. The switch has vents on the top and on both the sides of the chassis. The PoE+ models have heatsink installed in the rear panel to dissipate the heat, while non-PoE models have no heatsink.

g021152

Figure 6: Rear Panel of an EX2200-C-12P Switch with Heatsink

Heatsink


46

•


•

Site Preparation Checklist for EX2200 Switches



EX2200 Switch Models The EX2200 switch is available with 12, 24, or 48 built-in network ports with full Power over Ethernet (PoE) capability (all 12, 24, or 48 built-in network ports support PoE) or no PoE capability. EX2200 switches with DC power supply do not provide PoE. Table 25 on page 47 lists the EX2200 switch models.

Table 25: EX2200 Switch Models Maximum PoE Power pport PoEAvailable

Model

Access Ports

Ports in Which PoE Is Available

EX2200-C-12T-2G

12 Gigabit Ethernet

–

–

EX2200-C-12P-2G

12 Gigabit Ethernet

All 12 ports

100 W

EX2200-24T-4G

24 Gigabit Ethernet

–

–

EX2200-24P-4G

24 Gigabit Ethernet

All 24 ports

405 W

EX2200-24T-4G-DC

24 Gigabit Ethernet

–

–

EX2200-48T-4G

48 Gigabit Ethernet

–

–

EX2200-48P-4G

48 Gigabit Ethernet

All 48 ports

405 W


•

First Junos OS Release


EX3200 Switches Hardware Overview Juniper Networks EX Series Ethernet Switches provide scalable connectivity for the enterprise market, including branch offices, campus locations, and data centers. The switches run the Juniper Networks Junos operating system (Junos OS), which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers. •

EX3200 Switches on page 47

•

Uplink Modules on page 48

•

Power over Ethernet (PoE) Ports on page 48

EX3200 Switches Juniper Networks EX3200 Ethernet Switches provide connectivity for low-density environments. Typically, you deploy these switches in branch environments or wiring closets where only one switch is required.


47

®


EX3200 switches are available in models with either 24 or 48 ports and with either all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. EX3200 switches with a DC power supply installed do not provide PoE. All models provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors and optional 1-gigabit small form-factor pluggable (SFP) transceivers, 10-gigabit small form-factor pluggable (SFP+) transceivers, or 10-gigabit small form-factor pluggable (XFP) transceivers for use with fiber connections. EX3200 switches include: •

A field-replaceable power supply and an optional additional connection to an external power source.

•

A field-replaceable fan tray with single fan.

•

Junos OS with its modular design that enables failed system processes to gracefully restart.

EX3200 switches have these features: •

Run Junos OS for EX Series switches

•

Have options of 24-port and 48-port models

•

Have options of full (all ports) or partial (8 ports) Power over Ethernet (PoE) capability

•

Have optional uplink modules that provide connection to distribution switches

Uplink Modules Optional uplink modules are available for all EX3200 switches. Uplink modules provide two 10-gigabit small form-factor pluggable (XFP) transceivers, four 1-gigabit small form-factor pluggable (SFP) transceivers, or two 10-gigabit small form-factor pluggable (SFP+) transceivers. You can use XFP, SFP, or SFP+ ports to connect an access switch to a distribution switch.

Power over Ethernet (PoE) Ports PoE ports provide electrical current to devices through the network cables so that separate power cords for devices such as IP phones, wireless access points, and security cameras are unnecessary. PoE is defined in the IEEE 802.3af standard. In this standard, the amount of power that can be supplied to a powered device is limited to 15.4 W. Starting with Junos OS Release 11.1, EX3200 switches support enhanced PoE, a Juniper Networks extension to the IEEE 302.3af PoE standard that permits up to 18.6 W per PoE port. EX3200 switches with an AC power supply installed have options of full (all 24 or 48 ports) or partial (8 ports) PoE capability. EX3200 switches with a DC power supply installed do not provide PoE. Full PoE models are primarily used in IP telephony environments. Partial PoE models are used in environments where, for example, only a few ports for wireless access points or security cameras are required.

48




•


•

Field-Replaceable Units in EX3200 Switches

•


EX3200 Switch Models The EX3200 switch is available with 24 or 48 ports with partial or full Power over Ethernet (PoE) capability. EX3200 switches with a DC power supply installed do not provide PoE. Table 26 on page 49 lists the EX3200 switch models.

Table 26: EX3200 Switch Models Model

Typical Deployment

Access Ports

Number of PoE-enabled Ports

Power Supply (Minimum)

EX3200-24T

Access or Distribution switch

24 Gigabit Ethernet

First 8 ports

320 W

EX3200-48T


48 Gigabit Ethernet

First 8 ports

320 W

EX3200-24P

Access switch

24 Gigabit Ethernet

All 24 ports

600 W

EX3200-48P

Access switch

48 Gigabit Ethernet

All 48 ports

930 W

EX3200-24T-DC


24 Gigabit Ethernet

0

190 W

EX3200-48T-DC


48 Gigabit Ethernet

0

190 W


•

Front Panel of an EX3200 Switch

•

Rear Panel of an EX3200 Switch

•


EX3300 Switches Hardware Overview Juniper Networks EX Series Ethernet Switches provide scalable connectivity for the enterprise market, including branch offices, campus locations, and data centers. The switches run the Juniper Networks Junos operating system (Junos OS), which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers and SRX Series services gateways. Juniper Networks EX3300 Ethernet Switches provide connectivity for low-density environments.


49

®


This topic describes: •

EX3300 Switches First View on page 50

•

Uplink Ports on page 50

•

Power over Ethernet Plus Ports on page 50

EX3300 Switches First View EX3300 switches provide: •

Either 24 or 48 built-in network ports with 10/100/1000BASE-T Gigabit Ethernet connectors (ports labeled 0 through 23 or 0 through 47)

•

Four uplink ports (ports labeled 0 through 3)

•

Virtual Chassis capability—You can connect up to six EX3300 switches together to form one unit that you manage as a single chassis, called a Virtual Chassis.

•

Power over Ethernet Plus (PoE+) on all network ports (in PoE+-capable models only)

Uplink Ports Each EX3300 switch has four autosensing uplink ports. You can use the uplink ports on the switch to: •

Connect an access switch to a distribution switch

•

Interconnect member switches of a Virtual Chassis

The uplink ports labeled 0 and 1 (interfaces ge-0/1/0 and ge-0/1/1 or xe-0/1/0 and xe-0/1/1) are configured by default as network ports. To use uplink ports 0 and 1 to interconnect Virtual Chassis members, you must configure them as Virtual Chassis ports (VCPs). The uplink ports labeled 2 and 3 (interfaces ge-0/1/2 and ge-0/1/3 or xe-0/1/2 and xe-0/1/3) are configured by default as VCPs. You can use these uplink ports to interconnect Virtual Chassis members. To use uplink ports 2 and 3 as network ports, you must configure them as network ports. The uplink ports support SFP and SFP+ transceivers. For a list of supported transceivers, see Optical Interface Support in EX3300 Switches.

Power over Ethernet Plus Ports EX3300 switches are available in models with or without PoE+ capability. Models that support PoE+ provide that support on all network ports. PoE+ ports provide electrical current to devices—such as IP phones, wireless access points, and security cameras—through network cables, thus eliminating the need for separate power cords for those devices.

50



NOTE: IEEE 802.3af and IEEE 802.3at powered devices require category 5 or higher Ethernet cables.


•


•


EX3300 Switch Models The EX3300 switch models are available: •

With 24 or 48 network ports

•

With or without PoE+ capability

•

With front-to-back or back-to-front airflow

•

With AC or DC power supplies

Table 27 on page 51 lists the EX3300 switch models.

Table 27: EX3300 Switch Models

Model

Access Ports

Ports in Which PoE+ Is Available

Maximum System Power Available for PoE

EX3300-24T

24 Gigabit Ethernet

–

–

Front-to-back

11.3R1

EX3300-24P

24 Gigabit Ethernet

All 24 ports

405 W

Front-to-back

11.3R1

EX3300-24T-DC

24 Gigabit Ethernet

–

–

Front-to-back

11.3R1

EX3300-48T

48 Gigabit Ethernet

–

–

Front-to-back

11.3R1

EX3300-48T-BF

48 Gigabit Ethernet

–

–

Back-to-front

11.3R1

EX3300-48P

48 Gigabit Ethernet

All 48 ports

740 W

Front-to-back

11.3R1

Direction of Airflow


NOTE: In rare cases, EX3300 switches running a Junos OS release prior to Release 11.3R4 or Release 11.4R2 might experience some traffic loss or a link failure as a result of non-user-configurable settings that are not optimized. To resolve this issue, upgrade to one of the following Junos OS releases:


•

Junos OS Release 11.3—R4 and later

•


•


51

®



•


•


EX4200 Switches Hardware Overview Juniper Networks EX Series Ethernet Switches provide scalable connectivity for the enterprise market, including branch offices, campus locations, and data centers. The switches run the Juniper Networks Junos operating system (Junos OS), which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers and SRX Series devices. •


•


•

Power over Ethernet Ports on page 53

EX4200 Switches Juniper Networks EX4200 Ethernet Switches provide connectivity for medium- and high-density environments and scalability for growing networks. These switches can be deployed wherever you need high density of Gigabit Ethernet ports (24 to 480 ports) or redundancy. Typically, EX4200 switches are used in large branch offices, campus wiring closets, and data centers where they can be positioned as the top device in a rack to provide connectivity for all the devices in the rack. You can connect individual EX4200 switches together to form one unit and manage the unit as a single chassis, called a Virtual Chassis. You can add more member switches to the Virtual Chassis as needed, up to a total of 10 members. EX4200 switches are available in models with 24 or 48 ports with either all ports equipped for Power over Ethernet (PoE/PoE+) or only 8 ports equipped for PoE. All models provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors and optional 1-gigabit small form-factor pluggable (SFP) transceivers, 10-gigabit small form-factor pluggable (SFP+) transceivers, or 10-gigabit small form-factor pluggable (XFP) transceivers for use with fiber connections. Additionally, a 24-port model provides 100Base-FX/1000Base-X SFP ports. This model is typically used as a small distribution switch. All EX4200 switches have dedicated 64-Gbps Virtual Chassis ports (VCPs) that allow you to connect the switches to each other. You can also use optional uplink module ports to connect members of a Virtual Chassis across multiple wiring closets. To provide carrier-class reliability, EX4200 switches include:

52

•

Dual redundant power supplies that are field-replaceable and hot-swappable. An optional additional connection to an external power source is also available.

•

A field-replaceable fan tray with three fans. The switch remains operational if a single fan fails.



•

Redundant Routing Engines in a Virtual Chassis configuration. This redundancy enables graceful Routing Engine switchover (GRES) and nonstop active routing (NSR).

•


EX4200 switches have these features: •

Run under Junos OS for EX Series switches

•

Have options of 24-port and 48-port models

•

Have options of full (all ports) PoE/PoE+ capability or partial (8 ports) PoE capability

•

Have optional uplink modules that provide connection to distribution switches

Uplink Modules Optional uplink modules are available for all EX4200 switches. Uplink modules provide two ports for installing 10-gigabit small form-factor pluggable (XFP) transceivers, four ports for installing 1-gigabit small form-factor pluggable (SFP) transceivers, or two ports for installing 10-gigabit small form-factor pluggable (SFP+) transceivers. You can use XFP, SFP, or SFP+ ports to connect an access switch to a distribution switch or to interconnect member switches of a Virtual Chassis across multiple wiring closets.

Power over Ethernet Ports PoE ports provide electrical current to devices through the network cables so that separate power cords for devices such as IP phones, wireless access points, and security cameras are unnecessary. PoE was first defined in the IEEE 802.3af standard. Starting with Junos OS Release 11.1, EX4200 switches support enhanced PoE, a Juniper Networks extension to the IEEE 302.3af PoE standard that increases the amount of power per PoE port. A later standard, IEEE 802.3at, defined PoE+. An IEEE 802.3af powered device operates normally when connected to an IEEE 802.3at (PoE+) power sourcing equipment. EX4200 switches with an AC power supply installed have options of full (all 24 or 48 ports) PoE/PoE+ capability or partial (8 ports) PoE capability. EX4200 switches with a DC power supply installed do not provide PoE. Full PoE/PoE+ models are primarily used in IP telephony environments. Partial PoE models are used in environments where, for example, only a few ports for wireless access points or security cameras are required. Related Documentation

•


•


•


•

Understanding PoE on EX Series Switches on page 4613


53

®


EX4200 Switch Models The EX4200 switch is available with 24 or 48 ports and with partial or full Power over Ethernet (PoE) capability. EX4200 switches with a DC power supply installed do not provide PoE.

NOTE: This topic uses the term PoE to refer to both PoE and PoE+ unless there is a need to distinguish between the two.

Table 28 on page 54 lists the EX4200 switch models.

Table 28: EX4200 Switch Models Model

Ports

Number of PoE-enabled Ports

Power Supply (Minimum)

Junos OS Release Required

EX4200-24T

24 Gigabit Ethernet

First 8 ports

320 W

9.0R2 or later

EX4200-48T

48 Gigabit Ethernet

First 8 ports

320 W

9.0R2 or later

EX4200-24P

24 Gigabit Ethernet

All 24 ports

600 W

9.0R2 or later

EX4200-48P

48 Gigabit Ethernet

All 48 ports

930 W

9.0R2 or later

EX4200-24F

24 small form-factor pluggable (SFP) transceivers

–

320 W

9.0R2 or later

EX4200-24T-DC

24 Gigabit Ethernet

0

190 W

9.0R2 or later

EX4200-48T-DC

48 Gigabit Ethernet

0

190 W

9.0R2 or later

EX4200-24F-DC

24 small form-factor pluggable (SFP) transceivers

–

190 W

9.0R2 or later

EX4200-24PX

24 Gigabit Ethernet

All 24 ports (PoE+)

930 W

9.0R2 or later

EX4200-48PX

48 Gigabit Ethernet

All 48 ports (PoE+)

930 W

9.0R2 or later

CAUTION: Mixing different types (AC and DC) of power supplies in the same chassis is not supported.


54

•


•


•




EX4500 Switches Hardware Overview Juniper Networks EX4500 Ethernet Switches provide high performance, scalable connectivity, and carrier-class reliability for high-density environments such as campus-aggregation and data-center networks.

NOTE: The Virtual Chassis module is supported on EX4500 switches in Junos OS Releases 11.1 and later.

You can manage EX4500 switches using the same interfaces that you use for managing other devices running the Juniper Networks Junos operating system (Junos OS)—the command-line interface (CLI) and the J-Web graphical interface. The Juniper Networks EX Series Ethernet Switches run Junos OS, which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers. •


•

Intraconnect Module and Virtual Chassis Module on page 57

•


•

Power Supplies on page 58

EX4500 Switches EX4500 switches provide connectivity for high-density 10-Gigabit Ethernet data center top-of-rack and aggregation deployments. Typically, EX4500 switches are used in data centers where they can be positioned as the top device in a rack to provide connectivity for all devices in the rack. The EX4500 switch is 2 rack units (2 U) in size. Each EX4500 switch is designed to optimize rack space utilization and cabling. See Figure 7 on page 55, Figure 8 on page 56, and Figure 9 on page 56.

g020845

Figure 7: EX4500 Switch Front


55

®


Figure 8: EX4500 Switch Rear with Intraconnect Module Installed AC power supply

Intraconnect module

ST

1 EX4500-LB

g020846

0

Fan tray Fan tray handle

Figure 9: EX4500 Switch Rear with Virtual Chassis Module Installed

EX4500 switches are available in models with either front-to back airflow or back-to-front airflow and hardware that is Converged Enhanced Ethernet (CEE) capable or not. All eight models provide 40 wire-speed 10-gigabit small form-factor pluggable (SFP+) network ports that can house either 1-Gigabit Ethernet connectors or 10-Gigabit Ethernet connectors. All models support two optional high-speed uplink modules. See “EX4500 Switch Models” on page 58.

NOTE: The side of the switch where the network ports are located is the front of the switch.

To provide carrier-class reliability, EX4500 switches include:

56

•

Dual redundant, load-sharing power supplies that are hot-insertable and hot-removable field-replaceable units.

•

A FRU fan tray with five fans. The switch remains operational if a single fan fails.



•

Redundant Routing Engines in a Virtual Chassis configuration. This redundancy enables graceful Routing Engine switchover (GRES).

•


Intraconnect Module and Virtual Chassis Module EX4500 switches ship with either the intraconnect module or the Virtual Chassis module preinstalled in the switch. Only one of the modules can be installed on the rear side of the switch chassis at a given time. Both modules are offline FRUs. The intraconnect module helps the switch achieve line rate on all its ports. See Figure 8 on page 56. The Virtual Chassis module has two dedicated Virtual Chassis ports (VCPs) that can be used to interconnect the EX4500 switch with EX4200 switches or EX4500 switches to form a Virtual Chassis. The Virtual Chassis module must be installed in an EX4500 switch to form a Virtual Chassis. The number of EX4500 switches that can be interconnected into a Virtual Chassis composed exclusively of EX4500 switches depends on the Junos OS release running on the switches. See Understanding EX4200, EX4500, and EX4550 Virtual Chassis Hardware Configurations. EX4200 and EX4500 switches can be connected together into the same Virtual Chassis to form a mixed EX4200 and EX4500 Virtual Chassis. You can interconnect EX4200 and EX4500 switches through the dedicated Virtual Chassis ports (VCPs) to form a mixed Virtual Chassis. You can also interconnect EX4500 switches through SFP+ uplink module ports or SFP+network ports configured as VCPs to form a Virtual Chassis. The number of EX4200 and EX4500 switches that can be interconnected into a mixed Virtual Chassis depends on the Junos OS release running on the switches. See Understanding EX4200, EX4500, and EX4550 Virtual Chassis Hardware Configurations.

NOTE: Operating an EX4500 switch without the intraconnect module or the Virtual Chassis module is not supported. EX4500 switches running Junos OS Release 10.4R2 or later 10.4 releases will not boot if you do not install the intraconnect module in the switch. EX4500 switches running Junos OS Release 11.1R1 or later releases will not boot if you install neither the intraconnect module nor the Virtual Chassis module in the switch.

Uplink Modules Optional uplink modules are available for EX4500 switches. Two uplink modules can be installed in an EX4500 switch. Each uplink module provides four SFP+ ports for connecting to core devices in a data center. You can install SFP or SFP+ transceivers in these ports. You can also configure the uplink module ports as VCPs to form a Virtual Chassis.


57

®


Power Supplies EX4500 switches support both AC and DC power supplies. EX4500 switches ship with one AC or DC power supply installed. You can install a second AC or DC power supply in your EX4500 switch. See AC Power Supply in EX4500 Switches and DC Power Supply in EX4500 Switches.

CAUTION: Mixing different types (AC and DC) of power supplies or power supplies with front-to-back and back-to-front airflow in the same chassis is not supported.


•


•


•


EX4500 Switch Models The EX4500 switch is available in eight models. Table 29 on page 58 lists the models for an EX4500 switch, the airflow direction of the switch, the components included in each model, and the Junos OS Release in which they were introduced.

NOTE: The side of the switch where the network ports are located is the front of the switch.

Table 29: EX4500 Switch Models, Components, and Supported Junos OS Release Model EX4500-40F-FB

58

Access Port Configuration


Switch Components


40-port GbE/10GbE SFP/SFP+

Front-to-back

•

Chassis

10.2R1

•

One fan tray (with green exhaust label visible)

•

One AC power supply (with green ejector lever)

•

One power cord

•

One power supply cover panel

•

Two uplink module cover panels

•

One intraconnect module



Table 29: EX4500 Switch Models, Components, and Supported Junos OS Release (continued) Model EX4500-40F-BF

EX4500-40F-FB-C (Converged Enhanced Ethernet (CEE) capable)

EX4500-40F-BF-C (CEE capable)

EX4500-40F-DC-C (CEE capable)



Switch Components



Back-to-front

•

Chassis

10.2R1

•

One fan tray (with orange intake label visible)

•

One AC power supply (with orange ejector lever)

•

One power cord

•


•


•


•

Chassis

•


•


•

One power cord

•


•


•


•

Chassis

•


•


•

One power cord

•


•


•


•

Chassis

•


•

One DC power supply (with green ejector lever)

•


•


•






Front-to-back

Back-to-front

Front-to-back

10.3R1

10.3R1

10.3R2

59

®


Table 29: EX4500 Switch Models, Components, and Supported Junos OS Release (continued) Model EX4500-40F-VC1-FB

EX4500-40F-VC1-BF

EX4500-40F-VC1-DC



Switch Components



Front-to-back

•

Chassis

11.1R1

•


•


•

One power cord

•


•


•

One Virtual Chassis module

•

Chassis

•


•


•

One power cord

•


•


•


•

Chassis

•


•

One DC power supply (with green ejector lever)

•


•


•




Back-to-front

Front-to-back

11.1R1

11.1R1

NOTE: The CEE capable EX4500 switches have a Virtual Chassis label on the front panel.

NOTE: Uplink modules, transceivers, Virtual Chassis cables, and Virtual Chassis cable connector retainers are not part of the EX4500 switch’s shipping configuration. If you want to purchase any of these, or additional power supplies for your switch, you must order them separately.

CAUTION: Mixing different types (AC and DC) of power supplies or power supplies with front-to-back and back-to-front airflow in the same chassis is not supported.

60




•

Chassis Physical Specifications for EX4500 Switches

•


•


•


EX6210 Switch Hardware Overview Juniper Networks EX6210 Ethernet Switches provide high performance, scalable connectivity, and carrier-class reliability for high-density environments such as campus-access and data-center networks. The EX6210 switch is a modular system that provides high availability and redundancy for all major hardware components, including Routing Engines, switch fabric, fan tray (redundant fans), and power supplies. You can manage EX6210 switches using the same interfaces that you use for managing other devices running Juniper Networks Junos operating system (Junos OS)—the command-line interface (CLI), the J-Web graphical interface, and Junos Space. This topic describes: •

Software on page 61

•

Chassis Physical Specifications, LCD Panel, and Backplane on page 61

•

Switch Fabric and Routing Engine Modules on page 63

•

Line Cards on page 64

•

Cooling System on page 64

•


Software Juniper Networks EX Series Ethernet Switches run Junos OS, which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers and SRX Series Services Gateways.

NOTE: EX6200 switches support Junos OS Release 11.3R2 or later.

Chassis Physical Specifications, LCD Panel, and Backplane The EX6210 switch is 14 rack units (14 U) in size (1/3 rack). Three EX6210 switches can fit in a standard 42 U rack. Each EX6210 switch is designed to optimize rack space and cabling. See Figure 10 on page 62 and Figure 11 on page 63.


61

®


Figure 10: EX6210 Switch Front ESD point

Frontmounting bracket Line cards (slots 0-3)

0

1

2

SRE modules (slots 4-5)

3

4

5

Line cards (slots 6-9)

6

7

8

9 9

100-120V /200-240 47-63Hz V-15A

ENABLE

100-120V /200-240 47-63Hz V-15A

STAND BY

ON

100-120V/200-24 47-63Hz 0V-15A

STAND BY

ON

100-120V/200-24 47-63Hz 0V-15A

STAND BY

ON

INPUT OUTPUT FAIL OK OK

ENABLE


ENABLE


ENABLE

Power supplies

STAND BY

ON

g021100


62



Figure 11: EX6210 Switch Rear

Fan tray

ESD point

g021101

Earthing terminal

The EX6210 switch can have up to two chassis-level LCD panels, one on each Switch Fabric and Routing Engine (SRE) module. The LCD panel on the master SRE module displays Routing Engine and chassis components’ alarm information for rapid problem identification. This LCD panel provides a user-friendly interface for performing initial switch configuration, rolling back a configuration, or restoring the switch to its default settings. See LCD Panel in an EX6200 Switch. The EX6210 chassis backplane distributes the data, control, and management signals to various system components as well as distributes power throughout the system. See Chassis Physical Specifications of an EX6210 Switch.

Switch Fabric and Routing Engine Modules Switching functionality, system management, and system control functions of an EX6210 switch are performed by a Switch Fabric and Routing Engine (SRE) module. See Switch Fabric and Routing Engine (SRE) Module in an EX6200 Switch. An SRE module contains a Routing Engine and switch fabric. The SRE modules are field-replaceable units (FRUs). A nonredundant EX6210 switch configuration has one SRE module. A redundant configuration EX6210 switch has two SRE modules installed. See EX6210 Switch Configurations.


63

®


Each SRE module provides 64 Gbps of full-duplex bandwidth per line card slot. If only one SRE module is installed in a chassis, it supports 384 ports on eight line cards with 3:2 oversubscription. If two SRE modules are installed in a chassis, they provide 128 Gbps of full-duplex bandwidth to each line card slot, allowing all 384 ports to operate at wire speed.

Line Cards The EX6210 switch supports line rate for each line card installed. You can install upto nine line cards in an EX6210 switch. The line cards in EX6200 switches combine a Packet Forwarding Engine and Ethernet interfaces on a single assembly. All line cards are hot-removable and hot-insertable FRUs. Table 30 on page 64 shows the model numbers and descriptions of the EX6200 line cards.

Table 30: EX6200 Line Cards Model

Description

Additional Information

EX6200-48P

48-port PoE+ line card

All 48 ports on this line card support PoE (IEEE 802.3af) and PoE+ (IEEE 802.3at). See 48-Port PoE+ Line Card in an EX6200 Switch

EX6200-48T

48-port RJ-45 line card

48-Port RJ-45 Line Card in an EX6200 Switch

Cooling System The cooling system in an EX6210 switch consists of a hot-removable and hot-insertable FRU fan tray. The fan tray contains six fans, three rows of two fans each. The fan tray installs vertically on the right side on the rear of the chassis and provides front-to-back chassis cooling. See Cooling System and Airflow in an EX6210 Switch.

Power Supplies Power supplies for the EX6210 switch are fully redundant, load-sharing, and hot-removable and hot-insertable FRUs. An EX6210 switch chassis can hold up to four AC or DC power supplies. Table 31 on page 64 shows the details of the power supplies available for EX6200 switches.

Table 31: Power Supplies Supported on EX6200 Switches Power Supply

Input Voltage Supported

Output Power

2500 W AC

Low-voltage line (100-120 VAC)

1250 W

High-voltage line (200-240 VAC)

2500 W

64



Table 31: Power Supplies Supported on EX6200 Switches (continued) Power Supply

Input Voltage Supported

Output Power

5000 W AC

Low-voltage line

•

With one power feed connected: 1250 W

•

With two power feed connected: 2500 W

•

With one power feed connected: 2500 W

•

With two power feed connected: 5000 W

High-voltage line

2100 W DC

–48 VDC through –60 VDC

2100 W

Only one power supply (either AC or DC) is shipped with the different chassis shipping configurations. You can purchase additional power supplies separately. See AC Power Supplies in an EX6200 Switch and DC Power Supply in an EX6200 Switch.

CAUTION: Mixing different types of power supplies (AC and DC or AC power supplies of different wattage) in the same chassis is not supported. Mixing low-voltage input line and high-voltage input line power feeds in the same chassis is not supported.


•

Connecting and Configuring an EX Series Switch (CLI Procedure) on page 257

•

Field-Replaceable Units in an EX6210 Switch

EX8208 Switch Hardware Overview Juniper Networks EX8208 Ethernet Switches provide high performance, scalable connectivity, and carrier-class reliability for high-density environments such as campus-aggregation and data-center networks. The EX8208 switch is a modular system that provides high availability and redundancy for all major hardware components, including Routing Engines, switch fabric, fan tray (redundant fans), and power supplies. You can form an EX8200 Virtual Chassis by connecting individual EX8200 switches to an XRE200 External Routing Engine. A Virtual Chassis is multiple switches connected together that operate as a single network entity. You can manage EX8208 switches using the same interfaces that you use for managing other devices running the Juniper Networks Junos operating system (Junos OS)—the command-line interface (CLI), the J-Web graphical interface, and the Network and Security Manager (NSM). •

Software on page 66

•

Chassis Physical Specifications, LCD Panel, and Backplane on page 66

•

Routing Engines and Switch Fabric on page 67

•



65

®


•


•


Software The Juniper Networks EX Series Ethernet Switches run Junos OS, which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers and SRX Series devices.

Chassis Physical Specifications, LCD Panel, and Backplane The EX8208 switch is 14 rack units (14 U) in size (1/3 rack). Three EX8208 switches can fit in a standard 42 U rack. Each EX8208 switch is designed to optimize rack space and cabling. See Figure 12 on page 66.

Figure 12: EX8208 Switch

The EX8208 switch has a chassis-level LCD panel that displays Routing Engine and switch fabric status as well as chassis components’ alarm information for rapid problem identification. The LCD panel provides a user-friendly interface for performing initial

66



switch configuration, rolling back a configuration, or restoring the switch to its default settings. See LCD Panel in an EX8200 Switch. The EX8208 chassis backplane distributes the data, control, and management signals to various system components along with distributing power throughout the system. See Chassis Physical Specifications of an EX8208 Switch.

Routing Engines and Switch Fabric Switching functionality, system management, and system control functions of an EX8208 switch are performed by a Switch Fabric and Routing Engine (SRE) module. See Switch Fabric and Routing Engine (SRE) Module in an EX8208 Switch. An SRE module contains a Routing Engine and switch fabric. The SRE modules are field-replaceable units (FRUs) that are installed in the front of the chassis in the slots labeled SRE0 and SRE1. See Slot Numbering for an EX8208 Switch. A base configuration EX8208 switch has one SRE module. A redundant configuration EX8208 switch has a second SRE module. See EX8208 Switch Configurations. The Switch Fabric (SF) module, working with the SRE module, provides the necessary switching functionality to a base configuration EX8208 switch. The SF module is installed in the front of the chassis in the slot labeled SF. In a redundant configuration, the SF module provides full 2+1 switch fabric redundancy to the switch. See Switch Fabric (SF) Module in an EX8208 Switch. The EX8208 switch can also be connected to an XRE200 External Routing Engine. An XRE200 External Routing Engine is used to connect multiple EX8200 switches into a Virtual Chassis. See “XRE200 External Routing Engine Hardware Overview” on page 76.

Line Cards The EX8208 switch features eight horizontal line card slots and supports line rate for each line card. The line cards in EX8200 switches combine a Packet Forwarding Engine and Ethernet interfaces on a single assembly. Line cards are FRUs that can be installed in the line card slots labeled 0 through 7 on the front of the switch chassis. See Slot Numbering for an EX8208 Switch. All line cards are hot-removable and hot-insertable. Twelve line cards are available for EX8200 switches. The extra-scale line card models provide larger IPv4 and IPv6 route table sizes than the non-extra-scale models to store more unicast routes. Table 32 on page 67 shows the model numbers and descriptions of the line cards available for EX8200 switches.

Table 32: Line Cards Available for EX8200 Switches Model

Description


EX8200-8XS

8-port SFP+ line card

8-port SFP+ Line Card in an EX8200 Switch

EX8200-8XS-ES

8-port SFP+ line card, extra-scale


EX8200-40XS




67

®


Table 32: Line Cards Available for EX8200 Switches (continued) Model

Description


EX8200-40XS-ES



EX8200-2XS-40P

40-port PoE+ with 4-port SFP and 2-port SFP+ line card

EX8200-2XS-40P Line Card

EX8200-2XS-40T

40-port RJ-45 with 4-port SFP and 2-port SFP+ line card

EX8200-2XS-40T Line Card

EX8200-48PL

48-port PoE+ 20 Gbps line card

EX8200-48PL Line Card

EX8200-48TL

48-port RJ-45 20 Gbps line card

EX8200-48TL Line Card

EX8200-48T


48-port RJ-45 Line Card in an EX8200 Switch

EX8200-48T-ES

48-port RJ-45 line card, extra-scale


EX8200-48F

48-port SFP line card

48-port SFP Line Card in an EX8200 Switch

EX8200-48F-ES

48-port SFP line card, extra-scale


NOTE: We recommend that you do not install extra-scale line card models and non-extra-scale models in the same switch or Virtual Chassis. If you install extra-scale line cards in a switch or Virtual Chassis that has non-extra-scale models installed, the IPv4 and IPv6 route table sizes default to those of the non-extra-scale models and you will not get the benefit of the increased table sizes of the extra-scale models. You will experience these decreased route table sizes in a Virtual Chassis even when the non-extra-scale line cards are installed in one member switch and the extra-scale line cards are installed in another member switch.

Cooling System The cooling system in an EX8208 switch consists of a hot-removable and hot-insertable FRU fan tray. The fan tray contains 12 fans. The fan tray installs vertically on the left front of the chassis and provides side-to-side chassis cooling. See Cooling System and Airflow in an EX8208 Switch.

Power Supplies Power supplies for the EX8208 switch are fully redundant, load-sharing, and hot-removable and hot-insertable (FRUs. Each EX8208 switch chassis can hold up to six AC or DC power supplies. Table 33 on page 69 shows the details of the power supplies available for EX8208 switches.

68




Input Voltage

Output Power

2000 W AC


1200 W


2000 W


Not supported


3000 W

-40 VDC through -72VDC

2000 W

3000 W AC

2000 W DC

Only two AC power supplies (provided) are required to power on the base AC configuration switch. The redundant AC configuration ships with six AC power supplies to provide the capacity to power the system using N+1 or N+N power redundancy. See AC Power Supply in an EX8200 Switch and EX8208 Switch Configurations. The redundant DC configuration ships with four DC power supplies. The dual inputs of the DC supplies provide direct support for N+N power redundancy. The redundant configuration also provides sufficient capacity for N+1 redundancy in most configurations; if necessary, up to two additional DC supplies can be added to the system. See DC Power Supply in an EX8200 Switch and EX8208 Switch Configurations.

CAUTION: Mixing different types of power supplies (AC and DC) in the same chassis is not supported.


•


•

Connecting and Configuring an EX Series Switch (J-Web Procedure) on page 259

•


•


•


EX8216 Switch Hardware Overview Juniper Networks EX8216 Ethernet Switches provide high performance, scalable connectivity, and carrier-class reliability. The EX8216 switch is a half-rack, midplane architecture, modular Ethernet switch that is designed for ultra high-density environments such as campus aggregation, data center, or high performance core switching environments. EX8216 switches provide high-availability and redundancy for all major hardware components, including Routing Engine (RE) modules, Switch Fabric (SF) modules, fan trays (with redundant fans), and load-sharing 2000 W AC, 3000 W AC, and 3000 W DC power supplies.


69

®


You can form an EX8200 Virtual Chassis by connecting individual EX8200 switches to an XRE200 External Routing Engine. A Virtual Chassis is multiple switches connected together that operate as a single network entity. You can manage EX8216 switches using the same interfaces that you use for managing other devices running the Juniper Networks Junos operating system (Junos OS)—the command-line interface (CLI), the J-Web graphical interface, and the Network and Security Manager (NSM). •

Software on page 70

•

Chassis Physical Specifications, LCD Panel, and Midplane on page 70

•

Routing Engines and Switch Fabric on page 72

•


•


•


Software The Juniper Networks EX Series Ethernet Switches run Junos OS, which provides Layer 2 and Layer 3 switching, routing, and security services. The same Junos OS code base that runs on EX Series switches also runs on all Juniper Networks J Series, M Series, MX Series, and T Series routers and SRX Series devices.

Chassis Physical Specifications, LCD Panel, and Midplane EX8216 switches are designed to optimize rack space and cabling. The EX8216 switch is 21 rack units (21 U) in size (1/2 rack). Two EX8216 switches can fit in a standard 42 U rack. See Figure 13 on page 71 and Figure 14 on page 72 and Chassis Physical Specifications of an EX8216 Switch.

70



Figure 13: EX8216 Switch Front


71

®


Figure 14: EX8216 Switch Rear

The EX8216 switch has a chassis-level LCD panel that displays Routing Engine and switch fabric status as well as chassis components’ alarm information for rapid problem identification. The LCD panel provides a user-friendly interface for performing initial switch configuration, rolling back a configuration, or restoring the switch to the factory default configuration. See LCD Panel in an EX8200 Switch. The EX8216 chassis midplane distributes the data, control, and management signals to system components and distributes power throughout the system. See Midplane in an EX8216 Switch.

Routing Engines and Switch Fabric System management and system control functions of an EX8216 switch are performed by the Routing Engine (RE) module. An RE module contains a Routing Engine. The RE modules are hot-insertable and hot-removable field-replaceable units (FRUs) that are

72



installed in the front of the chassis in the slots labeled RE0 and RE1. A base configuration (AC version) EX8216 switch has one RE module. A redundant configuration (AC and DC versions) EX8216 switch has a second RE module for redundancy. See Routing Engine (RE) Module in an EX8216 Switch and EX8216 Switch Configurations. The Switch Fabric (SF) modules provide the switching functionality to an EX8216 switch. The SF modules are hot-insertable and hot-removable FRUs. All eight SF modules are installed in the rear of the chassis in the slots labeled SF7 through SF0. In an EX8216 switch, all eight SF modules are active and must be installed in the switch for normal operation. If a single SF module fails, the input/output traffic for that module is load-balanced among the remaining SF modules, providing graceful degradation in midplane performance. The impact of an SF module failure on the performance of an EX8216 switch varies based on the type of line cards installed in the switch and the traffic mix flowing through them. In an EX8216 switch configuration that is fully loaded with 8-port 10-Gigabit Ethernet SFP+ line cards, if one SF module fails, the remaining seven SF modules still have sufficient switching capacity to maintain continuous switch operation at full wire-rate performance. See Switch Fabric (SF) Modules in an EX8216 Switch. The EX8216 switch can also be connected to an XRE200 External Routing Engine. An XRE200 External Routing Engine is used to connect multiple EX8200 switches into a Virtual Chassis. See “XRE200 External Routing Engine Hardware Overview” on page 76.

Line Cards The EX8216 switch features 16 horizontal line card slots and supports wire-rate performance for all packet sizes for the installed line cards. The line cards in EX8200 switches combine a Packet Forwarding Engine and Ethernet interfaces on a single assembly. They are FRUs, and you can install them in the slots labeled 0 through 15 on the front of the switch chassis. All line cards are hot-insertable and hot-removable. Twelve line cards are available for EX8200 switches. The extra-scale line card models provide larger IPv4 and IPv6 route table sizes than the non-extra-scale models to store more unicast routes. Table 34 on page 73 shows the model numbers and descriptions of the line cards available for EX8200 switches.

Table 34: Line Cards Available for EX8200 Switches Model

Description


EX8200-8XS



EX8200-8XS-ES



EX8200-40XS



EX8200-40XS-ES



EX8200-2XS-40P

40-port PoE+ with 4-port SFP and 2-port SFP+ line card

EX8200-2XS-40P Line Card


73

®


Table 34: Line Cards Available for EX8200 Switches (continued) Model

Description


EX8200-2XS-40T

40-port RJ-45 with 4-port SFP and 2-port SFP+ line card

EX8200-2XS-40T Line Card

EX8200-48PL

48-port PoE+ 20 Gbps line card

EX8200-48PL Line Card

EX8200-48TL

48-port RJ-45 20 Gbps line card

EX8200-48TL Line Card

EX8200-48T



EX8200-48T-ES

48-port RJ-45 line card, extra-scale


EX8200-48F

48-port SFP line card


EX8200-48F-ES

48-port SFP line card, extra-scale


NOTE: We recommend that you do not install extra-scale line card models and non-extra-scale models in the same switch or Virtual Chassis. If you install extra-scale line cards in a switch or Virtual Chassis that has non-extra-scale models installed, the IPv4 and IPv6 route table sizes default to those of the non-extra-scale models and you will not get the benefit of the increased table sizes of the extra-scale models. You will experience these decreased route table sizes in a Virtual Chassis even when the non-extra-scale line cards are installed in one member switch and the extra-scale line cards are installed in another member switch.

Cooling System The cooling system in an EX8216 switch consists of two hot-insertable and hot-removable FRU fan trays. Each fan tray contains nine fans. Both fan trays install vertically on the left front of the chassis and provide side-to-side chassis cooling and front-to-side cooling. The top and bottom fan trays are identical and interchangeable. However, only the top fan tray cools the SF modules installed in the rear of the chassis. See Cooling System and Airflow in an EX8216 Switch.

Power Supplies Power supplies for the EX8216 switch are fully redundant, load-sharing, and hot-insertable and hot-removable FRUs. Each EX8216 switch chassis can hold up to six AC or DC power supplies. Table 35 on page 75 shows the details of the power supplies available for EX8216 switches.

74




Input Voltage

Output Power

2000 W AC


1200 W


2000 W


Not supported


3000 W

-40 VDC through -72VDC

3000 W

3000 W AC

3000 W DC

The redundant AC configuration ships with six AC power supplies to provide the capacity to power the system using N+1 or N+N power redundancy. See AC Power Supply in an EX8200 Switch and EX8216 Switch Configurations. The redundant DC configuration ships with four DC power supplies. The dual inputs of the DC supplies provide direct support for N+N power redundancy. The redundant configuration also provides sufficient capacity for N+1 redundancy in most configurations; if necessary, up to two additional DC supplies can be added to the system. See DC Power Supply in an EX8200 Switch and EX8216 Switch Configurations.

CAUTION: Mixing different types of power supplies (AC and DC) in the same chassis is not supported.


•


•

Slot Numbering for an EX8216 Switch

•


•


•


•



75

®


XRE200 External Routing Engine Hardware Overview The XRE200 External Routing Engine is used to create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop prevention protocols such as Spanning Tree Protocol (STP). You connect Virtual Chassis ports (VCPs) on an XRE200 External Routing Engine to the management (labeled MGMT) ports on the internal Routing Engines of EX8200 switches to form an EX8200 Virtual Chassis. The Virtual Chassis is formed automatically when these connections are established. See “Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis” on page 1547. An EX8200 Virtual Chassis supports up to two external Routing Engines and up to four EX8200 switches. A second XRE200 External Routing Engine can be added to the Virtual Chassis configuration to provide external Routing Engine redundancy. Juniper Networks EX8208 and EX8216 Ethernet Switches can be part of the same EX8200 Virtual Chassis. See “Understanding EX8200 Virtual Chassis Topologies” on page 1541. This topic describes: •

Software on page 76

•

Physical Specifications on page 77

•

Virtual Chassis Control Interface Modules on page 77

•

Hard Disk Drive Modules on page 78

•


•

Fan Modules on page 78

Software All devices in an EX8200 Virtual Chassis run the Juniper Networks Junos operating system (Junos OS). The same Junos OS code base that runs on the devices in the EX8200 Virtual Chassis also runs on many other Juniper products, including all EX Series switches, the Juniper Networks J Series, M Series, MX Series, and T Series routers, and SRX Series Services Gateways. In an EX8200 Virtual Chassis, most Routing Engine tasks for all switches in the Virtual Chassis run on the XRE200 External Routing Engine. The internal Routing Engines continue to be responsible for functions local to their own switches, such as environmental monitoring, system loading, and power management. The internal Routing Engines communicate with the external Routing Engine by using the Virtual Chassis Control Protocol (VCCP). You must configure all switches and external Routing Engines that will be part of the same EX8200 Virtual Chassis to run the same version of Junos OS before connecting

76



the devices into a Virtual Chassis. See “Configuring an EX8200 Virtual Chassis (CLI Procedure)” on page 1563. After you connect an EX8200 Virtual Chassis, all switches and external Routing Engines that are part of the Virtual Chassis should be upgraded simultaneously. See “Installing Software for All Devices in an EX8200 Virtual Chassis” on page 1571. An EX8200 Virtual Chassis supports a subset of the software features available for the EX8200 switch. For a list of software features available on an EX8200 Virtual Chassis, see EX Series Switch Software Features Overview.

Physical Specifications The XRE200 External Routing Engine is a 2 rack unit (2 U) Routing Engine. See Figure 15 on page 77.

g020950

Figure 15: XRE200 External Routing Engine

The XRE200 External Routing Engine has an LCD panel that provides hardware status information. The LCD panel displays a variety of information about the external Routing Engine and, if your external Routing Engine is running Junos OS Release 12.1 or later, provides menu options to perform basic operations such as initial configuration and external Routing Engine reboot. See LCD Panel in an XRE200 External Routing Engine.

Virtual Chassis Control Interface Modules The XRE200 External Routing Engine supports up to two Virtual Chassis Control Interface (VCCI) modules. Each VCCI module contains either four 10/100/1000BASE-T Gigabit Ethernet VCPs with RJ-45 connectors or four 1000BASE-X Gigabit Ethernet VCPs with small form-factor pluggable (SFP) connections. The RJ-45 VCPs connect to the management (MGMT) ports on the internal Routing Engines of the EX8200 member switches to form an EX8200 Virtual Chassis. The VCPs on the RJ-45 VCCI modules can also be used to connect external Routing Engines together to provide a connection between a master and a backup external Routing Engine. The SFP VCPs are used to connect two XRE200 External Routing Engines together over a long distance in the same EX8200 Virtual Chassis. You can use the SFP ports to connect XRE200 External Routing Engines over distances up to 43.5 miles (70 km). You can also use the SFP VCPs to connect an XRE200 External Routing Engine to an EX8200 switch within a Virtual Chassis only if an intermediary switch is used. The intermediary switch is required because the management (MGMT) port on the Routing Engine (RE) modules


77

®


or Switch Fabric and Routing Engine (SRE) modules of an EX8200 switch do not support SFP connections. See “Understanding Long-Distance Virtual Chassis Port Configuration for an EX8200 Virtual Chassis” on page 1554. VCCI modules are installed in the VCCI module slots on the XRE200 External Routing Engines. Both VCCI module slots support RJ-45 and SFP VCCI modules. RJ-45 and SFP VCCI modules can be installed simultaneously. In configurations using one RJ-45 and one SFP VCCI module, either VCCI module can be installed in either VCCI module slot. All XRE200 External Routing Engines are shipped with one preinstalled RJ-45 VCCI module. VCCI modules are field-replaceable units (FRUs). See Installing a VCCI Module in an XRE200 External Routing Engine.

Hard Disk Drive Modules The XRE200 External Routing Engine ships with two 160 GB hard disk drive (HDD) modules that provide storage for the EX8200 Virtual Chassis. The HDD modules provide a fully redundant storage system on the external Routing Engine; all directories and files saved on one HDD module are also saved on the other HDD module. The HDD modules are installed in the HDD module slots. HDD modules are hot-removable and hot-insertable FRUs. See Installing an HDD Module in an XRE200 External Routing Engine.

Power Supplies The XRE200 External Routing Engine ships with redundant AC or DC power supplies that provide power for the external Routing Engine. The power supply slots are located on the far right side of the rear panel of the external Routing Engine. AC and DC power supplies are hot-removable and hot-insertable FRUs. See Installing an AC or DC Power Supply in an XRE200 External Routing Engine.

Fan Modules The XRE200 External Routing Engine ships with two fan modules. The fan modules provide cooling to the system and are installed in the fan module slots on the rear panel of the XRE200 External Routing Engine. Fan modules are hot-removable and hot-insertable FRUs. See Installing a Fan Module in an XRE200 External Routing Engine. Related Documentation

78

•

XRE200 External Routing Engine Hardware Configurations

•

AC Power Supply in an XRE200 External Routing Engine

•

DC Power Supply in an XRE200 External Routing Engine

•

Hard Disk Drive (HDD) Module in an XRE200 External Routing Engine

•

Virtual Chassis Control Interface (VCCI) Modules in an XRE200 External Routing Engine


PART 2

Complete Software Configuration Statement Hierarchy •

Complete Software Configuration Statement Hierarchy on page 81


79

®


80


CHAPTER 3

Complete Software Configuration Statement Hierarchy •

[edit access] Configuration Statement Hierarchy on page 81

•

[edit chassis] Configuration Statement Hierarchy on page 82

•

[edit class-of-service] Configuration Statement Hierarchy on page 83

•

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 85

•

[edit firewall] Configuration Statement Hierarchy on page 88

•

[edit forwarding-options] Configuration Statement Hierarchy on page 89

•

[edit interfaces] Configuration Statement Hierarchy on page 90

•

[edit poe] Configuration Statement Hierarchy on page 95

•

[edit protocols] Configuration Statement Hierarchy on page 96

•

[edit routing-instances] Configuration Hierarchy on page 105

•

[edit snmp] Configuration Statement Hierarchy on page 105

•

[edit virtual-chassis] Configuration Statement Hierarchy on page 105

•

[edit vlans] Configuration Statement Hierarchy on page 106

[edit access] Configuration Statement Hierarchy access { profile profile-name { accounting { accounting-stop-on-access-deny; accounting-stop-on-failure; order [ radius | none ]; } authentication-order [ authentication-method ]; radius { accounting-server [ server-address ]; authentication-server [ server-address ]; } } }


•

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 3561


81

®


•

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 3637

[edit chassis] Configuration Statement Hierarchy chassis { aggregated-devices { ethernet (Aggregated Devices) { device-count number; } } auto-image-upgrade; fpc slot { pic pic-number { sfpplus { pic-modemode; } } power (off | on); power-budget-priority priority; } lcd-menu { fpc slot-number { menu-item (menu-name | menu-option) { disable; } } } nssu { upgrade-group group-name { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); member (NSSU Upgrade Groups) member-id { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); } } } psu { redundancy { n-plus-n (Power Management); } } redundancy { graceful-switchover; } }


82

•

Configuring Aggregated Ethernet Links (CLI Procedure) on page 1867

•

Upgrading Software Using Automatic Software Download on EX Series Switches on page 138

•

Configuring the LCD Panel on EX Series Switches (CLI Procedure) on page 262

•

Configuring Graceful Routing Engine Switchover in an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) on page 1445


Chapter 3: Complete Software Configuration Statement Hierarchy

•

Configuring Power Supply Redundancy (CLI Procedure) on page 1694

•

Configuring the Power Priority of Line Cards (CLI Procedure) on page 1695

•

Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade (CLI Procedure) on page 1692

[edit class-of-service] Configuration Statement Hierarchy class-of-service { classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) classifier-name { forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) loss-priority { code-points [aliases] [6 bit-patterns]; } } import (classifier-name | default); } } code-point-aliases { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) { alias-name bits; } } congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } forwarding-classes { class class-name queue-num queue-number priority ( high | low ); } interfaces { interface-name { congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } scheduler-map map-name; unit logical-unit-number { classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) (classifier-name | default); } forwarding-class class-name; } } } multi-destination {


83

®


family { ethernet (CoS for Multidestination Traffic) { broadcast forwarding-class-name; } inet (CoS) { classifiers { (dscp | dscp-ipv6 | inet-precedence) classifier-name; } } } scheduler-map map-name; } rewrite-rules { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) rewrite-name { forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) loss-priority code-point (alias | bits); } import (rewrite-name | default); } } scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers (CoS) { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map drop-profile profile-name; loss-priority (Classifiers and Rewrite Rules) loss-priority; priority (Schedulers) priority; protocol (Drop Profiles) protocol; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } }


84

•

Example: Configuring CoS on EX Series Switches on page 4455

•

Defining CoS Code-Point Aliases (CLI Procedure) on page 4486 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 4484

•

Defining CoS Classifiers (CLI Procedure) on page 4487 or Defining CoS Classifiers (J-Web Procedure) on page 4489

•

Defining CoS Forwarding Classes (CLI Procedure) on page 4491 or Defining CoS Forwarding Classes (J-Web Procedure) on page 4491

•

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 4499

•

Defining CoS Schedulers (CLI Procedure) on page 4493 or Defining CoS Schedulers (J-Web Procedure) on page 4494

•

Defining CoS Rewrite Rules (CLI Procedure) on page 4500 or Defining CoS Rewrite Rules (J-Web Procedure) on page 4501



•

Assigning CoS Components to Interfaces (CLI Procedure) on page 4503 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 4503

•

Configuring CoS Traffic Classification for Ingress Queuing on Oversubscribed Ports on EX8200 Line Cards (CLI Procedure) on page 4510

[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); } mac-notification { notification-interval seconds; } mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary;


85

®


} interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; }

86



} } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


•

Understanding Port Mirroring on EX Series Switches on page 5067

•


•

Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches on page 2422

•

Understanding Redundant Trunk Links on EX Series Switches on page 2089

•


•

Understanding 802.1X and VoIP on EX Series Switches on page 3554

•

Understanding Q-in-Q Tunneling on EX Series Switches on page 2091

•

Understanding Unknown Unicast Forwarding on EX Series Switches on page 4007

•

Understanding MAC Notification on EX Series Switches on page 2101

•

Understanding FIP Snooping on page 4687

•

Understanding Nonstop Bridging on EX Series Switches on page 1667

•

Understanding Persistent MAC Learning (Sticky MAC) on page 4070


87

®


[edit firewall] Configuration Statement Hierarchy firewall { family family-name { filter (Firewall Filters) filter-name { interface-specific; term term-name { from { match-conditions; } then (Firewall Filters) { action; action-modifiers; } } } } policer policer-name { filter-specific; if-exceeding { bandwidth-limit bps; burst-size-limit bytes; } then (Policer Action) { policer-action; } } } three-color-policer policer-name { action { loss-priority high then discard; } single-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; excess-burst-size bytes; } two-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; peak-information-rate bps; peak-burst-size bytes; } }


88

•

Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches on page 4356

•

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 4297

•

Configuring Firewall Filters (CLI Procedure) on page 4323



•

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 4335

•


[edit forwarding-options] Configuration Statement Hierarchy helpers { bootp { dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } interface interface-name { dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } source-address-giaddr; } source-address-giaddr; } }


•

Example: Setting Up DHCP Option 82 with a Switch as a Relay Agent Between Clients and a DHCP Server on page 4120

•

Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 4157

•

Understanding DHCP Option 82 for Port Security on EX Series Switches on page 4064

•

DHCP/BOOTP Relay for EX Series Switches Overview on page 659

•

For more information about the [edit forwarding-options] hierarchy and its options, see Junos OS Policy Framework Configuration Guide


89

®


[edit interfaces] Configuration Statement Hierarchy interfaces { aex { accounting-profile name; aggregated-ether-options { (flow-control | no-flow-control); lacp { (active | passive); admin-key key; periodic interval; system-id mac-address; } (link-protection | no-link-protection); link-speed speed; (loopback | no-loopback); minimum-links number; } description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } ge-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode;

90



(loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; media-type (Dual-Purpose Uplink Ports); mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } interface-range name { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; member interface-name; member-range starting-interface name to ending-interface name; mtu bytes;


91

®


no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } lo0 { accounting-profile name; description text; disable; hold-time up milliseconds down milliseconds; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); } } me0 { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number {

92



accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } vlan { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); } } traceoptions { file ; flag flag ; no-remote-trace; } vme { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...}


93

®


(traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } xe-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } }


94

•

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 1818

•




•

Configuring a Layer 3 Subinterface (CLI Procedure) on page 1875

•

Configuring Routed VLAN Interfaces (CLI Procedure) on page 2223

•

Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) on page 1440

•

EX Series Switches Interfaces Overview on page 1769

•

Junos OS Interfaces Fundamentals Configuration Guide

•

Junos OS Ethernet Interfaces Configuration Guide

[edit poe] Configuration Statement Hierarchy For switches other than EX6200 and EX8200 switches: poe { guard-band watts; interface (Power over Ethernet) (all | interface-name) { disable (Power over Ethernet); maximum-power (Interface) watts; priority (Power over Ethernet) (high | low); telemetries { disable (Power over Ethernet); duration hours; interval (Power over Ethernet) minutes; } } management (class | static); notification-control { fpc slot-number { disable (Power over Ethernet); } } }

For EX6200 and EX8200 switches: poe { fpc (all | slot-number) { guard-band watts; management (class | static); maximum-power watts; } interface (Power over Ethernet) (all | interface-name) { af-mode; disable (Power over Ethernet); maximum-power (Interface) watts; priority (Power over Ethernet) (high | low); telemetries { disable (Power over Ethernet); duration hours; interval (Power over Ethernet) minutes; } }


95

®


notification-control { fpc slot-number { disable (Power over Ethernet); } } }


•

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch on page 4621

•


•

Configuring PoE (CLI Procedure) on page 4635

•

Example: Configuring PoE on an EX6200 or EX8200 Switch on page 4626

[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; } } dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable; immediate-leave; interface (all | interface-name) {

96



multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send); } } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable;


97

®


immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions {

98



file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; disable;


99

®


disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number;

100



mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable; calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count; symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count;


101

®


symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number; ingress number;

102



} source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name; } } } traceoptions (Uplink Failure Detection) { file filename ; flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds;


103

®


interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }


104

•


•

Understanding Authentication on EX Series Switches on page 3540

•

Understanding Server Fail Fallback and Authentication on EX Series Switches on page 3549

•

IGMP Snooping on EX Series Switches Overview on page 3249

•

Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches on page 3552

•

Understanding MLD Snooping on EX Series Switches on page 3259

•

Understanding MSTP for EX Series Switches on page 2419

•

Understanding Multiple VLAN Registration Protocol (MVRP) on EX Series Switches on page 2094

•

Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch on page 5347

•

Understanding Ethernet OAM Link Fault Management for an EX Series Switch on page 5305

•

Understanding RSTP for EX Series Switches on page 2415

•

Understanding STP for EX Series Switches on page 2413

•

Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch on page 5131

•

Understanding VSTP for EX Series Switches on page 2425

•

Understanding Uplink Failure Detection on page 5431

•

Understanding Data Center Bridging Capability Exchange Protocol for EX Series Switches on page 4694



•

Understanding Ethernet Frame Delay Measurements on Switches on page 5348

[edit routing-instances] Configuration Hierarchy routing-instances routing-instance-name { instance-type virtual-router interface (Routing Instances) interface-name }


•

Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches on page 2170

•

Configuring Virtual Routing Instances (CLI Procedure) on page 2227

[edit snmp] Configuration Statement Hierarchy snmp { rmon { history index { bucket-size number; interface (SNMP RMON History) interface-name; interval seconds; owner owner-name; } } }


•

Configuring SNMP (J-Web Procedure) on page 5161

•


[edit virtual-chassis] Configuration Statement Hierarchy virtual-chassis { auto-sw-update { package-name package-name; } fast-failover (ge | vcp disable | xe); id id; mac-persistence-timer seconds; member member-id { location location; mastership-priority number; no-management-vlan; serial-number; role; } no-split-detection; preprovisioned; traceoptions (Virtual Chassis) { file filename ;


105

®


flag flag ; } }


•

Example: Configuring an EX4200 Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 1312

•

Example: Configuring an EX3300 Virtual Chassis with a Master and Backup on page 1397

•

Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure) on page 1408

•


[edit vlans] Configuration Statement Hierarchy vlans { vlan-name { description (VLANs) text-description; dot1q-tunneling (VLANs) { customer-vlans (id | native | range); layer2-protocol-tunneling all | protocol-name { drop-threshold number; shutdown-threshold number; } } filter (VLANs); input filter-name output filter-name } interface (VLANs) interface-name { egress; ingress (vlans); mapping (native (push | swap) | policy | tag (push | swap)); pvlan-trunk; } isolation-id id-number; l3-interface (VLANs) vlan.logical-interface-number; l3-interface-ingress-counting layer-3-interface-name; mac-limit (VLANs) limit action action; mac-table-aging-time seconds; no-local-switching; no-mac-learning (Q-in-Q VLANs); primary-vlan vlan-name; vlan-id (802.1Q Tagging) number; vlan-range vlan-id-low-vlan-id-high; } }


106

•

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch on page 2117

•

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches on page 2124

•

Example: Connecting an Access Switch to a Distribution Switch on page 2131

•

Example: Setting Up Q-in-Q Tunneling on EX Series Switches on page 2146



•

Example: Configuring Layer 2 Protocol Tunneling on EX Series Switches on page 2184

•

Creating a Private VLAN on a Single EX Series Switch (CLI Procedure) on page 2228

•



107

®


108


PART 3

Software Installation •

Software Installation Overview on page 111

•

Installing Junos OS on page 123

•

Registering the Switch, Booting the Switch, Upgrading Software, and Managing Licenses on page 135

•

Verifying Software Installation on page 143

•

Troubleshooting Software Installation on page 151

•

Configuration Statements for Software Installation on page 161

•

Operational Commands for Software Installation on page 165


109

®


110


CHAPTER 4

Software Installation Overview •

Installation Overview on page 111

•

Licenses Overview on page 117

Installation Overview •

Understanding Software Installation on EX Series Switches on page 111

•

Junos OS Package Names on page 113

•

Understanding System Snapshot on EX Series Switches on page 114

•

Understanding Resilient Dual-Root Partitions on Switches on page 115

Understanding Software Installation on EX Series Switches A Juniper Networks EX Series Ethernet Switch is delivered with the Juniper Networks Junos operating system (Junos OS) preinstalled. As new features and software fixes become available, you must upgrade your software to use them. You can also downgrade Junos OS to a previous release. This topic covers: •

Overview of the Software Installation Process on page 111

•

Software Package Security on page 112

•

Installing Software on a Virtual Chassis on page 112

•

Installing Software on Switches with Redundant Routing Engines on page 112

•

Installing Software Using Automatic Software Download on page 113

•


Overview of the Software Installation Process An EX Series switch is delivered with Junos OS preinstalled. When you connect power to the switch, it starts (boots) from the installed software. You upgrade Junos OS on an EX Series switch by copying a software package to your switch or another system on your local network, then use either the J-Web interface or the command-line interface (CLI) to install the new software package on the switch. Finally, you reboot the switch; it boots from the upgraded software. After a successful upgrade, you should back up the new current configuration to a secondary device.


111

®


During a successful upgrade, the upgrade package removes all files from /var/tmp and completely reinstalls the existing software. It retains configuration files, and similar information, such as secure shell and host keys, from the previous version. The previous software package is preserved in a separate disk partition, and you can manually revert back to it if necessary. If the software installation fails for any reason, such as loss of power during the installation process, the system returns to the originally active installation when you reboot.

Software Package Security All Junos OS releases are delivered in signed packages that contain digital signatures to ensure official Juniper Networks software. For more information about signed software packages, see the Junos OS Installation and Upgrade Guide.

Installing Software on a Virtual Chassis You can connect individual EX Series switches together to form one unit and manage the unit as a single device, called a Virtual Chassis. The Virtual Chassis operates as a single network entity composed of member switches. Each member switch in a Virtual Chassis must be running the same version of Junos OS. See EX Series Switch Software Features Overview for a list of switches that can be used in a Virtual Chassis. For ease of management, a Virtual Chassis provides flexible methods to upgrade software releases. You can deploy a new software release to all member switches of a Virtual Chassis or to only a particular member switch You can also upgrade the software on an EX4200, EX4500, mixed EX4200 and EX4500, and EX8200 Virtual Chassis using nonstop software upgrade (NSSU). NSSU takes advantage of graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) to ensure no disruption to the control plane during the upgrade. You can minimize disruption to network traffic by defining link aggregation groups (LAGs) such that the member links of each LAG reside on different line cards (on EX8200 Virtual Chassis) or on different members (on EX4200, EX4500, mixed EX4200 and EX4500 Virtual Chassis). During an NSSU, the line cards and Virtual Chassis members are upgraded one at a time, so that traffic continues to flow through the other line cards or members while that line card or member is being upgraded.

Installing Software on Switches with Redundant Routing Engines You can install software on a switch with redundant Routing Engines in one of two ways: •

Perform an NSSU—An NSSU upgrades both Routing Engines with a single command and with a minimum of network disruption. An NSSU takes advantage of GRES and NSR to ensure no disruption to the control plane. You can minimize disruption to network traffic by defining LAGs such that the member links of each LAG reside on different line cards. The line cards are upgraded one at a time, so that traffic continues to flow through the other line cards while a line card is being upgraded. You cannot use NSSU to downgrade the software running on a switch.

112


Chapter 4: Software Installation Overview

For more information about NSSU, see “Understanding Nonstop Software Upgrade on EX Series Switches” on page 1668. See EX Series Switch Software Features Overview for a list of switches that support NSSU. •

Upgrade each Routing Engine manually—You can perform a Junos OS installation on each Routing Engine separately, starting with the backup Routing Engine. You can use this procedure to downgrade the software running on a switch. See “Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure)” on page 126.

Installing Software Using Automatic Software Download The automatic software download feature uses the DHCP message exchange process to download and install software packages. Users can define a path to a software package on the DHCP server and then the DHCP server communicates this path to EX Series switches acting as DHCP clients as part of the DHCP message exchange process. The DHCP clients that have been configured for automatic software download receive these messages and, when the software package name in the DHCP server message is different from that of the software package that booted the DHCP client switch, download and install the software package. See “Upgrading Software Using Automatic Software Download on EX Series Switches” on page 138.

Troubleshooting Software Installation If Junos OS loads but the CLI is not working for any reason, or if the switch has no software installed, you can use the recovery installation procedure to install the software on the switch. See “Troubleshooting Software Installation” on page 151.

NOTE: You can also use this procedure to load two versions of Junos OS in separate partitions on the switch.


•

Downloading Software Packages from Juniper Networks on page 123

•

Installing Software on EX Series Switches (J-Web Procedure) on page 130

•

Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) on page 124

•

Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure) on page 126

•


Junos OS Package Names You upgrade the Juniper Networks Junos operating system (Junos OS) on a Juniper Networks EX Series Ethernet Switch by copying a software package to your switch or another system on your local network, then install the new software package on the switch. A software package name is in the following format:


113

®


package-name-m.nZx.y-domestic-signed.tgz

where: •

package-name is the name of the package—for example, jinstall-ex-4200.

•

m.n is the software release, with m representing the major release number and n

representing the minor release number—for example, 9.5. •

Z indicates the type of software release, where R indicates released software and B

indicates beta-level software. •

x.y represents the version of the major software release (x) and an internal tracking

number (y)—for example, 1.6. •

domestic-signed is appended to all EX Series package names. For most Junos packages, domestic is used for the United States and Canada and export for worldwide distribution.

However, for EX Series software, domestic is used for worldwide distribution as well. A sample EX Series software package name is: jinstall-ex-4200-9.5R1.6-domestic-signed.tgz


•


•


•


•


•


Understanding System Snapshot on EX Series Switches You can create copies of the software running a Juniper Networks EX Series Ethernet Switch using the system snapshot feature. The system snapshot feature takes a “snapshot” of the files currently used to run the switch—the complete contents of the /config and /var directories, which include the running Juniper Networks Juniper operating system (Junos OS), the active configuration, and the rescue configuration—and copies all of these files into an alternate (internal, meaning internal flash, or an external, meaning USB flash) memory source. You can then use this snapshot to boot the switch at the next bootup or as a backup boot option. You can only use snapshots to move files to external memory if the switch was booted from internal memory, or to move files to internal memory if the switch was booted from external memory. You cannot create a snapshot in the memory source that booted the switch even if the snapshot is being created on a different partition in the same memory source. Snapshots are particularly useful for moving files onto USB flash drives. You cannot use the copy command or any other file-moving technique to move files from an internal memory source to USB memory on the switch.

114



System snapshots on EX Series switches have the following limitations:


•

You cannot use snapshots to move files to any destination outside of the switch other than an installed external USB flash drive or to move files between switches that are members of the same virtual chassis.

•

Snapshot commands, like other virtual chassis commands, are always executed on a local switch. In cases where a different member switches of the same virtual chassis requests the snapshot, the snapshot command is pushed to the VC member creating the snapshot, executed, and the output is then returned to the switch that initiated the process. For instance, if the command to create an external snapshot on virtual chassis member 3 is entered from virtual chassis member 1, the snapshot of internal memory on virtual chassis member 3 is taken on external memory on virtual chassis member 3. The output of the process is seen from virtual chassis member 1. No files move between the switches.

•


•

Creating a Snapshot and Using It to Boot an EX Series Switch on page 137

Understanding Resilient Dual-Root Partitions on Switches Resilient dual-root partitioning, introduced on Juniper Networks EX Series Ethernet Switches in Junos operating system (Junos OS) Release 10.4R3, provides additional resiliency to switches in the following ways: •

Allows the switch to boot transparently from the second root partition if the system fails to boot from the primary root partition.

•

Provides separation of the root Junos OS file system from the /var file system. If corruption occurs in the /var file system (a higher probability than in the root file system due to the greater frequency in /var of reads and writes), the root file system is insulated from the corruption.

NOTE: For instructions on upgrading to release that supports resilient dual-root partitions from a release that does not, see the Release Notes. The procedure for upgrading to a resilient dual-root partition release is different from the normal upgrade procedure.

This topic covers: •

Resilient Dual-Root Partition Scheme (Junos OS Release 10.4R3 and Later) on page 116

•

Earlier Partition Scheme (Junos OS Release 10.4R2 and Earlier) on page 116

•

Understanding Upgrading or Downgrading Between Resilient Dual-Root Partition Releases and Earlier Releases on page 116


115

®


Resilient Dual-Root Partition Scheme (Junos OS Release 10.4R3 and Later) EX Series switches that ship with Junos OS Release 10.4R3 or later are configured with a root partition scheme that is optimized for resiliency, as shown in Table 36 on page 116.

Table 36: Resilient Dual-Root Partition Scheme Slice 1

Slice 2

Slice 3

s1a

s2a

s3e

s3d

s4d

/

/

/var

/var/tmp

/config

(root Junos OS )

(root Junos OS )

Slice 4

In the resilient dual-root partition scheme, the /var file system is contained in a separate slice from the root file systems, the /config directory is contained in its own slice, and switches ship from the factory with identical Junos OS images in slice 1 and slice 2. The /var file system, which has a greater frequency of reads and writes than the root file systems and is therefore more likely to have corruption issues, is isolated from the root directories and the /config directory. If the switch fails to boot, the system automatically boots from the alternate root partition. (If the switch fails to boot from the active root partition and instead boots from the alternate root partition, an alarm is triggered.)

Earlier Partition Scheme (Junos OS Release 10.4R2 and Earlier) The earlier partition scheme is shown in Table 37 on page 116.

Table 37: Earlier Partition Scheme Slice 2

Slice 1

Slice 3

s1a

s1f

s2a

s2f

s3d

s3e

/

/var

(empty until initial software upgrade)

(empty until initial software upgrade)

/var/tmp

/config

(root Junos OS)

This is the partitioning scheme for a switch shipped with Release 10.4R2 or earlier (or after you reformat the disk during a downgrade from Release 10.4R3 or later to Release 10.4R2 or earlier). In this partitioning scheme, the switch comes from the factory with only one Junos OS image installed in the root Junos OS partition of slice 1. The first time that you perform a software upgrade, the new Junos OS image is installed in slice 2. If the switch fails to boot, you must manually trigger it to boot from the alternate partition (rebooting from the alternate partition does not occur automatically).

Understanding Upgrading or Downgrading Between Resilient Dual-Root Partition Releases and Earlier Releases Upgrading from Release 10.4R2 or earlier to Release 10.4R3 or later differs from other upgrades in two important ways:

116



•

You must install a new loader software package in addition to installing the new Junos OS image.

•

Rebooting after the upgrade reformats the disk from three partitions to four partitions.

You can perform all operations for this special software upgrade from the CLI.

CAUTION: Back up any important log files because the /var/log files are not saved or restored during an upgrade from a nonresilient dual-root partition release to a release that supports resilient dual-root partitions. We recommend that you also save your /config files and any important log files to an external medium because if there is a power interruption during the upgrade process, they could be lost.


•

Resilient Dual-Root Partitions Frequently Asked Questions on page 155

•

Understanding Software Licenses for EX Series Switches on page 117

•

License Key Components for the EX Series Switch on page 121

Licenses Overview

Understanding Software Licenses for EX Series Switches To enable and use some of the Juniper Networks operating system (Junos OS) features, you must purchase, install, and manage separate software licenses. If the switch has the appropriate software license, you can configure and use these features. The Junos OS feature license (that is, the purchased authorization code) is universal. However, to conform to Junos OS feature licensing requirements, you must install a unique license key (a combination of the authorization code and the switch’s serial number) on each switch. For a Virtual Chassis deployment, two license keys are recommended for redundancy—one for the device in the master role and the other for the device in the backup role: •

In an EX8200 Virtual Chassis, the devices in the master and backup roles are always XRE200 External Routing Engines.

•

In all other Virtual Chassis, the devices in the master and backup roles are switches.

You do not need additional license keys for Virtual Chassis member switches that are in the linecard role or for the redundant Routing Engine (RE) modules or the redundant Switch Fabric and Routing Engine (SRE) modules in an EX8200 member switch. This topic describes: •

Purchasing a Software Feature License on page 118

•

Features Requiring a License on EX2200 Switches on page 118


117

®


•

Features Requiring a License on EX3200, EX4200, EX4500, EX6200, and EX8200 Switches on page 119

•

Features Requiring a License on EX3300 Switches on page 120

•

License Warning Messages on page 121

Purchasing a Software Feature License The following sections list features that require separate licenses on EX Series switches. To purchase a software license, contact your Juniper Networks sales representative (http://www.juniper.net/us/en/contact-us/sales-offices). You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.

NOTE: You are required to provide a 12-digit serial number when purchasing a license for an XRE200 External Routing Engine in an EX8200 Virtual Chassis. The serial number listed on the XRE200 External Routing Engine serial ID label is 16 digits long. Use the last 12 digits of the 16-digit serial number to purchase the license. You can use the show chassis hardware command output to display the 12-digit serial number of the XRE200 External Routing Engine to use when you purchase the license.

Features Requiring a License on EX2200 Switches For Juniper Networks EX2200 Ethernet Switches, the following features can be added to basic Junos OS by installing an enhanced feature license (EFL): •

Bidirectional forwarding detection (BFD)

•

Connectivity fault management (IEEE 802.1ag)

•

IGMP (Internet Group Management Protocol) version 1 (IGMPv1), IGMPv2, and IGMPv3

•

OSPFv1/v2 (with four active interfaces)

•

Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

•

Q-in-Q tunneling (IEEE 802.1ad)

•

Real-time performance monitoring (RPM)

Table 38 on page 118 lists the EFLs that you can purchase for EX2200 switch models. If you have the license, you can run all the enhanced software features on your switch.

Table 38: Junos OS EFL Part Number on EX2200 Switches

118

Switch Model

EFL Part Number

EX2200-C-12P-2G EX2200-C-12T-2G

EX-12-EFL



Table 38: Junos OS EFL Part Number on EX2200 Switches (continued) Switch Model

EFL Part Number

EX2200-24T-4G EX2200-24P-4G

EX-24-EFL

EX2200-48T-4G EX2200-48P-4G

EX-48-EFL

Features Requiring a License on EX3200, EX4200, EX4500, EX6200, and EX8200 Switches To use the following features on Juniper Networks EX3200, EX4200, EX4500, EX6200, and EX8200 Ethernet Switches, you must install an advanced feature license (AFL): •

Border Gateway Protocol (BGP) and multiprotocol BGP (MBGP)

•

Intermediate System-to-Intermediate System (IS-IS)

•

IPv6 protocols: OSPFv3, RIPng, IS-IS for IPv6, IPv6 BGP

•

MPLS with RSVP-based label-switched paths (LSPs) and MPLS-based circuit cross-connects (CCCs)

Table 39 on page 119 lists the AFLs that you can purchase for EX3200, EX4200, EX4500, EX6200, and EX8200 switches. If you have the license, you can run all the advanced software features on your switch.

Table 39: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX6200, and EX8200 Switches Switch Model

AFL Part Number

EX3200-24P EX3200-24T EX4200-24F EX4200-24P EX4200-24T

EX-24-AFL

EX3200-48P EX3200-48T EX4200-48F EX4200-48P EX4200-48T

EX-48-AFL

EX4500-40F-BF EX4500-40F-BF-C EX4500-40F-FB EX4500-40F-FB-C

EX-48-AFL

EX6210

EX6210-AFL

EX8208

EX8208-AFL


119

®


Table 39: Junos OS AFL Part Number on EX3200, EX4200, EX4500, EX6200, and EX8200 Switches (continued) Switch Model

AFL Part Number

EX8216

EX8216-AFL

Features Requiring a License on EX3300 Switches Two types of licenses are available on Juniper Networks EX3300 Ethernet Switches: advanced feature licenses (AFLs) and enhanced feature licenses (EFLs). To use the following feature on EX3300 switches, you must install an AFL: •

Border Gateway Protocol (BGP)

Table 40 on page 120 lists the AFLs that you can purchase for EX3300 switch models. If you have the license, you can run BGP on your switch.

Table 40: Junos OS AFL Part Number on EX3300 Switches Switch Model

AFL Part Number

EX3300-24T EX3300-24P EX3300-24T-DC

EX-24-AFL

EX3300-48T EX3300-48T-BF EX3300-48P

EX-48-AFL

To use the following features on the EX3300 switches, you must install an EFL: •

Bidirectional forwarding detection (BFD)

•

IGMP (Internet Group Management Protocol) version 1 (IGMPv1) and IGMPv2

•

OSPFv1/v2 (with four active interfaces)

•

Protocol Independent Multicast (PIM) dense mode, PIM source-specific mode, PIM sparse mode

•

Q-in-Q tunneling (IEEE 802.1ad)

Table 41 on page 120 lists the EFLs that you can purchase for EX3300 switch models. If you have the license, you can run all the above-mentioned enhanced software features on your switch.

Table 41: Junos OS EFL Part Number on EX3300 Switches

120

Switch Model

EFL Part Number

EX3300-24T EX3300-24P EX3300-24T-DC

EX-24-EFL



Table 41: Junos OS EFL Part Number on EX3300 Switches (continued) Switch Model

EFL Part Number

EX3300-48T EX3300-48T-BF EX3300-48P

EX-48-EFL

License Warning Messages For using features that require a license, you must install and configure a license key. To obtain a license key, use the contact information provided in your certificate. If you have not purchased the AFL or EFL and installed the license key, you receive warnings when you try to commit the configuration: [edit protocols] 'bgp' warning: requires 'bgp' license error: commit failed: (statements constraint check failed)

The system generates system log (syslog) alarm messages notifying you that the feature requires a license—for example: Sep 3 05:59:11 craftd[806]: Minor alarm set, BGP Routing Protocol usage requires a license Sep 3 05:59:11 alarmd[805]: Alarm set: License color=YELLOW, class=CHASSIS, reason=BGP Routing Protocol usage requires a license Sep 3 05:59:11 alarmd[805]: LICENSE_EXPIRED: License for feature bgp(47) expired

Output of the show system alarms command displays the active alarms: user@switch> show system alarms 1 alarm currently active Alarm time Class 2009-09-03 06:00:11 UTC Minor


Description BGP Routing Protocol usage requires a license

•

Managing Licenses for the EX Series Switch (CLI Procedure) on page 139

•

Managing Licenses for the EX Series Switch (J-Web Procedure) on page 140

•

Monitoring Licenses for the EX Series Switch on page 148

•

License Key Components for the EX Series Switch on page 121

•


License Key Components for the EX Series Switch When you purchase a license for a Junos OS feature that requires a separate license, you receive a license key. A license key consists of two parts: •

License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.

•

License data—Block of binary data that defines and stores all license key objects.


121

®


For example, in the following typical license key, the string Junos204558 is the license ID, and the trailing block of data is the license data: Junos204558 aeaqea qmijhd amrqha ztfmbu gqzama uqceds ra32zr lsevik ftvjed o4jy5u fynzzj mgviyl kgioyf ardb5g sj7wnt rsfked wbjf5a sg

The license data defines the device ID for which the license is valid and the version of the license. Related Documentation

122

•


•


•



CHAPTER 5

Installing Junos OS •


•


•


•


•

Rebooting or Halting the EX Series Switch (J-Web Procedure) on page 132

Downloading Software Packages from Juniper Networks You can download Junos OS packages from the Juniper Networks website to upgrade software on your EX Series switch. Before you begin to download software upgrades, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://www.juniper.net/registration/Register.jsp. To download software upgrades from Juniper Networks: 1.

Using a Web browser, follow the links to the download URL on the Juniper Networks webpage. For EX Series, there are not separate software packages for Canada the U.S. and other locations. Therefore, select Canada and U.S. Version regardless of your location: •

https://www.juniper.net/support/csc/swdist-domestic/

2. Log in to the Juniper Networks authentication system using the username (generally

your e-mail address) and password supplied by Juniper Networks representatives. 3. Using the J-Web interface or the CLI, select the appropriate software package for your

application. See “Junos OS Package Names” on page 113. 4. Download the software to a local host or to an internal software distribution site.


•


•



123

®


•


Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure) You can use this procedure to upgrade Junos OS on a single routing engine in any EX Series switch, including all switches that do not support redundant Routing Engines. You can also use this procedure to upgrade software on all EX Series Virtual Chassis, with the exception of the EX8200 Virtual Chassis. This procedure can be used to upgrade the following switches or Virtual Chassis: •

EX2200 switch

•

EX3200 switch

•

EX3300 switch

•

EX4200 switch

•

EX4500 switch

•

EX6200 switch (single Routing Engine upgrade only)

•

EX8200 switch (single Routing Engine upgrade only)

•

All Virtual Chassis except EX8200 Virtual Chassis

To upgrade software on an EX6200 or EX8200 switch running two Routing Engines, see “Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure)” on page 126 or “Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure)” on page 1697. To upgrade software on an EX8200 Virtual Chassis, see “Installing Software for All Devices in an EX8200 Virtual Chassis” on page 1571. To install software upgrades on a switch with a single Routing Engine: 1.

Download the software package as described in “Downloading Software Packages from Juniper Networks” on page 123.

2. (Optional) Back up the current software configuration to a second storage option.

See the Junos OS Installation and Upgrade Guide for instructions on performing this task. 3. (Optional) Copy the software package to the switch. We recommend that you use

FTP to copy the file to the /var/tmp directory. This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios. 4. Install the new package on the switch:

user@switch> request system software add package

Replace package with one of the following paths: •

124

For a software package in a local directory on the switch—/var/tmp/package.tgz.


Chapter 5: Installing Junos OS

•

For a software package on a remote server: •

ftp://hostname/pathname/package.tgz

•

http://hostname/pathname/package.tgz

where package.tgz is, for example, jinstall-ex-4200-9.4R1.8-domestic-signed.tgz. Include the optional member option to install the software package on only one member of an EX4200 Virtual Chassis: user@switch> request system software add source member member-id reboot

Other members of the Virtual Chassis are not affected. To install the software on all members of the Virtual Chassis, do not include the member option.

NOTE: To abort the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, jinstall-ex-4200-10.2R1.8-domestic-signed.tgz. This is your last chance to stop the installation.

5. Reboot to start the new software:

user@switch> request system reboot 6. After the reboot has completed, log in and verify that the new version of the software

is properly installed: user@switch> show version 7. To ensure that the resilient dual-root partitions feature operates correctly, execute

the following command to copy the new Junos OS image into the alternate root partition: user@switch> request system snapshot slice alternate

To update the alternate root partitions on all members of a Virtual Chassis, use this command: user@switch> request system snapshot slice alternate all-members

Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition. Related Documentation

•


•


•


•



125

®


Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure) For an EX6200 switch or an EX8200 switch with redundant Routing Engines, you can minimize disruption to network operation during a Junos OS upgrade by upgrading the Routing Engines separately, starting with the backup Routing Engine.

NOTE: If your EX8200 switch is running Junos OS Release 10.4R3 or later, you can upgrade the software packages on both Routing Engines with a single command and with minimal network disruption by using nonstop software upgrade (NSSU) instead of this procedure. See “Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure)” on page 1697.

WARNING: If graceful routing engine switchover (GRES) or nonstop active routing (NSR) is enabled when you initiate a software installation, the software does not install properly. Make sure you disable GRES before you begin the software installation by using the deactivate chassis redundancy graceful-switchover command in configuration mode. If GRES is enabled, it will be removed with the redundancy command. By default, NSR is disabled. If NSR is enabled, remove the nonstop-routing statement from the [edit routing-options] hierarchy level to disable it.

To upgrade the software package on an EX6200 switch or an EX8200 switch with one installed Routing Engine, see “Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure)” on page 124. To upgrade redundant Routing Engines, you first install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine. After making sure that the new software version is running correctly on the backup Routing Engine, you switch device control to the backup Routing Engine. Finally, you install the new software on the new backup Routing Engine. To upgrade Junos OS on the switch, perform the following tasks: 1.

Preparing the Switch for the Software Installation on page 127

2. Installing Software on the Backup Routing Engine on page 128 3. Installing Software on the Default Master Routing Engine on page 128 4. Returning Routing Control to the Default Master Routing Engine (Optional) on page 130

126



Preparing the Switch for the Software Installation Perform the following steps before installing the software: 1.

Log in to the master Routing Engine’s console. For information on logging in to the Routing Engine through the console port, see “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257.

2. Enter the Junos OS CLI configuration mode: a. Start the CLI from the shell prompt:

user@switch:RE% cli

You will see: {master} user@switch> b. Enter configuration mode:

user@switch> configure

You will see: {master}[edit] user@switch# 3. Disable nonstop active routing (NSR) (supported on switches running Junos OS

Release 10.4 or later): {master}[edit] user@switch# delete routing-options nonstop-routing 4. Disable graceful Routing Engine switchover (GRES):

{master}[edit] user@switch# deactivate chassis redundancy graceful-switchover 5. Save the configuration change on both Routing Engines:

{master}[edit] user@switch# commit synchronize

NOTE: To ensure the most recent configuration changes are committed before the software upgrade, perform this step even if nonstop active routing and graceful Routing Engine switchover were previously disabled.

6. Exit the CLI configuration mode:

[edit] user@switch# exit 7. (Optional) Back up the current software configuration to a second storage option.

See the Junos OS Installation and Upgrade Guide for instructions on performing this task.


127

®


Installing Software on the Backup Routing Engine After you have prepared the switch for software installation, install the software on the backup Routing Engine. During the installation, the master Routing Engine continues operations, minimizing the disruption to network traffic. 1.

Download the software by following the procedures in “Downloading Software Packages from Juniper Networks” on page 123.

2. Copy the software package to the switch. We recommend that you use FTP to copy

the file to the /var/tmp directory. 3. Log in to the console of the backup Routing Engine. 4. Install the new software package:

user@switch> request system software add /var/tmp/package.tgz

where package.tgz is, for example, jinstall-ex-8200-10.2R1.8-domestic-signed.tgz.

NOTE: To abort the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, jinstall-ex-8200-10.2R1.8-domestic-signed.tgz. This is your last chance to stop the installation.

5. Reboot to start the new software:

user@switch> request system reboot Reboot the system? [yes, no] (no) yes

NOTE: You must reboot the switch to load the new installation of the Junos OS.

6. After the reboot has completed, log in and verify the new version of the software is

properly installed: user@switch> show version

Installing Software on the Default Master Routing Engine To transfer control to the backup Routing Engine and then upgrade or downgrade the master Routing Engine software: 1.

Log in to the master Routing Engine console port.

2. Transfer control to the backup Routing Engine:

128



CAUTION: Because graceful Routing Engine switchover is disabled, this switchover causes all line cards in the switch to reload. All network traffic passing through these line cards is lost during the line card reloads.

user@switch> request chassis routing-engine master switch 3. Verify that the default backup Routing Engine (shown as slot 1 in the command output)

is now the master Routing Engine: user@switch> show chassis routing-engine

You will see: Routing Engine status: Slot 0: Current state Election priority Routing Engine status: Slot 1: Current state Election priority

Backup Master (default)

Master Backup (default)

4. Install the new software package:

user@switch> request system software add package.tgz 5. Reboot the Routing Engine:

user@switch> request system reboot Reboot the system? [yes, no] (no) yes

When the reboot completes, the prompt will reappear. Wait for this prompt to reappear before proceeding to the next step. 6. Log in to the default backup Routing Engine (slot 1) through the console port. 7. Re-enable graceful Routing Engine switchover:

[edit] user@switch# activate chassis redundancy graceful-switchover

Re-enabling graceful Routing Engine switchover allows any future Routing Engine switchovers to occur without loss of any network traffic. 8. Re-enable nonstop active routing:

[edit] user@switch# set routing-options nonstop-routing

NOTE: Automatic commit synchronization is a requirement for nonstop active routing. If you have not yet enabled it, do so with the set system commit synchronize command.

9. Save the configuration change:

[edit] user@switch# commit synchronize


129

®


10. To ensure that the resilient dual-root partitions feature operates correctly, execute

the following command to copy the new Junos OS image into the alternate root partition on each Routing Engine: user@switch> request system snapshot slice alternate routing-engine both

Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition. If you want to return routing control to the Routing Engine that was the master Routing Engine at the beginning of the procedure (the default master Routing Engine), perform the next task.

Returning Routing Control to the Default Master Routing Engine (Optional) The switch can maintain normal operations with the Routing Engine in slot 1 acting as the master Routing Engine after the software upgrade, so only perform this task if you want to return routing control to the default master Routing Engine in slot 0. 1.

Transfer routing control back to the default master Routing Engine: user@switch> request chassis routing-engine master switch

2. Verify that the default master Routing Engine (slot 0) is indeed the master Routing

Engine: user@switch> show chassis routing-engine

You will see: Routing Engine status: Slot 0: Current state Election priority Routing Engine status: Slot 1: Current state Election priority


Master Master (default)

Backup Backup (default)

•


•

Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure) on page 1697

•


•


•


Installing Software on EX Series Switches (J-Web Procedure) You can upgrade software packages on a single fixed-configuration switch, on an individual member of a Virtual Chassis, or for all members of a Virtual Chassis.

130



You can use the J-Web interface to install software upgrades from a server using FTP or HTTP, or by copying the file to the EX Series switch. This topic describes: 1.

Installing Software Upgrades from a Server on page 131

2. Installing Software Upgrades by Uploading Files on page 131

Installing Software Upgrades from a Server To install software upgrades from a remote server by using FTP or HTTP: 1.

Download the software package as described in “Downloading Software Packages from Juniper Networks” on page 123.

2. Log in to the Juniper Networks authentication system using the username (generally

your e-mail address) and password supplied by Juniper Networks representatives. 3. In the J-Web interface, select Maintain > Software > Install Package. 4. On the Install Remote page, enter information into the fields described in Table 42

on page 131. 5. Click Fetch and Install Package. The software is activated after the switch has

rebooted.

Table 42: Install Remote Summary Field

Function

Your Action

Package Location (required)

Specifies the FTP or HTTP server, file path, and software package name.

Type the full address of the software package location on the FTP or HTTP server—one of the following: ftp://hostname/pathname/package-name http://hostname/pathname/package-name

User

Specifies the username, if the server requires one.

Type the username.

Password

Specifies the password, if the server requires one.

Type the password.

Reboot If Required

If this box is checked, the switching platform is automatically rebooted when the upgrade is complete.

Check the box if you want the switching platform to reboot automatically when the upgrade is complete.

Installing Software Upgrades by Uploading Files To install software upgrades by uploading files: 1.

Download the software package.

2. In the J-Web interface, select Maintain>Software>Upload Package.


131

®


3. On the Upload Package page, enter information into the fields described in Table 43

on page 132. 4. Click Upload and Install Package. The software is activated after the switching

platform has rebooted.

Table 43: Upload Package Summary Field

Function

Your Action

File to Upload (required)

Specifies the location of the software package.

Type the location of the software package, or click Browse to navigate to the location.

Reboot If Required

Specifies that the switching platform is automatically rebooted when the upgrade is complete.

Select the check box if you want the switching platform to reboot automatically when the upgrade is complete.


•


•


•


Rebooting or Halting the EX Series Switch (J-Web Procedure) You can use the J-Web interface to schedule a reboot or to halt the switching platform. To reboot or halt the switching platform by using the J-Web interface: 1.

In the J-Web interface, select Maintain > Reboot.

2. Select one: •

Reboot Immediately—Reboots the switching platform immediately.

•

Reboot in number of minutes—Reboots the switch in the number of minutes from now that you specify.

•

Reboot when the system time is hour:minute —Reboots the switch at the absolute time that you specify, on the current day. You must select a 2-digit hour in 24-hour format and a 2-digit minute.

•

Halt Immediately— Stops the switching platform software immediately. After the switching platform software has stopped, you can access the switching platform through the console port only.

3. (Optional) In the Message box, type a message to be displayed to any users on the

switching platform before the reboot occurs. 4. Click Schedule. The J-Web interface requests confirmation to perform the reboot or

halt. 5. Click OK to confirm the operation.

132




•

•

If the reboot is scheduled to occur immediately, the switch reboots. You cannot access the J-Web interface until the switch has restarted and the boot sequence is complete. After the reboot is complete, refresh the browser window to display the J-Web interface login page.

•

If the reboot is scheduled to occur in the future, the Reboot page displays the time until reboot. You have the option to cancel the request by clicking Cancel Reboot on the J-Web interface Reboot page.

•

If the switch is halted, all software processes stop and you can access the switching platform through the console port only. Reboot the switch by pressing any key on the keyboard.

Starting the J-Web Interface on page 230


133

®


134


CHAPTER 6

Registering the Switch, Booting the Switch, Upgrading Software, and Managing Licenses •

Registering the Switch on page 135

•

Booting the Switch on page 135

•

Upgrading Software on page 138

•

Managing Licenses on page 139

Registering the Switch •

Registering the EX Series Switch with the J-Web Interface on page 135

Registering the EX Series Switch with the J-Web Interface You can register your EX Series switch with the J-Web interface so that you can request technical assistance as and when required. To register an EX Series switch: 1.

In the J-Web interface, select Maintain > Customer Support > Product Registration. Note the serial number that is displayed.

2. Click Register. Enter the serial number in the page that is displayed.


•


•

Booting an EX Series Switch Using a Software Package Stored on a USB Flash Drive on page 136

•


Booting the Switch


135

®


Booting an EX Series Switch Using a Software Package Stored on a USB Flash Drive There are two methods of getting Junos OS onto a USB flash drive before using the software to boot the switch. You can pre-install the software onto the USB flash drive before inserting the USB flash drive into the USB port, or you can use the system snapshot feature to copy files from internal switch memory to the USB flash drive. To move files into USB flash memory using a system snapshot and use those files to boot the switch, see “Creating a Snapshot and Using It to Boot an EX Series Switch” on page 137. We recommend that you use this method to boot the switch from a USB flash drive if your switch is running properly. If you need to pre-install the software onto the USB flash drive, you can use the method described in this topic. Pre-installing the Junos OS onto a USB flash drive to boot the switch can be done at any time and is particularly useful when the switch boots to the loader prompt because the switch cannot locate the Junos OS in internal flash memory. Ensure that you have the following tools and parts available to boot the switch from a USB flash drive: •

A USB flash drive that meets the EX Series switch USB port specifications. See USB Port Specifications for an EX Series Switch.

•

A computer or other device that you can use to download the software package from the Internet and copy it to the USB flash drive.

To download a Junos OS package onto a USB flash drive before inserting the USB flash drive: 1.

Download the Junos OS package that you would like to place onto the EX Series switch from the Internet onto the USB flash drive using your computer or other device. See “Downloading Software Packages from Juniper Networks” on page 123.

2. Remove the USB flash drive from the computer or other device. 3. Insert the USB flash drive into the USB port on the switch. 4. This step can only be performed when the prompt for the loader script (loader>) is

displayed. The loader script starts when the Junos OS loads but the CLI is not working for any reason or if the switch has no software installed. Install the software package onto the switch: loader> install source

where source represents the name and location of the Junos OS package on the USB flash drive. The Junos OS package on a flash drive is commonly stored in the root drive as the only file—for example, file:///jinstall-ex-4200-9.4R1.5-domestic-signed.tgz.


136

•


•



Chapter 6: Registering the Switch, Booting the Switch, Upgrading Software, and Managing Licenses

•

See Rear Panel of an EX3200 Switch for USB port location.

•

See Rear Panel of an EX4200 Switch for USB port location.

•

See Switch Fabric and Routing Engine (SRE) Module in an EX8208 Switch for USB port location.

•

See Routing Engine (RE) Module in an EX8216 Switch for USB port location.

•


Creating a Snapshot and Using It to Boot an EX Series Switch The system snapshot feature takes a “snapshot” of the files currently used to run the EX Series switch—the complete contents of the /config and /var directories, which include the running Juniper Networks Junos OS, the active configuration, and the rescue configuration—and copies all of these files into an alternate (internal, meaning internal flash, or an external, meaning USB flash) memory source. You can then use these snapshots to boot the switch at the next bootup or as a backup boot option. This topic includes the following tasks: •

Creating a Snapshot on a USB Flash Drive and Using It to Boot the Switch on page 137

•

Creating a Snapshot on an Internal Flash Drive and Using it to Boot the Switch on page 138

Creating a Snapshot on a USB Flash Drive and Using It to Boot the Switch A snapshot can be created on USB flash memory after a switch is booted using files stored in internal memory. Ensure that you have the following tools and parts available before creating a snapshot on a USB Flash drive: •

A USB flash drive that meets the EX Series switch USB port specifications. See USB Port Specifications for an EX Series Switch.

To create a snapshot on USB flash memory and use it to boot the switch: 1.

Place the snapshot into USB flash memory: user@switch> request system snapshot partition media external slice 1

NOTE: This example uses the partition option. If you have already created a partition for the snapshot, you don’t need to use the partition option.

2. (Optional) Perform this step if you want to boot the switch now using the snapshot

stored on the USB flash drive. If you created the snapshot as a backup, do not perform this step. •

To reboot the switch using the most recently created snapshot: user@switch> request system reboot media external


137

®


•

To reboot the switch using a snapshot in a specific partition on the USB flash drive: user@switch> request system reboot media external slice 1

Creating a Snapshot on an Internal Flash Drive and Using it to Boot the Switch A snapshot can be created on internal memory after a switch is booted using files stored in external memory. To create a snapshot in internal memory and use it to boot the switch: 1.

Place the snapshot files in internal memory: user@switch> request system snapshot parition media internal slice 1

NOTE: This example uses the partition option. If you have already created a partition for the snapshot, you don’t need to use the partition option.

2. (Optional) Perform this step if you want to boot the switch now using the newly

created snapshot. If you created the snapshot as a backup, do not perform this step. •

To reboot the switch using the most recently created snapshot: user@switch> request system reboot media internal

•

To reboot the switch using a snapshot in a specific partition in internal memory: user@switch> request system reboot media internal slice 1


•

Verifying That a System Snapshot Was Created on an EX Series Switch on page 144

•

Understanding System Snapshot on EX Series Switches on page 114

Upgrading Software •


Upgrading Software Using Automatic Software Download on EX Series Switches The automatic software download feature uses the DHCP message exchange process to download and install software packages. You configure the automatic software download feature on EX Series switches acting as DHCP clients. You must enable automatic software download on the EX Series switch before the software upgrade can occur. You configure a path to a software package file on the DHCP server. The server communicates the path to the software package file through DHCP server messages. If you enable automatic software download, the DHCP client EX Series switch compares the software package name in the DHCP server message to the name of the software package that booted the switch. If the software packages are different, the DHCP client

138



EX Series switch downloads and installs the software package specified in the DHCP server message. Before you upgrade software using automatic software download, ensure that you have configured DHCP services for the switch, including configuring a path to a boot server and a boot file. See the Junos OS System Basics Configuration Guide for information about using the CLI to configure DHCP services and settings. See “Configuring DHCP Services (J-Web Procedure)” on page 665 for information about using the J-Web interface to configure DHCP services and settings. To enable automatic software download on an EX Series switch acting as a DHCP client: [edit chassis] user@switch# set auto-image-upgrade

Once automatic software download is enabled on your DHCP client EX Series switch and once DHCP services are enabled on your network, an automatic software download can occur at any time as part of the DHCP message exchange process. If an automatic software download occurs, you see the following message on the switch: Auto-image upgrade started On successful installation system will reboot automatically

The switch reboots automatically to complete the upgrade. Related Documentation

•

Verifying That Automatic Software Download Is Working Correctly on page 143

•


•

Understanding DHCP Services for EX Series Switches on page 655

•


•


Managing Licenses

Managing Licenses for the EX Series Switch (CLI Procedure) To enable and use some Junos OS features on an EX Series switch, you must purchase, install, and manage separate software licenses. Each switch requires one license. For a Virtual Chassis deployment, two licenses are recommended for redundancy. After you have configured the features, you see a warning message if the switch does not have a license for the feature. Before you begin managing licenses, be sure that you have: •

Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.


139

®


•

Understand what makes up a license key. For more information, see “License Key Components for the EX Series Switch” on page 121.

This topic includes the following tasks: •

Adding New Licenses on page 140

•

Deleting Licenses on page 140

•

Saving License Keys on page 140

Adding New Licenses To add one or more new license keys on the switch, with the CLI: 1.

Add the license key or keys: •

To add one or more license keys from a file or URL, specify the filename of the file or the URL where the key is located: user@switch> request system license add filename | url

•

To add a license key from the terminal: user@switch> request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank

line. If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+d to exit the license entry mode.

Deleting Licenses To delete one or more license keys from the switch with the CLI, specify the license ID: user@switch> request system license delete license-id

You can delete only one license at a time.

Saving License Keys To save the installed license keys to a file (which can be a URL) or to the terminal: user@switch> request system license save filename | url

For example, the following command saves the installed license keys to a file named license.conf: user@switch> request system license save ftp://user@switch/license.conf


•


•


•


Managing Licenses for the EX Series Switch (J-Web Procedure) To enable and use some Junos OS features on an EX Series switch, you must purchase, install, and manage separate software licenses. Each switch requires one license. For a

140



Virtual Chassis deployment, two licenses are recommended for redundancy. After you have configured the features, you see a warning message if the switch does not have a license for the feature. Before you begin managing licenses, be sure that you have: •

Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.

•

Understand what makes up a license key. For more information, see “License Key Components for the EX Series Switch” on page 121.


Adding New Licenses on page 141

•

Deleting Licenses on page 141

•

Displaying License Keys on page 141

•

Downloading Licenses on page 142

Adding New Licenses To add one or more new license keys on the switch, with the J-Web license manager: 1.

In the J-Web interface, select Maintain > Licenses.

2. Under Installed Licenses, click Add to add a new license key or keys. 3. Do one of the following, using a blank line to separate multiple license keys: •

In the License File URL box, type the full URL to the destination file containing the license key or keys to be added.

•

In the License Key Text box, paste the license key text, in plain-text format, for the license to be added.

4. Click OK to add the license key or keys.

A list of features that use the license key is displayed. The table also lists the ID, state, and version of the license key.

Deleting Licenses To delete one or more license keys from a switch with the J-Web license manager: 1.


2. Select the check box of the license or licenses you want to delete. 3. Click Delete.

Displaying License Keys To display the license keys installed on a switch with the J-Web license manager: 1.



141

®


2. Under Installed Licenses, click Display Keys to display all the license keys installed

on the switch. A screen displaying the license keys in text format appears. Multiple licenses are separated by a blank line.

Downloading Licenses To download the license keys installed on the switch with the J-Web license manager: 1.


2. Under Installed Licenses, click Download Keys to download all the license keys

installed on the switch to a single file. 3. Select Save it to disk and specify the file to which the license keys are to be written.

You can also download the license file to your system. Related Documentation

142

•


•


•



CHAPTER 7

Verifying Software Installation •

Routine Monitoring on page 143

•

Monitoring Licenses on page 148

•

Verifying That Automatic Software Download Is Working Correctly on page 143

•

Verifying That a System Snapshot Was Created on an EX Series Switch on page 144

•

Verifying Junos OS and Boot Loader Software Versions on an EX Series Switch on page 144

Routine Monitoring

Verifying That Automatic Software Download Is Working Correctly Purpose Action

Verify that the automatic software download feature is working correctly. Use the show system services dhcp client interface-name command to verify that the automatic software download feature has been used to install a software package. user@switch> show system services dhcp client ge-0/0/1.0 Logical Interface Name ge-0/0/1.0 Hardware address 00:0a:12:00:12:12 Client Status bound Vendor Identifier ether Server Address 10.1.1.1 Address obtained 10.1.1.89 Lease Obtained at 2009-08-20 18:13:04 PST Lease Expires at 2009-08-22 18:13:04 PST DHCP Options : Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ] Name: server-identifier, Value: 10.1.1.1 Name: router, Value: [ 10.1.1.80 ] Name: boot-image, Value: jinstall-ex-4200-9.6R1.5-domestic-signed.tgz Name: boot-image-location, Value: 10.1.1.25:/bootfiles/

Meaning

The output from this command shows the name and location of the software package under DHCP options when automatic software download was last used to install a software package. The sample output in DHCP options shows that the last DHCP server


143

®


message to arrive on the DHCP client had a boot server address of 192.168.1.165 and a boot file named jinstall-ex-4200-9.6R1.5-domestic-signed.tgz. If automatic software download was enabled on this client switch during the last DHCP message exchange, these values were used by the switch to upgrade the software.


•


•


Verifying That a System Snapshot Was Created on an EX Series Switch Purpose Action

Verify that a system snapshot was created with the proper files on an EX Series switch. View the snapshot: user@switch> show system snapshot media external Information for snapshot on external (da1s1) Creation date: Oct 1320:23:23 2009 Junos version on snapshot: jbase : 10.0I20090726_0011_user jcrypto-ex: 10.0I20090726_0011_user jdocs-ex: 10.0I20090726_0011_user jkernel-ex: 10.0I20090726_0011_user jroute-ex: 10.0I20090726_0011_user jswitch-ex: 10.0I20090726_0011_user jweb-ex: 10.0I20090726_0011_user jpfe-ex42x: 10.0I20090726_0011_user

Meaning

The output shows the date and time when the snapshot was created and the packages that are part of the snapshot. The date and time match the time when you created the snapshot. You can compare the output of this command to the output of the show system software command to ensure that the snapshot contains the same packages as the software currently running the switch.


•


Verifying Junos OS and Boot Loader Software Versions on an EX Series Switch Before or after upgrading or downgrading Junos OS, you might need to verify the Junos OS version. You might also need to verify the boot loader software version if you are upgrading to or downgrading from a release that supports resilient dual-root partitions (Junos OS Release 10.4R3 and later). This topic includes:

144

•

Verifying the Number of Partitions and File System Mountings on page 145

•

Verifying the Loader Software Version on page 146


Chapter 7: Verifying Software Installation

•

Verifying Which Root Partition Is Active on page 146

•

Verifying the Junos OS Version in Each Root Partition on page 147

Verifying the Number of Partitions and File System Mountings Purpose

Action

Between Junos OS Release 10.4R2 and Release 10.4R3, upgrades were made to further increase resiliency of root partitions, which required reformatting the disk from three partitions to four partitions. If your switch is running Release 10.4R2 or earlier, it has three partitions, and if it is running Release 10.4R3 or later, it has four partitions. Verify how many partitions the disk has, as well as where each file system is mounted, by using the following command: user@switch> show system storage fpc0: ----------------------------------------------------------------------Filesystem Size Used Avail Capacity Mounted on /dev/da0s1a 184M 124M 45M 73% / devfs 1.0K 1.0K 0B 100% /dev /dev/md0 37M 37M 0B 100% /packages/mnt/jbase /dev/md1 18M 18M 0B 100% /packages/mnt/jcrypto-ex-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md2 6.1M 6.1M 0B 100% /packages/mnt/jdocs-ex-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md3 154M 154M 0B 100% /packages/mnt/jkernel-ex-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md4 23M 23M 0B 100% /packages/mnt/jpfe-ex42x-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md5 46M 46M 0B 100% /packages/mnt/jroute-ex-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md6 28M 28M 0B 100% /packages/mnt/jswitch-ex-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md7 22M 22M 0B 100% /packages/mnt/jweb-ex-10.4I20110121_0509_hbRPSRLI15184421081 /dev/md8 126M 10.0K 116M 0% /tmp /dev/da0s3e 123M 632K 112M 1% /var /dev/da0s3d 369M 20K 339M 0% /var/tmp /dev/da0s4d 62M 62K 57M 0% /config /dev/md9 118M 12M 96M 11% /var/rundb procfs 4.0K 4.0K 0B 100% /proc /var/jail/etc 123M 632K 112M 1% /packages/mnt/jweb-ex-10.4I20110121_0509_hbRPSRLI15184421081/jail/var/etc /var/jail/run 123M 632K 112M 1% /packages/mnt/jweb-ex-10.4I20110121_0509_hbRPSRLI15184421081/jail/var/run /var/jail/tmp 123M 632K 112M 1% /packages/mnt/jweb-ex-10.4I20110121_0509_hbRPSRLI15184421081/jail/var/tmp /var/tmp 369M 20K 339M 0% /packages/mnt/jweb-ex-10.4I20110121_0509_hbRPSRLI15184421081/jail/var/tmp/uploads devfs 1.0K 1.0K 0B 100% /packages/mnt/jweb-ex-10.4I20110121_0509_hbRPSRLI15184421081/jail/dev

Meaning

The presence of the partition name containing s4d indicates the fourth slice. If this were a three-slice partition scheme, in place of s1a, s3e, s3d, and s4d, you would see s1a, s1f, s2a, s2f, s3d, and s3e and you would not see s4d.


145

®


Verifying the Loader Software Version Purpose

Action

For the special case of upgrading from Junos OS Release 10.4R2 or earlier to Release 10.4R3 or later, you must upgrade the loader software. For EX Series switches, except EX8200 switches: user@switch> show chassis firmware Part Type FPC 0 uboot loader

Version U-Boot 1.1.6 (Jan

3 2011 - 16:14:58) 1.0.0

FreeBSD/PowerPC U-Boot bootstrap loader 2.4

For EX8200 switches: user@switch> show chassis firmware Part Type FPC 0 uboot loader

Meaning

Version U-Boot 1.1.6 (Jan

3 2011 - 16:14:58) 3.5.0

FreeBSD/PowerPC U-Boot bootstrap loader 2.4

For EX Series switches, other than EX8200 switches, with Junos OS Release 10.4R3 or later installed: •

If there is version information following the timestamp for U-Boot (1.0.0 in the preceding example), then the loader software does not require upgrading.

•

If there is no version number following the timestamp for U-boot, then the loader software requires upgrading.

NOTE: If the software version is Release 10.4R2 or earlier, no version number is displayed following the timestamp for U-boot, regardless of the loader software version installed. If you do not know whether you have installed the new loader software, you should upgrade the loader software when you upgrade the software version.

For EX8200 switches, if the version number following the timestamp for U-Boot is earlier than 3.5.0, you must upgrade the loader software when you upgrade the software version.

Verifying Which Root Partition Is Active Purpose

Switches running Release 10.4R3 or later have resilient dual-root partition functionality, which includes the ability to boot transparently from the inactive partition if the system fails to boot from the primary root partition. You can verify which root partition is active using the following command:

Action

146

user@switch> show system storage partitions fpc0: -------------------------------------------------------------------------Boot Media: internal (da0)



Active Partition: da0s1a Backup Partition: da0s2a

Currently booted from: active (da0s1a) Partitions information: Partition Size Mountpoint s1a 184M / s2a 184M altroot s3d 369M /var/tmp s3e 123M /var s4d 62M /config s4e unused (backup config)

Verifying the Junos OS Version in Each Root Partition Purpose

Action

Each switch contains two root partitions. We recommend that you copy the same Junos OS version in each partition when you upgrade. In Junos OS Release 10.4R2 and earlier, you might choose to have different Junos OS release versions in each partition. You might have different versions during a software upgrade and before you have finished verifying the new software installation. To enable a smooth reboot if corruption is found in the primary root file system, ensure that the identical Junos OS images are in each root partition. For Release 10.4R2 and earlier, you must manually reboot the switch from the backup root partition. However, for Release 10.4R3 and later, the switch reboots automatically from the backup root partition if it fails to reboot from the active partition. Verify whether both root partitions contain the same image by using the following commands: user@switch> show system snapshot media internal slice 1 Information for snapshot on internal (da0s1) Creation date: Jan 21 05:48:34 2011 JUNOS version on snapshot: jbase : 10.4I20110121_0509_hbRPSRLI15184421081 jcrypto-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jdocs-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jkernel-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jroute-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jswitch-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jweb-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jpfe-ex42x: 10.4I20110121_0509_hbRPSRLI15184421081 user@switch# run show system snapshot media internal slice 2 Information for snapshot on internal (da0s2) Creation date: Jan 21 05:47:54 2011 JUNOS version on snapshot: jbase : 10.4I20110121_0509_hbRPSRLI15184421081 jcrypto-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jdocs-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jkernel-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jroute-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jswitch-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jweb-ex: 10.4I20110121_0509_hbRPSRLI15184421081 jpfe-ex42x: 10.4I20110121_0509_hbRPSRLI15184421081


•



147

®


•

Troubleshooting a Switch That Has Booted from the Backup Junos OS Image on page 154

•


•


Monitoring Licenses •


Monitoring Licenses for the EX Series Switch To enable and use some Junos OS features on the EX Series switch, you must purchase, install, and manage the appropriate software licenses. Each switch requires one license. For a Virtual Chassis deployment, two licenses are recommended for redundancy. To monitor your installed licenses, perform the following tasks: •

Displaying Installed Licenses and License Usage Details on page 148

•

Displaying Installed License Keys on page 149

Displaying Installed Licenses and License Usage Details Purpose

Verify that the expected license is installed and active on the switch and fully covers the switch configuration.

Action

From the CLI, enter the show system license command. (To display only the License usage list, enter the show system license usage command. To display only the Licenses installed output, enter show system license installed.) user@switch> show system license License usage: Licenses

Licenses

Licenses

used

installed

needed

bgp

1

1

0

permanent

isis

0

1

0

permanent

ospf3

0

1

0

permanent

ripng

0

1

0

permanent

mpls

0

1

0

permanent

Feature name

Expiry

Licenses installed: License identifier: JUNOS204558 License version: 2

148



Valid for device: BN0208380000 Features: ex—series - Licensed routing protocols in ex-series permanent

Meaning

The output shows the license or licenses (for Virtual Chassis deployments) installed on the switch and license usage. Verify the following information: •

If a feature that requires a license is configured (used), a license is installed on the switch. The Licenses needed column must show that no licenses are required.

•

The appropriate number of licenses is installed. Each switch requires one license. For a Virtual Chassis deployment, two licenses are recommended for redundancy.

•

The expected license is installed.

Displaying Installed License Keys Purpose Action

Verify that the expected license keys are installed on the switch. From the CLI, enter the show system license keys command. user@switch> show system license keys JUNOS204558 aeaqea qmijhd amrqha ztfmbu gqzama uqceds ra32zr lsevik ftvjed o4jy5u fynzzj mgviyl kgioyf ardb5g sj7wnf rsdked wbjf5a sg

Meaning


The output shows the license key or keys (for Virtual Chassis deployments) installed on the switch. Verify that each expected license key is present.

•


•


•



149

®


150


CHAPTER 8

Troubleshooting Software Installation •


•


•


Troubleshooting Software Installation This topic describes troubleshooting issues with software installations on EX Series switches. •

Recovering from a Failed Software Upgrade on an EX Series Switch on page 151

•

Rebooting from the Inactive Partition on page 152

•

Freeing Disk Space for Software Installation on page 153

•

Installation from the Boot Loader Generates ’cannot open package’ Error on page 153

Recovering from a Failed Software Upgrade on an EX Series Switch Problem

If Junos OS loads but the CLI is not working, or if the switch has no software installed, use this recovery installation procedure to install Junos OS.

Solution

If there is already a Junos OS image on the system, you can either install the new Junos OS package in a separate partition and have both Junos OS images remain on the system, or you can wipe the disk clean before the new installation proceeds. If there is no Junos OS image on the system, follow the instructions in “Booting an EX Series Switch Using a Software Package Stored on a USB Flash Drive” on page 136 to get an image on the system and boot the switch. To perform a recovery installation: 1.

Power on the switch. The loader script starts. After the message Loading /boot/defaults/loader.conf displays, you are prompted with: Hit [Enter] to boot immediately, or space bar for command prompt.

2. Press the space bar to enter the manual loader. The loader> prompt displays. 3. Enter the following command:


151

®


loader> install [– –format] [– –external] source

where: •

format—Use this option to wipe the installation media before installing the software

package. If you do not include this option, the system installs the new Junos OS package in a different partition from the partition used by the most recently installed Junos OS package. •

external—Use this option to install the software package on an external medium.

•

source—Represents the name and location of the Junos OS package either on a

server on the network or as a file on the USB flash drive: •

Network address of the server and the path on the server; for example, tftp://192.17.1.28/junos/jinstall-ex-4200-9.4R1.5-domestic-signed.tgz

•

The Junos OS package on a USB device is commonly stored in the root drive as the only file; for example, file:///jinstall-ex-4200-9.4R1.5-domestic-signed.tgz

The boot process proceeds as normal and ends with a login prompt.

Rebooting from the Inactive Partition Problem

EX Series switches shipped with Junos OS Release 10.4R2 or earlier have Junos OS loaded on the system disk in partition 1. The first time you upgrade, the new software package is installed in partition 2. When you finish the installation and reboot, partition 2 becomes the active partition. Similarly, subsequent software packages are installed in the inactive partition, which becomes the active partition when you reboot at the end of the installation process. On switches shipped with Release 10.4R3 and later, the same Junos OS image is loaded in each of the two root partitions, and you should copy the new software image to the alternate partition each time you upgrade. If you performed an upgrade and rebooted, the system resets the active partition. You can use this procedure to manually boot from the inactive partition.

NOTE: If you have completed the installation of the software image but have not yet rebooted, issue the request system software rollback command to return to the original software installation package.

Solution

Reboot from the inactive partition: user@switch> request system reboot slice alternate

152


Chapter 8: Troubleshooting Software Installation

NOTE: If you cannot access the CLI, you can reboot from the inactive partition using the following procedure from the loader script prompt: 1.

Unload and clear the interrupted boot from the active partition: loader> unload loader> unset vfs.root.mountfrom

2. Select the new (inactive) partition to boot from:

loader> set currdev=diskxsy:

where x is either 0 (internal) or 1 (external) and the y indicates the number of the inactive partition, either 1 or 2. You must include the colon (:) at the end of this command. 3. Boot Junos OS from the inactive partition:

loader> boot

Freeing Disk Space for Software Installation Problem

The software installation process requires a certain amount of unused disk space. If there is not enough space, you might receive an error message such as: fetch: /var/tmp/incoming-package.tgz: No space left on device

Solution

Identify and delete unnecessary files by using the request system storage cleanup command.

Installation from the Boot Loader Generates ’cannot open package’ Error Problem

When installing a Junos OS software image from the loader prompt, a “cannot open package error” is generated: loader> install - -format tftp://10.204.33.248/images/Flash_corr/official/jinstall-ex-4200-10.4I2011012-domestic-signed.tgz Speed: 1000, full duplex bootp: no reply No response for RARP request net_open: RARP failed cannot open package (error 5)

Solution

This might be due to the IP address, gateway IP address, netmask address, or server IP address not being properly set. You can set these values either from the shell or from the u-boot prompt. To set these values from the shell: % % % %

nvram setenv ipaddr 10.204.35.235 nvram setenv netmask 255.255.240.0 nvram setenv gatewayip 10.204.47.254 nvram setenv serverip 10.204.33.248


153

®


To set these values from the u-boot prompt, log in to a console connection, reboot, and stop at the u-boot prompt (Cntrl+c): => setenv ipaddr 10.204.35.235 => setenv gatewayip 10.204.47.254 => setenv serverip 10.204.33.248 => setenv netmask 255.255.240.0 => saveenv => printenv Verify whether variables are set properly or not => boot


•

Upgrading EX Series Switches to Support Resilient Dual-Root Partitions

•


•


•


•


•

show system storage partitions (EX Series Switches Only) on page 217

Troubleshooting a Switch That Has Booted from the Backup Junos OS Image Problem

The switch boots from the backup root file partition. This event is flagged in two ways: •

Upon login through the console or management port, the following warning message is displayed: WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE It is possible that the primary copy of JUNOS failed to boot up properly, and so this device has booted from the backup copy. Please re-install JUNOS to recover the primary copy in case it has been corrupted.

•

The following alarm message is generated: user@switch> show chassis alarms 1 alarms currently active Alarm time Class Description 2011-02-17 05:48:49 PST Minor Host 0 Boot from backup root

If the switch is in a Virtual Chassis, the switch member number appears in the Description field, where the switch is called a host. Solution

Install a new Junos OS image on the partition that had the corruption, or take a snapshot (request system snapshot) of the currently active partition and use it to replace the image in the alternate partition: If the switch is a standalone switch or a Virtual Chassis master switch, enter this command: user@switch> request system snapshot slice alternate

154



If the switch is a Virtual Chassis member switch (not the master), enter this command on the Virtual Chassis: user@switch> request system snapshot slice alternate member member-id

where member-id is the switch Virtual Chassis member ID number.


•


•


•

show system storage partitions (EX Series Switches Only) on page 217

Resilient Dual-Root Partitions Frequently Asked Questions This FAQ addresses questions regarding resilient dual-root partitions on EX Series switches and upgrading to resilient dual-root partition releases. This feature was introduced on EX Series switches at Junos OS Release 10.4R3. It provides additional resiliency for EX Series switches. This FAQ covers the following questions: •

How Does Upgrading to Junos OS Release 10.4R3 and Later Differ from Normal Upgrades? on page 155

•

What Happens If I Do Not Upgrade Both the Loader Software and Junos OS at the Same Time? on page 156

•

Can I Downgrade Junos OS Without Downgrading the Loader Software? on page 157

•

Can I Upgrade to a Resilient Dual-Root Partition Release by Using the CLI? on page 157

•

Will I Lose My Configuration During an Upgrade? on page 157

•

How Long Will the Upgrade Process Take? on page 157

•

What Happens to My Files If the System Detects a File System Corruption? on page 158

•

How Will I Be Informed If My Switch Boots from the Alternate Slice Due to Corruption in the Root File System? on page 158

•

Can I Use Automatic Software Update and Download to Upgrade to a Resilient Dual-Root Partition Release? on page 158

•

Why Is the Message "At least one package installed on this device has limited support" Displayed When Users Log In to a Switch? on page 159

•

Where Can I Find Instructions for Upgrading? on page 159

How Does Upgrading to Junos OS Release 10.4R3 and Later Differ from Normal Upgrades? Upgrading from Junos OS Release 10.4R2 or earlier to Release 10.4R3 or later differs from other upgrades in these ways: •

You must upgrade the loader software in addition to installing the new Junos OS image.

•

Rebooting after the upgrade reformats the disk from three partitions to four partitions.


155

®


•

The upgrade process and the reboot take longer due to the additional time required to upgrade the loader software and additional time for the first reboot after the Junos OS installation (longer than normal because it reformats the disk from three partitions to four). Also, EX8200 switches require an additional reboot per Routing Engine as part of the loader software upgrade.

What Happens If I Do Not Upgrade Both the Loader Software and Junos OS at the Same Time? You must install a new loader software package if you are upgrading to a release that supports resilient dual-root partitions (Release 10.4R3 and later) from an earlier release (Release 10.4R2 and earlier). If you upgrade to Release 10.4R3 or later from Release 10.4R2 or earlier and do not upgrade the loader software, the switch will come up and function normally. However, if the switch encounters a problem and cannot boot from the active root partition, it cannot transparently boot up from the alternate root partition and you will need to perform a manual reboot.

Table 44: Combinations of Junos OS Versions and Loader Software Versions Junos OS Release

Loader Software

Notes

Release 10.4R3 and later

New loader software

Recommended

For all EX Series switches except EX8200 switches: U-Boot 1.1.6 (Mar 11 2011 - 04:39:06) 1.0.0

(Contains version 1.0.0 after the timestamp.) For EX8200 switches: U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) 3.5.0

(Contains version 3.5.0.) Release 10.4R2 and earlier

Old loader software

If you downgrade to Release 10.4R2 or earlier after having upgraded to the new loader software version, you do not need to downgrade the loader software. The switch will function normally.

Release 10.4R3 and later

Old loader software

The switch will come up and function normally. However, in the event that the switch cannot boot from the active root partition, it will not transparently boot up from the alternate root partition.

For all EX Series switches except EX8200 switches: U-Boot 1.1.6 (Jan 11 2008 - 05:24:35)

(Does not contain a version number after the timestamp) For EX8200 switches: U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) 2.3.0

(Contains a version earlier than 3.5.0.) Release 10.4R2 and earlier

New loader software

The switch will come up and function normally.

NOTE: For EX Series switches except EX8200 switches, in Release 10.4R2 and earlier the version number after the timestamp (shown in the previous row) is not displayed, and you cannot verify whether the old or the new loader software version is installed.

156



Can I Downgrade Junos OS Without Downgrading the Loader Software? Yes, when you downgrade from most releases, the new loader software runs seamlessly with the earlier Junos OS version.

NOTE: If you downgrade specifically from Release 10.4R3 or Release 11.1R1 to nonresilient dual-root partition release (10.4R2 or earlier), you must disable the boot-sequencing function. If you do not take this action, the switch will boot on each subsequent reboot from the alternate root partition rather than from the active partition. Disable the boot-sequencing function in one of two ways: •

From the shell as the root user: % nvram setenv boot.btsq.disable 1

•

From a console connection, reboot and stop at the u-boot prompt (Ctrl+c): => setenv boot.btsq.disable 1 => savenv

If you are downgrading from Release 10.4R4 or from Release 11.1R2 or later to Release 10.4R2 or earlier, you do not need to disable the boot-sequencing function—the software does it automatically.

Can I Upgrade to a Resilient Dual-Root Partition Release by Using the CLI? Yes, you can perform the entire upgrade to resilient dual-root partitions from the CLI. You download both the new loader software and Junos OS packages and install them from the CLI. During the final reboot, the disk is automatically reformatted from three partitions to four partitions.

Will I Lose My Configuration During an Upgrade? Configuration files are preserved and restored during the reformatting of the disk. We recommend that you save your configuration before upgrading because if there is a power interruption during the installation process, files might be lost.

How Long Will the Upgrade Process Take? The process of upgrading to a resilient dual-root partition release takes longer than other upgrades due to the additional step of upgrading the loader software and a longer reboot time while the disk is reformatted to four partitions during the reboot of the switch that completes the Junos OS upgrade. The reformat increases the reboot time for EX2200, EX3200, EX4200, and EX4500 switches by 5 to 10 minutes. For EX8200 switches, the reboot time increases by 10 to 25 minutes per Routing Engine, and additional reboots are required.


157

®


What Happens to My Files If the System Detects a File System Corruption? During a reboot, the system checks each file system partition for corruption. Table 45 on page 158 shows the action the system takes if corruption is detected and the corrective action that you can take.

Table 45: Actions If Corrupt Files Are Found Slice 1

Slice 2

Slice 3

s1a

s2a

s3e

s3d

s4d

/

/

/var

/var/tmp

/config

(root Junos OS)

(root Junos OS)

Slice 4

If a root directory (/) is corrupted, the corrupted file system is not mounted and the switch boots from the alternate slice.

During early boot, the integrity of /var, /var/tmp, and /config files is verified. If they are corrupted, the corrupted slice is reformatted and the file directory in that slice is lost.

Corrective action: Issue a request system snapshot command from the good root directory to the corrupted slice.

Corrective action: Restore the /var or /config files from the external backup.

How Will I Be Informed If My Switch Boots from the Alternate Slice Due to Corruption in the Root File System? If the switch detects corruption in the primary root file system, it boots from the alternate root partition. When this occurs, you are notified in two ways: •

If you are logged in through the console port or the management port: WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE It is possible that the primary copy of JUNOS failed to boot up properly, and so this device has booted from the backup copy. Please re-install JUNOS to recover the primary copy in case it has been corrupted.

•

The following alarm message is displayed when you issue show chassis alarms: user@switch> show chassis alarms 1 alarms currently active Alarm time Class Description 2011-02-17 05:48:49 PST Minor Host 0 Boot from backup root

Can I Use Automatic Software Update and Download to Upgrade to a Resilient Dual-Root Partition Release? Automatic software update and automatic software download are both supported with upgrading to resilient dual-root partition releases. However, after an automatic installation, you must take the extra step of upgrading the loader software.

158



Automatic software update is for new members added to a Virtual Chassis that do not have the same software as the master. Once this feature is configured on the Virtual Chassis, any new member added with a different software version will be upgraded automatically. Automatic software download uses the DHCP message exchange process to download and install software packages.

Why Is the Message "At least one package installed on this device has limited support" Displayed When Users Log In to a Switch? The following message might be displayed when a user logs in: Logging to master ..Password: --- JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC At least one package installed on this device has limited support. Run 'file show /etc/notices/unsupported.txt' for details.

This message can be safely ignored or you can permanently remove it. It appears because the jloader package file has been detected, and it only appears when Junos OS is installed before the loader software is upgraded (required only for EX8200 switches). You can permanently remove this message by removing the jloader package and rebooting the system: user@switch> request system software delete jloader-ex-zzzz user@switch> request system reboot

Where jloader-ex-zzzz represents the name of the jloader software package for your platform—jloader-ex2200 for an EX2200 switch, jloader-ex3242 for an EX3200 or EX4200 switch, or jloader-ex8200 for an EX8200 switch.

Where Can I Find Instructions for Upgrading? The procedure for upgrading to a release that supports resilient dual-root partitions (from a release that does not) is different from the normal upgrade procedure. For instructions on upgrading to a resilient dual-root partition release, see the Release Notes. Related Documentation

•


•


•


•



159

®


160


CHAPTER 9

Configuration Statements for Software Installation •


[edit chassis] Configuration Statement Hierarchy chassis { aggregated-devices { ethernet (Aggregated Devices) { device-count number; } } auto-image-upgrade; fpc slot { pic pic-number { sfpplus { pic-modemode; } } power (off | on); power-budget-priority priority; } lcd-menu { fpc slot-number { menu-item (menu-name | menu-option) { disable; } } } nssu { upgrade-group group-name { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); member (NSSU Upgrade Groups) member-id { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); } } } psu { redundancy { n-plus-n (Power Management); }


161

®


} redundancy { graceful-switchover; } }


162

•


•


•


•


•


•


•



Chapter 9: Configuration Statements for Software Installation

auto-image-upgrade Syntax Hierarchy Level Release Information Description

auto-image-upgrade; [edit chassis]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Enable automatic software download on an EX Series switch acting as a DHCP client. The DHCP client EX Series switch compares the software package name in the DHCP server message to the name of the software package that booted the switch. If the software packages are different, the DHCP client EX Series switch downloads and installs the software package specified in the DHCP server message. Before you upgrade software using automatic software download, ensure that you have configured DHCP services for the switch, including configuring a path to a boot server and a boot file. See the Junos OS System Basics Configuration Guide for information about using the CLI to configure DHCP services and settings. See “Configuring DHCP Services (J-Web Procedure)” on page 665 for information about using the J-Web interface to configure DHCP services and settings.

Default Required Privilege Level Related Documentation

Automatic software download is disabled. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•



163

®


164


CHAPTER 10

Operational Commands for Software Installation


165

®


request system license add Syntax Release Information

Description Options

request system license add (filename | terminal)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Add a license key. filename—License key from a file or URL. Specify the filename or the URL where the key

is located. terminal—License key from the terminal.

Required Privilege Level Related Documentation List of Sample Output Output Fields

maintenance

•

Adding New Licenses (CLI Procedure)

request system license add on page 166 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system license add

166

user@host> request system license add terminal


Chapter 10: Operational Commands for Software Installation

request system license delete Syntax

request system license delete license-id

Syntax (QFX Series)

request system license delete license-identifier

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description Options

Delete a license key. You can delete only one license at a time. license-id—License ID that uniquely identifies a license key. license-identification—(QFX Series) License ID that uniquely identifies a license key.


maintenance

•

Deleting a License (CLI Procedure)

request system license delete on page 167 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system license delete

user@host> request system license delete G03000002223


167

®


request system license save Syntax Release Information

Description Options

request system license save (filename | terminal)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Save installed license keys to a file or URL. filename—License key from a file or URL. Specify the filename or the URL where the key

is located. terminal—License key from the terminal.


maintenance

•

Saving License Keys

request system license save on page 168 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system license save

168

user@host> request system license save ftp://user@host/license.conf



request system reboot Syntax

request system reboot

Syntax (EX Series Switches)


Syntax (TX Matrix Router)


Syntax (TX Matrix Plus Router)

Syntax (MX Series Router)

Release Information

Description

request system reboot request system reboot

Command introduced before Junos OS Release 7.4. other-routing-engine option added in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Reboot the software.


169

®


Options

none—Reboot the software immediately. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

reboot all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, reboot all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

reboot all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, reboot all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Reboot the

software on all members of the Virtual Chassis configuration. at time—(Optional) Time at which to reboot the software, specified in one of the following

ways: •

now—Stop or reboot the software immediately. This is the default.

•

+minutes—Number of minutes from now to reboot the software.

•

yymmddhhmm—Absolute time at which to reboot the software, specified as year,

month, day, hour, and minute. •

hh:mm—Absolute time on the current day at which to stop the software, specified

in 24-hour time. in minutes—(Optional) Number of minutes from now to reboot the software. This option

is an alias for the at +minutes option. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

the number of a T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, the number of a T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Reboot the software

on the local Virtual Chassis member. media (compact-flash | disk | removable-compact-flash | usb)—(Optional) Boot medium

for next boot. (The options removable-compact-flash and usb pertain to the J Series routers only.) media (external | internal)—(EX Series switches and MX Series routers only) (Optional)

Reboot the boot media: •

external—Reboot the external mass storage device.

•

internal—Reboot the internal flash device.

member member-id—(EX4200 switches and MX Series routers only) (Optional) Reboot

the software on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1.

170



message "text"—(Optional) Message to display to all system users before stopping or

rebooting the software. other-routing-engine—(Optional) Reboot the other Routing Engine from which the

command is issued. For example, if you issue the command from the master Routing Engine, the backup Routing Engine is rebooted. Similarly, if you issue the command from the backup Routing Engine, the master Routing Engine is rebooted. partition—(TX Matrix Plus routers only) (Optional) Reboot using the specified partition

on the boot media. This option has the following suboptions: •

1—Reboot from partition 1.

•


•

alternate—Reboot from the alternate partition.

scc—(TX Matrix routers only) (Optional) Reboot the Routing Engine on the TX Matrix

router (or switch-card chassis). If you issue the command from re0, re0 is rebooted. If you issue the command from re1, re1 is rebooted. sfc number—(TX Matrix Plus routers only) (Optional) Reboot the Routing Engine on the

TX Matrix Plus router (or switch-fabric chassis). If you issue the command from re0, re0 is rebooted. If you issue the command from re1, re1 is rebooted. Replace number with 0. slice slice—(EX Series switches only) (Optional) Reboot a partition on the boot media.

This option has the following suboptions:


•

1—Power off partition 1.

•


•


Reboot requests are recorded in the system log files, which you can view with the show log command (see show log). Also, the names of any running processes that are scheduled to be shut down are changed. You can view the process names with the show system processes command (see show system processes). On a TX Matrix or TX Matrix Plus router, if you issue the request system reboot command on the master Routing Engine, all the master Routing Engines connected to the routing matrix are rebooted. If you issue this command on the backup Routing Engine, all the backup Routing Engines connected to the routing matrix are rebooted.

NOTE: To reboot a router that has two Routing Engines, reboot the backup Routing Engine (if you have upgraded it) first, and then reboot the master Routing Engine.


171

®


Required Privilege Level Related Documentation

List of Sample Output

Output Fields

maintenance

•

clear system reboot on page 312

•

request system halt on page 326

•


•

Rebooting and Halting a QFX Series Product

request system reboot on page 172 request system reboot (at 2300) on page 172 request system reboot (in 2 Hours) on page 172 request system reboot (Immediately) on page 172 request system reboot (at 1:20 AM) on page 172 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system reboot

user@host> request system reboot Reboot the system ? [yes,no] (no)

request system reboot (at 2300)

user@host> request system reboot at 2300 message ?Maintenance time!? Reboot the system ? [yes,no] (no) yes shutdown: [pid 186] *** System shutdown message from [email protected] *** System going down at 23:00

request system reboot (in 2 Hours)

The following example, which assumes that the time is 5 PM (17:00), illustrates three different ways to request the system to reboot in two hours: user@host> request system reboot at +120 user@host> request system reboot in 120 user@host> request system reboot at 19:00

request system reboot (Immediately)

user@host> request system reboot at now

request system reboot (at 1:20 AM)

To reboot the system at 1:20 AM, enter the following command. Because 1:20 AM is the next day, you must specify the absolute time. user@host> request system reboot at 06060120 request system reboot at 120 Reboot the system at 120? [yes,no] (no) yes

172




Release Information

Description


Command introduced in Junos OS Release 9.0 for EX Series switches. Option partition changed to slice in Junos OS Release 10.0 for EX Series switches. Reboot the Junos OS. Reboot requests are recorded in the system log files, which you can view with the show log command. You can view the process names with the show system processes command.

Options

none—Reboots the software immediately. all-members | local | member member-id—(EX4200 switch only) (Optional) Specify which

member of the Virtual Chassis to reboot: •

all-members—Reboots each switch that is a member of the Virtual Chassis.

•

local—Reboots the local switch, meaning the switch you are logged into, only.

•

member member-id—Reboots the specified member switch of the Virtual Chassis.

at time—(Optional) Time at which to reboot the software, specified in one of the following

ways: •


•

hh:mm—Absolute time on the current day at which to reboot the software, specified

in 24-hour time. •


•


month, day, hour, and minute. in minutes—(Optional) Number of minutes from now to reboot the software. This option

is an alias for the at +minutes option. media (external | internal)—(Optional) Boot medium for the next boot. The external

option reboots the switch using a software package stored on an external boot source, such as a USB flash drive. The internal option reboots the switch using a software package stored in an internal memory source. message “text”—(Optional) Message to display to all system users before rebooting the

software.


173

®


slice (1 | 2 | alternate)—(Optional) Reboot using the specified partition on the boot media.

This option has the following suboptions: •


•


•

alternate—Reboot from the alternate partition, which is the partition that did not

boot the switch at the last bootup.

Required Privilege Level Related Documentation Output Fields

maintenance

•


When you enter this command, you are provided feedback on the status of your request.











174



request system snapshot Syntax


request system snapshot request system snapshot

Syntax (J Series Routers)

request system snapshot






Release Information

Description


Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 10.0 for EX Series switches. •

On the router, back up the currently running and active file system partitions to standby partitions that are not running. Specifically, the root file system (/) is backed up to /altroot, and /config is backed up to /altconfig. The root and /config file systems are on the router's flash drive, and the /altroot and /altconfig file systems are on the router's hard drive.

•

On the switch, take a snapshot of the files currently used to run the switch—the complete contents of the root (/) , /config, and /var directories, which include the running Junos OS, the active configuration, and log files.


175

®


CAUTION: After you run the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical.

Options

The specific options available depend upon the router or switch: none—Back up the currently running software as follows: •

On the router, back up the currently running and active file system partitions to standby partitions that are not running. Specifically, the root file system (/) is backed up to /altroot, and /config is backed up to /altconfig. The root and /config file systems are on the router's flash drive, and the /altroot and /altconfig file systems are on the router's hard drive.

•

On the switch, take a snapshot of the files currently used to run the switch—the complete contents of the root file system /, /config directory, and /var directory, which include the running Junos OS, the active configuration, and log files—and copy all these files onto an external drive. (If a USB flash drive is not connected, an error message is displayed.)

all-chassis | all-lcc | lcc number —(TX Matrix and TX Matrix Plus router only) (Optional) •

all-chassis—On a TX Matrix router, archive data and executable areas for all Routing

Engines in the chassis. On a TX Matrix Plus router, archive data and executable areas for all Routing Engines in the chassis. •

all-lcc—On a TX Matrix router, archive data and executable areas for all T640

routers (or line-card chassis) connected to a TX Matrix router. On a TX Matrix Plus router, archive data and executable areas for all T1600 routers (or line-card chassis) connected to a TX Matrix Plus router. •

lcc number—On a TX Matrix router, archive data and executable areas for a specific

T640 router (or line-card chassis) that is connected to a TX Matrix router. On a TX Matrix Plus router, archive data and executable areas for a specific T1600 router (or line-card chassis) that is connected to a TX Matrix Plus router. Replace number with a value from 0 through 3. all-members | local | member member-id—(EX4200, EX4500, and EX8200 Virtual Chassis

and MX Series routers only) (Optional) Specify where to place the snapshot (archive data and executable areas) in a Virtual Chassis: •

all-members—Create a snapshot (archive data and executable areas) for all

members of the Virtual Chassis. •

local—Create a snapshot (archive data and executable areas) on the member of

the Virtual Chassis that you are currently logged into. •

member member-id—Create a snapshot (archive data and executable areas) for

the specified member of the Virtual Chassis.

176



as-primary—(J Series routers only) (Optional) Create a snapshot that can be used to

replace the medium in the primary compact flash drive. This option can be used on the removable compact flash only. The option copies the default files that were loaded on the primary compact flash drive when it was shipped from the factory, plus the rescue configuration if one has been set. This option is useful if you have multiple routers and want to use the same software and configuration on each router. After a boot device is created as a primary compact flash drive, it can operate in only a primary compact flash drive slot. This option causes the boot medium to be partitioned. config-size size—(J Series routers only) (Optional) Specify the size of the config partition,

in megabytes. The default value is 10 percent of physical memory on the boot partition. The config partition is mounted on /config, and the configuration files are stored in this partition. This option causes the boot medium to be partitioned. data-size size—(J Series routers only) (Optional) Specify the size of the data partition, in

megabytes. The default value is 0 MB. The data partition is mounted on /data. This space is not used by the router, and can be used for extra storage. This option causes the boot medium to be partitioned. factory—(J Series routers only) (Optional) Copy only default files that were loaded on

the primary compact flash drive when it was shipped from the factory, plus the rescue configuration if one has been set. After the boot medium is created with the factory option, it can operate in only the primary compact flash drive. media type—(J Series routers and EX Series switches only)(Optional) Specify the boot

device the software is copied to: •

compact-flash—Copy software to the primary compact flash drive.

•

external—(Switches only) Copy software to an external mass storage device, such

as a USB flash drive. If the media option is not specified, this is the default. If a USB drive is not connected, the switch displays an error message. •

internal—(Switches only) Copy software to an internal flash drive.

•

removable-compact-flash—Copy software to the removable compact flash drive.

•

usb—(M320, T640, MX960, and J Series routers only) Copy software to the device

connected to the USB port. partition—(Optional) Repartition the flash drive before a snapshot occurs. If the partition

table on the flash drive is corrupted, the request system snapshot command fails and reports errors. The partition option is only supported for restoring the software image from the hard drive to the flash drive. (Routers only) You cannot issue the request system snapshot command when you enable flash disk mirroring. We recommend that you disable flash disk mirroring when you upgrade or downgrade the software. For more information, see the Junos OS System Basics Configuration Guide. re0 | re1 | routing-engine routing-engine-id—(EX8200 switch only) Specify where to place

the snapshot in a redundant Routing Engine configuration.


177

®


•

re0—Create a snapshot on Routing Engine 0.

•

re1—Create a snapshot on Routing Engine 1.

•

routing-engine routing-engine-id—Create a snapshot on the specified Routing

Engine. root-size size—(J Series routers only) (Optional) Specify the size of the root partition, in

megabytes. The default value is one-third of the physical memory minus the config, data, and swap partitions. The root partition is mounted on / and does not include configuration files. This option causes the boot medium to be partitioned. slice (1 | 2 |alternate)—(EX Series switches only) (Optional) Take a snapshot of the active

root partition and copy it to the selected slice on the boot media. scc—(TX Matrix router only) (Optional) Archive data and executable areas for a TX Matrix

router (or switch-card chassis). sfc number—(TX Matrix Plus router only) (Optional) Archive data and executable areas

for a TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. swap-size size—(J Series router only) (Optional) Specify the size of the swap partition,

in megabytes. The default value is one-third of the physical memory on a boot medium larger than 128 MB, or 0 MB on a smaller boot device. The swap partition is used for swap files and software failure memory snapshots. Software failure memory snapshots are saved to the boot medium only if it is specified as the dump device in the system dump-device configuration hierarchy. This option causes the boot medium to be partitioned. Additional Information

•

(Routers only) Before upgrading the software on the router, when you have a known stable system, issue the request system snapshot command to back up the software, including the configuration, to the /altroot and /altconfig file systems. After you have upgraded the software on the router and are satisfied that the new packages are successfully installed and running, issue the request system snapshot command again to back up the new software to the /altroot and /altconfig file systems.

•

(Routers only) You cannot issue the request system snapshot command when you enable flash disk mirroring. We recommend that you disable flash disk mirroring when you upgrade or downgrade the software. For more information, see the Junos OS System Basics Configuration Guide

•

Required Privilege Level

178

(TX Matrix and TX Matric Plus router only) On a routing matrix, if you issue the request system snapshot command on the master Routing Engine, all the master Routing Engines connected to the routing matrix are backed up. If you issue this command on the backup Routing Engine, all the backup Routing Engines connected to the routing matrix are backed up.

maintenance



Related Documentation List of Sample Output

Output Fields

•

show system snapshot on page 214

request system snapshot (Routers) on page 179 request system snapshot (EX Series Switches) on page 179 request system snapshot (When Partition Flag Is On) on page 179 request system snapshot (When Mirroring Is Enabled) on page 179 request system snapshot all-lcc (Routing Matrix) on page 179 request system snapshot all-members (Virtual Chassis) on page 180 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system snapshot (Routers)

user@host> request system snapshot umount: /altroot: not currently mounted Copying / to /altroot.. (this may take a few minutes) umount: /altconfig: not currently mounted Copying /config to /altconfig.. (this may take a few minutes) The following filesystems were archived: / /config

request system snapshot (EX Series Switches)

user@switch> request system snapshot fpc0: -------------------------------------------------------------------------Verifying compatibility of destination media partitions... Running newfs (345MB) on external media / partition ... Running newfs (235MB) on external media /config partition ... The following filesystems were archived: / /config /var

request system snapshot (When Partition Flag Is On)

user@host> request system snapshot partition Performing preliminary partition checks ... Partitioning ad0 ... umount: /altroot: not currently mounted Copying / to /altroot.. (this may take a few minutes) The following filesystems were archived: / /config

request system snapshot (When Mirroring Is Enabled) request system snapshot all-lcc (Routing Matrix)

user@host> request system snapshot Snapshot is not possible since mirror-flash-on-disk is configured.

user@host> request system snapshot all-lcc lcc0-re0: -------------------------------------------------------------------------Copying '/' to '/altroot' .. (this may take a few minutes) Copying '/config' to '/altconfig' .. (this may take a few minutes) The following filesystems were archived: / /config lcc2-re0: -------------------------------------------------------------------------Copying '/' to '/altroot' .. (this may take a few minutes) Copying '/config' to '/altconfig' .. (this may take a few minutes) The following filesystems were archived: / /config


179

®


request system snapshot all-members (Virtual Chassis)

user@switch> request system snapshot all-members media internal fpc0: -------------------------------------------------------------------------Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes) The following filesystems were archived: / fpc1: -------------------------------------------------------------------------Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes) The following filesystems were archived: / fpc2: -------------------------------------------------------------------------Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes) The following filesystems were archived: / fpc3: -------------------------------------------------------------------------Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes) The following filesystems were archived: / fpc4: -------------------------------------------------------------------------Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes) The following filesystems were archived: / fpc5: -------------------------------------------------------------------------Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes) The following filesystems were archived: /

180



request system software add Syntax

request system software add package-name










181

®


Syntax (QFX Series)

request system software add package-name request system software add /var/tmp/jbase user@host> request system software add /var/tmp/jkernel user@host> request system software add /var/tmp/jpfe user@host> request system software add /var/tmp/jdocs user@host> request system software add /var/tmp/jroute user@host> request system software add /var/tmp/jcrypto

By default, when you issue the request system software add package-name command on a TX Matrix master Routing Engine, all the T640 master Routing Engines that are connected to it are upgraded to the same version of software. If you issue the same command on the TX Matrix backup Routing Engine, all the T640 backup Routing Engines that are connected to it are upgraded to the same version of software. Likewise, when you issue the request system software add package-name command on a TX Matrix Plus master Routing Engine, all the T1600 master Routing Engines that are connected to it are upgraded to the same version of software. If you issue the same command on the TX Matrix Plus backup Routing Engine, all the T1600 backup Routing Engines that are connected to it are upgraded to the same version of software. Required Privilege Level Related Documentation

maintenance

•

request system software delete on page 188

•

request system software rollback on page 191

•

request system storage cleanup on page 346

•

Upgrading Software on a QFX3500 Switch

•

Upgrading Software on a QFabric System


185

®



request system software add validate on page 186 request system software add (Mixed EX4200 and EX4500 Virtual Chassis) on page 186 request system software add (QFabric Switch) on page 187

Output Fields


Sample Output request system software add validate

user@host> request system software add validate /var/tmp/ jinstall-7.2R1.7-domestic-signed.tgz Checking compatibility with configuration Initializing... Using jbase-7.1R2.2 Using /var/tmp/jinstall-7.2R1.7-domestic-signed.tgz Verified jinstall-7.2R1.7-domestic.tgz signed by PackageProduction_7_2_0 Using /var/validate/tmp/jinstall-signed/jinstall-7.2R1.7-domestic.tgz Using /var/validate/tmp/jinstall/jbundle-7.2R1.7-domestic.tgz Checking jbundle requirements on / Using /var/validate/tmp/jbundle/jbase-7.2R1.7.tgz Using /var/validate/tmp/jbundle/jkernel-7.2R1.7.tgz Using /var/validate/tmp/jbundle/jcrypto-7.2R1.7.tgz Using /var/validate/tmp/jbundle/jpfe-7.2R1.7.tgz Using /var/validate/tmp/jbundle/jdocs-7.2R1.7.tgz Using /var/validate/tmp/jbundle/jroute-7.2R1.7.tgz Validating against /config/juniper.conf.gz mgd: commit complete Validation succeeded Validating against /config/rescue.conf.gz mgd: commit complete Validation succeeded Installing package '/var/tmp/jinstall-7.2R1.7-domestic-signed.tgz' ... Verified jinstall-7.2R1.7-domestic.tgz signed by PackageProduction_7_2_0 Adding jinstall... WARNING: WARNING: WARNING: WARNING: WARNING: WARNING: WARNING:

This package will load JUNOS 7.2R1.7 software. It will save JUNOS configuration files, and SSH keys (if configured), but erase all other files and information stored on this machine. It will attempt to preserve dumps and log files, but this can not be guaranteed. This is the pre-installation stage and all the software is loaded when you reboot the system.

Saving the config files ... Installing the bootstrap installer ... WARNING: WARNING: WARNING: WARNING: WARNING:

A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the 'request system reboot' command when software installation is complete. To abort the installation, do not reboot your system, instead use the 'request system software delete jinstall' command as soon as this operation completes.

Saving package file in /var/sw/pkg/jinstall-7.2R1.7-domestic-signed.tgz ... Saving state for rollback ...

Sample Output request system software add (Mixed

186

user@switch> request system software add set [/var/tmp/jinstall-ex-4200-11.1R1.1-domestic-signed.tgz /var/tmp/jinstall-ex-4500-11.1R1.1-domestic-signed.tgz]



EX4200 and EX4500 Virtual Chassis) request system software add (QFabric Switch)

...

user@switch> request system software add /pbdata/packages/jinstall-qfabric-11.3X30.6.rpm component all reboot ...


187

®


request system software delete Syntax

request system software delete software-package





Release Information

Description

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Remove a software package or bundle from the router or switch.

CAUTION: Before removing a software package or bundle, make sure that you have already placed the new software package or bundle that you intend to load onto the router or switch.

Options

software-package—Software package or bundle name. You can delete any or all of the

following software bundles or packages: •

jbase—(Optional) Junos base software suite

•

jcrypto—(Optional, in domestic version only) Junos security software

•

jdocs—(Optional) Junos online documentation file

•

jkernel—(Optional) Junos kernel software suite

•

jpfe—(Optional) Junos Packet Forwarding Engine support

•

jroute—(Optional) Junos routing software suite

•

junos—(Optional) Junos base software

force—(Optional) Ignore warnings and force removal of the software. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

remove an extension or upgrade package from a specific T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, remove an extension or upgrade package from a specific T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3.

188



scc—(TX Matrix routers only) (Optional) Remove an extension or upgrade package from

the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Remove an extension or upgrade

package from the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information


List of Sample Output Output Fields

Before upgrading the software on the router or switch, when you have a known stable system, issue the request system snapshot command to back up the software, including the configuration, to the /altroot and /altconfig file systems. After you have upgraded the software on the router or switch and are satisfied that the new packages are successfully installed and running, issue the request system snapshot command again to back up the new software to the /altroot and /altconfig file systems. After you run the request system snapshot command, you cannot return to the previous version of the software, because the running and backup copies of the software are identical. maintenance

•

request system software add on page 181

•


•

request system software validate on page 194

request system software delete jdocs on page 189 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system software delete jdocs

The following example displays the system software packages before and after the jdocs package is deleted through the request system software delete command: user@host> show system software Information for jbase: Comment: JUNOS Base OS Software Suite [7.2R1.7]

Information for jcrypto: Comment: JUNOS Crypto Software Suite [7.2R1.7]

Information for jdocs: Comment: JUNOS Online Documentation [7.2R1.7]

Information for jkernel:


189

®


Comment: JUNOS Kernel Software Suite [7.2R1.7] ...

user@host> request system software delete jdocs Removing package 'jdocs' ...

user@host> show system software Information for jbase: Comment: JUNOS Base OS Software Suite [7.2R1.7]

Information for jcrypto: Comment: JUNOS Crypto Software Suite [7.2R1.7]

Information for jkernel: Comment: JUNOS Kernel Software Suite [7.2R1.7] ...

190



request system software rollback Syntax

request system software rollback









Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Revert to the software that was loaded at the last successful request system software add command. none—Revert to the set of software as of the last successful request system software add. all-members—(EX4200 switches and MX Series routers only) (Optional) Attempt to roll

back to the previous set of packages on all members of the Virtual Chassis configuration. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

attempt to roll back to the previous set of packages on a T640 router (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, attempt to roll back to the previous set of packages on a T1600 router (or line-card chassis) connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Attempt to roll back

to the previous set of packages on the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Attempt

to roll back to the previous set of packages on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1.


191

®


scc—(TX Matrix routers only) (Optional) Attempt to roll back to the previous set of

packages on the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Attempt to roll back to the previous

set of packages on the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information

On the J Series router, you can use this command to roll back to a previous software package when the current upgrade has been successful or has failed. On M Series and T Series routers, use this command only to recover from a failed software upgrade—you cannot issue this command to return to the previously installed software after using a jinstall package. To return to the previously installed software, use the corresponding jinstall package. A software rollback fails if any required package (or a jbundle package containing the required package) cannot be found in /var/sw/pkg.



192

maintenance

•

request system software abort

•


•


•

request system software validate on page 194

•

request system configuration rescue delete on page 577

•

request system configuration rescue save on page 578

request system software rollback on page 193 When you enter this command, you are provided feedback on the status of your request.



Sample Output request system software rollback

user@host> request system software rollback Verified SHA1 checksum of ./jbase-7.2R1.7.tgz Verified SHA1 checksum of ./jdocs-7.2R1.7.tgz Verified SHA1 checksum of ./jroute-7.2R1.7.tgz Installing package './jbase-7.2R1.7.tgz' ... Available space: 35495 require: 7335 Installing package './jdocs-7.2R1.7.tgz' ... Available space: 35339 require: 3497 Installing package './jroute-7.2R1.7.tgz' ... Available space: 35238 require: 6976 NOTICE: uncommitted changes have been saved in /var/db/config/juniper.conf.pre-install Reloading /config/juniper.conf.gz ... Activating /config/juniper.conf.gz ... mgd: commit complete Restarting mgd ... Restarting aprobed ... Restarting apsd ... Restarting cosd ... Restarting fsad ... Restarting fud ... Restarting gcdrd ... Restarting ilmid ... Restarting irsd ... Restarting l2tpd ... Restarting mib2d ... Restarting nasd ... Restarting pppoed ... Restarting rdd ... Restarting rmopd ... Restarting rtspd ... Restarting sampled ... Restarting serviced ... Restarting snmpd ... Restarting spd ... Restarting vrrpd ... WARNING: cli has been replaced by an updated version: CLI release 7.2R1.7 built by builder on 2005-04-22 02:03:44 UTC Restart cli using the new version ? [yes,no] (yes) yes Restarting cli ... user@host


193

®


request system software validate Syntax

request system software validate package-name


request system software validate







Release Information

Description Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Validate candidate software against the current configuration of the router or switch. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

validate the software bundle or package on a specific T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, validate the software bundle or package on a specific T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. member member-id—(EX4200 switches and MX Series routers only) (Optional) Validate

the software bundle or package on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. package-name—Name of the software bundle or package to test. scc—(TX Matrix routers only) (Optional) Validate the software bundle or package for

the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Validate the software bundle or

package for the TX Matrix Plus router (or switch-fabric chassis). Additional Information

194

By default, when you issue the request system software validate command on a TX Matrix master Routing Engine, all the T640 master Routing Engines that are connected to it are validated. If you issue the same command on the TX Matrix backup Routing Engine, all the T640 backup Routing Engines that are connected to it are upgraded to the same version of software.



Likewise, if you issue the request system software validate command on a TX Matrix Plus master Routing Engine, all the T1600 master Routing Engines that are connected to it are validated. If you issue the same command on a TX Matrix Plus backup Routing Engine, all the T1600 backup Routing Engines that are connected to it are upgraded to the same version of software. Required Privilege Level Related Documentation


Output Fields

maintenance

•


•


•


•


request system software validate (Successful Case) on page 195 request system software validate (Failure Case) on page 195 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system software validate (Successful Case)

user@host> request system software validate /var/sw/pkg/jbundle-5.3I20020124_0520_sjg.tgz Checking compatibility with configuration Initializing... Using /packages/jbase-5.3I20020122_1901_sjg Using /var/sw/pkg/jbundle-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jbase-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jkernel-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jcrypto-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jpfe-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jdocs-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jroute-5.3I20020124_0520_sjg.tgz Validating against /config/juniper.conf.gz mgd: commit complete WARNING: cli has been replaced by an updated version: CLI release 5.3I0 built by sjg on 2002-01-24 05:23:53 UTC Restart cli using the new version ? [yes,no] (yes)

request system software validate (Failure Case)

user@host> request system software validate 6.3/ Pushing bundle to lcc0-re0 error: Failed to transfer package to lcc0-re0

user@host> request system software validate test Pushing bundle to lcc0-re0 Pushing bundle to lcc2-re0 lcc0-re0: gzip: stdin: not in gzip format tar: child returned status 1 ERROR: Not a valid package: /var/tmp/test


195

®


request system software validate Syntax



request system software validate







Release Information

Description Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Validate candidate software against the current configuration of the router or switch. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

validate the software bundle or package on a specific T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, validate the software bundle or package on a specific T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. member member-id—(EX4200 switches and MX Series routers only) (Optional) Validate

the software bundle or package on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. package-name—Name of the software bundle or package to test. scc—(TX Matrix routers only) (Optional) Validate the software bundle or package for

the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Validate the software bundle or

package for the TX Matrix Plus router (or switch-fabric chassis). Additional Information

196

By default, when you issue the request system software validate command on a TX Matrix master Routing Engine, all the T640 master Routing Engines that are connected to it are validated. If you issue the same command on the TX Matrix backup Routing Engine, all the T640 backup Routing Engines that are connected to it are upgraded to the same version of software.



Likewise, if you issue the request system software validate command on a TX Matrix Plus master Routing Engine, all the T1600 master Routing Engines that are connected to it are validated. If you issue the same command on a TX Matrix Plus backup Routing Engine, all the T1600 backup Routing Engines that are connected to it are upgraded to the same version of software. Required Privilege Level Related Documentation


Output Fields

maintenance

•


•


•


•


request system software validate (Successful Case) on page 197 request system software validate (Failure Case) on page 197 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system software validate (Successful Case)

user@host> request system software validate /var/sw/pkg/jbundle-5.3I20020124_0520_sjg.tgz Checking compatibility with configuration Initializing... Using /packages/jbase-5.3I20020122_1901_sjg Using /var/sw/pkg/jbundle-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jbase-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jkernel-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jcrypto-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jpfe-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jdocs-5.3I20020124_0520_sjg.tgz Using /var/chroot/var/tmp/jbundle/jroute-5.3I20020124_0520_sjg.tgz Validating against /config/juniper.conf.gz mgd: commit complete WARNING: cli has been replaced by an updated version: CLI release 5.3I0 built by sjg on 2002-01-24 05:23:53 UTC Restart cli using the new version ? [yes,no] (yes)

request system software validate (Failure Case)

user@host> request system software validate 6.3/ Pushing bundle to lcc0-re0 error: Failed to transfer package to lcc0-re0

user@host> request system software validate test Pushing bundle to lcc0-re0 Pushing bundle to lcc2-re0 lcc0-re0: gzip: stdin: not in gzip format tar: child returned status 1 ERROR: Not a valid package: /var/tmp/test


197

®


request system zeroize Syntax

Release Information

Description

request system zeroize

Command introduced in Junos OS Release 11.2 for EX Series switches. Option media added in Junos OS Release 11.4 for EX Series switches. Remove all configuration information on the Routing Engines and reset all key values. The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. To completely erase user-created data so that it is unrecoverable, use the media option.

CAUTION: Before issuing this command, use the request system snapshot command to back up the files currently used to run the switch to a secondary device.

This command reboots the switch and sets it to the factory default configuration. After the reboot, you cannot access the switch through the management Ethernet interface. Log in through the console as root and start the Junos OS command-line interface (CLI) by typing cli at the prompt. Options

media—(Optional) Erase all user-created files from the system including all plain-text

passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP. In addition to removing all configuration and log files, the media option causes memory and the media to be scrubbed, removing all traces of any user-created files. The duration of the scrubbing process is dependent on the size of the media being erased. As a result, the request system zeroize media operation can take considerably more time than the request system zeroize operation. Required Privilege Level Related Documentation


maintenance

•

Reverting to the Default Factory Configuration for the EX Series Switch on page 537

•

Reverting to the Rescue Configuration for the EX Series Switch on page 540

request system zeroize on page 198 request system zeroize media on page 199

Sample Output request system zeroize

198

user@switch> request system zeroize



warning: System will be rebooted and may not boot without configuration Erase all data, including configuration and log files? [yes,no] (no) yes 0 1 1 0 0 0 done syncing disks... All buffers synced. Uptime: 5d19h20m26s recorded reboot as normal shutdown Rebooting... U-Boot 1.1.6 (Mar 11 2011 - 04:39:06) Board: EPLD: DRAM: FLASH:

EX4200-24T 2.11 Version 6.0 (0x85) Initializing (1024 MB) 8 MB

Firmware Version: --- 01.00.00 --USB: scanning bus for devices... 2 USB Device(s) found scanning bus for storage devices... 1 Storage Device(s) found ELF file is 32 bit Consoles: U-Boot console FreeBSD/PowerPC U-Boot bootstrap loader, Revision 2.4 ([email protected], Fri Mar 11 03:03:36 UTC 2011) Memory: 1024MB bootsequencing is enabled bootsuccess is set new boot device = disk0s1: Loading /boot/defaults/loader.conf /kernel data=0x915c84+0xa1260 syms=[0x4+0x7cbd0+0x4+0xb1c19]

Hit [Enter] to boot immediately, or space bar for command prompt. Booting [/kernel]... Kernel entry at 0x800000e0 ... GDB: no debug ports present KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1996-2011, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 11.1R1.8 #0: 2011-03-09 20:14:25 UTC [email protected]:/volume/build/junos/11.1/release/11.1R1.8/obj-powerpc/bsd/kernels/ JUNIPER-EX/kernel Timecounter "decrementer" frequency 50000000 Hz quality 0 cpu0: Freescale e500v2 core revision 2.2 cpu0: HID0 80004080 ...

request system zeroize media

user@switch> request system zeroize media warning: System will be rebooted and may not boot without configuration Erase all data, including configuration and log files? [yes,no] (no) yes warning: ipsec-key-management subsystem not running - not needed by configuration. warning: zeroizing fpc0


199

®


{master:0} root> Waiting (max 60 seconds) for system process `vnlru' to stop...done . . . Syncing disks, vnodes remaining...2 4 2 4 3 2 1 1 0 0 0 done syncing disks... All buffers synced. Uptime: 14m50s recorded reboot as normal shutdown Rebooting... U-Boot 1.1.6 (Apr 21 2011 - 13:58:42) Board: EPLD: DRAM: FLASH: NAND: 0 MiB

EX4200-48PX 1.1 Version 8.0 (0x82) Initializing (512 MB) 8 MB No NAND device found!!!

Firmware Version: --- 01.00.00 --USB: scanning bus for devices... 2 USB Device(s) found scanning bus for storage devices... 1 Storage Device(s) found ELF file is 32 bit Consoles: U-Boot console FreeBSD/PowerPC U-Boot bootstrap loader, Revision 2.2 ([email protected], Fri Feb 26 17:48:51 PST 2010) Memory: 512MB Loading /boot/defaults/loader.conf /kernel data=0x9abfdc+0xb06e4 syms=[0x4+0x83b30+0x4+0xbd7c6] Hit [Enter] to boot immediately, or space bar for command prompt. Booting [/kernel] in 1 second... Booting [/kernel]... Kernel entry at 0x800000e0 ... GDB: no debug ports present KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1996-2011, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 11.4R1.2 #0: 2011-10-27 18:05:39 UTC [email protected]:/volume/build/junos/11.4/release/11.4R1.2/obj-powerpc/ bsd/kernels/JUNIPER-EX/kernel can't re-use a leaf (all_slot_serialid)! Timecounter "decrementer" frequency 50000000 Hz quality 0 cpu0: Freescale e500v2 core revision 2.2 cpu0: HID0 80004080 real memory = 511705088 (488 MB) avail memory = 500260864 (477 MB) ETHERNET SOCKET BRIDGE initialising Initializing EXSERIES platform properties ... . . . Automatic reboot in progress... Media check on da0 on ex platforms ** /dev/da0s2a FILE SYSTEM CLEAN; SKIPPING CHECKS clean, 20055 free (31 frags, 2503 blocks, 0.0% fragmentation) zeroizing /dev/da0s1a ...

200



. . . zeroizing . . . zeroizing . . . zeroizing . . . zeroizing . . .

/dev/da0s3d ... /dev/da0s3e ... /dev/da0s4d ... /dev/da0s4e ...

syncing disks... All buffers synced. Uptime: 3m40s Rebooting... U-Boot 1.1.6 (Apr 21 2011 - 13:58:42) Board: EPLD: DRAM: FLASH: NAND: 0 MiB

EX4200-48PX 1.1 Version 8.0 (0x82) Initializing (512 MB) 8 MB No NAND device found!!!

Firmware Version: --- 01.00.00 --USB: scanning bus for devices... 2 USB Device(s) found scanning bus for storage devices... 1 Storage Device(s) found ELF file is 32 bit Consoles: U-Boot console FreeBSD/PowerPC U-Boot bootstrap loader, Revision 2.2 ([email protected], Fri Feb 26 17:48:51 PST 2010) Memory: 512MB Loading /boot/defaults/loader.conf /kernel data=0x9abfdc+0xb06e4 syms=[0x4+0x83b30+0x4+0xbd7c6] Hit [Enter] to boot immediately, or space bar for command prompt. Booting [/kernel] in 1 second... Booting [/kernel]... Kernel entry at 0x800000e0 ... GDB: no debug ports present KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1996-2011, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 11.4R1.2 #0: 2011-10-27 18:05:39 UTC [email protected]:/volume/build/junos/11.4/release/11.4R1.2/obj-powerpc/ bsd/kernels/JUNIPER-EX/kernel can't re-use a leaf (all_slot_serialid)! Timecounter "decrementer" frequency 50000000 Hz quality 0 cpu0: Freescale e500v2 core revision 2.2 cpu0: HID0 80004080 real memory = 511705088 (488 MB) avail memory = 500260864 (477 MB) ETHERNET SOCKET BRIDGE initialising Initializing EXSERIES platform properties ... . . . Automatic reboot in progress... Media check on da0 on ex platforms


201

®


** /dev/da0s1a FILE SYSTEM CLEAN; SKIPPING CHECKS clean, 20064 free (48 frags, 2502 blocks, 0.1% fragmentation) zeroizing /dev/da0s2a ... . . . Creating initial configuration...mgd: error: Cannot open configuration file: /config/juniper.conf mgd: warning: activating factory configuration mgd: commit complete mgd: ---------------------------------------------------------mgd: Please login as 'root'. No password is required. mgd: To start Initial Setup, type 'ezsetup' at the JUNOS prompt. mgd: To start JUNOS CLI, type 'cli' at the JUNOS prompt. mgd: ---------------------------------------------------------Setting initial options: debugger_on_panic=NO debugger_on_break=NO. Starting optional daemons: . Doing initial network setup: . . . Amnesiac (ttyu0)

202



show system autoinstallation status Syntax

show system autoinstallation status

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches.

Description

(J Series routers and EX Series switches only) Display autoinstallation status information.

Options

This command has no options.


view


show system autoinstallation status on page 203

Output Fields

Table 46 on page 203 describes the output fields for the show system autoinstallation status command. Output fields are listed in the approximate order in which they appear.

Table 46: show system autoinstallation status Output Fields Field Name

Field Description

Autoinstallation status

Display autoinstallation status information: •

Last committed file—File last committed for autoinstallation configuration.

•

Configuration server of last committed file—IP address or URL of server configured to retrieve

configuration information for the last committed configuration file. •

•

Interface—Interface configured for autoinstallation. •

Name—Name of interface.

•

State—Interface state.

Address acquisition—Display IP address acquired and protocol used for acquisition upon bootup. •

Protocol—Protocol used for acquisition: BOOTP/DHCP or RARP.

•

Acquired address—IP address acquired from the DHCPserver.

Sample Output show system autoinstallation status

user@host> show system autoinstallation status Autoinstallation status: Master state: Active Last committed file: None Configuration server of last committed file: 0.0.0.0 Interface: Name: fe-0/0/1 State: None Address acquisition: Protocol: DHCP Client Acquired address: None Protocol: RARP Client Acquired address: None


203

®


show system boot-messages Syntax

show system boot-messages





Syntax (TX Matrix Plus Router) Syntax (MX Series Router)

show system boot-messages show system boot-messages

Syntax (QFX Series)

show system boot-messages infrastructure name | interconnect-device name | node-group name

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Options

Display initial messages generated by the system kernel upon startup. These messages are the contents of /var/run/dmesg.boot. none—Display all boot time messages. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Display boot time

messages for all of the chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display boot time messages for all T640 routers (or line-card chassis) connected to a TX Matrix router. On a TX Matrix Plus router, display boot time messages for all T1600 routers (or line-card chassis) connected to a TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Display boot

time messages on all members of the Virtual Chassis configuration. infrastructure name—(QFabric switches only) (Optional) Display boot time messages

on the fabric control Routing Engine or fabric manager Routing engines. interconnect-device name—(QFabric switches only) (Optional) Display boot time

messages on the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display boot time messages for a specific T640 router connected to a TX Matrix

204



router. On a TX Matrix Plus router, display boot time messages for a specific T1600 router connected to a TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Display boot time

messages on the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Display

boot time messages on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. node-group name—(QFabric switches only) (Optional) Display boot time messages on

the Node group. scc—(TX Matrix routers only) (Optional) Display boot time messages for the TX Matrix

router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Display boot time messages for

the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information

Required Privilege Level List of Sample Output

By default, when you issue the show system boot-messages command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) master Routing Engines or T1600 (in a routing matrix based on a TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) backup Routing Engines or T1600 (routing matrix based on a TX Matrix Plus router) backup Routing Engines that are connected to it. view

show system boot-messages (TX Matrix Router) on page 205 show system boot-messages lcc (TX Matrix Router) on page 207 show system boot-messages (TX Matrix Plus Router) on page 207 show system boot-messages (QFX3500 Switch) on page 208

Sample Output show system boot-messages (TX Matrix Router)

user@host> show system boot-messages Copyright (c) 1992-1998 FreeBSD Inc. Copyright (c) 1996-2000 Juniper Networks, Inc. All rights reserved. Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California.

All rights reserved.

JUNOS 4.1-20000216-Zf8469 #0: 2000-02-16 12:57:28 UTC [email protected]:/p/build/20000216-0905/4.1/release_kernel/sys/compil e/GENERIC CPU: Pentium Pro (332.55-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x66a Stepping=10 Features=0x183f9ff


205

®


Teknor CPU Card Recognized real memory = 805306368 (786432K bytes) avail memory = 786280448 (767852K bytes) Probing for devices on PCI bus 0: chip0 rev 3 class 6000 0 on pci0:0:0 chip1 rev 1 class 60100 on pci0:7:0 chip2 rev 1 class 10180 on pci0:7:1 chip3 rev 1 class c0300 int d irq 11 on pci0:7:2 smb0 rev 1 class 68000 on pci0:7:3 pcic0 rev 1 class 60700 int a irq 15 on pci0:13 :0 TI1131 PCI Config Reg: [pci only][FUNC0 pci int] pcic1 rev 1 class 60700 int b irq 12 on pci0:13 :1 TI1131 PCI Config Reg: [pci only][FUNC1 pci int] fxp0 rev 8 class 20000 int a irq 12 on pci0:16:0 chip4 rev 4 class 6040 0 on pci0:17:0 fxp1 rev 8 class 20000 int a irq 10 on pci0:19:0 Probing for devices on PCI bus 1: mcs0 rev 12 class ff0000 int a irq 12 on pci1: 13:0 fxp2 rev 8 class 20000 int a irq 10 on pci1:14:0 Probing for devices on the ISA bus: sc0 at 0x60-0x6f irq 1 on motherboard sc0: EGA color ed0 not found at 0x300 ed1 not found at 0x280 ed2 not found at 0x340 psm0 not found at 0x60 sio0 at 0x3f8-0x3ff irq 4 flags 0x20010 on isa sio0: type 16550A, console sio1 at 0x3e8-0x3ef irq 5 flags 0x20000 on isa sio1: type 16550A sio2 at 0x2f8-0x2ff irq 3 flags 0x20000 on isa sio2: type 16550A pcic0 at 0x3e0-0x3e1 on isa PC-Card ctlr(0) TI PCI-1131 [CardBus bridge mode] (5 mem & 2 I/O windows) pcic0: slot 0 controller I/O address 0x3e0 npx0 flags 0x1 on motherboard npx0: INT 16 interface fdc0: direction bit not set fdc0: cmd 3 failed at out byte 1 of 3 fdc0 not found at 0x3f0 wdc0 at 0x1f0-0x1f7 irq 14 on isa wdc0: unit 0 (wd0): , single-sector-i/o wd0: 76MB (156672 sectors), 612 cyls, 8 heads, 32 S/T, 512 B/S wdc0: unit 1 (wd1): wd1: 8063MB (16514064 sectors), 16383 cyls, 16 heads, 63 S/T, 512 B/S wdc1 not found at 0x170 wdc2 not found at 0x180 ep0 not found at 0x300 fxp0: Ethernet address 00:a0:a5:12:05:5a fxp1: Ethernet address 00:a0:a5:12:05:59

206



fxp2: Ethernet address 02:00:00:00:00:01 swapon: adding /dev/wd1s1b as swap device Automatic reboot in progress... /dev/rwd0s1a: clean, 16599 free (95 frags, 2063 blocks, 0.1% fragmentation) /dev/rwd0s1e: clean, 9233 free (9 frags, 1153 blocks, 0.1% fragmentation) /dev/rwd0s1a: clean, 16599 free (95 frags, 2063 blocks, 0.1% fragmentation) /dev/rwd1s1f: clean, 4301055 free (335 frags, 537590 blocks, 0.0% fragmentation)

show system boot-messages lcc (TX Matrix Router)

user@host> show system boot-messages lcc 2 lcc2-re0: -------------------------------------------------------------------------Copyright (c) 1996-2001, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2001 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 7.0-20040912.0 #0: 2004-09-12 09:16:32 UTC [email protected]:/build/benten-b/7.0/20040912.0/obj-i386/sys/compile/JUNIPER Timecounter "i8254" frequency 1193182 Hz Timecounter "TSC" frequency 601368936 Hz CPU: Pentium III/Pentium III Xeon/Celeron (601.37-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x68a Stepping = 10 Features=0x387f9ff real memory = 2147467264 (2097136K bytes) sio0: gdb debugging port avail memory = 2084040704 (2035196K bytes) Preloaded elf kernel "kernel" at 0xc06d9000. DEVFS: ready for devices Pentium Pro MTRR support enabled md0: Malloc disk DRAM Data Integrity Mode: ECC Mode with h/w scrubbing npx0: on motherboard npx0: INT 16 interface pcib0: on motherboard pci0: on pcib0 pcic-pci0: irq 15 at device 1.0 on pci0 pcic-pci0: TI12XX PCI Config Reg: [pwr save][pci only] fxp0: port 0x1000-0x103f mem 0xfb800000-0xfb81ffff,0xfb820000-0xfb820fff irq 9 at device 3.0 on pci0 fxp1: port 0x1040-0x107f mem 0xfb840000-0xfb85ffff,0xfb821000-0xfb821fff irq 11 at device 4.0 on pci0 ...

show system boot-messages (TX Matrix Plus Router)

user@host> show system boot-messages sfc0-re0: -------------------------------------------------------------------------Copyright (c) 1996-2009, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 9.6B3.3 #0: 2009-06-17 19:52:08 UTC [email protected]:/volume/build/junos/9.6/release/9.6B3.3/obj-i386/bsd/sys/compile/JUNIPER MPTable: Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) Xeon(R) CPU L5238 @ 2.66GHz (2660.01-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x1067a Stepping = 10 Features=0xbfebfbff ... lcc1-re0:


207

®


-------------------------------------------------------------------------Copyright (c) 1996-2009, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 9.6-20090617.0 #0: 2009-06-17 04:15:14 UTC [email protected]:/volume/build/junos/9.6/production/20090617.0/obj-i386/bsd/sys/compile/JUNIPER Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) Xeon(R) CPU @ 1.86GHz (1862.01-MHz 686-class CPU) Origin = "GenuineIntel" Features=0xbfebfbff ...

show system boot-messages (QFX3500 Switch)

Id = 0x1067a

Stepping = 10

user@switch> show sytem boot-messages getmemsize: msgbufp[size=32768] = 0x81d07fe4 System physical memory distribution: ------------------------------------------------------------------------------Total physical memory: 4160749568 (3968 MB) Physical memory used: 3472883712 (3312 MB) Physical memory allocated to kernel: 2130706432 (2032 MB) Physical memory allocated to user BTLB: 1342177280 (1280 MB) ------------------------------------------------------------------------------Copyright (c) 1996-2010, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 11.1I #0: 2010-09-17 19:18:07 UTC [email protected]:/c/ssiano/DEV_QFX_SI_BRANCH/03/20100917.399988/ obj-xlr/bsd/sys/compile/JUNIPER-DCTOR WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant JUNOS 11.1I #0: 2010-09-17 19:18:07 UTC [email protected]:/c/ssiano/DEV_QFX_SI_BRANCH/03/20100917.399988/ obj-xlr/bsd/sys/compile/JUNIPER-DCTOR real memory = 3472883712 (3312MB) avail memory = 1708171264 (1629MB) cpuid: 0, btlb_cpumap:0xfffffff8 FreeBSD/SMP: Multiprocessor System Detected: 12 CPUs ETHERNET SOCKET BRIDGE initialising Initializing QFX platform properties .. cpu0 on motherboard : RMI's XLR CPU Rev. 0.3 with no FPU implemented L1 Cache: I size 32kb(32 line), D size 32kb(32 line), eight way. L2 Cache: Size 1024kb, eight way pic_lbus0: pic_lbus0: on motherboard Enter qfx control ethernet probe addr:0xc5eeec00 gmac4: on pic_lbus0 me0: Ethernet address 00:1d:b5:f7:68:40 Enter qfx control ethernet probe addr:0xc5eeeb40 gmac5: on pic_lbus0 me1: Ethernet address 00:1d:b5:f7:68:41 Enter qfx control ethernet probe addr:0xc5eeea80 gmac6: on pic_lbus0

208



me1: Ethernet address 00:1d:b5:f7:68:42 sio0 on pic_lbus0 Entering sioattach sio0: type 16550A, console xls_setup_intr: skip irq 3, xlr regs are set up somewhere else. gblmem0 on pic_lbus0 ehci0: on pic_lbus0 ehci_bus_attach: allocated resource. tag=1, base=bef24000 xls_ehci_init: endian hardware swapping NOT enabled. usb0: EHCI version 1.0 usb0 on ehci0 usb0: USB revision 2.0 uhub0: vendor 0x0000 EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered umass0: USB USBFlashDrive, rev 2.00/11.00, addr 2 pcib0: PCIe link 0 up pcib0: PCIe link 2 up pcib0: PCIe link 3 up pcib0: on pic_lbus0 pci0: on pcib0 pcib1: at device 0.0 on pci0 pci1: on pcib1 pci1: at device 0.0 (no driver attached) pcib2: at device 1.0 on pci0 pcib3: at device 2.0 on pci0 pci2: on pcib3 pci2: at device 0.0 (no driver attached) pcib4: at device 3.0 on pci0 pci3: on pcib4 pci3: at device 0.0 (no driver attached) cfi device address space at 0xbc000000 cfi0: on pic_lbus0 cfi device address space at 0xbc000000 i2c0: on pic_lbus0 i2c1: on pic_lbus0 qfx_fmn0 on pic_lbus0 pool offset 1503776768 xlr_lbus0: on motherboard qfx_bcpld_probe[124] qfx_bcpld_probe[138]: dev_type=0x0 qfx_bcpld_probe[124] qfx_bcpld0: QFX BCPLD probe success qfx_bcpld0qfx_bcpld_attach[174] qfx_bcpld_attach[207] : bus_space_tag=0x0, bus_space_handle=0xbd900000 qfx_bcpld_probe[124] qfx_bcpld1: QFX BCPLD probe success qfx_bcpld1qfx_bcpld_attach[174] tor_bcpld_slave_attach[1245] : bus_space_tag=0x0, bus_space_handle=0xbda00000 Initializing product: 96 .. bmeb: bmeb_lib_init done 0xc60a5000, addr 0x809c99a0 bme0:Virtual BME driver initializing Timecounter "mips" frequency 1200000000 Hz quality 0 Timecounter "xlr_pic_timer" frequency 66666666 Hz quality 1 Timecounters tick every 1.000 msec Loading the NETPFE fc module IPsec: Initialized Security Association Processing. SMP: AP CPU #3 Launched! SMP: AP CPU #1 Launched! SMP: AP CPU #2 Launched! SMP: AP CPU #4 Launched! SMP: AP CPU #5 Launched!


209

®


SMP: AP CPU #7 Launched! SMP: AP CPU #6 Launched! SMP: AP CPU #11 Launched! SMP: AP CPU #10 Launched! SMP: AP CPU #9 Launched! SMP: AP CPU #8 Launched! da0 at umass-sim0 bus 0 target 0 lun 0 da0: Removable Direct Access SCSI-0 device da0: 40.000MB/s transfers da0: 3920MB (8028160 512 byte sectors: 255H 63S/T 499C) Trying to mount root from ufs:/dev/da0s1a

210



show system license Syntax

Release Information

Description Options

show system license

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display licenses and information about how they are used. none—Display all license information. installed—(Optional) Display installed licenses only. keys—(Optional) Display a list of license keys. Use this information to verify that each

expected license key is present. usage—(Optional) Display the state of licensed features.


Output Fields

maintenance

show system license on page 212 show system license installed on page 212 show system license keys on page 213 show system license usage on page 213 Table 47 on page 211 lists the output fields for the show system license command. Output fields are listed in the approximate order in which they appear.

Table 47: show system license Output Fields Field Name

Field Description

Feature name

Name assigned to the configured feature. You use this information to verify that all the features for which you installed licenses are present.

Licenses used

Number of licenses used by a router or switch. You use this information to verify that the number of licenses used matches the number configured. If a licensed feature is configured, the feature is considered used. NOTE: In Junos OS Release 10.1 and later, the Licenses used column displays the actual usage count based on the number of active sessions or connections as reported by the corresponding feature daemons. This is applicable for scalable license-based features such as Subscriber Access (scale-subscriber), L2TP (scale-l2tp), Mobile IP (scale-mobile-ip), and so on.


211

®


Table 47: show system license Output Fields (continued) Field Name

Field Description

Licenses installed

Information about the installed license key: •

License identifier—Identifier associated with a license key.

•

State—State of the license key:valid or invalid. An invalid state indicates that the key was entered

incorrectly or is not valid for the specific device. •

License version—Version of a license. The version indicates how the license is validated, the type

of signature, and the signer of the license key. •

Valid for device—Device that can use a license key.

•

Group defined—Group membership of a device.

•

Features—Feature associated with a license, such as data link switching (DLSw).

Licenses needed

Number of licenses required for features being used but not yet properly licensed.

Expiry

Amount of time left within the grace period before a license is required for a feature being used.

Sample Output show system license

user@host> show system license License usage: Feature name subscriber-accounting subscriber-authentication subscriber-address-assignment subscriber-vlan subscriber-ip scale-subscriber scale-l2tp scale-mobile-ip

Licenses used 2 1 2 2 0 2 4 1

Licenses installed 2 2 2 2 2 3 5 2

Licenses needed 0 0 0 0 0 0 0 0

Expiry permanent permanent permanent permanent permanent permanent permanent permanent

Licenses installed: License identifier: XXXXXXXXXX License version: 2 Features: subscriber-accounting - Per Subscriber Radius Accounting permanent subscriber-authentication - Per Subscriber Radius Authentication permanent subscriber-address-assignment - Radius/SRC Address Pool Assignment permanent subscriber-vlan - Dynamic Auto-sensed Vlan permanent subscriber-ip - Dynamic and Static IP permanent

show system license installed

212

user@host> show system license installed License identifier: XXXXXXXXXX License version: 2 Features: subscriber-accounting - Per Subscriber Radius Accounting permanent subscriber-authentication - Per Subscriber Radius Authentication



permanent subscriber-address-assignment - Radius/SRC Address Pool Assignment permanent subscriber-vlan - Dynamic Auto-sensed Vlan permanent subscriber-ip - Dynamic and Static IP permanent

show system license keys

user@host> show system license keys XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxx

show system license usage

user@host> show system license usage License usage: Licenses Feature name used subscriber-accounting 2 subscriber-authentication 1 subscriber-address-assignment 2 subscriber-vlan 2 subscriber-ip 0 scale-subscriber 2 scale-l2tp 4 scale-mobile-ip 1


Licenses installed 2 2 2 2 2 3 5 2

Licenses needed 0 0 0 0 0 0 0 0

Expiry permanent permanent permanent permanent permanent permanent permanent permanent

213

®


show system snapshot Syntax Syntax (EX Series Switches)

Release Information

Description

show system snapshot show system snapshot

Command introduced in Junos OS Release 7.6. Command introduced in Junos OS Release 10.0 for EX Series switches. Display information about the backup software: •

On the routers, display information about the backup software, which is located in the /altroot, and /altconfig file systems or on the alternate media.

•

On the switches, display information about the backup of the root fie system /, /config directory, and /var directory, which are located either on an external USB flash drive or in internal flash memory.

NOTE: To back up software, use the request system snapshot command.

Options

none—Display information about the backup software. all-members | local | member member-id—(EX4200 switch and EX4200, EX4500, and

EX8200 Virtual Chassis only) (Optional) Display the snapshot in a Virtual Chassis: •

all-members—Display the snapshot for all members of the Virtual Chassis.

•

local—Display the snapshot on the member of the Virtual Chassis that you are

currently logged into. •

member member-id—Display the snapshot for the specified member of the Virtual

Chassis. media (external | internal)—(EX Series switch only) (Optional) Display the destination

media location for the snapshot. The external option specifies the snapshot on an external mass storage device, such as a USB flash drive. The internal option specifies the snapshot on an internal memory source, such as internal flash memory. If no additional options are specified, the command displays the snapshot stored in both slices. slice (1 | 2 | alternate)—(EX Series switch only) Display the snapshot in a specific partition: •

1—Display the snapshot in partition 1.

•

2—Display the snapshot in partition 2.

•

alternate—Display the snapshot in the alternate partition, which is the partition

that did not boot the switch at the last bootup.

214



Required Privilege Level Related Documentation List of Sample Output

Output Fields

view

•

request system snapshot on page 175

show system snapshot (Router) on page 215 show system snapshot media external (Switch) on page 215 show system snapshot media internal (Switch) on page 215 show system snapshot media internal slice 2 (Switch) on page 216 Table 48 on page 215 lists the output fields for the show system snapshot command. Output fields are listed in the approximate order in which they appear.

Table 48: show system snapshot Output Fields Field Name

Field Description

Creation date

Date and time of the last snapshot.

JUNOS version on snapshot

Junos OS release number of individual software packages.

Sample Output show system snapshot (Router)

user@host> show system snapshot Information for snapshot on hard-disk Creation date: Oct 5 13:53:29 2005 JUNOS version on snapshot: jbase : 7.3R2.5 jcrypto: 7.3R2.5 jdocs : 7.3R2.5 jkernel: 7.3R2.5 jpfe : M40-7.3R2.5 jroute : 7.3R2.5

show system snapshot media external (Switch)

user@switch> show system snapshot media external Information for snapshot on external (da1s1) Creation date: Oct 13 20:23:23 2009 JUNOS version on snapshot: jbase : 10.0I20090726_0011_user jcrypto-ex: 10.0I20090726_0011_user jdocs-ex: 10.0I20090726_0011_user jkernel-ex: 10.0I20090726_0011_user jroute-ex: 10.0I20090726_0011_user jswitch-ex: 10.0I20090726_0011_user jweb-ex: 10.0I20090726_0011_user jpfe-ex42x: 10.0I20090726_0011_user

show system snapshot media internal (Switch)

user@switch> show system snapshot media internal Information for snapshot on internal (/dev/da0s1a) (backup) Creation date: Mar 14 05:01:02 2011 JUNOS version on snapshot: jbase : 11.1R1.9 jcrypto-ex: 11.1R1.9 jdocs-ex: 11.1R1.9


215

®


jkernel-ex: 11.1R1.9 jroute-ex: 11.1R1.9 jswitch-ex: 11.1R1.9 jweb-ex: 11.1R1.9 jpfe-ex42x: 11.1R1.9 Information for snapshot on internal (/dev/da0s2a) (primary) Creation date: Mar 30 08:46:27 2011 JUNOS version on snapshot: jbase : 11.2-20110330.0 jcrypto-ex: 11.2-20110330.0 jdocs-ex: 11.2-20110330.0 jkernel-ex: 11.2-20110330.0 jroute-ex: 11.2-20110330.0 jswitch-ex: 11.2-20110330.0 jweb-ex: 11.2-20110330.0 jpfe-ex42x: 11.2-20110330.0

show system snapshot media internal slice 2 (Switch)

216

user@switch> show system snapshot media internal slice 2 Information for snapshot on internal (/dev/da0s2a) (primary) Creation date: Mar 30 08:46:27 2011 JUNOS version on snapshot: jbase : 11.2-20110330.0 jcrypto-ex: 11.2-20110330.0 jdocs-ex: 11.2-20110330.0 jkernel-ex: 11.2-20110330.0 jroute-ex: 11.2-20110330.0 jswitch-ex: 11.2-20110330.0 jweb-ex: 11.2-20110330.0 jpfe-ex42x: 11.2-20110330.0



show system storage partitions (EX Series Switches Only) Syntax

Release Information Description Options

show system storage partitions

Command introduced in Junos OS Release 11.1 for EX Series switches. Display information about the disk partitions on EX Series switches. none—Display partition information. all-members—(Virtual Chassis systems only) (Optional) Display partition information

for all members of the Virtual Chassis. local—(Virtual Chassis systems only) (Optional) Display partition information for the

local Virtual Chassis member. member member-id—(Virtual Chassis systems only) (Optional) Display partition

information for the specified member of the Virtual Chassis configuration. Required Privilege Level Related Documentation List of Sample Output Output Fields

view

•


show system storage partitions on page 218 Table 49 on page 217 describes the output fields for the show system storage partitions command. Output fields are listed in the approximate order in which they appear.

Table 49: show system storage partitions Output Fields Field Name

Field Description

Boot Media

Media (internal or external) from which the switch was booted.

Active Partition

Name of the active root partition.

Backup Partition

Name of the backup (alternate) root partition.

Currently booted from

Partition from which the switch was last booted.

Partitions information

Information about partitions on the boot media:


•

Partition—Partition identifier.

•

Size—Size of partition.

•

Mountpoint—Directory on which the partition is mounted.

217

®


Sample Output show system storage partitions

user@switch> show system storage partitions fpc0: -------------------------------------------------------------------------Boot Media: internal (da0) Active Partition: da0s1a Backup Partition: da0s2a Currently booted from: active (da0s1a) Partitions information: Partition Size Mountpoint s1a 184M / s2a 184M altroot s3d 369M /var/tmp s3e 123M /var s4d 62M /config s4e unused (backup config)

218


PART 4

User Interfaces •

User Interfaces Overview on page 221

•

Using the Configuration Tools on page 229

•

Operational Commands for User Interfaces on page 231


219

®


220


CHAPTER 11

User Interfaces Overview •

User Interfaces—Overview on page 221

User Interfaces—Overview •

CLI User Interface Overview on page 221

•

J-Web User Interface for EX Series Switches Overview on page 223

•

Understanding J-Web Configuration Tools on page 225

•

Understanding J-Web User Interface Sessions on page 227

CLI User Interface Overview You can use two interfaces to monitor, configure, troubleshoot, and manage a Juniper Networks EX Series Ethernet Switch: the J-Web graphical user interface and the Junos operating system (Junos OS) command-line interface (CLI). Both of these user interfaces are shipped with the switch. This topic describes the CLI. For information about the J-Web user interface, see “J-Web User Interface for EX Series Switches Overview” on page 223. •

CLI Overview on page 221

•

CLI Help and Command Completion on page 221

•

CLI Command Modes on page 222

CLI Overview Junos operating system (Junos OS) CLI is a Juniper Networks specific command shell that runs on top of a UNIX-based operating system kernel. The CLI provides command help and command completion. The CLI also provides a variety of UNIX utilities, such as Emacs-style keyboard sequences that allow you to move around on a command line and scroll through recently executed commands, regular expression matching to locate and replace values and identifiers in a configuration, filter command output, or log file entries, store and archive router files on a UNIX-based file system, and exit from the CLI environment and create a UNIX C shell or Bourne shell to navigate the file system, manage switch processes, and so on.

CLI Help and Command Completion To access CLI Help, type a question mark (?) at any level of the hierarchy. The system displays a list of the available commands or statements and a short description of each.


221

®


To complete a command, statement, or option that you have partially typed, press the Tab key or the Spacebar. If the partially typed letters uniquely identify a command, the complete command name appears. Otherwise, a beep indicates that you have entered an ambiguous command and the possible completions are displayed. This completion feature also applies to other strings, such as filenames, interface names, usernames, and configuration statements.

CLI Command Modes The CLI has two modes, operational mode and configuration mode. In operational mode, you enter commands to monitor and troubleshoot switch hardware and software and network connectivity. Operational mode is indicated by the > prompt—for example, user@switch>. In configuration mode, you can define all properties of the Juniper Networks Junos operating system (Junos OS), including interfaces, VLANs, Virtual Chassis information, routing protocols, user access, and several system hardware properties. To enter configuration mode, enter the configure command: . user@switch> configure

Configuration mode is indicated by the # prompt, and includes the current location in the configuration hierarchy—for example: [edit interfaces ge-0/0/12] user@switch#

In configuration mode, you are actually viewing and changing the candidate configuration file. The candidate configuration allows you to make configuration changes without causing operational changes to the current operating configuration, called the active configuration. When you commit the changes you added to the candidate configuration, the system updates the active configuration. Candidate configurations enable you to alter your configuration without causing potential damage to your current network operations. To activate your configuration changes, enter the commit command. To return to operational mode, go to the top of the configuration hierarchy and then quit—for example: [edit interfaces ge-0/0/12] user@switch# top [edit] user@switch# exit

You can also activate your configuration changes and exit configuration mode with a single command, commit and-quit. This command succeeds only if there are no mistakes or syntax errors in the configuration.

TIP: When you commit the candidate configuration, you can require an explicit confirmation for the commit to become permanent by using the commit

222


Chapter 11: User Interfaces Overview

confirmed command. This is useful for verifying that a configuration change

works correctly and does not prevent management access to the switch. After you issue the commit confirmed command, you must issue another commit command within the defined period of time (10 minutes by default) or the system reverts to the previous configuration.


•

EX Series Switch Software Features Overview

•

Junos OS CLI User Guide

J-Web User Interface for EX Series Switches Overview You can use two interfaces to monitor, configure, troubleshoot, and manage a Juniper Networks EX Series Ethernet Switch: the J-Web graphical user interface and the Juniper Networks Junos operating system (Junos OS) command-line interface (CLI). Both of these user interfaces are shipped with the switch. This topic describes the J-Web interface. You can navigate the J-Web interface, scroll pages, and expand and collapse elements as you do in a typical Web browser interface. For information about the CLI user interface, see “CLI User Interface Overview” on page 221. To access the J-Web interface for the switch, your management device requires the following software: •

Supported browsers—Microsoft Internet Explorer version 7.0 and Mozilla Firefox version 3.0

NOTE: Other browser versions might not work on the switch. The browser and the network must support receiving and processing HTTP 1.1 GZIP compressed data.

•

Language support—English-version browsers

•

Supported OS—Microsoft Windows XP Service Pack 3

Each page of the J-Web interface is divided into panes. •

Top pane—Displays system identity information and links.

•

Main pane—Location where you monitor, configure, diagnose (troubleshoot), and manage (maintain) the switch by entering information in text boxes, making selections, and clicking buttons.

•

Side pane—Displays suboptions of the Monitor, Configure, Troubleshoot, or Maintain task currently displayed in the main pane. Click a suboption to access it in the main pane.

The layout of the panes allows you to quickly navigate through the interface. Table 50 on page 224 summarizes the elements of the J-Web interface.


223

®


The J-Web interface provides CLI tools that allow you to perform all of the tasks that you can perform from the Junos OS command-line interface (CLI), including a CLI Viewer to view the current configuration, a CLI Editor for viewing and modifying the configuration, and a Point & Click CLI editor that allows you to click through all of the available CLI statements.

Table 50: J-Web Interface J-Web Interface Element

Description

Main Pane Top Pane Host

The hostname of the switch.

Logged in as: username

The user name you used to log in to the switch.

Commit Options

A set of options using which you can configure committing multiple changes with a single commit. •

Commit—Commits the candidate configuration of the current user session, along with changes from other user sessions.

•

Compare—Displays the XML log of pending configurations on the device.

•

Discard—Discards the candidate configuration of the current user session, along with changes from other user sessions.

•

Preference—Indicates your choice of committing all configurations changes together or committing each configuration change immediately. The two commit options are: •

Commit changes immediately—Sets the system to force an immediate commit on every page after every configuration change.

•

Validate changes until explicit commit—Loads all configuration changes for an accumulated single commit. If there are errors in loading the configuration, the errors are logged. This is the default mode.

NOTE: There are some pages on which configuration changes must be committed immediately. For such pages, if you configure the commit options for a single commit, the system displays warning notifications that remind you to commit your changes immediately. An example for such a page is Switching.

Help

Displays links to information on help and the J-Web interface. •

Help Contents—View context-sensitive help topics.

•

About—Displays information about the J-Web interface, such as the version number.

Logout

Ends your current login session with the switch and returns you to the login page.

Taskbar

Menu of J-Web main options. Click the tab to access an option.

224

•

Dashboard—Displays a high-level, graphical view of the chassis and status of the switch. It displays system health information, alarms, and system status.

•

Configure—Configure the switch, and view configuration history.

•

Monitor—View information about configuration and hardware on the switch.

•

Maintain—Manage files and licenses, upgrade software, and reboot the switch.

•

Troubleshoot—Run diagnostic tools to troubleshoot network issues.



Table 50: J-Web Interface (continued) J-Web Interface Element

Description

Main Pane Help (?) icon

Displays useful information—such as the definition, format, and valid range of an option—when you move the cursor over the question mark.

Red asterisk (*)

Indicates a required field.

Icon legend

(Applies to the Point & Click CLI editor only) Explains icons that appear in the user interface to provide information about configuration statements: •

C—Comment. Move your cursor over the icon to view a comment about the configuration statement.

•

I—Inactive. The configuration statement does not apply for the switch.

•

M—Modified. The configuration statement has been added or modified.

•

*—Mandatory. The configuration statement must have a value.

Task Pane Configuration hierarchy


(Applies to the Junos OS CLI configuration editor only) Displays the hierarchy of committed statements in the switch configuration. •

Click Expand all to display the entire hierarchy.

•

Click Hide all to display only the statements at the top level.

•

Click plus signs (+) to expand individual items.

•

Click minus signs (-) to hide individual items.

•

Using the Commit Options to Commit Configuration Changes (J-Web Procedure) on page 530

•


•


•


•


•


•


Understanding J-Web Configuration Tools The J-Web graphical user interface (GUI) allows you to monitor, configure, troubleshoot, and manage the switching platform by means of a Web browser with Hypertext Transfer Protocol (HTTP) or HTTP over Secure Sockets Layer (HTTPS) enabled. The J-Web interface provides access to all the configuration statements supported by the switch. The J-Web interface provides three methods of configuring the switch: •

Configure menu


225

®


•

Point & Click CLI Editor

•

CLI Editor

Table 51 on page 226 gives a comparison of the three methods of configuration.

Table 51: Switching Platform Configuration Interfaces Tool

Description

Function

Use

Configure menu

Web browser pages for setting up the switch quickly and easily without configuring each statement individually.

Configure basic switch platform services:

Use for basic configuration.

For example, use the Virtual Chassis Configuration page to configure the Virtual Chassis parameters on the switch.

Point & Click CLI editor

Switching

•

Virtual Chassis

•

Security

•

Services

•

System Properties

•

Routing

Configure all switching platform services:

•

•

System parameters

•

User Accounting and Access

•

Interfaces

•

VLAN properties

•

Virtual Chassis properties Secure Access

Expand the entire configuration hierarchy and click a configuration statement to view or edit. The main pane displays all the options for the statement, with a text box for each option. Paste a complete configuration hierarchy into a scrollable text box, or edit individual lines.

•

Upload or download a complete configuration.

•

•

Roll back to a previous configuration.

•

Services

•

Create or delete a rescue configuration.

•

Routing protocols

Interface in which you do any of the following:

Configure all switching platform services:

•

Type commands on a line and press Enter to create a hierarchy of configuration statements.

•

System parameters

•

Create an ASCII text file that contains the statement hierarchy.

•

User Accounting and Access

•

Interfaces

Upload a complete configuration, or roll back to a previous configuration.

•

VLAN properties

•

Virtual Chassis properties

•

Secure Access

•

Services

•

Routing protocols

•

•

Create or delete a rescue configuration.


226

Interfaces

•

Web browser pages divided into panes in which you can do any of the following:

•

CLI editor

•

Use for complete configuration if you are not familiar with the Junos OS CLI or prefer a graphical interface.

Use for complete configuration if you know the Junos OS CLI or prefer a command interface.

•


•


•


•

Configuration Files Terms on page 498



Understanding J-Web User Interface Sessions You establish a J-Web session with the switch through an HTTP-enabled or HTTPS-enabled Web browser. The HTTPS protocol, which uses 128-bit encryption, is available only in domestic versions of the Juniper Networks Junos operating system (Junos OS). To use HTTPS, you must have installed a certificate on the switch and enabled HTTPS. See “Generating SSL Certificates to Be Used for Secure Web Access” on page 600. When you attempt to log in through the J-Web interface, the switch authenticates your username with the same methods used for Telnet and SSH. If the switch does not detect any activity through the J-Web interface for 15 minutes, the session times out and is terminated. You must log in again to begin a new session. To explicitly terminate a J-Web session at any time, click Logout in the top pane. Related Documentation

•


•

Configuring Management Access for the EX Series Switch (J-Web Procedure) on page 597


227

®


228


CHAPTER 12

Using the Configuration Tools •

Using the CLI Terminal on page 229

•

Starting the J-Web Interface on page 230

Using the CLI Terminal The J-Web CLI terminal provides access to the Junos OS command-line interface (CLI) through the J-Web interface. The functionality and behavior of the CLI available through the CLI terminal page is the same as that of the Junos OS CLI available through the switch console. The CLI terminal supports all CLI commands and other features such as CLI help and autocompletion. Using the CLI terminal page you can fully configure, monitor, and manage the switch. •

Before you can use the CLI terminal, you must configure the domain name and hostname of the switch. See “Configuring System Identity for an EX Series Switch (J-Web Procedure)” on page 265 for more information.

•

To access the CLI through the J-Web interface, your management device requires the following features: •

SSH access—Enable Secure shell (SSH) on your system. SSH provides a secured method of logging in to the switch, to encrypt traffic so that it is not intercepted. If SSH is not enabled on the system, the CLI terminal page displays an error.

•

Java applet support—Make sure that your Web browser supports Java applets.

•

JRE installed on the client—Install Java Runtime Environment (JRE) version 1.4 or later on your system. JRE is a software package that must be installed on a system to run Java applications. Download the latest JRE version from the Java Software website http://www.java.com/. Installing JRE installs Java plug-ins, which once installed, load automatically and transparently to render Java applets.

NOTE: The CLI terminal is supported on JRE version 1.4 and later only.

To access the CLI terminal, select Troubleshoot >CLI Terminal. Related Documentation

•



229

®


•


Starting the J-Web Interface You can use the J-Web graphical interface to configure and manage the EX Series switch. To start the J-Web interface: 1.

Launch your HTTP-enabled or HTTPS-enabled Web browser. To use HTTPS, you must have installed a certificate on the switch and enabled HTTPS.

2. After http:// or https:// in your Web browser, type the hostname or IP address of the

switch and press Enter. The J-Web login page appears. 3. On the login page, type your username and password, and click Log In.

To correct or change the username or password you typed, click Reset, type the new entry or entries, and click Log In.

NOTE: The default username is root with no password. You must change this during initial configuration or the system does not accept the configuration.

The Chassis Dashboard information page appears. To explicitly terminate a J-Web session at any time, click Logout in the top pane. Related Documentation

230

•


•

Dashboard for EX Series Switches on page 836


CHAPTER 13

Operational Commands for User Interfaces


231

®


set cli complete-on-space Syntax Release Information

Description

Options

set cli complete-on-space (off | on)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set the command-line interface (CLI) to complete a partial command entry when you type a space or a tab. This is the default behavior of the CLI. off—Turn off command completion. on—Allow either a space or a tab to be used for command completion.



view

•

CLI User Interface Overview

•

show cli on page 241

set cli complete-on-space on page 232 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli complete-on-space

In the following example, pressing the Spacebar changes the partial command entry from com to complete-on-space. The example shows how adding the keyword off at the end of the command disables command completion. user@host> set cli com user@host>set cli complete-on-space off Disabling complete-on-space

232


Chapter 13: Operational Commands for User Interfaces

set cli directory Syntax Release Information

Description Options Required Privilege Level Related Documentation


set cli directory directory

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set the current working directory. directory—Pathname of the working directory.

view

•


•

show cli directory on page 246

set cli directory on page 233 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli directory

user@host> set cli directory /var/home/regress Current directory: /var/home/regress


233

®


set cli idle-timeout Syntax

Release Information

set cli idle-timeout


Description

Set the maximum time that an individual session can be idle before the user is logged off the router or switch.

Options

minutes—(Optional) Maximum idle time. The range of values, in minutes, is 0 through

100,000. If you do not issue this command, and the user’s login class does not specify this value, the user is never forced off the system after extended idle times. Setting the value to 0 disables the timeout. Required Privilege Level Related Documentation


view

•


•


set cli idle-timeout on page 234 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli idle-timeout

234

user@host> set cli idle-timeout 60 Idle timeout set to 60 minutes



set cli prompt Syntax Release Information

Description Options

set cli prompt string

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set the prompt so that it is displayed within the CLI. string—CLI prompt string. To include spaces in the prompt, enclose the string in quotation

marks. By default, the string is username@hostname. Required Privilege Level Related Documentation


view

•


•


set cli prompt on page 235 When you enter this command, the new CLI prompt is displayed.

Sample Output set cli prompt

user@host> set cli prompt lab1-router> lab1-router>


235

®


set cli restart-on-upgrade Syntax Release Information

Description

Options

set cli restart-on-upgrade string (off | on)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. For an individual session, set the CLI to prompt you to restart the router or switch after upgrading the software. off—Disables the prompt. on—Enables the prompt.



view

•


•


set cli restart-on-upgrade on page 236 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli restart-on-upgrade

236

user@host> set cli restart-on-upgrade on Enabling restart-on-upgrade



set cli screen-length Syntax Release Information

Description Options

set cli screen-length length

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set terminal screen length. length—Number of lines of text that the terminal screen displays (0 through 10,000).

The default is 24. Additional Information



The point at which the ---(more)--- prompt appears on the screen is a function of this setting and the settings for the set cli screen-width and set cli terminal commands. view

•


•

set cli screen-width on page 238

•

set cli terminal on page 239

•


set cli screen-length on page 237 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli screen-length

user@host> set cli screen-length 75 Screen length set to 75


237

®


set cli screen-width Syntax Release Information

Description Options Additional Information



set cli screen-width width

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set the terminal screen width. width—Number of characters (0 through 1024) in a line. The default is 80.

The point at which the ---(more)--- prompt appears on the screen is a function of this setting and the settings for the set cli screen-length and set cli terminal commands. view

•


•

set cli screen-length on page 237

•

set cli terminal on page 239

•


set cli screen-width on page 238 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli screen-width

238

user@host> set cli screen-width Screen width set to 132



set cli terminal Syntax Release Information

Description Options



set cli terminal terminal-type

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set the terminal type. terminal-type—Type of terminal that is connected to the Ethernet management port: •

ansi—ANSI-compatible terminal (80 characters by 24 lines)

•

small-xterm—Small xterm window (80 characters by 24 lines)

•

vt100—VT100-compatible terminal (80 characters by 24 lines)

•

xterm—Large xterm window (80 characters by 65 lines)

view

•


•

set cli screen-length on page 237

•

set cli screen-width on page 238

•


set cli terminal on page 239 This command provides no output.

Sample Output set cli terminal

user@host> set cli terminal xterm


239

®


set cli timestamp Syntax Release Information

Description Options

set cli timestamp (format timestamp-format | disable)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Set a timestamp for CLI output. format timestamp-format—Set the date and time format for the timestamp. The

timestamp format you specify can include the following placeholders in any order: •

%m—Two-digit month

•

%d—Two-digit date

•

%T—Six-digit hour, minute, and seconds

disable—Remove the timestamp from the CLI.



view

•


•


set cli timestamp on page 240 When you enter this command, you are provided feedback on the status of your request.

Sample Output set cli timestamp

240

user@host> set cli timestamp format '%m-%d-%T' '04-21-17:39:13' CLI timestamp set to: '%m-%d-%T'



show cli Syntax

show cli

Syntax (QFX Series)

show cli

Release Information


Description

Display configured CLI settings.

Options


Required Privilege Level List of Sample Output Output Fields

view

show cli on page 242 Table 52 on page 241 lists the output fields for the show cli command. Output fields are listed in the approximate order in which they appear.

Table 52: show cli Output Fields Field Name

Field Description

CLI complete-on-space

Capability to complete a partial command entry when you type a space or a tab: on or off.

CLI idle-timeout

Maximum time that an individual session can be idle before the user is logged out from the router or switch. When this feature is enabled, the number of minutes is displayed. Otherwise, the state is disabled.

CLI restart-on-upgrade

CLI is set to prompt you to restart the router or switch after upgrading the software: on or off.

CLI screen-length

Number of lines of text that the terminal screen displays.

CLI screen-width

Number of characters in a line on the terminal screen.

CLI terminal

Terminal type.

CLI is operating in

Mode: enhanced.

CLI timestamp

Date and time format for the timestamp. If the timestamp is not set, the state is disabled.

CLI working directory

Pathname of the working directory.


241

®


Sample Output show cli

242

user@host> show cli CLI complete-on-space set to on CLI idle-timeout disabled CLI restart-on-upgrade set to on CLI screen-length set to 47 CLI screen-width set to 132 CLI terminal is 'vt100' CLI is operating in enhanced mode CLI timestamp disabled CLI working directory is '/var/home/regress'



show cli authorization Syntax Release Information

Description Options Required Privilege Level List of Sample Output Output Fields

show cli authorization

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the permissions for the current user. This command has no options. view

show cli authorization on page 245 Table 53 on page 243 lists the output fields for the show cli authorization command. In the table, all possible permissions are displayed and output fields are listed in alphabetical order.

Table 53: show cli authorization Output Fields Field Name

Field Description

access

Can view access configuration information.

access-control

Can modify access configuration.

admin

Can view user account information.

admin-control

Can modify user account information.

clear

Can clear learned network information.

configure

Can enter configuration mode.

control

Can modify any configuration.

edit

Can edit configuration files.

field

Reserved for field (debugging) support.

firewall

Can view firewall configuration information.

firewall-control

Can modify firewall configuration information.

floppy

Can read from and write to removable media.

flow-tap

Can view flow-tap configuration information.


243

®


Table 53: show cli authorization Output Fields (continued)

244

Field Name

Field Description

flow-tap-control

Can configure flow-tap configuration information.

idp-profiler-operation

Can configure Profiler data.

interface

Can view interface configuration information.

interface-control

Can modify interface configuration information.

maintenance

Can perform system maintenance.

network

Can access the network by entering the ping, ssh, telnet, and traceroute commands.

pgcp-session-mirroring

Can view Packet Gateway Control Protocol session mirroring configuration.

pgcp-session-mirroring-control

Can modify Packet Gateway Control Protocol session mirroring configuration all-control.

reset

Can reset or restart interfaces and system processes.

rollback

Can roll back to previous configurations.

routing

Can view routing configuration information.

routing-control

Can modify routing configuration information.

secret

Can view passwords and authentication keys in the configuration.

secret-control

Can modify passwords and authentication keys in the configuration.

security

Can view security configuration information.

security-control

Can modify security configuration information.

shell

Can start a local shell.

snmp

Can view SNMP configuration information.

snmp-control

Can modify SNMP configuration information.

system

Can view system configuration information.

system-control

Can modify system configuration information.

trace

Can view trace file settings information.



Table 53: show cli authorization Output Fields (continued) Field Name

Field Description

trace-control

Can modify trace file settings information.

view

Can view current values and statistics.

view-configuration

Can view all configuration information (not including secrets).

Sample Output show cli authorization

user@host> show cli authorization Current user: 'remote' login: 'user' class '' Permissions: admin -- Can view user accounts admin-control-- Can modify user accounts clear -- Can clear learned network information configure -- Can enter configuration mode control -- Can modify any configuration edit -- Can edit full files field -- Special for field (debug) support floppy -- Can read and write from the floppy interface -- Can view interface configuration interface-control-- Can modify interface configuration network -- Can access the network reset -- Can reset/restart interfaces and daemons routing -- Can view routing configuration routing-control-- Can modify routing configuration shell -- Can start a local shell snmp -- Can view SNMP configuration snmp-control-- Can modify SNMP configuration system -- Can view system configuration system-control-- Can modify system configuration trace -- Can view trace file settings trace-control-- Can modify trace file settings view -- Can view current values and statistics maintenance -- Can become the super-user firewall -- Can view firewall configuration firewall-control-- Can modify firewall configuration secret -- Can view secret configuration secret-control-- Can modify secret configuration rollback -- Can rollback to previous configurations security -- Can view security configuration security-control-- Can modify security configuration access -- Can view access configuration access-control-- Can modify access configuration view-configuration-- Can view all configuration (not including secrets) flow-tap -- Can view flow-tap configuration flow-tap-control-- Can configure flow-tap service Individual command authorization: Allow regular expression: none Deny regular expression: none Allow configuration regular expression: none Deny configuration regular expression: none


245

®


show cli directory Syntax Release Information


show cli directory

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the current working directory. This command has no options. view

show cli directory on page 246 Table 54 on page 246 lists the output fields for the show cli directory command. Output fields are listed in the approximate order in which they appear.

Table 54: show cli directory Output Fields Field Name

Field Description

Current directory

Pathname of the current working directory.

Sample Output show cli directory

246

user@host> show cli directory Current directory: /var/home/regress



show cli history Syntax

Release Information

Description Options

show cli history

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display a list of previous CLI commands. none—Display all previous CLI commands. count—(Optional) Maximum number of commands to display.


view

show cli history on page 247 Table 55 on page 247 lists the output fields for the show cli history command. Output fields are listed in the approximate order in which they appear.

Table 55: show cli history Output Fields Field Name

Field Description

timestamp

Time at which the command was entered.

command-syntax

Command that was entered.

Sample Output show cli history

user@host> 11:14:14 11:22:10 11:27:12


show cli history -- show arp -- show cli authorization -- show cli history

247

®


start shell Syntax

Release Information

Description

start shell (csh | sh)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Exit from the CLI environment and create a UNIX-level shell. To return to the CLI, type exit from the shell.

NOTE:

Options

•

To issue this command, the user must have the required login access privileges configured by including the permissions statement at the [edit system login class class-name] hierarchy level.

•

UNIX wheel group membership or permissions are no longer required to issue this command.

csh—Create a UNIX C shell. sh—Create a UNIX Bourne shell. user username—(Optional) Start the shell as another user.


When you are in the shell, the shell prompt has the following format: username@hostname%

An example of the prompt is: root@host%


shell and maintenance

start shell csh on page 248 When you enter this command, you are provided feedback on the status of your request.

Sample Output start shell csh

user@host> start shell csh % exit % username@hostname% start shell sh

248



% exit user@host>


249

®


250


PART 5

Junos OS for EX Series Switches System Setup •

System Setup Overview on page 253

•

Initial Configuration on page 257

•

Configuration Statements for System Setup on page 269

•

Operational Commands for System Setup on page 309


251

®


252


CHAPTER 14

System Setup Overview •

Junos OS—Overview on page 253

Junos OS—Overview •




•




•




253

®


•


•




Name

Description

Chassis process

chassisd



eswd


Forwarding process

pfem


Interface process

dcd


Management process

mgd


254


Chapter 14: System Setup Overview

Table 56: Junos OS Processes (continued) Process

Name

Description


rpd



•


•



255

®


256


CHAPTER 15

Initial Configuration •


•


•


•

Configuring Date and Time for the EX Series Switch (J-Web Procedure) on page 264

•

Configuring System Identity for an EX Series Switch (J-Web Procedure) on page 265

•

Configuring the Console Port Type (CLI Procedure) on page 266

Connecting and Configuring an EX Series Switch (CLI Procedure) There are two ways to connect and configure an EX Series switch: one method is through the console using the command-line interface (CLI) and the other is using the J-Web interface.

NOTE: EX2200-24T-4G-DC switches do not support switch connection and configuration through the J-Web interface.

This topic describes the CLI procedure.

NOTE: To run the ezsetup script, the switch must have the factory default configuration as the active configuration. If you have configured anything on the switch and want to run ezsetup, revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

Before you begin connecting and configuring an EX Series switch through the console using the CLI: •

Set the following parameter values in the console server or PC: •

Baud rate—9600

•

Flow control—None

•

Data—8


257

®


•

Parity—None

•

Stop bits—1

•

DCD state—Disregard

To connect and configure the switch from the console using the CLI: 1.

Connect the console port to a laptop or PC using the RJ-45 to DB-9 serial port adapter. The RJ-45 cable and RJ-45 to DB-9 serial port adapter are supplied with the switch. For the location of the console port on different EX Series switches: •

See “EX2200 Switches Hardware Overview” on page 41.

•

See Rear Panel of an EX3200 Switch.

•


•


•

See Front Panel of an EX4500 Switch.

•

See Switch Fabric and Routing Engine (SRE) Module in an EX6200 Switch.

•

See Switch Fabric and Routing Engine (SRE) Module in an EX8208 Switch.

•

See Routing Engine (RE) Module in an EX8216 Switch.

NOTE: In EX2200-C switch models, you can also use Mini-USB Type-B console port to connect to a laptop or PC. See Connecting an EX Series Switch to a Management Console.

2. At the Junos OS shell prompt root%, type ezsetup. 3. Enter the hostname. This is optional. 4. Enter the root password you plan to use for this device. You are prompted to re-enter

the root password. 5. Enter yes to enable services like Telnet and SSH. By default, Telnet is not enabled and

SSH is enabled.

NOTE: When Telnet is enabled, you will not be able to log in to an EX Series switch through Telnet using root credentials. Root login is allowed only for SSH access.

6. Use the Management Options page to select the management scenario:

NOTE: On EX4500, EX6200, and EX8200 switches, only the out-of-band management option is available.

258


Chapter 15: Initial Configuration

•

•

Configure in-band management. In this scenario you have the following two options: •

Use the default VLAN.

•

Create a new VLAN—If you select this option, you are prompted to specify the VLAN name, VLAN ID, management IP address, and default gateway. Select the ports that must be part of this VLAN.

Configure out-of-band management. Specify the IP address and gateway of the

management interface. Use this IP address to connect to the switch. 7. Specify the SNMP Read Community, Location, and Contact to configure SNMP

parameters. These parameters are optional. 8. Specify the system date and time. Select the time zone from the list. These options

are optional. 9. The configured parameters are displayed. Enter yes to commit the configuration. The

configuration is committed as the active configuration for the switch. 10. (For EX4500 switches only) Enter the request chassis pic-mode intraconnect

operational mode command to set the PIC mode to intraconnect. You can now log in with the CLI or the J-Web interface to continue configuring the switch. If you use the J-Web interface to continue configuring the switch, the Web session is redirected to the new management IP address. If the connection cannot be made, the J-Web interface displays instructions for starting a J-Web session. Related Documentation

•


•

Installing and Connecting an EX2200 Switch

•


•


•


•


•


•


•


Connecting and Configuring an EX Series Switch (J-Web Procedure) There are two ways to connect and configure an EX Series switch: one method is through the console using the command-line interface (CLI) and the other is using the J-Web interface.

NOTE: EX2200-24T-4G-DC switches do not support switch connection and configuration through J-Web procedure.


259

®


This topic describes the J-Web procedure.

NOTE: Before you begin the configuration, enable a DHCP client on the management PC you will connect to the switch so that the PC can obtain an IP address dynamically.

NOTE: Read the following steps before you begin the configuration. You must complete the initial configuration using EZSetup within 10 minutes. The switch exits EZSetup after 10 minutes and reverts to the factory default configuration, and the PC loses connectivity to the switch. •

EX2200 and EX2200-C switch—The LEDs on the network ports on the front panel blink when the switch is in the initial setup mode.

•

EX3200, EX3300, EX4200, EX4500, EX6200, or EX8200 switch—The LCD panel displays a count-down timer when the switch is in initial setup mode.

To connect and configure the switch using the J-Web interface: 1.

Transition the switch into initial setup mode: •

EX2200 and EX2200-C switch—Press the mode button located on the lower right corner of the front panel for 10 seconds.

•

EX3200, EX3300, EX4200, EX4500, EX6200, or EX8200 switch—Use the Menu and Enter buttons located to the right of the LCD panel (see Figure 16 on page 260):

Figure 16: LCD Panel in an EX3200, EX4200, EX4500, or EX8200 Switch

1.

Press the Menu button until you see MAINTENANCE MENU. Then press the Enter button.

2. Press Menu until you see ENTER EZSetup. Then press Enter.

If EZSetup does not appear as an option in the menu, select Factory Default to return the switch to the factory default configuration. EZSetup is displayed in the menu of standalone switches only when a switch is set to the factory default configuration. 3. Press Enter to confirm setup and continue with EZSetup. 2. Connect the Ethernet cable from the Ethernet port on the PC to the switch.

260



•

EX2200, EX3200, or EX4200 switch—Connect the cable to port 0 (ge-0/0/0) on the front panel of the switch.

•

EX3300 and EX4500 switch—Connect the cable to the port labeled MGMT on the front panel of the switch.

•

EX6210 switch—Connect the cable to one of the ports labeled MGMT on the Switch Fabric and Routing Engine (SRE) module in slot 4 or 5 in an EX6210 switch.

•

EX8200 switch—Connect the cable to the port labeled MGMT on the Switch Fabric and Routing Engine (SRE) module in slot SRE0 in an EX8208 switch or on the Routing Engine (RE) module in slot RE0 in an EX8216 switch.

These ports are configured as the DHCP server with the default IP address, 192.168.1.1. The switch can assign an IP address to the management PC in the IP address range 192.168.1.2 through 192.168.1.253. 3. From the PC, open a Web browser, type http://192.168.1.1 in the address field, and

press Enter. 4. On the J-Web login page, type root as the username, leave the password field blank,

and click Login. 5. On the Introduction page, click Next. 6. On the Basic Settings page, modify the hostname, the root password, and date and

time settings: •

Enter the hostname. This is optional.

•

Enter a password and reenter the password.

•

Specify the time zone.

•

Synchronize the date and time settings of the switch with the management PC or set them manually by selecting the appropriate option button. This is optional.

Click Next. 7. Use the Management Options page to select the management scenario:

NOTE: On EX4500, EX6210, and EX8200 switches, only the out-of-band management option is available.

•

In-band Management—Use VLAN 'default' for management. Select this option to configure all data interfaces as members of the default VLAN. Click Next. Specify the management IP address and the default gateway for the default VLAN.

•

In-band Management—Create new VLAN for management. Select this option to create a management VLAN. Click Next. Specify the VLAN name, VLAN ID, member interfaces, management IP address, and default gateway for the new VLAN.


261

®


•

Out-of-band Management—Configure management port. Select this option to configure only the management interface. Click Next. Specify the IP address and default gateway for the management interface.

8. Click Next. 9. On the Manage Access page, you can select options to enable Telnet, SSH, and SNMP

services. For SNMP, you can configure the read community, location, and contact. 10. Click Next. The Summary screen displays the configured settings. 11. Click Finish. The configuration is committed as the active switch configuration.

NOTE: After the configuration is committed, the connectivity between the PC and the switch might be lost. To renew the connection, release and renew the IP address by executing the appropriate commands on the management PC or by removing and reinserting the Ethernet cable.

12. (For EX4500 switches only) In the CLI, enter the request chassis pic-mode intraconnect

operational mode command to set the PIC mode to intraconnect. You can now log in using the CLI or the J-Web interface to continue configuring the switch. If you use the J-Web interface to continue configuring the switch, the Web session is redirected to the new management IP address. If the connection cannot be made, the J-Web interface displays instructions for starting a J-Web session. Related Documentation

•


•


•


•


•


•


•


•


•


Configuring the LCD Panel on EX Series Switches (CLI Procedure) This topic applies to hardware devices in the EX Series product family, which includes switches and the XRE200 External Routing Engine, that support the LCD panel interface. The LCD panel on the front panel of EX Series switches displays a variety of information about the switch in the Status menu and provides the Maintenance menu to allow you to perform basic operations such as initial setup and reboot. You can disable these menus

262



or individual menu options if you do not want switch users to use them. You can also set a custom message that will be displayed on the panel. This topic describes: •

Disabling or Enabling Menus and Menu Options on the LCD Panel on page 263

•

Configuring a Custom Display Message on page 263

Disabling or Enabling Menus and Menu Options on the LCD Panel By default, the Maintenance menu, the Status menu, and the options in those menus in the LCD panel are enabled. Users can configure and troubleshoot the switch using the Maintenance menu and view certain details about the switch using the Status menu. If you do not want users to be able to use those menus or use some of the menu options, you can disable the menus or individual menu options. You can re-enable the menus or menu options. Issue the show chassis lcd operational mode command to see which menus and menu options are currently enabled.

NOTE: On some platforms you must specify an FPC slot number in these commands. See the lcd-menu statement for details.

To disable a menu: [edit] user@switch# set chassis lcd-menu menu-item menu-name disable

To enable a menu: [edit] user@switch# delete chassis lcd-menu menu-item menu-name disable

To disable a menu option: [edit] user@switch# set chassis lcd-menu menu-item menu-option disable

To enable a menu option: [edit] user@switch# delete chassis lcd-menu menu-item menu-option disable

Configuring a Custom Display Message You can configure the second line of the LCD to display a custom message temporarily for 5 minutes or permanently. To display a custom message temporarily: •

On an EX3200 switch, a standalone EX3300 switch, a standalone EX4200 switch, a standalone EX4500 switch, an EX8200 switch, or an XRE200 External Routing Engine: user@switch> set chassis display message message

•

On an EX3300, EX4200, or EX4500 switch in a Virtual Chassis configuration:


263

®


user@switch> set chassis display message message fpc-slot slot-number

To display a custom message permanently: •

On an EX3200 switch, a standalone EX3300 switch, a standalone EX4200 switch, a standalone EX4500 switch, an EX8200 switch, or an XRE200 External Routing Engine: user@switch> set chassis display message message permanent

•

On an EX3300, EX4200, or EX4500 switch in a Virtual Chassis configuration: user@switch> set chassis display message message fpc-slot slot-number permanent

NOTE: The buttons on the LCD panel are disabled when the LCD is configured to display a custom message.

To disable the display of the custom message: user@switch> clear chassis display message

You can view the custom message by issuing the command show chassis lcd. Related Documentation

•

LCD Panel in EX3200 Switches

•


•


•


•

LCD Panel in an EX6200 Switch

•


•

LCD Panel in an XRE200 External Routing Engine

Configuring Date and Time for the EX Series Switch (J-Web Procedure) To configure date and time on an EX Series switch: 1.

Select Configure > System Properties > Date & Time.

2. To modify the information, click Edit. Enter information into the Edit Date & Time page

as described in Table 57 on page 265. 3. Click one: •

To apply the configuration, click OK.

•

To cancel your entries and return to the System Properties page, click Cancel.

NOTE: After you make changes to the configuration in this page, you must commit the changes for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes for details about all commit options.

264



Table 57: Date and Time Settings Time

Function

Your Action

Time Zone

Identifies the timezone that the switching platform is located in.

Select the appropriate time zone from the list.

Set Time

Synchronizes the system time with that of the NTP server. You can also manually set the system time and date.

To immediately set the time, click one:


•

•

Synchronize with PC time—The switch synchronizes the time with that of the PC.

•

NTP Servers—The switch sends a request to the NTP server and synchronizes the system time.

•

Manual—A pop-up window allows you to select the current date and time from a list.


Configuring System Identity for an EX Series Switch (J-Web Procedure) To configure identification details for an EX Series switch: 1.

Select Configure > System Properties > System Identity. The System Identity page displays configuration details.

2. To modify the configuration, click Edit. Enter information into the System Identity

page as described in Table 58 on page 265.


Table 58: System Identity Configuration Summary Field

Function

Your Action

Host Name

Defines the hostname of the switching platform.

Type the hostname.

Domain Name

Defines the network or subnetwork that the machine belongs to.

Type the domain name.


265

®


Table 58: System Identity Configuration Summary (continued) Field

Function

Your Action

Root Password

Sets the root password that user root can use to log in to the switching platform.

Type a plain-text password. The system encrypts the password. NOTE: After a root password has been defined, it is required when you log in to the J-Web user interface or the CLI.

Confirm Root Password

Verifies that the root password has been typed correctly.

Retype the password.

DNS Name Servers

Specifies a DNS server for the switching platform to use to resolve hostnames into addresses.

To add an IP address, click Add. To edit an IP address, click Edit. To delete an IP address, click Delete.

Domain Search

Specifies the domains to be searched.

To add a domain, click Add. To edit a domain click Edit. To delete a domain, click Delete.


•

Configuring Date and Time for the EX Series Switch (J-Web Procedure) on page 264

Configuring the Console Port Type (CLI Procedure) EX2200-C switches provide two console ports: an RJ-45 console port that accepts a cable with an RJ-45 connector and a Mini USB Type-B console port that accepts a cable with a Mini-B plug (5-pin) connector. You can choose to use either connection, but only one connection can be active at a time. By default, the RJ-45 console port is the active port and the Mini USB Type-B console port is the passive. That is, to make a connection on the RJ-45 console port you need not configure it as the active port while to make a connection to the Mini USB Type-B console port, you must first explicitly configure this port as the active port. You can make either port the active port by using the port-type configuration statement. If you connect to a passive port, you will lose the early boot messages and once the switch has booted, a login prompt will be displayed at the connected console port. To configure the RJ-45 or the Mini-USB Type-B console port as an active console port: 1.

Configure the port type: [edit] user@switch# set system ports auxiliary port-type type

For example, to activate the Mini USB Type-B console port: user@switch# set system ports auxiliary port-type mini-usb 2. Commit the configuration and Exit.

266



3. Reboot the system. The boot log will appear on the activated console.

Set the Hyper Terminal properties (Baud rate, Flow control, Data, Parity, Stop bits, and DCD state). Related Documentation

•

Connecting an EX Series Switch to a Management Console

•



267

®


268


CHAPTER 16

Configuration Statements for System Setup


269

®


arp Syntax

Hierarchy Level Release Information

arp { aging-timer minutes; gratuitous-arp-delayseconds; gratuitous-arp-on-ifup; interfaces { interface-name { aging-timer minutes; } } passive-learning; purging; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches.

Description

Specify ARP options. You can enable backup VRRP routers to learn ARP requests for VRRP-IP to VRRP-MAC address translation. You can also set the time interval between ARP updates.

Options

aging-timer—Time interval in minutes between ARP updates. In environments where the

number of ARP entries to update is high (for example, on routers only, metro Ethernet environments), increasing the time between updates can improve system performance. Default: 20 minutes Range: 5 to 240 minutes The remaining statements are explained separately. Required Privilege Level Related Documentation

270

system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS ARP Learning and Aging Options for Mapping IPv4 Network Addresses to MAC Addresses

•

Junos OS Network Interfaces Configuration Guide


Chapter 16: Configuration Statements for System Setup

authentication-key Syntax Hierarchy Level Release Information

Description

authentication-key key-number type type value password; [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Network Time Protocol (NTP) authentication keys so that the router or switch can send authenticated packets. If you configure the router or switch to operate in authenticated mode, you must configure a key. Both the keys and the authentication scheme (MD5) must be identical between a set of peers sharing the same key number.

Options

key-number—Positive integer that identifies the key. type type—Authentication type. It can only be md5. value password—The key itself, which can be from 1 through 8 ASCII characters. If the key

contains spaces, enclose it in quotation marks. Required Privilege Level Related Documentation


Configuring NTP Authentication Keys

•

broadcast on page 274

•

peer on page 299

•

server on page 304

•

trusted-key on page 307


271

®


auxiliary Syntax


Description

auxiliary { disable; insecure; type terminal-type; port-type (mini-usb | rj45); } [edit system ports]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the characteristics of the auxiliary port. Remaining statement is explained separately.

Default Options

disable is the default option. disable—Disable the port. insecure—Disable super user access or root logins to establish terminal connection. type terminal-type—Type of terminal that is connected to the port.

Range: ansi, vt100, small-xterm, xterm Default: The terminal type is unknown, and the user is prompted for the terminal type.The remaining statement is explained separately. Required Privilege Level Related Documentation

272


Configuring the Junos OS to Set Console and Auxiliary Port Properties



boot-server (NTP) Syntax Hierarchy Level Release Information

Description

boot-server (address | hostname); [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the server that NTP queries when the router or switch boots to determine the local date and time. When you boot the router or switch, it issues an ntpdate request, which polls a network server to determine the local date and time. You need to configure a server that the router or switch uses to determine the time when the router or switch boots. Otherwise, NTP will not be able to synchronize to a time server if the server’s time appears to be very far off of the local router’s or switch’s time. You can either configure an IP address or a hostname for the boot server. If you configure a hostname instead of an IP address, the ntpdate request resolves the hostname to an IP address when the router or switch boots up.

Options


•

address—The IP address of an NTP boot server.

•

hostname—The hostname of an NTP boot server.


Synchronizing and Coordinating Time Distribution Using NTP


273

®


broadcast Syntax Hierarchy Level Release Information

Description

Options

broadcast address ; [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the local router or switch to operate in broadcast mode with the remote system at the specified address. In this mode, the local router or switch sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the local router or switch is operating as a transmitter. address—The broadcast address on one of the local networks or a multicast address

assigned to NTP. You must specify an address, not a hostname. If the multicast address is used, it must be 224.0.1.1. key key-number—(Optional) All packets sent to the address include authentication fields

that are encrypted using the specified key number. Range: Any unsigned 32-bit integer ttl value—(Optional) Time-to-live (TTL) value to use.

Range: 1 through 255 Default: 1 version value—(Optional) Specify the version number to be used in outgoing NTP packets.

Range: 1 through 4 Default: 4 Required Privilege Level Related Documentation

274


Configuring the NTP Time Server and Time Services



broadcast-client Syntax

broadcast-client;

Hierarchy Level

[edit system ntp]

Release Information

Description


Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the local router or switch to listen for broadcast messages on the local network to discover other servers on the same subnet. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Router or Switch to Listen for Broadcast Messages Using NTP


275

®


console (Physical Port) Syntax


Description Default Options

console { disable; insecure; log-out-on-disconnect; type terminal-type; } [edit system ports]

Statement introduced before Junos OS Release 7.4. disable option added in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the characteristics of the console port. The console port is enabled and its speed is 9600 baud. disable—Disable console login connections. insecure—Disable root login connections to the console and auxiliary ports. Configuring

the console port as insecure also prevents superusers and anyone with a user identifier (UID) of 0 from establishing terminal connections in multiuser mode. This option can be used to prevent a user from attempting password recovery by booting into single-user mode, if the user does not know the root password. log-out-on-disconnect—Log out the session when the data carrier on the console port is

lost.

NOTE: The log-out-on-disconnect option is not operational on MX80 routers. On MX80 routers you must manually log out from the console with the request system logout u0 command.

type terminal-type—Type of terminal that is connected to the port.

Range: ansi, vt100, small-xterm, xterm Default: The terminal type is unknown, and the user is prompted for the terminal type. Required Privilege Level Related Documentation

276





default-address-selection Syntax Hierarchy Level Release Information

default-address-selection; [edit system]


Description

Use the loopback interface, lo0, as the source address for all locally generated IP packets when the packet is sent through a routed interface, but not when the packet is sent through a local interface such as fxp0. The lo0 interface is the interface to the router’s or switch’s Routing Engine.

Default

The default address is used as the source address for all locally generated IP packets on outgoing interfaces that are unnumbered. If an outgoing interface is numbered, the default address is chosen using the following sequence: •

The primary address on the loopback interface lo0 that is not 127.0.0.1 is used.

•

The primary address for the primary interface or the preferred address (if configured) for the primary interface is used. By default, the primary address on an interface is selected as the numerically lowest local address configured on the interface. An interface’s primary address is used by default as the local address for broadcast and multicast packets sourced locally and sent out through the interface. An interface’s preferred address is the default local address used for packets sourced by the local router or switch to destinations on the subnet. By default, the numerically lowest local address configured for the interface is chosen as the preferred address on the subnet. To configure a different primary address or preferred address, include the primary or preferred statement at the [edit interfaces interface-name unit logical-unit-number family family address address or [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family address address hierarchy levels. For more information about default, primary, and preferred addresses for an interface, see “Configuring Default, Primary, and Preferred Addresses and Interfaces” in the Junos OS Network Interfaces Configuration Guide.



Configuring the Junos OS to Select a Fixed Source Address for Locally Generated TCP/IP Packets

•



277

®


domain-name Syntax Hierarchy Level Release Information

Description

Options Required Privilege Level Related Documentation

domain-name domain-name; [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the name of the domain in which the router or switch is located. This is the default domain name that is appended to hostnames that are not fully qualified. domain-name—Name of the domain.


Configuring the Domain Name for the Router or Switch

gre-path-mtu-discovery Syntax Hierarchy Level Release Information

Description


278

(gre-path-mtu-discovery | no-gre-path-mtu-discovery); [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure path MTU discovery for outgoing GRE tunnel connections: •

gre-path-mtu-discovery—Path MTU discovery is enabled.

•

no-gre-path-mtu-discovery—Path MTU discovery is disabled.

Path MTU discovery is enabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS for Path MTU Discovery on Outgoing GRE Tunnel Connections



host-name Syntax Hierarchy Level Release Information

host-name hostname; [edit system]


Description

Set the hostname of the router or switch.

Options

hostname—Name of the router or switch.



Configuring the Hostname of the Router or Switch

icmpv4-rate-limit Syntax


Description Options

icmpv4-rate-limit { bucket-size seconds; packet-rate pps; } [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure rate-limiting parameters for ICMPv4 messages sent. bucket-size seconds—Number of seconds in the rate-limiting bucket.

Range: 0 through 4294967295 seconds Default: 5 packet-rate pps—Rate-limiting packets earned per second.

Range: 0 through 4294967295 pps Default: 1000 Required Privilege Level Related Documentation

admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •

Configuring the Junos OS ICMPv4 Rate Limit for ICMPv4 Routing Engine Messages


279

®


icmpv6-rate-limit Syntax


Description Options

icmpv6-rate-limit { bucket-size seconds; packet-rate packet-rate; } [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure rate-limiting parameters for ICMPv6 messages sent. bucket-size seconds—Number of seconds in the rate-limiting bucket.

Range: 0 through 4294967295 seconds Default: 5 packet-rate pps—Rate-limiting packets earned per second.

Range: 0 through 4294967295 pps Default: 1000 Required Privilege Level Related Documentation

280





inet6-backup-router Syntax Hierarchy Level Release Information

Description

Options

inet6-backup-router address ; [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set a default router (running IP version 6 [IPv6]) to use while the local router or switch (running IPv6) is booting and if the routing protocol processes fail to start. The Junos OS removes the route to this router or switch as soon as the software starts. address—Address of the default router. destination destination-address—(Optional) Destination address that is reachable through

the backup router. You can include this option to achieve network reachability while loading, configuring, and recovering the router or switch, but without the risk of installing a default route in the forwarding table. Default: All hosts (default route) are reachable through the backup router. Required Privilege Level Related Documentation


Configuring a Backup Router


281

®


internet-options Syntax


Description

internet-options { (gre-path-mtu-discovery | no-gre-path-mtu-discovery); icmpv4-rate-limit bucket-size bucket-size packet-rate packet-rate; icmpv6-rate-limit bucket-size bucket-size packet-rate packet-rate; (ipip-path-mtu-discovery | no-ipip-path-mtu-discovery); ipv6-duplicate-addr-detection-transmits; (ipv6-reject-zero-hop-limit | no-ipv6-reject-zero-hop-limit); (ipv6-path-mtu-discovery | no-ipv6-path-mtu-discovery); ipv6-path-mtu-discovery-timeout; no-tcp-rfc1323; no-tcp-rfc1323-paws; (path-mtu-discovery | no-path-mtu-discovery); source-port upper-limit ; (source-quench | no-source-quench); tcp-drop-synfin-set; tcp-mss mss-value; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure system IP options to protect against certain types of DoS attacks. The remaining statements are explained separately.


282



•


•

Configuring the Junos OS for IP-IP Path MTU Discovery on IP-IP Tunnel Connections

•


•

Configuring the Junos OS for Path MTU Discovery on Outgoing TCP Connections

•

Configuring the Junos OS for IPv6 Duplicate Address Detection Attempts

•

Configuring the Junos OS for Acceptance of IPv6 Packets with a Zero Hop Limit

•

Configuring the Junos OS to Ignore ICMP Source Quench Messages

•

Configuring the Junos OS to Enable the Router or Switch to Drop Packets with the SYN and FIN Bits Set

•

Configuring the Junos OS to Disable TCP RFC 1323 Extensions

•

Configuring the Junos OS to Disable the TCP RFC 1323 PAWS Extension

•

Configuring the Junos OS to Extend the Default Port Address Range



•

Configuring TCP MSS for Session Negotiation

ipip-path-mtu-discovery Syntax Hierarchy Level Release Information

Description


(ipip-path-mtu-discovery | no-ipip-path-mtu-discovery); [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure path MTU discovery for outgoing IP-IP tunnel connections: •

ipip-path-mtu-discovery—Path MTU discovery is enabled.

•

no-ipip-path-mtu-discovery—Path MTU discovery is disabled.


Configuring the Junos OS for IP-IP Path MTU Discovery on IP-IP Tunnel Connections

•

internet-options on page 282

ipv6-duplicate-addr-detection-transmits Syntax Hierarchy Level

ipv6-duplicate-addr-detection-transmits; [edit system internet-options]

Release Information

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches.

Description

Control the number of attempts for IPv6 duplicate address detection.


The default value is 3. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS for IPv6 Duplicate Address Detection Attempts


283

®


ipv6-path-mtu-discovery Syntax Hierarchy Level Release Information

Description


(ipv6-path-mtu-discovery | no-ipv6-path-mtu-discovery); [edit system internet-options]

Statement introduced in Junos OS Release 9.2. Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure path MTU discovery for IPv6 packets: •

ipv6-path-mtu-discovery—IPv6 path MTU discovery is enabled.

•

no-ipv6-path-mtu-discovery—IPv6 path MTU discovery is disabled.

IPv6 path MTU discovery is enabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS for IPv6 Path MTU Discovery

ipv6-path-mtu-discovery-timeout Syntax Hierarchy Level Release Information

Description Options

ipv6-path-mtu-discovery-timeout minutes; [edit system internet-options]

Statement introduced in Junos OS Release 9.2. Statement introduced in Junos OS Release 9.2 for EX Series switches. Set the IPv6 path MTU discovery timeout interval. minutes—IPv6 path MTU discovery timeout.

Default: 10 minutes Required Privilege Level Related Documentation

284





ipv6-reject-zero-hop-limit Syntax Hierarchy Level Release Information

Description


(ipv6-reject-zero-hop-limit | no-ipv6-reject-zero-hop-limit); [edit system internet-options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Enable and disable rejecting incoming IPv6 packets with a zero hop limit value in their header. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS for Acceptance of IPv6 Packets with a Zero Hop Limit


285

®


lcd-menu Syntax

EX3200, EX3300, EX4200, or EX4500 switch: lcd-menu fpc slot-number { menu-item (menu-name | menu-option) ; }

EX6200 or EX8200 switch or XRE200 External Routing Engine: lcd-menu { menu-item (menu-name | menu-option) ; }

Hierarchy Level Release Information Description Options

[edit chassis]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Disable or enable the Maintenance menu or the Status menu in the LCD panel. none—(EX6200 and EX8200 switches and XRE200 External Routing Engines only) Disable or enable the specified menu or menu options. fpc slot-number—(EX3200, EX3300, EX4200, and EX4500 switches only) Disable or

enable the specified menu or menu options, where slot-number is: •

0—On standalone switches.

•

0–9—On a device in a Virtual Chassis. The value is the member ID of the device.

NOTE: This option is not available on an EX8200 Virtual Chassis. The LCD panel on an XRE200 External Routing Engine provides information for the XRE200 External Routing Engine only.

disable—(Optional) Disable the specified menu.

The remaining statement is explained separately. Required Privilege Level Related Documentation

286

interface—To view this statement in the configuration. interface-level—To add this statement to the configuration. •


•


•


•


•


•




•


•



287

®


location Syntax


Description Options

location { altitude feet; building name; country-code code; floor number; hcoord horizontal-coordinate; lata service-area; latitude degrees; longitude degrees; npa-nxx number; postal-code postal-code; rack number; vcoord vertical-coordinate; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the system location in various formats. altitude feet—Number of feet above sea level. building name—Name of building. The name of the building can be 1 to 28 characters in

length. If the string contains spaces, enclose it in quotation marks (" "). country-code code—Two-letter country code. floor number—Floor in the building. hcoord horizontal-coordinate—Bellcore Horizontal Coordinate. lata service-area—Long-distance service area. latitude degrees—Latitude in degree format. longitude degrees—Longitude in degree format. npa-nxx number—First six digits of the phone number (area code and exchange). postal-code postal-code—Postal code. rack number—Rack number. vcoord vertical-coordinate—Bellcore Vertical Coordinate.


288

system—To view this statement in the configuration. system-control—To add this statement to the configuration.




•

Configuring the Physical Location of the Router or Switch


289

®


menu-item Syntax

menu-item (menu-name | menu-option);

Hierarchy Level

[edit chassis lcd-menu], [edit chassis lcd-menu fpc slot-number]

Release Information Description

Statement introduced in Junos OS Release 10.2 for EX Series switches. Disable or enable the Maintenance menu, the Status menu, or an individual option in one of those menus in the LCD panel. On EX3200, EX3300, EX4200, and EX4500 switches, you use menu-item at the [edit chassis lcd-menu fpc slot-number] hierarchy level. On EX6200 and EX8200 switches, and on XRE200 External Routing Engines, you use menu-item at the [edit chassis lcd-menu] hierarchy level.

Options

menu-name—Name of the LCD menu: •

maintenance-menu

•

status-menu

menu-option—Specific option on one of the LCD menus. You must include the quotation

marks when you type the option. Table 59 on page 291 describes the different menu options of the LCD menus supported on the switches.

290



Table 59: Menu Options of the LCD Menus Supported on the Switches Platforms Supported

Menu

Menu Options

Option Descriptions

maintenance-menu

''maintenance-menu halt-menu''

System halt option

All switches except EX2200

''maintenance-menu system-reboot''

System reboot option


''maintenance-menu rescue-config''

Load rescue option


''maintenance-menu vc-uplink-config''

Request VC port option for a device in a Virtual Chassis configuration

EX3300, EX4200, and EX4500 switches and XRE200 External Routing Engines only

''maintenance-menu factory-default''

Factory default option


''status-menu vcp-status''

Virtual Chassis port (VCP) status for a device in a Virtual Chassis configuration

EX3300, EX4200, and EX4500 switches and XRE200 External Routing Engines only

''status-menu sf-status1-menu''

Status of the switch fabric on the Switch Fabric and Routing Engine (SRE) module in slot SRE0 on EX8208 switches

EX8208 and EX8216 switches only

status-menu

Status of the switch fabric on the Switch Fabric (SF) modules in slots SF0 and SF1 on EX8216 switches ''status-menu sf-status2-menu''

Status of the switch fabric on the SRE module in slot SRE1 on EX8208 switches


Status of the switch fabric on the SF modules in slots SF2–SF5 on EX8216 switches ''status-menu sf-status3-menu''

Status of the switch fabric on the SF modules in slots SF6 and SF7 on EX8216 switches

EX8216 switches only

''status-menu power-status''

Status of the power supply or power supplies

EX3200, EX3300, EX4200, and EX4500 switches


291

®


Table 59: Menu Options of the LCD Menus Supported on the Switches (continued) Menu

Menu Options

Option Descriptions

Platforms Supported and XRE200 External Routing Engines only

''status-menu psu-status1-menu''

Status of the power supplies in slots P0 and P1


''status-menu psu-status2-menu''

Status of the power supplies in slots P2–P5


''status-menu environ-menu''

Status of the fan; current chassis temperature

All switches (except EX2200) and XRE200 External Routing Engine

''status-menu show-version''

The version of Junos OS loaded on the switch



292

view-level—To view this statement in the configuration. control-level—To add this statement to the configuration. •


•


•


•


•


•


•


•




multicast-client Syntax Hierarchy Level Release Information

Description

Options

multicast-client ; [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For NTP, configure the local router or switch to listen for multicast messages on the local network to discover other servers on the same subnet. address—(Optional) One or more IP addresses. If you specify addresses, the router or

switch joins those multicast groups. Default: 224.0.1.1. Required Privilege Level Related Documentation


Configuring the Router or Switch to Listen for Multicast Messages Using NTP


293

®


no-multicast-echo Syntax


Description

Default Required Privilege Level

294

no-multicast-echo { arp { aging-timer minutes; gratuitous-arp-delayseconds; gratuitious-arp-on-ifup; interfaces { interface-name { aging-timer minutes; } } passive-learning; purging; } host-name hostname; location{ altitude feet; building name; country-code code; floor number; hcoord horizontal-coordinate; lata service-area; latitude degrees; longitude degrees; npa-nxx number; postal-code postal-code; rack number; vcoord vertical-coordinate; } } license { autoupdate URL; } renew before-expiration (number | interval number) } } } [edit system]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Disable the Routing Engine from responding to ICMP echo requests sent to multicast group addresses. The Routing Engine responds to ICMP echo requests sent to multicast group addresses. system—To view this statement in the configuration. system-control—To add this statement to the configuration.




•

Configuring the Junos OS to Disable the Routing Engine Response to Multicast Ping Packets

no-ping-record-route Syntax Hierarchy Level Release Information

Description Required Privilege Level Related Documentation

no-ping-record-route; [edit system]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 9.4 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the Junos OS to disable the reporting of the IP address in ping responses. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS to Disable the Reporting of IP Address and Timestamps in Ping Responses

no-ping-time-stamp Syntax Hierarchy Level Release Information


no-ping-time-stamp; [edit system]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 9.4 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the Junos OS to disable the recording of timestamps in ping responses. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS to Disable the Reporting of IP Address and Timestamps in Ping Responses


295

®


no-redirects Syntax Hierarchy Level Release Information

Description

no-redirects; [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.4 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Disable the sending of protocol redirect messages by the router or switch. To disable the sending of redirect messages on a per-interface basis, include the no-redirects statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level.


The router or switch sends redirect messages. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS to Disable Protocol Redirect Messages on the Router or Switch

•


no-tcp-rfc1323 Syntax Hierarchy Level Release Information

[edit system internet-options]


Description

Configure the Junos OS to disable RFC 1323 TCP extensions.




296

no-tcp-rfc1323;

•

Configuring the Junos OS to Disable TCP RFC 1323 Extensions



no-tcp-rfc1323-paws Syntax Hierarchy Level Release Information

Description


no-tcp-rfc1323-paws; [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring the Junos OS to Disable the TCP RFC 1323 PAWS Extension

ntp Syntax


Description

ntp { authentication-key number type type value password; boot-server address; broadcast ; broadcast-client; multicast-client ; peer address ; server address ; source-address source-address; trusted-key [ key-numbers ]; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure NTP on the router or switch. The remaining statements are explained separately.





297

®


path-mtu-discovery Syntax Hierarchy Level Release Information

Description


298

(path-mtu-discovery | no-path-mtu-discovery); [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure path MTU discovery for outgoing Transmission Control Protocol (TCP) connections: •

path-mtu-discovery—Path MTU discovery is enabled.

•

no-path-mtu-discovery—Path MTU discovery is disabled.


Configuring the Junos OS for Path MTU Discovery on Outgoing TCP Connections



peer Syntax Hierarchy Level Release Information

Description

Options

peer address ; [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For NTP, configure the local router or switch to operate in symmetric active mode with the remote system at the specified address. In this mode, the local router or switch and the remote system can synchronize with each other. This configuration is useful in a network in which either the local router or switch or the remote system might be a better source of time. address—Address of the remote system. You must specify an address, not a hostname. key key-number—(Optional) All packets sent to the address include authentication fields

that are encrypted using the specified key number. Range: Any unsigned 32-bit integer prefer—(Optional) Mark the remote system as the preferred host, which means that if

all other factors are equal, this remote system is chosen for synchronization among a set of correctly operating systems. version value—(Optional) Specify the NTP version number to be used in outgoing NTP

packets. Range: 1 through 4 Default: 4 Required Privilege Level Related Documentation




299

®


ports Syntax


Description

ports { auxiliary { disable; insecure; type terminal-type; port-type (mini-usb | rj45); } console { disable; insecure; log-out-on-disconnect; type terminal-type; } } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the properties of the console and auxiliary ports. The ports are located on the router’s craft interface. See the switch’s hardware documentation for port locations. The remaining statements are explained separately.


300





port-type Syntax Hierarchy Level Release Information Description

Default Options

port-type (mini-usb | rj45); [edit system ports auxiliary]

Statement introduced in Junos OS Release 11.3 for EX Series switches. (EX2200-C switch only) Set the RJ-45 console port or the Mini-USB console port as the active console port. The RJ-45 console port is the active port. mini-usb—Set the Mini USB type-B console port as the active console port. rj45—Set the RJ-45 console port as the active console port.



Configuring the Console Port Type (CLI Procedure) on page 266


301

®


processes Syntax


Description

processes { process-name (enable | disable) failover (alternate-media | other-routing-engine); timeout seconds; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure which Junos OS processes are running on the router or switch.

CAUTION: Never disable any of the software processes unless instructed to do so by a customer support engineer.

Default Options

All processes are enabled by default. (enable | disable)—(Optional) Enable or disable a specified process. failover (alternate-media | other-routing-engine)—(Optional) For routers or switches with

redundant Routing Engines only, switch to backup media if a process fails repeatedly. If a process fails four times within 30 seconds, the router or switch reboots from the alternate media or the other Routing Engine. process-name—One of the valid process names. You can obtain a complete list of process

names by using the CLI command completion feature. After specifying a process name, command completion also indicates any additional options for that process. timeout seconds—(Optional) How often the system checks the watchdog timer, in seconds.

If the watchdog timer has not been checked in the specified number of seconds, the system reloads. If you set the time value too low, it is possible for the system to reboot immediately after it loads. Values: 15, 60, or 180 Default: 180 seconds (rounded up to 291 seconds by the Junos kernel) Required Privilege Level Related Documentation

302


Disabling Junos OS Processes



power Syntax Hierarchy Level Release Information Description

power (off | on); [edit chassis fpc slot]

Statement introduced in Junos OS Release 9.4 for EX Series switches. On an EX6200 or EX8200 switch, turn a specified Flexible PIC Concentrator (FPC) on or off. See “EX Series Switches Hardware and CLI Terminology Mapping” on page 847.

NOTE: On an EX6200 switch, the power statement has no effect when you configure it for an uplink port FPC on the Switch Fabric and Routing Engine (SRE) module. If you configure the statement for those FPCs, the configuration will be committed, but a message that informs you that the configuration has no effect is logged in the system log. You cannot turn the power on and off for these FPCs.

Options


•

on—Turn on the specified FPC.

•

off—Turn off the specified FPC.

interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Removing a Line Card from an EX6200 Switch


303

®


server (NTP) Syntax Hierarchy Level Release Information

Description

Options

server address ; [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For NTP, configure the local router or switch to operate in client mode with the remote system at the specified address. In this mode, the local router or switch can be synchronized with the remote system, but the remote system can never be synchronized with the local router or switch. address—Address of the remote system. You must specify an address, not a hostname. key key-number—(Optional) Use the specified key number to encrypt authentication

fields in all packets sent to the specified address. Range: Any unsigned 32-bit integer prefer—(Optional) Mark the remote system as preferred host, which means that if all

other things are equal, this remote system is chosen for synchronization among a set of correctly operating systems. version value—(Optional) Specify the version number to be used in outgoing NTP packets.




tcp-drop-synfin-set Syntax Hierarchy Level Release Information


304

tcp-drop-synfin-set; [edit system internet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the router or switch to drop packets that have both the SYN and FIN bits set. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •

Configuring the Junos OS to Enable the Router or Switch to Drop Packets with the SYN and FIN Bits Set



traceoptions (SBC Configuration Process) Syntax


Description

Options

traceoptions { file filename ; flag flag; } [edit system processes sbc-configuration-process]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Configure trace options for the session border controller (SBC) process of the border signaling gateway (BSG). file filename—Name of the file that receives the output of the tracing operation. Enclose

the name in quotation marks. All files are placed in the directory /var/log. You can include the following file options: •

files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so

on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option and a filename. Range: 2 through 1000 Default: 3 files •

match regex—(Optional) Refine the output to include lines that contain the regular

expression. •

no-world-readable—(Optional) Disable unrestricted file access.

•

size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes

(MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and filename. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB. Range: 10 KB through 1 GB Default: 128 KB •

world-readable—(Optional) Enable unrestricted file access.


305

®


flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements. You can include the following flags: •

all trace-level—Trace all SBC process operations.

•

common trace-level—Trace common events.

•

configuration trace-level—Trace configuration events.

•

device-monitor trace-level—Trace device monitor events.

•

ipc trace-level—Trace IPC events.

•

memory—pool trace-level—Trace memory pool events.

•

trace-level—Trace level options are related to the severity of the event being traced.

When you choose a trace level, messages at that level and higher levels are captured. Enter one of the following trace levels as the trace-level: •

debug—Log all code flow of control.

•

error—Log failures with a short-term effect.

•

info—Log summary for normal operations, such as the policy decisions made for a

call.

•


306

•

trace—Log program trace START and EXIT macros.

•

warning—Log failure recovery events or failure of an external entity.

ui trace-level—Trace user interface operations.


See “Troubleshooting the IMSG” in the Junos Multiplay Solutions Guide

•

System Management Configuration Statements



trusted-key Syntax Hierarchy Level Release Information

Description

Options

trusted-key [ key-numbers ]; [edit system ntp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For NTP, configure the keys you are allowed to use when you configure the local router or switch to synchronize its time with other systems on the network. key-numbers—One or more key numbers. Each key can be any 32-bit unsigned integer

except 0. Required Privilege Level Related Documentation


Configuring NTP Authentication Keys

•

authentication-key on page 271

•

broadcast on page 274

•

peer on page 299

•

server on page 304


307

®


308


CHAPTER 17

Operational Commands for System Setup


309

®


clear chassis display message Syntax

clear chassis display message





Syntax (QFX Series)


Release Information

Command introduced in Junos OS Release 7.5. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option for the TX Matrix Plus routers introduced in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Options

(M40e, M160, M320, T Series routers, EX Series, and QFX Series only) Clear or stop a text message on the craft interface display, which is on the front of the router or switch or on the LCD panel display on the router or switch. The craft interface alternates the display of text messages with standard craft interface messages, switching between messages every 2 seconds. By default, on both the router and the switch, the text message is displayed for 5 minutes. The craft interface display has four 20-character lines. The LCD panel display has two 16-character lines, and text messages appear only on the second line. none—Clear or stop a text message on the craft interface display. interconnect-device name—(QFabric switches only) (Optional) On a QFabric switch, clear

or stop a text message on the LCD panel display on the specified Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

clear or stop a text message on the craft interface on a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, clear or stop a text message on the craft interface on a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. node-device name—(QFabric switches only) (Optional) On a QFabric switch, clear or

stop a text message on the LCD panel display on the specified node device in a Node group. scc—(TX Matrix routers only) (Optional) Clear or stop a text message on the craft interface

on the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Clear or stop a text message on

the craft interface on the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0.

310


Chapter 17: Operational Commands for System Setup



clear

•


•

set chassis display message on page 365

•

show chassis craft-interface

clear chassis display message on page 311 See show chassis craft-interface for an explanation of output fields.

Sample Output clear chassis display message

The following example displays and then clears the text message on the craft interface display: user@host> show chassis craft-interface Red alarm: LED off, relay off Yellow alarm: LED off, relay off Host OK LED: On Host fail LED: Off FPCs 0 1 2 3 4 5 6 7 ------------------------------Green .. *.. * *. Red ........ LCD screen: +--------------------+ |NOC contact Dusty | |(888) 526-1234 | +--------------------+ user@host> clear chassis display message user@host> show chassis craft-interface Red alarm: LED off, relay off Yellow alarm: LED off, relay off Host OK LED: On Host fail LED: Off FPCs 0 1 2 3 4 5 6 7 ------------------------------Green .. *.. * *. Red ........ LCD screen: +--------------------+ |host | |Up: 0+17:05:47 | | | |Temperature OK | +--------------------+


311

®


clear system reboot Syntax

clear system reboot


clear system reboot


clear system reboot


clear system reboot

Syntax (QFX Series)

clear system reboot

Release Information


Description

Options

Clear any pending system software reboots or halts. When issued on a TX Matrix router without any options, the default behavior clears all pending system software reboots or halts on all T640 routers connected to the TX Matrix router. When issued on a TX Matrix Plus router without any options, the default behavior clears all pending system software reboots or halts on all T1600 routers connected to the TX Matrix Plus router. none—Clear all pending system software reboots or halts. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Clear all halt or reboot

requests for all the Routing Engines in the chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

clear all halt or reboot requests for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, clear all halt or reboot requests for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches only) (Optional) Clear all halt or reboot requests on

all members of the Virtual Chassis configuration. both-routing-engines—(Systems with multiple Routing Engines) (Optional) Clear all halt

or reboot requests on both Routing Engines. On a TX Matrix router, clear both Routing Engines on all chassis connected to the TX Matrix router. Likewise, on a TX Matrix

312



Plus router, clear both Routing Engines on all chassis connected to the TX Matrix Plus router. infrastructure name—(QFabric switches) (Optional) Clear all halt or reboot requests on

the fabric control Routing Engines or fabric manager Routing Engines. interconnect-device name—(QFabric switches) (Optional) Clear all halt or reboot requests

on the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

clear all halt or reboot requests for a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, clear all halt or reboot requests for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches only) (Optional) Clear all halt or reboot requests on the local

Virtual Chassis member. member member-id—(EX4200 switches only) (Optional) Clear all halt or reboot requests

on the specified member of the Virtual Chassis configuration. Replace member-id with a value from 0 through 9. node-group name—(QFabric switches) (Optional) Clear all halt or reboot requests on

the Node group. scc—(TX Matrix routers only) (Optional) Clear all halt or reboot requests for the TX Matrix

router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Clear all halt or reboot requests for

the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Required Privilege Level Related Documentation


Output Fields

maintenance

•

request system reboot on page 169

•


•


clear system reboot on page 314 clear system reboot (TX Matrix Router) on page 314 clear system reboot (QFX Series) on page 314 When you enter this command, you are provided feedback on the status of your request.


313

®


Sample Output

314

clear system reboot

user@host> clear system reboot reboot requested by root at Sat Dec 12 19:37:34 1998 [process id 17855] Terminating...

clear system reboot (TX Matrix Router)

user@host> clear system reboot scc-re0: -------------------------------------------------------------------------No shutdown/reboot scheduled. lcc0-re0: -------------------------------------------------------------------------No shutdown/reboot scheduled. lcc2-re0: -------------------------------------------------------------------------No shutdown/reboot scheduled.

clear system reboot (QFX Series)

user@switch> clear system reboot node-group node1 No shutdown/reboot scheduled.



configure Syntax

Release Information

Description

Options

configure

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Enter configuration mode. When this command is entered without any optional keywords, everyone can make configuration changes and commit all changes made to the configuration. none—Enter configuration mode. dynamic—(Optional) Configure routing policies and certain routing policy objects in a

dynamic database that is not subject to the same verification required in the standard configuration database. As a result, the time it takes to commit changes to the dynamic database is much shorter than for the standard configuration database. You can then reference these policies and policy objects in routing policies you configure in the standard database. exclusive—(Optional) Lock the candidate configuration for as long as you remain in

configuration mode, allowing you to make changes without interference from other users. Other users can enter and exit configuration mode, but they cannot change the configuration. private—(Optional) Allow multiple users to edit different parts of the configuration at

the same time and to commit only their own changes, or to roll back without interfering with one another's changes. You cannot commit changes in configure private mode when another user is in configure exclusive mode. Additional Information


For more information about the different methods of entering configuration mode and the restrictions that apply, see the Junos OS System Basics Configuration Guide. configure

•

show configuration on page 387

configure on page 315 When you enter this command, you are placed in configuration mode and the system prompt changes from hostname> to hostname#.

Sample Output configure

user@host> configure


315

®


Entering configuration mode [edit] user@host#

316



op Syntax

Release Information

Description

Options

op filename op script1 interface ge-0/2/0.0 protocol inet user@host> op url https://www.juniper.net/fa/2009-04-01.01.slax key md5 8de24d09e1d90b2581bb937d2a5ad590 interface ge-0/2/0.0 protocol inet



request chassis pic Syntax

request chassis pic (offline | online) fpc-slot slot-number pic-slot slot-number

Syntax (TX Matrix and TX Matrix Plus Router)

request chassis pic (offline | online) fpc-slot slot-number pic-slot slot-number

Release Information

Description

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Control the operation of the PIC.

NOTE: The request chassis pic (offline | online) fpc-slot slot number pic-slot slot-number command is not supported for built-in PICs on MX Series routers. To view a list of built-in PICs on the router or switch chassis, use the show chassis hardware command.

NOTE: T1600 routers and TX Matrix Plus routers with 100-Gigabit Ethernet PICs require two adjacent PIC slots, 0 and 1, for each PIC. Therefore, only online and offline command options to PIC slot 0 are allowed. Use of the online and offline command options for PIC slot 1 with the described router and PIC combination is not allowed.

NOTE: In T Series routers, when the PIC state is set from offline to online or vice-versa before the processing is complete for the previous command, you are provided feedback on the status of your request. The following sample messages are displayed if you try to set a PIC offline or online: user@switch> request chassis pic fpc-slot 1 pic-slot 0 online fpc 1 pic 0 online initiated, use "show chassis fpc pic-status" to verify user@switch> request chassis pic fpc-slot 1 pic-slot 0 online FPC 1 PIC 0 already transitioning to online

When the same PIC is set to a different state while the transition is in progress, you are provided feedback on the status of your request. user@switch> request chassis pic fpc-slot 1 pic-slot 0 offline FPC 1, PIC 0 already transitioning to online. Please retry later.

Options

offline—Take the PIC offline. online—Bring the PIC online.


319

®


fpc-slot slot-number—Flexible PIC Concentrator (FPC) slot number. Replace slot-number

with a value appropriate for your router or switch: •

EX Series switches: •

EX3200 switches and EX4200 standalone switches—0.

•

EX4200 switches in a Virtual Chassis configuration—0 through 9 (switch’s member ID).

•

EX8208 switches—0 through 7 (line card).

•

EX8216 switches—0 through 15 (line card).

•

M5, M7i, M10, and M10i routers—0 or 1.

•

M20 routers—0 through 3.

•

M120 routers—0 through 5.

•

MX960 routers—0 through 11.

•

M40, M40e, M160, M320, T320, T640, and T1600 routers—0 through 7.

•

TX Matrix and TX Matrix Plus routers only—On a TX Matrix router, if you specify the number of the T640 router by using the lcc number option (the recommended method), replace slot-number with a value from 0 through 7. Otherwise, replace slot-number with a value from 0 through 31. Likewise, on a TX Matrix Plus router, if you specify the number of the T1600 router by using the lcc number option (the recommended method), replace slot-number with a value from 0 through 7. Otherwise, replace slot-number with a value from 0 through 31. For example, the following commands have the same result: user@host> request chassis pic fpc-slot 1 lcc 1 pic-slot 0 offline user@host> request chassis pic fpc-slot 9 pic-slot 0 offline

pic-slot slot-number—PIC slot number. For the M Series router, the T640 router, the T1600

router, and the TX Matrix and TX Matrix Plus routers, it can be 0, 1, 2, or 3. On the MX960 router, slot-number corresponds to the slot number of the Packet Forwarding Engine. For the T320 router, it can be 0 or 1. For EX3200 and EX4200 switches, it is 0 for built-in network interfaces and 1 for interfaces on uplink modules. For EX8208 and EX8216 switches, it is 0. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

control the PIC in a specified T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, control the PIC in a specified T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. Required Privilege Level Related Documentation

320

maintenance

•

show chassis hardware on page 1083

•

show chassis pic on page 1155




•

Configuring the PIC Type

•

100-Gigabit Ethernet PIC Overview

request chassis pic on page 321 When you enter this command, you are provided feedback on the status of your request.

Sample Output request chassis pic

user@host> request chassis pic pic-slot 0 online fpc-slot 0 FPC 0, PIC 0 is already online


321

®


request chassis routing-engine master Syntax

request chassis routing-engine master (acquire | release | switch)


request chassis routing-engine master (acquire | release | switch) (lcc number | scc | all-chassis)


request chassis routing-engine master (acquire | release | switch) (lcc number | sfc | all-chassis | all-lcc)



Syntax (QFX Series)


Release Information

Command introduced before Junos OS Release 7.4. all-chassis option added in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

For routers or switches with multiple Routing Engines, control which Routing Engine is the master.

CAUTION: (Routing matrix based on the TX Matrix or TX Matrix Plus routers only) Within the routing matrix, we recommend that all Routing Engines run the same Junos OS Release. If you run different releases on the Routing Engines and a change in mastership occurs on any backup Routing Engine in the routing matrix, one or all T640 routers (in a routing matrix based on the TX Matrix router) or T1600 routers (in a routing matrix based on a TX Matrix Plus router) might become logically disconnected from the TX Matrix router and cause data loss. For more information, see the TX Matrix Router Hardware Guide or the Junos OS High Availability Configuration Guide.

322



NOTE: Successive graceful Routing Engine switchover events must be a minimum of 240 seconds (4 minutes) apart after both Routing Engines have come up. If the router or switch displays a warning message similar to “Standby Routing Engine is not ready for graceful switchover. Packet Forwarding Engines that are not ready for graceful switchover might be reset,” do not attempt switchover. If you choose to proceed with switchover, only the Packet Forwarding Engines that were not ready for graceful switchover are reset. None of the Flexible PIC concentrators (FPCs) should spontaneously restart. We recommend that you wait until the warning no longer appears and then proceed with the switchover.

Options

acquire—Attempt to become the master Routing Engine. release—Request that the other Routing Engine become the master. switch—Toggle mastership between Routing Engines.

The acquire, release, and switch options have the following suboptions: all-chassis—(TX Matrix and TX Matrix Plus routers only) On a routing matrix composed

of a TX Matrix router and the attached T640 routers, switch mastership on all the Routing Engines in the routing matrix. Likewise, on a routing matrix composed of a TX Matrix Plus router and the attached T1600 routers, switch mastership on all the Routing Engines in the routing matrix. all-lcc—(TX Matrix Plus routers only) Request to acquire mastership for all line-card

chassis (LCC). all-members—(MX Series routers only) (Optional) Control Routing Engine mastership

on the Routing Engines in all member routers of the Virtual Chassis configuration. interconnect-device name—(QFabric switches only) (Optional) Control Routing Engine

mastership on the Routing Engines on an Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) On a TX Matrix router, the T640

router (or LCC) that is connected to the TX Matrix router (or switch-card chassis). On a TX Matrix Plus router, the T1600 router (or LCC) that is connected to the TX Matrix Plus router (or switch-fabric chassis). Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Control Routing Engine mastership on the

Routing Engines in the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Control Routing Engine

mastership on the Routing Engines of the specified member in the Virtual Chassis Configuration. Replace member-id with a value of 0 or 1.


323

®


no-confirm—(Optional) Do not request confirmation for the switch. node-group name—(QFabric switches only) (Optional) Control Routing Engine mastership

on the Routing Engines on a Node group. scc—(TX Matrix routers only) TX Matrix (or switch-card chassis). sfc—(TX Matrix Plus routers only) TX Matrix Plus router (or switch-fabric chassis). force—(Optional) Available only with the acquire option. Force the change to a new

master Routing Engine. Additional Information

Because both Routing Engines are always running, the transition from one to the other as the master Routing Engine is immediate. However, the changeover interrupts communication to the System and Switch Board (SSB). The SSB takes several seconds to reinitialize the Flexible PIC Concentrators (FPCs) and restart the PICs. Interior gateway protocol (IGP) and BGP convergence times depend on the specific network environment. By default, the Routing Engine in slot 0 (RE0) is the master and the Routing Engine in slot 1 (RE1) is the backup. To change the default master Routing Engine, include the routing-engine statement at the [edit chassis redundancy] hierarchy level in the configuration. For more information, see the Junos OS System Basics Configuration Guide To have the backup Routing Engine become the master Routing Engine, use the request chassis routing-engine master switch command. If you use this command to change the master and then restart the chassis software for any reason, the master reverts to the default setting.

NOTE: Although the configurations on the two Routing Engines do not have to be the same and are not automatically synchronized, we recommend making both configurations the same.



Output Fields

324

maintenance

•

show chassis routing-engine on page 1165

•

Configuring Routing Engine Redundancy

•

Switching the Global Master and Backup Roles in a Virtual Chassis Configuration

request chassis routing-engine master acquire on page 325 request chassis routing-engine master switch on page 325 When you enter this command, you are provided feedback on the status of your request.



Sample Output request chassis routing-engine master acquire

user@host> request chassis routing-engine master acquire warning: Traffic will be interrupted while the PFE is re-initialized warning: The other routing engine's file system could be corrupted Reset other routing engine and become master ? [yes,no] (no)

request chassis routing-engine master switch

user@host> request chassis routing-engine master switch warning: Traffic will be interrupted while the PFE is re-initialized Toggle mastership between Routing Engines ? [yes,no] (no) yes Resolving mastership... Complete. The other Routing Engine becomes the master.

Switch mastership back to the local Routing Engine: user@host> request chassis routing-engine master switch warning: Traffic will be interrupted while the PFE is re-initialized Toggle mastership between routing engines ? [yes,no] (no) yes Resolving mastership... Complete. The local routing engine becomes the master.


325

®


request system halt Syntax


request system halt


request system halt



Syntax (QFX Series)

326

request system halt

request system halt request system halt request system halt



Release Information

Description

Command introduced before Junos OS Release 7.4. other-routing-engine option introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Stop the router or switch software.

NOTE: When you issue this command on an individual component in a QFabric system, you will receive a warning that says “Hardware-based members will halt, Virtual Junos Routing Engines will reboot.” If you want to halt only one member, use the member option. You cannot issue this command from the QFabric CLI.

Options

none—Stop the router or switch software immediately. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Halt all chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

halt all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, halt all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Halt all members

of the Virtual Chassis configuration. at time —(Optional) Time at which to stop the software, specified in one of the following

ways: •

now—Stop the software immediately. This is the default.

•

+minutes—Number of minutes from now to stop the software.

•

yymmddhhmm—Absolute time at which to stop the software, specified as year,


hh:mm—Absolute time on the current day at which to stop the software.

both-routing-engines—(Optional) Halt both Routing Engines at the same time. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

halt a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, halt a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3.


327

®


local—(EX4200 switches and MX Series routers only) (Optional) Halt the local Virtual

Chassis member. in minutes—(Optional) Number of minutes from now to stop the software. This option

is an alias for the at +minutes option. media (compact-flash | disk | removable-compact-flash | usb)—(Optional) Boot medium

for the next boot. (The options removable-compact-flash and usb pertain to J Series routers only.) media (external | internal)—(EX Series and QFX Series switches and MX Series routers

only) (Optional) Halt the boot media: •

external—Halt the external mass storage device.

•

internal—Halt the internal flash device.

member member-id—(EX4200 switches and MX Series routers only) (Optional) Halt the

specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. message "text"—(Optional) Message to display to all system users before stopping the

software. other-routing-engine—(Optional) Halt the other Routing Engine from which the command

is issued. For example, if you issue the command from the master Routing Engine, the backup Routing Engine is halted. Similarly, if you issue the command from the backup Routing Engine, the master Routing Engine is halted. scc—(TX Matrix routers only) (Optional) Halt the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Halt the TX Matrix Plus router (or

switch-fabric chassis). Replace number with 0. slice slice—(EX Series and QFX Series switches only) (Optional) Halt a partition on the

boot media. This option has the following suboptions:


•

1—Halt partition 1.

•

2—Halt partition 2.

•


On the M7i router, the request system halt command does not immediately power down the Packet Forwarding Engine. The power-down process can take as long as 5 minutes. On a TX Matrix or TX Matrix Plus router, if you issue the request system halt command on the master Routing Engine, all the master Routing Engines connected to the routing matrix are halted. If you issue this command on the backup Routing Engine, all the backup Routing Engines connected to the routing matrix are halted. If you issue the request system halt both-routing-engines command on the TX Matrix or TX Matrix Plus router, all the Routing Engines on the routing matrix are halted.

328



NOTE: If you have a router or switch with two Routing Engines and you want to shut the power off to the router or switch or remove a Routing Engine, you must first halt the backup Routing Engine (if it has been upgraded), and then halt the master Routing Engine. To halt a Routing Engine, issue the request system halt command. You can also halt both Routing Engines at the same time by issuing the request system halt both-routing-engines command.



Output Fields

maintenance

•


•

request system power-off on page 332

•


request system halt on page 330 request system halt (In 2 Hours) on page 330 request system halt (Immediately) on page 330 request system halt (At 1:20 AM) on page 330 When you enter this command, you are provided feedback on the status of your request.


329

®


Sample Output request system halt

user@host> request system halt Halt the system ? [yes,no] (no) yes *** FINAL System shutdown message from root@section2 *** System going down IMMEDIATELY Terminated ... syncing disks... 11 8 done The operating system has halted. Please press any key to reboot.

request system halt (In 2 Hours)

The following example, which assumes that the time is 5 PM (1700), illustrates three different ways to request that the system stop 2 hours from now: user@host> request system halt at +120 user@host> request system halt in 120 user@host> request system halt at 19:00

request system halt (Immediately)

user@host> request system halt at now

request system halt (At 1:20 AM)

To stop the system at 1:20 AM, enter the following command. Because 1:20 AM is the next day, you must specify the absolute time. user@host> request system halt at yymmdd120 request system halt at 120 Halt the system at 120? [yes,no] (no) yes

330



request system logout Syntax

Release Information

request system logout (pid pid | terminal terminal | user username)


Description

Log out users from the router or switch and the configuration database. If a user held the configure exclusive lock, this command clears the exclusive lock.

Options

all—(Optional) Log out all sessions owned by a particular PID, terminal session, or user.

(On a TX Matrix or TX Matrix Plus router, this command is broadcast to all chassis.) pid pid—Log out the user session using the specified management process identifier

(PID). The PID type must be management process. terminal terminal—Log out the user for the specified terminal session. user username—Log out the specified user.


configure

•


request system logout on page 331 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system logout

user@host> request system logout user tammy all Connection closed by foreign host.


331

®


request system power-off Syntax


request system power-off





Syntax (QFX Series)

332


request system power-off request system power-off request system power-off



Release Information

Description

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Power off the software.

NOTE: When you issue this command on an individual component in a QFabric system, you will receive a warning that says “Hardware-based members will halt, Virtual Junos Routing Engines will reboot.” If you want to halt only one member, use the member option. You cannot issue this command from the QFabric CLI.

Options

none—Power off the router or switch software immediately. all-chassis—(Optional) (TX Matrix and TX Matrix Plus router only) Power off all Routing

Engines in the chassis. all-lcc—(Optional) (TX Matrix and TX Matrix Plus router only) On a TX Matrix router,

power off all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, power off all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Power off all

members of the Virtual Chassis configuration. at time—(Optional) Time at which to power off the software, specified in one of the

following ways: •

now—Power off the software immediately. This is the default.

•

+minutes—Number of minutes from now to power off the software.

•

yymmddhhmm—Absolute time at which to power off the software, specified as

year, month, day, hour, and minute. •

hh:mm—Absolute time on the current day at which to power off the software.

both-routing-engines—(Optional) Power off both Routing Engines at the same time. in minutes—(Optional) Number of minutes from now to power off the software. This

option is an alias for the at +minutes option. lcc number—(Optional) (TX Matrix and TX Matrix Plus router only) On a TX Matrix router,

power off a T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, power off a T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3.


333

®


local—(EX4200 switches and MX Series routers only) (Optional) Power off the local

Virtual Chassis member. media (compact-flash | disk | removable-compact-flash | usb)—(Optional) Boot medium

for the next boot. (The options removable-compact-flash and usb pertain to the J Series routers only.) media (external | internal)—(EX Series and QFX Series switches and MX Series routers

only) (Optional) Power off the boot media: •

external—Power off the external mass storage device.

•

internal—Power off the internal flash device.

member member-id—(EX4200 switches and MX Series routers only) (Optional) Power

off the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. message "text"—(Optional) Message to display to all system users before powering off

the software. other-routing-engine—(Optional) Power off the other Routing Engine from which the

command is issued. For example, if you issue the command from the master Routing Engine, the backup Routing Engine is halted. Similarly, if you issue the command from the backup Routing Engine, the master Routing Engine is halted. scc—(Optional) (TX Matrix router only) Power off only the master Routing Engine or the

backup Routing Engine on the TX Matrix router (or switch-card chassis). If you issue the command from the master Routing Engine, the master SCC is powered off. If you issue the command from the backup Routing Engine, the backup SCC is powered off. sfc number—(Optional) (TX Matrix Plus router only) Power off only the master Routing

Engine or the backup Routing Engine on the TX Matrix Plus router (or switch-fabric chassis). If you issue the command from the master Routing Engine, the master SFC is powered off. If you issue the command from the backup Routing Engine, the backup SFC is powered off. Replace number with zero. slice slice—(EX Series and QFX Series switches only) (Optional) Power off a partition on

the boot media. This option has the following suboptions:


334

•


•


•


On a routing matrix composed of a TX Matrix router and T640 routers, if you issue the request system power-off command on the TX Matrix master Routing Engine, all the master Routing Engines connected to the routing matrix are powered off. If you issue this command on the backup Routing Engine, all the backup Routing Engines connected to the routing matrix are powered off.



Likewise, on a routing matrix composed of a TX Matrix Plus router and T1600 routers, if you issue the request system power-off command on the TX Matrix Plus master Routing Engine, all the master Routing Engines connected to the routing matrix are powered off. If you issue this command on the backup Routing Engine, all the backup Routing Engines connected to the routing matrix are powered off. If you issue the request system power-off both-routing-engines command on the TX Matrix or TX Matrix Plus router, all the Routing Engines on the routing matrix are powered off. Required Privilege Level List of Sample Output Output Fields

maintenance

request system power-off on page 335 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system power-off

user@host> request system power-off message “This router will be powered off in 30 minutes. Please save your data and log out immediately.” warning: This command will not halt the other routing-engine. If planning to switch off power, use the both-routing-engines option. Power Off the system ? [yes,no] (no) yes *** FINAL System shutdown message from remote@nutmeg *** System going down IMMEDIATELY This router will be powered off in 30 minutes. Please save your data and log out immediately. Shutdown NOW! [pid 5177]


335

®









Release Information

Description

336


request system reboot request system reboot

Command introduced before Junos OS Release 7.4. other-routing-engine option added in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Reboot the software.



Options

none—Reboot the software immediately. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

reboot all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, reboot all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

reboot all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, reboot all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Reboot the

software on all members of the Virtual Chassis configuration. at time—(Optional) Time at which to reboot the software, specified in one of the following

ways: •


•


•



hh:mm—Absolute time on the current day at which to stop the software, specified

in 24-hour time. in minutes—(Optional) Number of minutes from now to reboot the software. This option

is an alias for the at +minutes option. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

the number of a T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, the number of a T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Reboot the software

on the local Virtual Chassis member. media (compact-flash | disk | removable-compact-flash | usb)—(Optional) Boot medium

for next boot. (The options removable-compact-flash and usb pertain to the J Series routers only.) media (external | internal)—(EX Series switches and MX Series routers only) (Optional)

Reboot the boot media: •

external—Reboot the external mass storage device.

•

internal—Reboot the internal flash device.

member member-id—(EX4200 switches and MX Series routers only) (Optional) Reboot

the software on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1.


337

®


message "text"—(Optional) Message to display to all system users before stopping or

rebooting the software. other-routing-engine—(Optional) Reboot the other Routing Engine from which the

command is issued. For example, if you issue the command from the master Routing Engine, the backup Routing Engine is rebooted. Similarly, if you issue the command from the backup Routing Engine, the master Routing Engine is rebooted. partition—(TX Matrix Plus routers only) (Optional) Reboot using the specified partition

on the boot media. This option has the following suboptions: •


•


•


scc—(TX Matrix routers only) (Optional) Reboot the Routing Engine on the TX Matrix

router (or switch-card chassis). If you issue the command from re0, re0 is rebooted. If you issue the command from re1, re1 is rebooted. sfc number—(TX Matrix Plus routers only) (Optional) Reboot the Routing Engine on the

TX Matrix Plus router (or switch-fabric chassis). If you issue the command from re0, re0 is rebooted. If you issue the command from re1, re1 is rebooted. Replace number with 0. slice slice—(EX Series switches only) (Optional) Reboot a partition on the boot media.

This option has the following suboptions:


•


•


•


Reboot requests are recorded in the system log files, which you can view with the show log command (see show log). Also, the names of any running processes that are scheduled to be shut down are changed. You can view the process names with the show system processes command (see show system processes). On a TX Matrix or TX Matrix Plus router, if you issue the request system reboot command on the master Routing Engine, all the master Routing Engines connected to the routing matrix are rebooted. If you issue this command on the backup Routing Engine, all the backup Routing Engines connected to the routing matrix are rebooted.

NOTE: To reboot a router that has two Routing Engines, reboot the backup Routing Engine (if you have upgraded it) first, and then reboot the master Routing Engine.

338





Output Fields

maintenance

•


•

request system halt on page 326

•


•


request system reboot on page 339 request system reboot (at 2300) on page 339 request system reboot (in 2 Hours) on page 339 request system reboot (Immediately) on page 339 request system reboot (at 1:20 AM) on page 339 When you enter this command, you are provided feedback on the status of your request.












339

®



Release Information

Description


Command introduced in Junos OS Release 9.0 for EX Series switches. Option partition changed to slice in Junos OS Release 10.0 for EX Series switches. Reboot the Junos OS. Reboot requests are recorded in the system log files, which you can view with the show log command. You can view the process names with the show system processes command.

Options

none—Reboots the software immediately. all-members | local | member member-id—(EX4200 switch only) (Optional) Specify which

member of the Virtual Chassis to reboot: •

all-members—Reboots each switch that is a member of the Virtual Chassis.

•

local—Reboots the local switch, meaning the switch you are logged into, only.

•

member member-id—Reboots the specified member switch of the Virtual Chassis.

at time—(Optional) Time at which to reboot the software, specified in one of the following

ways: •


•

hh:mm—Absolute time on the current day at which to reboot the software, specified

in 24-hour time. •


•


month, day, hour, and minute. in minutes—(Optional) Number of minutes from now to reboot the software. This option

is an alias for the at +minutes option. media (external | internal)—(Optional) Boot medium for the next boot. The external

option reboots the switch using a software package stored on an external boot source, such as a USB flash drive. The internal option reboots the switch using a software package stored in an internal memory source. message “text”—(Optional) Message to display to all system users before rebooting the

software.

340



slice (1 | 2 | alternate)—(Optional) Reboot using the specified partition on the boot media.

This option has the following suboptions: •


•


•

alternate—Reboot from the alternate partition, which is the partition that did not

boot the switch at the last bootup.


maintenance

•














341

®


request system scripts convert Syntax

Release Information

Description

Options

request system scripts convert (slax-to-xslt | xslt-to-slax) source source/filename destination destination/

Command introduced in Junos OS Release 8.2. Command introduced in Junos OS Release 9.0 for EX Series switches. Convert an Extensible Stylesheet Language Transformations (XSLT) script to Stylesheet Language, Alternative syntaX (SLAX), or convert a SLAX script to XSLT. destination destination/—Specify a destination for the converted file.

Optionally, you can specify a filename for the converted file. If you do not specify a filename, the software assigns one automatically. The default destination filename is the same as the source filename, except the file extension is altered. For example, the software converts a source file called test.xsl to test.slax. The software converts a source file called test1.slax to test1.xsl. slax-to-xslt—Convert a SLAX script to XSLT. source source/filename—Specify a source file that you want to convert. xslt-to-slax—Convert an XSLT script to SLAX.


Output Fields

maintenance

request system scripts convert slax-to-xslt on page 342 request system scripts convert xslt-to-slax on page 342 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system scripts convert slax-to-xslt

user@host> request system scripts convert slax-to-xslt source /var/db/scripts/op/script1.slax destination /var/db/scripts/op conversion complete

request system scripts convert xslt-to-slax

user@host> request system scripts convert xslt-to-slax source /var/db/scripts/commit/script1.xsl destination /var/db/scripts/commit conversion complete

342



request system scripts refresh-from commit Syntax Release Information

Description

request system scripts refresh-from commit file file-name url url-path

Command introduced in Junos OS Release 10.1 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Automatically download the initial Junos OS configuration and a set of standard commit scripts during a Junos XML management protocol/NETCONF session when a switch is brought up for the first time. The Junos XML management protocol equivalent for this operational mode command is: commit file-name> URL

Options

file file-name—Name of the file to be downloaded. url url-path—URL of the file to be downloaded.



maintenance

•

Understanding Automatic Refreshing of Scripts on EX Series Switches on page 499

•

Junos OS Junos XML Management Protocol Guide

•

Junos OS NETCONF XML Management Protocol Guide

request system scripts refresh-from commit file config.txt url http://host1.juniper.net on page 343

Sample Output request system scripts refresh-from commit file config.txt url http://host1.juniper.net

user@switch> request system scripts refresh-from commit file config.txt url http://host1.juniper.net user@switch>


343

®


request system scripts refresh-from event Syntax Release Information

Description

request system scripts refresh-from event file file-name url url-path

Command introduced in Junos OS Release 10.1 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Automatically download the initial Junos OS configuration and a set of standard event scripts during a Junos XML management protocol/NETCONF session when a switch is brought up for the first time. The Junos XML management protocol equivalent for this operational mode command is: event file-name> URL

Options




maintenance

•


•


•


request system scripts refresh-from event file config.txt url http://host1.juniper.net on page 344

Sample Output request system scripts refresh-from event file config.txt url http://host1.juniper.net

344

user@switch> request system scripts refresh-from event file config.txt url http://host1.juniper.net user@switch>



request system scripts refresh-from op Syntax Release Information Description

request system scripts refresh-from op file file-name url url-path

Command introduced in Junos OS Release 10.1 for EX Series switches. Automatically download the initial Junos OS configuration and a set of standard op scripts during a Junos XML management protocol/NETCONF session when a switch is brought up for the first time. The Junos XML management protocol equivalent for this operational mode command is: op file-name> URL

Options




maintenance

•


•


•


request system scripts refresh-from op file config.txt url http://host1.juniper.net on page 345

Sample Output request system scripts refresh-from op file config.txt url http://host1.juniper.net

user@switch> request system scripts refresh-from op file config.txt url http://host1.juniper.net user@switch>


345

®


request system storage cleanup Syntax

request system storage cleanup





Syntax (QFX Series)


Release Information

Command introduced in Junos OS Release 7.4. dry-run option introduced in Junos OS Release 7.6. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Free storage space on the router or switch by rotating log files and proposing a list of files for deletion. User input is required for file deletion. On a QFabric switch, you can delete debug files located on individual devices or on the entire QFabric switch.

Options

all-members—(EX4200 switches and MX Series routers only) (Optional) Delete files on

all members of the Virtual Chassis configuration. component (UUID | serial number | all)—(QFabric switches only) (Optional) Delete files

located on individual QFabric switch devices or on the entire QFabric switch. director-group name—(QFabric switches only) (Optional) Delete files on the Director

group. dry-run—(Optional) List files proposed for deletion (without deleting them). infrastructure name—(QFabric switches only) (Optional) Delete files on the fabric control

Routing Engine and fabric manager Routing Engine.

346



interconnect-device name—(QFabric switches only) Optional) Delete files on the

Interconnect device. local—(EX4200 switches and MX Series routers only) (Optional) Delete files on the local

Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Delete

files on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. name-tag name-tag—(QFabric switches only) (Optional) Delete debug files that match

a specific regular expression. node-group name—(QFabric switches only) (Optional) Delete files on the Node group. prune—(QFabric switches only) (Optional) Delete debug files located in either the core

or log debug repositories of a QFabric switch device. qfabric component name—(QFabric switches only) (Optional) Delete debug files located

in the debug repositories of a QFabric switch device. repository (core | log)—(QFabric switches only) (Optional) Specify the repository on the

QFabric switch device for which you want to delete debug files. Additional Information


If logging is configured and being used, the dry-run option rotates the log files. In that case, the output displays the message “Currently rotating log files, please wait.” If no logging is currently under way, the output displays only a list of files to delete. maintenance


request system storage cleanup dry-run on page 348 request system storage cleanup on page 349 request system storage cleanup director-group (QFabric Switches) on page 349 request system storage cleanup infrastructure device-name (QFabric Switches) on page 351 request system storage cleanup interconnect-device device-name (QFabric Switches) on page 351 request system storage cleanup node-group group-name (QFabric Switches) on page 353 request system storage cleanup qfabric component device-name (QFabric Switches) on page 353 request system storage cleanup qfabric component device-name repository core (QFabric Switches) on page 354 request system storage cleanup qfabric component all (QFabric Switches) on page 354

Output Fields

Table 60 on page 348 describes the output fields for the request system storage cleanup command. Output fields are listed in the approximate order in which they appear.


347

®


Table 60: request system storage cleanup Output Fields Field Name

Field Description

List of files to delete:

Shows list of files available for deletion.

Size

Size of the core-dump file.

Date

Last core-dump file modification date and time.

Name

Name of the core-dump file.

Directory to delete:

Shows list of directories available for deletion.

Repository scope:

Repository where core-dump files and log files are stored. The core-dump files are located in the core repository, and the log files are located in the log repository. The default Repository scope is shared since both the core and log repositories are shared by all of the QFabric switch devices.

Repository head:

Name of the top-level repository location.

Repository name:

Name of the repository: core or log.

Creating list of debug artifacts to be removed under:

Shows location of files available for deletion.

List of debug artifacts to be removed under:

Shows list of files available for deletion.

Sample Output request system storage cleanup dry-run

user@host> request system storage cleanup dry-run Currently rotating log files, please wait. This operation can take up to a minute. List of files to delete:

11.4K 7245B 11.8K 3926B 3962B 4146B 4708B 7068B 13.7K 890B 65.8M 63.1M

348

Size Date Mar 8 15:00 Feb 5 15:00 Feb 22 13:00 Mar 16 13:57 Feb 22 12:47 Mar 8 12:20 Dec 21 11:39 Jan 16 18:00 Dec 27 22:00 Feb 22 17:22 Oct 26 09:10 Oct 26 09:13

Name /var/log/messages.1.gz /var/log/messages.3.gz /var/log/messages.2.gz /var/log/messages.0.gz /var/log/sampled.1.gz /var/log/sampled.0.gz /var/log/sampled.2.gz /var/log/messages.4.gz /var/log/messages.5.gz /var/tmp/sampled.pkts /var/sw/pkg/jinstall-7.4R1.7-export-signed.tgz /var/sw/pkg/jbundle-7.4R1.7.tgz




user@host> request system storage cleanup Currently rotating log files, please wait. This operation can take up to a minute. List of files to delete: Size Date Mar 8 15:00 Feb 5 15:00 Feb 22 13:00 Mar 16 13:57 Mar 8 15:00 Feb 5 15:00 Feb 22 13:00 Mar 16 13:57 Feb 22 12:47 Mar 8 12:20 Dec 21 11:39 Jan 16 18:00 Dec 27 22:00 Feb 22 17:22 Oct 26 09:10 Oct 26 09:13

11.4K 7245B 11.8K 3926B 11.6K 7254B 12.9K 3726B 3962B 4146B 4708B 7068B 13.7K 890B 65.8M 63.1M

Name /var/log/messages.1.gz /var/log/messages.3.gz /var/log/messages.2.gz /var/log/messages.0.gz /var/log/messages.5.gz /var/log/messages.6.gz /var/log/messages.8.gz /var/log/messages.7.gz /var/log/sampled.1.gz /var/log/sampled.0.gz /var/log/sampled.2.gz /var/log/messages.4.gz /var/log/messages.5.gz /var/tmp/sampled.pkts /var/sw/pkg/jinstall-7.4R1.7-export-signed.tgz /var/sw/pkg/jbundle-7.4R1.7.tgz

Delete these files ? [yes,no] (yes)

request system storage cleanup director-group (QFabric Switches)

user@switch> request system storage cleanup director-group List of files to delete:

4.0K 4.0K 4.0K 4.0K 0 1.3M 4.0K 4.0K 9.6M 4.0K 248K 4.0K 4.0K 8.0K 0 4.0K 0 4.0K 4.0K 160K 38M 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 8.0K 4.0K 0 4.0K


Size Date Name 2011-11-07 05:16:29 /tmp/2064.sfcauth 2011-11-07 05:07:34 /tmp/30804.sfcauth 2011-11-07 04:13:41 /tmp/26792.sfcauth 2011-11-07 04:13:39 /tmp/26432.sfcauth 2011-11-07 07:45:40 /tmp/cluster_cleanup.log 2011-11-07 07:39:11 /tmp/cn_monitor.20111107-052401.log 2011-11-07 07:36:29 /tmp/clustat.28019.log 2011-11-07 07:36:29 /tmp/clustat_x.28019.log 2011-11-07 05:30:24 /tmp/sfc.2.log 2011-11-07 05:28:11 /tmp/mgd-init.1320672491.log 2011-11-07 05:19:24 /tmp/cn_monitor.20111107-045111.log 2011-11-07 05:17:18 /tmp/clustat.3401.log 2011-11-07 05:17:18 /tmp/clustat_x.3401.log 2011-11-07 04:58:25 /tmp/mgd-init.1320670633.log 2011-11-07 04:54:01 /tmp/mysql_db_install_5.1.37.log 2011-11-07 04:52:08 /tmp/cn_send.log 2011-11-07 04:52:00 /tmp/init_eth0.log 2011-11-07 04:49:35 /tmp/install_interfaces.sh.log 2011-11-07 04:48:15 /tmp/bootstrap.sh.log 2011-11-07 04:47:43 /tmp/bootstrap_cleanup.log 2011-11-07 04:42:42 /tmp/cn_monitor.20111104-110308.log 2011-11-07 04:38:47 /tmp/clustat.30913.log 2011-11-07 04:38:47 /tmp/clustat_x.30913.log 2011-11-07 04:38:03 /tmp/dcf_upgrade.sh.remove.log 2011-11-07 04:38:03 /tmp/peer_update.log 2011-11-07 04:38:02 /tmp/dcf_upgrade.log 2011-11-07 04:38:02 /tmp/perl_mark_upgrade.log 2011-11-07 04:13:42 /tmp/install_dcf_rpm.log 2011-11-07 04:13:06 /tmp/00_cleanup.sh.1320667986.log 2011-11-07 04:13:06 /tmp/ccif_patch_4410_4450.sh.1320667986.log 2011-11-07 04:13:06 /tmp/dcf-tools.sh.1320667986.log

349

®


0 0 4.0K 4.0K 8.0K 8.0K 4.0K 8.0K 8.0K 4.0K 8.0K 4.0K 4.0K 8.0K

2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-07 2011-11-04

04:13:06 04:13:06 04:13:06 04:13:06 04:13:05 11:10:24 11:07:03 10:55:07 10:55:07 10:55:07 10:55:07 10:54:09 04:13:06 10:55:07

Directory to delete: 45M 2011-11-08 10:57:43

/tmp/initial.sh.1320667986.log /tmp/inventory.sh.1320667986.log /tmp/qf-db.sh.1320667986.log /tmp/sfc.sh.1320667986.log /tmp/jinstall-qfabric.log /tmp/mgd-init.1320430192.log /tmp/mysql_dcf_db_install.log /tmp/ccif_patch_4410_4450.sh.1320429307.log /tmp/initial.sh.1320429307.log /tmp/inventory.sh.1320429307.log /tmp/sfc.sh.1320429307.log /tmp/ks-script-Ax0tz5.log /tmp//sfc.sh.1320667986.log /tmp//sfc.sh.1320429307.log

/tmp/sfc-captures


4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 4.0K 824K 4.0K 4.0K 4.0K 4.0K 92K 4.0K 4.0K 8.0K 4.0K 0 4.0K 4.0K 160K 28M 4.0K 4.0K 4.0K 4.0K 12K 4.0K

350

Size Date Name 2011-11-08 05:47:47 /tmp/5713.sfcauth 2011-11-08 05:14:32 /tmp/14494.sfcauth 2011-11-08 05:11:47 /tmp/9978.sfcauth 2011-11-08 05:09:37 /tmp/6128.sfcauth 2011-11-08 05:04:28 /tmp/29703.sfcauth 2011-11-07 11:59:10 /tmp/7811.sfcauth 2011-11-07 11:36:08 /tmp/32415.sfcauth 2011-11-07 11:30:30 /tmp/22406.sfcauth 2011-11-07 11:24:37 /tmp/12131.sfcauth 2011-11-07 10:48:42 /tmp/12687.sfcauth 2011-11-07 09:27:20 /tmp/31082.sfcauth 2011-11-07 07:33:58 /tmp/14633.sfcauth 2011-11-07 05:08:25 /tmp/15447.sfcauth 2011-11-07 04:12:29 /tmp/26874.sfcauth 2011-11-07 04:12:27 /tmp/26713.sfcauth 2011-11-07 03:49:17 /tmp/17691.sfcauth 2011-11-05 01:32:23 /tmp/5716.sfcauth 2011-11-07 08:00:17 /tmp/sfcsnmpd.log 2011-11-07 07:57:50 /tmp/cluster_cleanup.log 2011-11-07 07:38:37 /tmp/cn_monitor.20111107-053643.log 2011-11-07 07:36:30 /tmp/clustat.18399.log 2011-11-07 07:36:30 /tmp/clustat_x.18399.log 2011-11-07 07:35:47 /tmp/command_lock.log 2011-11-07 05:39:54 /tmp/mgd-init.1320673194.log 2011-11-07 05:19:25 /tmp/cn_monitor.20111107-050412.log 2011-11-07 05:17:20 /tmp/clustat.30115.log 2011-11-07 05:17:20 /tmp/clustat_x.30115.log 2011-11-07 05:08:07 /tmp/mgd-init.1320671241.log 2011-11-07 05:04:57 /tmp/cn_send.log 2011-11-07 05:04:52 /tmp/init_eth0.log 2011-11-07 05:02:38 /tmp/install_interfaces.sh.log 2011-11-07 05:01:19 /tmp/bootstrap.sh.log 2011-11-07 05:00:47 /tmp/bootstrap_cleanup.log 2011-11-07 04:42:27 /tmp/cn_monitor.20111104-112954.log 2011-11-07 04:38:49 /tmp/clustat.6780.log 2011-11-07 04:38:49 /tmp/clustat_x.6780.log 2011-11-07 04:38:05 /tmp/issue_event.log 2011-11-07 04:38:05 /tmp/peer_upgrade_reboot.log 2011-11-07 04:38:05 /tmp/primary_update.log 2011-11-07 04:38:04 /tmp/dcf_upgrade.sh.remove.log



4.0K 4.0K 4.0K 0 0 4.0K 4.0K 4.0K 0 8.0K 4.0K 8.0K 8.0K 8.0K 4.0K 8.0K 4.0K 4.0K 8.0K

2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-07 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-04 2011-11-07 2011-11-04

04:38:04 04:13:42 04:11:57 04:11:57 04:11:57 04:11:57 04:11:57 04:11:56 04:11:56 04:11:56 04:11:33 11:53:12 11:06:17 11:06:17 11:06:17 11:06:17 11:05:19 04:11:57 11:06:17

Directory to delete: 49M 2011-11-08 10:45:20

request system storage cleanup infrastructure device-name (QFabric Switches)

/tmp/peer_rexec_upgrade.log /tmp/peer_install_dcf_rpm.log /tmp/dcf-tools.sh.1320667917.log /tmp/initial.sh.1320667917.log /tmp/inventory.sh.1320667917.log /tmp/qf-db.sh.1320667917.log /tmp/sfc.sh.1320667917.log /tmp/00_cleanup.sh.1320667916.log /tmp/ccif_patch_4410_4450.sh.1320667916.log /tmp/jinstall-qfabric.log /tmp/dcf_upgrade.log /tmp/mgd-init.1320432782.log /tmp/ccif_patch_4410_4450.sh.1320429977.log /tmp/initial.sh.1320429977.log /tmp/inventory.sh.1320429977.log /tmp/sfc.sh.1320429977.log /tmp/ks-script-_tnWeb.log /tmp//sfc.sh.1320667917.log /tmp//sfc.sh.1320429977.log

/tmp/sfc-captures

user@switch> request system storage cleanup infrastructure FC-0 re0: -------------------------------------------------------------------------List of files to delete: Size Date Name 139B Nov 8 19:03 /var/log/default-log-messages.0.gz 5602B Nov 8 19:03 /var/log/messages.0.gz 28.4K Nov 8 10:15 /var/log/messages.1.gz 35.2K Nov 7 13:45 /var/log/messages.2.gz 207B Nov 7 16:02 /var/log/wtmp.0.gz 27B Nov 7 12:14 /var/log/wtmp.1.gz 184.4M Nov 7 12:16 /var/sw/pkg/jinstall-dc-re-11.3I20111104_1216_dc-builder-domestic-signed.tgz 124.0K Nov 7 15:59 /var/tmp/gres-tp/env.dat 0B Nov 7 12:57 /var/tmp/gres-tp/lock 155B Nov 7 16:02 /var/tmp/krt_gencfg_filter.txt 0B Nov 7 12:35 /var/tmp/last_ccif_update 1217B Nov 7 12:15 /var/tmp/loader.conf.preinstall 184.4M Nov 6 07:11 /var/tmp/mchassis-install.tgz 10.8M Nov 7 12:16 /var/tmp/preinstall/bootstrap-install-11.3I20111104_1216_dc-builder.tar 57.4K Nov 7 12:16 /var/tmp/preinstall/configs-11.3I20111104_1216_dc-builder.tgz 259B Nov 7 12:16 /var/tmp/preinstall/install.conf 734.3K Nov 4 13:46 /var/tmp/preinstall/jboot-dc-re-11.3I20111104_1216_dc-builder.tgz 177.8M Nov 7 12:16 /var/tmp/preinstall/jbundle-dc-re-11.3I20111104_1216_dc-builder-domestic.tgz 124B Nov 7 12:15 /var/tmp/preinstall/metatags 1217B Nov 7 12:16 /var/tmp/preinstall_boot_loader.conf 0B Nov 7 16:02 /var/tmp/rtsdb/if-rtsdb

request system storage cleanup interconnect-device

user@switch> request system storage cleanup interconnect IC-WS001 re1: --------------------------------------------------------------------------


351

®


device-name (QFabric Switches)


11B 128B 9965B 15.8K 15.8K 15.7K 15.8K 15.7K 18.7K 17.6K 58.3K 20.3K 90B 57B 124.0K 0B 0B 12.0K 132.0K 2688.0K 2048.0K 730B 155B 0B

Size Date Nov 7 15:55 Nov 8 19:06 Nov 8 19:06 Nov 8 12:30 Nov 8 11:00 Nov 8 07:30 Nov 8 04:00 Nov 8 00:30 Nov 7 21:00 Nov 7 19:00 Nov 7 16:00 Nov 7 15:15 Nov 7 15:41 Nov 7 12:41 Nov 7 15:42 Nov 7 12:40 Nov 7 12:41 Nov 7 15:41 Nov 7 15:55 Nov 7 15:41 Nov 7 15:41 Nov 7 19:57 Nov 7 15:53 Nov 7 15:41

Name /var/jail/tmp/alarmd.ts /var/log/default-log-messages.0.gz /var/log/messages.0.gz /var/log/messages.1.gz /var/log/messages.2.gz /var/log/messages.3.gz /var/log/messages.4.gz /var/log/messages.5.gz /var/log/messages.6.gz /var/log/messages.7.gz /var/log/messages.8.gz /var/log/messages.9.gz /var/log/wtmp.0.gz /var/log/wtmp.1.gz /var/tmp/gres-tp/env.dat /var/tmp/gres-tp/lock /var/tmp/if-rtsdb/env.lck /var/tmp/if-rtsdb/env.mem /var/tmp/if-rtsdb/shm_usr1.mem /var/tmp/if-rtsdb/shm_usr2.mem /var/tmp/if-rtsdb/trace.mem /var/tmp/juniper.conf+.gz /var/tmp/krt_gencfg_filter.txt /var/tmp/rtsdb/if-rtsdb

re0: -------------------------------------------------------------------------List of files to delete:

11B 121B 16.7K 22.2K 18.4K 21.6K 17.9K 19.4K 18.2K 20.4K 21.4K 21.0K 19.9K 203B 57B 124.0K 0B 0B 12.0K 132.0K 2688.0K 2048.0K 727B 155B 0B

352

Size Date Nov 7 15:55 Nov 8 19:06 Nov 8 19:06 Nov 8 17:45 Nov 8 17:00 Nov 8 16:00 Nov 8 14:30 Nov 8 13:30 Nov 8 12:30 Nov 8 11:30 Nov 8 10:15 Nov 8 09:00 Nov 8 08:13 Nov 8 15:36 Nov 7 12:41 Nov 7 15:42 Nov 7 12:40 Nov 7 12:41 Nov 7 15:41 Nov 7 15:55 Nov 7 15:41 Nov 7 15:41 Nov 7 15:54 Nov 7 15:55 Nov 7 15:41

Name /var/jail/tmp/alarmd.ts /var/log/default-log-messages.0.gz /var/log/messages.0.gz /var/log/messages.1.gz /var/log/messages.2.gz /var/log/messages.3.gz /var/log/messages.4.gz /var/log/messages.5.gz /var/log/messages.6.gz /var/log/messages.7.gz /var/log/messages.8.gz /var/log/messages.9.gz /var/log/snmp-traps.0.gz /var/log/wtmp.0.gz /var/log/wtmp.1.gz /var/tmp/gres-tp/env.dat /var/tmp/gres-tp/lock /var/tmp/if-rtsdb/env.lck /var/tmp/if-rtsdb/env.mem /var/tmp/if-rtsdb/shm_usr1.mem /var/tmp/if-rtsdb/shm_usr2.mem /var/tmp/if-rtsdb/trace.mem /var/tmp/juniper.conf+.gz /var/tmp/krt_gencfg_filter.txt /var/tmp/rtsdb/if-rtsdb



request system storage cleanup node-group group-name (QFabric Switches)

user@switch> request system storage cleanup node-group NW-NG-0 BBAK0372: -------------------------------------------------------------------------List of files to delete:

126B 179B 22.9K 26.5K 20.5K 33.2K 35.5K 339B 58B 124.0K 0B 0B 12.0K 2688.0K 132.0K 2048.0K 1082B 155B 0B

Size Date Nov 8 19:07 Nov 7 13:32 Nov 8 19:07 Nov 8 17:30 Nov 8 13:15 Nov 7 17:45 Nov 7 15:45 Nov 8 17:10 Nov 7 12:40 Nov 8 17:08 Nov 7 12:39 Nov 7 12:59 Nov 8 17:09 Nov 8 17:09 Nov 8 17:09 Nov 8 17:09 Nov 8 17:09 Nov 7 17:39 Nov 8 17:09

Name /var/log/default-log-messages.0.gz /var/log/install.0.gz /var/log/messages.0.gz /var/log/messages.1.gz /var/log/messages.2.gz /var/log/messages.3.gz /var/log/messages.4.gz /var/log/wtmp.0.gz /var/log/wtmp.1.gz /var/tmp/gres-tp/env.dat /var/tmp/gres-tp/lock /var/tmp/if-rtsdb/env.lck /var/tmp/if-rtsdb/env.mem /var/tmp/if-rtsdb/shm_usr1.mem /var/tmp/if-rtsdb/shm_usr2.mem /var/tmp/if-rtsdb/trace.mem /var/tmp/juniper.conf+.gz /var/tmp/krt_gencfg_filter.txt /var/tmp/rtsdb/if-rtsdb

EE3093: -------------------------------------------------------------------------List of files to delete:

11B 119B 180B 178B 2739B 29.8K 31.8K 20.6K 15.4K 15.4K 25.5K 48.0K 32.8K 684B 58B 124.0K 0B 0B 12.0K 2688.0K 132.0K 2048.0K 155B 0B


Size Date Nov 8 17:33 Nov 8 19:08 Nov 7 17:41 Nov 7 13:32 Nov 8 19:08 Nov 8 18:45 Nov 8 17:15 Nov 8 16:00 Nov 8 10:15 Nov 8 02:15 Nov 7 20:45 Nov 7 17:45 Nov 7 13:45 Nov 8 17:02 Nov 7 12:40 Nov 7 17:34 Nov 7 12:40 Nov 7 12:59 Nov 7 17:39 Nov 7 17:39 Nov 7 17:40 Nov 7 17:39 Nov 7 17:40 Nov 7 17:39

Name /var/jail/tmp/alarmd.ts /var/log/default-log-messages.0.gz /var/log/install.0.gz /var/log/install.1.gz /var/log/messages.0.gz /var/log/messages.1.gz /var/log/messages.2.gz /var/log/messages.3.gz /var/log/messages.4.gz /var/log/messages.5.gz /var/log/messages.6.gz /var/log/messages.7.gz /var/log/messages.8.gz /var/log/wtmp.0.gz /var/log/wtmp.1.gz /var/tmp/gres-tp/env.dat /var/tmp/gres-tp/lock /var/tmp/if-rtsdb/env.lck /var/tmp/if-rtsdb/env.mem /var/tmp/if-rtsdb/shm_usr1.mem /var/tmp/if-rtsdb/shm_usr2.mem /var/tmp/if-rtsdb/trace.mem /var/tmp/krt_gencfg_filter.txt /var/tmp/rtsdb/if-rtsdb

user@switch> request system storage cleanup qfabric component A0001/YA0197 Repository type: regular Repository head: /pbstorage


353

®


qfabric component device-name (QFabric Switches)

Creating list of debug artifacts to be removed under: /pbstorage/rdumps/A0001/YA0197 Removing debug artifacts ... (press control C to abort) Removing /pbstorage/rdumps/A0001/YA0197/cosd.core.0.0.05162011123308.gz ... done Removing /pbstorage/rdumps/A0001/YA0197/cosd.core.1.0.05162011123614.gz ... done Removing /pbstorage/rdumps/A0001/YA0197/cosd.core.2.0.05162011123920.gz ... done Removing /pbstorage/rdumps/A0001/YA0197/livekcore.05132011163930.gz ... done Removing /pbstorage/rdumps/A0001/YA0197/tnetd.core.0.1057.05162011124500.gz ... done Removing /pbstorage/rdumps/A0001/YA0197/vmcore.05132011120528.gz ... done Removing /pbstorage/rdumps/A0001/YA0197/vmcore.kz ... done Creating list of debug artifacts to be removed under: /pbstorage/rlogs/A0001/YA0197 Removing debug artifacts ... (press control C to abort) Removing /pbstorage/rlogs/A0001/YA0197/kdumpinfo.05132011120528 ... done Removing /pbstorage/rlogs/A0001/YA0197/kernel.tarball.0.1039.05122011234415.tgz ... done Removing /pbstorage/rlogs/A0001/YA0197/kernel.tarball.1.1039.05132011175544.tgz ... done Removing /pbstorage/rlogs/A0001/YA0197/tnetd.tarball.0.1057.05162011175453.tgz ... done

request system storage cleanup qfabric component device-name repository core (QFabric Switches)

user@switch> request system storage cleanup qfabric component EE3093 repository core Repository scope: shared Repository head: /pbdata/export Repository name: core Creating list of debug artifacts to be removed under: /pbdata/export/rdumps/EE3093 NOTE: core repository under /pbdata/export/rdumps/EE3093 empty

request system storage cleanup qfabric component all (QFabric Switches)

user@switch> request system storage cleanup qfabric component all Repository scope: shared Repository head: /pbdata/export Creating list of debug artifacts to be removed under: /pbdata/export/rdumps NOTE: core repository under /pbdata/export/rdumps/all empty Creating list of debug artifacts to be removed under: /pbdata/export/rlogs List of debug artifacts to clean up ... (press control C to abort) /pbdata/export/rlogs/73747cd8-0710-11e1-b6a4-00e081c5297e/install-11072011125819.log /pbdata/export/rlogs/77116f18-0710-11e1-a2a0-00e081c5297e/install-11072011125819.log /pbdata/export/rlogs/BBAK0372/install-11072011121538.log /pbdata/export/rlogs/BBAK0394/install-11072011121532.log /pbdata/export/rlogs/EE3093/install-11072011121536.log /pbdata/export/rlogs/WS001/YN5999/install-11072011121644.log /pbdata/export/rlogs/WS001/YW3803/install-11072011122429.log /pbdata/export/rlogs/cd78871a-0710-11e1-878e-00e081c5297e/install-11072011125932.log /pbdata/export/rlogs/d0afda1e-0710-11e1-a1d0-00e081c5297e/install-11072011125930.log /pbdata/export/rlogs/d0afda1e-0710-11e1-a1d0-00e081c5297e/install-11072011133211.log /pbdata/export/rlogs/d0afda1e-0710-11e1-a1d0-00e081c5297e/install-11072011155302.log /pbdata/export/rlogs/d31ab7a6-0710-11e1-ad1b-00e081c5297e/install-11072011125931.log /pbdata/export/rlogs/d4d0f254-0710-11e1-90c3-00e081c5297e/install-11072011125932.log

354



restart Syntax

restart


restart

Syntax (TX Matrix Routers)

restart

Syntax (TX Matrix Plus Routers)

restart


355

®


Syntax (MX Series Routers)

restart


restart

Syntax (QFX Series)

restart | routing | sampling |secure-neighbor-discovery | service-deployment | snmp | usb-control | web-management>

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Options added:

356

•

dynamic-flow-capture in Junos OS Release 7.4.

•

dlsw in Junos OS Release 7.5.

•

event-processing in Junos OS Release 7.5.



Description

•

ppp in Junos OS Release 7.5.

•

l2ald in Junos OS Release 8.0.

•

link-management in Release 8.0.

•

pgcp-service in Junos OS Release 8.4.

•

sbc-configuration-process in Junos OS Release 9.5.

•

services pgcp gateway in Junos OS Release 9.6.

•

sfc and all-sfc for the TX Matrix Router in Junos OS Release 9.6.

Restart a Junos OS process.

CAUTION: Never restart a software process unless instructed to do so by a customer support engineer. A restart might cause the router or switch to drop calls and interrupt transmission, resulting in possible loss of data.

Options

none—Same as gracefully. adaptive-services—(Optional) Restart the configuration management process that

manages the configuration for stateful firewall, Network Address Translation (NAT), intrusion detection services (IDS), and IP Security (IPsec) services on the Adaptive Services PIC. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Restart the software

process on all chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) For a TX Matrix router,

restart the software process on all T640 routers connected to the TX Matrix router. For a TX Matrix Plus router, restart the software process on all T1600 routers connected to the TX Matrix Plus router. all-members—(MX Series routers only) (Optional) Restart the software process for all

members of the Virtual Chassis configuration. all-sfc—(TX Matrix Plus routers only) (Optional) For a TX Matrix Plus router, restart the

software processes for the TX Matrix Plus router (or switch-fabric chassis). ancpd-service—(Optional) Restart the Access Node Control Protocol (ANCP) process,

which works with a special Internet Group Management Protocol (IGMP) session to collect outgoing interface mapping events in a scalable manner. application-identification—(Optional) Restart the process that identifies an application

using intrusion detection and prevention (IDP) to allow or deny traffic based on applications running on standard or nonstandard ports.


357

®


audit-process—(Optional) Restart the RADIUS accounting process that gathers statistical

data that can be used for general network monitoring, analyzing and tracking usage patterns, for billing a user based upon the amount of time or type of services accessed. auto-configuration—(Optional) Restart the Interface Auto-Configuration process. autoinstallation—(EX Series switches only) (Optional) Restart the autoinstallation

process. captive-portal-content-delivery—(Optional) Restart the HTTP redirect service by specifying

the location to which a subscriber's initial Web browser session is redirected, enabling initial provisioning and service selection for the subscriber. ce-l2tp-service—(M10, M10i, M7i, and MX Series routers only) (Optional) Restart the

Universal Edge Layer 2 Tunneling Protocol (L2TP) process, which establishes L2TP tunnels and Point-to-Point Protocol (PPP) sessions through L2TP tunnels. chassis-control—(Optional) Restart the chassis management process. class-of-service—(Optional) Restart the class-of-service (CoS) process, which controls

the router's or switch’s CoS configuration. clksyncd-service—(Optional) Restart the external clock synchronization process, which

uses synchronous Ethernet (SyncE). database-replication—(EX Series switches and MX Series routers) (Optional) Restart

the database replication process. datapath-trace-service—(Optional) Restart the packet path tracing process. dhcp—(J Series routers and EX Series switches only) (Optional) Restart the software

process for a Dynamic Host Configuration Protocol (DHCP) server. A DHCP server allocates network IP addresses and delivers configuration settings to client hosts without user intervention. dhcp-service— (Optional) Restart the Dynamic Host Configuration Protocol process. dialer-services—(J Series routers and EX Series switches only) (Optional) Restart the

ISDN dial-out process. diameter-service—(Optional) Restart the diameter process. disk-monitoring—(Optional) Restart disk monitoring, which checks the health of the hard

disk drive on the Routing Engine. dlsw—(J Series routers and QFX Series only) (Optional) Restart the data link switching

(DLSw) service. dot1x-protocol—(EX Series switches only) (Optional) Restart the port-based network

access control process. dynamic-flow-capture—(Optional) Restart the dynamic flow capture (DFC) process,

which controls DFC configurations on Monitoring Services III PICs.

358



ecc-error-logging—(Optional) Restart the error checking and correction (ECC) process,

which logs ECC parity errors in memory on the Routing Engine. ethernet-connectivity-fault-management—(Optional) Restart the process that provides

IEEE 802.1ag Operation, Administration, and Management (OAM) connectivity fault management (CFM) database information for CFM maintenance association end points (MEPs) in a CFM session. ethernet-link-fault-management—(EX Series switches and MX Series routers only)

(Optional) Restart the process that provides the OAM link fault management (LFM) information for Ethernet interfaces. ethernet-switching—(EX Series switches only) (Optional) Restart the Ethernet switching

process. event-processing—(Optional) Restart the event process (eventd). fibre-channel—(QFX Series only) (Optional) Restart the Fibre Channel process. firewall—(Optional) Restart the firewall management process, which manages the

firewall configuration and enables accepting or rejecting packets that are transiting an interface on a router or switch. general-authentication-service—(EX Series switches and MX Series routers) (Optional)

Restart the general authentication process. gracefully—(Optional) Restart the software process. iccp-service—(Optional) Restart the Inter-Chassis Communication Protocol (ICCP)

process. idp-policy—(Optional) Restart the intrusion detection and prevention (IDP) protocol

process. immediately—(Optional) Immediately restart the software process. interface-control—(Optional) Restart the interface process, which controls the router's

or switch’s physical interface devices and logical interfaces. ipsec-key-management—(Optional) Restart the IPsec key management process. isdn-signaling—(J Series routers and QFX Series only) (Optional) Restart the ISDN

signaling process, which initiates ISDN connections. kernel-replication—(Optional) Restart the kernel replication process, which replicates

the state of the backup Routing Engine when graceful Routing Engine switchover (GRES) is configured. l2-learning—(Optional) Restart the Layer 2 address flooding and learning process. l2cpd-service—(Optional) Restart the Layer 2 Control Protocol process, which enables

features such as Layer 2 protocol tunneling and nonstop bridging.


359

®


l2tp-service— (M10, M10i, M7i, and MX Series routers only) (Optional) Restart the Layer 2

Tunneling Protocol (L2TP) process, which sets up client services for establishing Point-to-Point Protocol (PPP) tunnels across a network and negotiating Multilink PPP if it is implemented. l2tp-universal-edge—(MX Series routers) (Optional) Restart the L2TP process, which

establishes L2TP tunnels and PPPsessions through L2TP tunnels. lacp—(Optional) Restart the Link Aggregation Control Protocol (LACP) process. LACP

provides a standardized means for exchanging information between partner systems on a link to allow their link aggregation control instances to reach agreement on the identity of the LAG to which the link belongs, and then to move the link to that LAG, and to enable the transmission and reception processes for the link to function in an orderly manner. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) For a TX Matrix router,

restart the software process for a specific T640 router that is connected to the TX Matrix router. For a TX Matrix Plus router, restart the software process for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. license-service—(EX Series switches) (Optional) Restart the feature license management

process. link-management— (TX Matrix and TX Matrix Plus routers and EX Series switches only)

(Optional) Restart the Link Management Protocol (LMP) process, which establishes and maintains LMP control channels. lldpd-service—(EX Series switches only) (Optional) Restart the Link Layer Discovery

Protocol (LLDP) process. local—(MX Series routers only) (Optional) Restart the software process for the local

Virtual Chassis member. local-policy-decision-function— (Optional) Restart the process for the Local Policy

Decision Function, which regulates collection of statistics related to applications and application groups and tracking of information about dynamic subscribers and static interfaces. mac-validation— (Optional) Restart the Media Access Control (MAC) validation process,

which configures MAC address validation for subscriber interfaces created on demux interfaces in dynamic profiles on MX Series routers. member member-id—(MX Series routers only) (Optional) Restart the software process

for a specific member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. mib-process—(Optional) Restart the Management Information Base (MIB) version II

process, which provides the router's MIB II agent. mobile-ip—(Optional) Restart the Mobile IP process, which configures Junos OS Mobile

IP features.

360



mountd-service—(EX Series switches and MX Series router) (Optional) Restart the service

for NFS mount requests. mpls-traceroute—(Optional) Restart the MPLS Periodic Traceroute process. mspd—(Optional) Restart the Multiservice process. multicast-snooping—(EX Series switches and MX Series routers) (Optional) Restart the

multicast snooping process, which makes Layer 2 devices, such as VLAN switches, aware of Layer 3 information, such as the media access control (MAC) addresses of members of a multicast group. named-service—(Optional) Restart the DNS Server process, which is used by a router or

a switch to resolve hostnames into addresses. network-access-service—(J Series routers and QFX Series only) (Optional) Restart the

network access process, which provides the router's Challenge Handshake Authentication Protocol (CHAP) authentication service. nfsd-service—(Optional) Restart the Remote NFS Server process, which provides remote

file access for applications that need NFS-based transport. packet-triggered-subscribers—(Optional) Restart the packet-triggered subscribers and

policy control (PTSP) process, which allows the application of policies to dynamic subscribers that are controlled by a subscriber termination device. peer-selection-service—(Optional) Restart the Peer Selection Service process. pgcp-service—(Optional) Restart the pgcpd service process running on the Routing

Engine. This option does not restart pgcpd processes running on mobile station PICs. To restart pgcpd processes running on mobile station PICs, use the services pgcp gateway option. pgm—(Optional) Restart the process that implements the Pragmatic General Multicast

(PGM) protocol for assisting in the reliable delivery of multicast packets. pic-services-logging—(Optional) Restart the logging process for some PICs. With this

process, also known as fsad (the file system access daemon), PICs send special logging information to the Routing Engine for archiving on the hard disk. pki-service—(Optional) Restart the PKI Service process. ppp—(Optional) Restart the Point-to-Point Protocol (PPP) process, which is the

encapsulation protocol process for transporting IP traffic across point-to-point links. ppp-service—(Optional) Restart the Universal edge PPP process, which is the

encapsulation protocol process for transporting IP traffic across universal edge routers. pppoe—(Optional) Restart the Point-to-Point Protocol over Ethernet (PPPoE) process,

which combines PPP that typically runs over broadband connections with the Ethernet link-layer protocol that allows users to connect to a network of hosts over a bridge or access concentrator.


361

®


protected-system-domain-service—(Optional) Restart the Protected System Domain

(PSD) process. redundancy-interface-process—(Optional) Restart the ASP redundancy process. remote-operations—(Optional) Restart the remote operations process, which provides

the ping and traceroute MIBs. root-system-domain-service—(Optional) Restart the Root System Domain (RSD) service. routing—(QFX Series, EX Series switches, and MX Series routers only) (Optional) Restart

the routing protocol process. routing —(Optional) Restart the routing protocol

process, which controls the routing protocols that run on the router or switch and maintains the routing tables. Optionally, restart the routing protocol process for the specified logical system only. sampling—(Optional) Restart the sampling process, which performs packet sampling

based on particular input interfaces and various fields in the packet header. sbc-configuration-process—(Optional) Restart the session border controller (SBC) process

of the border signaling gateway (BSG). scc—(TX Matrix routers only) (Optional) Restart the software process on the TX Matrix

router (or switch-card chassis). sdk-service—(Optional) Restart the SDK Service process, which runs on the Routing

Engine and is responsible for communications between the SDK application and Junos OS. Although the SDK Service process is present on the router, it is turned off by default. secure-neighbor-discovery—(QFX Series, EX Series switches, and MX Series routers only)

(Optional) Restart the secure Neighbor Discovery Protocol (NDP) process, which provides support for protecting NDP messages. sfc number—(TX Matrix Plus routers only) (Optional) Restart the software process on

the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. service-deployment—(Optional) Restart the service deployment process, which enables

Junos OS to work with the Session and Resource Control (SRC) software. services—(Optional) Restart a service. services pgcp gateway gateway-name—(Optional) Restart the pgcpd process for a specific

border gateway function (BGF) running on an MS-PIC. This option does not restart the pgcpd process running on the Routing Engine. To restart the pgcpd process on the Routing Engine, use the pgcp-service option. sflow-service—(EX Series switches only) (Optional) Restart the flow sampling (sFlow

technology) process.

362



snmp—(Optional) Restart the SNMP process, which enables the monitoring of network

devices from a central location and provides the router's or switch’s SNMP master agent. soft—(Optional) Reread and reactivate the configuration without completely restarting

the software processes. For example, BGP peers stay up and the routing table stays constant. Omitting this option results in a graceful restart of the software process. static-subscribers—(Optional) Restart the Static subscribers process, which associates

subscribers with statically configured interfaces and provides dynamic service activation and activation for these subscribers. statistics-service—(Optional) Restart the process that manages the Packet Forwarding

Engine statistics. subscriber-management—(Optional) Restart the Subscriber Management process. subscriber-management-helper—(Optional) Restart the Subscriber Management Helper

process. tunnel-oamd—(Optional) Restart the Tunnel OAM process, which enables the Operations,

Administration, and Maintenance of Layer 2 tunneled networks. Layer 2 protocol tunneling (L2PT) allows service providers to send Layer 2 protocol data units (PDUs) across the provider’s cloud and deliver them to Juniper Networks EX Series Ethernet Switches that are not part of the local broadcast domain. usb-control—(J Series routers and MX Series routers) (Optional) Restart the USB control

process. vrrp—(EX Series switches and MX Series routers) (Optional) Restart the Virtual Router

Redundancy Protocol (VRRP) process, which enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. web-management—(J Series routers, QFX Series, EX Series switches, and MX Series

routers) (Optional) Restart the Web management process. Required Privilege Level Related Documentation List of Sample Output Output Fields

reset

•

Overview of Junos OS CLI Operational Mode Commands

restart interfaces on page 363 When you enter this command, you are provided feedback on the status of your request.

Sample Output restart interfaces

user@host> restart interfaces


363

®


interfaces process terminated interfaces process restarted

364



set chassis display message Syntax

Syntax (TX Matrix Router) Syntax (TX Matrix Plus Router) Release Information

Description

Options

set chassis display message "message" set chassis display message "message" (lcc number | scc) set chassis display message “message ” (fpc-slot slot-number | lcc number | sfc number)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option for TX Matrix Plus router introduced in Junos OS Release 9.6. Display or stop a text message on the craft interface display, which is on the front of the router, or on the LCD panel display on the switch. The craft interface alternates the display of text messages with standard craft interface messages, switching between messages every 2 seconds. By default, on both the router and the switch, the text message is displayed for 5 minutes. The craft interface display has four 20-character lines. The LCD panel display has two 16-character lines, and text messages appear only on the second line. "message"—Message to display. On the craft interface display, if the message is longer

than 20 characters, it wraps onto the next line. If a word does not fit on one line, the entire word moves down to the next line. Any portion of the message that does not fit on the display is truncated. An empty pair of quotation marks (“ ”) deletes the text message from the craft interface display. On the LCD panel display, the message is limited to 16 characters. fpc-slot slot-number—(TX Matrix Plus routers and EX4200 and QFX Series only) On the

router or switch, display the text message on the craft interface for a specific Flexible PIC Concentrator (FPC). Replace slot-number with a value from 0 through 31. On the switch, display the text message for a specific member of a Virtual Chassis, where fpc-slot slot-number corresponds to the member ID. Replace slot-number with a value from 0 through 9. On the QFX Series, the slot-number is always 0. lcc number —(TX Matrix and TX Matrix Plus routers only) On a TX Matrix router, display

the text message on the craft interface display of a specified T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, display the text message on the craft interface display of a specified T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. permanent—(Optional) Display a text message on the craft interface display or LCD

panel display permanently. scc—(TX Matrix routers only) Display the text message on the craft interface display of

the TX Matrix router (or switch-card chassis).


365

®


sfc number—(TX Matrix Plus routers only) Display the text message on the craft interface

display of the TX Matrix Plus router (or switch-fabric chassis). Required Privilege Level Related Documentation


Output Fields

clear

•


•

clear chassis display message on page 310

•

show chassis craft-interface

•

Understanding the Implementation of System Log Messages on the QFabric System

set chassis display message (Creating) on page 366 set chassis display message (Deleting) on page 366 See show chassis craft-interface for an explanation of output fields.

Sample Output set chassis display message (Creating)

The following example shows how to set the display message and verify the result: user@host> set chassis display message "NOC contact Dusty (888) 555-1234" message sent user@host> show chassis craft-interface Red alarm: LED off, relay off Yellow alarm: LED off, relay off Host OK LED: On Host fail LED: Off FPCs 0 1 2 3 4 5 6 7 ------------------------------Green .. *.. * *. Red ........ LCD screen: +--------------------+ |NOC contact Dusty | |(888) 555-1234 | +--------------------+

set chassis display message (Deleting)

The following example shows how to delete the display message and verify that the message is removed: user@host> set chassis display message "" message sent

user@host> show chassis craft-interface Red alarm: LED off, relay off Yellow alarm: LED off, relay off Host OK LED: On Host fail LED: Off FPCs 0 1 2 3 4 5 6 7 ------------------------------Green .. *.. * *. Red ........ LCD screen:

366



+--------------------+ |host | |Up: 0+17:05:47 | | | |Temperature OK | +--------------------+


367

®


set date Syntax Release Information

Description Options

set date (date-time ntp )

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Set the date and time. date-time—Date and time. Enter this string inside quotation marks. ntp—Use a Network Time Protocol (NTP) server to synchronize the current date and

time setting on the router or switch. servers—(Optional) Specify the IP address of one or more NTP servers. source-address source-address—Specify the source address that the router or switch uses

to contact the remote NTP server. Required Privilege Level Related Documentation List of Sample Output Output Fields

view

•

Setting the Date and Time

set date on page 368 When you enter this command, you are provided feedback on the status of your request.

Sample Output set date

368

user@host> set date ntp 21 Apr 17:22:02 ntpdate[3867]: step time server 172.17.27.46 offset 8.759252 sec



show chassis firmware Syntax

show chassis firmware




show chassis firmware show chassis firmware

Syntax (QFX Series)

show chassis firmware interconnect-device name node-device name

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.4 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced for EX8200 switches in Junos OS Release 10.2 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

On routers and switches, display the version levels of the firmware running on the System Control Board (SCB), Switching and Forwarding Module (SFM), System and Switch Board (SSB), Forwarding Engine Board (FEB), Flexible PIC Concentrators (FPCs), and Routing Engines. On a TX Matrix Plus router, display the version levels of the firmware running on the FPCs and the Switch Processor Mezzanine Board (SPMBs). On EX2200, EX3200, and EX4200 switches, and the QFX Series, display the version levels of the firmware running on the switch. On an EX8208 switch, display the version levels of the firmware running on the Switch Fabric and Routing Engine (SRE) modules and on the line cards (shown as FPCs). On an EX8216 switch, display the version levels of the firmware running on the Routing Engine (RE) modules and on the line cards (shown as FPCs).

Options

none—Display the version levels of the firmware running. For an EX4200 switch that is

a member of a Virtual Chassis, display version levels for all members. For a TX Matrix router, display version levels for the firmware on the TX Matrix router and on all the T640 routers connected to the TX Matrix router. For a TX Matrix Plus router, display version levels for the firmware on the TX Matrix Plus router and on all the T1600 routers connected to the TX Matrix Plus router. all-members—(MX Series routers only) (Optional) Display the version levels of the

firmware running for all members of the Virtual Chassis configuration.


369

®


interconnect-device name—(QFabric switches) (Optional) Display the version levels of

the firmware running on the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display version levels for the firmware on a specified T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, display the version levels for the firmware on a specified T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display the version levels of the firmware

running for the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display the version levels of

the firmware running for the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. node-device—(QFabric switches only) (Optional) Display the version levels of the firmware

running on the Node device. scc—(TX Matrix router only) (Optional) Display version levels for the firmware on the TX

Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus router only) (Optional) Display version levels for the firmware

on the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Required Privilege Level Related Documentation List of Sample Output

370

view

•

Upgrading the HSM Firmware

show chassis firmware (M10 Router) on page 371 show chassis firmware (M20 Router) on page 371 show chassis firmware (M40 Router) on page 371 show chassis firmware (M120 Router) on page 371 show chassis firmware (M160 Router) on page 371 show chassis firmware (MX240 Router) on page 372 show chassis firmware (MX480 Router) on page 372 show chassis firmware (MX960 Router) on page 372 show chassis firmware (EX4200 Switch) on page 372 show chassis firmware (EX8200 Switch) on page 372 show chassis firmware lcc (TX Matrix Router) on page 372 show chassis firmware scc (TX Matrix Router) on page 373 show chassis firmware (TX Matrix Plus Router) on page 373 show chassis firmware lcc (TX Matrix Plus Router) on page 374 show chassis firmware sfc (TX Matrix Plus Router) on page 374 show chassis firmware (QFX Series) on page 375 show chassis firmware interconnect-device (QFabric Switch) on page 375



Output Fields

Table 61 on page 371 lists the output fields for the show chassis firmware command. Output fields are listed in the approximate order in which they appear.

Table 61: show chassis firmware Output Fields Field Name

Field Description

Part

Chassis part name.

Type

Type of firmware: On routers: ROM or O/S. On switches: uboot or loader.

Version

Version of firmware running on the chassis part.

Sample Output show chassis firmware (M10 Router)

user@host> show chassis firmware Part Type Forwarding engine board ROM O/S

Version Juniper ROM Monitor Version 4.1b2 Version 4.1I1 by tlim on 2000-04-24 11:27

show chassis firmware (M20 Router)

user@host> show chassis firmware Part Type System switch board ROM O/S FPC 1 ROM O/S FPC 2 ROM O/S

Version Juniper Version Juniper Version Juniper Version

ROM Monitor Version 3.4b26 3.4I16 by smackie on 2000-02-29 2 ROM Monitor Version 3.0b1 3.4I4 by smackie on 2000-02-25 21 ROM Monitor Version 3.0b1 3.4I4 by smackie on 2000-02-25 21

user@host> show chassis firmware Part Type System control board ROM O/S FPC 5 ROM O/S

Version Juniper Version Juniper Version

ROM Monitor Version 2.0i126Copyri 2.0i1 by root on Thu Jul 23 00:51 ROM Monitor Version 2.0i49Copyrig 2.0i1 by root on Thu Jul 23 00:59

user@host> show chassis firmware FPC 2 ROM O/S FPC 3 ROM O/S FPC 4 ROM O/S FEB 3 ROM O/S FEB 4 ROM O/S

Juniper Version Juniper Version Juniper Version Juniper Version Juniper Version

ROM Monitor Version 8.2B1 by builder on ROM Monitor Version 8.2B1 by builder on ROM Monitor Version 8.2B1 by builder on ROM Monitor Version 8.2B1 by builder on ROM Monitor Version 8.2B1 by builder on

user@host> show chassis firmware Part Type SFM 0 ROM O/S SFM 1 ROM O/S FPC 0 ROM

Version Juniper Version Juniper Version Juniper

ROM Monitor Version 4.0b2 4.0I1 by tlim on 2000-02-29 11:50 ROM Monitor Version 4.0b2 4.0I1 by tlim on 2000-02-29 11:50 ROM Monitor Version 4.0b2





8.0b29 2006-10-18 8.0b29 2006-10-18 8.0b29 2006-10-18 8.0b29 2006-10-18 8.0b29 2006-10-18

16:2 16:2 16:2 16:1 16:1

371

®



4.0I1 by tlim on 2000-02-29 11:56 ROM Monitor Version 4.0b2 4.0I1 by tlim on 2000-02-29 11:56 ROM Monitor Version 4.0b3 4.0I1 by tlim on 2000-02-29 11:56

user@host> show chassis firmware Part Type FPC 1 ROM O/S FPC 2 ROM O/S


ROM Monitor Version 8.3b1 9.0-20080103.0 by builder on 2008-0 ROM Monitor Version 8.3b1 9.0-20080103.0 by builder on 2008-0

show chassis firmware (MX480 Router)

user@host> show chassis firmware Part Type FPC 1 ROM O/S

Version Juniper ROM Monitor Version 8.3b1 Version 9.0-20070916.3 by builder on 2007-0


user@host> show chassis firmware Part Type FPC 4 ROM O/S FPC 7 ROM O/S


FPC 1 FPC 2


show chassis firmware (EX4200 Switch)

FPC 1 FPC 2

FPC 3 FPC 5 FPC 7 Routing Engine 0

Routing Engine 1

372

Type uboot loader uboot loader uboot loader

Version U-Boot 1.1.6 (Feb 6 2008 - 11:27:42) FreeBSD/PowerPC U-Boot bootstrap loader 2.1 U-Boot 1.1.6 (Feb 6 2008 - 11:27:42) FreeBSD/PowerPC U-Boot bootstrap loader 2.1 U-Boot 1.1.6 (Feb 6 2008 - 11:27:42) FreeBSD/PowerPC U-Boot bootstrap loader 2.1

user@host> show chassis firmware Part FPC 0

show chassis firmware lcc (TX Matrix Router)

ROM Monitor Version 8.0b8 8.2I59 by artem on 2006-10-31 19:22 ROM Monitor Version 8.2b1 8.2-20061026.1 by builder on 2006-1

user@host> show chassis firmware Part FPC 0

show chassis firmware (EX8200 Switch)

O/S ROM O/S ROM O/S

Type U-Boot loader U-Boot loader U-Boot loader U-Boot loader U-Boot loader U-Boot loader

Version U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0 FreeBSD/PowerPC U-Boot bootstrap loader 2.2 U-Boot 1.1.6 (Dec 4 2009 - 13:17:34) 3.1.0 FreeBSD/PowerPC U-Boot bootstrap loader 2.2 U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0 FreeBSD/PowerPC U-Boot bootstrap loader 2.2 U-Boot 1.1.6 (Feb 6 2009 - 05:31:46) 2.4.0 FreeBSD/PowerPC U-Boot bootstrap loader 2.2 U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0 FreeBSD/PowerPC U-Boot bootstrap loader 2.2 U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0 FreeBSD/PowerPC U-Boot bootstrap loader 2.2

user@host> show chassis firmware lcc 0 lcc0-re0: -------------------------------------------------------------------------Part Type Version FPC 1 ROM Juniper ROM Monitor Version 6.4b18 O/S Version 7.0-20040804.0 by builder on 2004-0



FPC 2 SPMB 0

ROM O/S ROM O/S

Juniper Version Juniper Version


show chassis firmware scc (TX Matrix Router)

user@host> show chassis firmware scc scc-re0: -------------------------------------------------------------------------Part Type Version SPMB 0 ROM Juniper ROM Monitor Version 6.4b18 O/S Version 7.0-20040804.0 by builder on 2004-0

show chassis firmware (TX Matrix Plus Router)

user@host> show chassis firmware sfc0-re0: -------------------------------------------------------------------------Part Type Version Global FPC 4 Global FPC 6 Global FPC 7 Global FPC 12 Global FPC 14 Global FPC 15 Global FPC 20 Global FPC 21 Global FPC 22 Global FPC 23 Global FPC 24 Global FPC 25 Global FPC 26 Global FPC 28 Global FPC 29 Global FPC 31 SPMB 0 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 1 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 lcc0-re1: -------------------------------------------------------------------------Part Type Version FPC 4 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 6 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 7 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 0 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 1 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 lcc1-re1: -------------------------------------------------------------------------Part Type Version FPC 4 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 6 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 7 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 0 ROM Juniper ROM Monitor Version 9.5b1


373

®


SPMB 1

O/S ROM O/S

Version 9.6-20090507.0 by builder on 2009-0 Juniper ROM Monitor Version 9.5b1 Version 9.6-20090507.0 by builder on 2009-0

lcc2-re1: -------------------------------------------------------------------------Part Type Version FPC 4 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 5 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 6 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 7 ROM Juniper ROM Monitor Version 7.5b4 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 0 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 1 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 lcc3-re1: -------------------------------------------------------------------------Part Type Version FPC 0 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 1 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 2 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 4 ROM Juniper ROM Monitor Version 7.5b4 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 5 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 7 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 0 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 1 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0

show chassis firmware lcc (TX Matrix Plus Router)

user@host> show chassis firmware lcc 0 lcc0-re1: -------------------------------------------------------------------------Part Type Version FPC 4 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 6 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 FPC 7 ROM Juniper ROM Monitor Version 9.0b2 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 0 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0 SPMB 1 ROM Juniper ROM Monitor Version 9.5b1 O/S Version 9.6-20090507.0 by builder on 2009-0

show chassis firmware sfc (TX Matrix Plus Router)

user@host> show chassis firmware sfc 0 sfc0-re0: -------------------------------------------------------------------------Part Type Version Global FPC 4 Global FPC 6

374



Global Global Global Global Global Global Global Global Global Global Global Global Global Global SPMB 0 SPMB 1

show chassis firmware (QFX Series)

show chassis firmware interconnect-device (QFabric Switch)

FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC

7 12 14 15 20 21 22 23 24 25 26 28 29 31 ROM O/S ROM O/S

user@switch> show chassis firmware Part Type FPC 0 Routing Engine 0 U-Boot loader

Juniper Version Juniper Version


Version U-Boot 1.1.6 (Sep 15 2010 - 02:11:11) 1.0.5 FreeBSD/MIPS U-Boot bootstrap loader 0.1

user@switch> show chassis firmware interconnect-device interconnect1 Part Type Version Routing Engine 0 U-Boot U-Boot 1.1.6 (May 10 2011 - 04:52:59) 1.1.1 loader FreeBSD/MIPS U-Boot bootstrap loader 0.1 Routing Engine 1 U-Boot U-Boot 1.1.6 (May 10 2011 - 04:52:59) 1.1.1 loader FreeBSD/MIPS U-Boot bootstrap loader 0.1


375

®


show chassis lcd Syntax

show chassis lcd (QFX Series)

Release Information

show chassis lcd show chassis lcd

Command introduced in Junos OS Release 9.0 for EX Series switches. menu option introduced in Junos OS Release 10.2 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Display the information that appears on the LCD panel of EX3200, EX3300, EX4200, EX4500, EX6200, and EX8200 switches, XRE200 External Routing Engines, and the QFX Series. Display the status of the currently selected port parameter of the Status LED for each network port on the device.

Options

none—Display the information that appears on the LCD panel (for any EX Series member

switch in a Virtual Chassis or for XRE200 External Routing Engines, display the information for all Virtual Chassis members). Display the status of the currently selected port parameter of the Status LED for each network port. fpc-slot —(Optional) Display the information as follows: •

(EX3200, EX3300, EX4200, and EX4500 switches, or the QFX Series) Display the information that appears on the LCD panel for either an FPC slot with no fpc-slot-number value specified or for the FPC slot specified by fpc-slot 0. fpc-slot refers to the switch itself and 0 is the only valid value for fpc-slot-number. Output for these options is the same as for the none option. Also display the status of the currently selected port parameter of the Status LED for each network port.

•

(EX Series Virtual Chassis member switches or XRE200 External Routing Engines) If no fpc-slot-number value is specified, display the information that appears on the LCD panel for all members of the Virtual Chassis. Output for this option is the same as for the none option. If the fpc-slot-number value is specified (it equals the member-id value), display the information for the specified member. Also display the status of the currently selected port parameter of the Status LED for each network port.

•

(EX6200 or EX8200 switches)—Display the information that appears on the LCD panel for the line card in the line-card slot specified by the fpc-slot-number value. Also display the status of the currently selected port parameter of the Status LED for each network port.

376



interconnect-device name—(QFabric switches only) (Optional) Display the front panel

contents and LED status of all the ports on the Interconnect device. menu—(Optional) Display the names of the menus and menu options that are currently

enabled on the LCD panel. menu all-members—(EX Series Virtual Chassis member switches or XRE200 External

Routing Engines) (Optional) Display the names of the menus and menu options that are currently enabled on the LCD panel for all Virtual Chassis members. menu local—(EX Series Virtual Chassis member switches or XRE200 External Routing

Engines) (Optional) Display the names of the menus and menu options that are currently enabled on the LCD panel for the Virtual Chassis member from which you issued the command. menu member member-id—(EX Series Virtual Chassis member switches or XRE200

External Routing Engines) (Optional) Display the names of the menus and menu options that are currently enabled on the LCD panel for the specified Virtual Chassis member. node-device name—(QFabric switches only) (Optional) Display the front panel contents

and LED status of all the ports on the Node device. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


•


show chassis lcd (Two-Member EX4200 Virtual Chassis) on page 378 show chassis lcd fpc-slot 1 (EX4200 Virtual Chassis) on page 380 show chassis lcd (EX8200 Switch) on page 380 show chassis lcd fpc-slot 2 (EX8200 Switch) on page 382 show chassis lcd menu (EX4200 Switch) on page 382 show chassis lcd menu (EX8200 Switch) on page 382 show chassis lcd (QFX3500 Switches) on page 382 show chassis lcd (XRE200 External Routing Engine in EX8200 Virtual Chassis) on page 383 Table 62 on page 378 lists the output fields for the show chassis lcd command. Output fields are listed in the approximate order in which they appear.


377

®


Table 62: show chassis lcd Output Fields Field Name

Field Description

membernumber (XRE200 External

Member ID of the device whose content is being displayed.

Routing Engine) Front panel contents for slot

FPC slot number of the switch whose content is being displayed. The number is always 0, except for EX4200 switches in a Virtual Chassis, where it is the member ID value.

Front panel contents (EX6200,

EX8200 switch, XRE200 External Routing Engine, and QFX Series)

On EX6200 switches, EX8200 switches, and XRE200 External Routing Engines, no slot number is displayed. On XRE200 External Routing Engines, this field appears under the member number field for each member device in the EX8200 Virtual Chassis.

LCD screen

The first line displays the hostname (for Virtual Chassis members, displays the member ID, the current role, and hostname; for EX8200 switches, displays RE and the hostname). The second line displays the currently selected port parameter of the Status LED and the alarms counter. The Status LED port parameters are: •

ADM—Administrative

•

SPD—Speed

•

DPX—Duplex

•

POE—Power over Ethernet (EX3200 and EX4200 switches only)

LEDs status

Current state of the Alarms, System, and Master LEDs (chassis status LEDs).

Interface

Names of the interfaces on the switch.

LED (ADM/SPD/DPX/POE)

State of the currently selected port parameter of the Status LED for the interface. The Status LED port parameters are: NOTE: The XRE200 External Routing Engine always displays the NA parameter. The QFX Series products do not have any of the port parameters listed below. •

ADM—Administrative

•

SPD—Speed

•

DPX—Duplex

•

NA—Not applicable.

•

POE—Power over Ethernet

On standalone EX Series switchesand the QFX3500 switch, always 0. On EX Series Virtual Chassis member switches, member ID of the Virtual Chassis member whose LCD menu is displayed.

fpcx

Sample Output show chassis lcd (Two-MemberEX4200 Virtual Chassis)

378

user@switch> show chassis lcd Front panel contents for slot: 0 --------------------------------LCD screen: 00:BK switch1 LED:SPD ALARM 00 LEDs status: Alarms LED: Off



System LED: Green Master LED: Off Interface LED(ADM/SPD/DPX/POE) ------------------------------------ge-0/0/0 Off ge-0/0/1 Off ge-0/0/2 Off ge-0/0/3 Off ge-0/0/4 Off ge-0/0/5 Off ge-0/0/6 Off ge-0/0/7 Off ge-0/0/8 Off ge-0/0/9 Off ge-0/0/10 Off ge-0/0/11 Off ge-0/0/12 Off ge-0/0/13 Off ge-0/0/14 Off ge-0/0/15 Off ge-0/0/16 Off ge-0/0/17 Off ge-0/0/18 Off ge-0/0/19 Off ge-0/0/20 Off ge-0/0/21 Off ge-0/0/22 Off ge-0/0/23 Off Front panel contents for slot: 1 --------------------------------LCD screen: 01:RE switch2 LED:SPD ALARM 01 LEDs status: Alarms LED: Yellow System LED: Green Master LED: Green Interface LED(ADM/SPD/DPX/POE) ------------------------------------ge-1/0/0 Off ge-1/0/1 Off ge-1/0/2 Off ge-1/0/3 Off ge-1/0/4 Off ge-1/0/5 Off ge-1/0/6 Off ge-1/0/7 Off ge-1/0/8 Off ge-1/0/9 Off ge-1/0/10 Off ge-1/0/11 Off ge-1/0/12 Off ge-1/0/13 Off ge-1/0/14 Off ge-1/0/15 Off ge-1/0/16 Off ge-1/0/17 Off ge-1/0/18 Off ge-1/0/19 Off ge-1/0/20 Off ge-1/0/21 Off


379

®


ge-1/0/22 ge-1/0/23

Off Off

The output for the show chassis lcd fpc-slot command is the same as the output for the show chassis lcd command. show chassis lcd fpc-slot 1 (EX4200 Virtual Chassis)

show chassis lcd (EX8200 Switch)

380

user@switch> show chassis lcd fpc-slot 1 Front panel contents for slot: 1 --------------------------------LCD screen: 01:RE switch2 LED:SPD ALARM 01 LEDs status: Alarms LED: Yellow System LED: Green Master LED: Green Interface LED(ADM/SPD/DPX/POE) ------------------------------------ge-1/0/0 Off ge-1/0/1 Off ge-1/0/2 Off ge-1/0/3 Off ge-1/0/4 Off ge-1/0/5 Off ge-1/0/6 Off ge-1/0/7 Off ge-1/0/8 Off ge-1/0/9 Off ge-1/0/10 Off ge-1/0/11 Off ge-1/0/12 Off ge-1/0/13 Off ge-1/0/14 Off ge-1/0/15 Off ge-1/0/16 Off ge-1/0/17 Off ge-1/0/18 Off ge-1/0/19 Off ge-1/0/20 Off ge-1/0/21 Off ge-1/0/22 Off ge-1/0/23 Off user@switch> show chassis lcd Front panel contents: --------------------LCD screen: RE st-8200-r LED:ADM ALARM 01 LEDs status: Alarms LED: Yellow System LED: Yellow Master LED: Green Interface LED(ADM/SPD/DPX) -----------------------------------------ge-0/0/0 Off ge-0/0/1 Off ge-0/0/2 Off ge-0/0/3 Off



ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/11 ge-0/0/12 ge-0/0/13 ge-0/0/14 ge-0/0/15 ge-0/0/16 ge-0/0/17 ge-0/0/18 ge-0/0/19 ge-0/0/20 ge-0/0/21 ge-0/0/22 ge-0/0/23 ge-0/0/24 ge-0/0/25 ge-0/0/26 ge-0/0/27 ge-0/0/28 ge-0/0/29 ge-0/0/30 ge-0/0/31 ge-0/0/32 ge-0/0/33 ge-0/0/34 ge-0/0/35 ge-0/0/36 ge-0/0/37 ge-0/0/38 ge-0/0/39 ge-0/0/40 ge-0/0/41 ge-0/0/42 ge-0/0/43 ge-0/0/44 ge-0/0/45 ge-0/0/46 ge-0/0/47 xe-2/0/0 xe-2/0/1 xe-2/0/2 xe-2/0/3 xe-2/0/4 xe-2/0/5 xe-2/0/6 xe-2/0/7 xe-3/0/0 xe-3/0/1 xe-3/0/2 xe-3/0/3 xe-3/0/4 xe-3/0/5 xe-3/0/6 xe-3/0/7 xe-5/0/0


Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off

381

®


xe-5/0/1 xe-5/0/2 xe-5/0/3 xe-5/0/4 xe-5/0/5 xe-5/0/6 xe-5/0/7 xe-7/0/5

show chassis lcd fpc-slot 2 (EX8200 Switch)

show chassis lcd menu (EX4200 Switch)

Off Off Off Off Off On On Off

show chassis lcd fpc-slot 2 Interface LED(ADM/SPD/DPX) -----------------------------------------xe-2/0/0 Off xe-2/0/1 Off xe-2/0/2 Off xe-2/0/3 Off xe-2/0/4 Off xe-2/0/5 Off xe-2/0/6 Off xe-2/0/7 Off user@switch> show chassis lcd menu fpc0: -------------------------------------------------------------------------status-menu status-menu vcp-status status-menu power-status status-menu environ-menu status-menu show-version maintenance-menu maintenance-menu halt-menu maintenance-menu system-reboot maintenance-menu rescue-config maintenance-menu vc-uplink-config maintenance-menu factory-default

On an EX4200 switch in a Virtual Chassis, the output for the show chassis lcd menu all-members command is the same as the output for the show chassis lcd menu command. show chassis lcd menu (EX8200 Switch)

user@switch> show chassis lcd menu status-menu status-menu sf-status1-menu status-menu sf-status2-menu status-menu psu-status1-menu status-menu psu-status2-menu status-menu environ-menu status-menu show-version maintenance-menu maintenance-menu halt-menu maintenance-menu system-reboot maintenance-menu rescue-config maintenance-menu factory-default

show chassis lcd (QFX3500 Switches)

user@switch> show chassis lcd Front panel contents for slot: 0 --------------------------------LCD screen: 00:RE switch

382



ALARM 01 LEDs status: Status/Beacon LED: Yellow Blinking Interface STATUS LED ACTIVITY LED ------------------------------------------fte-0/1/0 Off Off

show chassis lcd (XRE200 External Routing Engine in EX8200 Virtual Chassis)

user@external-routing-engine> show chassis lcd member0: -------------------------------------------------------------------------Front panel contents: --------------------LCD screen: RE ex8200-member0 LED:ADM ALARM 04 LEDs status: Alarms LED: Red System LED: Yellow Master LED: Green member1: -------------------------------------------------------------------------member8: -------------------------------------------------------------------------Front panel contents: --------------------LCD screen: BACKUP member9: -------------------------------------------------------------------------Front panel contents: --------------------LCD screen: 09:RE xre200-member9 LED: NA ALARM 01 Interface LED(ADM/SPD/DPX/POE) -----------------------------------------ge-0/0/0 On ge-0/0/1 On ge-0/0/2 On ge-0/0/3 On ge-0/0/4 Off ge-0/0/5 Off ge-0/0/6 Off ge-0/0/7 Off ge-0/0/8 Off ge-0/0/9 Off ge-0/0/10 On ge-0/0/11 Off ge-0/0/12 Off ge-0/0/13 Off ge-0/0/14 Off ge-0/0/15 Off ge-0/0/16 Off ge-0/0/17 Off ge-0/0/18 Off ge-0/0/19 Off ge-0/0/20 Off ge-0/0/21 Off


383

®


ge-0/0/22 ge-0/0/23 ge-0/0/24 ge-0/0/25 ge-0/0/26 ge-0/0/27 ge-0/0/28 ge-0/0/29 ge-0/0/30 ge-0/0/31 ge-0/0/32 ge-0/0/33 ge-0/0/34 ge-0/0/35 ge-0/0/36 ge-0/0/37 ge-0/0/38 ge-0/0/39 ge-0/0/40 ge-0/0/41 ge-0/0/42 ge-0/0/43 ge-0/0/44 ge-0/0/45 ge-0/0/46 ge-0/0/47 ge-16/0/0 ge-16/0/1 ge-16/0/2 ge-16/0/3 ge-16/0/4 ge-16/0/5 ge-16/0/6 ge-16/0/7 ge-16/0/8 ge-16/0/9 ge-16/0/10 ge-16/0/11 ge-16/0/12 ge-16/0/13 ge-16/0/14 ge-16/0/15 ge-16/0/16 ge-16/0/17 ge-16/0/18 ge-16/0/19 ge-16/0/20 ge-16/0/21 ge-16/0/22 ge-16/0/23 ge-16/0/24 ge-16/0/25 ge-16/0/26 ge-16/0/27 ge-16/0/28 ge-16/0/29 ge-16/0/30 ge-16/0/31 ge-16/0/32 ge-16/0/33 ge-16/0/34

384

Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off On On On On On On On On On Off On Off On Off On Off Off Off Off Off Off On Off On Off On On On On Off On Off Off Off On Off Off Off On Off On On On



ge-16/0/35 ge-16/0/36 ge-16/0/37 ge-16/0/38 ge-16/0/39 ge-16/0/40 ge-16/0/41 ge-16/0/42 ge-16/0/43 ge-16/0/44 ge-16/0/45 ge-16/0/46 ge-16/0/47 xe-19/0/0 xe-19/0/1 xe-19/0/2 xe-19/0/3 xe-19/0/4 xe-19/0/5 ge-22/0/0 ge-22/0/1 ge-22/0/2 ge-22/0/3 ge-22/0/4 ge-22/0/5 ge-22/0/6 ge-22/0/7 ge-22/0/8 ge-22/0/9 ge-22/0/10 ge-22/0/11 ge-22/0/12 ge-22/0/13 ge-22/0/14 ge-22/0/15 ge-22/0/16 ge-22/0/17 ge-22/0/18 ge-22/0/19 ge-22/0/20 ge-22/0/21 ge-22/0/22 ge-22/0/23 ge-22/0/24 ge-22/0/25 ge-22/0/26 ge-22/0/27 ge-22/0/28 ge-22/0/29 ge-22/0/30 ge-22/0/31 ge-22/0/32 ge-22/0/33 ge-22/0/34 ge-22/0/35 ge-22/0/36 ge-22/0/37 ge-22/0/38 ge-22/0/39 ge-22/0/40 ge-22/0/41


Off On Off Off Off Off Off On Off Off Off Off Off Off On On On On On Off Off On Off On On On On Off Off Off Off Off Off Off Off On Off On Off On Off On Off On Off Off Off Off Off Off Off On Off On Off Off Off Off Off Off Off

385

®


ge-22/0/42 ge-22/0/43 ge-22/0/44 ge-22/0/45 ge-22/0/46 ge-22/0/47

386

Off Off Off Off Off Off



show configuration Syntax

Release Information

Description

Options

show configuration

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the configuration that currently is running on the router or switch, which is the last committed configuration. none—Display the entire configuration. statement-path—(Optional) Display one of the following hierarchies in a configuration.

(Each statement-path option has additional suboptions not described here. See the appropriate configuration guide or EX Series switch documentation for more information.) •

access—Network access configuration.

•

access-profile—Access profile configuration.

•

accounting-options—Accounting data configuration.

•

applications—Applications defined by protocol characteristics.

•

apply-groups—Groups from which configuration data is inherited.

•

chassis—Chassis configuration.

•

chassis network-services—Current running mode.

•

class-of-service—Class-of-service configuration.

•

diameter—Diameter base protocol layer configuration.

•

ethernet-switching-options—(EX Series switch only) Ethernet switching

configuration. •

event-options—Event processing configuration.

•

firewall—Firewall configuration.

•

forwarding-options—Options that control packet sampling.

•

groups—Configuration groups.

•

interfaces—Interface configuration.

•

jsrc—JSRC partition configuration.

•

jsrc-partition—JSRC partition configuration.

•

logical-systems—Logical system configuration.

•

poe—(EX Series switch only) Power over Ethernet configuration.

•

policy-options—Routing policy option configuration.

•

protocols—Routing protocol configuration.


387

®





Output Fields

•

routing-instances—Routing instance configuration.

•

routing-options—Protocol-independent routing option configuration.

•

security—Security configuration.

•

services—Service PIC applications configuration.

•

snmp—Simple Network Management Protocol configuration.

•

system—System parameters configuration.

•

virtual-chassis—(EX Series switch only) Virtual Chassis configuration.

•

vlans—(EX Series switch only) VLAN configuration.

The portions of the configuration that you can view depend on the user class that you belong to and the corresponding permissions. If you do not have permission to view a portion of the configuration, the text ACCESS-DENIED is substituted for that portion of the configuration. If you do not have permission to view authentication keys and passwords in the configuration, because the secret permission bit is not set for your user account, the text SECRET-DATA is substituted for that portion of the configuration. If an identifier in the configuration contains a space, the identifier is displayed in quotation marks. view

•

Displaying the Current Junos OS Configuration

•

Overview of Junos OS CLI Operational Mode Commands

show configuration on page 388 show configuration policy-options on page 389 This command displays information about the current running configuration.

Sample Output show configuration

388

user@host> show configuration ## Last commit: 2006-10-31 14:13:00 PST by alant version "8.2I0 [builder]"; ## last changed: 2006-10-31 14:05:53 PST system { host-name nestor; domain-name east.net; backup-router 192.1.1.254; time-zone America/Los_Angeles; default-address-selection; name-server { 192.154.169.254; 192.154.169.249; 192.154.169.176; } services { telnet; } tacplus-server {



1.2.3.4 { secret /* SECRET-DATA */; ... } } } interfaces { ... } protocols { isis { export "direct routes"; } } policy-options { policy-statement "direct routes" { from protocol direct; then accept; } }

show configuration policy-options

user@host> show configuration policy-options policy-options { policy-statement "direct routes" { from protocol direct; then accept; } }


389

®


show host Syntax Release Information

Description Options Additional Information Required Privilege Level List of Sample Output

show host hostname

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display Domain Name System (DNS) hostname information. hostname—Hostname or address.

The show host command displays the raw data received from the DNS server. view

show host on page 390

Sample Output show host

user@host> show host snark snark.boojum.net has address 192.168.1.254 user@host> show host 192.168.1.254 Name: snark.boojum.net Address: 192.168.1.254 Aliases:

390



show ntp associations Syntax

Release Information

Description Options

show ntp associations

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display Network Time Protocol (NTP) peers and their state. none—Display NTP peers and their state. no-resolve—(Optional) Suppress symbolic addressing.


view

•

show ntp status on page 393

show ntp associations on page 392 Table 63 on page 391 describes the output fields for the show ntp associations command. Output fields are listed in the approximate order in which they appear.

Table 63: show ntp associations Output Fields Field Name

Field Description

remote

Address or name of the remote NTP peer.

refid

Reference identifier of the remote peer. If the reference identifier is not known, this field shows a value of 0.0.0.0.

st

Stratum of the remote peer.

t

Type of peer: b (broadcast), l (local), m (multicast), or u (unicast).

when

When the last packet from the peer was received.

poll

Polling interval, in seconds.

reach

Reachability register, in octal.

delay

Current estimated delay of the peer, in milliseconds.

offset

Current estimated offset of the peer, in milliseconds.

disp

Current estimated dispersion of the peer, in milliseconds.


391

®


Table 63: show ntp associations Output Fields (continued) Field Name

Field Description

peer-name

Peer name and status of the peer in the clock selection process: •

space—Discarded because of a high stratum value or failed sanity checks.

•

x—Designated "falseticker" by the intersection algorithm.

•

.—Culled from the end of the candidate list.

•

– —Discarded by the clustering algorithm.

•

+—Included in the final selection set.

•

#—Selected for synchronization, but the distance exceeds the maximum.

•

*—Selected for synchronization.

•

o—Selected for synchronization, but the packets-per-second (pps) signal is in use.

Sample Output show ntp associations

392

user@host> show ntp associations remote refid st t when poll reach delay offset disp ============================================================================== *wolfe-gw.junipe tick.ucla.edu 2 u 43 64 377 1.86 0.319 0.08



show ntp status Syntax


show ntp status

Command introduced in Junos OS Release 11.1 for the QFX Series. Display the values of internal variables returned by Network Time Protocol (NTP) peers. none—Display the values of internal variables returned by NTP peers. no-resolve—(Optional) Suppress symbolic addressing.


view

•

show ntp associations on page 391

show ntp status on page 393

Sample Output show ntp status

user@host> show ntp status status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg, version="ntpd 4.1.0-a Fri Jun 24 06:40:56 GMT 2005 (1)", processor="i386", system="JUNOS7.4-20050624.0", leap=00, stratum=2, precision=-28, rootdelay=6.849, rootdispersion=10.615, peer=38788, refid=ntp-server.company-a.net, reftime=c66705d9.06ee0f3c Fri, Jun 24 2005 15:21:13.027, poll=6, clock=c6670602.cf6db940 Fri, Jun 24 2005 15:21:54.810, state=4, offset=0.205, frequency=75.911, jitter=0.396, stability=0.005


393

®


show system firmware Syntax

Release Information

Description Options Required Privilege Level List of Sample Output

Output Fields

show system firmware

Command introduced in Junos OS Release 7.4. Command introduced in Junos OS Release 9.4 for EX Series switches. (J Series routers and EX8200 switches only) Display firmware information. compatibility—(Optional) Display firmware compatibility information.

view

show system firmware on page 394 show system firmware compatibility on page 394 Table 64 on page 394 lists the output fields for the show system firmware command. Output fields are listed in the approximate order in which they appear.

Table 64: show system firmware Output Fields Field Name

Field Description

Part

Physical part on the router or switch affected by the firmware.

Type

Type of firmware on the router or switch.

Tag

Location of the firmware on the interface.

Current version

Firmware version on the affected router or switch parts.

Available version

New versions of firmware for upgrading or downgrading.

Status

Firmware condition on the router or switch.

Action

Whether you can upgrade or downgrade, or if no action is available (none).

Sample Output show system firmware

user@host> show system firmware Part Type

Tag Current version 0 6.4.10 0 0

Available Status version OK OK

user@host> show system firmware compatibility Part Type Tag Current version

Available Action version

FPC 0 ROM Monitor 0 Routing Engine 0 RE BIOS

show system firmware compatibility

394



FPC 0 ROM Monitor 0 Routing Engine 0 RE BIOS


0 0

6.4.10 0

None None

395

®


show system reboot Syntax

show system reboot


show system reboot


show system reboot



show system reboot show system reboot

Syntax (QFX Series)

show system reboot

Release Information


Description Options

Display pending system reboots or halts. none—Display pending reboots or halts on the active Routing Engine. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display halt or reboot request information for all the T640 routers in the chassis that are connected to the TX Matrix router. On a TX Matrix router, display halt or reboot request information for all the T1600 routers in the chassis that are connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Display halt or

reboot request information for all members of the Virtual Chassis configuration. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display system halt or reboot request information for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, display halt

396



or reboot request information for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router both-routing-engines—(Systems with multiple Routing Engines) (Optional) Display halt

or reboot request information on both Routing Engines. infrastructure name—(QFabric switches only) (Optional) Display reboot request

information on the fabric manager Routing Engines and fabric control Routing Engines. interconnect-device name—(QFabric switches only) (Optional) Display reboot request

information on the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display halt or reboot request information for a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, display halt or reboot request information for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Display halt or reboot

request information for the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Display

halt or reboot request information for the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. node-group name—(QFabric switches only) (Optional) Display reboot request information

on the Node group. scc—(TX Matrix router only) (Optional) Display halt or reboot request information for

the TX Matrix router (or switch-card chassis). sfc—(TX Matrix Plus router only) (Optional) Display halt or reboot request information

for the TX Matrix Plus router (or switch-fabric chassis). Additional Information


By default, when you issue the show system reboot command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on the TX Matrix router) or T1600 (in a routing matrix based on the TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on the TX Matrix router) or T1600 (in a routing matrix based on the TX Matrix Plus router) backup Routing Engines that are connected to it. maintenance

show system reboot on page 398 show system reboot all-lcc (TX Matrix Router) on page 398 show system reboot sfc (TX Matrix Plus Router) on page 398 show system reboot (QFX3500 Switch) on page 398


397

®


Sample Output show system reboot

user@host> show system reboot reboot requested by root at Wed Feb 10 17:40:46 1999 [process id 17885]

show system reboot all-lcc (TX Matrix Router)

user@host> show system reboot all-lcc lcc0-re0: -------------------------------------------------------------------------No shutdown/reboot scheduled. lcc2-re0: -------------------------------------------------------------------------No shutdown/reboot scheduled.

show system reboot sfc (TX Matrix Plus Router)

user@host> show system sfc 0 No shutdown/reboot scheduled.

show system reboot (QFX3500 Switch)

user@switch> show system reboot No shutdown/reboot scheduled.

398



show system software Syntax

show system software







show system software show system software

Syntax (QFX Series)


Release Information


Description Options

Display the Junos OS extensions loaded on your router or switch. none—Display standard information about all loaded Junos OS extensions. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Display system

software information for all the T640 routers (TX Matrix Router) or all the T1600 routers (TX Matrix Plus Router) in the chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display system software information for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, display system software information for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router all-members—(EX4200 switches only) (Optional) Display the system software running

on all members of the Virtual Chassis configuration.


399

®


backup—(J Series routers only) (Optional) Display the status of old system software

packages only. detail—(Optional) Display detailed information about available Junos OS extensions. infrastructure name—(QFabric switches only) (Optional) Display the system software

running on the fabric control Routing Engine and the fabric manager Routing Engine. interconnect-device name—(QFabric switches only) (Optional) Display the system

software running on the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display system software information for a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, display system software information for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches only) (Optional) Display the system software running on the

local Virtual Chassis member. member member-id—(EX4200 switches only) (Optional) Display the system software

running on the specified member of the Virtual Chassis configuration. Replace member-id with a value from 0 through 9. node-group name—(QFabric switches only) (Optional) Display the system software

running on the Node group. scc—(Routing matrix only) (Optional) Display the system software running on a TX Matrix

router (or switch-card chassis). sfc—(TX Matrix Plus routers only) (Optional) Display system software information for

the TX Matrix Plus router (or switch-fabric chassis). Required Privilege Level List of Sample Output

Output Fields

maintenance

show system software on page 400 show system software (TX Matrix Plus Router) on page 401 show system software (QFX Series) on page 405 When you enter this command, you are provided a list of Junos OS packages installed on the router and their corresponding Junos OS release number.

Sample Output show system software

user@host> show system software Information for jbase: Comment: JUNOS Base OS Software Suite [7.2R1.7]

Information for jcrypto:

400



Comment: JUNOS Crypto Software Suite [7.2R1.7] Information for jdocs: Comment: JUNOS Online Documentation [7.2R1.7]

Information for jkernel: Comment: JUNOS Kernel Software Suite [7.2R1.7]

Information for jpfe: Comment: JUNOS Packet Forwarding Engine Support (M20/M40) [7.2R1.7]

Information for jroute: Comment: JUNOS Routing Software Suite [7.2R1.7]

Information for junos: Comment: JUNOS Base OS boot [7.2R1.7]

show system software (TX Matrix Plus Router)

user@host> show system software sfc0-re0: -------------------------------------------------------------------------Information for jbase: Comment: JUNOS Base OS Software Suite [9.6-20090515.0]

Information for jcrypto: Comment: JUNOS Crypto Software Suite [9.6-20090515.0]

Information for jdocs: Comment: JUNOS Online Documentation [9.6-20090515.0] Information for jkernel: Comment: JUNOS Kernel Software Suite [9.6-20090515.0]

Information for jpfe:


401

®


Comment: JUNOS Packet Forwarding Engine Support (T-Series) [9.6-20090515.0]

Information for jpfe-common: Comment: JUNOS Packet Forwarding Engine Support (M/T Common) [9.6-20090515.0]

Information for jroute:Comment: JUNOS Routing Software Suite [9.6-20090515.0]

Information for jservices-aacl: Comment: JUNOS Services AACL Container package [9.6-20090515.0]

Information for jservices-appid: Comment: JUNOS AppId Services [9.6-20090515.0]

Information for jservices-bgf: Comment: JUNOS Border Gateway Function package [9.6-20090515.0] Information for jservices-idp: Comment: JUNOS IDP Services [9.6-20090515.0]

Information for jservices-llpdf: Comment: JUNOS Services LL-PDF Container package [9.6-20090515.0]

Information for jservices-sfw: Comment: JUNOS Services Stateful Firewall [9.6-20090515.0] Information for jservices-voice: Comment: JUNOS Voice Services Container package [9.6-20090515.0]

Information for junos:

402



Comment: JUNOS Base OS boot [9.6-20090515.0] ... lcc0-re0: -------------------------------------------------------------------------Information for jbase: Comment: JUNOS Base OS Software Suite [9.6-20090515.0]


Information for jdocs: Comment: JUNOS Online Documentation [9.6-20090515.0]

Information for jkernel: Comment: JUNOS Kernel Software Suite [9.6-20090515.0]

Information for jpfe: Comment: JUNOS Packet Forwarding Engine Support (T-Series) [9.6-20090515.0]

Information for jpfe-common: Comment: JUNOS Packet Forwarding Engine Support (M/T Common) [9.6-20090515.0]

Information for jroute: Comment: JUNOS Routing Software Suite [9.6-20090515.0]

Information for jservices-aacl: Comment: JUNOS Services AACL Container package [9.6-20090515.0]


403

®


Information for jservices-appid: Comment: JUNOS AppId Services [9.6-20090515.0]

Information for jservices-bgf: Comment: JUNOS Border Gateway Function package [9.6-20090515.0]

Information for jservices-idp: Comment: JUNOS IDP Services [9.6-20090515.0]

Information for jservices-llpdf: Comment: JUNOS Services LL-PDF Container package [9.6-20090515.0]

Information for jservices-sfw: Comment: JUNOS Services Stateful Firewall [9.6-20090515.0]

Information for jservices-voice: Comment: JUNOS Voice Services Container package [9.6-20090515.0]

Information for junos: Comment: JUNOS Base OS boot [9.6-20090515.0]

lcc1-re0: -------------------------------------------------------------------------Information for jbase: Comment: JUNOS Base OS Software Suite [9.6-20090515.0]

Information for jcrypto:

404



Comment: JUNOS Crypto Software Suite [9.6-20090515.0] ...

show system software (QFX Series)

user@switch> show system software Information for jbase: Comment: JUNOS Base OS Software Suite [11.3-20110730.0]


Information for jdocs: Comment: JUNOS Online Documentation [11.3-20110730.0]

Information for jkernel: Comment: JUNOS Kernel Software Suite [11.3-20110730.0]

Information for jpfe: Comment: JUNOS Packet Forwarding Engine Support (QFX) [11.3-20110730.0]

Information for jroute: Comment: JUNOS Routing Software Suite [11.3-20110730.0]

Information for jswitch: Comment: JUNOS Enterprise Software Suite [11.3-20110730.0]

Information for junos: Comment: JUNOS Base OS boot [11.3-20110730.0]


405

®


Information for jweb: Comment: JUNOS Web Management [11.3-20110730.0]

406



show system storage Syntax

show system storage


show system storage


show system storage



show system storage show system storage

Syntax (QFX Series)

show system storage

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in JUNOS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Options

Display statistics about the amount of free disk space in the router's or switch’s file systems. none—Display standard information about the amount of free disk space in the router's

or switch’s file systems. detail—(Optional) Display detailed output. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Display system

storage statistics for all the routers in the chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display system storage statistics for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, display system storage statistics for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router.


407

®


all-members—(EX4200 switches and MX Series routers only) (Optional) Display system

storage statistics for all members of the Virtual Chassis configuration. infrastructure name—(QFabric switches only) (Optional) Display system storage statistics

for the fabric control Routing Engines or fabric manager Routing Engines. interconnect-device name—(QFabric switches only) (Optional) Display system storage

statistics for the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display system storage statistics for a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, display system storage statistics for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Display system storage

statistics for the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Display

system storage statistics for the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. node-group name—(QFabric switches only) (Optional) Display system storage statistics

for the Node group. scc—(TX Matrix routers only) (Optional) Display system storage statistics for the TX

Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Display system storage statistics

for the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information


Output Fields

408

By default, when you issue the show system storage command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) backup Routing Engines that are connected to it. view

show system storage on page 409 show system storage (TX Matrix Plus Router) on page 409 show system storage (QFX3500 Switch) on page 411 Table 65 on page 409 describes the output fields for the show system storage command. Output fields are listed in the approximate order in which they appear.



Table 65: show system storage Output Fields Field Name

Field Description

Filesystem

Name of the filesystem.

Size

Size of the filesystem.

Used

Amount of space used in the filesystem.

Avail

Amount of space available in the filesystem.

Capacity

Percentage of the filesystem space that is being used.

Mounted on

Directory in which the filesystem is mounted.

Sample Output show system storage

show system storage (TX Matrix Plus Router)

user@host> show system storage Filesystem Size /dev/ad0s1a 77M devfs 16K /dev/vn0 12M /dev/vn1 39M /packages/mnt/jkernel-7.2R1.7 /dev/vn2 12M /packages/mnt/jpfe-M40-7.2R1.7 /dev/vn3 2.3M /packages/mnt/jdocs-7.2R1.7 /dev/vn4 14M /packages/mnt/jroute-7.2R1.7 /dev/vn5 4.5M /packages/mnt/jcrypto-7.2R1.7 mfs:172 1.5G /dev/ad0s1e 12M procfs 4.0K /dev/ad1s1f 9.4G

Used 37M 16K 12M 39M

Avail 34M 0B 0B 0B

Capacity Mounted on 52% / 100% /dev/ 100% /packages/mnt/jbase 100%

12M

0B

100%

2.3M

0B

100%

14M

0B

100%

4.5M

0B

100%

4.0K 20K 4.0K 4.9G

1.3G 11M 0B 3.7G

0% 0% 100% 57%

/tmp /config /proc /var

user@host> show system storage sfc0-re0: -------------------------------------------------------------------------Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 3.4G 178M 2.9G 6% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 33M 33M 0B 100% /packages/mnt/jbase /dev/md1 216M 216M 0B 100% /packages/mnt/jkernel-9.6-20090519.0 /dev/md2 66M 66M 0B 100% /packages/mnt/jpfe-T-9.6-20090519.0 /dev/md3 4.1M 4.1M 0B 100% /packages/mnt/jdocs-9.6-20090519.0 /dev/md4 57M 57M 0B 100% /packages/mnt/jroute-9.6-20090519.0 /dev/md5 15M 15M 0B 100% /packages/mnt/jcrypto-9.6-20090519.0 /dev/md6 34M 34M 0B 100%


409

®


/packages/mnt/jpfe-common-9.6-20090519.0 /dev/md7 2.0G 10.0K /dev/md8 2.0G 1.0M /dev/ad0s1e 383M 82K procfs 4.0K 4.0K /dev/ad1s1f 52G 7.5G

1.8G 1.8G 352M 0B 40G

0% 0% 0% 100% 16%

/tmp /mfs /config /proc /var

lcc0-re0: -------------------------------------------------------------------------Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 3.4G 178M 2.9G 6% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 33M 33M 0B 100% /packages/mnt/jbase /dev/md1 216M 216M 0B 100% /packages/mnt/jkernel-9.6-20090519.0 /dev/md2 66M 66M 0B 100% /packages/mnt/jpfe-T-9.6-20090519.0 /dev/md3 4.1M 4.1M 0B 100% /packages/mnt/jdocs-9.6-20090519.0 /dev/md4 57M 57M 0B 100% /packages/mnt/jroute-9.6-20090519.0 /dev/md5 15M 15M 0B 100% /packages/mnt/jcrypto-9.6-20090519.0 /dev/md6 34M 34M 0B 100% /packages/mnt/jpfe-common-9.6-20090519.0 /dev/md7 2.0G 10.0K 1.8G 0% /tmp /dev/md8 2.0G 540K 1.8G 0% /mfs /dev/ad0s1e 383M 88K 352M 0% /config procfs 4.0K 4.0K 0B 100% /proc /dev/ad1s1f 52G 6.3G 41G 13% /var lcc1-re0: -------------------------------------------------------------------------Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 3.4G 178M 2.9G 6% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 33M 33M 0B 100% /packages/mnt/jbase /dev/md1 216M 216M 0B 100% /packages/mnt/jkernel-9.6-20090519.0 /dev/md2 66M 66M 0B 100% /packages/mnt/jpfe-T-9.6-20090519.0 /dev/md3 4.1M 4.1M 0B 100% /packages/mnt/jdocs-9.6-20090519.0 /dev/md4 57M 57M 0B 100% /packages/mnt/jroute-9.6-20090519.0 /dev/md5 15M 15M 0B 100% /packages/mnt/jcrypto-9.6-20090519.0 /dev/md6 34M 34M 0B 100% /packages/mnt/jpfe-common-9.6-20090519.0 /dev/md7 2.0G 10.0K 1.8G 0% /tmp /dev/md8 2.0G 540K 1.8G 0% /mfs /dev/ad0s1e 383M 88K 352M 0% /config procfs 4.0K 4.0K 0B 100% /proc /dev/ad1s1f 23G 13G 7.7G 64% /var lcc2-re0: -------------------------------------------------------------------------Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 3.4G 178M 2.9G 6% /

410



devfs 1.0K 1.0K devfs 1.0K 1.0K /dev/md0 33M 33M /dev/md1 216M 216M /packages/mnt/jkernel-9.6-20090519.0 /dev/md2 66M 66M /packages/mnt/jpfe-T-9.6-20090519.0 /dev/md3 4.1M 4.1M /packages/mnt/jdocs-9.6-20090519.0 /dev/md4 57M 57M /packages/mnt/jroute-9.6-20090519.0 /dev/md5 15M 15M /packages/mnt/jcrypto-9.6-20090519.0 /dev/md6 34M 34M /packages/mnt/jpfe-common-9.6-20090519.0 /dev/md7 2.0G 10.0K /dev/md8 2.0G 540K /dev/ad0s1e 383M 64K procfs 4.0K 4.0K /dev/ad1s1f 23G 3.7G

0B 0B 0B 0B

100% /dev 100% /dev/ 100% /packages/mnt/jbase 100%

0B

100%

0B

100%

0B

100%

0B

100%

0B

100%

1.8G 1.8G 352M 0B 17G

0% 0% 0% 100% 18%

/tmp /mfs /config /proc /var

lcc3-re0: -------------------------------------------------------------------------Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 3.4G 178M 2.9G 6% / devfs 1.0K 1.0K 0B 100% /dev devfs 1.0K 1.0K 0B 100% /dev/ /dev/md0 33M 33M 0B 100% /packages/mnt/jbase /dev/md1 216M 216M 0B 100% /packages/mnt/jkernel-9.6-20090519.0 /dev/md2 66M 66M 0B 100% /packages/mnt/jpfe-T-9.6-20090519.0 /dev/md3 4.1M 4.1M 0B 100% /packages/mnt/jdocs-9.6-20090519.0 /dev/md4 57M 57M 0B 100% /packages/mnt/jroute-9.6-20090519.0 /dev/md5 15M 15M 0B 100% /packages/mnt/jcrypto-9.6-20090519.0 /dev/md6 34M 34M 0B 100% /packages/mnt/jpfe-common-9.6-20090519.0 /dev/md7 2.0G 10.0K 1.8G 0% /tmp /dev/md8 2.0G 540K 1.8G 0% /mfs /dev/ad0s1e 383M 34K 352M 0% /config procfs 4.0K 4.0K 0B 100% /proc /dev/ad1s1f 23G 18G 3.5G 84% /var

show system storage (QFX3500 Switch)

user@switch> show system storage Filesystem Size Used /dev/da0s2a 343M 192M devfs 1.0K 1.0K /dev/md0 119M 119M /dev/md1 513M 513M /packages/mnt/jkernel-qfx-11.1R1.5 /dev/md2 37M 37M /packages/mnt/jpfe-qfx-e9xxx-11.1R1.5 /dev/md3 6.0M 6.0M /packages/mnt/jdocs-qfx-11.1R1.5 /dev/md4 216M 216M /packages/mnt/jroute-qfx-11.1R1.5 /dev/md5 59M 59M /packages/mnt/jcrypto-qfx-11.1R1,5


Avail 123M 0B 0B 0B

Capacity Mounted on 61% / 100% /dev 100% /packages/mnt/jbase 100%

0B

100%

0B

100%

0B

100%

0B

100%

411

®


/dev/md6 85M /packages/mnt/jswitch-qfx-11.1R1.5 /dev/md7 63M /dev/da0s2f 228M /dev/da0s3d 590M /dev/da0s3e 104M procfs 4.0K

412

85M

0B

100%

8.0K 14M 3.0M 162K 4.0K

58M 196M 540M 95M 0B

0% 7% 1% 0% 100%

/tmp /var /var/tmp /config /proc



show system switchover Syntax Syntax (TX Matrix Router) Syntax (TX Matrix Plus Router) Syntax (MX Series Router)

Release Information

Description

show system switchover show system switchover show system switchover show system switchover

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Display whether graceful Routing Engine switchover is configured, the state of the kernel replication (ready or synchronizing), any replication errors, and whether the primary and standby Routing Engines are using compatible versions of the kernel database.

NOTE: Issue the show system switchover command only on the backup Routing Engine. This command is not supported on the master Routing Engine. because the kernel-replication process daemon does not run on the master Routing Engine. This process runs only on the backup Routing Engine. Beginning Junos OS Release 9.6, the show system switchover command has been deprecated on the master Routing Engine on all routers other than a TX Matrix (switch-card chassis) or a TX Matrix Plus (switch-fabric chassis) router. However, in a routing matrix, if you issue the show system switchover command on the master Routing Engine of the TX Matrix router (or switch-card chassis), the CLI displays graceful switchover information for the master Routing Engine of the T640 routers (or line-card chassis) in the routing matrix. Likewise, if you issue the show system switchover command on the master Routing Engine of a TX Matrix Plus router (or switch-fabric chassis), the CLI displays output for the master Routing Engine of T1600 routers (or line-card chassis) in the routing matrix.

Options

all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display graceful Routing Engine switchover information for all Routing Engines on the TX Matrix router and the T640 routers configured in the routing matrix. On a TX Matrix Plus router, display graceful Routing Engine switchover information for all


413

®


Routing Engines on the TX Matrix Plus router and the T1600 routers configured in the routing matrix. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display graceful Routing Engine switchover information for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, display graceful Routing Engine switchover information for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(MX Series routers only) (Optional) Display graceful Routing Engine

switchover information for all Routing Engines on all members of the Virtual Chassis configuration. lcc number—(TX Matrix and TX Matrix Plus router only) (Optional) On a TX Matrix router,

display graceful Routing Engine switchover information for a specific T640 router (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, display graceful Routing Engine switchover information for a specific T1600 router (or line-card chassis) connected to the TX Matrix Plus router.Replace number with 0. local—(MX Series routers only) (Optional) Display graceful Routing Engines switchover

information for all Routing Engines on the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display graceful Routing Engine

switchover information for all Routing Engines on the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. scc—(TX Matrix router only) (Optional) Display graceful Routing Engine switchover

information for the TX Matrix router (or switch-card chassis). sfc—(TX Matrix Plus router only) (Optional) Display graceful Routing Engine switchover

information for the TX Matrix Plus router (or switch-fabric chassis). Additional Information

If you issue the show system switchover command on a TX Matrix backup Routing Engine, the command is broadcast to all the T640 backup Routing Engines that are connected to it. Likewise, if you issue the show system switchover command on a TX Matrix Plus backup Routing Engine, the command is broadcast to all the T1600 backup Routing Engines that are connected to it. If you issue the show system switchover command on the active Routing Engine in the master router of an MX Series Virtual Chassis, the router displays an error message that graceful Routing Engine switchover (GRES) is not enabled on this member.


414

view

show system switchover (Backup Routing Engine) on page 415 show system switchover all-lcc (Routing Matrix) on page 415



Output Fields

Table 66 on page 415 describes the output fields for the show system switchover command. Output fields are listed in the approximate order in which they appear.

Table 66: show system switchover Output Fields Field Name

Field Description

Graceful switchover

Display graceful Routing Engine switchover status:

Configuration database

•

On—Indicates graceful-switchover is specified for the routing-options configuration command.

•

Off—Indicates graceful-switchover is not specified for the routing-options configuration command.

State of the configuration database: •

Ready—Configuration database has synchronized.

•

Synchronizing—Configuration database is synchronizing. Displayed when there are updates within

the last 5 seconds. •

Kernel database

Synchronize failed—Configuration database synchronize process failed.

State of the kernel database: •

Ready—Kernel database has synchronized.

•

Synchronizing—Kernel database is synchronizing. Displayed when there are updates within the last

5 seconds. •

Version incompatible—The primary and standby Routing Engines are running incompatible kernel

database versions. •

Peer state

Replication error—An error occurred when the state was replicated from the primary Routing Engine. Inspect /var/log/ksyncd for possible causes, or notify Juniper Networks customer support.

Routing Engine peer state: •

Steady State—Peer completed switchover transition.

•

Peer Connected—Peer in switchover transition.

Sample Output show system switchover (Backup Routing Engine)

show system switchover all-lcc (Routing Matrix)

user@host> show system switchover Graceful switchover: On Configuration database: Ready Kernel database: Ready Peer state: Steady State user@host> show system switchover all-lcc lcc0-re0: -------------------------------------------------------------------------Multichassis replication: On Configuration database: Ready Kernel database: Ready Peer state: Steady State lcc2-re0: -------------------------------------------------------------------------Multichassis replication: On Configuration database: Ready Kernel database: Ready Peer state: Steady State


415

®


416



show system uptime Syntax Syntax (EX Series Switches)

Syntax (QFX Series)

Syntax (TX Matrix Router) Syntax (TX Matrix Plus Router)


Release Information

Description

Options

show system uptime show system uptime show system uptime show system uptime show system uptime show system uptime

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in JUNOS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the current time and information about how long the router or switch, router or switch software, and routing protocols have been running. none—Show time since the system rebooted and processes started. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Show time since the

system rebooted and processes started on all the routers in the chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

show time since the system rebooted and processes started for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, show time since the system rebooted and processes started for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Show time

since the system rebooted and processes started on all members of the Virtual Chassis configuration.


417

®


director-group name—(QFabric switches only) (Optional) Show time since the system

rebooted and processes started on the Director group. infrastructure name—(QFabric switches only) (Optional) Show time since the system

rebooted and processes started on the fabric control Routing Engine and fabric manager Routing Engine. interconnect-device name—(QFabric switches only) (Optional) Show time since the

system rebooted and processes started on the Interconnect device. invoke-on—(MX Series routers only) (Optional) Display the time since the system rebooted

and processes started on the master Routing Engine, backup Routing Engine, or both, on a router with two Routing Engines. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

show time since the system rebooted and processes started for a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, show time since the system rebooted and processes started for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Show time since the

system rebooted and processes started on the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Show

time since the system rebooted and processes started on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. node-group name—(QFabric switches only) (Optional) Show time since the system

rebooted and processes started on the Node group. scc—(TX Matrix routers only) (Optional) Show time since the system rebooted and

processes started for the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Show time since the system rebooted

and processes started for the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information


418

By default, when you issue the show system uptime command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) backup Routing Engines that are connected to it. view





Output Fields

•

Monitoring System Process Information

•

Monitoring System Properties

•

10-Gigabit Ethernet LAN/WAN PIC with XFP (T640 Router)

show system uptime on page 419 show system uptime all-lcc (TX Matrix Router) on page 419 show system uptime all-lcc (TX Matrix Plus Router) on page 420 show system uptime (QFX Series) on page 420 Table 67 on page 419 describes the output fields for the show system uptime command. Output fields are listed in the approximate order in which they appear.

Table 67: show system uptime Output Fields Field Name

Field Description

Current time

Current system time in UTC.

System booted

Date and time when the Routing Engine on the router or switch was last booted and how long it has been running.

Protocols started

Date and time when the routing protocols were last started and how long they have been running.

Last configured

Date and time when a configuration was last committed. Also shows the name of the user who issued the last commit command.

time and up

Current time, in the local time zone, and how long the router or switch has been operational.

users

Number of users logged in to the router or switch.

load averages

Load averages for the last 1 minute, 5 minutes, and 15 minutes.

Sample Output show system uptime

show system uptime all-lcc (TX Matrix Router)

user@host> show system uptime Current time: 1998-10-13 19:45:47 UTC System booted: 1998-10-12 20:51:41 UTC Protocols started: 1998-10-13 19:33:45 UTC Last configured: 1998-10-13 19:33:45 UTC 12:45PM up 22:54, 2 users, load averages:

(22:54:06 ago) (00:12:02 ago) (00:12:02 ago) by abc 0.07, 0.02, 0.01

user@host> show system uptime all-lcc lcc0-re0: -------------------------------------------------------------------------Current time: 2004-09-13 09:55:35 PDT System booted: 2004-09-13 03:13:55 PDT (06:41:40 ago) Last configured: 2004-09-13 03:17:48 PDT (06:37:47 ago) by root 9:55AM PDT up 6:42, 1 user, load averages: 0.02, 0.03, 0.00 lcc2-re0: -------------------------------------------------------------------------Current time: 2004-09-13 09:55:35 PDT System booted: 2004-09-12 03:23:43 PDT (1d 06:31 ago)


419

®


Last configured: 2004-09-13 03:05:36 PDT (06:49:59 ago) by root 9:55AM PDT up 1 day, 6:32, 1 user, load averages: 0.02, 0.01, 0.00

show system uptime all-lcc (TX Matrix Plus Router)

user@host> show system uptime all-lcc sfc0-re0: -------------------------------------------------------------------------Current time: 2009-05-25 00:24:30 PDT System booted: 2009-05-24 06:39:33 PDT (17:44:57 ago) Protocols started: 2009-05-24 06:40:30 PDT (17:44:00 ago) Last configured: 2009-05-24 06:33:27 PDT (17:51:03 ago) by gregdo 12:24AM up 17:45, 2 users, load averages: 0.07, 0.05, 0.01 lcc0-re0: -------------------------------------------------------------------------Current time: 2009-05-25 00:24:30 PDT System booted: 2009-05-24 06:39:46 PDT (17:44:44 ago) error: the routing subsystem is not running Last configured: 2009-05-24 06:40:47 PDT (17:43:43 ago) by root 12:24AM up 17:45, 0 users, load averages: 0.00, 0.00, 0.00 lcc1-re0: -------------------------------------------------------------------------Current time: 2009-05-25 00:24:30 PDT System booted: 2009-05-24 06:39:38 PDT (17:44:52 ago) error: the routing subsystem is not running Last configured: 2009-05-24 06:40:18 PDT (17:44:12 ago) by root 12:24AM up 17:45, 0 users, load averages: 0.00, 0.00, 0.00 lcc2-re0: -------------------------------------------------------------------------Current time: 2009-05-25 00:24:30 PDT System booted: 2009-05-24 06:39:48 PDT (17:44:42 ago) error: the routing subsystem is not running Last configured: 2009-05-24 06:40:44 PDT (17:43:46 ago) by root 12:24AM up 17:45, 0 users, load averages: 0.00, 0.00, 0.00 lcc3-re0: -------------------------------------------------------------------------Current time: 2009-05-25 00:24:30 PDT System booted: 2009-05-24 06:39:44 PDT (17:44:46 ago) error: the routing subsystem is not running Last configured: 2009-05-24 06:40:08 PDT (17:44:22 ago) by root 12:24AM up 17:45, 0 users, load averages: 0.00, 0.00, 0.00

show system uptime (QFX Series)

420

user@switch> show system uptime Current time: 2010-08-27 03:12:30 PDT System booted: 2010-08-13 17:11:54 PDT (1w6d 10:00 ago) Protocols started: 2010-08-13 17:13:56 PDT (1w6d 09:58 ago) Last configured: 2010-08-26 05:54:00 PDT (21:18:30 ago) by regress 3:12AM up 13 days, 10:01, 3 users, load averages: 0.00, 0.00, 0.00



show system users Syntax




Release Information

Description

show system users show system users show system users show system users

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in JUNOS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. List information about the users who are currently logged in to the router or switch.

NOTE: The show system users command lists the information about administrative users that are logged in to a router or switch using the CLI, J-Web, or an SSH client. The output does not list information about web users or automated users that are logged in from a remote client application using Junos XML APIs, such as NETCONF.

Options

none—List information about the users who are currently logged in to the router or switch. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Show users currently

logged in to all the routers in the chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

show users currently logged in to all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, show users currently logged in to all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(MX Series routers only) (Optional) Display users currently logged in to

all members of the Virtual Chassis configuration. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

show users currently logged in to a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, show users currently logged in to a specific


421

®


T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display users currently logged in to the local

Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display users currently logged

in to the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. no-resolve—(Optional) Do not attempt to resolve IP addresses to hostnames. scc—(TX Matrix routers only) (Optional) Show users currently logged in to the TX Matrix

router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Show users currently logged in to

the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information


Output Fields

By default, when you issue the show system users command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) backup Routing Engines that are connected to it. view

show system users on page 423 show system users lcc no-resolve (TX Matrix and TX Matrix Plus Router) on page 423 show system users (TX Matrix Plus Router) on page 423 show system users (QFX Series) on page 424 show system users no-resolve (QFX Series) on page 424 Table 68 on page 422 describes the output fields for the show system users command. Output fields are listed in the approximate order in which they appear.

Table 68: show system users Output Fields Field Name

Field Description

time and up

Current time, in the local time zone, and how long the router or switch has been operational.

users

Number of users logged in to the router or switch.

load averages


USER

Username.

TTY

Terminal through which the user is logged in.

422



Table 68: show system users Output Fields (continued) Field Name

Field Description

FROM

System from which the user has logged in. A hyphen indicates that the user is logged in through the console.

LOGIN@

Time when the user logged in.

IDLE

How long the user has been idle.

WHAT

Processes that the user is running.

Sample Output show system users

user@host> show system users 7:30PM up 4 days, 2:26, 2 users, load averages: 0.07, 0.02, 0.01 USER TTY FROM LOGIN@ IDLE WHAT root d0 Fri05PM 4days -csh (csh) blue p0 level5.company.net 7:30PM - cli

show system users lcc no-resolve (TX Matrix and TX Matrix Plus Router)

user@host> show system users lcc 2 no-resolve

show system users (TX Matrix Plus Router)

user@host> show system users sfc0-re0: -------------------------------------------------------------------------1:41AM up 26 mins, 3 users, load averages: 0.08, 0.04, 0.03 USER TTY FROM LOGIN@ IDLE WHAT regress p0 10.209.208.123 1:18AM 21 cli regress p1 172.17.29.207 1:37AM 2 cli regress p2 172.17.28.19 1:40AM - cli

lcc2-re0: -------------------------------------------------------------------------10:34AM PDT up 1 day, 7:11, 5 users, load averages: 0.03, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE WHAT root d0 3:21AM 7:12 /bin/csh regress p0 scc-re0 10:15AM - telnet hostA regress p1 scc-re0 10:16AM - telnet hostA regress p2 scc-re0 10:19AM - telnet hostA regress p3 scc-re0 10:24AM - telnet hostA

lcc0-re0: -------------------------------------------------------------------------1:41AM up 26 mins, 0 users, load averages: 0.00, 0.00, 0.03 lcc1-re0: -------------------------------------------------------------------------1:41AM up 26 mins, 0 users, load averages: 0.00, 0.02, 0.03 lcc2-re0: -------------------------------------------------------------------------1:41AM up 26 mins, 0 users, load averages: 0.16, 0.06, 0.02 lcc3-re0: -------------------------------------------------------------------------1:41AM up 26 mins, 0 users, load averages: 0.12, 0.04, 0.04


423

®


regress@aj> show system users sfc0-re0: -------------------------------------------------------------------------1:42AM up 28 mins, 4 users, load averages: 0.02, 0.03, 0.02 USER TTY FROM LOGIN@ IDLE WHAT regress p0 pssraj-t61.jnpr.net 1:18AM 22 cli regress p1 eng-shell4.juniper.net 1:37AM - cli regress p2 bigpink.juniper.net 1:40AM - cli regress p3 sv-cuty-01.englab.juniper.net 1:42AM - -csh (csh) lcc0-re0: -------------------------------------------------------------------------1:42AM up 28 mins, 0 users, load averages: 0.02, 0.01, 0.03 lcc1-re0: -------------------------------------------------------------------------1:42AM up 28 mins, 0 users, load averages: 0.07, 0.04, 0.03 lcc2-re0: -------------------------------------------------------------------------1:42AM up 27 mins, 0 users, load averages: 0.07, 0.06, 0.02 lcc3-re0: -------------------------------------------------------------------------1:42AM up 28 mins, 0 users, load averages: 0.05, 0.04, 0.04

424

show system users (QFX Series)

user@switch> show system users USER TTY FROM tlewis p0 172.22.18.117 tlewis p1 172.22.18.117 tcheng p2 172.22.17.197

LOGIN@ 2:54AM 3:01AM 3:08AM

IDLE 39 11

WHAT -cli (cli) -cli (cli) -cli (cli)

show system users no-resolve (QFX Series)

user@switch> show system users no-resolve USER TTY FROM tlewis p0 172.22.18.117 tlewis p1 172.22.18.117 tcheng p2 172.22.17.197

LOGIN@ 2:54AM 3:01AM 3:08AM

IDLE 39 11

WHAT -cli (cli) -cli (cli) -cli (cli)



show system virtual-memory Syntax

show system virtual-memory

Syntax (EX Series)


Syntax (TX Matrix Router) Syntax (TX Matrix Plus Router)

show system virtual-memory show system virtual-memory



Syntax (QFX Series)


Release Information


Description

Options

Display the usage of Junos OS kernel memory listed first by size of allocation and then by type of usage. Use the show system virtual-memory command for troubleshooting with Juniper Networks Customer Support. none—Display kernel dynamic memory usage information. all-chassis—(TX Matrix and TX Matrix Plus routers only) (Optional) Display kernel dynamic

memory usage information for all chassis. all-lcc—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display kernel dynamic memory usage information for all T640 routers (or line-card chassis) connected to the TX Matrix router. On a TX Matrix Plus router, display kernel dynamic memory usage information for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router. all-members—(EX4200 switches and MX Series routers only) (Optional) Display kernel

dynamic memory usage information for all members of the Virtual Chassis configuration.


425

®


infrastructure name—(QFabric switches only) (Optional) Display kernel dynamic memory

usage information for the fabric control Routing Engine and fabric manager Routing Engine. interconnect-device name—(QFabric switches only) (Optional) Display kernel dynamic

memory usage information for the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display kernel dynamic memory usage information for a specific T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, display kernel dynamic memory usage information for a specific T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(EX4200 switches and MX Series routers only) (Optional) Display kernel dynamic

memory usage information for the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Display

kernel dynamic memory usage information for the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. node-group name—(QFabric switches only) (Optional) Display kernel dynamic memory

usage information for the Node group. scc—(TX Matrix routers only) (Optional) Display kernel dynamic memory usage

information for the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Display kernel dynamic memory

usage information for the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information

By default, when you issue the show system virtual-memory command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) backup Routing Engines that are connected to it.

NOTE: The show system virtual-memory command with the | display XML pipe option now displays XML output for the command in the parent tags: , , , , and with each child element as a separate XML tag. In Junos OS Releases 10.1 and earlier, the | display XML option for this command does not have an XML API element and the entire output is displayed in a single tag element.

426




Output Fields

view

show system virtual-memory on page 429 show system virtual-memory scc (TX Matrix Router) on page 433 show system virtual-memory sfc (TX Matrix Plus Router) on page 434 show system virtual-memory | display xml on page 437 show system virtual-memory (QFX Series) on page 459 Table 69 on page 428 lists the output fields for the show system virtual-memory command. Output fields are listed in the approximate order in which they appear.


427

®


Table 69: show system virtual-memory Output Fields Field Name

Field Description

Memory statistics by bucket size Size

Memory block size (bytes). The kernel memory allocator appropriates blocks of memory whose size is exactly a power of 2.

In Use

Number of memory blocks of this size that are in use (bytes).

Free

Number of memory blocks of this size that are free (bytes).

Requests

Number of memory allocation requests made.

HighWater

Maximum value the free list can have. Once the system starts reclaiming physical memory, it continues until the free list is increased to this value.

Couldfree

Total number of times that the free elements for a bucket size exceed the high-water mark for that bucket size.

Memory usage type by bucket size Size

Memory block size (bytes).

Type(s)

Kernel modules that are using these memory blocks. For a definition of each type, refer to a FreeBSD book.

Memory statistics by type Type

Kernel module that is using dynamic memory.

InUse

Number of memory blocks used by this type. The number is rounded up.

MemUse

Amount of memory in use, in kilobytes (KB).

HighUse

Maximum memory ever used by this type.

Limit

Maximum memory that can be allocated to this type.

Requests

Total number of dynamic memory allocation requests this type has made.

Type Limit

Number of times requests were blocked for reaching the maximum limit.

Kern Limit

Number of times requests were blocked for the kernel map.

Size(s)

Memory block sizes this type is using.

Memory Totals In Use

Total kernel dynamic memory in use (bytes, rounded up).

Free

Total kernel dynamic memory free (bytes, rounded up).

428



Table 69: show system virtual-memory Output Fields (continued) Field Name

Field Description

Requests

Total number of memory allocation requests.

ITEM

Kernel module that is using memory.

Size

Memory block size (bytes).

LImit

Maximum memory that can be allocated to this type.

Used

Number of memory blocks used by this type. The number is rounded up.

Free

Number of memory blocks available to this type.

Requests

Total number of memory allocation requests this type has made.

interrupt

Timer events and scheduling interruptions.

total

Total number of interruptions for each type.

rate

Interruption rate.

Total

Total for all interruptions.

Sample Output show system virtual-memory

user@host> show system virtual-memory Memory statistics by bucket size Size In Use Free Requests HighWater 16 906 118 154876 1280 32 455 313 209956 640 64 4412 260 75380 320 128 3200 32 19361 160 256 1510 10 8844 80 512 446 2 5085 40 1K 18 2 5901 20 2K 1128 2 4445 10 4K 185 1 456 5 8K 5 1 2653 5 16K 181 0 233 5 32K 2 0 1848 5 64K 20 0 22 5 128K 5 0 5 5 256K 2 0 2 5 512K 1 0 1 5

Couldfree 0 0 20 81 4 0 0 1368 0 0 0 0 0 0 0 0

Memory usage type by bucket size Size Type(s) 16 uc_devlist, nexusdev, iftable, temp, devbuf, atexit, COS, BPF, DEVFS mount, DEVFS node, vnodes, mount, pcb, soname, proc-args, kld, MD disk, rman, ATA generic, bus, sysctl, ippool, pfestat, ifstate, pfe_ipc, mkey, rtable, ifmaddr, ipfw, rnode 32 atkbddev, dirrem, mkdir, diradd, freefile, freefrag, indirdep,


429

®


64

128

256

512

1K 2K 4K 8K 16K 32K 64K 128K 256K 512K

bmsafemap, newblk, temp, devbuf, COS, vnodes, cluster_save buffer, pcb, soname, proc-args, sigio, kld, Gzip trees, taskqueue, SWAP, eventhandler, bus, sysctl, uidinfo, subproc, pgrp, pfestat, itable32, ifstate, pfe_ipc, mkey, rtable, ifmaddr, ipfw, rnode, rtnexthop isadev, iftable, MFS node, allocindir, allocdirect, pagedep, temp, devbuf, lockf, COS, NULLFS hash, DEVFS name, vnodes, cluster_save buffer, vfscache, pcb, soname, proc-args, file, AR driver, AD driver, Gzip trees, rman, eventhandler, bus, sysctl, subproc, pfestat, pic, ifstate, pfe_ipc, mkey, ifaddr, rtable, ipfw ZONE, freeblks, inodedep, temp, devbuf, zombie, COS, DEVFS node, vnodes, mount, vfscache, pcb, soname, proc-args, ttys, dev_t, timecounter, kld, Gzip trees, ISOFS node, bus, uidinfo, cred, session, pic, itable16, ifstate, pfe_ipc, rtable, ifstat, metrics, rtnexthop, iffamily iflogical, iftable, MFS node, FFS node, newblk, temp, devbuf, NFS daemon, vnodes, proc-args, kqueue, file desc, Gzip trees, bus, subproc, itable16, ifstate, pfe_ipc, sysctl, rtnexthop UFS mount, temp, devbuf, mount, BIO buffer, ptys, ttys, AR driver, Gzip trees, ISOFS mount, msg, ioctlops, ATA generic, bus, proc, pfestat, lr, ifstate, pfe_ipc, rtable, ipfw, ifstat, rtnexthop iftable, temp, devbuf, NQNFS Lease, kqueue, kld, AD driver, Gzip trees, sem, MD disk, bus, ifstate, pfe_ipc, ipfw uc_devlist, UFS mount, temp, devbuf, BIO buffer, pcb, AR driver, Gzip trees, ioctlops, bus, ipfw, ifstat, rcache memdesc, iftable, UFS mount, temp, devbuf, kld, Gzip trees, sem, msg temp, devbuf, syncache, Gzip trees indirdep, temp, devbuf, shm, msg pagedep, kld, Gzip trees VM pgdata, devbuf, MSDOSFS mount UFS ihash, inodedep, NFS hash, kld, ISOFS mount mbuf, vfscache SWAP

Memory statistics by type Type Kern Type InUse MemUse HighUse Limit Requests Limit Limit isadev 13 1K 1K127753K 13 0 0 atkbddev 2 1K 1K127753K 2 0 0 uc_devlist 24 3K 3K127753K 24 0 0 nexusdev 3 1K 1K127753K 3 0 0 memdesc 1 4K 4K127753K 1 0 0 mbuf 1 152K 152K127753K 1 0 0 iflogical 6 2K 2K127753K 6 0 0 iftable 17 9K 9K127753K 18 0 0 ZONE 15 2K 2K127753K 15 0 0 VM pgdata 1 64K 64K127753K 1 0 0 UFS mount 12 26K 26K127753K 12 0 0 UFS ihash 1 128K 128K127753K 1 0 0 MFS node 6 2K 3K127753K 35 0 0 FFS node 906 227K 227K127753K 1352 0 0 dirrem 0 0K 4K127753K 500 0 0 mkdir 0 0K 1K127753K 38 0 0 diradd 0 0K 6K127753K 521 0 0 freefile 0 0K 4K127753K 374 0 0 freeblks 0 0K 8K127753K 219 0 0 freefrag 0 0K 1K127753K 193 0 0 allocindir 0 0K 25K127753K 1518 0 0 indirdep 0 0K 17K127753K 76 0 0 allocdirect 0 0K 10K127753K 760 0 0 bmsafemap 0 0K 1K127753K 72 0 0 newblk 1 1K 1K127753K 2279 0 0 inodedep 1 128K 175K127753K 2367 0 0

430

Size(s) 64 32 16,2K 16 4K 256K 256 16,64,256,1K,4K 128 64K 512,2K,4K 128K 64,256 256 32 32 32 32 128 32 64 32,16K 64 32 32,256 128,128K



pagedep 1 temp 1239 devbuf 1413 lockf 38 atexit 1 zombie 0 NFS hash 1 NQNFS Lease 1 NFS daemon 1 syncache 1 COS 353 BPF 189 MSDOSFS mount 1 NULLFS hash 1 DEVFS mount 2 DEVFS name 487 DEVFS node 471 vnodes 28 mount 15 cluster_save buffer vfscache 1898 BIO buffer 49 pcb 159 soname 82 proc-args 57 ptys 32 ttys 254 kqueue 5 sigio 1 file 383 file desc 76 shm 1 dev_t 286 timecounter 10 kld 11 AR driver 1 AD driver 2 Gzip trees 0 ISOFS node 1136 ISOFS mount 9 sem 3 MD disk 2 msg 4 rman 59 ioctlops 0 taskqueue 2 SWAP 2 ATA generic 6 eventhandler 17 bus 340 sysctl 0 uidinfo 4 cred 22 subproc 156 proc 2 session 12 pgrp 16 ippool 1 pfestat 0 pic 5 lr 1


32K 92K 5527K 3K 1K 0K 128K 1K 1K 8K 44K 3K 64K 1K 1K 31K 58K 7K 8K 0 376K 98K 16K 10K 2K 16K 33K 3K 1K 24K 19K 12K 36K 2K 117K 1K 2K 0K 142K 132K 6K 2K 25K 4K 0K 1K 413K 3K 1K 30K 0K 1K 3K 10K 1K 2K 1K 1K 0K 1K 1K

33K127753K 47 96K127753K 8364 5527K127753K 1535 3K127753K 2906 1K127753K 1 2K127753K 3850 128K127753K 1 1K127753K 1 1K127753K 1 8K127753K 1 44K127753K 353 3K127753K 189 64K127753K 1 1K127753K 1 1K127753K 2 31K127753K 487 58K127753K 479 7K127753K 429 8K127753K 18 0K 1K127753K 376K127753K 3228 398K127753K 495 17K127753K 399 10K127753K 42847 3K127753K 2105 16K127753K 32 33K127753K 522 4K127753K 23 1K127753K 27 24K127753K 16060 20K127753K 3968 12K127753K 1 36K127753K 286 2K127753K 10 122K127753K 34 3K127753K 5 3K127753K 2755 46K127753K 133848 142K127753K 1189 132K127753K 10 6K127753K 3 2K127753K 2 25K127753K 4 4K127753K 461 2K127753K 992 1K127753K 2 413K127753K 2 3K127753K 6 1K127753K 17 31K127753K 794 1K127753K 130262 1K127753K 10 3K127753K 3450 10K127753K 7882 1K127753K 2 2K127753K 34 1K127753K 45 1K127753K 1 1K127753K 47349 1K127753K 5 1K127753K 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 55 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

64,32K 16,32,64K 16,32,64,128,256 64 16 128 128K 1K 256 8K 16,32,64,128 16 64K 64 16 64 16,128 16,32,64,128,256 16,128,512 0 32,64 64,128,256K 512,2K 16,32,64,128,2K 16,32,64,128 16,32,64,128,256 512 128,512 256,1K 32 64 256 16K 128 128 16,32,128,1K,4K 64,512,2K 64,1K 32,64,128,256 128 512,128K 1K,4K 16,1K 512,4K,16K 16,64 512,2K 32 32,512K 16,512 32,64 16,32,64,128,256 16,32,64 32,128 128 32,64,256 512 128 32 16 16,32,64,512 64,128 512

431

®


itable32 itable16 ifstate pfe_ipc mkey ifaddr sysctl rtable ifmaddr ipfw ifstat rcache rnode metrics rtnexthop iffamily

In Use 9311K

ITEM PIPE: SWAPMETA: unpcb: ripcb: syncache: tcpcb: udpcb: socket: KNOTE: NFSNODE: NFSMOUNT: VNODE: NAMEI: VMSPACE: PROC: DP fakepg: PV ENTRY: MAP ENTRY: KMAP ENTRY: MAP: VM OBJECT:

SIZE 192, 160, 160, 192, 128, 576, 192, 256, 96, 352, 544, 224, 1024, 192, 448, 64, 28, 48, 48, 108, 92,

4K 26K 159K 0K 4K 1K 0K 6K 1K 10K 805K 8K 1K 1K 9K 2K

Memory Totals:

792644 9863474 286510 390851 3596829 16 3880 27 0 0 0 0 0 380 395 122 1476 0

432

110 161 694 0 250 9 0 49 22 23 698 4 27 1 57 12

4K127753K 26K127753K 160K127753K 1K127753K 4K127753K 1K127753K 1K127753K 6K127753K 1K127753K 10K127753K 805K127753K 8K127753K 1K127753K 1K127753K 9K127753K 2K127753K Free 54K

LIMIT 0, 95814, 0, 25330, 15359, 25330, 25330, 25330, 0, 0, 0, 0, 0, 0, 0, 0, 499566, 0, 35645, 0, 0,

110 161 1735 56218 824 9 30 307 22 48 698 4 285 3 312 12

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

32 128,256 16,32,64,128,1K 16,32,64,128,1K 16,32,64 64 256 16,32,64,128,512 16,32 16,32,64,512,2K 128,512,2K 2K 16,32 128 32,128,256,512 128

Requests 489068 USED FREE REQUESTS 4, 81, 4422 0, 0, 0 114, 36, 279 5, 37, 5 0, 64, 5 23, 12, 32 14, 28, 255 246, 26, 819 27, 57, 71 0, 0, 0 0, 0, 0 2778, 43, 2778 0, 8, 40725 57, 71, 3906 73, 17, 3923 0, 0, 0 44530, 152053, 1525141 1439, 134, 351075 179, 119, 10904 7, 3, 7 2575, 109, 66912

cpu context switches device interrupts software interrupts traps system calls kernel threads created fork() calls vfork() calls rfork() calls swap pager pageins swap pager pages paged in swap pager pageouts swap pager pages paged out vnode pager pageins vnode pager pages paged in vnode pager pageouts vnode pager pages paged out page daemon wakeups



0 101 161722 0 84623 83063 7 535606 0 238254 2535 0 283379 0 190091 17458 29166 0 10395 134610 4096 183419

interrupt ata0 irq14 mux irq7 fxp1 irq10 sio0 irq4 clk irq0 rtc irq8 Total

pages examined by the page daemon pages reactivated copy-on-write faults copy-on-write optimized faults zero fill pages zeroed zero fill pages prezeroed intransit blocking page faults total VM faults taken pages affected by kernel thread creation pages affected by fork() pages affected by vfork() pages affected by rfork() pages freed pages freed by daemon pages freed by exiting processes pages active pages inactive pages in VM cache pages wired down pages free bytes per page total name lookups cache hits (90% pos + 7% neg) system 0% per-directory deletions 0%, falsehits 0%, toolong 0%

show system virtual-memory scc (TX Matrix Router)

total 113338 727643 1178671 833 3439769 4403221 9863475

rate 3 21 34 0 99 127 286

user@host> show system virtual-memory scc Memory statistics by bucket size Size In Use Free Requests HighWater 16 898 126 749493 1280 32 2018 1310 980643 640 64 3490 13342 935420 320 ...

Couldfree 0 632 5365

Memory usage type by bucket size Size Type(s) 16 uc_devlist, COS, BPF, DEVFS mount, DEVFS node, vnodes, mount, pcb, soname, rman, bus, sysctl, ifstate, pfe_ipc, mkey, socket, rtable, ifmaddr, ipfw, rnode, iftable, temp, devbuf, atexit, proc-args, kld, MD disk 32 atkbddev, Gzip trees, dirrem, mkdir, diradd, freefile, freefrag, indirdep, bmsafemap, newblk, tseg_qent, COS, vnodes, ... Memory statistics by type Type Kern Type InUse MemUse HighUse Limit Requests Limit Limit isadev 12 1K 1K166400K 12 0 0 atkbddev 2 1K 1K166400K 2 0 0 uc_devlist 24 3K 3K166400K 24 0 0 ....


Size(s) 64 32 16,2K

433

®


Memory Totals:

show system virtual-memory sfc (TX Matrix Plus Router)

434

In Use 6091K

Free 1554K

Requests 2897122

user@host> show system virtual-memory sfc 0 sfc0-re0: -------------------------------------------------------------------------Type InUse MemUse HighUse Requests Size(s) CAM dev queue 1 1K 1 64 entropy 1024 64K 1024 64 linker 487 6272K 1163 16,32,64,4096,32768,131072 USB 127 10K 127 16,32,64,128,256,1024,2048 lockf 46 3K 98418 64 USBdev 10 2K 34 16,128,2048,16384 ifstateSLLNode 0 0K 1096 16 devbuf 21243 15683K 21810 16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072 temp 1283 151K - 2483472 16,32,64,128,256,512,2048,4096,8192,16384,32768,65536,131072 ip6ndp 0 0K 4 64 in6ifmulti 1 1K 1 64 in6grentry 1 1K 1 64 iflogical 20 5K 29 2048 iffamily 45 6K 69 32,1024,2048 rtnexthop 266 46K 608013 32,256,512,1024,2048,4096 metrics 31 4K 54 256 rnode 212 4K 607848 16,32 rcache 4 8K 4 65536 iflist 0 0K 6 16,64 ifdevice 11 8K 17 16,32768 ifstat 424 472K 427 512,16384,65536 ipfw 42 23K 145 16,32,64,128,256,512,1024,16384,32768,65536,131072 ifmaddr 415 11K 415 16,32 rtable 329 28K 608066 16,32,64,128,1024,16384 sysctl 0 0K 887976 16,32,64,4096,16384,32768 ifaddr 64 5K 70 32,64,128 mkey 331 6K 12528 16,128 pfe_ipc 0 0K - 7299115 16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072 ifstate 1245054 70088K - 3040437 16,32,64,128,256,512,1024,2048,4096,8192,16384,32768 idxbucket 1 1K 1 16 itable16 5069 1250K 5103 1024,4096 itable32 157 10K 157 64 itable64 2 1K 2 128 lr 1 1K 4 16384 pic 37 6K 37 64,16384 pfestat 0 0K 6220 32,64,128,256,131072 gencfg 1486 424K 2614 16,32,64,256,512,16384,32768,65536 jsr 2 1K 22 16 idl 1 4K 165 32,64,128,256,512,1024,2048,8192,16384,32768,65536,131072 rtsmsg 0 0K 16 131072 module 250 16K 250 64,128 mtx_pool 1 8K 1 64,128 DEVFS3 113 13K 114 256 DEVFS1 106 24K 106 2048 pgrp 15 1K 8600 64 session 11 2K 2829 512 proc 2 1K 2 16384 subproc 296 572K 24689 2048,131072



cred 38 5K 619244 256 plimit 18 4K 21311 2048 uidinfo 3 1K 10 32,512 sysctloid 2701 82K 2701 16,32,64 sysctltmp 0 0K 15572 16,32,64,1024 umtx 171 11K 171 64 SWAP 2 277K 2 64 bus 779 125K 3072 16,32,64,128,32768 bus-sc 67 62K 1477 16,32,64,512,1024,2048,8192,16384,65536,131072 devstat 8 17K 8 16,131072 eventhandler 46 2K 47 32,128 kobj 93 186K 111 65536 DEVFS 8 1K 9 16,64 rman 106 7K 490 16,32,64 sbuf 0 0K 28234 16,32,32768,131072 ... lcc0-re0: -------------------------------------------------------------------------Type InUse MemUse HighUse Requests Size(s) CAM dev queue 1 1K 1 64 entropy 1024 64K 1024 64 linker 487 6272K 1163 16,32,64,4096,32768,131072 USB 127 10K 127 16,32,64,128,256,1024,2048 lockf 23 2K 169585 64 USBdev 10 2K 34 16,128,2048,16384 devbuf 5128 10760K 5310 16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072 temp 1285 151K 10770 16,32,64,128,256,512,2048,4096,8192,16384,32768,65536,131072 ip6ndp 0 0K 4 64 iflogical 20 5K 29 2048 iffamily 45 6K 69 32,1024,2048 rtnexthop 189 29K - 1211988 32,256,512,1024,2048,4096 metrics 11 2K 16 256 rnode 135 3K 606391 16,32 rcache 4 8K 4 65536 iflist 0 0K 6 16,64 ifdevice 11 8K 17 16,32768 ifstat 412 471K 415 512,16384,65536 ipfw 42 23K 91 16,32,64,128,256,512,1024,16384,32768,65536,131072 ifmaddr 415 11K 415 16,32 rtable 225 20K 606584 16,32,64,128,1024,16384 sysctl 0 0K - 2302479 16,32,64 ifaddr 53 4K 69 32,64,128 mkey 133 3K 8974 16,128 pfe_ipc 0 0K - 19035108 16,32,64,128,512,1024,2048,8192,16384,32768,65536,131072 ifstate 710270 42176K - 9583703 16,32,64,128,256,512,1024,2048,8192,16384,32768 idxbucket 1 1K 1 16 itable16 5045 1245K - 1825178 1024,4096 itable32 157 10K 157 64 itable64 2 1K 2 128 lr 1 1K 4 16384 pic 37 6K 37 64,16384 pfestat 0 0K 1682 32,64,128,256,131072 gencfg 1486 424K 2812 16,32,64,256,512,16384,32768,65536 jsr 0 0K 22 16 idl 0 0K 4 32768,131072


435

®


rtsmsg 0 0K 3 131072 module 250 16K 250 64,128 mtx_pool 1 8K 1 64,128 DEVFS3 108 12K 109 256 DEVFS1 101 23K 101 2048 pgrp 5 1K 917 64 session 5 1K 917 512 proc 2 1K 2 16384 subproc 217 441K 4867 2048,131072 cred 21 3K 48719 256 plimit 9 2K 5255 2048 uidinfo 2 1K 2 32,512 sysctloid 2786 85K 2786 16,32,64 sysctltmp 0 0K 1833 16,32,64,1024 umtx 126 8K 126 64 SWAP 2 277K 2 64 bus 780 125K 2734 16,32,64,128,32768 bus-sc 69 69K 1194 16,32,64,512,1024,2048,8192,16384,65536,131072 devstat 8 17K 8 16,131072 eventhandler 45 2K 46 32,128 kobj 93 186K 111 65536 DEVFS 8 1K 9 16,64 rman 94 6K 477 16,32,64 sbuf 0 0K 532 16,32,32768,131072 NULLFS hash 1 1K 1 64 taskqueue 5 1K 5 64 turnstiles 127 8K 127 64 Unitno 6 1K 44 16,64 ioctlops 0 0K - 1771718 16,32,64,128,8192,16384,65536,131072 iov 0 0K 79425 msg 4 25K 4 sem 4 7K 4 shm 2 13K 4 ttys 93 16K 195 soname 31 3K 389284 pcb 101 16K 4374 16,32,64,128,1024,2048,4096,16384,65536 BIO buffer 40 80K 750 vfscache 1 512K 1 cluster_save buffer 0 0K VFS hash 1 256K 1 vnodes 1 1K 1 mount 266 21K 481 vnodemarker 0 0K 2497 pfs_nodes 25 3K 25 pfs_vncache 144 5K 386 STP 1 1K 1 GEOM 173 15K 1068 16,32,64,128,256,512,2048,16384,32768,131072 syncache 1 8K 1 16,32,64,128,256,512,2048,16384,32768,131072 tlv_stat 0 0K 223 16,32,64,128,256,512,2048,16384,32768,131072 NFS daemon 1 8K 1 16,32,64,128,256,512,2048,16384,32768,131072 p1003.1b 1 1K 1 MD disk 9 18K 9 ata_generic 2 2K 25 ISOFS mount 7 1K 13

436

16,64,128,256,512,1024,2048,131072 32768,131072 16384,32768,131072 32768 512,32768 16,32,64,256

65536 65536 55 32,64 32,64 512 16,32,64,128,256,4096,32768 16384 128 32 64

16 65536 16,16384,32768 512



ISOFS node CAM SIM CAM XPT CAM periph ad_driver pagedep inodedep newblk bmsafemap allocdirect freefrag freeblks freefile diradd mkdir dirrem savedino UFS mount ata_dma UMAHash cdev file desc VM pgdata sigio kenv atkbddev kqueue proc-args isadev zombie ithread legacydrv memdesc nexusdev CAM queue KTRACE kbdmux ITEM UMA Kegs: ...

show system virtual-memory | display xml

1439 135K 1 1K 6 1K 1 1K 2 1K 1 64K 1 256K 1 1K 0 0K 0 0K 0 0K 0 0K 0 0K 0 0K 0 0K 0 0K 0 0K 15 36K 6 1K 1 4K 26 3K 111 25K 2 65K 1 1K 30 5K 2 1K 0 0K 28 2K 23 2K 1 1K 92 7K 3 1K 1 4K 2 1K 3 1K 100 10K 5 9K SIZE LIMIT 136, 0,

-

1453 1 9 1 2 105 552 327 19 326 31 103 175 590 166 382 283 15 6 5 26 5199 2 27 33 2 88 3970 23 4651 92 3 1 2 3 100 5 USED 71,

128 64 16,64,16384 128 256 64 256 64,4096 64 128 32 2048 32 64 32 32 512 2048,65536,131072 256 4096,16384,32768,65536,131072 256 16,1024,2048,16384 64 32 16,32,64,131072 32 1024,4096,32768 32,64,128,256,512,1024 64 128 16,64,256 16 131072 16 16 128 128,2048,65536,131072 FREE REQUESTS 1, 71

user@host> show system virtual-memory | display xml CAM dev queue 1 1 - 1 64 entropy 1024 64 - 1024 64 linker 481 1871 -


437

®


1145 16,32,64,4096,32768,131072 lockf 56 4 - 5998 64 devbuf 2094 3877 - 2099 16,32,64,128,512,1024,4096,8192,16384,32768,65536,131072 temp 21 66 - 3127 16,32,64,128,256,512,2048,4096,8192,16384,32768,65536,131072 ip6ndp 0 0 - 4 64 in6ifmulti 1 1 - 1 64 in6grentry 1 1 - 1 64 iflogical 13 3 - 13 64,2048 iffamily 28 4 - 28 32,1024,2048 rtnexthop 127 18 - 129 32,256,512,1024,2048,4096 metrics

438



3 1 - 5 256 inifmulti 3 1 - 3 64 ingrentry 6 1 - 6 64 rnode 68 2 - 76 16,32 rcache 4 8 - 4 65536 ifdevice 4 1 - 4 16 ifstat 40 22 - 40 512,16384,32768 ipfw 42 23 - 91 16,32,64,128,256,512,1024,16384,32768,65536,131072 ifmaddr 103 3 - 103 16,32 rtable 129 14 - 139 16,32,64,128,1024,16384 sysctl


439

®


0 0 - 14847 16,32,64,4096,16384,32768 ifaddr 29 3 - 29 64,128 mkey 345 6 - 2527 16,128 pfe_ipc 0 0 - 1422 16,32,64,128,512,1024,2048,8192,16384,32768,65536,131072 ifstate 594 51 - 655 16,32,64,128,256,1024,2048,4096,16384,32768 itable16 276 52 - 294 1024,4096 itable32 160 10 - 160 64 itable64 2 1 - 2 128 lr 1 1 - 1 16384 pic 5 1 - 5

440



64,512 pfestat 0 0 - 162 16,32,128,256,16384 gencfg 224 56 - 540 16,32,64,256,512,32768,65536 jsr 2 1 - 4 16 idl 0 0 - 13 16,32,64,128,256,4096,16384,32768,131072 rtsmsg 0 0 - 2 131072 module 249 16 - 249 64,128 mtx_pool 1 8 - 1 64,128 DEVFS3 109 12 - 117 256 DEVFS1 102 23 - 109 2048 pgrp 12 1 - 21


441

®


64 session 8 1 - 15 512 proc 2 1 - 2 16384 subproc 244 496 - 1522 2048,131072 cred 30 4 - 11409 256 plimit 17 4 - 133 2048 uidinfo 3 1 - 6 32,512 sysctloid 1117 34 - 1117 16,32,64 sysctltmp 0 0 - 743 16,32,64,1024 umtx 144 9 - 144 64 SWAP 2 209 - 2 64

442



bus 496 55 - 1196 16,32,64,128,32768 bus-sc 23 33 - 335 16,32,64,512,1024,2048,8192,16384,65536,131072 devstat 10 21 - 10 16,131072 eventhandler 35 2 - 36 32,128 kobj 93 186 - 111 65536 DEVFS 8 1 - 9 16,64 rman 71 5 - 433 16,32,64 sbuf 0 0 - 522 16,32,32768,131072 NULLFS hash 1 1 - 1 64 taskqueue 5 1 - 5 64


443

®


turnstiles 145 10 - 145 64 Unitno 8 1 - 44 16,64 ioctlops 0 0 - 27622 16,64,8192,16384,131072 iov 0 0 - 18578 16,64,128,256,512,1024,2048,131072 msg 4 25 - 4 32768,131072 sem 4 7 - 4 16384,32768,131072 shm 9 20 - 14 32768 ttys 321 61 - 528 512,32768 ptys 1 1 - 1 128 mbuf_tag 0 0 - 23383 16 soname

444



115 12 - 24712 16,32,64,256 pcb 216 33 - 484 16,32,64,128,1024,2048,4096,16384,32768,65536 BIO buffer 43 86 - 405 65536 vfscache 1 256 - 1 65536 cluster_save buffer 0 0 - 2 32,64 VFS hash 1 128 - 1 32,64 vnodes 1 1 - 1 512 mount 290 23 - 535 16,32,64,128,256,4096,32768 vnodemarker 0 0 - 498 16384 pfs_nodes 25 3 - 25 128 pfs_vncache


445

®


27 1 - 53 32 STP 1 1 - 1 64 GEOM 146 11 - 1042 16,32,64,128,256,512,2048,16384,32768,131072 syncache 1 8 - 1 16,32,64,128,256,512,2048,16384,32768,131072 tlv_stat 0 0 - 8 16,32,64,128,256,512,2048,16384,32768,131072 NFS daemon 1 8 - 1 16,32,64,128,256,512,2048,16384,32768,131072 p1003.1b 1 1 - 1 16 MD disk 10 20 - 10 65536 ata_generic 1 1 - 6 16,16384,32768 ISOFS mount 8 1 -

446



15 512 ISOFS node 1440 135 - 1457 128 CAM SIM 1 1 - 1 64 CAM XPT 6 1 - 9 16,64,16384 CAM periph 1 1 - 1 128 ad_driver 1 1 - 1 256 pagedep 1 32 - 106 64 inodedep 1 128 - 464 256 newblk 1 1 - 336 64,4096 bmsafemap 0 0 - 63 64 allocdirect 0 0 - 320


447

®


128 indirdep 0 0 - 17 32 allocindir 0 0 - 15 64 freefrag 0 0 - 12 32 freeblks 0 0 - 40 2048 freefile 0 0 - 101 32 diradd 0 0 - 465 64 mkdir 0 0 - 136 32 dirrem 0 0 - 168 32 newdirblk 0 0 - 1 32 savedino 0 0 - 157 512

448



UFS mount 15 36 - 15 2048,65536,131072 ata_dma 2 1 - 2 256 UMAHash 1 2 - 4 4096,16384,32768,65536 cdev 22 3 - 22 256 file desc 141 32 - 1583 16,1024,2048,16384 VM pgdata 2 65 - 2 64 sigio 1 1 - 20 32 kenv 24 5 - 27 16,32,64,131072 atkbddev 2 1 - 2 32 kqueue 15 9 - 19 1024,4096,32768 proc-args


449

®


57 3 - 1001 16,32,64,128,256,512,1024 isadev 21 2 - 21 64 zombie 0 0 - 1278 128 ithread 69 5 - 69 16,64,256 legacydrv 4 1 - 4 16 memdesc 1 4 - 1 131072 nexusdev 2 1 - 2 16 CAM queue 3 1 - 3 16 $PIR 4 1 - 4 32 KTRACE 100 10 - 100 128 kbdmux 5

450



9 - 5 128,2048,65536,131072 UMA Kegs: 136 0 71 1 71 UMA Zones: 120 0 71 19 71 UMA Slabs: 64 0 490 41 579 UMA RCntSlabs: 104 0 276 20 276 UMA Hash: 128 0 4 26 5 16 Bucket: 76 0 30 20 30 32 Bucket: 140 0 33 23 33 64 Bucket: 268 0 33 9 33 128 Bucket: 524 0 49 0 49 VM OBJECT:


451

®


128 0 2111 79 25214 MAP: 160 0 7 41 7 KMAP ENTRY: 68 35336 19 149 2397 MAP ENTRY: 68 0 2031 153 62417 PV ENTRY: 24 509095 57177 6333 1033683 DP fakepg: 72 0 0 0 0 mt_zone: 64 0 238 57 238 16: 16 0 2114 119 80515 32: 32 0 1335 134 10259 64: 64 0 3529 129 29110 96: 96

452



0 2062 58 4365 112: 112 0 361 164 24613 128: 128 0 359 61 942 160: 160 0 364 44 577 224: 224 0 422 20 1950 256: 256 0 204 36 1225 288: 288 0 2 24 10 512: 512 0 49 7 911 1024: 1024 0 213 11 1076 2048: 2048 0 199 113 640 4096: 4096 0


453

®


144 7 2249 Files: 72 0 665 77 16457 MAC labels: 20 0 3998 227 21947 PROC: 544 0 116 10 1394 THREAD: 416 0 127 17 131 KSEGRP: 88 0 127 73 131 UPCALL: 44 0 0 0 0 SLEEPQUEUE: 32 0 145 194 145 VMSPACE: 268 0 57 13 1335 mbuf_packet: 256 180000 256 128 49791 mbuf: 256 180000 50

454



466 105183 mbuf_cluster: 2048 25190 387 165 5976 mbuf_jumbo_pagesize: 4096 0 0 0 0 mbuf_jumbo_9k: 9216 0 0 0 0 mbuf_jumbo_16k: 16384 0 0 0 0 ACL UMA zone: 388 0 0 0 0 g_bio: 132 0 0 174 69750 ata_request: 200 0 0 57 5030 ata_composite: 192 0 0 0 0 GENCFG: 72 1000004 57 102 57 VNODE: 292 0 2718 25


455

®


2922 VNODEPOLL: 72 0 0 0 0 S VFS Cache: 68 0 2500 76 3824 L VFS Cache: 291 0 51 14 63 NAMEI: 1024 0 0 8 53330 NFSMOUNT: 480 0 0 0 0 NFSNODE: 460 0 0 0 0 PIPE: 404 0 27 9 717 KNOTE: 72 0 42 64 3311 socket: 412 25191 343 8 2524 unpcb: 140 25200 170 26 2157

456



ipq: 52 216 0 0 0 udpcb: 232 25194 19 32 31 inpcb: 232 25194 40 28 105 tcpcb: 520 25193 40 16 105 tcptw: 56 5092 0 0 0 syncache: 128 15360 0 60 55 tcpreass: 20 1690 0 0 0 sackhole: 20 0 0 0 0 ripcb: 232 25194 5 29 5 SWAPMETA: 276 94948 0 0 0 FFS inode:


457

®


132 0 1146 72 1306 FFS1 dinode: 128 0 1146 24 1306 FFS2 dinode: 256 0 0 0 0 934906 1707986 33819 203604 1200636 60 1313 21 0 0 0 0 0 23094 23119 226 3143 0 0 8821 48364 31 74665 70061 85 191824 0 95343 3526 0 221502 0 75630 45826 13227 49278 10640 70706 4096 0 0

458



214496 92 5 0 0 0 0 irq0: clk 1243455 999 irq4: sio0 1140 0 irq8: rtc 159164 127 irq9: cbb1 fxp0 28490 22 irq10: fxp1 20593 16 irq14: ata0 5031 4 Total 1457873 1171 248524800

show system virtual-memory (QFX Series)

user@switch> show system virtual-memory | display xml CAM dev queue 1 1 - 1 64 entropy 1024 64 - 1024 64 linker 481 1871 - 1145


459

®


16,32,64,4096,32768,131072 lockf 56 4 - 5998 64 devbuf 2094 3877 - 2099 16,32,64,128,512,1024,4096,8192,16384,32768,65536,131072 temp 21 66 - 3127 16,32,64,128,256,512,2048,4096,8192,16384,32768,65536,131072 ip6ndp 0 0 - 4 64 in6ifmulti 1 1 - 1 64 in6grentry 1 1 - 1 64 iflogical 13 3 - 13 64,2048 iffamily 28 4 - 28 32,1024,2048 rtnexthop 127 18 - 129 32,256,512,1024,2048,4096 metrics 3

460



1 - 5 256 inifmulti 3 1 - 3 64 ingrentry 6 1 - 6 64 rnode 68 2 - 76 16,32 rcache 4 8 - 4 65536 ifdevice 4 1 - 4 16 ifstat 40 22 - 40 512,16384,32768 ipfw 42 23 - 91 16,32,64,128,256,512,1024,16384,32768,65536,131072 ifmaddr 103 3 - 103 16,32 rtable 129 14 - 139 16,32,64,128,1024,16384 sysctl 0


461

®


0 - 14847 16,32,64,4096,16384,32768 ifaddr 29 3 - 29 64,128 mkey 345 6 - 2527 16,128 pfe_ipc 0 0 - 1422 16,32,64,128,512,1024,2048,8192,16384,32768,65536,131072 ifstate 594 51 - 655 16,32,64,128,256,1024,2048,4096,16384,32768 itable16 276 52 - 294 1024,4096 itable32 160 10 - 160 64 itable64 2 1 - 2 128 lr 1 1 - 1 16384 pic 5 1 - 5 64,512

462



pfestat 0 0 - 162 16,32,128,256,16384 gencfg 224 56 - 540 16,32,64,256,512,32768,65536 jsr 2 1 - 4 16 idl 0 0 - 13 16,32,64,128,256,4096,16384,32768,131072 rtsmsg 0 0 - 2 131072 module 249 16 - 249 64,128 mtx_pool 1 8 - 1 64,128 DEVFS3 109 12 - 117 256 DEVFS1 102 23 - 109 2048 pgrp 12 1 - 21 64


463

®


session 8 1 - 15 512 proc 2 1 - 2 16384 subproc 244 496 - 1522 2048,131072 cred 30 4 - 11409 256 plimit 17 4 - 133 2048 uidinfo 3 1 - 6 32,512 sysctloid 1117 34 - 1117 16,32,64 sysctltmp 0 0 - 743 16,32,64,1024 umtx 144 9 - 144 64 SWAP 2 209 - 2 64 bus

464



496 55 - 1196 16,32,64,128,32768 bus-sc 23 33 - 335 16,32,64,512,1024,2048,8192,16384,65536,131072 devstat 10 21 - 10 16,131072 eventhandler 35 2 - 36 32,128 kobj 93 186 - 111 65536 DEVFS 8 1 - 9 16,64 rman 71 5 - 433 16,32,64 sbuf 0 0 - 522 16,32,32768,131072 NULLFS hash 1 1 - 1 64 taskqueue 5 1 - 5 64 turnstiles


465

®


145 10 - 145 64 Unitno 8 1 - 44 16,64 ioctlops 0 0 - 27622 16,64,8192,16384,131072 iov 0 0 - 18578 16,64,128,256,512,1024,2048,131072 msg 4 25 - 4 32768,131072 sem 4 7 - 4 16384,32768,131072 shm 9 20 - 14 32768 ttys 321 61 - 528 512,32768 ptys 1 1 - 1 128 mbuf_tag 0 0 - 23383 16 soname 115

466



12 - 24712 16,32,64,256 pcb 216 33 - 484 16,32,64,128,1024,2048,4096,16384,32768,65536 BIO buffer 43 86 - 405 65536 vfscache 1 256 - 1 65536 cluster_save buffer 0 0 - 2 32,64 VFS hash 1 128 - 1 32,64 vnodes 1 1 - 1 512 mount 290 23 - 535 16,32,64,128,256,4096,32768 vnodemarker 0 0 - 498 16384 pfs_nodes 25 3 - 25 128 pfs_vncache 27


467

®


1 - 53 32 STP 1 1 - 1 64 GEOM 146 11 - 1042 16,32,64,128,256,512,2048,16384,32768,131072 syncache 1 8 - 1 16,32,64,128,256,512,2048,16384,32768,131072 tlv_stat 0 0 - 8 16,32,64,128,256,512,2048,16384,32768,131072 NFS daemon 1 8 - 1 16,32,64,128,256,512,2048,16384,32768,131072 p1003.1b 1 1 - 1 16 MD disk 10 20 - 10 65536 ata_generic 1 1 - 6 16,16384,32768 ISOFS mount 8 1 - 15

468



512 ISOFS node 1440 135 - 1457 128 CAM SIM 1 1 - 1 64 CAM XPT 6 1 - 9 16,64,16384 CAM periph 1 1 - 1 128 ad_driver 1 1 - 1 256 pagedep 1 32 - 106 64 inodedep 1 128 - 464 256 newblk 1 1 - 336 64,4096 bmsafemap 0 0 - 63 64 allocdirect 0 0 - 320 128


469

®


indirdep 0 0 - 17 32 allocindir 0 0 - 15 64 freefrag 0 0 - 12 32 freeblks 0 0 - 40 2048 freefile 0 0 - 101 32 diradd 0 0 - 465 64 mkdir 0 0 - 136 32 dirrem 0 0 - 168 32 newdirblk 0 0 - 1 32 savedino 0 0 - 157 512 UFS mount

470



15 36 - 15 2048,65536,131072 ata_dma 2 1 - 2 256 UMAHash 1 2 - 4 4096,16384,32768,65536 cdev 22 3 - 22 256 file desc 141 32 - 1583 16,1024,2048,16384 VM pgdata 2 65 - 2 64 sigio 1 1 - 20 32 kenv 24 5 - 27 16,32,64,131072 atkbddev 2 1 - 2 32 kqueue 15 9 - 19 1024,4096,32768 proc-args 57


471

®


3 - 1001 16,32,64,128,256,512,1024 isadev 21 2 - 21 64 zombie 0 0 - 1278 128 ithread 69 5 - 69 16,64,256 legacydrv 4 1 - 4 16 memdesc 1 4 - 1 131072 nexusdev 2 1 - 2 16 CAM queue 3 1 - 3 16 $PIR 4 1 - 4 32 KTRACE 100 10 - 100 128 kbdmux 5 9

472



- 5 128,2048,65536,131072 UMA Kegs: 136 0 71 1 71 UMA Zones: 120 0 71 19 71 UMA Slabs: 64 0 490 41 579 UMA RCntSlabs: 104 0 276 20 276 UMA Hash: 128 0 4 26 5 16 Bucket: 76 0 30 20 30 32 Bucket: 140 0 33 23 33 64 Bucket: 268 0 33 9 33 128 Bucket: 524 0 49 0 49 VM OBJECT: 128


473

®


0 2111 79 25214 MAP: 160 0 7 41 7 KMAP ENTRY: 68 35336 19 149 2397 MAP ENTRY: 68 0 2031 153 62417 PV ENTRY: 24 509095 57177 6333 1033683 DP fakepg: 72 0 0 0 0 mt_zone: 64 0 238 57 238 16: 16 0 2114 119 80515 32: 32 0 1335 134 10259 64: 64 0 3529 129 29110 96: 96 0

474



2062 58 4365 112: 112 0 361 164 24613 128: 128 0 359 61 942 160: 160 0 364 44 577 224: 224 0 422 20 1950 256: 256 0 204 36 1225 288: 288 0 2 24 10 512: 512 0 49 7 911 1024: 1024 0 213 11 1076 2048: 2048 0 199 113 640 4096: 4096 0 144


475

®


7 2249 Files: 72 0 665 77 16457 MAC labels: 20 0 3998 227 21947 PROC: 544 0 116 10 1394 THREAD: 416 0 127 17 131 KSEGRP: 88 0 127 73 131 UPCALL: 44 0 0 0 0 SLEEPQUEUE: 32 0 145 194 145 VMSPACE: 268 0 57 13 1335 mbuf_packet: 256 180000 256 128 49791 mbuf: 256 180000 50 466

476



105183 mbuf_cluster: 2048 25190 387 165 5976 mbuf_jumbo_pagesize: 4096 0 0 0 0 mbuf_jumbo_9k: 9216 0 0 0 0 mbuf_jumbo_16k: 16384 0 0 0 0 ACL UMA zone: 388 0 0 0 0 g_bio: 132 0 0 174 69750 ata_request: 200 0 0 57 5030 ata_composite: 192 0 0 0 0 GENCFG: 72 1000004 57 102 57 VNODE: 292 0 2718 25 2922


477

®


VNODEPOLL: 72 0 0 0 0 S VFS Cache: 68 0 2500 76 3824 L VFS Cache: 291 0 51 14 63 NAMEI: 1024 0 0 8 53330 NFSMOUNT: 480 0 0 0 0 NFSNODE: 460 0 0 0 0 PIPE: 404 0 27 9 717 KNOTE: 72 0 42 64 3311 socket: 412 25191 343 8 2524 unpcb: 140 25200 170 26 2157 ipq:

478



52 216 0 0 0 udpcb: 232 25194 19 32 31 inpcb: 232 25194 40 28 105 tcpcb: 520 25193 40 16 105 tcptw: 56 5092 0 0 0 syncache: 128 15360 0 60 55 tcpreass: 20 1690 0 0 0 sackhole: 20 0 0 0 0 ripcb: 232 25194 5 29 5 SWAPMETA: 276 94948 0 0 0 FFS inode: 132


479

®


0 1146 72 1306 FFS1 dinode: 128 0 1146 24 1306 FFS2 dinode: 256 0 0 0 0 934906 1707986 33819 203604 1200636 60 1313 21 0 0 0 0 0 23094 23119 226 3143 0 0 8821 48364 31 74665 70061 85 191824 0 95343 3526 0 221502 0 75630 45826 13227 49278 10640 70706 4096 0 0 214496

480



92 5 0 0 0 0 irq0: clk 1243455 999 irq4: sio0 1140 0 irq8: rtc 159164 127 irq9: cbb1 fxp0 28490 22 irq10: fxp1 20593 16 irq14: ata0 5031 4 Total 1457873 1171 248524800


481

®


show task replication Syntax Release Information

Description

Options Required Privilege Level List of Sample Output

Output Fields

show task replication

Command introduced in Junos OS Release 8.5. Command introduced in Junos OS Release 9.0 for EX Series switches. Displays graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) status. When you issue this command on the master Routing Engine, the status of nonstop active routing synchronization is also displayed. This command has no options. view

show task replication (Issued on the Master Routing Engine) on page 482 show task replication (Issued on the Backup Routing Engine) on page 483 Table 70 on page 482 lists the output fields for the show task replication command. Output fields are listed in the approximate order in which they appear.

Table 70: show task replication Output Fields Field Name

Field Description

Stateful replication

Displays whether or not graceful Routing Engine switchover is configured. The status can be Enabled or Disabled.

RE mode

Displays the Routing Engine on which the command is issued: Master, Backup, or Not applicable (when the router has only one Routing Engine).

Protocol

Protocols that are supported by nonstop active routing.

Synchronization Status

Nonstop active routing synchronization status for the supported protocols. States are NotStarted, InProgress, and Complete.

Sample Output show task replication (Issued on the Master Routing Engine)

user@host> show task replication Stateful Replication: Enabled RE mode: Master Protocol OSPF BGP IS-IS LDP PIM

482

Synchronization Status NotStarted Complete NotStarted Complete Complete



show task replication (Issued on the Backup Routing Engine)

user@host> show task replication Stateful Replication: Enabled RE mode: Backup


483

®


show version Syntax

show version


show version


show version



show version show version

Syntax (QFX Series)

show version

Syntax (QFX Series)

show version

Release Information


Description

Options

Display the hostname and version information about the software running on the router or switch. none—Display standard information about the hostname and version of the software

running on the router or switch. brief | detail—(Optional) Display the specified level of output. all—(QFabric switches only) (Optional) Display the host name and version information

about the software running on all of the devices on the QFabric. all-members—(EX4200 switches and MX Series routers only) (Optional) Display standard

information about the hostname and version of the software running on all members of the Virtual Chassis configuration.

484



all—(QFabric switches only) (Optional) Display the host name and version information

about the software running on all of the components on the QFabric. component component-name—(QFabric switches only) (Optional) Display the host name

and version information about the software running on a specific QFabric component. Replace component-name with the name of the QFabric component. The component-name can be the name of a diagnostics Routing Engine, Director group, fabric control Routing Engine, fabric manager Routing Engine, Interconnect device, or Node group. local—(EX4200 switches and MX Series routers only) (Optional) Display standard

information about the hostname and version of the software running on the local Virtual Chassis member. member member-id—(EX4200 switches and MX Series routers only) (Optional) Display

standard information about the hostname and version of the software running on the specified member of the Virtual Chassis configuration. For EX4200 switches, replace member-id with a value from 0 through 9. For an MX Series Virtual Chassis, replace member-id with a value of 0 or 1. scc—(TX Matrix routers only) (Optional) Display the hostname and version information

about the software running on the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus routers only) (Optional) Display the hostname and version

information about the software running on the TX Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information


By default, when you issue the show version command on a TX Matrix or TX Matrix Plus master Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) master Routing Engines connected to it. Likewise, if you issue the same command on the TX Matrix or TX Matrix Plus backup Routing Engine, the command is broadcast to all the T640 (in a routing matrix based on a TX Matrix router) or T1600 (in a routing matrix based on a TX Matrix Plus router) backup Routing Engines that are connected to it. view

show version on page 486 show version (TX Matrix Plus Router) on page 486 show version (MX Series Router) on page 491 show version (QFX3500 Switch) on page 491 show version (QFabric Switch) on page 491 show version component all (QFabric Switch) on page 491


485

®


Sample Output show version

user@host> show version Hostname: router1 Model: m20 JUNOS Base OS boot [7.2-20050312.0] JUNOS Base OS Software Suite [7.2-20050312.0] JUNOS Kernel Software Suite [7.2R1.7] JUNOS Packet Forwarding Engine Support (M20/M40) [7.2R1.7] JUNOS Routing Software Suite [7.2R1.7] JUNOS Online Documentation [7.2R1.7] JUNOS Crypto Software Suite [7.2R1.7] {master} user@host> show version psd 1 psd1-re0: -------------------------------------------------------------------------Hostname: china Model: t640 JUNOS Base OS boot [9.1I20080311_1959_builder] JUNOS Base OS Software Suite [9.1-20080321.0] JUNOS Kernel Software Suite [9.1-20080321.0] JUNOS Crypto Software Suite [9.1-20080321.0] JUNOS Packet Forwarding Engine Support (M/T Common) [9.1-20080321.0] JUNOS Packet Forwarding Engine Support (T-series) [9.1-20080321.0] JUNOS Online Documentation [9.1-20080321.0] JUNOS Routing Software Suite [9.1-20080321.0] labpkg [7.0]

show version (TX Matrix Plus Router)

user@host> show version sfc0-re0: -------------------------------------------------------------------------Type InUse MemUse HighUse Requests Size(s) file desc 164 35K 4034 16,1024,2048,16384 sigio 1 1K 50 32 kenv 28 5K 31 16,32,64,131072 kqueue 5 3K 119 1024,4096,32768 proc-args 66 3K 2951 16,32,64,128,256,512,1024,2048 zombie 0 0K 3513 128 ithread 100 7K 100 16,64,256 CAM queue 3 1K 3 16 KTRACE 100 10K 100 128 entropy 1024 64K 1024 64 USB 127 10K 127 16,32,64,128,256,1024,2048 linker 485 6216K 1166 16,32,64,4096,32768,131072 USBdev 10 1K 34 16,128,2048,16384 lockf 50 4K 64872 64 devbuf 21086 15337K 21661 16,32,64,128,256,512,1024,2048,4096,16384,32768,65536,131072 temp 1249 149K 9479 16,32,64,128,256,512,2048,4096,16384,32768,65536,131072 ip6ndp 0 0K 4 in6ifmulti 1 1K 1 in6grentry 1 1K 1 iftable 13 3K 14 iflogical 17 4K 24 iffamily 45 6K 63 rtnexthop 206 36K 380 16,32,64,256,512,1024,2048,4096,8192,16384

486

64 64 64 16,64,4096 64,2048 32,1024,2048



metrics 5 1K 25 256 inifmulti 6 1K 12 64 ingrentry 12 1K 24 64 rnode 126 3K 240 16,32 rcache 4 8K 4 65536 tagnh 10 2K 20 256 ifdevice 11 8K 11 16,32768 ifstat 2817 2765K 2825 16,32,1024,16384,32768,65536 ipfw 32 22K 43 16,32,64,128,256,512,16384,32768,65536,131072 ifmaddr 399 11K 435 16,32 rtable 208 19K 340 16,32,64,128,1024,16384 sysctl 0 0K - 1188265 16,32,64,4096,16384,32768 ifaddr 45 3K 57 32,64,128 mkey 354 6K 4690 16,128 pfe_ipc 0 0K 11456 16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072 ifstate 5961 435K 6846 16,32,64,128,256,512,1024,2048,4096,16384,32768 itable16 249 39K 294 256,4096 itable32 148 5K 148 32 itable64 2 1K 2 64 lr 1 1K 1 16384 pic 29 3K 29 64,16384 pfestat 0 0K 2820 32,128,65536 gencfg 1499 200K 6086 16,32,64,128,512,4096,16384,32768,65536 jsr 2 1K 10 16 idl 1 4K 121 32,64,128,256,512,1024,2048,4096,16384,32768,65536,131072 rtsmsg 0 0K 16 131072 DEVFS2 108 2K 108 16 DEVFS3 204 23K 205 256 module 247 16K 247 64,128 mtx_pool 1 8K 1 DEVFS1 108 27K 108 4096 pgrp 20 2K 275 64 session 14 2K 173 512 proc 2 1K 2 16384 subproc 302 601K 3815 4096,131072 cred 45 5K 33092 256 plimit 22 5K 1363 2048 uidinfo 3 1K 6 32,512 sysctloid 2548 78K 2548 16,32,64 sysctltmp 0 0K 1449 16,32,64,1024 umtx 162 11K 162 64 SWAP 2 277K 2 64 bus 781 126K 3263 16,32,64,128,32768 bus-sc 67 62K 1623 16,32,64,512,1024,4096,16384,65536,131072 DEVFS 14 1K 15 16,64 devstat 8 17K 8 16,131072 eventhandler 42 2K 42 32,128 kobj 93 186K 111 65536 rman 106 7K 490 16,32,64 sbuf 0 0K 1112 16,32,32768,131072 NULLFS hash 1 1K 1 64 taskqueue 5 1K 5 64 turnstiles 163 11K 163 64 Unitno 6 1K 10 16,64 ioctlops 0 0K 477380 16,32,64,128,16384,65536,131072


487

®


iov 0 0K 49032 16,64,128,256,512,1024,2048,131072 msg 4 25K 4 32768,131072 sem 4 7K 4 16384,32768,131072 shm 3 14K 8 32768 ttys 412 60K 863 512,32768 ptys 4 1K 4 128 mbextcnt 0 0K 42 16 soname 104 11K 104726 16,32,64,256 pcb 256 32K 1097 16,32,64,128,1024,2048,4096,16384,32768,65536 BIO buffer 44 88K 723 65536 vfscache 1 512K 1 cluster_save buffer 0 0K 30 32,64 VFS hash 1 256K 1 vnodes 1 1K 1 512 mount 274 23K 489 16,32,64,128,256,4096,32768 vnodemarker 0 0K 1699 16384 pfs_nodes 25 3K 25 128 pfs_vncache 227 8K 429 32 GEOM 173 15K 1068 16,32,64,128,256,512,2048,16384,32768,131072 STP 1 1K 1 64 CAM dev queue 1 1K 1 64 syncache 1 8K 1 tlv_stat 0 0K 238 NFS daemon 1 8K 1 pagedep 1 64K 124 64 inodedep 1 256K 605 256 newblk 1 1K 611 64,4096 bmsafemap 0 0K 47 64 allocdirect 0 0K 605 128 indirdep 0 0K 6 32 allocindir 0 0K 5 64 freefrag 0 0K 91 32 freeblks 0 0K 93 2048 freefile 0 0K 161 32 diradd 0 0K 603 64 mkdir 0 0K 166 32 dirrem 0 0K 312 32 newdirblk 0 0K 1 32 savedino 0 0K 294 512 UFS mount 15 36K 15 4096,65536,131072 UMAHash 1 16K 7 4096,16384,32768,65536,131072 MD disk 9 18K 9 65536 ata_generic 2 2K 21 16,16384,32768 ISOFS mount 7 1K 13 512 VM pgdata 2 65K 2 64 ISOFS node 1405 132K 1419 128 CAM SIM 1 1K 1 64 atkbddev 2 1K 2 32 Gzip trees 0 0K 470292 32,64,128,1024,8192,32768,65536,131072 CAM XPT isadev CAM periph I/O APIC ad_driver legacydrv memdesc MP Table nexusdev

488

6 23 1 1 2 3 1 1 2

1K 2K 1K 1K 1K 1K 4K 1K 1K

-

9 23 1 1 2 3 1 1 2

16,64,16384 64 128 32768 256 16 131072 128 16



ata_dma cdev kbdmux ITEM

6 26 5 SIZE

1K 3K 9K LIMIT

-

6 26 5 USED

256 256 128,4096,65536,131072 FREE REQUESTS

UMA Kegs: 136, 0, 69, 3, 69 UMA Zones: 120, 0, 69, 21, 69 UMA Slabs: 64, 0, 1681, 30, 17268 UMA RCntSlabs: 104, 0, 2419, 23, 2419 UMA Hash: 128, 0, 4, 26, 5 16 Bucket: 76, 0, 32, 18, 32 32 Bucket: 140, 0, 35, 21, 35 64 Bucket: 268, 0, 32, 10, 32 128 Bucket: 524, 0, 105, 0, 105 VM OBJECT: 128, 0, 3767, 193, 69113 MAP: 160, 0, 7, 41, 7 KMAP ENTRY: 68, 44352, 26, 142, 40036 MAP ENTRY: 68, 0, 2718, 474, 195484 PV ENTRY: 24, 1259180, 107193, 12722, 5133143 DP fakepg: 72, 0, 0, 0, 0 mt_zone: 64, 0, 231, 64, 231 16: 16, 0, 4447, 222, 1707104 32: 32, 0, 5559, 204, 427638 64: 64, 0, 23128, 59, 191981 96: 96, 0, 3628, 92, 36576 112: 112, 0, 782, 93, 51883 128: 128, 0, 727, 143, 2028 160: 160, 0, 1041, 39, 9623 208: 208, 0, 302, 40, 5625 256: 256, 0, 627, 18, 4296 272: 272, 0, 48, 22, 3160 512: 512, 0, 666, 14, 5529 1024: 1024, 0, 420, 12, 15128 2048: 2048, 0, 1909, 17, 13067 4096: 4096, 0, 228, 19, 7877 Files: 72, 0, 586, 103, 124488 PROC: 544, 0, 139, 22, 3652 THREAD: 416, 0, 161, 1, 162 KSEGRP: 88, 0, 161, 39, 162 UPCALL: 44, 0, 0, 0, 0 SLEEPQUEUE: 32, 0, 163, 176, 163 VMSPACE: 268, 0, 66, 18, 3569 mbuf_packet: 256, 180000, 256, 128, 27221 mbuf: 256, 180000, 4110, 501, 2286155 mbuf_cluster: 2048, 30000, 4487, 351, 697551 mbuf_jumbo_pagesize: 4096, 0, 0, 0, mbuf_jumbo_9k: 9216, 0, 0, 0, 0 mbuf_jumbo_16k: 16384, 0, 0, 0, 0 ACL UMA zone: 388, 0, 0, 0, 0 g_bio: 132, 0, 0, 290, 97288 ata_request: 200, 0, 0, 76, 5910 ata_composite: 192, 0, 0, 0, 0 VNODE: 292, 0, 4128, 32, 4583 VNODEPOLL: 72, 0, 0, 0, 0 S VFS Cache: 68, 0, 3890, 86, 9271 L VFS Cache: 291, 0, 17, 22, 24 NAMEI: 1024, 0, 0, 36, 341732 NFSMOUNT: 480, 0, 0, 0, 0 NFSNODE: 460, 0, 0, 0, 0 PIPE: 404, 0, 29, 7, 1825 KNOTE: 72, 0, 35, 71, 15004


0

489

®


socket: ipq: udpcb: inpcb: tcpcb: tcptw: syncache: tcpreass: sackhole: ripcb: unpcb: SWAPMETA: FFS inode: FFS1 dinode: FFS2 dinode:

412, 52, 224, 224, 520, 56, 128, 20, 20, 224, 140, 276, 132, 128, 256,

30006, 288, 30005, 30005, 30002, 6030, 15360, 2028, 0, 30005, 30016, 121576, 0, 0, 0,

352, 0, 24, 35, 35, 0, 0, 0, 0, 5, 150, 0, 2385, 2385, 0,

26, 0, 27, 33, 7, 134, 60, 0, 0, 29, 46, 0, 51, 45, 0,

4683 0 232 140 140 66 41 0 0 7 3791 0 2622 2622 0

19933113 5244831 154821 459702 8357837 76 3442 134 0 0 0 0 0 504 538 380 3646 0 0 56570 127752 39 200992 196746 27 443499 0 441644 52141 0 420183 0 206284 52228 56648 52413 17956 654199 4096 0 0 1295493

cpu context switches device interrupts software interrupts traps system calls kernel threads created fork() calls vfork() calls rfork() calls swap pager pageins swap pager pages paged in swap pager pageouts swap pager pages paged out vnode pager pageins vnode pager pages paged in vnode pager pageouts vnode pager pages paged out page daemon wakeups pages examined by the page daemon pages reactivated copy-on-write faults copy-on-write optimized faults zero fill pages zeroed zero fill pages prezeroed intransit blocking page faults total VM faults taken pages affected by kernel thread creation pages affected by fork() pages affected by vfork() pages affected by rfork() pages freed pages freed by daemon pages freed by exiting processes pages active pages inactive pages in VM cache pages wired down pages free bytes per page swap pages used peak swap pages used total name lookups cache hits (93% pos + 5% neg) system 0% per-directory deletions 0%, falsehits 0%, toolong 0% interrupt total rate

490



irq4: sio0 irq16: uhci0 uhci* irq17: uhci1 uhci* cpu0: timer Total vm.kmem_map_free: 618377216

show version (MX Series Router)

show version (QFX3500 Switch)

show version (QFabric Switch)

show version component all (QFabric Switch)

5131 164201 386684 8131301 8687317

1 40 95 2017 2155

user@host5> show version Hostname: host5 Model: mx80 JUNOS Base OS boot [11.3-20110717.0] JUNOS Base OS Software Suite [11.3-20110717.0] JUNOS Kernel Software Suite [11.3-20110717.0] JUNOS Crypto Software Suite [11.3-20110717.0] JUNOS Packet Forwarding Engine Support (MX80) [11.3-20110717.0] JUNOS Online Documentation [11.3-20110717.0] JUNOS Routing Software Suite [11.3-20110717.0] user@switch> show version Hostname: switch Model: qfx_s3500 JUNOS Base OS boot [11.1R1] JUNOS Base OS Software Suite [11.1R1] JUNOS Kernel Software Suite [11.1R1] JUNOS Crypto Software Suite [11.1R1 JUNOS Online Documentation [11.1R1] JUNOS Enterprise Software Suite [11.1R1] JUNOS Packet Forwarding Engine Support (QFX) [11.1R1] JUNOS Routing Software Suite [11.1R1] user@qfabric> show version Hostname: qfabric Model: qfx3000 Serial Number: qfsn-0123456789 QFabric System ID: f158527a-f99e-11e0-9fbd-00e081c57cda JUNOS Base Version [11.3I20111018_0215_dc-builder] user@switch> show version component all dg1: – Hostname: qfabric Model: qfx3100 JUNOS Base Version [11.3R1.6] dg0: Hostname: qfabric Model: qfx3100 JUNOS Base Version [11.3R1.6] NW-NG-0: Hostname: qfabric Model: qfx-jvre JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6] JUNOS Crypto Software Suite [11.3R1.6] JUNOS Online Documentation [11.3R1.6] JUNOS Enterprise Software Suite [11.3R1.6]


491

®


JUNOS Packet Forwarding Engine Support (QFX RE) [11.3R1.6] JUNOS Routing Software Suite [11.3R1.6] FC-0: Hostname: qfabric Model: qfx-jvre JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6] JUNOS Crypto Software Suite [11.3R1.6] JUNOS Online Documentation [11.3R1.6] JUNOS Enterprise Software Suite [11.3R1.6] JUNOS Packet Forwarding Engine Support (QFX RE) [11.3R1.6] JUNOS Routing Software Suite [11.3R1.6] FC-1: Hostname: qfabric Model: qfx-jvre JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6] JUNOS Crypto Software Suite [11.3R1.6] JUNOS Online Documentation [11.3R1.6] JUNOS Enterprise Software Suite [11.3R1.6] JUNOS Packet Forwarding Engine Support (QFX RE) [11.3R1.6] JUNOS Routing Software Suite [11.3R1.6] DRE-0: Hostname: dre-0 Model: qfx-jvre JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6] JUNOS Crypto Software Suite [11.3R1.6] JUNOS Online Documentation [11.3R1.6] JUNOS Enterprise Software Suite [11.3R1.6] JUNOS Packet Forwarding Engine Support (QFX RE) [11.3R1.6] JUNOS Routing Software Suite [11.3R1.6] FM-0: Hostname: qfabric Model: qfx-jvre JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6] JUNOS Crypto Software Suite [11.3R1.6] JUNOS Online Documentation [11.3R1.6] JUNOS Enterprise Software Suite [11.3R1.6] JUNOS Packet Forwarding Engine Support (QFX RE) [11.3R1.6] JUNOS Routing Software Suite [11.3R1.6] nodedevice1: Hostname: qfabric Model: QFX3500 JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6]

492



JUNOS JUNOS JUNOS JUNOS JUNOS

Crypto Software Suite [11.3R1.6] Online Documentation [11.3R1.6] Enterprise Software Suite [11.3R1.6] Packet Forwarding Engine Support (QFX RE) [11.3R1.6] Routing Software Suite [11.3R1.6]

interconnectdevice1: Hostname: qfabric Model: QFX3108 JUNOS Base OS boot [11.3R1.6] JUNOS Base OS Software Suite [11.3R1.6] JUNOS Kernel Software Suite [11.3R1.6] JUNOS Crypto Software Suite [11.3R1.6] JUNOS Online Documentation [11.3R1.6] JUNOS Enterprise Software Suite [11.3R1.6] JUNOS Packet Forwarding Engine Support (QFX RE) [11.3R1.6] JUNOS Routing Software Suite [11.3R1.6] warning: from interconnectdevice0: Disconnected


493

®


494


PART 6

Junos OS for EX Series Switches Configuration Management •

Configuration Management Overview on page 497

•

Managing Junos OS Configuration on page 527

•

Verifying Configuration on page 545

•

Configuration Statements for Configuration File Management on page 547

•

Operational Commands for Configuration File Management on page 557


495

®


496


CHAPTER 18

Configuration Management Overview •

Configuration Files—Overview on page 497

•

EX Series Switches Default Configuration on page 501

Configuration Files—Overview •

Understanding Configuration Files for EX Series Switches on page 497

•


•


•

Understanding Autoinstallation of Configuration Files on EX Series Switches on page 499

Understanding Configuration Files for EX Series Switches A configuration file stores the complete configuration of a switch. The current configuration of a switch is called the active configuration. You can alter this current configuration and you can also return to a previous configuration or to a rescue configuration. For more information, see “Configuration Files Terms” on page 498. Juniper Networks Junos operating system (Junos OS) saves the 50 most recently committed configuration files on the switch so that you can return to a previous configuration. The configuration files are named: •

juniper.conf.gz—The current active configuration.

•

juniper.conf.1.gz to juniper.conf.49.gz—Rollback configurations.

To make changes to the configuration file, you have to work in the configuration mode in the CLI or use the configuration tools in the J-Web interface. When making changes to a configuration file, you are viewing and changing the candidate configuration file. The candidate configuration allows you to make configuration changes without causing operational changes to the active configuration or causing potential damage to your current network operations. Once you commit the changes made to the candidate configuration, the system updates the active configuration. Related Documentation

•

Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 534

•

Uploading a Configuration File (CLI Procedure) on page 532

•

Uploading a Configuration File (J-Web Procedure) on page 533


497

®


•

Loading a Previous Configuration File (CLI Procedure) on page 537

•


•


Configuration Files Terms Table 71 on page 498 lists the various configuration file terms used for EX Series switches and their definitions.

Table 71: Configuration File Terms Term

Definition

active configuration

The current committed configuration of a switch.

candidate configuration

A working copy of the configuration that allows users to make configurational changes without causing any operational changes until this copy is committed.

configuration group

Group of configuration statements that can be inherited by the rest of the configuration.

commit a configuration

Have the candidate configuration checked for proper syntax, activated, and marked as the current configuration file running on the switching platform.

configuration hierarchy

The Junos OS configuration consists of a hierarchy of statements. There are two types of statements: container statements, which contain other statements, and leaf statements, which do not contain other statements. All the container and leaf statements together form the configuration hierarchy.

default configuration

The default configuration contains the initial values set for each configuration parameter when a switch is shipped.

rescue configuration

Well-known configuration that recovers a switch from a configuration that denies management access. You set a current committed configuration to be the rescue configuration through the J-Web interface or CLI.

roll back a configuration

Return to a previously committed configuration.


498

•

EX2200 Switch Default Configuration on page 502

•

EX3200 Default Configuration on page 506

•


•


•


•


•


•



Chapter 18: Configuration Management Overview

•


Understanding Automatic Refreshing of Scripts on EX Series Switches You can automatically refresh commit, event, and op scripts using operational mode commands on EX Series switches. The commands are: •

request system scripts refresh-from commit

•

request system scripts refresh-from event

•

request system scripts refresh-from op

The existing Junos operating system (Junos OS) command-line interface (CLI) refresh and refresh-from configuration mode statements have been extended to work with Junos XML management protocol and NETCONF XML management protocol sessions. Related Documentation

•


•


•


•


Understanding Autoinstallation of Configuration Files on EX Series Switches Autoinstallation is the automatic configuration of a device over the network from a pre-existing configuration file that you create and store on a configuration server—typically a Trivial File Transfer Protocol (TFTP) server. You can use autoinstallation to automatically configure new devices and to deploy multiple devices from a central location in the network. Autoinstallation takes place automatically when you connect an Ethernet port on a new switch to the network and power on the switch. You can also explicitly enable autoinstallation on Juniper Networks EX Series Ethernet Switches in your network to implement autoinstallation when they are powered on. To configure autointallation, you specify a configuration server, an autoinstallation interface, and a protocol for IP address acquisition. This topic describes: •

Typical Uses for Autoinstallation on page 499

•

Autoinstallation Configuration Files and IP Addresses on page 500

•

Typical Autoinstallation Process on a New Switch on page 500

Typical Uses for Autoinstallation •

To deploy and update multiple devices from a central location in the network.

•

To configure a new device—Autoinstallation takes place when you power on a device that has only the factory default configuration (boot) file.


499

®


•

To update a device—Autoinstallation takes place when a device that has been manually configured for autoinstallation is powered on.

Autoinstallation Configuration Files and IP Addresses For the autoinstallation process to work, you must store one or more host-specific or default configuration files on a configuration server in the network and have a service available—typically Dynamic Host Configuration Protocol (DHCP)—to assign an IP address to the switch. You can set up the following configuration files for autoinstallation on the switch: •

network.conf—Default configuration file for autoinstallation, in which you specify IP

addresses and associated hostnames for devices on the network. •

switch.conf—Default configuration file for autoinstallation with a minimum configuration

sufficient for you to telnet to the device and configure it manually. •

hostname.conf—Host-specific configuration file for autoinstallation on a device that

contains all the configuration information necessary for the switch. In the filename, hostname is replaced with the hostname assigned to the switch. If the server with the autoinstallation configuration file is not on the same LAN segment as the new device, or if a specific device is required by the network, you must configure an intermediate device directly attached to the new switch, through which the new switch can send TFTP, boot protocol (BOOTP), and Domain Name System (DNS) requests. In this case, you specify the IP address of the intermediate device as the location to receive TFTP requests for autoinstallation.

Typical Autoinstallation Process on a New Switch When an EX Series switch is powered on for the first time, it performs the following autoinstallation tasks: 1.

The new switch sends out DHCP or BOOTP requests on each connected interface simultaneously to obtain an IP address. If a DHCP server responds to these requests, it provides the switch with some or all of the following information: •

An IP address and subnet mask for the autoinstallation interface.

•

The location of the (typically) TFTP server, Hypertext Transfer Protocol (HTTP) server, or FTP server on which the configuration file is stored.

•

The name of the configuration file to be requested from the TFTP server.

•

The IP address or hostname of the TFTP server. If the DHCP server provides the server’s hostname, a DNS server must be available on the network to resolve the name to an IP address.

•

500

The IP address of an intermediate device if the configuration server is on a different LAN segment from the new switch.



2. After the new switch acquires an IP address, the autoinstallation process on the switch

attempts to download a configuration file in the following ways: a. If the DHCP server specifies the host-specific configuration file hostname.conf, the

switch uses that filename in the TFTP server request. The autoinstallation process on the new switch makes three unicast TFTP requests for hostname.conf. If these attempts fail, the switch broadcasts three requests to any available TFTP server for the file. b. If the new switch does not locate a hostname.conf file, the autoinstallation process

sends three unicast TFTP requests for a network.conf file that contains the switch’s hostname-to-IP-address mapping information. If these attempts fail, the switch broadcasts three requests to any available TFTP server for the file. c. If the switch fails to find a network.conf file that contains a hostname entry for the

switch, the autoinstallation process sends out a DNS request and attempts to resolve the new switch's IP address to a hostname. d. If the new switch determines its hostname, it sends a TFTP request for the

hostname.conf file. e. If the new switch is unable to map its IP address to a hostname, it sends TFTP

requests for the default configuration file switch.conf. The TFTP request procedure is the same as for the network.conf file. 3. After the new switch locates a configuration file on a TFTP server, the autoinstallation

process downloads the file, installs the file on the switch, and commits the configuration. Related Documentation

•

Configuring Autoinstallation of Configuration Files (CLI Procedure) on page 543

•


•


•


EX Series Switches Default Configuration •


•


•


•


•


•


•



501

®


EX2200 Switch Default Configuration Each EX Series switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file for an EX2200 switch configures Ethernet switching and storm control on all interfaces, configures Power over Ethernet (PoE) on all interfaces of models that provide PoE, and enables the LLDP, LLDP-MED, and RSTP protocols and IGMP snooping. When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration—because an EX2200 switch does not have an LCD panel, use the CLI commands to revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. The following factory default configuration file is for an EX2200 switch with 24 ports, all of which have PoE capability:

NOTE: The factory default configuration file is different for different EX2200 switch models. The number of interfaces in the default configuration file depends on the number of ports in the EX2200 switch. The poe stanza does not appear for models without PoE. Uplink ports for the EX2200 switches except the EX2200-C models will be listed as ge-0/1/0 to ge-0/1/3 and for the EX2200-C switches as ge-0/1/0 to ge-0/1/1.

system { syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 {

502



unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 { unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching; } } ge-0/0/7 { unit 0 { family ethernet-switching; } } ge-0/0/8 { unit 0 { family ethernet-switching; } } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 {


503

®


family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; } } ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 { family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; } } ge-0/0/18 { unit 0 { family ethernet-switching; } } ge-0/0/19 { unit 0 { family ethernet-switching; } } ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching;

504



} } ge-0/0/23 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { igmp-snooping { vlan all; } rstp; lldp { interface all; } lldp-med { interface all; } } ethernet-switching-options { storm-control { interface all; } }


•


•


•


•


•



505

®


EX3200 Default Configuration Each EX Series switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as syslog and commit; configures Power over Ethernet (PoE), storm control, and Ethernet switching on all interfaces; and enables the LLDP and RSTP protocols. When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. The following factory default configuration file is for an EX3200 switch with 24 ports (for models that have more ports, this default configuration file has more interfaces):

NOTE: In this example, ge-0/0/0 through ge-0/0/23 are the network interface ports. Optional uplink modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers (xe-0/1/0 and xe-0/1/1) or four 1-gigabit SFP transceivers (ge-0/1/0 through ge-0/1/3). Although you can install only one uplink module, the interfaces for both are shown below.

system { syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching;

506



} } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 { unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching; } } ge-0/0/7 { unit 0 { family ethernet-switching; } } ge-0/0/8 { unit 0 { family ethernet-switching; } } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; }


507

®


} ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 { family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; } } ge-0/0/18 { unit 0 { family ethernet-switching; } } ge-0/0/19 { unit 0 { family ethernet-switching; } } ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching; } } ge-0/0/23 { unit 0 { family ethernet-switching; } }

508



xe-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { igmp-snooping{ vlan all; } lldp { interface all; } lldp-med { interface all; } rstp; } ethernet-switching-options { storm-control { interface all; } } poe { interface all; }


•


•



509

®


•


•


•


EX3300 Switch Default Configuration Each EX Series switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The EX3300 switch default configuration: •

Sets Ethernet switching and storm control on all interfaces

•

Sets Power over Ethernet (PoE) on all network ports of models that provide PoE

•

Enables the following protocols: •

Internet Group Management Protocol (IGMP) snooping

•

Rapid Spanning Tree Protocol (RSTP)

•


•

Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED)

When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. The following factory default configuration file is for an EX3300 switch with 24 PoE+-capable ports. This file might differ from the default configuration file on your switch in the following ways: •

If your model has 48 ports, the file contains more interfaces, which correspond to the additional network ports.

•

If your model is not PoE+-capable, the file does not include the poe stanza.

NOTE: All models have four uplink ports as listed below (ge-0/1/0 to ge-0/1/3 and xe-0/1/0 to xe-0/1/3). Uplink ports labeled 2 and 3 are configured as Virtual Chassis ports by default. You can configure these ports as network ports.

system { syslog { user * { any emergency; } file messages { any notice;

510



authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 { unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching; } } ge-0/0/7 { unit 0 { family ethernet-switching; } } ge-0/0/8 { unit 0 {


511

®


family ethernet-switching; } } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; } } ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 { family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; } } ge-0/0/18 { unit 0 { family ethernet-switching; } } ge-0/0/19 { unit 0 { family ethernet-switching;

512



} } ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching; } } ge-0/0/23 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } } xe-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; }


513

®


} xe-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { igmp-snooping { vlan all; } rstp; lldp { interface all; } lldp-med { interface all; } } ethernet-switching-options { storm-control { interface all; } } poe { interface all; }


•


•


•


•


EX4200 Default Configuration Each EX Series switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as syslog and commit; configures Power over Ethernet (PoE), storm control, and Ethernet switching on all interfaces; and enables the LLDP and RSTP protocols. When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. The following factory default configuration file is for an EX4200 switch with 24 ports (for models that have more ports, this default configuration file has more interfaces):

514



NOTE: In this example, ge-0/0/0 through ge-0/0/23 are the network interface ports. Optional uplink modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers (xe-0/1/0 and xe-0/1/1) or four 1-gigabit SFP transceivers (ge-0/1/0 through ge-0/1/3). Although you can install only one uplink module, the interfaces for both are shown below.

system { syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 {


515

®


unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching; } } ge-0/0/7 { unit 0 { family ethernet-switching; } } ge-0/0/8 { unit 0 { family ethernet-switching; } } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; } } ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 {

516



family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; } } ge-0/0/18 { unit 0 { family ethernet-switching; } } ge-0/0/19 { unit 0 { family ethernet-switching; } } ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching; } } ge-0/0/23 { unit 0 { family ethernet-switching; } } xe-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching;


517

®


} } ge-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { igmp-snooping{ vlan all; } lldp { interface all; } lldp-med { interface all; } rstp; } ethernet-switching-options { storm-control { interface all; } } poe { interface all; }


•


•


•


•


•


EX4500 Default Configuration Each EX Series switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as syslog and commit, configures Ethernet switching on all interfaces, enables IGMP snooping, and enables the LLDP and RSTP protocols.

518



NOTE: Interfaces xe-0/0/0 through xe-0/0/39 are the network interface ports. Optional uplink modules provide four 10-gigabit small form-factor pluggable (SFP+) transceivers (xe-0/1/0 through xe-0/1/3) or four 1-gigabit small form-factor pluggable (SFP) transceivers (xe-0/2/0 through xe-0/2/3). Although you can install only one uplink module, the interfaces for both are shown below.

When you commit changes to the configuration, a new configuration file is created, which becomes the active configuration. You can always revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. This topic shows the factory default configuration file of an EX4500 switch: system { syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { xe-0/0/0 { unit 0 { family ethernet-switching; } } xe-0/0/1 { unit 0 { family ethernet-switching; } } xe-0/0/2 { unit 0 { family ethernet-switching; } } xe-0/0/3 { unit 0 {


519

®


family ethernet-switching; } } xe-0/0/4 { unit 0 { family ethernet-switching; } } xe-0/0/5 { unit 0 { family ethernet-switching; } } xe-0/0/6 { unit 0 { family ethernet-switching; } } xe-0/0/7 { unit 0 { family ethernet-switching; } } xe-0/0/8 { unit 0 { family ethernet-switching; } } xe-0/0/9 { unit 0 { family ethernet-switching; } } xe-0/0/10 { unit 0 { family ethernet-switching; } } xe-0/0/11 { unit 0 { family ethernet-switching; } } xe-0/0/12 { unit 0 { family ethernet-switching; } } xe-0/0/13 { unit 0 { family ethernet-switching; } } xe-0/0/14 { unit 0 { family ethernet-switching;

520



} } xe-0/0/15 { unit 0 { family ethernet-switching; } } xe-0/0/16 { unit 0 { family ethernet-switching; } } xe-0/0/17 { unit 0 { family ethernet-switching; } } xe-0/0/18 { unit 0 { family ethernet-switching; } } xe-0/0/19 { unit 0 { family ethernet-switching; } } xe-0/0/20 { unit 0 { family ethernet-switching; } } xe-0/0/21 { unit 0 { family ethernet-switching; } } xe-0/0/22 { unit 0 { family ethernet-switching; } } xe-0/0/23 { unit 0 { family ethernet-switching; } } xe-0/0/24 { unit 0 { family ethernet-switching; } } xe-0/0/25 { unit 0 { family ethernet-switching; }


521

®


} xe-0/0/26 { unit 0 { family ethernet-switching; } } xe-0/0/27 { unit 0 { family ethernet-switching; } } xe-0/0/28 { unit 0 { family ethernet-switching; } } xe-0/0/29 { unit 0 { family ethernet-switching; } } xe-0/0/30 { unit 0 { family ethernet-switching; } } xe-0/0/31 { unit 0 { family ethernet-switching; } } xe-0/0/32 { unit 0 { family ethernet-switching; } } xe-0/0/33 { unit 0 { family ethernet-switching; } } xe-0/0/34 { unit 0 { family ethernet-switching; } } xe-0/0/35 { unit 0 { family ethernet-switching; } } xe-0/0/36 { unit 0 { family ethernet-switching; } }

522



xe-0/0/37 { unit 0 { family ethernet-switching; } } xe-0/0/38 { unit 0 { family ethernet-switching; } } xe-0/0/39 { unit 0 { family ethernet-switching; } } xe-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } xe-0/1/2 { unit 0 { family ethernet-switching; } } xe-0/1/3 { unit 0 { family ethernet-switching; } } xe-0/2/0 { unit 0 { family ethernet-switching; } } xe-0/2/1 { unit 0 { family ethernet-switching; } } xe-0/2/2 { unit 0 { family ethernet-switching; } } xe-0/2/3 { unit 0 { family ethernet-switching; } } }


523

®


protocols { igmp-snooping { vlan all; } rstp; lldp { interface all; } lldp-med { interface all; } } ethernet-switching-options { storm-control { interface all; } }


•


•


•


•


•


EX6200 Switch Default Configuration Each EX6200 switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as the Address Resolution Protocol (ARP) aging timer, while also enabling the Link Layer Discovery Protocol (LLDP) protocol, the Rapid Spanning Tree Protocol (RSTP), Internet Group Management Protocol (IGMP) snooping, and storm control. When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. This topic shows the factory default configuration file of an EX6200 switch: protocols { lldp { interface all; } lldp-med { interface all; } igmp-snooping { vlan all; } rstp;

524



} ethernet-switching-options { storm-control { interface all; } } poe { interface all; } system { arp { aging-timer 5; } commit { factory-settings { reset-chassis-lcd-menu; } } }


•


•


•


•


EX8200 Switch Default Configuration Each EX8200 switch is programmed with a factory default configuration that contains the values set for each configuration parameter when a switch is shipped. The default configuration file sets values for system parameters such as the Address Resolution Protocol (ARP) aging timer, the system log, and file messages, while also enabling the Link Layer Discovery Protocol (LLDP) protocol, the Rapid Spanning Tree Protocol (RSTP), Internet Group Management Protocol (IGMP) snooping, and storm control. When you commit changes to the configuration, a new configuration file is created that becomes the active configuration. You can always revert to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. This topic shows the factory default configuration file of an EX8200 switch: system { arp { aging-timer 5; } syslog { user * { any emergency; } file messages { any notice; authorization info;


525

®


} file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; } } } protocols { igmp-snooping { vlan all; } rstp; lldp { interface all; } lldp-med { interface all; } } ethernet-switching-options { storm-control { interface all; } } poe { interface all; }


526

•


•


•


•


•


•



CHAPTER 19

Managing Junos OS Configuration •

Using the Configuration Tools in J-Web on page 527

•

Managing Junos OS Configuration on page 531

Using the Configuration Tools in J-Web •

Using the CLI Viewer in the J-Web Interface to View Configuration Text on page 527

•

Using the CLI Editor in the J-Web Interface to Edit Configuration Text on page 527

•

Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text on page 528

•

Using the Commit Options to Commit Configuration Changes (J-Web Procedure) on page 530

Using the CLI Viewer in the J-Web Interface to View Configuration Text To view the entire configuration file contents in text format, select Configure > CLI Tools > CLI Viewer. The main pane displays the configuration in text format. Each level in the hierarchy is indented to indicate each statement's relative position in the hierarchy. Each level is generally set off with braces, with an open brace ({) at the beginning of each hierarchy level and a closing brace (}) at the end. If the statement at a hierarchy level is empty, the braces are not displayed. Each leaf statement ends with a semicolon (;), as does the last statement in the hierarchy. This indented representation is used when the configuration is displayed or saved as an ASCII file. However, when you load an ASCII configuration file, the format of the file is not so strict. The braces and semicolons are required, but the indention and use of new lines are not required in ASCII configuration files. Related Documentation

•


Using the CLI Editor in the J-Web Interface to Edit Configuration Text Use the CLI Editor to edit configuration if you know the Junos OS CLI or prefer a command interface. To edit the entire configuration in text format:


527

®


CAUTION: We recommend that you use this method to edit and commit the configuration only if you have experience editing configurations through the CLI.

1.

Select Configure > CLI Tools > CLI Editor. The main pane displays the configuration in a text editor.

2. Navigate to the hierarchy level you want to edit.

You can edit the candidate configuration using standard text editor operations—insert lines (by using the Enter key), delete lines, and modify, copy, and paste text. 3. Click Commit to load and commit the configuration.

The switching platform checks the configuration for the correct syntax before committing it. Related Documentation

•


•


Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text To edit the configuration on a series of pages of clickable options that steps you through the hierarchy, select Configure > CLI Tools > Point&Click CLI. The side pane displays the top level of the configured hierarchy, and the main pane displays configured hierarchy options and the Icon Legend. To expand or hide the hierarchy of all the statements in the side pane, click Expand all or Hide all. To expand or hide an individual statement in the hierarchy, click the expand (+) or collapse (–) icon to the left of the statement.

TIP: Only those statements included in the committed configuration are displayed in the hierarchy.

The configuration information in the main pane consists of configuration options that correspond to configuration statements. Configuration options that contain subordinate statements are identified by the term Nested. To include, edit, or delete statements in the candidate configuration, click one of the links described in Table 72 on page 528. Then specify configuration information by typing in a field, selecting a value from a list, or clicking a check box (toggle).

Table 72: J-Web Edit Point & Click Configuration Links Link

Function

Add new entry

Displays fields and lists for a statement identifier, allowing you to add a new identifier to a statement.

528


Chapter 19: Managing Junos OS Configuration

Table 72: J-Web Edit Point & Click Configuration Links (continued) Link

Function

Configure

Displays information for a configuration option that has not been configured, allowing you to include a statement.

Delete

Deletes the corresponding statement or identifier from the configuration. All subordinate statements and identifiers contained within a deleted statement are also discarded.

Edit

Displays information for a configuration option that has already been configured, allowing you to edit a statement.

Identifier

Displays fields and lists for an existing statement identifier, allowing you to edit the identifier.

As you navigate through the configuration, the hierarchy level is displayed at the top of the main pane. You can click a statement or identifier in the hierarchy to display the corresponding configuration options in the main pane. The main pane includes icons that display information about statements and identifiers when you place your cursor over them. Table 73 on page 529 describes these icons.

Table 73: J-Web Edit Point & Click Configuration Icons Icon

Function

C

Displays a comment about a statement.

I

Indicates that a statement is inactive.

M

Indicates that a statement has been added or modified but has not been committed.

*

Indicates that the statement or identifier is required in the configuration.

?

Provides online help information.

After typing or selecting your configuration edits, click a button in the main pane (described in Table 74 on page 529) to apply your changes or cancel them, refresh the display, or discard parts of the candidate configuration. An updated configuration does not take effect until you commit it.

Table 74: J-Web Edit Point & Click Configuration Buttons Button

Function

Refresh

Updates the display with any changes to the configuration made by other users.

Commit

Verifies edits and applies them to the current configuration file running on the switch.

Discard

Removes edits applied to or deletes existing statements or identifiers from the candidate configuration.


529

®



•


•


Using the Commit Options to Commit Configuration Changes (J-Web Procedure) You can use the single-commit feature to commit all outstanding configuration changes in the J-Web interface on EX Series switches simultaneously. This helps in reducing the time J-Web takes for committing configurations because when changes are committed at every step, rollback configurations pile up. For example, suppose you want to delete a firewall filter and add a new one. With immediate commits, you would need to commit your changes twice for this action. Using single commit, you can decrease the number of commits to one, thus saving time for working on other configurations. When you edit a configuration, you work on a copy of the current configuration, which is your candidate configuration. The changes you make to the candidate configuration are visible through the user interface immediately, allowing other users to edit those configurations, but they do not take effect on the switch until you commit the changes. When you commit the configuration, the candidate file is checked for proper syntax, activated, and marked as the current, operational software configuration file. If multiple users are editing the configuration when you commit the candidate configuration, changes made by all users take effect. You can configure the commit options to either commit all configuration changes together or commit each configuration change immediately using the J-Web Commit Preference page.

NOTE: There are some pages on which configuration changes must be committed immediately. For such pages, if you configure the commit options for a single commit, the system displays warning notifications that remind you to commit your changes immediately. An example of such a page is the Interface Page (Configure > Interface).

To configure the commit options on an EX Series switch using the J-Web interface: 1.

Select Commit Options.

NOTE: All action links except Preference are disabled unless you edit, add, or delete a configuration.

2. Choose an action. See Table 75 on page 531 for details on the actions. 3. Configure the commit options by selecting Preference. See Table 76 on page 531 for

details on preference options.

530



Table 75: Commit Options Menu Item

Function

Your Action

Commit

Commits the candidate configuration of the current user session, along with changes from other user sessions.

1.

Select Commit Options > Commit. Changes are committed after the system validates your configuration. A window displays that the configuration was successfully committed or that the commit failed.

2. Click OK. Click Details to view the commit log. Compare

Displays the XML log of pending uncommitted configurations on the device.

1.

Select Commit Options > Compare. The XML log of pending configurations on the devices are displayed similar to the CLI interface, in a “human-readable” form.

2. Click Close. Discard

Preference

Discards the candidate configuration of your current session, along with changes from other user sessions.

1.

Indicates your choice of committing all global configurations together or committing each configuration change immediately.

1.

Select Commit Options > Discard.

2. Click OK to confirm the discard action. Your changes are discarded after the system validates your configuration. Select Commit Options > Preference. The Commit Preference page is displayed.

2. Configure the commit options by selecting your preference. See Table 76 on page 531 for details on preference options.

Table 76: Commit Preference Options Option

Function

Validate and commit configuration changes

Sets the system to validate and force an immediate commit on every screen after every configuration change.

Validate configuration changes

Loads all the configuration changes for an accumulated single commit. If there are errors in loading the configuration, the errors are logged. This is the default mode. Once you select this option, you need to select Commit Options > Commit to commit your changes.


•


•


Managing Junos OS Configuration •


•



531

®


•


•


•


•


•

Setting or Deleting the Rescue Configuration (CLI Procedure) on page 541

•

Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 542

•


Uploading a Configuration File (CLI Procedure) You can create a configuration file on your local system, copy the file to the EX Series switch and then load the file into the CLI. After you have loaded the configuration file, you can commit it to activate the configuration on the switch. You can also edit the configuration interactively using the CLI and commit it at a later time. To upload a configuration file from your local system: 1.

Create the configuration file using a text editor such as Notepad, making sure that the syntax of the configuration file is correct. For more information about testing the syntax of a configuration file see the Junos OS System Basics and Services Command Reference.

2. In the configuration text file, use an option to perform the required action when the

file is loaded. Table 77 on page 532 lists and describes some options for the load command.

Table 77: Options for the load command Options

Description

merge

Combines the current active configuration and the configuration in filename or the one that you type at the terminal. A merge operation is useful when you are adding a new section to an existing configuration. If the active configuration and the incoming configuration contain conflicting statements, the statements in the incoming configuration override those in the active configuration.

override

Discards the current candidate configuration and loads the configuration in filename or the one that you type at the terminal. When you use the override option and commit the configuration, all system processes reparse the configuration. You can use the override option at any level of the hierarchy.

replace

Searches for the replace tags, deletes the existing statements of the same name, if any, and replaces them with the incoming configuration. If there is no existing statement of the same name, the replace operation adds the statements marked with the replace tag to the active configuration. NOTE: For this operation to work, you must include replace tags in the text file or in the configuration you type at the terminal.

3. Press Ctrl+A to select all the text in the configuration file. 4. Press Ctrl+C to copy the contents of the configuration text file to the Clipboard.

532



5. Log in to the switch using your username and password. 6. To enter configuration mode:

user@switch> configure

You will see this output, with the hash or pound mark indicating configuration mode. Entering configuration mode [edit] user@switch# 7. Load the configuration file:

[edit] user@switch# load merge terminal 8. At the cursor, paste the contents of the Clipboard using the mouse and the Paste icon:

[edit] user@switch# load merge terminal [Type ^D at a new line to end input] >Cursor is here. Paste the contents of the clipboard here< 9. Press Enter. 10. Press Ctrl+D to set the end-of-file marker.

To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt.You can also edit the configuration interactively using the CLI and commit it at a later time. Related Documentation

•


•


Uploading a Configuration File (J-Web Procedure) You can create a configuration file on your local system, copy the file to the EX Series switch and then load the file into the CLI. After you have loaded the configuration file, you can commit it to activate the configuration on the switch. You can also edit the configuration interactively using the CLI and commit it at a later time. To upload a configuration file from your local system: 1.

Select Maintain > Config Management > Upload. The main pane displays the File to Upload box.

2. Specify the name of the file to upload using one of the following methods: •

Type the absolute path and filename in the File to Upload box.

•

Click Browse to navigate to the file.

3. Click Upload and Commit to upload and commit the configuration.


533

®


The switch checks the configuration for the correct syntax before committing it. Related Documentation

•


•


•


Managing Configuration Files Through the Configuration History (J-Web Procedure) Use the Configuration History function to manage configuration files. 1.

Displaying Configuration History on page 534

2. Displaying Users Editing the Configuration on page 535 3. Comparing Configuration Files with the J-Web Interface on page 535 4. Downloading a Configuration File with the J-Web Interface on page 536 5. Loading a Previous Configuration File with the J-Web Interface on page 536

Displaying Configuration History To manage configuration files with the J-Web interface, select Maintain > Config Management > History. The main pane displays History — Database Information page. Table 78 on page 534 summarizes the contents of the display. The configuration history display allows you to: •

View a configuration.

•

Compare two configurations.

•

Download a configuration file to your local system.

•

Roll back the configuration to any of the previous versions stored on the switch.

Table 78: J-Web Configuration History Summary Field

Description

Number

Version of the configuration file.

Date/Time

Date and time the configuration was committed.

User

Name of the user who committed the configuration.

Client

Method by which the configuration was committed: •

cli—A user entered a Junos OS CLI command.

•

junoscript—A Junos XML protocol client performed the operation. Commit operations performed by users

through the J-Web interface are identified in this way.

534

•

snmp—An SNMP set request started the operation.

•

other—Another method was used to commit the configuration.



Table 78: J-Web Configuration History Summary (continued) Field

Description

Comment

Comment.

Log Message

Method used to edit the configuration:

Action

•

Imported via paste— Configuration was edited and loaded with the Configure > CLI Tools > Edit Configuration Text option.

•

Imported upload [filename]—Configuration was uploaded with the Configure > CLI Tools > Point Click Editor option.

•

Modified via J–Web Configure — Configuration was modified with the J-Web Configure menu.

•

Rolled back via user-interface— Configuration was rolled back to a previous version through the user interface specified by user-interface, which can be Web Interface or CLI.

Action to perform with the configuration file. The action can be Download or Rollback.

Displaying Users Editing the Configuration To display a list of users editing the switching platform configuration, select Config Management > History. The list is displayed as Database Information in the main pane. Table 79 on page 535 summarizes the Database Information display.

Table 79: J-Web Configuration Database Information Summary Field

Description

User Name

Name of user editing the configuration.

Start Time

Time of day the user logged in to the switch.

Idle Time

Elapsed time since the user issued a configuration command from the CLI.

Terminal

Terminal on which the user is logged in.

PID

Process identifier assigned to the user by the switching platform.

Edit Flags

Designates a private or exclusive edit.

Edit Path

Level of the configuration hierarchy that the user is editing.

Comparing Configuration Files with the J-Web Interface To compare any two of the past 50 committed configuration files: 1.

Select Config Management > History. A list of the current and the previous 49 configurations is displayed as Configuration History in the main pane.

2. Select the check boxes to the left of the two configuration versions you want to

compare. 3. Click Compare.


535

®


The main pane displays the differences between the two configuration files at each hierarchy level as follows: •

Lines that have changed are highlighted side by side in green.

•

Lines that exist only in the more recent configuration file are displayed in red on the left.

•

Lines that exist only in the older configuration file are displayed in blue on the right.

Downloading a Configuration File with the J-Web Interface To download a configuration file from the switch to your local system: 1.

Select Config Management > History. A list of current and previous 49 configurations is displayed as Configuration History in the main pane.

2. In the Action column, click Download for the version of the configuration you want to

download. 3. Select the options your Web browser provides that allow you to save the configuration

file to a target directory on your local system. The file is saved as an ASCII file.

Loading a Previous Configuration File with the J-Web Interface To load (roll back) and commit a previous configuration file stored on the switching platform: 1.

Select Config Management > History. A list of current and previous 49 configurations is displayed as Configuration History in the main pane.

2. In the Action column, click Rollback for the version of the configuration you want to

load. The main pane displays the results of the rollback operation.

NOTE: When you click Rollback, the switch loads and commits the selected configuration. This behavior is different from the switch's behavior that occurs after you enter the rollback configuration mode command from the CLI. In the latter case, the configuration is loaded but not committed.


536

•


•


•




Loading a Previous Configuration File (CLI Procedure) You can return to a previously committed configuration file if you need to revert to a previous configuration. The EX Series switch saves the last 50 committed configurations, including the rollback number, date, time, and name of the user who issued the commit configuration command. Syntax rollback

Options •

none— Return to the most recently saved configuration.

•

number—Configuration to return to. •

Range: 0 through 49. The most recently saved configuration is number 0, and the oldest saved configuration is number 49.

•

Default: 0

To return to a configuration prior to the most recently committed one: 1.

Specify the rollback number (here, 1 is entered and the configuration returns to the previously committed configuation): [edit] user@switch# rollback 1 load complete

2. Activate the configuration you have loaded:

[edit] user@switch# commit


•


•


•

For more information on rollback, see Junos OS CLI User Guide .

Reverting to the Default Factory Configuration for the EX Series Switch If for any reason the current active configuration fails, you can revert to the default factory configuration. You can also roll back to a previous configuration, as described in “Loading a Previous Configuration File (CLI Procedure)” on page 537, or revert to the rescue configuration, as described in “Reverting to the Rescue Configuration for the EX Series Switch” on page 540. The default factory configuration contains the basic configuration settings. This is the first configuration of the switch and it is loaded when the switch is first installed and powered on.


537

®


You can revert to the default factory configuration by using the Menu button to the right of the LCD on the front panel of the switch or by using the request system zeroize operational command or the load factory-default configuration command. (If your switch model does not have an LCD panel, use the commands.)

TIP: If you have lost the root password, it is not necessary to revert to the factory default configuration to reset it. See “Troubleshooting Loss of the Root Password” on page 605.

•

Reverting to the Default Factory Configuration by Using the LCD Panel on page 538

•

Reverting to the Default Factory Configuration by Using the request system zeroize Command on page 539

•

Reverting to the Default Factory Configuration by Using the load factory-default Command on page 539

Reverting to the Default Factory Configuration by Using the LCD Panel To set the switch to the default factory configuration, use the LCD panel and buttons on the front panel of the switch as shown in Figure 17 on page 538. If the switch model does not have an LCD panel, use one of the CLI commands described in the following sections. Use the LCD panel to revert to the default factory configuration if you want to run EZsetup. When you use the CLI to revert to the default factory configuration, the configuration for the root password is retained and you cannot run EZSetup.

Figure 17: EX Series Switch LCD Panel

NOTE: If you want to convert an EX3300, EX4200, or EX4500 switch from a member of a multimember Virtual Chassis configuration to a standalone switch, first disconnect the cables connected to the Virtual Chassis ports (VCPs). See Disconnecting a Fiber-Optic Cable from an EX Series Switch, Disconnecting a Virtual Chassis Cable from an EX4200 Switch, or Disconnecting a Virtual Chassis Cable from an EX4500 Switch. The Menu button procedure deletes all modified configuration parameters, including Virtual Chassis parameters such as member ID, mastership priority, and setting of VCP uplinks.

To revert to the default factory configuration by using the LCD panel: 1.

Press the Menu button until you see MAINTENANCE MENU on the panel.

2. Press the Enter button.

538



3. Press Menu until you see FACTORY DEFAULT. 4. Press Enter. The display says RESTORE DEFAULT? 5. Press Enter. The screen flashes FACTORY DEFAULT IN PROGRESS and returns to the

idle menu.

Reverting to the Default Factory Configuration by Using the request system zeroize Command The request system zeroize command is a standard Junos OS operational mode command. Issuing this command removes all configuration information and resets all key values. The operation unlinks all user-created data files, including customized configuration and log files, from their directories. The switch then reboots and reverts to the default factory configuration. To completely erase user-created data so that it is unrecoverable, use the request system zeroize media command.

CAUTION: Before issuing request system zeroize, use the request system snapshot command to back up the files currently used to run the switch to a secondary device.

To revert to the default factory configuration by using the request system zeroize command: 1.

user@switch> request system zeroize warning: System will be rebooted and may not boot without configuration Erase all data, including configuration and log files? [yes,no] (yes)

2. Type yes to remove configuration and log files and revert to the factory default

configuration.

NOTE: After running the request system zeroize command, you cannot access the switch through the management Ethernet interface. Instead, log in through the console as root and start the Junos OS CLI by typing cli at the prompt.

Reverting to the Default Factory Configuration by Using the load factory-default Command The load factory-default command is a standard Junos OS configuration command. Issuing this configuration command replaces the current active configuration with the default factory configuration. Use the LCD panel to revert to the default factory configuration if you want to run EZSetup. When you use the CLI to revert to the default factory configuration, the configuration for the root password is retained and you cannot run EZSetup.


539

®


NOTE: The load factory-default command by itself is not supported on EX3300, EX4200, and EX4500 switches configured in a Virtual Chassis with multiple members.

To revert to the default factory configuration by using the load factory-default command: 1.

[edit] user@switch# load factory-default

2. [edit]

user@switch# delete system commit factory-settings 3. [edit]

user@switch# set system root-authentication plain-text-password 4. [edit]

user@switch# commit 5. Check the member ID and mastership priority with the show virtual-chassis status

command and check to see whether there are remaining settings for uplink VCPs by using the show virtual-chassis vc-port command. Related Documentation

•


•


•


•


•


•


•


•


•

For more information about the load factory-default command, see Junos OS CLI User Guide.

Reverting to the Rescue Configuration for the EX Series Switch If someone inadvertently commits a configuration that denies management access to an EX Series switch and the console port is not accessible, you can overwrite the invalid configuration and replace it with the rescue configuration by using the LCD panel on the switch. The rescue configuration is a previously committed, valid configuration. You can also revert to the default factory configuration, as described in “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. Before you begin to revert to the rescue configuration: •

540

Ensure that you have physical access to the switch.



•

A rescue configuration for the switch must have been previously set.

To revert the switch to the rescue configuration: 1.

At the LCD panel on the switch, press Menu until you see MAINTENANCE MENU.

2. Press Enter. 3. Press Menu until you see Load Rescue. 4. Press Enter. 5. When Commit Rescue is displayed, press Enter.

The LCD panel displays the message Commit Rescue in Progress. When the reversion is complete, it displays the idle menu.

NOTE: If there is no rescue configuration saved on the switch, the message Commit rescue failed is displayed.


•


•


•


•


•


•


•


Setting or Deleting the Rescue Configuration (CLI Procedure) A rescue configuration is a well-known configuration that recovers a switch from a configuration that denies management access. You set a current committed configuration to be the rescue configuration through the J-Web interface or CLI. If someone inadvertently commits a configuration that denies management access to an EX Series switch and the console port is not accessible, you can overwrite the invalid configuration and replace it with the rescue configuration by using the LCD panel on the switch. The rescue configuration is a previously committed, valid configuration. We recommend that the rescue configuration include the IP address (accessible from the network) for the management port. To set the current active configuration as the rescue configuration: user@switch> request system configuration rescue save

To delete an existing rescue configuration: user@switch> request system configuration rescue delete


541

®



•


•


•


•


•

For information on show system configuration rescue, see Junos OS System Basics and Services Command Reference .

Setting or Deleting the Rescue Configuration (J-Web Procedure) A rescue configuration is a well-known configuration that recovers a switch from a configuration that denies management access. You set a current committed configuration to be the rescue configuration through the J-Web interface or CLI. If someone inadvertently commits a configuration that denies management access to an EX Series switch and the console port is not accessible, you can overwrite the invalid configuration and replace it with the rescue configuration by using the LCD panel on the switch. The rescue configuration is a previously committed, valid configuration. We recommend that the rescue configuration include the IP address (accessible from the network) for the management port. To view, set, or delete the rescue configuration using the J-Web interface, select Maintain > Config Management > Rescue. On the Rescue page, you can perform the following tasks:


542

•

View the current rescue configuration—Click View rescue configuration.

•

Set the current running configuration as the rescue configuration—Click Set rescue configuration.

•

Delete the current rescue configuration—Click Delete rescue configuration.

•


•


•




Configuring Autoinstallation of Configuration Files (CLI Procedure) Autoinstallation is the automatic configuration of a device over the network from a pre-existing configuration file that you create and store on a configuration server—typically a Trivial File Transfer Protocol (TFTP) server. You can use autoinstallation to automatically configure new devices and to deploy multiple devices from a central location in the network. No configuration is required on a new switch (a switch that has the factory default configuration file), because it is an automated process. However, to specify autoinstallation to run when you power on a switch already installed in your network, you can enable it by specifying one or more interfaces, protocols, and configuration servers to be used for autoinstallation. Before you explicitly enable and configure autoinstallation on the switch, perform these tasks as needed for your network’s configuration: •

Have a service available—typically Dynamic Host Configuration Protocol (DHCP)—to assign an IP address to the switch

•

Configure a DHCP server on your network to meet your network requirements. You can configure an EX Series switch to operate as a DHCP server. For more information, see “Configuring DHCP Services (J-Web Procedure)” on page 665.

•

Create one of the following configuration files, and store it on a TFTP server (or HTTP server or FTP server) in the network: •

A host-specific file with the name hostname.conf for each switch undergoing autoinstallation. Replace hostname with the name of a switch. The hostname.conf file typically contains all the configuration information necessary for the switch with this hostname.

•

A default configuration file named switch.conf with the minimum configuration necessary to enable you to telnet into the new switch for further configuration.

•

Physically attach the switch to the network using a Gigabit Ethernet port.

•

If you configure the DHCP server to provide only the TFTP server hostname, add an IP address-to-hostname mapping entry for the TFTP server to the DNS database file on the Domain Name System (DNS) server in the network.

•

If the new switch is not on the same network segment as the DHCP server (or other device providing IP address resolution), configure an existing device as an intermediate device to receive TFTP and DNS requests and forward them to the TFTP server and the DNS server. You must configure the LAN or serial interface on the intermediate device with the IP addresses of the hosts providing TFTP and DNS services. Connect this interface to the new switch.

•

If you are using hostname.conf files for autoinstallation, you must also complete the following tasks: •

Configure the DHCP server to provide a hostname.conf filename to each new switch. Each switch uses its hostname.conf filename to request a configuration file from the TFTP server. Copy the necessary hostname.conf configuration files to the TFTP server.


543

®


•

Create a default configuration file named network.conf, and copy it to the TFTP server. This file contains IP-address-to-hostname mapping entries. If the DHCP server does not send a hostname.conf filename to a new switch, the switch uses network.conf to resolve its hostname based on its IP address. Alternatively, you can add the IP-address-to-hostname mapping entry for the new switch to a DNS database file. The switch uses the hostname to request a hostname.conf file from the TFTP server.

To configure autoinstallation: 1.

Specify the URL address of one or more servers from which to obtain configuration files. [edit system] user@switch# set autoinstallation configuration-servers tftp://tftpconfig.sp.com

NOTE: You can also use an FTP address, for example, ftp://user:[email protected].

2. Configure one or more Ethernet interfaces to perform autoinstallation and one or two

procurement protocols for each interface. The switch uses the protocols to send a request for an IP address for the interface: [edit system] user@switch# set autoinstallation interfaces ge-0/0/0 bootp


544

•

Verifying Autoinstallation Status on an EX Series Switch on page 545

•


•



CHAPTER 20

Verifying Configuration •

Verifying Autoinstallation Status on an EX Series Switch on page 545

Verifying Autoinstallation Status on an EX Series Switch Purpose Action

Display the status of the autoinstallation feature on an EX Series switch. From the CLI, enter the show system autoinstallation status command.

Sample Output user@switch> show system autoinstallation status Autoinstallation status: Master state: Active Last committed file: None Configuration server of last committed file: 10.25.100.1 Interface: Name: ge-0/0/0 State: Configuration Acquisition Acquired: Address: 192.168.124.75 Hostname: host-ge-000 Hostname source: DNS Configuration filename: switch-ge-000.conf Configuration filename server: 10.25.100.3 Address acquisition: Protocol: DHCP Client Acquired address: None Protocol: RARP Client Acquired address: None Interface: Name: ge-0/0/1 State: None Address acquisition: Protocol: DHCP Client Acquired address: None Protocol: RARP Client Acquired address: None

Meaning


The output shows the settings configured for autoinstallation. Verify that the values displayed are correct for the switch when it is deployed on the network.

•



545

®


546


CHAPTER 21

Configuration Statements for Configuration File Management


547

®


archival Syntax


Description

Options

archival { configuration { archive-sites { file:///; ftp://username@host:url-path password password; http://username@host:url-path password password; pasvftp://username@host:url-path password password; scp://username@host:url-path password password; } transfer-interval interval; transfer-on-commit; } } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure copying of the currently active configuration to an archive site. An archive site can be a file, or an FTP or scp location. The remaining statements are explained separately.

NOTE: The [edit system archival] hierarchy is not available on QFabric switches.


548


Using Junos OS to Configure a Router or Switch to Transfer Its Configuration to an Archive Site


Chapter 21: Configuration Statements for Configuration File Management

archive-sites (Configuration File) Syntax


Description

archive-sites { file:///; ftp://username@host:url-path password password; http://username@host:url-path password password; pasvftp://username@host:url-path password password; scp://username@host:url-path password password; } [edit system archival configuration]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify where to transfer the current configuration files. When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example, "scp://username@[ipv6-host-address]/url-path"

If you specify more than one archive site, the router or switch attempts to transfer the configuration files to the first archive site in the list, moving to the next only if the transfer fails. The format for the destination filename is router-name_juniper.conf[.gz]_YYYYMMDD_HHMMSS.

NOTE: The time included in the destination filename is always in Coordinated Universal Time (UTC) regardless of whether the time on the router or switch is configured as UTC or the local time zone. The default time zone on the router or switch is UTC.


Options

The prefix used in the configuration statement determines the form of transfer: file:// —transfer on a path to a named file ftp:// —transfer using active FTP server pasvftp:// —transfer to a device that only accepts passive FTP services scp:// —transfer to a known host using background SCP file transfers


549

®





•

configuration on page 552

•

transfer-on-commit on page 556

autoinstallation Syntax


Description


550

autoinstallation { configuration-servers { url; } interfaces { interface-name { bootp; rarp; } } } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.1 for EX Series switches. For J Series Services Routers and EX Series switches only. Download a configuration file automatically from an FTP, Hypertext Transfer Protocol (HTTP), or Trivial FTP (TFTP) server. When you power on a router or switch configured for autoinstallation, it requests an IP address from a Dynamic Host Configuration Protocol (DHCP) server. Once the router or switch has an address, it sends a request to a configuration server and downloads and installs a configuration. The remaining statements are explained separately. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•

J Series Services Router Basic LAN and WAN Access Configuration Guide

•

configuration-servers on page 553

•

idle-timeout on page 619



commit synchronize Syntax Hierarchy Level Release Information

Description

commit synchronize; [edit system]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For devices with multiple Routing Engines only. Configure a commit command to automatically result in a commit synchronize command. The Routing Engine on which you execute the commit command (the requesting Routing Engine) copies and loads its candidate configuration to the other (the responding) Routing Engines. All Routing Engines then perform a syntax check on the candidate configuration file being committed. If no errors are found, the configuration is activated and becomes the current operational configuration on all Routing Engines. Starting with Junos OS Release 9.3, accounting of events and operations on a backup Routing Engine is not supported on accounting servers such as TACACS+ or RADIUS. Logging of accounting events is supported only for events and operations on a master Routing Engine.



Configuring Multiple Routing Engines to Synchronize Committed Configurations Automatically


551

®


configuration Syntax


Description

configuration { transfer-interval interval; transfer-on-commit; archive-sites { file:///; ftp://username@host:url-path password password; http://username@host:url-path password password; pasvftp://username@host:url-path password password; scp://username@host:url-path password password; } } [edit system archival]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the router or switch to periodically transfer its currently active configuration (or after each commit).



552

The remaining statements are explained separately. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•

archive

•

archive-sites on page 549

•

transfer-interval on page 555

•




configuration-servers Syntax


Description

configuration-servers { url; } [edit system autoinstallation]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only, configure the URL address of a server from which to obtain configuration files. Examples of URLs: tftp://hostname/path/filename ftp://username:[email protected]/filename /




•

Getting Started Guide for your router model

•

autoinstallation on page 550

•

idle-timeout on page 619


553

®


interfaces Syntax


Description

Options

interfaces { interface-name { bootp; rarp; slarp; } } [edit system autoinstallation]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Configure the interface on which to perform autoinstallation. A request for an IP address is sent from the interface. Specify the IP address procurement protocol. bootp—Send requests over serial interfaces with Frame Relay. rarp—Send requests over Ethernet interfaces. slarp—(On J Series Services Routers only) Send requests over serial interfaces with HDLC.


554



•

J Series Services Router Basic LAN and WAN Access Configuration Guide

•

autoinstallation on page 550



transfer-interval (Configuration) Syntax Hierarchy Level Release Information

Description

transfer-interval interval; [edit system archival configuration]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the router or switch to periodically transfer its currently active configuration to an archive site.

NOTE: The edit system archival hierarchy is not available on QFabric switches.

Options

interval—Interval at which to transfer the current configuration to an archive site.

Range: 15 through 2880 minutes





•

archive

•


•



555

®


transfer-on-commit Syntax Hierarchy Level Release Information

Description

transfer-on-commit; [edit system archival configuration]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the router or switch to transfer its currently active configuration to an archive site each time you commit a candidate configuration.

NOTE: When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (“ ”) and enclose the IPv6 host address in brackets ([ ]). For example, “ftp://username@[ipv6-host-address]/url-path” .



556



•

archive

•


•

transfer-interval on page 555


CHAPTER 22

Operational Commands for Configuration File Management


557

®


clear log Syntax

Release Information

Description Options

clear log filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Remove contents of a log file. filename—Name of the specific log file to delete. all—(Optional) Delete the specified log file and all archived versions of it.


clear

•

show log on page 1186

clear log on page 558 See file list for an explanation of output fields.

Sample Output clear log

The following sample commands list log file information, clear the contents of a log file, and then display the updated log file information: user@host> file list lcc0-re0:/var/log/sampled detail lcc0-re0: --------------------------------------------------------------------------rw-r----- 1 root wheel 26450 Jun 23 18:47 /var/log/sampled total 1 user@host> clear log lcc0-re0:sampled lcc0-re0: -------------------------------------------------------------------------user@host> file list lcc0-re0:/var/log/sampled detail lcc0-re0: --------------------------------------------------------------------------rw-r----- 1 root wheel 57 Sep 15 03:44 /var/log/sampled total 1

558


Chapter 22: Operational Commands for Configuration File Management

clear system commit Syntax Release Information

Description Options Required Privilege Level Related Documentation List of Sample Output

Output Fields

clear system commit

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Clear any pending commit operation. This command has no options. maintenance (or the actual user who scheduled the commit)

•

show system commit on page 582

clear system commit on page 559 clear system commit (None Pending) on page 559 clear system commit (User Does Not Have Required Privilege Level) on page 559 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear system commit

user@host> clear system commit Pending commit cleared.

clear system commit (None Pending)

user@host> clear system commit No commit scheduled.

clear system commit (User Does Not Have Required Privilege Level)

user@host> clear system commit error: Permission denied


559

®


file archive Syntax

Release Information

Description

Options

file archive destination destination source source

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Archive, and optionally compress, one or multiple local system files as a single file, locally or at a remote location. destination destination—Destination of the archived file or files. Specify the destination

as a URL or filename. The Junos OS adds one of the following suffixes if the destination filename does not already have it: •

For archived files—The suffix .tar

•

For archived and compressed files—The suffix .tgz

source source—Source of the original file or files. Specify the source as a URL or filename. compress—(Optional) Compress the archived file with the GNU zip (gzip) compression

utility. The compressed files have the suffix .tgz. Required Privilege Level List of Sample Output

Output Fields

maintenance

file archive (Multiple Files) on page 560 file archive (Single File) on page 560 file archive (with Compression) on page 560 When you enter this command, you are provided feedback on the status of your request.

Sample Output file archive (Multiple Files)

The following sample command archives all message files in the local directory /var/log/messages as the single file messages-archive.tar. user@host> file archive source /var/log/messages* destination /var/log/messages-archive.tar /usr/bin/tar: Removing leading / from absolute path names in the archive. user@host>

file archive (Single File)

The following sample command archives one message file in the local directory /var/log/messages as the single file messages-archive.tar. user@host> file archive source /var/log/messages destination /var/log/messages-archive.tar /usr/bin/tar: Removing leading / from absolute path names in the archive. user@host

file archive (with Compression)

560

The following sample command archives and compresses all message files in the local directory /var/log/messages as the single file messages-archive.tgz.



user@host> file archive compress source /var/log/messages* destination /var/log/messages-archive.tgz /usr/bin/tar: Removing leading / from absolute path names in the archive.


561

®


file checksum md5 Syntax Release Information

Description Options

file checksum md5 filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Calculate the Message Digest 5 (MD5) checksum of a file. pathname—(Optional) Path to a filename. filename—Name of a local file for which to calculate the MD5 checksum.



maintenance

•

Configuring Checksum Hashes for a Commit Script in the Junos OS Configuration and Operations Automation Guide

•

Configuring Checksum Hashes for an Event Script in the Junos OS Configuration and Operations Automation Guide

•

Configuring Checksum Hashes for an Op Script in the Junos OS Configuration and Operations Automation Guide

•

Executing an Op Script from a Remote Site in the Junos OS Configuration and Operations Automation Guide

•

file checksum sha-256 on page 564

•

file checksum sha1 on page 563

•

op on page 317

file checksum md5 on page 562 When you enter this command, you are provided feedback on the status of your request.

Sample Output file checksum md5

562

user@host> file checksum md5 jbundle-5.3R2.4-export-signed.tgz MD5 (jbundle-5.3R2.4-export-signed.tgz) = 2a3b69e43f9bd4893729cc16f505a0f5



file checksum sha1 Syntax Release Information

Description Options

file checksum sha1 filename

Command introduced in Junos OS Release 9.5. Command introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Calculate the Secure Hash Algorithm (SHA-1) checksum of a file. pathname—(Optional) Path to a filename. filename—Name of a local file for which to calculate the SHA-1 checksum.



maintenance

•


•


•


•


•

file checksum md5 on page 562

•


•

op on page 317

file checksum sha1 on page 563 When you enter this command, you are provided feedback on the status of your request.

Sample Output file checksum sha1

user@host> file checksum sha1 /var/db/scripts/opscript.slax SHA1 (/var/db/scripts/commitscript.slax) = ba9e47120c7ce55cff29afd73eacd370e162c676


563

®


file checksum sha-256 Syntax Release Information

Description Options

file checksum sha-256 filename

Command introduced in Junos OS Release 9.5. Command introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Calculate the Secure Hash Algorithm 2 family (SHA-256) checksum of a file. pathname—(Optional) Path to a filename. filename—Name of a local file for which to calculate the SHA-256 checksum.



maintenance

•


•


•


•


•


•


•

op on page 317

file checksum sha-256 on page 564 When you enter this command, you are provided feedback on the status of your request.

Sample Output file checksum sha-256

user@host> file checksum sha-256 /var/db/scripts/commitscript.slax SHA256 (/var/db/scripts/commitscript.slax) = 94c2b061fb55399e15babd2529453815601a602b5c98e5c12ed929c9d343dd71

564



file compare Syntax

Release Information

Description

file compare (files filename filename)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Compare two local files and describe the differences between them in default, context, or unified output styles: •

Default—In the first line of output, c means lines were changed between the two files, d means lines were deleted between the two files, and a means lines were added

between the two files. The numbers preceding this alphabetical marker represent the first file, and the lines after the alphabetical marker represent the second file. A left angle bracket () in front of output lines refers to the second file. •

Context—The display is divided into two parts. The first part is the first file; the second

part is the second file. Output lines preceded by an exclamation point (!) have changed. Additions are marked with a plus sign (+), and deletions are marked with a minus sign (-). •

Unified—The display is preceded by the line number from the first and the second file

(xx,xxx,x). Before the line number, additions to the file are marked with a plus sign (+), and deletions to the file are marked with a minus sign (-). The body of the output contains the affected lines. Changes are viewed as additions plus deletions. Options

files filename—Names of two local files to compare. context—(Optional) Display output in context format. ignore-white-space—(Optional) Ignore changes in the amount of white space. unified—(Optional) Display output in unified format.


Output Fields

none

file compare files on page 566 file compare files context on page 566 file compare files unified on page 566 file compare files unified ignore-white-space on page 566 When you enter this command, you are provided feedback on the status of your request.


565

®


Sample Output file compare files

user@host> file compare files /tmp/one /tmp/two 100c100 < full-name "File 1"; --> full-name "File 2"; 102c102 < class foo; # 'foo' is not defined --> class super-user;

file compare files context

user@host> file compare files /tmp/one /tmp/two context *** /tmp/one Wed Dec 3 17:12:50 2003 --- /tmp/two Wed Dec 3 09:13:14 2003 *************** *** 97,104 **** } } user bill { ! full-name "Bill Smith"; ! class foo; # 'foo' is not defined authentication { encrypted-password SECRET; } --- 97,105 ---} } user bill { ! full-name "Bill Smith"; ! uid 1089; ! class super-user; authentication { encrypted-password SECRET; }

file compare files unified

user@host> file compare files /tmp/one /tmp/two unified --- /tmp/one Wed Dec 3 17:12:50 2003 +++ /tmp/two Wed Dec 3 09:13:14 2003 @@ -97,8 +97,9 @@ } } user bill { full-name "Bill Smith"; class foo; # 'foo' is not defined + full-name "Bill Smith"; + uid 1089; + class super-user; authentication { encrypted-passwordSECRET; }

file compare files unified ignore-white-space

566

user@host> file compare files /tmp/one /tmp/two unified ignore-white-space --- /tmp/one Wed Dec 3 09:13:10 2003 +++ /tmp/two Wed Dec 3 09:13:14 2003 @@ -99,7 +99,7 @@ user bill { full-name "Bill Smith"; uid 1089;



+


class foo; # 'foo' is not defined class super-user; authentication { encrypted-password ; # SECRET-DATA }

567

®


file copy Syntax

Release Information

Description

Options

file copy source destination

Command introduced before Junos OS Release 7.4. source-address option added in Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for QFX Series switches. Copy files from one place to another on the local router or switch or between the local router or switch and a remote system. source—Source of the original file. Specify this as a URL or filename. destination—Destination of the copied file. Specify this as a URL or filename. If you are

copying a file to the current directory (your home directory on the local router or switch) and are not renaming the file, specify the destination with a period (.). source-address address—(Optional) Source IP host address. This option is useful for

specifying the source address of a secure copy (scp) file transfer. Required Privilege Level List of Sample Output

Output Fields

maintenance

file copy (A File from the Router or Switch to a PC) on page 568 file copy (A Configuration File Between Routing Engines) on page 568 file copy (A Log File Between Routing Engines) on page 568 file copy (A File from the TX Matrix Plus Router to a T1600 Router Connected to the TX Matrix Plus Router) on page 568 When you enter this command, you are provided feedback on the status of your request.

Sample Output file copy (A File from the Router or Switch to a PC) file copy (A Configuration File Between Routing Engines) file copy (A Log File Between Routing Engines) file copy (A File from the TX Matrix Plus Router to a T1600

568

user@host> file copy /var/tmp/rpd.core.4 berry:/c/junipero/tmp ...transferring.file...... |

0 KB |

0.3 kB/s | ETA: 00:00:00 | 100%

The following sample command copies a configuration file from Routing Engine 0 to Routing Engine 1: user@host> file copy /config/juniper.conf re1:/var/tmp/copied-juniper.conf

The following sample command copies a log file from Routing Engine 0 to Routing Engine 1: user@host> file copy lcc0-re0:/var/log/chassisd lcc0-re1:/var/tmp

The following sample command copies a text file from Routing Engine 1 on the switch-fabric chassis sfc0 to Routing Engine 1 on the line-card chassis lcc0:



Router Connected to the TX Matrix Plus Router)

user@host> file copy sfc0-re1:/tmp/sample.txt lcc0-re1:/var/tmp


569

®


file delete Syntax

Release Information

Description Options

file delete filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Delete a file on the local router or switch. filename—Name of the file to delete. For a routing matrix, include chassis information in

the filename if the file to be deleted is not local to the Routing Engine from which the command is issued. purge—(Optional) Overwrite regular files before deleting them.


Output Fields

maintenance

file delete on page 570 file delete (Routing Matrix) on page 570 When you enter this command, you are provided feedback on the status of your request.

Sample Output file delete

user@host> file list /var/tmp dcd.core rpd.core snmpd.core user@host> file delete /var/tmp/snmpd.core user@host> file list /var/tmp dcd.core rpd.core

file delete (Routing Matrix)

user@host> file list lcc0-re0:/var/tmp dcd.core rpd.core snmpd.core user@host> file delete lcc0-re0:/var/tmp/snmpd.core user@host> file list /var/tmp dcd.core rpd.core

570



file list Syntax

Release Information

Description Options

file list

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display a list of files on the local router or switch. none—Display a list of all files for the current directory. detail | recursive—(Optional) Display detailed output or descend recursively through the

directory hierarchy, respectively. filename—(Optional) Display a list of files. For a routing matrix, the filename must include

the chassis information. Additional Information


Output Fields

The default directory is the home directory of the user logged in to the router or switch. To view available directories, enter a space and then a backslash (/) after the file list command. To view files within a specific directory, include a backslash followed by the directory and, optionally, subdirectory name after the file list command. maintenance

file list on page 571 file list (Routing Matrix) on page 571 When you enter this command, you are provided feedback on the status of your request.

Sample Output file list

file list (Routing Matrix)

user@host> file list /var/tmp dcd.core rpd.core snmpd.core user@host> file list lcc0-re0:var/tmp lcc0-re0: -------------------------------------------------------------------------/var/tmp/: .gdbinit .pccardd Test/ chassisd* chassisd.nathan* check_time* cores/ diagTestPrep* diagtest*


571

®


diagtest.regress* do_switchovers* dump_test* err.manoj.log esw_clearstats* esw_counter* esw_debug* esw_debug_ge* esw_filt_test* esw_filter_tnp_addr* esw_getstats* esw_phy* esw_stats*

572



file rename Syntax Release Information

Description Options

file rename source destination

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Rename a file on the local router or switch. destination—New name for the file. source—Original name of the file. For a routing matrix, the filename must include the

chassis information. Required Privilege Level List of Sample Output

Output Fields

maintenance

file rename on page 573 file rename (Routing Matrix) on page 573 When you enter this command, you are provided feedback on the status of your request.

Sample Output file rename

The following example lists the files in /var/tmp, renames one of the files, and then displays the list of files again to reveal the newly named file. user@host> file list /var/tmp dcd.core rpd.core snmpd.core user@host> file rename /var/tmp/dcd.core /var/tmp/dcd.core.990413 user@host> file list /var/tmp dcd.core.990413 rpd.core snmpd.core

file rename (Routing Matrix)

The following example lists the files in /var/tmp, renames one of the files, and then displays the list of files again to reveal the newly named file. user@host> file list lcc0-re1:/var/tmp lcc0-re1: -------------------------------------------------------------------------/var/tmp: .pccardd sartre.conf snmpd syslogd.core-tarball.0.tgz user@host> file rename lcc0-re0:/var/tmp/snmpd /var/tmp/snmpd.rr user@host> file list lcc0-re1:/var/tmp


573

®


lcc0-re1: -------------------------------------------------------------------------/var/tmp: .pccardd sartre.conf snmpd.rr syslogd.core-tarball.0.tgz

574



file show Syntax

Release Information

Description Options

file show filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the contents of a file. filename—Name of a file. For a routing matrix, the filename must include the chassis

information. encoding (base64 | raw)—(Optional) Encode file contents with base64 encoding or show

raw text. Required Privilege Level List of Sample Output

Output Fields

maintenance

file show on page 575 file show (Routing Matrix) on page 575 When you enter this command, you are provided feedback on the status of your request.

Sample Output file show

file show (Routing Matrix)

user@host> file show /var/log/messages Apr 13 21:00:08 romney /kernel: so-1/1/2: loopback suspected; going to standby. Apr 13 21:00:40 romney /kernel: so-1/1/2: loopback suspected; going to standby. Apr 13 21:02:48 romney last message repeated 4 times Apr 13 21:07:04 romney last message repeated 8 times Apr 13 21:07:13 romney /kernel: so-1/1/0: Clearing SONET alarm(s) RDI-P Apr 13 21:07:29 romney /kernel: so-1/1/0: Asserting SONET alarm(s) RDI-P ... user@host> file show lcc0-re0:/var/tmp/.gdbinit lcc0-re0: -------------------------------------------------------------------------#################################################################### # Settings #################################################################### set print pretty #################################################################### # Basic stuff #################################################################### define msgbuf printf "%s", msgbufp->msg_ptr end # hex dump of a block of memory # usage: dump address length define dump


575

®


p $arg0, $arg1 set $ch = $arg0 set $j = 0 set $n = $arg1 while ($j < $n) #printf "%x %x ",&$ch[$j],$ch[$j] printf "%x ",$ch[$j] set $j = $j + 1 if (!($j % 16)) printf "\n" end end end

576



request system configuration rescue delete Syntax Release Information

Description

request system configuration rescue delete

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Delete an existing rescue configuration.

NOTE: The [edit system configuration] hierarchy is not available on QFabric switches.



This command has no options. maintenance

•


•


•


request system configuration rescue delete on page 577 This command produces no output.

Sample Output request system configuration rescue delete

user@host> request system configuration rescue delete


577

®


request system configuration rescue save Syntax Release Information

Description

request system configuration rescue save

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Save the most recently committed configuration as the rescue configuration so that you can return to it at any time by using the rollback command.





•


•


•


request system configuration rescue save on page 578 This command produces no output.

Sample Output request system configuration rescue save

578

user@host> request system configuration rescue save




Description



Options




maintenance

•


•


•






579

®



Description



Options




maintenance

•


•


•




580







Options




maintenance

•


•


•






581

®


show system commit Syntax

show system commit

Release Information


Description

Display the pending commit operation (if any) and the commit history.

Options



view


•


clear system commit on page 559

show system commit on page 583 show system commit (At a Particular Time) on page 583 show system commit (At the Next Reboot) on page 583 show system commit (Rollback Pending) on page 583 show system commit (QFX Series) on page 583

Output Fields

Table 80 on page 582 describes the output fields for the show system commit command. Output fields are listed in the approximate order in which they appear.

Table 80: show system commit Output Fields Field Name

Field Description

Commit history

Displays the last 50 commit operations listed, most recent to first. The identifier rescue designates a configuration created for recovery using the request system configuration rescue save command.

Timestamp

Date and time of the commit operation.

Username

User who executed the commit operation.

Commit method

Method used to execute the commit operation:

582

•

cli—CLI interactive user performed the commit operation.

•

Junos XML protocol—Junos XML protocol client performed the commit operation.

•

synchronize—The commit synchronize command was performed on the other Routing Engine.

•

snmp—An SNMP set request caused the commit operation.

•

button—A button on the router or switch was pressed to commit a rescue configuration for recovery.

•

autoinstall—A configuration obtained through autoinstallation was committed.

•

other—A method other than those identified was used to perform the commit operation.



Sample Output show system commit

user@host> show system commit 0 2003-07-28 19:14:04 PDT by root via other 1 2003-07-25 22:01:36 PDT by regress via cli 2 2003-07-25 22:01:32 PDT by regress via cli 3 2003-07-25 21:30:13 PDT by root via button 4 2003-07-25 13:46:48 PDT by regress via cli 5 2003-07-25 05:33:21 PDT by root via autoinstall ... rescue 2002-05-10 15:32:03 PDT by root via other

show system commit (At a Particular Time)

user@host> show system commit commit requested by root via cli at Tue May

show system commit (At the Next Reboot)

user@host> show system commit commit requested by root via cli at reboot

show system commit (Rollback Pending)

user@host> show system commit 0 2005-01-05 15:00:37 PST by root via cli commit confirmed, rollback in 3mins

show system commit (QFX Series)

user@switch> show system commit 0 2011-11-25 19:17:49 PST by root via cli


7 15:59:00 2002

583

®


show system configuration archival Syntax Release Information

Description

show system configuration archival

Introduced in Junos OS Release 7.6. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display directory and number of files queued for archival transfer.


Options Required Privilege Level List of Sample Output


show system configuration archival on page 584

Sample Output show system configuration archival

user@host> show system configuration archival /var/transfer/config/: total 8

584



show system configuration rescue Syntax Release Information

Description

show system configuration rescue

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display a rescue configuration, if one exists.


Options Required Privilege Level Related Documentation List of Sample Output


•

show system configuration archival on page 584

show system configuration rescue on page 585

Sample Output show system configuration rescue

user@switch> show system configuration rescue version "7.3"; groups { global { system { host-name router1; domain-name customer.net; domain-search [ customer.net ]; backup-router 192.168.124.254; name-server { 172.17.28.11; 172.17.28.101; 172.17.28.100; 172.17.28.10; } login { user regress { uid 928; class ; shell csh; authentication { encrypted-password "$1$kPU..$w.4FGRAGanJ8U4Yq6sbj7."; ## SECRET-DATA } } } services { ftp; rlogin;


585

®


rsh; telnet; } } } ....

586



show system rollback Syntax

Release Information

Description

show system rollback number

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the contents of a previously committed configuration, or the differences between two previously committed configurations.

NOTE: The show system rollback command is a purely operational mode command and cannot be issued with run from the configuration mode.

Options

number—Number of a configuration to view. The output displays the configuration. The

range of values is 0 through 49. compare number —(Optional) Number of another previously committed (rollback)

configuration to compare to rollback number. The output displays the differences between the two configurations. The range of values is 0 through 49. Required Privilege Level List of Sample Output

view

show system rollback compare on page 587

Sample Output show system rollback compare

user@host> show system rollback 3 compare 1 [edit] + interfaces { + ge-1/1/1 { + unit 0 { + family inet { + filter { + input mf_plp; + } + address 14.1.1.1/30; + } + } + } + ge-1/2/1 { + unit 0 { + family inet { + filter { + input mf_plp; + } + address 13.1.1.1/30; + } + } + }


587

®


+ + + + + + + + + + +}

588

ge-1/3/0 { unit 0 { family inet { filter { input mf_plp; } address 12.1.1.1/30; } } }



test configuration Syntax Release Information

Description

Options Required Privilege Level List of Sample Output Output Fields

test configuration filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Verify that the syntax of a configuration file is correct. If the configuration contains any errors, a message is displayed to indicate the line number and column number in which the error was found. filename—Name of the configuration file.

view

test configuration on page 589 When you enter this command, you are provided feedback on the status of your request.

Sample Output test configuration

user@host> test configuration terminal [Type ^D to end input] system { host-name bluesky; paris-23; login; } terminal:3:(8) syntax error: paris [edit system] 'paris-23;' syntax error terminal:4:(11) statement must contain additional statements: ; [edit system login] 'login ;' statement must contain additional statements configuration syntax failed


589

®


590


PART 7

Access and User Management on EX Series Switches •

Access and User Management on EX Series Switches Overview on page 593

•

Access and User Management Configuration on page 597

•

Troubleshooting Access and User Management on page 605

•

Configuration Statements for Access and User Management on page 609

•

Operational Commands for Access and User Management on page 637


591

®


592


CHAPTER 23

Access and User Management on EX Series Switches Overview •




•




•



•



593

®


•




Name

Description

Chassis process

chassisd



eswd


Forwarding process

pfem


Interface process

dcd


Management process

mgd



594

rpd



Chapter 23: Access and User Management on EX Series Switches Overview


•


•



595

®


596


CHAPTER 24

Access and User Management Configuration •


•

Generating SSL Certificates to Be Used for Secure Web Access on page 600

•

Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) on page 601

•

Managing Users (J-Web Procedure) on page 601

Configuring Management Access for the EX Series Switch (J-Web Procedure) You can manage an EX Series switch remotely through the J-Web interface. To communicate with the switch, the J-Web interface uses Hypertext Transfer Protocol (HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted between the Web browser and the switch by means of HTTP is vulnerable to interception and attack. To enable secure Web access the switch supports HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports as needed. Navigate to the Secure Access Configuration page by selecting Configure > System Properties > Management Access. On this page, you can enable HTTP and HTTPS access on interfaces for managing the EX Series switch through the J-Web interface. You can also install SSL certificates and enable Junos XML management protocol over SSL with the Secure Access page. 1.

Click Edit to modify the configuration. Enter information into the Management Access Configuration page as described in Table 82 on page 598.

2. To verify that Web access is enabled correctly, connect to the switch using the

appropriate method: •

For HTTP access—In your Web browser, type http://URL or http://IP address.

•

For HTTPS access—In your Web browser, type https://URL or https://IP address.

•

For SSL Junos XML management protocol access—To use this option, you must have a Junos XML management protocol client such as Junos Scope. For information about how to log into Junos Scope, see the Junos Scope Software User Guide.


597

®



Table 82: Secure Management Access Configuration Summary Field

Function

Your Action

Management Access tab Management Port IP/Management Port IPv6

Specifies the management port IP address. The software supports both IPv4 ( displayed as IP) and IPv6 address. NOTE: IPv6 is not supported on EX2200 and EX 4500 switches.

To specify an IPv4 address: 1.

Select the check box IPv4 address.

2. Type an IP address—for example: 10.10.10.10. 3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. 4. Click OK. To specify an IPv6 address: 1.


2. Type an IP address—for example:2001:ab8:85a3::8a2e:370:7334. 3. Enter the subnet mask or address prefix. 4. Click OK. Default Gateway

Defines a default gateway through which to direct packets addressed to networks that are not explicitly listed in the bridge table constructed by the switch.

For IPv4 address type a 32-bit IP address, in dotted decimal notation. Type a 128-bit IP address for IPv6 address type.

Loopback address

Specifies the IP address of the loopback interface.

Type an IP address.

Subnet Mask

Specifies the subnet mask for the loopback interface.

Enter the subnet mask or address prefix.

Services

Specifies services to be enabled: telnet and SSH.

Select to enable the required services.

Enable Junos XML management protocol over Clear Text

Enables clear text access to the Junos XML management protocol XML scripting API.

To enable clear text access, select the Enable Junos XML management protocol over Clear Text check box.

Enable Junos XML protocol over SSL

Enables secure SSL access to the Junos XML management protocol XML scripting API.

To enable SSL access, select the Enable Junos XML management protocol over SSL check box.

Services tab

598


Chapter 24: Access and User Management Configuration

Table 82: Secure Management Access Configuration Summary (continued) Field

Function

Your Action

Junos XML management protocol Certificate

Specifies SSL certificates to be used for encryption.

To enable an SSL certificate, select a certificate from the Junos XML management protocol SSL Certificate list—for example, new.

This field is available only after you create at least one SSL certificate. Enable HTTP

Enables HTTP access on interfaces.

To enable HTTP access, select the Enable HTTP access check box. Select and clear interfaces by clicking the direction arrows: •

Enable HTTPS

Enables HTTPS access on interfaces.

To enable HTTP access on an interface, add the interface to the HTTP Interfaces list. You can either select all interfaces or specific interfaces.

To enable HTTPS access, select the Enable HTTPS access check box. Select and deselect interfaces by clicking the direction arrows: •

To enable HTTPS access on an interface, add the interface to the HTTPS Interfaces list. You can either select all interfaces or specific interfaces.

NOTE: Specify the certificate to be used for HTTPS access.

Certificates tab Certificates

Displays digital certificates required for SSL access to the switch.

To add a certificate: 1.

Allows you to add and delete SSL certificates.

Have a general SSL certificate available. See Generating SSL Certificates for more information.

2. Click Add. The Add a Local Certificate page opens. 3. Type a name in the Certificate Name box—for example, new. 4. Open the certificate file and copy its contents. 5. Paste the generated certificate and RSA private key in the Certificate box. To edit a certificate, select it and click Edit. To delete a certificate, select it and click Delete.


•



599

®


•


Generating SSL Certificates to Be Used for Secure Web Access You can set up secure Web access for an EX Series switch. To enable secure Web access, you must generate a digital Secure Sockets Layer (SSL) certificate and then enable HTTPS access on the switch. To generate an SSL certificate: 1.

Enter the following openssl command in your SSH command-line interface on a BSD or Linux system on which openssl is installed. The openssl command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file. % openssl req –x509 –nodes –newkey rsa:1024 –keyout filename.pem -out filename.pem

where filename is the name of a file in which you want the SSL certificate to be written—for example, my-certificate. 2. When prompted, type the appropriate information in the identification form. For

example, type US for the country name. 3. Display the contents of the file that you created.

cat my-certificate.pem

You can use the J-Web Configuration page to install the SSL certificate on the switch. To do this, copy the file containing the certificate from the BSD or Linux system to the switch. Then open the file, copy its contents, and paste them into the Certificate box on the J-Web Secure Access Configuration page. You can also use the following CLI statement to install the SSL certificate on the switch: [edit] user@switch# set security certificates local my-signed-cert load-key-file my-certificate.pem


600

•


•




Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) Junos OS for EX Series switches enables you to configure the Microsoft Corporation implementation of the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) on the switch to provide password-change support. Configuring MS-CHAPv2 on the switch provides users accessing a switch the option of changing the password when the password expires, is reset, or is configured to be changed at next login. See RFC 2433 at , Microsoft PPP CHAP Extensions, for information about MS-CHAP. Before you configure MS-CHAPv2 to provide password-change support, ensure that you have: •

Configured RADIUS server authentication. Configure users on the authentication server and set the first-tried option in the authentication order to radius. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

To configure MS-CHAPv2, specify the following: [edit system radius-options] user@switch# set password-protocol mschap-v2

You must have the required access permission on the switch in order to change your password. Related Documentation

•

Managing Users (J-Web Procedure) on page 601

•

For more about configuring user access, see the Junos OS Access Privilege Configuration Guide.

Managing Users (J-Web Procedure) You can use the Users Configuration page for user information to add new users to an EX Series switch. For each account, you define a login name and password for the user and specify a login class for access privileges. To configure users: 1.

Select Configure > System Properties > User Management. The User Management page displays details of users, the authentication order, the RADIUS servers and TACACS servers present.

2. Click Edit. 3. Click any of the following options on the Users tab: •

Add—Select this option to add a user. Enter details as described in Table 83 on page 602.

•

Edit—Select this option to edit an existing user's details. Enter details as described in Table 83 on page 602.


601

®


•

Delete—Select this option to delete a user.

4. Click an option on the Authentication Methods and Order tab: •

Authentication Order—Drag and drop the authentication type from the Available Methods section to the Selected Methods. Click the up or down buttons to modify the authentication order.

•

RADIUS server—Click one:

•

•

Add—Select this option to add an authentication server. Enter details as described in Table 84 on page 603.

•

Edit—Select this option to modify the authentication server details. Enter details as described in Table 84 on page 603.

•

Delete—Select this option to delete an authentication server from the list.

TACACS server—Click one: •

Add—Select this option to add an authentication server. Enter details as described in Table 84 on page 603.

•

Edit—Select this option to modify the authentication server details. Enter details as described in Table 84 on page 603.

•

Delete—Select this option to delete an authentication server from the list.


Table 83: User Management Configuration Page Summary Field

Function

Your Action

Username (required)

Specifies the name that identifies the user.

Type the username. It must be unique within the switching platform. Do not include spaces, colons, or commas in the username.

User Id

Specifies the user identification.

Type the user’s ID.

Full Name

Specifies the user's full name.

Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

User Information

602



Table 83: User Management Configuration Page Summary (continued) Field

Function

Your Action

Login Class (required)

Defines the user's access privilege.

Select the user's login class from the list: •

operator

•

read-only

•

super-user/superuser

•

unauthorized

This list also includes any user-defined login classes. Password

Confirm Password

Specifies the login password for this user.

Verifies the login password for this user.

Type the login password for this user. The login password must meet these criteria: •

The password must be at least 6 characters long.

•

It can include alphabetic, numeric, and special characters, but not control characters.

•

It must contain at least one change of case or character class.

Retype the login password for this user.

Table 84: Add an Authentication Server Field

Function

Your Action

IP Address

Specifies the IP address of the server.

Type the server’s 32-bit IP address, in dotted decimal notation.

Password

Specifies the password of the server.

Type the password of the server.

Confirm Password

Verifies that the password of the server is entered correctly.

Retype the password of the server.

Server Port

Specifies the port with which the server is associated.

Type the port number.

Source Address

Specifies the source address of the server.

Type the server’s 32-bit IP address, in dotted decimal notation.

Retry Attempts

Specifies the number of login retries allowed after a login failure.

Type the number. NOTE: Only 1 retry is permitted for a TACACS server.

Time out


Specifies the time interval to wait before the connection to the server is closed.

•

Type the interval in seconds.



603

®


604


CHAPTER 25

Troubleshooting Access and User Management •

Troubleshooting Loss of the Root Password on page 605

Troubleshooting Loss of the Root Password Problem

If you forget the root password for the switch, you can use the password recovery procedure to reset the root password.

NOTE: You need physical access to the switch to recover the root password.

Solution

To recover the root password: 1.

Power off your switch by unplugging the power cord or turning off the power at the wall switch.

2. Insert one end of the Ethernet cable into the serial port on the management device

and connect the other end to the console port on the back of the switch. See Figure 18 on page 605

Figure 18: Connecting to the Console Port on the EX Series Switch


605

®


3. On the management device, start your asynchronous terminal emulation application

(such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1). 4. Configure the port settings as follows: •

Bits per second: 9600

•

Data bits: 8

•

Parity: None

•

Stop bits: 1

•

Flow control: None

5. Power on your switch by plugging in the power cord or turning on the power at the

wall switch. 6. When the following prompt appears, press the Spacebar to access the switch's

bootstrap loader command prompt: Hit [Enter] to boot immediately, or space bar for command prompt. Booting [kernel] in 1 second... 7. At the following prompt, type boot -s to start up the system in single-user mode:

loader> boot -s 8. At the following prompt, type recovery to start the root password recovery procedure:

Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

A series of messages describe consistency checks, mounting of filesystems, and initialization and checkout of management services. Then the CLI prompt appears. 9. Enter configuration mode in the CLI:

user@switch> configure 10. Set the root password. For example:

user@switch# set system root-authentication plain-text-password 11. At the following prompt, enter the new root password. For example:

New password: juniper1 Retype new password: 12. At the second prompt, reenter the new root password. 13. If you are finished configuring the network, commit the configuration.

root@switch# commit commit complete 14. Exit configuration mode in the CLI.

root@switch# exit 15. Exit operational mode in the CLI.

root@switch> exit 16. At the prompt, enter y to reboot the switch.

606


Chapter 25: Troubleshooting Access and User Management

Reboot the system? [y/n] y


•


•


•

For information about configuring an encrypted root password, configuring SSH keys to authenticate root logins, and configuring special requirements for plain-text passwords, see the Junos OS System Basics Configuration Guide.


607

®


608


CHAPTER 26

Configuration Statements for Access and User Management allow-commands Syntax Hierarchy Level Release Information

Description

allow-commands "regular-expression"; [edit system login class class-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the operational mode commands that members of a login class can use.

Default

If you omit this statement and the deny-commands statement, users can issue only those commands for which they have access privileges through the permissions statement.

Options

regular-expression—Extended (modern) regular expression as defined in POSIX 1003.2.

If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. Required Privilege Level Related Documentation


Specifying Access Privileges for Junos OS Operational Mode Commands on page 3845

•

deny-commands on page 616

•

user on page 635


609

®


allow-configuration Syntax Hierarchy Level Release Information

Description

allow-configuration "regular-expression"; [edit system login class class-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Explicitly allow configuration access to the specified levels in the hierarchy even if the permissions set with the permissions statement do not grant such access by default.

Default

If you omit this statement and the deny-configuration statement, users can edit only those commands for which they have access privileges through the permissions statement.

Options



610


Specifying Access Privileges Using allow/deny-configuration Statements

•

Regular Expressions for Allowing and Denying Junos OS Configuration Mode Hierarchies

•

deny-configuration on page 617

•

user on page 635


Chapter 26: Configuration Statements for Access and User Management

announcement Syntax Hierarchy Level Release Information

announcement text; [edit system login]


Description

Configure a system login announcement. This announcement appears after a user logs in.

Options

text—Text of the announcement. If the text contains any spaces, enclose it in quotation

marks. Required Privilege Level Related Documentation

system—To view this statement in the configuration. system-control—To add this statement to the configuration •

Configuring the Junos OS to Display a System Login Announcement

•

message on page 623


611

®


authentication (Login) Syntax


Description

Options

authentication { (encrypted-password "password" | plain-text-password); load-key-file URL filename; ssh-dsa "public-key"; ssh-rsa "public-key"; } [edit system login user username]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Authentication methods that a user can use to log in to the router or switch. You can assign multiple authentication methods to a single user. encrypted-password "password"—Message Digest 5 (MD5) or other encrypted

authentication. Specify the MD5 or other password. You can specify only one encrypted password for each user. You cannot configure a blank password for encrypted-password using blank quotation marks (" "). You must configure a password whose number of characters range from 1 through 128 characters and enclose the password in quotation marks. load-key-file URL filename—Load previously-generated RSA (SSH version 1 and SSH

version 2) and DSA (SSH version 2) public keys from a named file at a specified URL location. The file contains one or more SSH keys. plain-text-password—When using this option, the command-line interface (CLI) prompts

you for the password and then encrypts it. ssh-dsa "public-key"—SSH version 2 authentication. Specify the SSH public key. You can

specify one or more public keys for each user. ssh-rsa "public-key"—SSH version 1 and SSH version 2 authentication. Specify the SSH

public key. You can specify one or more public keys for each user. Required Privilege Level Related Documentation

612


Configuring Junos OS User Accounts

•

root-authentication on page 629



authentication-order Syntax Hierarchy Level Release Information

authentication-order [ authentication-methods ]; [edit system]


Description

Configure the order in which the software tries different user authentication methods when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches.

Default

If you do not include the authentication-order statement, users are verified based on their configured passwords.

Options

authentication-methods—One or more authentication methods, listed in the order in which

they should be tried. The method can be one or more of the following: •

password—Use the password configured for the user with the authentication statement

at the [edit system login user] hierarchy level.


•

radius—Use RADIUS authentication services.

•

tacplus—Use TACACS+ authentication services.


Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication

•

authentication on page 612


613

®


change-type Syntax Hierarchy Level Release Information

Description

Options

change-type (character-sets | set-transitions); [edit system login password]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set requirements for using character sets in plain-text passwords. When you combine this statement with the minimum-changes statement, you can check for the total number of character sets included in the password or for the total number of character-set changes in the password. Newly created passwords must meet these requirements. Specify one of the following: •

character-sets—The number of character sets in the password. Valid character sets

include uppercase letters, lowercase letters, numbers, punctuation, and other special characters. •


set-transitions—The number of transitions between character sets.


Special Requirements for Junos OS Plain-Text Passwords

•

minimum-changes on page 624

class (Assigning a Class to an Individual User) Syntax Hierarchy Level Release Information


614

class class-name; [edit system login user username]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a user’s login class. You must configure one class for each user. class-name—One of the classes defined at the [edit system login class] hierarchy level.





class (Defining Login Classes) Syntax


Description Options

class class-name { allow-commands "regular-expression"; ( allow-configuration | allow-configuration-regexps) “regular expression 1” “regular expression 2”; deny-commands "regular-expression"; ( deny-configuration | deny-configuration-regexps ) “regular expression 1” “regular expression 2 ”; idle-timeout minutes; permissions [ permissions ]; } [edit system login]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define a login class. class-name—A name you choose for the login class.

The remaining statements are explained separately. Required Privilege Level Related Documentation


Defining Junos OS Login Classes

•

user on page 635


615

®


deny-commands Syntax Hierarchy Level Release Information

Description

deny-commands "regular-expression"; [edit system login class]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the operational mode commands that the user is denied permission to issue even though the permissions set with the permissions statement would allow it.

Default

If you omit this statement and the allow-commands statement, users can issue only those commands for which they have access privileges through the permissions statement.

Options



616



•

allow-commands on page 609

•

user on page 635



deny-configuration Syntax Hierarchy Level Release Information

Description

deny-configuration "regular-expression"; [edit system login class]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Explicitly deny configuration access to the specified levels in the hierarchy even if the permissions set with the permissions statement grant such access by default.

Default

If you omit this statement and the allow-configuration statement, users can edit those levels in the configuration hierarchy for which they have access privileges through the permissions statement.

Options




Specifying Access Privileges Using allow/deny-configuration Statements

•

allow-configuration on page 610

•

user on page 635


617

®


format Syntax Hierarchy Level Release Information

Description

format (des | md5 | sha1); [edit system login password]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the authentication algorithm for plain-text passwords.

Default

For Junos OS, the default encryption format is md5. For Junos-FIPS software, the default encryption format is sha1.

Options

The hash algorithm that authenticates the password can be one of three algorithms:


•

des—Has a block size of 8 bytes; its key size is 48 bits long.

•

md5—Produces a 128-bit digest.

•

sha1—Produces a 160-bit digest.



full-name Syntax Hierarchy Level Release Information

Description Options

full-name complete-name; [edit system login user]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the complete name of a user. complete-name—Full name of the user. If the name contains spaces, enclose it in quotation

marks. Required Privilege Level Related Documentation

618



•

user on page 635

•

user



idle-timeout Syntax Hierarchy Level Release Information

idle-timeout minutes; [edit system login class class-name]


Description

For a login class, configure the maximum time that a session can be idle before the user is logged off the router or switch. The session times out after remaining at the CLI operational mode prompt for the specified time.

Default

If you omit this statement, a user is never forced off the system after extended idle times.

Options

minutes—Maximum idle time.

Range: 0 through 4294967295 minutes Required Privilege Level Related Documentation


Configuring the Timeout Value for Idle Login Sessions

•

user on page 635


619

®


login Syntax


Description Options Required Privilege Level

620

login { announcement text; class class-name { allow-commands "regular-expression"; ( allow-configuration | allow-configuration-regexps) “regular expression 1” “regular expression 2”; deny-commands "regular-expression"; ( deny-configuration | deny-configuration-regexps ) “regular expression 1” “regular expression 2 ”; idle-timeout minutes; login-tip; permissions [ permissions ]; } message text; password { change-type (set-transitions | character-set); format (md5 | sha1 | des); maximum-length length; minimum-changes number; minimum-length length; } retry-options { backoff-threshold number; backoff-factor seconds; minimum-time seconds; tries-before-disconnect number; } user username { full-name complete-name; uid uid-value; class class-name; authentication authentication; (encrypted-password "password" | plain-text-password); ssh-rsa "public-key"; ssh-dsa "public-key"; } } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure user access to the router or switch. The remaining statements are explained separately. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration.




•


login-alarms Syntax Hierarchy Level Release Information

Description


login-alarms; [edit system login class admin]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. For J Series Services Routers, EX Series switches, and the QFX Series only. Show system alarms automatically when an admin user logs in to the router or switch. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •

Configuring System Alarms to Appear Automatically on J Series Routers, EX Series Ethernet Switches, and the QFX Series

•

J Series Services Router Administration Guide

login-tip Syntax Hierarchy Level Release Information

Description Default Required Privilege Level Related Documentation

login-tip; [edit system login class class-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable CLI tips at login. Disabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring CLI Tips


621

®


maximum-length Syntax Hierarchy Level Release Information

Description

Default

Options

maximum-length length; [edit system login passwords]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the maximum number of characters allowed in plain-text passwords. Newly created passwords must meet this requirement. For Junos-FIPS software, the maximum number of characters for plain-text passwords is 20. For Junos OS, no maximum is set. length—The maximum number of characters the password can include.

Range: 1 to 64 characters Required Privilege Level Related Documentation

622





message Syntax Hierarchy Level Release Information

Description

message text; [edit system login]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a system login message. This message appears before a user logs in. You can format the message using the following special characters:


•

\n—New line

•

\t—Horizontal tab

•

\'—Single quotation mark

•

\"—Double quotation mark

•

\\—Backslash

text—Text of the message.


Configuring the Junos OS to Display a System Login Message

•

announcement on page 611


623

®


minimum-changes Syntax Hierarchy Level Release Information

Description

minimum-changes number; [edit system login passwords]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the minimum number of character sets (or character set changes) required in plain-text passwords. Newly created passwords must meet this requirement. This statement is used in combination with the change-type statement. If the change-type is character-sets, then the number of character sets included in the password is checked against the specified minimum. If change-type is set-transitions, then the number of character set changes in the password is checked against the specified minimum.

Default

For Junos OS, the minimum number of changes is 1. For Junos-FIPS Software, the minimum number of changes is 3.

Options

number—The minimum number of character sets (or character set changes) required for

the password. Required Privilege Level Related Documentation

624



•

change-type on page 614



minimum-length Syntax Hierarchy Level Release Information

Description

Default

Options

minimum-length length; [edit system login passwords]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the minimum number of characters required in plain-text passwords. Newly created passwords must meet this requirement. For Junos OS, the minimum number of characters for plain-text passwords is six. For Junos-FIPS software, the minimum number of characters for plain-text passwords is 10. length—The minimum number of characters the password must include.

Range: 6 to 20 characters Required Privilege Level Related Documentation



•

maximum-length on page 622


625

®


password (Login) Syntax


Description

password { change-type (set-transitions | character-set); format (md5 | sha1 | des); maximum-length length; minimum-changes number; minimum-length length; } [edit system login]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure special requirements such as character length and encryption format for plain-text passwords. Newly created passwords must meet these requirements. The remaining statements are explained separately.




•

maximum-length on page 622

permissions Syntax Hierarchy Level Release Information


626

permissions [ permissions ]; [edit system login class]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the login access privileges to be provided on the router or switch. permissions—Privilege type. For a list of permission flag types, see Table 433 on page 3826.


Configuring Access Privilege Levels on page 3845

•

user on page 635



radius-options (edit system) Syntax


radius-options { attributes { nas-ip-address ip-address; } password-protocol mschap-v2; } [edit system]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. MS-CHAPv2 password protocol configuration option introduced in Junos OS Release 9.2. MS-CHAPv2 password protocol configuration option introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series.

NOTE: The radius-options statement is not available on QFabric switches.

Description

Options

Configure RADIUS options for the NAS-IP address for outgoing RADIUS packets and password protocol used in RADIUS packets. nas-ip-address ip-address—IP address of the network access server (NAS) that requests

user authentication. password-protocol mschap-v2—Protocol MS-CHAPv2, used for password authentication

and password changing. Required Privilege Level Related Documentation


Configuring RADIUS Authentication

•



627

®


retry-options Syntax


Description


628

retry-options { backoff-factor seconds; backoff-threshold number; maximum-time seconds; minimum-time seconds; tries-before-disconnect number; } [edit system login]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. maximum-time option introduced in Junos OS Release 9.6. maximum-time option introduced in Junos OS Release 9.6 for EX Series switches. Maximum number of times a user can attempt to enter a password while logging in through SSH or Telnet before being disconnected. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •

Limiting the Number of User Login Attempts for SSH and Telnet Sessions

•

rate-limit on page 761



root-authentication Syntax


root-authentication { (encrypted-password "password" | plain-text-password); ssh-dsa "public-key"; ssh-rsa "public-key"; } [edit system]


Description

Configure the authentication methods for the root-level user, whose username is root.

Options

encrypted-password "password"— MD5 or other encrypted authentication. Specify the

MD5 or other password. You can specify only one encrypted password. You cannot configure a blank password for encrypted-password using blank quotation marks (" "). You must configure a password whose number of characters range from 1 through 128 characters and enclose the password in quotation marks. plain-text-password—Plain-text password. The CLI prompts you for the password and

then encrypts it. The CLI displays the encrypted version, and the software places the encrypted version in its user database. You can specify only one plain-text password. ssh-dsa "public-key"—SSH version 2 authentication. Specify the DSA (SSH version 2)

public key. You can specify one or more public keys. ssh-rsa "public-key"—SSH version 1 authentication. Specify the RSA (SSH version 1 and

SSH version 2) public key. You can specify one or more public keys. Required Privilege Level Related Documentation


Configuring the Root Password

•

authentication on page 612


629

®


root-login Syntax Hierarchy Level Release Information


root-login (allow | deny | deny-password); [edit system services ssh]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Control user access through SSH. Allow user access through SSH. allow—Allow users to log in to the router or switch as root through SSH. deny—Disable users from logging in to the router or switch as root through SSH. deny-password—Allow users to log in to the router or switch as root through SSH when

the authentication method (for example, RSA authentication) does not require a password. Required Privilege Level Related Documentation

630


Configuring SSH Service for Remote Access to the Router or Switch



tacplus-options Syntax


Description Options

tacplus-options { (exclude-cmd-attribute | no-cmd-attribute-value); service-name service-name; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for QFX Series. no-cmd-attribute-value and exclude-cmd-attribute options introduced in Junos OS Release 9.3. no-cmd-attribute-value and exclude-cmd-attribute options introduced in Junos OS Release 9.3 for EX Series switches. Configure TACACS+ options for authentication and accounting. exclude-cmd-attribute—Exclude the cmd attribute value completely from start and stop

accounting records to enable logging of accounting records in the correct log file on a TACACS+ server. no-cmd-attribute-value—Set the cmd attribute value to an empty string in the TACACS+

accounting start and stop requests to enable logging of accounting records in the correct log file on a TACACS+ server. service-name service-name—Name of the authentication service used when you configure

multiple TACACS+ servers to use the same authentication service. Default: junos-exec Required Privilege Level Related Documentation


Configuring TACACS+ Authentication

•

Configuring TACACS+ System Accounting

•

Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication

•


•



631

®


tacplus-server Syntax


Description Options

tacplus-server server-address { secret password; single-connection; source-address source-address; timeout seconds; } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the TACACS+ server. server-address—Address of the TACACS+ authentication server.


632





traceoptions (Address-Assignment Pool) Syntax


Description Options

traceoptions { file filename { files number; size maximum-file-size; match regex; (world-readable | no-world-readable); } flag address-assignment; flag all; flag configuration; flag framework; flag ldap; flag local-authentication; flag radius; } [edit system processes general-authentication-service]

Flag for tracing address-assignment pool operations introduced in Junos OS Release 9.0. option-name option introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure tracing options. file filename—Name of the file that receives the output of the tracing operation. Enclose

the name in quotation marks. All files are placed in the directory /var/log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename. Range: 2 through 1000 Default: 3 files flag flag—Tracing operation to perform. To specify more than one tracing operation,


address-assignment—All address-assignment events

•

all—All tracing operations

•

configuration—Configuration events

•

framework—Authentication framework events

•

ldap—LDAP authentication events

•

local-authentication—Local authentication events


633

®


•

radius—RADIUS authentication events


expression. no-world-readable—(Optional) Restrict access to the originator of the trace operation

only. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and filename. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB world-readable—(Optional) Enable unrestricted file access.



Configuring Address-Assignment Pools

uid Syntax Hierarchy Level Release Information

Description

Options

uid uid-value; [edit system login user]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Numeric identifier associated with the user account name, either assigned by an administrator or assigned automatically when you commit the user configuration. It is used by applications that request numeric identifiers, such as some RADIUS queries or secure applications such as flow-tap monitoring. uid-value—Number associated with the login account. This value must be unique on the

router or switch. Range: 100 through 64000 Required Privilege Level Related Documentation

634





user (Access) Syntax



user username { authentication { class class-name; (encrypted-password "password" | plain-text-password); full-name complete-name; load-key-file URL filename; ssh-dsa “public-key” ; ssh-rsa “public-key” ; uid uid-value; } } [edit system login]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure access permission for individual users. The remaining statements are explained separately. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •


•

class on page 614


635

®


636


CHAPTER 27

Operational Commands for Access and User Management


637

®


request message Syntax

Release Information

Description

Options

request message all message "text" request message message "text" (terminal terminal-name | user user-name)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display a message on the screens of all users who are logged in to the router or switch or on specific screens. all—Display a message on the terminal of all users who are currently logged in. message "text"—Message to display. terminal terminal-name—Name of the terminal on which to display the message. user user-name—Name of the user to whom to direct the message.


maintenance

request message message on page 638 When you enter this command, you are provided feedback on the status of your request.

Sample Output request message message

638

user@host> request message message "Maintenance window in 10 minutes" user maria Message from user@host on ttyp0 at 20:27 ... Maintenance window in 10 minutes EOF


Chapter 27: Operational Commands for Access and User Management

show subscribers Syntax

show subscribers

Release Information

Command introduced in Junos OS Release 9.3. Command introduced in Junos OS Release 9.3 for EX Series switches. client-type, mac-address, subscriber-state, extensive, and summary options introduced in Junos OS Release 10.2. count option usage with other options introduced in Junos OS Release 10.2. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description Options

Display information for active subscribers. address—(Optional) Display subscribers whose IP address matches the specified address. client-type—(Optional) Display subscribers whose client type matches the specified

client type (DHCP, L2TP, PPP, PPPOE, VLAN, or static). count—(Optional) Display the count of total subscribers and active subscribers for any

specified option. You can use the count option alone or with the address, client-type, interface, logical-system, mac-address, profile-name, routing-instance, stacked-vlan-id, subscriber-state, or vlan-id options. id—(Optional) Display a specific subscriber session whose session id matches the specified

subscriber ID. You can display subscriber IDs by using the show subscribers extensive or the show subscribers interface extensive commands. interface—(Optional) Display subscribers whose interface matches the specified interface. logical-system—(Optional) Display subscribers whose logical system matches the

specified logical system. mac-address—(Optional) Display subscribers whose MAC address matches the specified

MAC address. profile-name—(Optional) Display subscribers whose dynamic profile matches the specified

profile name. routing-instance—(Optional) Display subscribers whose routing instance matches the

specified routing instance.


639

®


subscriber-state—(Optional) Display subscribers whose subscriber state matches the

specified subscriber state (ACTIVE, CONFIGURED, INIT, TERMINATED, or TERMINATING). vlan-id—(Optional) Display subscribers whose VLAN ID matches the specified VLAN ID. stacked-vlan-id—(Optional) Display subscribers whose stacked VLAN ID matches the

specified stacked VLAN ID. detail | extensive | summary | terse—(Optional) Display the specified level of output.

NOTE: Due to display limitations, logical system and routing instance output values are truncated when necessary.


Output Fields

640

view

show subscribers (IPv4) on page 643 show subscribers (IPv6) on page 643 show suscribers (IPv4 and IPv6 Dual Stack) on page 643 show subscribers (LNS on MX Series Routers) on page 644 show subscribers detail (IPv4) on page 644 show subscribers detail (IPv6) on page 644 show subscribers detail (IPv6 Static Demux Interface) on page 644 show subscribers detail (L2TP LNS Subscribers on MX Series Routers) on page 645 show subscribers detail (Tunneled Subscriber) on page 645 show subscribers detail (IPv4 and IPv6 Dual Stack) on page 645 show subscribers interface on page 646 show subscribers logical-system on page 647 show subscribers count on page 647 show subscribers routing-instance inst1 count on page 647 show subscribers vlan-id on page 647 show subscribers vlan-id detail on page 647 show subscribers stacked-vlan-id detail on page 647 show subscribers stacked-vlan-id vlan-id detail (Combined Output) on page 647 show subscribers stacked-vlan-id vlan-id interface detail (Combined Output for a Specific Interface) on page 648 show subscribers client-type dhcp detail on page 648 show subscribers extensive on page 648 show subscribers extensive (L2TP LNS Subscribers on MX Series Routers) on page 648 show subscribers extensive (IPv4 and IPv6 Dual Stack) on page 649 show subscribers summary on page 650 show subscribers summary all on page 650 show subscribers terse on page 650 Table 85 on page 641 lists the output fields for the show subscribers command. Output fields are listed in the approximate order in which they appear.



Table 85: show subscribers Output Fields Field Name

Field Description

User Name

Name of subscriber.

Type

Subscriber client type (DHCP, L2TP, PPP, PPPoE, STATIC-INTERFACE, VLAN).

IP Address

Subscriber IPv4 address.

IP Netmask

Subscriber IP netmask.

IPv6 Address

Subscriber IPv6 address, or multiple addresses.

IPv6 Prefix

Subscriber IPv6 prefix. If you are using DHCPv6 prefix delegation, this is the delegated prefix.

IPv6 User Prefix

IPv6 prefix obtained through ND/RA.

IPv6 Address Pool

Subscriber IPv6 address pool. The IPv6 address pool is used to allocate IPv6 prefixes to the DHCPv6 clients.

IPv6 Network Prefix Length

Length of the network portion of the IPv6 address.

IPv6 Prefix Length

Length of the subscriber IPv6 prefix.

Logical System

Logical system associated with the subscriber.

Routing Instance

Routing instance associated with the subscriber.

Interface

Interface associated with the subscriber. The router or switch displays subscribers whose interface matches or begins with the specified interface. The * character indicates a continuation of addresses for the same session.

Interface Type

Whether the subscriber interface is Static or Dynamic.

Dynamic Profile Name

Dynamic profile used for the subscriber.

MAC Address

MAC address associated with the subscriber.

State

Current state of the subscriber session (Init, Configured, Active, Terminating, Tunneled).

VLAN Id

VLAN ID associated with the subscriber in the form tpid.vlan-id.

Stacked VLAN Id

Stacked VLAN ID associated with the subscriber in the form tpid.vlan-id.

RADIUS Accounting ID

RADIUS accounting ID associated with the subscriber.

Agent Circuit ID

Option 82 agent circuit ID associated with the subscriber. The ID is displayed as an ASCII string unless the value has nonprintable characters, in which case it is displayed in hexadecimal format.


641

®


Table 85: show subscribers Output Fields (continued) Field Name

Field Description

Agent Remote ID

Option 82 agent remote ID associated with the subscriber. The ID is displayed as an ASCII string unless the value has nonprintable characters, in which case it is displayed in hexadecimal format.

DHCP Relay IP Address

IP address used by the DHCP relay agent.

Login Time

Date and time at which the subscriber logged in.

DHCP Options

len = number of hex values in the message. The hex values specify the type, length, value (TLV) for

DHCP options, as defined in RFC 2132. Session ID

ID number for a subscriber service session.

Underlying Session ID

For DHCPv6 subscribers on a PPPoE network, dispalys the session ID of the underlying PPPoE interface.

Service Sessions

Number of service sessions (that is, a service activated using RADIUS CoA) associated with the subscribers.

Service Session Name

Service session profile name.

Session Timeout (seconds)

Number of seconds of access provided to the subscriber before the session is automatically terminated.

Idle Timeout (seconds)

Number of seconds subscriber can be idle before the session is automatically terminated.

IPv6 Delegated Address Pool

Name of the pool used for DHCPv6 prefix delegation.

IPv6 Delegated Network Prefix Length

Length of the prefix configured for the IPv6 delegated address pool.

IPv6 Interface Address

Address assigned by the Framed-Ipv6-Prefix AAA attribute.

IPv6 Framed Interface Id

Interface ID assigned by the Framed-Interface-Id AAA attribute.

ADF IPv4 Input Filter Name

Name assigned to the Ascend-Data-Filter (ADF) interface IPv4 input filter (client or service session). The filter name is followed by the rules (in hexadecimal format) associated with the ADF filter and the decoded rule in Junos OS filter style.

ADF IPv4 Output Filter Name

Name assigned to the Ascend-Data-Filter (ADF) interface IPv4 output filter (client or service session). The filter name is followed by the rules (in hexadecimal format) associated with the ADF filter and the decoded rule in Junos OS filter style.

ADF IPv6 Input Filter Name

Name assigned to the Ascend-Data-Filter (ADF) interface IPv6 input filter (client or service session). The filter name is followed by the rules (in hexadecimal format) associated with the ADF filter and the decoded rule in Junos OS filter style.

642



Table 85: show subscribers Output Fields (continued) Field Name

Field Description

ADF IPv6 Output Filter Name

Name assigned to the Ascend-Data-Filter (ADF) interface IPv6 output filter (client or service session). The filter name is followed by the rules (in hexadecimal format) associated with the ADF filter and the decoded rule in Junos OS filter style.

IPv4 Input Filter Name

Name assigned to the IPv4 input filter (client or service session).

IPv4 Output Filter Name

Name assigned to the IPv4 output filter (client or service session).

IPv6 Input Filter Name

Name assigned to the IPv6 input filter (client or service session).

IPv6 Output Filter Name

Name assigned to the IPv6 output filter (client or service session).

IFL Input Filter Name

Name assigned to the logical interface input filter (client or service session).

IFL Output Filter Name

Name assigned to the logical interface output filter (client or service session).

Subscribers by State

Number of subscribers summarized by state. The summary information includes the following: •

Init—Number of subscriber currently in the initialization state.

•

Configured—Number of configured subscribers.

•

Active—Number of active subscribers.

•

Terminating—Number of subscribers currently terminating.

•

Terminated—Number of terminated subscribers.

Summary information includes subscriber counts per state and the total number of subscribers. Subscribers by Client Type

Number of subscribers summarized by client type. Client types can include DHCP, VLAN, PPP, PPPOE, L2TP, and static. Summary information includes subscriber counts per client type and the total number of subscribers.

Subscribers by LS:RI

Number of subscribers summarized by logical system:routing instance (LS:RI) combination. Summary information includes subscriber counts per LS:RI and the total number of subscribers.

Sample Output show subscribers (IPv4)

user@host> show subscribers Interface IP Address/VLAN ID ge-1/3/0.1073741824 100 demux0.1073741824 100.0.0.10 demux0.1073741825 101.0.0.3 demux0.1073741826 102.0.0.3

show subscribers (IPv6)

user@host> show subscribers Interface IP Address/VLAN ID ge-1/0/0.0 2001::c0:0:0:0/74 * 2002::1/128

show suscribers (IPv4 and IPv6 Dual Stack)

user@host> show subscribers Interface IP Address/VLAN ID LS:RI


User Name

LS:RI default:default WHOLESALER-CLIENT default:default RETAILER1-CLIENT test1:retailer1 RETAILER2-CLIENT test1:retailer2

User Name WHOLESALER-CLIENT subscriber-25

LS:RI default:default default:default

User Name

643

®


demux0.1073741834 default:default demux0.1073741835 default:default pp0.1073741836 default:ASP-1 * * pp0.1073741837 default:ASP-1 *

show subscribers (LNS on MX Series Routers)

0x8100.1001 0x8100.1 61.1.1.1

[email protected]

2041:1:1::/48 2061:1:1:1::/64 23.1.1.3

[email protected]

2001:1:2:5::/64

user@host> show subscribers Interface IP Address/VLAN ID si-4/0/0.1 192.168.4.1

User Name [email protected]

LS:RI default:default

show subscribers detail (IPv4)

user@host> show subscribers detail Type: DHCP IP Address: 100.20.9.7 IP Netmask: 255.255.0.0 Logical System: default Routing Instance: default Interface: demux0.1073744127 Interface type: Dynamic Dynamic Profile Name: dhcp-demux-prof MAC Address: 00:10:95:00:00:98 State: Active Radius Accounting ID: jnpr :2304 Session Timeout (seconds): 3600 Idle Timeout (seconds): 600 Login Time: 2009-08-25 14:43:52 PDT DHCP Options: len 52 35 01 01 39 02 02 40 3d 07 01 00 10 94 00 00 08 33 04 00 00 00 3c 0c 15 63 6c 69 65 6e 74 5f 50 6f 72 74 20 2f 2f 36 2f 33 2d 37 2d 30 37 05 01 06 0f 21 2c Service Sessions: 2

show subscribers detail (IPv6)

user@host> show subscribers detail Type: DHCP User Name: pd-user1 IPv6 Prefix: 2002:db2:ffff:1::/64 Logical System: default Routing Instance: default Interface: ge-3/1/3.2 Interface type: Static MAC Address: 00:51:ff:ff:00:03 State: Active Radius Accounting ID: 1 Session ID: 1 Login Time: 2011-08-25 12:12:26 PDT DHCP Options: len 42 00 08 00 02 00 00 00 01 00 0a 00 03 00 01 00 51 ff ff 00 03 00 06 00 02 00 19 00 19 00 0c 00 00 00 00 00 00 00 00 00 00 00 00

show subscribers detail (IPv6 Static Demux Interface)

644

0x8100.1002 0x8100.1

user@host> show subscribers detail Type: STATIC-INTERFACE User Name: [email protected] IPv6 Prefix: 1:2:3:4:5:6:7:aa/128



Logical System: default Routing Instance: default Interface: demux0.1 Interface type: Static Dynamic Profile Name: junos-default-profile State: Active Radius Accounting ID: 185 Login Time: 2010-05-18 14:33:56 EDT

show subscribers detail (L2TP LNS Subscribers on MX Series Routers)

show subscribers detail (Tunneled Subscriber)

show subscribers detail (IPv4 and IPv6 Dual Stack)

user@host> show subscribers detail Type: L2TP User Name: [email protected] IP Address: 10.1.32.58 IP Netmask: 255.255.0.0 Logical System: default Routing Instance: default Interface: si-5/2/0.1073749824 Interface type: Dynamic Dynamic Profile Name: dyn-lns-profile2 Dynamic Profile Version: 1 State: Active Radius Accounting ID: 8001 Session ID: 8001 Login Time: 2011-04-25 20:27:50 IST user@host> show subscribers detail Type: PPPoE User Name: [email protected] Logical System: default Routing Instance: default Interface: pp0.1 State: Active, Tunneled Radius Accounting ID: 512 user@host> show subscribers detail Type: VLAN Logical System: default Routing Instance: default Interface: demux0.1073741824 Interface type: Dynamic Dynamic Profile Name: svlanProfile State: Active Session ID: 1 Stacked VLAN Id: 0x8100.1001 VLAN Id: 0x8100.1 Login Time: 2011-11-30 00:18:04 PST Type: PPPoE User Name: [email protected] IP Address: 61.1.1.1 IPv6 Prefix: 2041:1:1::/48 IPv6 User Prefix: 2061:1:1:1::/64 Logical System: default Routing Instance: ASP-1 Interface: pp0.1073741825 Interface type: Dynamic Dynamic Profile Name: dualStack-Profile1 MAC Address: 00:00:64:03:01:02 State: Active Radius Accounting ID: 2


645

®


Session ID: 2 Login Time: 2011-11-30 00:18:05 PST Type: DHCP IPv6 Prefix: 2041:1:1::/48 Logical System: default Routing Instance: ASP-1 Interface: pp0.1073741825 Interface type: Static MAC Address: 00:00:64:03:01:02 State: Active Radius Accounting ID: jnpr :3 Session ID: 3 Underlying Session ID: 2 Login Time: 2011-11-30 00:18:35 PST DHCP Options: len 42 00 08 00 02 0b b8 00 01 00 0a 00 03 00 01 00 00 64 03 01 02 00 06 00 02 00 19 00 19 00 0c 00 00 00 00 00 00 00 00 00 00 00 00

show subscribers interface

user@host> show subscribers interface demux0.1073741826 extensive Type: VLAN User Name: [email protected] Logical System: default Routing Instance: testnet Interface: demux0.1073741826 Interface type: Dynamic Dynamic Profile Name: profile-vdemux-relay-23qos MAC Address: 00:00:6e:56:01:04 State: Active Radius Accounting ID: 12 Session ID: 12 Stacked VLAN Id: 0x8100.1500 VLAN Id: 0x8100.2902 Login Time: 2011-10-20 16:21:59 EST Type: DHCP User Name: [email protected] IP Address: 172.16.200.6 IP Netmask: 255.255.255.0 Logical System: default Routing Instance: testnet Interface: demux0.1073741826 Interface type: Static MAC Address: 00:00:6e:56:01:04 State: Active Radius Accounting ID: 21 Session ID: 21 Login Time: 2011-10-20 16:24:33 EST Service Sessions: 2 Service Session ID: 25 Service Session Name: SUB-QOS State: Active Service Session ID: 26 Service Session Name: service-cb-content State: Active

646



IPv4 Input Filter Name: content-cb-in-demux0.1073741826-in IPv4 Output Filter Name: content-cb-out-demux0.1073741826-out

show subscribers logical-system

user@host> show subscribers logical-system test1 terse Interface IP Address/VLAN ID User Name LS:RI demux0.1073741825 101.0.0.3 RETAILER1-CLIENT test1:retailer1 demux0.1073741826 102.0.0.3 RETAILER2-CLIENT test1:retailer2

show subscribers count

user@host> show subscribers count Total Subscribers: 188, Active Subscribers: 188

show subscribers routing-instance inst1 count

user@host> show subscribers routing-instance inst1 count Total Subscribers: 188, Active Subscribers: 183

show subscribers vlan-id

user@host> show subscribers vlan-id 100 Interface IP Address ge-1/0/0.1073741824 ge-1/2/0.1073741825

show subscribers vlan-id detail

user@host> show subscribers vlan-id 100 detail Type: VLAN Interface: ge-1/0/0.1073741824 Interface type: Dynamic Dynamic Profile Name: vlan-prof-tpid State: Active VLAN Id: 100 Login Time: 2009-03-11 06:48:54 PDT

User Name

Type: VLAN Interface: ge-1/2/0.1073741825 Interface type: Dynamic Dynamic Profile Name: vlan-prof-tpid State: Active VLAN Id: 100 Login Time: 2009-03-11 06:48:54 PDT

show subscribers stacked-vlan-id detail

user@host> show subscribers stacked-vlan-id 101 detail Type: VLAN Interface: ge-1/2/0.1073741824 Interface type: Dynamic Dynamic Profile Name: svlan-prof State: Active Stacked VLAN Id: 0x8100.101 VLAN Id: 0x8100.100 Login Time: 2009-03-27 11:57:19 PDT

show subscribers stacked-vlan-id vlan-id detail (Combined Output)

user@host> show subscribers stacked-vlan-id 101 vlan-id 100 detail Type: VLAN Interface: ge-1/2/0.1073741824 Interface type: Dynamic Dynamic Profile Name: svlan-prof State: Active Stacked VLAN Id: 0x8100.101 VLAN Id: 0x8100.100 Login Time: 2009-03-27 11:57:19 PDT


647

®


show subscribers stacked-vlan-id vlan-id interface detail (Combined Output for a Specific Interface)

user@host> show subscribers stacked-vlan-id 101 vlan-id 100 interface ge-1/2/0.* detail Type: VLAN Interface: ge-1/2/0.1073741824 Interface type: Dynamic Dynamic Profile Name: svlan-prof State: Active Stacked VLAN Id: 0x8100.101 VLAN Id: 0x8100.100 Login Time: 2009-03-27 11:57:19 PDT

show subscribers client-type dhcp detail

user@host> show subscribers client-type dhcp detail Type: DHCP IP Address: 100.20.9.7 IP Netmask: 255.255.0.0 Logical System: default Routing Instance: default Interface: demux0.1073744127 Interface type: Dynamic Dynamic Profile Name: dhcp-demux-prof MAC Address: 00:10:95:00:00:98 State: Active Radius Accounting ID: jnpr :2304 Login Time: 2009-08-25 14:43:52 PDT Type: DHCP IP Address: 100.20.10.7 IP Netmask: 255.255.0.0 Logical System: default Routing Instance: default Interface: demux0.1073744383 Interface type: Dynamic Dynamic Profile Name: dhcp-demux-prof MAC Address: 00:10:94:00:01:f3 State: Active Radius Accounting ID: jnpr :2560 Login Time: 2009-08-25 14:43:56 PDT

show subscribers extensive

show subscribers extensive (L2TP LNS

648

user@host> show subscribers extensive Type: DHCP User Name: pd-user1 IPv6 Prefix: 2002:db2:ffff:1::/64 Logical System: default Routing Instance: default Interface: ge-3/1/3.2 Interface type: Static MAC Address: 00:51:ff:ff:00:03 State: Active Radius Accounting ID: 1 Session ID: 1 Login Time: 2011-08-25 12:12:26 PDT DHCP Options: len 42 00 08 00 02 00 00 00 01 00 0a 00 03 00 01 00 51 ff ff 00 03 00 06 00 02 00 19 00 19 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 IPv6 Address Pool: pd_pool IPv6 Network Prefix Length: 48 user@host> show subscribers extensive Type: L2TP User Name: [email protected]



Subscribers on MX Series Routers)

show subscribers extensive (IPv4 and IPv6 Dual Stack)

IP Address: 10.1.32.58 IP Netmask: 255.255.0.0 Logical System: default Routing Instance: default Interface: si-5/2/0.1073749824 Interface type: Dynamic Dynamic Profile Name: dyn-lns-profile2 Dynamic Profile Version: 1 State: Active Radius Accounting ID: 8001 Session ID: 8001 Login Time: 2011-04-25 20:27:50 IST IPv4 Input Filter Name: classify-si-5/2/0.1073749824-in IPv4 Output Filter Name: classify-si-5/2/0.1073749824-out user@host> show subscribers extensive Type: VLAN Logical System: default Routing Instance: default Interface: demux0.1073741824 Interface type: Dynamic Dynamic Profile Name: svlanProfile State: Active Session ID: 1 Stacked VLAN Id: 0x8100.1001 VLAN Id: 0x8100.1 Login Time: 2011-11-30 00:18:04 PST Type: PPPoE User Name: [email protected] IP Address: 61.1.1.1 IPv6 Prefix: 2041:1:1::/48 IPv6 User Prefix: 2061:1:1:1::/64 Logical System: default Routing Instance: ASP-1 Interface: pp0.1073741825 Interface type: Dynamic Dynamic Profile Name: dualStack-Profile1 MAC Address: 00:00:64:03:01:02 State: Active Radius Accounting ID: 2 Session ID: 2 Login Time: 2011-11-30 00:18:05 PST IPv6 Delegated Network Prefix Length: 48 IPv6 Interface Address: 2061:1:1:1::1/64 IPv6 Framed Interface Id: 1:1:2:2 IPv4 Input Filter Name: FILTER-IN-pp0.1073741825-in IPv4 Output Filter Name: FILTER-OUT-pp0.1073741825-out IPv6 Input Filter Name: FILTER-IN6-pp0.1073741825-in IPv6 Output Filter Name: FILTER-OUT6-pp0.1073741825-out Type: DHCP IPv6 Prefix: 2041:1:1::/48 Logical System: default Routing Instance: ASP-1 Interface: pp0.1073741825 Interface type: Static MAC Address: 00:00:64:03:01:02 State: Active Radius Accounting ID: jnpr :3 Session ID: 3


649

®


Underlying Session ID: 2 Login Time: 2011-11-30 00:18:35 PST DHCP Options: len 42 00 08 00 02 0b b8 00 01 00 0a 00 03 00 01 00 00 64 03 01 02 00 06 00 02 00 19 00 19 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 IPv6 Delegated Network Prefix Length: 48

show subscribers summary

user@host> show subscribers summary Subscribers by State Init 3 Configured 2 Active 183 Terminating 2 Terminated 1 TOTAL

191

Subscribers by Client Type DHCP 107 PPP 76 VLAN 8 TOTAL

show subscribers summary all

191

user@host> show subscribers summary all Subscribers by State Init 3 Configured 2 Active 183 Terminating 2 Terminated 1 TOTAL

191

Subscribers by Client Type DHCP 107 PPP 76 VLAN 8 TOTAL

191

Subscribers by LS:RI default:default 1 default:ri1 28 default:ri2 16 ls1:default 22 ls1:riA 38 ls1:riB 44 logsysX:routinstY 42 TOTAL

show subscribers terse

650

191

user@host> show subscribers summary terse Interface IP Address/VLAN ID ge-1/3/0.1073741824 100 demux0.1073741824 100.0.0.10

User Name

LS:RI default:default WHOLESALER-CLIENT default:default



demux0.1073741825 demux0.1073741826


101.0.0.3 102.0.0.3

RETAILER1-CLIENT RETAILER2-CLIENT

test1:retailer1 test1:retailer2

651

®


652


PART 8

Junos OS for EX Series Switches System Services •

System Services Overview on page 655

•

System Services Configuration on page 665

•

Monitoring System Services on page 677

•

Configuration Statements for System Services on page 681

•

Operational Commands for System Services on page 797


653

®


654


CHAPTER 28

System Services Overview •

DHCP Overview on page 655

•

Understanding Public Key Cryptography on Switches on page 660

•

Understanding Self-Signed Certificates on EX Series Switches on page 661

•

Understanding Extended DHCP Relay Agent for EX Series Switches on page 662

•


•


DHCP Overview

Understanding DHCP Services for EX Series Switches A Dynamic Host Configuration Protocol (DHCP) server on a Juniper Networks EX Series Ethernet switch can provide many valuable TCP/IP network services. For example, DHCP can dynamically allocate the four required IP parameters to each computer on the LAN: IP address, network mask, router or switch address, and name server address. Additionally, DHCP on the switch can automatically upgrade software on client systems. This topic describes: •

DHCP Client/Server Model on page 655

•

Why Use DHCP? on page 656

•

How Are DHCP Relay Servers Different from DHCP Servers? on page 656

•

Legacy DHCP and Extended DHCP for Server Versions on page 657

•

How Do I Configure DHCP on a Switch? on page 657

•

How Does DHCP Work? on page 658

DHCP Client/Server Model DHCP IP address allocation works on a client/server model in which the server, in this case a switch, assigns the client reusable IP information from an address pool. A DHCP client might receive offers from multiple DHCP servers and can accept any one of the offers; however, the client usually accepts the first offer it receives. See Figure 19 on page 656.


655

®


Figure 19: DHCP Client/Server Model

Why Use DHCP? DHCP automates network-parameter assignment to network devices. Even in small networks, DHCP is useful because it makes it easy to add new machines to the network. DHCP access service minimizes the overhead required to add clients to the network by providing a centralized, server-based setup. This means that you do not have to manually create and maintain IP address assignments for clients. In addition, when you use DHCP to manage a pool of IP addresses among hosts, you reduce the number of IP addresses needed on the network. DHCP does this by leasing an IP address to a host for a limited period of time, allowing the DHCP server to share a limited number of IP addresses. DHCP also provides a central database of devices that are connected to the network and eliminates duplicate resource assignments. In addition to IP addresses, DHCP also provides other configuration information, particularly the IP addresses of local caching DNS resolvers, network boot servers, or other service hosts. A second valuable DHCP feature is automatic software download for installation of software packages on the switches. DHCP clients configured for automatic software download receive messages as part of the DHCP message exchange process—when the software package name in the DHCP server message is different from that of the software package that booted the DHCP client switch, the new software is downloaded and installed. See “Upgrading Software Using Automatic Software Download on EX Series Switches” on page 138.

How Are DHCP Relay Servers Different from DHCP Servers? You can configure a switch either as a DHCP server or as a DHCP relay server, but not both. Whereas a DHCP server replies to a client with an IP address, a DHCP relay server relays DHCP messages to and from the configured DHCP server, even if the client and server are on different IP networks. Configure a switch to be a DHCP relay agent if you have locally attached hosts and a remote DHCP server.

656


Chapter 28: System Services Overview

Legacy DHCP and Extended DHCP for Server Versions Two versions of DHCP server are available on EX Series switches. The original legacy DHCP server co-exists with extended DHCP and DHCP relay versions. You can configure one version or the other but not both versions simultaneously. Because the newer extended DHCP server version has more features, we recommend that you configure the extended DHCP server unless you have a legacy reason for not doing so. The extended DHCP server version has these added features: •

Graceful Routing Engine switchover (GRES) support that provides mirroring support for clients. For details, see “High Availability Features for EX Series Switches Overview” on page 33.

•

Virtual routing and forwarding (VRF) support that allows multiple instances of a routing table to simultaneously co-exist on the same switch. For details, see “Understanding Virtual Routing Instances on EX Series Switches” on page 2088.

NOTE: Legacy DHCP supports circuit ID and remote ID fields for the relay agent option (option-82). Extended DHCP supports configuration of only circuit ID.

Configuration for legacy DHCP and extended DHCP servers takes place at the hierarchy levels shown in Table 86 on page 657:

Table 86: Legacy DHCP and Extended DHCP Server Hierarchy Levels DHCP Service

Hierarchy

Extended DHCP server

edit system services dhcp-local-server

Extended DHCP address pool

edit access address-assignment pool

Legacy DHCP server

edit system services dhcp

Legacy DHCP relay

edit forwarding-options helpers bootp

Extended DHCP relay

edit forwarding-options dhcp-relay

Legacy DHCP address pool

edit system services dhcp pool

DHCP clients on a switch are always configured at the hierarchy [edit interfaces interface-name family dhcp].

How Do I Configure DHCP on a Switch? DHCP configuration consists of two parts, configuration of a DHCP server and configuration of DHCP clients. DHCP server configuration is simple if you accept the default configurations.


657

®


When you configure a legacy DHCP server, you need only define the DHCP server name and the interface on the switch. You can use the default configuration for the rest of the settings. When you configure an extended DHCP server, you need only define a DHCP pool, indicate IP addresses for the pool, and create a server group. You can use the default configuration for the rest of the settings. For directions for configuring either a legacy DHCP server or an extended DHCP server, see “Configuring a DHCP Server on EX Series Switches (CLI Procedure)” on page 672. There is only one way to configure a DHCP client. When defining a DHCP client, you set the client’s DHCP interface address in the [edit interfaces interface-name unit 0 family inet dhcp] hierarchy. For directions for configuring a DHCP client on a switch, see “Configuring a DHCP Client (CLI Procedure)” on page 671.

How Does DHCP Work? DHCP consists of a four-step transfer process beginning with a broadcast DHCP discovery message from the client. The second step involves a DHCP offer message from the server to the client, which includes the IP address and mask and some other specific parameters. The client then sends a DHCP request to accept the offer it received from the server in the previous step. The DHCP server sends a DHCP response message and removes the now-allocated address from the DHCP address pool. See Figure 20 on page 658.

Figure 20: DHCP Four-Step Transfer

NOTE: Because the DHCP discovery message from the client is a broadcast message and because broadcast messages only cross other segments when they are explicitly routed, you might have to configure a DHCP relay agent on the switch interface so that all DHCP discovery messages from the clients are forwarded to one DHCP server.


658

•

Configuring a DHCP Client (CLI Procedure) on page 671

•

Configuring a DHCP Server on EX Series Switches (CLI Procedure) on page 672

•

Configuring an Extended DHCP Relay Server on EX Series Switches (CLI Procedure) on page 674

•

Configuring a DHCP SIP Server (CLI Procedure) on page 668



•


•

Monitoring DHCP Services on page 677

DHCP/BOOTP Relay for EX Series Switches Overview You can configure the Juniper Networks EX Series Ethernet Switch to act as a Dynamic Host Configuration Protocol (DHCP) or Bootstrap Protocol (BOOTP) relay agent. This means that a locally attached host can issue a DHCP or BOOTP request as a broadcast message. If the switch sees this broadcast message, it relays the message to a specified DHCP or BOOTP server. You should configure the switch to be a DHCP/BOOTP relay agent if you have locally attached hosts and a distant DHCP or BOOTP server. For detailed information about configuring a DHCP/BOOTP relay agent, see the Junos OS Policy Framework Configuration Guide. You can configure an EX Series switch to use the gateway IP address (giaddr) as the source IP address of the switch for relayed DHCP packets when the switch is used as the DHCP relay agent. For information on configuring this option, see the source-address-giaddr configuration statement.

NOTE: Because DHCP/BOOTP messages are broadcast and are not directed to a specific server, switch, or router, EX Series switches cannot function as both a DHCP server and a DHCP/BOOTP relay agent at the same time. The Junos operating system (Junos OS) generates a commit error if both options are configured at the same time, and the commit will not succeed until one of the options is removed.

NOTE: DHCP relay across routing-instances is not supported on EX Series switches.


•

For information about configuring the switch as a DHCP/BOOTP relay agent, see Junos OS Policy Framework Configuration Guide.

•



659

®


Understanding Public Key Cryptography on Switches Cryptography describes the techniques related to the following aspects of information security: •

Privacy or confidentiality

•

Integrity of data

•

Authentication

•

Nonrepudiation or nonrepudiation of origin—Nonrepudiation of origin means that signers cannot claim that they did not sign a message while claiming that their private key remains secret. In some nonrepudiation schemes used in digital signatures, a timestamp is attached to the digital signature, so that even if the private key is exposed, the signature remains valid. Public and private keys are described in the following text.

In practice, cryptographic methods protect the data transferred from one system to another over public networks by encrypting the data using an encryption key. Public key cryptography (PKC), which is used on Juniper Networks EX Series Ethernet Switches, uses a pair of encryption keys: a public key and a private key. The public and private keys are created simultaneously using the same encryption algorithm. The private key is held by a user secretly and the public key is published. Data encrypted with a public key can be decrypted only with the corresponding private key and vice versa. When you generate a public/private key pair, the switch automatically saves the key pair in a file in the certificate store, from which it is subsequently used in certificate request commands. The generated key pair is saved as certificate-id.priv.

NOTE: The default RSA and DSA key size is 1024 bits. If you are using the Simple Certificate Enrollment Protocol (SCEP), Juniper Networks Junos operating system (Junos OS) supports RSA only.


Public Key Infrastructure (PKI) and Digital Certificates on page 660

Public Key Infrastructure (PKI) and Digital Certificates Public key infrastructure (PKI) allows the distribution and use of the public keys in public key cryptography with security and integrity. PKI manages the public keys by using digital certificates. A digital certificate provides an electronic means of verifying the identity of an individual, an organization, or a directory service that can store digital certificates. A PKI typically consists of a Registration Authority (RA) that verifies the identities of entities, authorizes their certificate requests, and generates unique asymmetric key pairs (unless the users’ certificate requests already contain public keys); and a Certificate Authority (CA) that issues corresponding digital certificates for the requesting entities. Optionally, you can use a Certificate Repository that stores and distributes certificates and a certificate revocation list (CRL) identifying the certificates that are no longer valid.

660



Each entity possessing the authentic public key of a CA can verify the certificates issued by that CA. Digital signatures exploit the public key cryptographic system as follows: 1.

A sender digitally signs data by applying a cryptographic operation, involving its private key, on a digest of the data.

2. The resulting signature is attached to the data and sent to the receiver. 3. The receiver obtains the digital certificate of the sender, which provides the sender’s

public key and confirmation of the link between its identity and the public key. The sender’s certificate is often attached to the signed data. 4. The receiver either trusts this certificate or attempts to verify it. The receiver verifies

the signature on the data by using the public key contained in the certificate. This verification ensures the authenticity and integrity of the received data. As an alternative to using a PKI, an entity can distribute its public key directly to all potential signature verifiers, so long as the key’s integrity is protected. The switch does it by using a self-signed certificate as a container for the public key and the corresponding entity’s identity. Related Documentation

•


Understanding Self-Signed Certificates on EX Series Switches When you initialize a Juniper Networks EX Series Ethernet Switch with the factory default configuration, the switch generates a self-signed certificate, allowing secure access to the switch through the Secure Sockets Layer (SSL) protocol. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) and XML Network Management over Secure Sockets Layer (XNM-SSL) are the two services that can make use of the self-signed certificates.

NOTE: Self-signed certificates do not provide additional security as do those generated by Certificate Authorities (CAs). This is because a client cannot verify that the server he or she has connected to is the one advertised in the certificate.

The switches provide two methods for generating a self-signed certificate: •

Automatic generation In this case, the creator of the certificate is the switch. An automatically generated (also called “system-generated”) self-signed certificate is configured on the switch by default. After the switch is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the switch generates one and saves it in the file system.


661

®


A self-signed certificate that is automatically generated by the switch is similar to an SSH host key. It is stored in the file system, not as part of the configuration. It persists when the switch is rebooted, and it is preserved when a request system snapshot command is issued. The switch uses the following distinguished name for the automatically generated certificate: “ CN=, CN=system generated, CN=self-signed”

If you delete the system-generated self-signed certificate on the switch, the switch generates a self-signed certificate automatically. •

Manual generation In this case, you create the self-signed certificate for the switch. At any time, you can use the CLI to generate a self-signed certificate. Manually generated self-signed certificates are stored in the file system, not as part of the configuration.

Self-signed certificates are valid for five years from the time they are generated. When the validity of an automatically generated self-signed certificate expires, you can delete it from the switch so that the switch generates a new self-signed certificate. System-generated self-signed certificates and manually generated self-signed certificates can coexist on the switch. Related Documentation

•

Understanding Public Key Cryptography on Switches on page 660

•

Manually Generating Self-Signed Certificates on Switches (CLI Procedure) on page 668

Understanding Extended DHCP Relay Agent for EX Series Switches You can configure an EX Series switch to act as an extended DHCP relay agent. This means that a locally attached host can issue a DHCP request as a broadcast message and the switch configured for DHCP relay relays the message to a specified DHCP server. Configure a switch to be a DHCP relay agent if you have locally attached hosts and a remote DHCP server. You can use DHCP relay in applications such as video/IPTV to obtain configuration parameters, including an IP address, for your subscribers. DHCP relay supports the attachment of dynamic profiles. You can attach dynamic profiles on a global basis or for a specific group of interfaces. This topic covers: •

Extended DHCP Relay and Legacy DHCP/BOOTP Relay on page 662

•

Interaction Among the DHCP Relay Agent, DHCP Client, and DHCP Servers on page 663

Extended DHCP Relay and Legacy DHCP/BOOTP Relay The extended DHCP relay agent options configured with the dhcp-relay statement are incompatible with the DHCP/BOOTP relay agent options configured with the bootp

662



statement. As a result, you cannot enable both the extended DHCP relay agent and the legacy DHCP/BOOTP relay agent on the switch at the same time. For information about the legacy DHCP/BOOTP relay agent, see “DHCP/BOOTP Relay for EX Series Switches Overview” on page 659.

Interaction Among the DHCP Relay Agent, DHCP Client, and DHCP Servers The following steps describe, at a high level, how the DHCP client, DHCP relay agent, and DHCP server interact in a configuration that includes two DHCP servers: 1.

The DHCP client sends a discover packet to find a DHCP server in the network from which to obtain configuration parameters for the subscriber, including an IP address.

2. The DHCP relay agent receives the discover packet and forwards copies to each of

the two DHCP servers. The DHCP relay agent then creates an entry in its internal client table to keep track of the client’s state. 3. In response to receiving the discover packet, each DHCP server sends an offer packet

to the client. The DHCP relay agent receives the offer packets and forwards them to the DHCP client. 4. On receipt of the offer packets, the DHCP client selects the DHCP server from which

to obtain configuration information. Typically, the client selects the server that offers the longest lease time on the IP address. 5. The DHCP client sends a request packet that specifies the DHCP server from which

to obtain configuration information. 6. The DHCP relay agent receives the request packet and forwards copies to each of the

two DHCP servers. 7. The DHCP server requested by the client sends an acknowledgement (ACK) packet

that contains the client’s configuration parameters. 8. The DHCP relay agent receives the ACK packet and forwards it to the client. 9. The DHCP client receives the ACK packet and stores the configuration information. 10. If configured to do so, the DHCP relay agent installs a host route and Address

Resolution Protocol (ARP) entry for this client. 11. After establishing the initial lease on the IP address, the DHCP client and the DHCP

server use unicast transmission to negotiate lease renewal or release. The DHCP relay agent snoops all of the packets unicast between the client and the server that pass through the relay agent to determine when the lease has expired or been released. This process is referred to as lease shadowing or passive snooping. Related Documentation

•


•



663

®


664


CHAPTER 29

System Services Configuration •

Configuring DHCP Services (J-Web Procedure) on page 665

•


•


•

Enabling HTTPS and XNM-SSL Services on Switches Using Self-Signed Certificates (CLI Procedure) on page 669

•

Deleting Self-Signed Certificates (CLI Procedure) on page 670

•


•


•


Configuring DHCP Services (J-Web Procedure) Use the J-Web DHCP Configuration pages to configure DHCP pools for subnets and static bindings for DHCP clients on an EX Series switch. If DHCP pools or static bindings are already configured, use the Configure Global DHCP Parameters Configuration page to add settings for these pools and static bindings. Settings that have been previously configured for DHCP pools or static bindings are not overridden when you use the Configure Global DHCP Parameters Configuration page. To configure the DHCP server: 1.

Select Configure > Services > DHCP.

2. Access a DHCP Configuration page: •

To configure a DHCP pool for a subnet, click Add in the DHCP Pools box.

•

To configure a static binding for a DHCP client, click Add in the DHCP Static Binding box.

•

To globally configure settings for existing DHCP pools and static bindings, click Configure Global DHCP Parameters.

3. Enter information into the DHCP Configuration pages as described in Table 87 on

page 666. 4. To apply the configuration, click Apply.


665

®



Table 87: DHCP Server Configuration Pages Summary Field

Function

Your Action

DHCP Subnet (required)

Specifies the subnet on which DHCP is configured.

Type an IP address prefix.

Address Range (Low) (required)

Specifies the lowest address in the IP address pool range.

Type an IP address that is part of the subnet specified in DHCP Subnet.

Address Range (High) (required)

Specifies the highest address in the IP address pool range.

Type an IP address that is part of the subnet specified in DHCP Subnet. This address must be greater than the address specified in Address Range (Low).

Exclude Addresses

Specifies addresses to exclude from the IP address pool.

•

To add an excluded address, type the address next to the Add button, and click Add.

•

To delete an excluded address, select the address in the Exclude Addresses box, and click Delete.

DHCP Pool Information

Lease Time Maximum Lease Time (Seconds)

Specifies the maximum length of time a client can hold a lease. (Dynamic BOOTP lease lengths can exceed this maximum time.)

Type a number from 60 through 4,294,967,295 (seconds). You can also type infinite to specify a lease that never expires.

Default Lease Time (Seconds)

Specifies the length of time a client can hold a lease for clients that do not request a specific lease length.

Type a number from 60 through 2,147,483,647 (seconds). You can also type infinite to specify a lease that never expires.

Server Identifier

Specifies the IP address of the DHCP server reported to a client.

Type the IP address of the server. If you do not specify a server identifier, the primary address of the interface on which the DHCP exchange occurs is used.

Domain Name

Specifies the domain name that clients must use to resolve hostnames.

Type the name of the domain.

Domain Search

Specifies the order—from top to bottom—in which clients must append domain names when resolving hostnames using DNS.

•

To add a domain name, type the name next to the Add button, and click Add.

•

To delete a domain name, select the name in the Domain Search box, and click Delete.

Server Information

666


Chapter 29: System Services Configuration

Table 87: DHCP Server Configuration Pages Summary (continued) Field

Function

Your Action

DNS Name Servers

Defines a list of DNS servers the client can use, in the specified order—from top to bottom.

•

To add a DNS server, type an IP address next to the Add button, and click Add.

•

To remove a DNS server, select the IP address in the DNS Name Servers box, and click Delete.

•

To add a relay agent, type an IP address next to the Add button, and click Add.

•

To remove a relay agent, select the IP address in the Gateway Routers box, and click Delete.

•

To add a NetBIOS name server, type an IP address next to the Add button, and click Add.

•

To remove a NetBIOS name server, select the IP address in the WINS Servers box, and click Delete.

Gateway Routers

WINS Servers

Defines a list of relay agents on the subnet, in the specified order—from top to bottom.

Defines a list of NetBIOS name servers, in the specified order—from top to bottom.

Boot Options Boot File

Specifies the path and filename of the initial boot file to be used by the client.

Type a path and filename.

Boot Server

Specifies the TFTP server that provides the initial boot file to the client.

Type the IP address or hostname of the TFTP server.

DHCP Static Binding Information DHCP MAC Address (required)

Specifies the MAC address of the client to be permanently assigned a static IP address.

Type the hexadecimal MAC address of the client.

Fixed IP Addresses (required)

Defines a list of IP addresses permanently assigned to the client. A static binding must have at least one fixed address assigned to it, but multiple addresses are also allowed.

•

To add an IP address, type it next to the Add button, and click Add.

•

To remove an IP address, select it in the Fixed IP Addresses box, and click Delete.

Host Name

Specifies the name of the client used in DHCP messages exchanged between the server and the client. The name must be unique to the client within the subnet on which the client resides.

Type a client hostname.

Client Identifier

Specifies the name of the client used by the DHCP server to index its database of address bindings. The name must be unique to the client within the subnet on which the client resides.

Type a client identifier in string form.

Hexadecimal Client Identifier

Specifies the name of the client, in hexadecimal form, used by the DHCP server to index its database of address bindings. The name must be unique to the client within the subnet on which the client resides.

Type a client identifier in hexadecimal form.


667

®



•


•


Configuring a DHCP SIP Server (CLI Procedure) You can use the sip-server statement on the EX Series switch to configure option 120 on a DHCP server. The DHCP server sends configured option values—Session Initiation Protocol (SIP) server addresses or names—to DHCP clients when they request them. Previously, you were only allowed to specify a SIP server by address using [edit system services dhcp option 120]. You specify either an IPv4 address or a fully qualified domain name to be used by SIP clients to locate a SIP server. You cannot specify both an address and name in the same statement. To configure a SIP server using the address option: [edit system services dhcp] user@switch# set sip-server address

For example, to configure one address: [edit system services dhcp] user@switch set sip-server 172.168.0.11

To configure a SIP server using the name option: [edit system services dhcp] user@switch# set sip-server name

For example, to configure a name: [edit system services dhcp] user@switch set sip-server abc.example.com


•


•


Manually Generating Self-Signed Certificates on Switches (CLI Procedure) EX Series switches allow you to generate custom self-signed certificates and store them in the file system. The certificate you generate manually can coexist with the automatically generated self-signed certificate on the switch. To enable secure access to the switch over SSL, you can use either the system-generated self-signed certificate or a certificate you have generated manually. To generate self-signed certificates manually, you must complete the following tasks:

668

•

Generating a Public-Private Key Pair on Switches on page 669

•

Generating Self-Signed Certificates on Switches on page 669



Generating a Public-Private Key Pair on Switches A digital certificate has an associated cryptographic key pair that is used to sign the certificate digitally. The cryptographic key pair comprises a public key and a private key. When you generate a self-signed certificate, you must provide a public-private key pair that can be used to sign the self-signed certificate. Therefore, you must generate a public-private key pair before you can generate a self-signed certificate. To generate a public-private key pair: user@switch> request security pki generate-key-pair certificate-id certificate-id-name

NOTE: Optionally, you can specify the encryption algorithm and the size of the encryption key. If you do not specify the encryption algorithm and encryption key size, default values are used. The default encryption algorithm is RSA, and the default encryption key size is 1024 bits.

After the public-private key pair is generated, the switch displays the following: generated key pair certificate-id-name, key size 1024 bits

Generating Self-Signed Certificates on Switches To generate the self-signed certificate manually, include the certificate ID name, the subject of the distinguished name (DN), the domain name, the IP address of the switch, and the e-mail address of the certificate holder: user@switch> request security pki local-certificate generate-self-signed certificate-id certificate-id-name domain-name domain-name email email-address ip-address switch-ip-address subject subject-of-distinguished-name

The certificate you have generated is stored in the switch’s file system. The certificate ID you have specified while generating the certificate is a unique identifier that you can use to enable the HTTPS or XNM-SSL services. To verify that the certificate was generated and loaded properly, enter the show security pki local-certificate operational command. Related Documentation

•

Enabling HTTPS Service on Switches Using Self-Signed Certificates (CLI Procedure) on page 669

•


Enabling HTTPS and XNM-SSL Services on Switches Using Self-Signed Certificates (CLI Procedure) You can use the system-generated self-signed certificate or a manually generated self-signed certificate to enable Web management HTTPS and XNM-SSL services. •

To enable HTTPS services using the automatically generated self-signed certificate: [edit] user@switch# set system services web-management https system-generated-certificate


669

®


•

To enable HTTPS services using a manually generated self-signed certificate: [edit] user@switch# set system services web-management https pki-local-certificate certificate-id-name

NOTE: The value of the certificate-id-name must match the name you specified when you generated the self-signed certificate manually.

•

To enable XNM-SSL services using a manually generated self-signed certificate: [edit] user@switch# set system services xnm-ssl local-certificate certificate-id-name

NOTE: The value of the certificate-id-name must match the name you specified when you generated the self-signed certificate manually.


•


•


Deleting Self-Signed Certificates (CLI Procedure) You can delete a self-signed certificate that is automatically or manually generated from the EX Series switch. When you delete the automatically generated self-signed certificate, the switch generates a new self-signed certificate and stores it in the file system. •

To delete the automatically generated certificate and its associated key pair from the switch: user@switch> clear security pki local-certificate system-generated

•

To delete a manually generated certificate and its associated key pair from the switch: user@switch> clear security pki local-certificate certificate-id certificate-id-name

•

To delete all manually generated certificates and their associated key pairs from the switch: user@switch> clear security pki local-certificate all


670

•


•




Configuring a DHCP Client (CLI Procedure) A Dynamic Host Configuration Protocol (DHCP) server can provide many valuable TCP/IP network services. DHCP can dynamically allocate IP parameters, such as an IP address, to clients and it can also deliver software upgrades to clients. DHCP configuration consists of two components, configuration of DHCP clients and configuration of a DHCP server. Client configuration determines how clients send a message requesting an IP address, while a DHCP server configuration enables the server to send an IP address configuration back to the client. This topic describes configuring a DHCP client. For directions for configuring a DHCP server, see “Configuring a DHCP Server on EX Series Switches (CLI Procedure)” on page 672. You can change DHCP client configurations from the switch, using client identifiers to indicate which clients you want to configure. To configure a DHCP client: [edit] user@switch# set interfaces interface-name unit 0 family inet dhcp configuration-statement-from-table1

The options that you can configure are listed in Table 88 on page 671. Replace the variable configuration-statement with one of the options. If you do not explicitly configure these options, the switch uses default values for them.

Table 88: DHCP Client Settings Configuration Statement

Description

client-identifier

Unique client ID—by default this consists of the hardware type (01 for Ethernet) and the MAC address (a.b.c.d). Using this example, the value would be 01abcd.

lease-time

Length of time in seconds that a client holds the lease for an IP address assigned by a DHCP server. If a client does not request a specific lease time, then the server sends the default lease time. The default lease time on a JUNOS DHCP server is 1 day.

retransmission-attempt

Number of times the client attempts to retransmit a DHCP packet.

retransmission-interval

How much time elapses between transmission attempts.

server-address

IP address of the server to query for an IP address.

update-server

Propagates TCP/IP settings learned from an external DHCP server to the DHCP server running on the switch.

vendor-id

Vendor class ID (CPU's manufacturer ID string) for the DHCP client.


•


•



671

®


Configuring a DHCP Server on EX Series Switches (CLI Procedure) A Dynamic Host Configuration Protocol (DHCP) server can provide two valuable TCP/IP network services. DHCP can dynamically allocate IP parameters, such as an IP address, to clients and it can also deliver software upgrades to clients. DHCP configuration consists of two components, optional reconfiguration of default settings on DHCP clients and configuration of a DHCP server. This topic covers configuration of the DHCP server. For directions for reconfiguring a DHCP client, see “Configuring a DHCP Client (CLI Procedure)” on page 671. You can configure either of two versions of a DHCP server on the switches—either the extended server version or the legacy server version. We recommend that you use the extended server configuration unless you need to keep your DHCP server configuration backwards-compatible with the legacy server version. This topic includes the following tasks: 1.

Configuring an Extended DHCP Server on a Switch on page 672

2. Configuring a Legacy DHCP Server on a Switch (CLI Procedure) on page 673

Configuring an Extended DHCP Server on a Switch To configure an extended DHCP server, you must configure a DHCP pool, indicate IP addresses for the pool, and create a server group. Additional configurations are optional. 1.

Create an address pool for DHCP IP addresses: [edit] user@switch# set access address-pool address-pool

2. Configure addresses for DHCP dynamic assignment.

[edit access address-assignment] user@switch# set pool address-pool-name 3. Create a server group on the switch, providing a group name and an interface for

DHCP: [edit system services dhcp-local-server] user@switch# set group group-name interface interface-name 4. Optionally, process the information protocol data units (PDUs)::

[edit system services dhcp-local-server] user@switch# set overrides process-inform 5. Optionally, redefine the order of attribute matching for pool selection:

[edit system services dhcp-local-server] user@switch# set pool-match-order ip-address 6. Optionally, enable dynamic reconfiguration triggered by the DHCP extended server

of all DHCP clients or only the DHCP clients serviced by the specified group of interfaces: [edit system services dhcp-local-server]

672



user@switch# set reconfigure [edit system services dhcp-local-server group group-name] user@switch# set reconfigure

Configuring a Legacy DHCP Server on a Switch (CLI Procedure) To configure a legacy DHCP server, you must configure a pool of IP addresses for dynamic assignment. You only need to supply a series of network addresses. Additional configurations are optional. 1.

Configure a pool of IP addresses for dynamic assignment: [edit system services dhcp] user@switch# set pool network-range

NOTE: Steps 2 through 15 assign global values under the hierarchy [edit system services dhcp]. You can also assign the same values to a specific pool using those same commands under the hierarchy [edit system services dhcp pool network-range].

2. Optionally, change the domain search list used to resolve hostnames:

[edit system services dhcp] user@switch# set domain-search [domain-list] 3. Optionally, change the domain name server (DNS) name that the DHCP server

advertises to clients: [edit system services dhcp] user@switch# set name-server address 4. Optionally, change the DHCP options:

[edit system services dhcp] user@switch# set option id-number 5. Optionally, change the devices advertised to clients:

[edit system services dhcp] user@switch# set router address 6. Optionally, change the SIP server:

[edit system services dhcp] user@switch# set sip-server addresses-or-names

For more information, see “Configuring a DHCP SIP Server (CLI Procedure)” on page 668. 7. Optionally, change the DHCP client’s hardware address:

[edit system services dhcp] user@switch# set static-binding mac-address 8. Optionally, change the NetBIOs name server:

[edit system services dhcp] user@switch# set wins-server address


673

®



•


•


•


Configuring an Extended DHCP Relay Server on EX Series Switches (CLI Procedure) You can configure an EX Series switch to act as an extended DHCP relay agent. This means that a locally attached host can issue a DHCP request as a broadcast message and the switch configured for DHCP relay relays the message to a specified DHCP server. Configure a switch to be a DHCP relay agent if you have locally attached hosts and a remote DHCP server. Before you begin: •

Ensure that the switch can connect to the DHCP server.

To configure a switch to act as an extended DHCP relay agent server: 1.

Create at least one DHCP server group, which is a group of one through five DHCP server IP addresses: [edit forwarding-options dhcp-relay] user@switch# set server-group server-group-name ip-address

2. Set the global active DHCP server group. The DHCP relay server relays DHCP client

requests to the DHCP servers defined in the active server group: [edit forwarding-options dhcp-relay] user@switch# set active-server-group server-group-name 3. Create a DHCP relay group that includes at least one interface. DHCP relay runs on

the interfaces defined in DHCP groups: [edit forwarding-options dhcp-relay] user@switch# set group group-name interface interface-name 4. (Optional) Configure overrides of default DHCP relay behaviors, at the global level.

See the override options in the overrides statement. [edit forwarding-options dhcp-relay] user@switch# set overrides 5. (Optional) Configure DHCP relay to use the DHCP vendor class identifier option

(option 60) in DHCP client packets, at the global level: [edit forwarding-options dhcp-relay] user@switch# set relay-option-60 6. (Optional) Configure a service profile, which specifies the default subscriber service,

at the global level: [edit forwarding-options dhcp-relay] user@switch# set service-profile dynamic-profile-name 7. (Optional) Configure settings for a DHCP relay group that override the settings at the

global level, using these statements:

674



[edit forwarding-options dhcp-relay group group-name ] user@switch# set active-server-group server-group-name user@switch# set overrides user@switch# set relay-option-60 user@switch# set service-profile dynamic-profile-name 8. (Optional) Configure settings for a DHCP relay group interface that override the

settings at the global and group levels, using these statements: [edit forwarding-options dhcp-relay group group-name interface interface-name] user@switch# set dynamic-profile profile-name user@switch# exclude user@switch# set overrides user@switch# set service-profile dynamic-profile-name user@switch# set trace user@switch# set upto upto-interface-name


•


•


•



675

®


676


CHAPTER 30

Monitoring System Services •


•

Verifying and Managing DHCP Relay Configuration for EX Series Switches on page 680

Monitoring DHCP Services Purpose

Action

A switch or router can operate as a DHCP server. Use the monitoring functionality to view information about dynamic and static DHCP leases, conflicts, pools, and statistics. To monitor the DHCP server in the J-Web interface, select Monitor > Services > DHCP. To monitor the DHCP server in the CLI, enter the following CLI commands:

Meaning

•

show system services dhcp binding

•

show system services dhcp conflict

•

show system services dhcp pool

•

show system services dhcp statistics

•

show system services dhcp relay-statistics

•

show system services dhcp global

•

show system services dhcp client

Table 89 on page 677 summarizes the output fields in DHCP displays in the J-Web interface.

Table 89: Summary of DHCP Output Fields Field

Values


Global tab


677

®


Table 89: Summary of DHCP Output Fields (continued) Field

Values

Name

This column displays the following information:

Value

•

Boot lease length

•

Domain Name

•

Name servers

•

Server identifier

•

Domain search

•

Gateway routers

•

WINS server

•

Boot file

•

Boot server

•

Default lease time

•

Minimum lease time

•

Maximum lease time


Displays the value for each of the parameters in the Name column.

Bindings tab Allocated Address

List of IP addresses the DHCP server has assigned to clients.

MAC Address

Corresponding media access control (MAC) address of the client.

Binding Type

Type of binding assigned to the client: dynamic or static.

Lease Expires

Date and time the lease expires, or never for leases that do not expire.

DHCP servers can assign a dynamic binding from a pool of IP addresses or a static binding to one or more specific IP addresses.

Pools tab Pool Name

Subnet on which the IP address pool is defined.

Low Address

Lowest address in the IP address pool.

High Address

Highest address in the IP address pool.

Excluded Addresses

Addresses excluded from the address pool.

Clients tab Interface Name

678

Name of the logical interface.


Chapter 30: Monitoring System Services


Values

Hardware Address

Vendor identification.

Status

State of the client binding.

Address Obtained

IP address obtained from the DHCP server.

Update Server

Indicates whether server update is enabled.

Lease Obtained

Date and time the lease was obtained.

Lease Expires

Date and time the lease expires.

Renew

Reacquires an IP address from the server for the interface. When you click this option, the command sends a discover message if the client state is INIT and a renew request message if the client state is BOUND. For all other states it performs no action.

Release

Clears other resources received earlier from the server, and reinitializes the client state to INIT for the particular interface.


Conflicts tab Detection Time

Date and time the client detected the conflict.

Detection Method

How the conflict was detected.

Only client-detected conflicts are displayed.

Address

IP address where the conflict occurs.

The addresses in the conflicts list remain excluded until you use the clear system services dhcp conflict command to manually clear the list.

DHCP Statistics Relay Statistics tab Packet Counters

Displays the number of packet counters.

Dropped Packet Counters

Graphically displays the number of dropped packet counters.

Statistics tab


679

®



Values

Packets dropped

Total number of packets dropped and the number of packets dropped due to a particular condition.

Messages received

Number of BOOTREQUEST, DHCPDECLINE, DHCPDISCOVER, DHCPINFORM, DHCPRELEASE, and DHCPREQUEST messages sent from DHCP clients and received by the DHCP server.

Messages sent

Number of BOOTREPLY, DHCPACK, DHCPOFFER, and DHCPNAK messages sent from the DHCP server to DHCP clients.



•

Configuring DHCP Services (J-Web Procedure) on page 665

•


Verifying and Managing DHCP Relay Configuration for EX Series Switches Purpose Action

View or clear statistics for extended DHCP relay agent clients: •

To display extended DHCP relay agent statistics: user@host> show dhcp relay statistics

•

To clear all extended DHCP relay agent statistics: user@host> clear dhcp relay statistics


680

•


•



CHAPTER 31

Configuration Statements for System Services


681

®


active-server-group Syntax Hierarchy Level

Release Information

Description

active-server-group server-group-name; [edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay dhcpv6], [edit forwarding-options dhcp-relay group group-name], [edit forwarding-options dhcp-relay group group-name dhcpv6], [edit logical-systems logical-system-name forwarding-options dhcp-relay], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6], [edit logical-systems logical-system-name forwarding-options group group-name], [edit logical-systems logical-system-name forwarding-options group group-name dhcpv6], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name dhcpv6], [edit routing-instances routing-instance-name forwarding-options dhcp-relay] [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name]

Statement introduced in Junos OS Release 8.3. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Apply a DHCP relay agent configuration to the named group of DHCP server addresses. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. A group-specific configuration overrides a global option. EX Series switches do not support DHCPv6.

Options

server-group-name—Name of the group of DHCP or DHCPv6 server addresses to which

the DHCP or DHCPv6 relay agent configuration applies. Required Privilege Level Related Documentation

682


Extended DHCP Relay Agent Overview

•

Configuring Active Server Groups

•

Group-Specific DHCP Relay Options

•

dhcp-relay

•

dhcp-relay (EX Series switches only) on page 702


Chapter 31: Configuration Statements for System Services

•


•


address-assignment Syntax

Hierarchy Level Release Information Description

address-assignment { pool (Legacy DHCP) address-pool; } address-assignment { address-poolpool-name; } [edit access]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure the address of a location-based DHCP IP address pool for enhanced DHCP on a switch. The remaining statement is explained separately.




address-pool Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

address-pool address-pool-name; [edit access address-assignment]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Allocate IP addresses for extended DHCP clients. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •



683

®


aggregate-clients (DHCP Relay Agent) Syntax Hierarchy Level

Release Information

Description

aggregate-clients (merge | replace); [edit forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit forwarding-options dhcp-relay dynamic-profile profile-name], [edit forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit forwarding-options dhcp-relay group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name dynamic-profile profile-name]

Statement introduced in Junos OS Release 9.3. Options merge and replace introduced in Junos OS Release 9.5. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify that the router merge (chain) client attributes such as firewall filters and CoS attributes or replace them when multiple client sessions exist on the same underlying VLAN. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6. Not supported for IP demux subscriber interfaces.

Options

merge—Aggregate multiple client attributes for the same subscriber (logical interface) replace—Replace the entire logical interface whenever a new client logs in to the network

using the same VLAN logical interface

684





dhcp-relay

•


•


•


•

Attaching Dynamic Profiles to DHCP Subscriber Interfaces

•


always-write-giaddr Syntax Hierarchy Level

Release Information

Description


always-write-giaddr; [edit forwarding-options dhcp-relay overrides], [edit forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name interface interface-name overrides]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 12.1 for EX Series switches. Overwrite the gateway IP address (giaddr) of every DHCP packet with the giaddr of the DHCP relay agent before forwarding the packet to the DHCP server. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•

dhcp-relay

•


•


•



685

®


boot-file Syntax Hierarchy Level

Release Information

Description

Options

boot-file filename; [edit system services dhcp], [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Set the boot file advertised to DHCP clients. After the client receives an IP address and the boot file location from the DHCP server, the client uses the boot image stored in the boot file to complete DHCP setup. filename—The location of the boot file on the boot server. The filename can include a

pathname. Required Privilege Level Related Documentation

686


Configuring the Router or Interface to Act as a DHCP Server on J Series Services Routers

•

boot-server on page 687



boot-server (DHCP) Syntax Hierarchy Level

Release Information

Description

Options


boot-server (address | hostname); [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Configure the name of the boot server advertised to DHCP clients. The client uses a boot file located on the boot server to complete DHCP setup. •

address—IP address of a DHCP boot server.

•

hostname—Hostname of a DHCP boot server.



•

boot-file on page 686


687

®


bootp Syntax


Description

bootp { client-response-ttl number; description text-description; interface (interface-name | interface-group) { client-response-ttl number; description text-description; maximum-hop-count number; minimum-wait-time seconds; no-listen; server address { logical-system logical-system-name ; routing-instance [ routing-instance-names ]; } } maximum-hop-count number; minimum-wait-time seconds; relay-agent-option; server address { ; } } [edit forwarding-options helpers]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches. Configures a router, switch, or interface to act as a Dynamic Host Configuration Protocol (DHCP) or bootstrap protocol (BOOTP) relay agent. DHCP relaying is disabled.


688

The remaining statements are explained separately. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Configuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents

•




ca-name Syntax Hierarchy Level Release Information

Description


ca-name ca-identity; [edit security certificates certification-authority]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Specify the certificate authority (CA) identity to use in the certificate request. ca-identity—CA identity to use in the certificate request.


Configuring Digital Certificates for an ES PIC

cache-size Syntax Hierarchy Level Release Information

Description

Options

cache-size bytes; [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure the cache size for digital certificates. bytes—Cache size for digital certificates.

Range: 64 through 4,294,967,295 Default: 2 megabytes (MB)

NOTE: We recommend that you limit your cache size to 4 MB.


admin—To view this statement in the configuration. admin-control—To add this statement to the configuration •



689

®


cache-timeout-negative Syntax Hierarchy Level Release Information

Description

Options

cache-timeout-negative seconds; [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure a negative cache for digital certificates. seconds—Negative time to cache digital certificates, in seconds.

Range: 10 through 4,294,967,295 Default: 20

CAUTION: Configuring a large negative cache value can lead to a denial-of-service attack.


690





certificates Syntax


Description

certificates { cache-size bytes; cache-timeout-negative seconds; certification-authority ca-profile-name { ca-name ca-identity; crl file-name; encoding (binary | pem); enrollment-url url-name; file certificate-filename; ldap-url url-name; } enrollment-retry attempts; local certificate-name { certificate-key-string; load-key-file URL filename; } maximum-certificates number; path-length certificate-path-length; } [edit security]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure the digital certificates for IPsec. The remaining statements are explained separately.





691

®


certification-authority Syntax


Description

certification-authority ca-profile-name { ca-name ca-identity; crl file-name; encoding (binary | pem); enrollment-url url-name; file certificate-filename; ldap-url url-name; } [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure a certificate authority profile name. The remaining statements are explained separately.


692





client-identifier (DHCP Client) Syntax Hierarchy Level Release Information

client-identifier (ascii ascii | hexadecimal hexadecimal ); [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches.

Description

Specify an ASCII or hexadecimal identifier for the Dynamic Host Configuration Protocol (DHCP) client. The DHCP server identifies a client by a client-identifier value, which must be unique for each client.

Default

If you do not include client-identifier in the configuration, the DHCP server uses the client hardware type and MAC address to identify the client.

Options

ascii ascii—Identifier consisting of ASCII characters, such as a fully qualified domain name. hexadecimal hexadecimal—Identifier consisting of hexadecimal numbers (0-9, a-f, A-F).

Do not use colons. Required Privilege Level Related Documentation



client-identifier Syntax Hierarchy Level

Release Information

client-identifier (ascii client-id | hexadecimal client-id); [edit system services dhcp], [edit system services dhcp]


Description

For J Series Services Routers and EX Series switches only. Configure the client’s unique identifier. This identifier is used by the DHCP server to index its database of address bindings. Either a client identifier or the client’s MAC address is required to uniquely identify the client on the network.

Options

client-id—A name or number that uniquely identifies the client on the network. The client

identifier can be an ASCII string or hexadecimal digits. Required Privilege Level Related Documentation



•



693

®


connection-limit Syntax Hierarchy Level

Release Information

connection-limit limit; [edit system services finger], [edit system services ftp], [edit system services netconf ssh], [edit system services ssh], [edit system services telnet], [edit system services xnm-clear-text], [edit system services xnm-ssl]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series.

Description

Configure the maximum number of connections sessions for each type of system services (finger, ftp, ssh, telnet, xnm-clear-text, or xnm-ssl) per protocol (either IPv6 or IPv4).

Options

limit—(Optional) Maximum number of established connections per protocol (either IPv6

or IPv4). Range: 1 through 250 Default: 75

NOTE: The actual number of maximum connections depends on the availability of system resources, and might be fewer than the configured connection-limit value if the system resources are limited.


694


Configuring clear-text or SSL Service for Junos XML Protocol Client Applications

•

Configuring DTCP-over-SSH Service for the Flow-Tap Application

•

Configuring Finger Service for Remote Access to the Router

•

Configuring FTP Service for Remote Access to the Router or Switch

•


•

Configuring Telnet Service for Remote Access to a Router or Switch



crl (Encryption Interface) Syntax Hierarchy Level Release Information

Description


crl file-name; [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure the certificate revocation list (CRL). A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis. file-name—Specify the file from which to read the CRL.



default-lease-time Syntax Hierarchy Level

Release Information

Description

Options

default-lease-time seconds; [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Specify the length of time in seconds that a client holds the lease for an IP address assigned by a DHCP server. This setting is used if a lease time is not requested by the client. seconds—Number of seconds the lease can be held.

Default: 86400 (1day) Required Privilege Level Related Documentation



•

maximum-lease-time on page 745


695

®


default-local-server-group Syntax Hierarchy Level

Release Information

Description

default-local-server-group local-server-group-name; [edit forwarding-options dhcp-relay relay-option-60 vendor-option], [edit forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit logical-systems logical-system-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 12.1 for EX Series switches. Forward DHCP client packets to a default extended DHCP local server when you use the DHCP vendor class identifier option (option 60) in DHCP packets to forward client traffic to specific DHCP servers. If the option 60 string received in the DHCP client packet does not match the ASCII or hexadecimal match string and match criteria (exact match or partial match) that you specify, the extended DHCP relay agent forwards the client packets to the specified default DHCP local server group configured with the dhcp-local-server statement at the [edit system services] hierarchy level.


696

local-server-group-name—Name of the default extended DHCP local server group.


Using Option 60 Information to Forward Client Traffic to Specific DHCP Servers

•

dhcp-relay

•


•


•




default-relay-server-group Syntax Hierarchy Level

Release Information

Description

default-relay-server-group server-group-name; [edit forwarding-options dhcp-relay relay-option-60 vendor-option], [edit forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit logical-systems logical-system-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 12.1 for EX Series switches. Relay DHCP client packets to a default group of extended DHCP relay servers when you use the DHCP vendor class identifier option (option 60) in DHCP packets to forward client traffic to specific DHCP servers. If the option 60 string received in the DHCP client packet does not match the ASCII or hexadecimal match string and match criteria (exact match or partial match) that you specify, the extended DHCP relay agent relays the client packets to the specified default group of servers configured with the server-group statement at the [edit forwarding-options dhcp-relay] hierarchy level.


server-group-name—Name of the default DHCP relay server group.



•

dhcp-relay

•


•


•



697

®


description Syntax Hierarchy Level

Release Information

Description


description text-description; [edit forwarding-options helpers bootp], [edit forwarding-options helpers bootpinterface (interface-name | interface-group)], [edit forwarding-options helpers domain], [edit forwarding-options helpers domain interface interface-name], [edit forwarding-options helpers tftp], [edit forwarding-options helpers tftpinterface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches. Describe a BOOTP, DHCP, Domain Name System (DNS), or Trivial File Transfer Protocol (TFTP) service, or an interface that is configured for the service. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Configuring DNS and TFTP Packet Forwarding

•


dhcp (DHCP Client) Syntax


dhcp { client-identifier (DHCP Client) (ascii ascii | hexadecimal hexadecimal); lease-time (seconds | infinte); retransmission-attempt number; retransmission-interval seconds; server-address ip-address; update-server; vendor-id vendor-id; } [edit interfaces (for EX Series switches) interface-name unit logical-unit-number family inet]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a DHCP client for an IPv4 interface. The remaining statements are described separately.


698





dhcp (DHCP Server) Syntax


dhcp { domain-search [domain-list]; name-server { address; } option option-identifier-code ; pool subnet-address/prefix-length { address-range { low address; high address; } exclude-address { address; } } router { address; } sip-server [address | name] static-binding mac-address { fixed-address { address; } host-name hostname; client-identifier (ascii client-id | hexadecimal client-id); } wins-server { address; } } [edit system services]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a switch to use the legacy version of DHCP. A DHCP server allocates network addresses and delivers configuration information to client hosts on a TCP/IP network. The remaining statements are explained separately.





699

®


dhcp Syntax


dhcp { boot-file filename; boot-server (address | hostname); default-lease-time seconds; domain-name domain-name; domain-search [domain-list]; maximum-lease-time seconds; name-server { address; } next-servernext-server option option-identifier-code ; pool address/prefix-length { address-range { low address; high address; } exclude-address { address; } } router { address; } static-binding mac-address { fixed-address { address; } host-name hostname; client-identifier (ascii client-id | hexadecimal client-id); } wins-server { address; } } [edit system services]

Statement introduced before Junos OS Release 7.4. For J Series Services Routers only. Configure a router, switch, or interface as a DHCP server. A DHCP server can allocate network addresses and deliver configuration information to client hosts on a TCP/IP network. The remaining statements are explained separately.


700



•




dhcp-local-server Syntax


dhcp-local-server { group group-name interface interface-name; overrides { interface-client-limit; no-arp; process-inform { pool pool-name network address-range: } } pool-match-order { ip-address; } reconfigure; wlan-profile profile-name } [edit system services]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure extended Dynamic Host Configuration Protocol (DHCP) server options on the switch and enable the switch to function as an extended DHCP local server. The DHCP local server receives DHCP request and reply packets from DHCP clients and then responds with an IP address and other optional configuration information to the client. The DHCP local server supports the attachment of dynamic profiles and also interacts with the local AAA service framework to use back-end authentication servers, such as RADIUS, to provide subscriber authentication. You can configure dynamic profiles and authentication support on a global basis or for a specific group of interfaces. The DHCP local server also supports the use of Junos OS address-assignment pools or external authorities, such as RADIUS, to provide the client address and configuration information. The remaining statements are explained separately.




•



701

®


dhcp-relay (EX Series switches only) Syntax

Hierarchy Level

702

dhcp-relay { active-server-group server-group-name; group group-name { active-server-group server-group-name; interface interface-name { dynamic-profile profile-name { aggregate-clients (merge | replace); use-primary primary-profile-name; } exclude; overrides { ... } service-profile dynamic-profile-name; trace; upto upto-interface-name; } overrides { ... } relay-option-60 { ... } service-profile dynamic-profile-name; } overrides { always-write-giaddr; interface-client-limit number; layer2-unicast-replies; no-arp; } relay-option-60 { vendor-option { (equals | starts-with) (ascii match-string | hexadecimal match-hex) { default-local-server-group local-server-group-name | (default-relay-server-group server-group-name | drop); } default-local-server-group local-server-group-name | (default-relay-server-group server-group-name | drop); } } server-group { server-group-name { server-ip-address; } } service-profile dynamic-profile-name; } [edit forwarding-options],



[edit routing-instances routing-instance-name forwarding-options]


Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure extended DHCP relay options on the switch and enable the switch to function as a DHCP relay agent. A DHCP relay agent forwards DHCP request and reply packets between a DHCP client and a DHCP server. The extended DHCP relay agent options configured with the dhcp-relay statement are incompatible with the DHCP/BOOTP relay agent options configured with the bootp statement. As a result, the extended DHCP relay agent and the DHCP/BOOTP relay agent cannot both be enabled on the switch at the same time. See “DHCP/BOOTP Relay for EX Series Switches Overview” on page 659 for more information about the DHCP/BOOTP relay agent. The remaining statements are explained separately.




•



703

®


domain Syntax


Description

domain { description text-description; interface interface-name { broadcast; description text-description; no-listen; server address ; } server address ; } [edit forwarding-options helpers]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable DNS request packet forwarding. The remaining statements are explained separately.


704





domain-name (DHCP) Syntax Hierarchy Level

Release Information

Description


domain-name domain-name; [edit system services dhcp [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Configure the name of the domain in which clients search for a DHCP server host. This is the default domain name that is appended to hostnames that are not fully qualified. domain-name—Name of the domain.



•



705

®


domain-search Syntax Hierarchy Level

Release Information

Description Options

domain-search [ domain-list ]; [edit system], [edit system services dhcp], [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a list of domains to be searched. domain-list—A list of domain names to search. The list can contain up to six domain

names, with a total of up to 256 characters. Required Privilege Level Related Documentation

706


Configuring the Domains to Search When a Router or Switch Is Included in Multiple Domains

•


•




drop Syntax Hierarchy Level

Release Information

Description

drop; [edit forwarding-options dhcp-relay relay-option-60 vendor-option], [edit forwarding-options dhcp-relay relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit forwarding-options dhcp-relay relay-option-60 vendor-option], [edit forwarding-options dhcp-relay relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit logical-systems logical-system-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit logical-systems logical-system-name forwarding-options dhcp-relay relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option], [edit routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 12.1 for EX Series switches. Drop (discard) DHCP client packets when you use the DHCP vendor class identifier option (option 60) in DHCP packets to forward client traffic to specific DHCP servers. To drop DHCP client packets that contain an option 60 string that matches the ASCII or hexadecimal match string and match criteria (exact match or partial match) that you specify, include the drop statement at the [edit forwarding-options dhcp-relay relay-option-60 vendor-option (equals | starts-with) (ascii match-string | hexadecimal match-hex)] hierarchy level.

To drop DHCP client packets that contain an option 60 string that does not match the ASCII or hexadecimal match string and match criteria (exact match or partial match)


707

®


that you specify, include the drop statement at the [edit forwarding-options dhcp-relay relay-option-60 vendor-option] hierarchy level. Required Privilege Level Related Documentation

708



•

dhcp-relay

•


•


•




dynamic-profile (DHCP Relay Agent) Syntax

Hierarchy Level

Release Information

Description

dynamic-profile profile-name { aggregate-clients (merge | replace); use-primary primary-profile-name; } [edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay dhcpv6], [edit forwarding-options dhcp-relay dhcpv6 group group-name], [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit forwarding-options dhcp-relay group group-name], [edit forwarding-options dhcp-relay group group-name interface interface-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay ...], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay ...], [edit routing-instances routing-instance-name forwarding-options dhcp-relay ...]

Statement introduced in Junos OS Release 9.2. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the dynamic profile that is attached to all interfaces, to a named group of interfaces, or to a specific interface. EX Series switches do not support DHCPv6.

Options

profile-name—Name of the dynamic profile.



dhcp-relay

•


•


•


•


•

Grouping Interfaces with Common DHCP Configurations

•

Configuring a Default Subscriber Service


709

®


encoding Syntax Hierarchy Level

Release Information

Description

Options

encoding (binary | pem); [edit security ike policy ike-peer-address], [edit security certificates certification-authority ca-profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Specify the file format used for the local-certificate and local-key-pair statements. binary—Binary file format. pem—Privacy-enhanced mail (PEM), an ASCII base 64 encoded format.

Default: binary Required Privilege Level Related Documentation



•

Configuring an IKE Policy for Digital Certificates for an ES PIC

enrollment-retry Syntax Hierarchy Level Release Information

Description

Options

enrollment-retry attempts; [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. (Encryption interface on M Series and T Series routers and EX Series switches only) Specify how many times a router or switch can resend a digital certificate request. attempts—Number of enrollment retries.


710





enrollment-url Syntax Hierarchy Level Release Information

Description


enrollment-url url-name; [edit security certificates certification-authority ca-profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Specify where your router or switch sends Simple Certificate Enrollment Protocol-based (SCEP-based) certificate enrollment requests (certificate authority URL). url-name—Certificate authority URL.




711

®


family (for EX Series switches) Syntax

family ccc family ethernet-switching

family inet

712

family ccc on page 712 family ethernet-switching on page 712 family inet on page 712 family inet6 on page 713 family iso on page 713 family mpls on page 713 family ccc; family ethernet-switching { filter [input | output] filter-name; native-vlan-id vlan-id; port-mode mode; vlan (802.1Q Tagging) { members [ (all | names | vlan-ids) ]; } } family inet { address address { arp ip-address (mac | multicast-mac) mac-address ; broadcast; preferred; primary; vrrp-group group-id { advertise-interval milliseconds; preempt | no-preempt { hold-time seconds; } priority number; virtual-address [addresses]; virtual-link-local-address ip-address; } } dhcp { client-identifier (ascii ascii | hexadecimal hexadecimal); lease-time (seconds | infinite); retransmission-attempt number; retransmission-interval seconds; server-address ip-address; update-server; vendor-id vendor-id; } filter { input filter-name; output filter-name; } mtu bytes; no-redirects; no-neighbor-learn; primary; rpf-check;



targeted-broadcast; }

family inet6

family iso

family mpls

Hierarchy Level

Release Information

Description

family inet6 { address address { eui-64; ndp ip-address (mac | multicast-mac) mac-address ; preferred; primary; vrrp-inet6-group group-id { inet6-advertise-interval milliseconds; preempt | preempt { hold-time seconds; } priority number; virtual-inet6-address [addresses]; virtual-link-local-address ipv6–address; } } (dad-disable | no-dad-disable); filter { input filter-name; output filter-name; } mtu bytes; no-neighbor-learn rpf-check; } family iso { address interface-address; mtu bytes; } family mpls { mtu bytes; } [edit interfaces interface-name unit logical-unit-number], [edit interfaces interface-range name unit logical-unit-number]

Statement introduced in Junos OS Release 9.0 for EX Series switches, including options ethernet-switching, inet, and iso. Option inet6 introduced in Junos OS Release 9.3 for EX Series switches. Options ccc and mpls introduced in Junos OS Release 9.5 for EX Series switches. Configure protocol family information for the logical interface on the switch.


713

®


Default

Interfaces on EX2200, EX3200, EX3300, EX4200, and EX4500 switches are set to family ethernet-switching by the default factory configuration. If you are going to change the family setting for an interface, you might have to delete this default setting or any user-configured family setting before you change the setting to another family type. EX6200 and EX8200 switch interfaces do not have a default family setting. You must configure a logical interface to be able to use the physical device.

714



Options

See Table 90 on page 715 for protocol families available on the switch interfaces. Different protocol families support different subsets of the interfaces types on the switch. Interface types on the switch are: •

Aggregated Ethernet (ae)

•

Gigabit Ethernet (ge)

•

Interface-range configuration (interface-range)

•

Loopback (lo0)

•

Management Ethernet (me0)

•

Routed VLAN interface (RVI) (vlan)

•

Virtual management Ethernet (vme)

•

10-Gigabit Ethernet (xe)

If you are using an interface range, the supported protocol families are the ones supported by the interface types that compose the range. Not all interface types support all family substatements. Check your switch CLI for supported substatements for a particular protocol family configuration.

Table 90: Protocol Families and Supported Interface Types Supported Interface Types Family

Description

ae

ge

lo0

me0

vlan

vme

xe

ccc

Circuit cross-connect protocol family

✓*

✓

ethernetswitching

Ethernet switching protocol family

✓

✓

inet

IPv4 protocol family

✓

✓

✓

✓

✓

✓

✓

inet6


✓

✓

✓

✓

✓

✓

✓

iso

Junos OS protocol family for IS-IS traffic

✓

✓

✓

✓

✓

✓

✓

mpls

MPLS protocol family

✓

✓

✓

✓

✓

✓

✓ ✓

✓

*Supported on EX8200 switches only

The remaining statements are explained separately. Required Privilege Level

interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.


715

®



•


•

Example: Configuring MPLS on EX Series Switches on page 4819

•


•


•


file Syntax Hierarchy Level Release Information

Description


716

file certificate-filename; [edit security certificates certification-authority ca-profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Specify the file from which to read the digital certificate. certificate-filename—File from which to read the digital certificate.





ftp Syntax

Hierarchy Level

ftp { connection-limit limit; rate-limit limit; } [edit system services]

Release Information


Description

Allow FTP requests from remote systems to the local router or switch.


The remaining statements are explained separately. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring FTP Service for Remote Access to the Router or Switch


717

®


group (Extended DHCP) Syntax


group group-name interface interface-name overrides { always-write-giaddr interface-client-limit interface-client-limit layer2-unicast-replies overrides no-arp always-write-giaddr } no-arp process-inform } reconfigure [edit system services dhcp-local-server]

Statement introduced before Junos OS Release 12.1 for EX Series switches. Defines an extended DHCP group for EX Series switches. interface interface-name—One or more interfaces used by DHCP overrides process-inform—Process the information protocol data units (PDUs), which

are not processed by default. reconfigure —Reconfigure DHCP processing


718



•




group (DHCP Relay Agent) Syntax

group group-name { active-server-group server-group-name; authentication { password password-string; username-include { circuit-type; client-id; delimiter delimiter-character; domain-name domain-name-string; logical-system-name; mac-address; option-60; option-82 [circuit-id] [remote-id]; relay-agent-interface-id; relay-agent-remote-id; relay-agent-subscriber-id; routing-instance-name; user-prefix user-prefix-string; } } dynamic-profile profile-name { aggregate-clients (merge | replace); use-primary primary-profile-name; } interface interface-name { exclude; liveness-detection { failure-action (clear-binding | clear-binding-if-interface-up | log-only); method { bfd { version (0 | 1 | automatic); minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } detection-time { threshold milliseconds; } session-mode(automatic | multihop | singlehop); holddown-interval milliseconds; } } } overrides { ... } service-profile dynamic-profile-name; trace;


719

®


upto upto-interface-name; } overrides { allow-snooped-clients; always-write-giaddr; always-write-option-82; client-discover-match ; disable-relay; interface-client-limit number; layer2-unicast-replies; no-allow-snooped-clients; no-arp; no-bind-on-request; proxy-mode; replace-ip-source-with; send-release-on-delete; trust-option-82; } relay-agent-interface-id { prefix prefix; use-interface-description (logical | device): } relay-option-60 { vendor-option { (equals | starts-with) (ascii match-string | hexadecimal match-hex) { (default-relay-server-group server-group-name | default-local-server-group local-server-group-name | drop); } (default-relay-server-group server-group-name | default-local-server-group local-server-group-name | drop); } } relay-option-82 { circuit-id { prefix prefix; use-interface-description (logical | device); } } service-profile dynamic-profile-name; }

Hierarchy Level

Release Information

720

[edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay dhcpv6], [edit logical-systems logical-system-name forwarding-options dhcp-relay ...], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay ...], [edit routing-instances routing-instance-name forwarding-options dhcp-relay ...]

Statement introduced in Junos OS Release 8.3. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches.



Description

Specify the name of a group of interfaces that have a common DHCP or DHCPv6 relay agent configuration. A group must contain at least one interface. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6.

Options

group-name—Name of a group of interfaces that have a common DHCP or DHCPv6 relay

agent configuration. The remaining statements are explained separately. Required Privilege Level Related Documentation


dhcp-relay

•


•


•


•


•


•


•

Using External AAA Authentication Services with DHCP

•



721

®


helpers Syntax

722

helpers { bootp { client-response-ttl number; description text-description; interface interface-group { client-response-ttl number; description text-description; maximum-hop-count number; minimum-wait-time seconds; no-listen; server address { logical-system logical-system-name ; routing-instance [ routing-instance-names ]; } } maximum-hop-count number; minimum-wait-time seconds; relay-agent-option; server address { logical-system logical-system-name ; routing-instance [ routing-instance-names ]; } } domain { description text-description; interface interface-name { broadcast; description text-description; no-listen; server address ; } server address ; } port port-number { description text-description; interface interface-name { broadcast; description text-description; no-listen; server address ; } server address ; } tftp { description text-description; interface interface-name {



broadcast; description text-description; no-listen; server address ; } server address ; } traceoptions { file filename ; flag flag; level level; no-remote-trace level; } }


Description

[edit forwarding-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable TFTP or DNS request packet forwarding, or configure the router, switch, or interface to act as a DHCP/BOOTP relay agent. Use only one server address per interface or global configuration. The remaining statements are explained separately.




•



723

®


http Syntax


Description Options

http { interfaces [ interface-names ]; port port; } [edit system services web-management]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the port and interfaces for HTTP service, which is unencrypted. interfaces [ interface-names ]—Name of one or more interfaces on which to allow the

HTTP service. By default, HTTP access is allowed through built-in Fast Ethernet or Gigabit Ethernet interfaces only. The remaining statement is explained separately. Required Privilege Level Related Documentation

724



•

J-Web Interface User Guide

•

https on page 725

•

port on page 758

•

web-management on page 795



https Syntax


Description Options

https { interfaces [ interface-names ]; local-certificate name; port port; } [edit system services web-management]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the secure version of HTTP (HTTPS) service, which is encrypted. interfaces [ interface-names]—Name of one or more interfaces on which to allow the

HTTPS service. By default, HTTPS access is allowed through any ingress interface, but HTTP access is allowed through built-in Fast Ethernet or Gigabit Ethernet interfaces only. local-certificate name—Name of the X.509 certificate for a Secure Sockets Layer (SSL)

connection. An SSL connection is configured at the [edit security certificates local] hierarchy. The remaining statements are explained separately. Required Privilege Level Related Documentation



•


•

http on page 724

•

port on page 758

•



725

®


interface (BOOTP) Syntax


Description Options

interface (interface-name | interface-group) { broadcast; client-response-ttl number; description text-description; maximum-hop-count number; minimum-wait-time seconds; no-listen; server address { logical-system logical-system-name ; routing-instance [ routing-instance-names ]; } } [edit forwarding-options helpers bootp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches. Specify the interface for a DHCP and BOOTP relay agent. interface-group—Sets a logical interface or group of logical interfaces with a specific

DHCP relay configuration. The remaining statements are explained separately. Required Privilege Level Related Documentation

726



•




interface (DHCP Relay Agent) Syntax

Hierarchy Level

Release Information

Description

interface interface-name { exclude; overrides { allow-snooped-clients; always-write-giaddr; always-write-option-82; client-discover-match ; disable-relay; interface-client-limit number; layer2-unicast-replies; no-allow-snooped-clients; no-arp; proxy-mode; replace-ip-source-with; send-release-on-delete; trust-option-82; } service-profile dynamic-profile-name; trace; upto upto-interface-name; } [edit forwarding-options dhcp-relay dhcpv6 group group-name], [edit forwarding-options dhcp-relay group group-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay ...], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay ...], [edit routing-instances routing-instance-name forwarding-options dhcp-relay ...]

Statement introduced in Junos OS Release 8.3. Options upto and exclude introduced in Junos OS Release 9.1. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify one or more interfaces, or a range of interfaces, that are within a specified group on which the DHCP or DHCPv6 relay agent is enabled. You can repeat the interface interface-name statement to specify multiple interfaces within a group, but you cannot specify the same interface in more than one group. Also, you cannot use an interface that is being used by the DHCP local server. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6.

NOTE: DHCP values are supported in Integrated Routing and Bridging (IRB) configurations. When you configure an IRB interface in a network that is using DHCP, the DHCP information (for example, authentication, address assignment, and so on) is propagated in the associated bridge domain. This enables the DHCP server to configure client IP addresses residing within the bridge domain. IRB currently only supports static DHCP configurations. For


727

®


additional information about how to configure IRB, see the Junos OS MX Series 3D Universal Edge Routers Solutions Guide.

Options

exclude—Exclude an interface or a range of interfaces from the group. This option and

the overrides option are mutually exclusive. interface-name—Name of the interface. You can repeat this option multiple times. overrides—Override the specified default configuration settings for the interface. The overrides statement is described separately. upto-interface-name—Upper end of the range of interfaces; the lower end of the range is

the interface-name entry. The interface device name of the upto-interface-name must be the same as the device name of the interface-name. The remaining statements are explained separately. Required Privilege Level Related Documentation

728



•

dhcp-relay

•


•


•


•


•

Using External AAA Authentication Services with DHCP



interface (DNS and TFTP Packet Forwarding or Relay Agent) Syntax

Hierarchy Level

Release Information

Description Options

interface interface-name { broadcast; description text-description; no-listen; server address ; } [edit forwarding-options helpers domain], [edit forwarding-options helpers tftp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the interface for monitoring and forwarding DNS or TFTP requests. interface-name—Name of the interface.




interface-client-limit (DHCP Local Server) Syntax Hierarchy Level Release Information Description


interface-client-limit number; [edit system services dhcp-local-server overrides]

Statement introduced in Junos OS Release 12.1. Set the maximum number of DHCP subscribers per interface allowed for a specific group or for all groups. A group specification takes precedence over a global specification for the members of that group. No limit. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •



729

®


interface-client-limit (DHCP Relay Agent) Syntax Hierarchy Level

Release Information

Description

interface-client-limit number; [edit forwarding-options dhcp-relay dhcpv6 overrides], [edit forwarding-options dhcp-relay overrides], [edit forwarding-options dhcp-relay dhcpv6 group group-name overrides], [edit forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 group group-name overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name interface interface-name overrides]

Statement introduced in Junos OS Release 9.2. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Set the maximum number of DHCP (or DHCPv6) subscribers per interface allowed for a specific group or for all groups. A group specification takes precedence over a global specification for the members of that group. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6.

Default Options

No limit number—Maximum number of clients allowed.

Range: 1 through 500,000 Required Privilege Level

730





•

dhcp-relay

•


•


•


•


•


•

Overriding the Default DHCP Relay Configuration Settings


731

®


interfaces (for EX Series switches) Syntax

732

interfaces ae on page 732 interfaces ge on page 732 interfaces interface-range on page 734 interfaces lo0 on page 734 interfaces me0 on page 735 interfaces traceoptions on page 735 interfaces vlan on page 735 interfaces vme on page 736 interfaces xe on page 737

interfaces ae

aex { accounting-profile name; aggregated-ether-options { (flow-control | no-flow-control); lacp { (active | passive); admin-key key; periodic interval; system-id mac-address; } (link-protection | no-link-protection); link-speed speed; (loopback | no-loopback); minimum-links number; } description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; }

interfaces ge

ge-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad {



aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; media-type (Dual-Purpose Uplink Ports); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; }


733

®


interfaces interface-range

interfaces lo0

734

interface-range name { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; member interface-name; member-range starting-interface name to ending-interface name; mtu bytes; unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } lo0 { accounting-profile name; description text; disable; hold-time up milliseconds down milliseconds; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); } }



interfaces me0

interfaces traceoptions

interfaces vlan

me0 { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } traceoptions { file ; flag flag ; no-remote-trace; } vlan { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); } }


735

®


interfaces vme

736

vme { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; }



interfaces xe


xe-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure interfaces on EX Series switches.


737

®


Options

See Table 91 on page 738 for the interface types and protocol-family options supported on the switch. Different protocol families support different subsets of the interface types on the switch. See the family statement for syntax of the protocol families supported for switch interfaces. Not all interface types support all family substatements. Check your switch CLI for supported substatements for a particular protocol family configuration.

Table 91: Interface Types and Their Supported Protocol Families Supported Protocol Families Interface Type

Description

ccc

ethernetswitching

inet

inet6

iso

mpls

ae

Aggregated Ethernet interface (also referred to as a link aggregation group [LAG])

✓*

✓

✓

✓

✓

✓

ge

Gigabit Ethernet interface

✓

✓

✓

✓

✓

✓

interface-range

Interface-range configuration

Supported protocol families are the ones supported by the interface types that compose the range.

lo0

Loopback interface

me0

Management Ethernet interface

vlan

✓

✓

✓

✓

✓

✓

✓

✓

Routed VLAN interface (RVI)

✓

✓

✓

vme

Virtual management Ethernet interface

✓

✓

✓

✓

xe

10-Gigabit Ethernet interface

✓

✓

✓

✓

✓

✓

✓



738





•


•


•


•


•


•


•


•


ip-address-first Syntax Hierarchy Level Release Information Description

Default


ip-address-first; [edit system services dhcp-local-server pool-match-order]

Statement introduced in Junos OS Release 12.1. Configure the extended Dynamic Host Configuration Protocol (DHCP) extended server to use the IP address method to determine which address-assignment pool to use. The extended server uses the IP address in the gateway IP address if one is present in the DHCP client protocol data unit (PDU). If no gateway IP address is present, the extended server uses the IP address of the receiving interface to find the address-assignment pool. The DHCP extended server uses this method by default when no method is explicitly specified. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •



739

®


layer2-unicast-replies Syntax Hierarchy Level

Release Information

Description


740

layer2-unicast-replies; [edit forwarding-options dhcp-relay overrides], [edit forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name interface interface-name overrides]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 12.1 for EX Series switches. Override the setting of the broadcast bit in DHCP request packets and instead use the Layer 2 unicast transmission method to transmit DHCP Offer reply packets and DHCP ACK reply packets from the DHCP server to DHCP clients during the discovery process. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•

dhcp-relay

•


•


•




ldap-url Syntax Hierarchy Level Release Information

Description


; [edit security certificates certification-authority ca-profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) (Optional) Specify the Lightweight Directory Access Protocol (LDAP) URL for digital certificates. url-name—Name of the LDAP URL.



lease-time Syntax Hierarchy Level Release Information Description Default

Options

lease-time (seconds | infinte); [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Request a specific lease time for the IP address. Iif no lease time is requested by client, then the server sends the lease time. The default lease time on a JUNOS OS DHCP server is one day. seconds —Request a lease time of a specific duration.

Range: 60 through 2147483647 seconds infinite—Request that the lease never expire.





741

®


load-key-file Syntax Hierarchy Level

Release Information

Description


742

load-key-file URL filename; [edit system root-authentication], [edit system login user username authentication]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Load RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys from a previously-generated named file at a specified URL location. The file contains one or more SSH keys that are copied into the configuration when the command is issued. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •


•


•


•




local Syntax


Description

Options

local certificate-name { certificate-key-string; load-key-file URL filename; } [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Import a paired X.509 private key and authentication certificate, to enable Junos XML protocol client applications to establish Secure Sockets Layer (SSL) connections to the router or switch. certificate-key-string—String of alphanumeric characters that constitute the private key

and certificate. certificate-name—Name that uniquely identifies the certificate. load-key-file URL filename—File that contains the private key and certificate. It can be

one of two types of values:


•

Pathname of a file on the local disk (assuming you have already used another method to copy the certificate file to the router’s or switch’s local disk)

•

URL to the certificate file location (for instance, on the computer where the Junos XML protocol client application runs)


Importing SSL Certificates for Junos XML Protocol Support


743

®


local-certificate Syntax Hierarchy Level

Release Information


local-certificate; [edit system services service-deployment], [edit system services web-management https], [edit system services xnm-ssl]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Import or reference an SSL certificate. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •


•

Generating SSL Certificates to Be Used for Secure Web Access on page 600

•

Importing SSL Certificates for Junos XML Protocol Support

maximum-certificates Syntax Hierarchy Level Release Information

Description

Options

maximum-certificates number; [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure the maximum number of peer digital certificates to be cached. number—Maximum number of peer digital certificates to be cached.

Range: 64 through 4,294,967,295 peer certificates Default: 1024 peer certificates Required Privilege Level Related Documentation

744





maximum-hop-count Syntax Hierarchy Level

Release Information

Description Options

maximum-hop-count number; [edit forwarding-options helpers bootp], [edit forwarding-options helpers bootpinterface (interface-name | interface-group)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches. Specify the maximum number of hops allowed. number—Maximum number of hops.

Default: 4 hops Required Privilege Level Related Documentation



maximum-lease-time Syntax Hierarchy Level Release Information

Description

maximum-lease-time seconds; [edit system services dhcp],

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Specify the maximum length of time in seconds for which a client can request and hold a lease on a DHCP server. An exception is that the dynamic BOOTP lease length can exceed the maximum lease length specified.


seconds—The maximum number of seconds the lease can be held.



•

default-lease-time on page 695


745

®


minimum-wait-time Syntax Hierarchy Level

Release Information

Description Options

minimum-wait-time seconds; [edit forwarding-options helpers bootp], [edit forwarding-options helpers bootpinterface (interface-name | interface-group)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches. Specify the minimum time allowed. seconds—Minimum time.

Default: 0 seconds Required Privilege Level Related Documentation



name-server Syntax

Hierarchy Level

Release Information

Description Options

name-server { address; } [edit system], [edit system services dhcp], [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure one or more Domain Name System (DNS) name servers. address—Address of the name server. To configure multiple name servers, include multiple address options.


746


Configuring a DNS Name Server for Resolving a Hostname into Addresses

•


•




no-arp Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

no-arp; [edit system services dhcp-local-server overrides]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Turn off Address Resolution Protocol (ARP) table population in a distrusted environment. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


no-arp (DHCP Relay Agent) Syntax Hierarchy Level

Release Information


no-arp; [edit forwarding-options dhcp-relay overrides], [edit forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name overrides], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name interface interface-name overrides]

Statement introduced in Junos OS Release 9.3. Statement introduced in Junos OS Release 12.1 for EX Series switches. Turn off ARP table population in a distrusted environment. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•


•



747

®


no-listen Syntax Hierarchy Level

Release Information

Description


748

no-listen; [edit forwarding-options helpers bootp interface (interface-name | interface-group)], [edit forwarding-options helpers domain interface interface-name], [edit forwarding-options helpers tftp interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches. Disable recognition of DNS requests or stop packets from being forwarded on a logical interface, a group of logical interfaces, a router, or a switch. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•




option (DHCP server) Syntax

Hierarchy Level

Release Information

Description

Options

option { [ (id-number option-type option-value) | (id-number array option-type option-value) ]; } [edit system services dhcp], [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure one or more user-defined options that are not included in the Junos default implementation of the DHCP server. For example, if a client requests a DHCP option that is not included in the DHCP server, you can create a user-defined option that enables the server to respond to the client’s request. •

id-number—Any whole number. The ID number is used to index the option and must

be unique across a DHCP server. •

option-type—Any of the following types: byte, byte-stream, flag, integer, ip-address, short, string, unsigned-integer, unsigned-short.

•

array—An option can include an array of values.

•

option-value—Value associated with an option. The option value must be compatible

with the option type (for example, an On or Off value for a flag type). Required Privilege Level Related Documentation


Creating User-Defined DHCP Options Not Included in the Default Junos Implementation of the DHCP Server

•



749

®


outbound-ssh Syntax


[edit system services] outbound-ssh { client client-id { address { port port-number; retry number; timeout seconds; } device-id device-id; keep-alive { retry number; timeout seconds; } reconnect-strategy (in-order | sticky); secret password; services netconf; } traceoptions { file filename ; flag flag; no-remote-trace; } } [edit system services]


Description

Configure a router or switch running the Junos OS behind a firewall to communicate with client management applications on the other side of the firewall.

Default

To configure transmission of the router’s or switch’s device ID to the application, include the device-id statement at the [edit system services] hierarchy level.

Options

client-id—Identifies the outbound-ssh configuration stanza on the router or switch. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute

is not sent to the client. device-id—Identifies the router or switch to the client during the initiation sequence. keep-alive—(Optional) When configured, specifies that the router or switch send keepalive

messages to the management server. To configure the keepalive message, you must set both the timeout and retry attributes. reconnect-strategy—(Optional) Specify the method the router or switch uses to reestablish

a disconnected outbound SSH connection. Two methods are available:

750



•

in-order—Specify that the router or switch first attempt to establish an outbound SSH

session based on the management server address list. The router or switch attempts to establish a session with the first server on the list. If this connection is not available, the router or switch attempts to establish a session with the next server, and so on down the list until a connection is established. •

sticky—Specify that the router or switch first attempt to reconnect to the management

server that it was last connected to. If the connection is unavailable, it attempts to establish a connection with the next client on the list and so forth until a connection is made. retry—Number of keepalive messages the router or switch sends without receiving a

response from the client before the current SSH connection is disconnected. The default is three messages. secret—(Optional) Router’s or switch’s public SSH host key. If added to the outbound-ssh

statement, during the initialization of the outbound SSH service, the router or switch passes its public key to the management server. This is the recommended method of maintaining a current copy of the router’s or switch’s public key. timeout—Length of time that the Junos server waits for data before sending a keep alive

signal. The default is 15 seconds. When reconnecting to a client, the router or switch attempts to reconnect to the client based on the retry and timeout values for each client listed. address—Hostname or the IPv4 address of the NSM application server. You can list

multiple clients by adding each client’s IP address or hostname along with the following connection parameters: •

port—Outbound SSH port for the client. The default is port 22.

•

retry—Number of times the router or switch attempts to establish an outbound SSH

connection before giving up. The default is three tries. •

timeout—Length of time that the router or switch attempts to establish an outbound

SSH connection before giving up. The default is fifteen seconds. filename—(Optional) By default, the filename of the log file used to record the trace

options is the name of the traced process (for example, mib2d or snmpd). Use this option to override the default value. files—(Optional) Maximum number of trace files generated. By default, the maximum

number of trace files is 10. Use this option to override the default value. When a trace file reaches its maximum size, the system archives the file and starts a new file. The system archives trace files by appending a number to the filename in sequential order from 1 to the maximum value (specified by the default value or the options value set here). Once the maximum value is reached, the numbering sequence is restarted at 1, overwriting the older file.


751

®


size—(Optional) Maximum size of the trace file in kilobytes (KB). Once the maximum file

size is reached, the system archives the file. The default value is 1000 KB. Use this option to override the default value. match—(Optional) When used, the system only adds lines to the trace file that match

the regular expression specified. For example, if the match value is set to =error, the system only records lines to the trace file that include the string error. services—Services available for the session. Currently, NETCONF is the only service

available. world-readable | no-world-readable—(Optional) Whether the files are accessible by the

originator of the trace operation only or by any user. By default, log files are only accessible by the user that started the trace operation (no-world-readable). all | configuration | connectivity—(Optional) Type of tracing operation to perform. all—Log all events. configuration—Log all events pertaining to the configuration of the router or switch. connectivity—Log all events pertaining to the establishment of a connection between

the client server and the router or switch. no-remote-trace—(Optional) Disable remote tracing.


752


Configuring Outbound SSH Service

•




overrides Syntax


overrides { interface-client-limit; no-arp; process-inform { pool pool-name network address-range: } } [edit system services dhcp-local-server]

Statement introduced in Junos OS Release 12.1 for EX Series switches. On extended DHCP servers, override the default configuration settings. The remaining statements are explained separately.





753

®


overrides (DHCP Relay Agent) Syntax

Hierarchy Level

Release Information

Description

overrides { allow-snooped-clients; always-write-giaddr; always-write-option-82; client-discover-match ; disable-relay; interface-client-limit number; layer2-unicast-replies; no-allow-snooped-clients; no-arp; no-bind-on-request; proxy-mode; replace-ip-source-with; send-release-on-delete; trust-option-82; } [edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay dhcpv6], [edit forwarding-options dhcp-relay group group-name], [edit forwarding-options dhcp-relay group group-name interface interface-name], [edit forwarding-options dhcp-relay dhcpv6 group group-name], [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay ...], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay ...], [edit routing-instances routing-instance-name forwarding-options dhcp-relay ...]

Statement introduced in Junos OS Release 8.3. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Override the default configuration settings for the extended DHCP relay agent. Specifying the overrides statement with no subordinate statements removes all DHCP relay agent overrides at that hierarchy level. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6. The following statements are supported at both the [edit ... dhcp-relay] and [edit ... dhcpv6] hierarchy levels. All other statements are supported at the dhcp-relay hierarchy levels only.

754

•

allow-snooped-clients

•

interface-client-limit

•

no-allow-snooped-clients

•

no-bind-on-request

•

send-release-on-delete






•


•

Deleting DHCP Local Server and DHCP Relay Override Settings

•

dhcp-relay

•


•


•


path-length Syntax Hierarchy Level Release Information

Description

Options

path-length certificate-path-length; [edit security certificates]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (Encryption interface on M Series and T Series routers and EX Series switches only) Configure the digital certificate path length. certificate-path-length—Digital certificate path length.

Range: 2 through 15 certificates Default: 15 certificates Required Privilege Level Related Documentation




755

®


pool (Extended DHCP) Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

756

pool address-pool-name; [edit access address-assignment]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure DHCP address-assignment pool for extended DHCP. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •




pool Syntax

pool address/prefix-length { address-range { low address; high address; } exclude-address { address; } }

Hierarchy Level

[edit system services dhcp],

Release Information


Description

For J Series Services Routers and EX Series switches only. Configure a pool of IP addresses for DHCP clients on a subnet. When a client joins the network, the DHCP server dynamically allocates an IP address from this pool.

Options

address-range—Lowest and highest IP addresses in the pool that are available for dynamic

address assignment. If no range is specified, the pool will use all available addresses within the subnet specified. (Broadcast addresses, interface addresses, and excluded addresses are not available.) exclude-address—Addresses within the range that are not used for dynamic address

assignment. You can exclude one or more addresses within the range. The remaining statements are explained separately. Required Privilege Level Related Documentation




757

®


pool-match-order Syntax


pool-match-order { ip-address; } [edit system services dhcp-local-server ]

Statement introduced in Junos OS Release 12.1. On EX Series switches, configure the order in which the extended DHCP server uses information in the DHCP client protocol data units (PDUs) to determine how to obtain an address for the client. The remaining statements are explained separately.

Default


DHCP local server uses the ip-address-first method to determine which address pool to use. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


port (HTTP/HTTPS) Syntax Hierarchy Level

port port-number; [edit system services web-management]

Release Information


Description

Configure the port on which the HTTP or HTTPS service is connected.


758

port-number—The TCP port number on which the specified service listens.


Table 82 on page 598

•


•

http on page 724

•

https on page 725

•




port (SRC Server) Syntax Hierarchy Level Release Information

Description Options

port port-number; [edit system services service-deployment servers server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the port number on which to contact the SRC server. port-number—(Optional) The TCP port number for the SRC server.

Default: 3333 Required Privilege Level Related Documentation


Configuring the Junos OS to Work with SRC Software

process-inform Syntax



process-inform { pool pool-name network address-range } [edit system services dhcp-local-server overrides]

Statement introduced in Junos OS Release 12.1 for EX Series switches. For extended Dynamic Host Configuration Protocol (DHCP) servers, enable the processing of DHCP information request messages sent from the client to the server to request DHCP options. The messages are also passed to the configured server list. Information request messages are not processed. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •



759

®


protocol-version Syntax Hierarchy Level Release Information

Description Default Options Required Privilege Level Related Documentation

760

protocol-version version; [edit system services ssh]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify the secure shell (SSH) protocol version. v2—SSH protocol version 2 is the default, introduced in Junos OS Release 11.4. version—SSH protocol version: v1, v2, or both.





rate-limit Syntax Hierarchy Level

Release Information

Description

Default Options

rate-limit limit; [edit system services finger], [edit system services ftp], [edit system services netconf ssh], [edit system services ssh], [edit system services telnet], [edit system services xnm-clear-text], [edit system services xnm-ssl]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the maximum number of connections attempts per protocol (either IPv6 or IPv4) on an access service. 150 connections rate-limit limit—(Optional) Maximum number of connection attempts allowed per minute,

per IP protocol (either IPv4 or IPv6). Range: 1 through 250 Default: 150 Required Privilege Level Related Documentation




761

®


reconfigure Syntax


Options

reconfigure { attempts attempts; clear-on-abort; timeout interval; token token; } [edit system services dhcp-local-server ]

Statement introduced in Junos OS Release 12.1 for EX Series switches. For extended Dynamic Host Configuration Protocol (DHCP) servers, enable dynamic reconfiguration triggered by the server of all DHCP clients. attempts—Number of attempts made to reconfigure all DHCP clients. clear-on-abort—Delete all DHCP clients when reconfiguration fails; that is, when the

maximum number of retry attempts have been made without success. timeout interval—Initial value (in seconds) between attempts to reconfigure all DHCP

clients. Each successive attempt doubles the interval between attempts. For example, if the first value is 2, the first retry is attempted 2 seconds after the first attempt fails. The second retry is attempted 4 seconds after the first retry fails. The third retry is attempted 8 seconds after the second retry fails, and so on. A group configuration takes precedence over a DHCP local server configuration. token—Configure a plain-text token for all DHCP clients. The token enables rudimentary

entity authentication to protect against inadvertently instantiated DHCP servers. A null token (empty string) indicates that the configuration token functionality is not enabled. Required Privilege Level Related Documentation

762





relay-option-60 Syntax

Hierarchy Level

Release Information

Description

relay-option-60 { vendor-option { (equals | starts-with) (ascii match-string | hexadecimal match-hex) { (relay-server-group server-group-name | local-server-group local-server-group-name | drop); } (default-relay-server-group server-group-name | default-local-server-group local-server-group-name | drop); } } [edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay group group-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure the extended DHCP relay agent to use the DHCP vendor class identifier option (option 60) in DHCP client packets to forward client traffic to specific DHCP servers, or to drop selected DHCP client packets. This feature is useful in network environments where DHCP clients access services provided by multiple vendors and DHCP servers. You can use the relay-option-60 statement and its subordinate statements at the [edit forwarding-options dhcp-relay] hierarchy level to configure option 60 support globally, or at the [edit forwarding-options dhcp-relay group group-name] hierarchy level to configure option 60 support for a named group of interfaces. You can also configure option 60 support for the extended DHCP relay agent on a per logical system and per routing instance basis. The remaining statements are explained separately.



dhcp-relay

•

dhcp-relay (EX Series switches only) on page 702 Extended DHCP Relay Agent Overview


763

®


•


•


•


retransmission-attempt Syntax Hierarchy Level Release Information Description

Options

retransmission-attempt number; [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the number of times the device retransmits a Dynamic Host Control Protocol (DHCP) packet if a DHCP server fails to respond. After the specified number of attempts, no further attempts at reaching a server are made. number—Number of retransmit attempts..




retransmission-interval Syntax Hierarchy Level Release Information Description

Options

retransmission-interval seconds; [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the time between successive retransmissions of the client DHCP request if a DHCP server fails to respond. seconds—Number of seconds between successive retransmissions.

Range: 4 through 64 seconds Default: 4 seconds Required Privilege Level Related Documentation

764





router Syntax

Hierarchy Level

Release Information

Description

Options

router { address; } [edit system services dhcp], [edit system services dhcp], [edit system services dhcp-service], [edit system services dhcp-service pool], [edit system services dhcp-service static-binding]

Statement introduced before Junos OS Release 7.4. Statement for EX Series switches introduced in Junos OS Release 9.0. For J Series Services Routers and EX Series switches only, specify IPv4 addresses for one or more devices available to a DHCP client. List devices (switches or routers) in order of preference. address—IPv4 address of the router or switch. To configure multiple devices, include

multiple address options. Required Privilege Level Related Documentation



•



765

®


server (DHCP and BOOTP Relay Agent) Syntax

Hierarchy Level

server address { logical-system logical-system-name ; routing-instance [ routing-instance-names ]; } [edit forwarding-options helpers bootp], [edit forwarding-options helpers bootp interface (interface-name | interface-group)]

Release Information

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for QFX Series switches.

Description

Configure the router or switch to act as a DHCP and BOOTP relay agent.

Options

•

address—One or more addresses of the server.

•

logical-system logical-system-name—(Optional) Logical system of the server.

•

routing-instance routing-instance-names—(Optional) Routing instance name that belong

to the DHCP or BOOTP relay agent. Required Privilege Level Related Documentation

766





server (DNS and TFTP Service) Syntax

Hierarchy Level

Release Information

Description

Options

server address ; [edit forwarding-options helpers domain], [edit forwarding-options helpers domain interface interface-name], [edit forwarding-options helpers tftp], [edit forwarding-options helpers tftp interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the DNS or TFTP server for forwarding DNS or TFTP requests. Only one server can be specified for each interface. address—Address of the server. logical-system logical-system-name—(Optional) Logical system of the server. routing-instance [ routing-instance-names ]—(Optional) Set the routing instance name

or names that belong to the DNS server or TFTP server. Required Privilege Level Related Documentation



server-address Syntax Hierarchy Level Release Information Description

Default Options Required Privilege Level Related Documentation

server-address ip-address; [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the address of the DHCP server that the client should accept DHCP offers from. If this option is included in the DHCP configuration, the client accepts offers only from this server and ignores all other offers. The client accepts the first offer it receives from any DHCP server. ip-address—DHCP server address.




767

®


server-group Syntax

server-group { server-group-name { server-ip-address; } }

Hierarchy Level

[edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay dhcpv6], [edit logical-systems logical-system-name forwarding-options dhcp-relay], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6], [edit routing-instances routing-instance-name forwarding-options dhcp-relay], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6]

Release Information

Statement introduced in Junos OS Release 8.3. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches.

Description

Specify the name of a group of DHCP server addresses for use by the extended DHCP relay agent. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6.

Options

server-group-name—Name of the group of DHCP or DHCPv6 server addresses. server-ip-address—IP address of the DHCP server belonging to this named server group.

Use IPv6 addresses when configuring DHCPv6 support. You can configure a maximum of five IP addresses per named server group. Required Privilege Level Related Documentation

768


dhcp-relay

•


•


•


•


•

Configuring Server Groups



server-identifier Syntax Hierarchy Level

Release Information

Description

server-identifier address; [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For J Series Services Routers and EX Series switches only. Configure a server identifier. The identifier can be used to identify a DHCP server in a DHCP message. It can also be used as a destination address from clients to servers (for example, when the boot file is set, but not the boot server). Servers include the server identifier in DHCPOFFER messages so that clients can distinguish between multiple lease offers. Clients include the server identifier in DHCPREQUEST messages to select a lease and indicate which offer is accepted from multiple lease offers. Also, clients can use the server identifier to send unicast request messages to specific DHCP servers to renew a current lease. This address must be a manually assigned, static IP address. The server cannot send a request and receive an IP address from itself or another DHCP server.

Default

If no server identifier is set, the DHCP server sets the server identifier based on the primary interface address used by the server to receive a client request. For example, if the client sends a DHCP request and the server receives it on fe-0/0/0 and the primary interface address is 1.1.1.1, then the server identifier is set to 1.1.1.1.

Options

address—IPv4 address of the server. This address must be accessible by all clients served

within a specified range of addresses (based on an address pool or static binding). Required Privilege Level Related Documentation




769

®


servers Syntax


Description Options

servers server-address { port port-number; } [edit system services service-deployment]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an IPv4 address for the Session and Resource Control (SRC) server. server-address—The TCP port number.

Default: 3333 The remaining statements are explained separately. Required Privilege Level Related Documentation



service-deployment Syntax


Description

service-deployment { servers server-address { port port-number; } source-address source-address; } [edit system services]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable Junos OS to work with the Session and Resource Control (SRC) software. The remaining statements are explained separately.


770





service-profile Syntax Hierarchy Level Release Information Description


service-profile profile-name; [edit system services dhcp-local-server]

Statement introduced in Junos OS Release 12.1 for EX Series switches. For extended DHCP servers, specify the default subscriber service activated. The default is used when the subscriber logs in when no other service is activated by a RADIUS server or a provisioning server. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •



771

®


service-profile (DHCP Relay Agent) Syntax Hierarchy Level

Release Information

Description

service-profile dynamic-profile-name; [edit forwarding-options dhcp-relay], [edit forwarding-options dhcp-relay dhcpv6], [edit forwarding-options dhcp-relay group group-name], [edit forwarding-options dhcp-relay group group-name interface interface-name], [edit forwarding-options dhcp-relay dhcpv6 groupgroup-name], [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay ...], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay ...], [edit routing-instances routing-instance-name forwarding-options dhcp-relay ...]

Statement introduced in Junos OS Release 11.2. Support at the [edit ... dhcpv6 ...] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the default subscriber service, which is activated when the subscriber logs in and no other service is activated by a RADIUS server or a provisioning server. •

To specify the default service for all DHCP relay agent clients, include the service-profile statement at the [edit forwarding-options dhcp relay] hierarchy level.

•

To specify the default service for a named group of interfaces, include the service-profile statement at the [edit forwarding-options dhcp relay group group-name] hierarchy level.

•

To specify the default service for a particular interface within a named group of interfaces, include the service-profile statement at the [edit forwarding-options dhcp relay group group-name interface interface-name] hierarchy level.

EX Series switches do not support DHCPv6. Options Required Privilege Level Related Documentation

772

dynamic-profile-name—Name of the dynamic profile.


dhcp-relay

•


•


•


•


•


•

Default Subscriber Service Overview

•

Configuring a Default Subscriber Service



services Syntax

services { dhcp { \* DHCP not supported on a DCF dhcp_services; } finger { connection-limit limit; rate-limit limit; } ftp { connection-limit limit; rate-limit limit; } service-deployment { servers address { port-number port-number; } source-address address; } ssh { connection-limit limit; protocol-version [v1 v2]; rate-limit limit; root-login (allow | deny | deny-password); } telnet { connection-limit limit; rate-limit limit; } web-management { http { interfaces [ names ]; port port; } https { interfaces [ names ]; local-certificate name; port port; } session { idle-timeout [ minutes ]; session-limit [ limit ]; } } xnm-clear-text { connection-limit limit; rate-limit limit; } xnm-ssl { connection-limit limit; local-certificate name; rate-limit limit; }


773

®


}


Description

[edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the router or switch so that users on remote systems can access the local router or switch through the DHCP server, finger, rlogin, SSH, telnet, Web management, Junos XML protocol clear-text, Junos XML protocol SSL, and network utilities or enable Junos OS to work with the Session and Resource Control (SRC) software. The remaining statements are explained separately.


774



•


•




session Syntax


Description

Options

session { idle-timeout minutes; session-limit session-limit; } [edit system services web-management]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure limits for the number of minutes a session can be idle before it times out, and configure the number of simultaneous J-Web user login sessions. idle-timeout minutes—Configure the number of minutes a session can be idle before it

times out. Range: 1 through 1440 Default: 1440 session-limit session-limit—Configure the maximum number of simultaneous J-Web user

login sessions. Range: 1 through 1024 Default: Unlimited Required Privilege Level Related Documentation




775

®


sip-server Syntax Hierarchy Level

Release Information

sip-server [address | name]; [edit system services dhcp], [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]


Description

Configure Session Initiation Protocol (SIP) server addresses or names for DHCP servers.

Options

address—IPv4 address of the SIP server. To configure multiple SIP servers, include multiple address options. This address must be accessible by all clients served within a

specified range of addresses (based on an address pool or static binding). name—Fully qualified domain name of the SIP server. To configure multiple SIP servers,

include multiple name options. This domain name must be accessible by all clients served within a specified range of addresses (based on an address pool or static binding). Required Privilege Level Related Documentation



•


source-address (SRC Software) Syntax Hierarchy Level Release Information

Description Options

source-address source-address; [edit system services service-deployment]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable Junos OS to work with the Session and Resource Control (SRC) software. source-address— Local IPv4 address to be used as source address for traffic to the SRC

server. The source address restricts traffic within the out-of-band network. Required Privilege Level Related Documentation

776





source-address-giaddr Syntax Hierarchy Level


source-address-giaddr; [edit forwarding-options helpers bootp], [edit forwarding-options helpers bootp interface interface-name]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure the gateway IP address (giaddr) as the source IP address of the switch for relayed DHCP packets when the switch is used as the DHCP relay agent. When this statement is entered in the [edit forwarding-options helpers bootp] hierarchy, the gateway IP address is configured as the source IP address of the switch for relayed DHCP packets exiting all interfaces on the switch. When this statement is entered in the [edit forwarding-options helpers bootp interface interface-name] hierarchy, the gateway IP address is configured as the source IP address of the switch for relayed DHCP packets exiting the specified interface of the switch. In Junos OS Release 10.1 for EX Series switches and later releases, the IP address of the interface that the DHCP packet exits on the switch acting as a DHCP relay agent is used as the source IP address for relayed DHCP packets by default. In Junos OS Releases 9.6 and 10.0 for EX Series switches, the gateway IP address of the switch is always used as the source IP address for relayed DHCP packets when the switch is used as the DHCP relay agent. In Junos OS Releases 9.3 through 9.5 for EX Series switches, the IP address of the interface that the DHCP packet exits on the switch acting as a DHCP relay agent is always used as the source IP address for relayed DHCP packets.





777

®


ssh Syntax


Description

ssh { ciphers [ cipher-1 cipher-2 cipher-3 ...]; client-alive-count-max seconds; client-alive-interval seconds; connection-limit limit; hostkey-algorithm ; key-exchange ; macs ; max-sessions-per-connection ; no-tcp-forwarding; protocol-version [v1 v2]; rate-limit limit; root-login (allow | deny | deny-password); } [edit system services]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. client-alive-interval and client-alive-max-count statements introduced in Junos OS Release 12.2. Allow SSH requests from remote systems to the local router or switch. The remaining statements are explained separately.


778





static-binding Syntax

Hierarchy Level

Release Information

static-binding mac-address { client-identifier (ascii client-id | hexadecimal client-id); fixed-address { address; } host-name client-hostname; } [edit system services dhcp], [edit system services dhcp]


Description

For J Series Services routers and EX Series switches only. Set static bindings for DHCP clients. A static binding is a mapping between a fixed IP address and the client’s MAC address or client identifier.

Options

mac-address—The MAC address of the client. This is a hardware address that uniquely

identifies a client on the network. fixed-address address—Fixed IP address assigned to the client. Typically a client has one

address assigned, but you can assign more. host-name client-hostname—Hostname of the client requesting the DHCP server. The

name can include the local domain name. Otherwise, the name is resolved based on the domain-name statement. client-identifier (ascii client-id | hexadecimal client-id)—Used by the DHCP server to index

the database of address bindings. The client identifier is an ASCII string or hexadecimal number and can include a type-value pair as specified in RFC 1700, Assigned Numbers. Either a client identifier or the client’s MAC address must be configured to uniquely identify the client on the network. Required Privilege Level Related Documentation



•



779

®


system-generated-certificate Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

system-generated-certificate; [edit system services web-management https]

Command introduced in Junos OS Release 11.1 for EX Series switches. Configure the automatically generated self-signed certificate for enabling HTTPS services.. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Enabling HTTPS Service on Switches Using Self-Signed Certificates (CLI Procedure) on page 669

telnet Syntax


Description

telnet { connection-limit limit; rate-limit limit; } [edit system services]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Provide Telnet connections from remote systems to the local router or switch. The remaining statements are explained separately.


780


Configuring Telnet Service for Remote Access to a Router or Switch



tftp Syntax


Description

tftp { description text-description; interface interface-name { broadcast; description text-description; no-listen; server address ; } server address ; } [edit forwarding-options helpers]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable TFTP request packet forwarding. The remaining statements are explained separately.





781

®


trace (DHCP Relay Agent) Syntax Hierarchy Level

Release Information

Description

trace; [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit forwarding-options dhcp-relay group group-name interface interface-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name interface interface-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name interface interface-name]

Statement introduced in Junos OS Release 10.4. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Enable trace operations for a group of interfaces or for a specific interface within a group. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6.


782



•


•


•

Tracing Extended DHCP Operations

•

Tracing Extended DHCP Operations for Specific Interfaces



traceoptions Syntax

Hierarchy Level

traceoptions { file filename ; flag all; flag certificates; flag database; flag general; flag ike; flag parse; flag policy-manager; flag routing-socket; flag timer; level no-remote-trace } [edit security], [edit services ipsec-vpn]

Trace options can be configured at either the [edit security] or the [edit services ipsec-vpn] hierarchy level, but not at both levels. Release Information

Description

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure security trace options. To specify more than one trace option, include multiple flag statements. Trace option output is recorded in the /var/log/kmd file.

Options

files number—(Optional) Maximum number of trace files. When a trace file (for example, kmd) reaches its maximum size, it is renamed kmd.0, then kmd.1, and so on, until the

maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option. Range: 2 through 1000 files Default: 0 files size size—(Optional) Maximum size of each trace file, in kilobytes (KB). When a trace file

(for example, kmd) reaches this size, it is renamed, kmd.0, then kmd.1 and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. Default: 1024 KB flag flag—Trace operation to perform. To specify more than one trace operation, include

multiple flag statements. •

all—Trace all security events.

•

certificates—Trace certificate events.


783

®


•

database—Trace database events.

•

general—Trace general events.

•

ike—Trace IKE module processing.

•

parse—Trace configuration processing.

•

policy-manager—Trace policy manager processing.

•

routing-socket—Trace routing socket messages.

•

timer—Trace internal timer events.

level level—(Optional) Set traceoptions level. •

all—match all levels.

•

error—Match error conditions.

•

info—Match informational messages.

•

notice—Match conditions that should be handled specially.

•

verbose—Match verbose messages.

•

warning—Match warning messages.

no-remote-trace—(Optional) Disable remote tracing


784

admin—To view the configuration. admin-control—To add this statement to the configuration. •

Configuring Tracing Operations for Security Services



traceoptions (DHCP Server) Syntax


traceoptions { file filename ; flag flag; } [edit system services dhcp]

Statement for tracing J Series Services Router DHCP processes introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches.

Description

Define tracing operations for DHCP processes for J Series Services Routers and EX Series switches.

Options

file filename—Name of the file that receives the output of the tracing operation. Enclose

the name in quotation marks. All files are placed in the directory /var/log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and




•

binding—Trace binding operations

•

config—Log reading of configuration

•

conflict—Trace user-detected conflicts for IP addresses

•

event—Trace important events

•

ifdb—Trace interface database operations

•

io— Trace I/O operations

•

lease—Trace lease operations

•

main—Trace main loop operations

•

misc— Trace miscellaneous operations

•

packet—Trace DHCP packets


785

®


•

options—Trace DHCP options

•

pool—Trace address pool operations

•

protocol—Trace protocol operations

•

rtsock—Trace routing socket operations

•

scope—Trace scope operations

•

signal—Trace DHCP signal operations

•

trace—All tracing operations

•

ui—Trace user interface operations


expression. •


•

binding—Trace binding operations

•

config— Log reading of configuration

•

conflict—Trace user-detected conflicts for IP addresses

•

event—Trace important events

•

ifdb— Trace interface database operations

•

io—Trace I/O operations

•

lease—Trace lease operations

•

main—Trace main loop operations

•

match regex— Refine the output to include lines that contain the regular expression.

•

misc—Trace miscellaneous operations

•

packet—Trace DHCP packets

•

options—Trace DHCP options

•

pool—Trace address pool operations

•

protocol—Trace protocol operations

•


•

scope—Trace scope operations

•

signal—Trace DHCP signal operations

•

trace—All tracing operations

•


no-world-readable—(Optional) Disable unrestricted file access.

786



size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and filename. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB world-readable—(Optional) Enable unrestricted file access.



Configuring Tracing Operations for DHCP Processes

•



787

®


traceoptions (DNS and TFTP Packet Forwarding) Syntax



traceoptions { file filename ; flag flag; level level; ; } [edit forwarding-options helpers]

Statement introduced before Junos OS Release 7.4. Statement standardized and match option introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure tracing operations for BOOTP, DNS and TFTP packet forwarding. If you do not include this statement, no tracing operations are performed. file filename—Name of the file to receive the output of the tracing operation. Enclose the

name in quotation marks (" "). All files are placed in a file named fud in the directory /var/log. If you include the file statement, you must specify a filename. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and


include multiple flag statements. You can include the following flags:

788

•

address—Trace address management events

•

all—Trace all events

•

bootp—Trace BOOTP or DHCP services events

•

config—Trace configuration events

•

domain—Trace DNS service events

•

ifdb—Trace interface database operations

•

io—Trace I/O operations

•

main—Trace main loop events

•

port—Trace arbitrary protocol events



•


•

tftp—Trace TFTP service events

•

trace—Trace tracing operations

•


•

util—Trace miscellaneous utility operations

match regular-expression—(Optional) Refine the output to include lines that contain the

regular expression. no-remote-trace—(Optional) Disable remote tracing globally or for a specific tracing

operation. no-world-readable—(Optional) Restrict file access to the owner. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and filename. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 0 bytes through 4,294,967,295 KB Default: 128 KB world-readable—(Optional) Enable unrestricted file access.



Tracing BOOTP, DNS, and TFTP Forwarding Operations


789

®


update-server Syntax Hierarchy Level Release Information Description


790

update-server; [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Propagate TCP/IP settings learned from an external DHCP server to the DHCP server running on the switch. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •




use-primary (DHCP Relay Agent) Syntax Hierarchy Level

Release Information

Description

use-primary primary-profile-name; [edit forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit forwarding-options dhcp-relay dynamic-profile profile-name], [edit forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit forwarding-options dhcp-relay group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dynamic-profile profile-name], [edit routing-instances routing-instance-name forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile profile-name] [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name dynamic-profile profile-name]

Statement introduced in Junos OS Release 9.3. Support at the [edit ... dhcpv6] hierarchy levels introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the dynamic profile to configure as the primary dynamic profile. The primary dynamic profile is instantiated when the first subscriber logs in. Subsequent subscribers are not assigned the primary dynamic profile; instead, they are assigned the dynamic profile specified for the interface. When the first subscriber logs out, the next subscriber that logs in is assigned the primary dynamic profile. Use the statement at the [edit ... dhcpv6] hierarchy levels to configure DHCPv6 support. EX Series switches do not support DHCPv6.

Options

primary-profile-name—Name of the dynamic profile to configure as the primary dynamic

profile Required Privilege Level



791

®



•


•


•


•


vendor-id Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

792

vendor-id vendor-id; [edit interfaces interface-name unit logical-unit-number family inet dhcp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a vendor class ID for the Dynamic Host Configuration Protocol (DHCP) client. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •




vendor-option Syntax

Hierarchy Level

Release Information

Description

vendor-option { (equals | starts-with) (ascii match-string | hexadecimal match-hex) { (relay-server-group server-group-name | local-server-group local-server-group-name | drop); } (default-relay-server-group server-group-name | default-local-server-group local-server-group-name | drop); } [edit forwarding-options dhcp-relay relay-option-60], [edit forwarding-options dhcp-relay group group-name relay-option-60], [edit logical-systems logical-system-name forwarding-options dhcp-relay relay-option-60], [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name relay-option-60], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60], [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60], [edit routing-instances routing-instance-name forwarding-options dhcp-relay relay-option-60], [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name relay-option-60]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure the match criteria when you use the DHCP vendor class identifier option (option 60) in DHCP client packets to forward client traffic to specific DHCP servers. The extended DHCP relay agent compares the option 60 vendor-specific strings received in DHCP client packets against the match criteria that you specify. If there is a match, you can define certain actions for the associated DHCP client packets. The vendor-option statement enables you to specify either an exact, left-to-right match (with the equals statement) or a partial match (with the starts-with statement), and configure either an ASCII match string (with the ascii statement) or a hexadecimal match string (with the hexadecimal statement). You can configure an unlimited number of match strings. Match strings do not support the use of wildcard attributes.

Options

equals—Use exact, left-to-right match of the ASCII or hexadecimal match string with

the option 60 string. starts-with—Use partial match of the ASCII or hexadecimal match string with the

option 60 string. The option 60 string can contain a superset of the ASCII or hexadecimal match string, provided that the leftmost characters of the option 60 string entirely match the characters in the configured match string. When you use


793

®


the starts-with statement, the longest match rule applies; that is, the router matches the string “test123” before it matches the string “test”. ascii match-string—ASCII match string of 1 through 255 alphanumeric characters. hexadecimal match-hex—Hexadecimal match string of 1 through 255 hexadecimal

characters (0 through 9, a through f, A through F). The remaining statements are explained separately. Required Privilege Level Related Documentation


dhcp-relay

•

dhcp-relay (EX Series switches only) on page 702 Extended DHCP Relay Agent Overview

794

•


•


•




web-management Syntax


Description

web-management { http { interfaces [ interface-names ]; port port; } https { interfaces [ interface-names ]; local-certificate name; port port; } } [edit system services]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure settings for HTTP or HTTPS access. HTTP access allows management of the router or switch using the browser-based J-Web graphical user interface. HTTPS access allows secure management of the router or switch using the J-Web interface. With HTTPS access, communication between the router or switch Web server and your browser is encrypted. The remaining statements are explained separately.




•


•

http on page 724

•

https on page 725

•

port on page 758


795

®


wins-server Syntax

Hierarchy Level

Release Information

wins-server { address; } [edit system services dhcp], [edit system services dhcp], [edit system services dhcp pool], [edit system services dhcp static-binding]


Description

For J Series Services Routers and EX Series switches only. Specify one or more NetBIOS Name Servers. When a DHCP client is added to the network and assigned an IP address, the NetBIOS Name Server manages the Windows Internet Name Service (WINS) database that matches IP addresses (such as 192.168.1.3) to Windows NetBIOS names (such as \\Marketing ). List servers in order of preference.

Options

address—IPv4 address of the NetBIOS Name Server running WINS. To configure multiple

servers, include multiple address options. Required Privilege Level Related Documentation

796



•



CHAPTER 32

Operational Commands for System Services


797

®


clear dhcp relay statistics Syntax

clear dhcp relay statistics

Syntax

Syntax for EX Series switches: show dhcp relay statistics

Release Information

Command introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 12.1 for EX Series switches.

Description

Clear all Dynamic Host Configuration Protocol (DHCP) relay statistics.

Options

logical-system logical-system-name—(On routers only) (Optional) Perform this operation

on the specified logical system. If you do not specify a logical system name, statistics are cleared for the default logical system. routing-instance routing-instance-name—(Optional) Perform this operation on the specified

routing instance. If you do not specify a routing instance name, statistics are cleared for the default routing instance. Required Privilege Level Related Documentation List of Sample Output Output Fields

798

view

•

show dhcp relay statistics on page 811

clear dhcp relay statistics on page 799 Table 92 on page 799 lists the output fields for the clear dhcp relay statistics command.


Chapter 32: Operational Commands for System Services

Table 92: clear dhcp relay statistics Output Fields Field Name

Field Description

Packets dropped

Number of packets discarded by the extended DHCP relay agent application due to errors. Only nonzero statistics appear in the Packets dropped output. When all of the Packets dropped statistics are 0 (zero), only the Total field appears. •

Total—Total number of packets discarded by the extended DHCP relay agent application.

•

Bad hardware address—Number of packets discarded because an invalid hardware address was

specified. •

Bad opcode—Number of packets discarded because an invalid operation code was specified.

•

Bad options—Number of packets discarded because invalid options were specified.

•

Invalid server address—Number of packets discarded because an invalid server address was specified.

•

No available addresses—Number of packets discarded because there were no addresses available

for assignment. •

No interface match—Number of packets discarded because they did not belong to a configured

interface. •

No routing instance match—Number of packets discarded because they did not belong to a configured

routing instance.

Messages received

Messages sent

•

No valid local address—Number of packets discarded because there was no valid local address.

•

Packet too short—Number of packets discarded because they were too short.

•

Read error—Number of packets discarded because of a system read error.

•

Send error—Number of packets that the extended DHCP relay application could not send.

•

Option 60—Number of packets discarded containing DHCP option 60 vendor-specific information.

•

Option 82—Number of packets discarded because DHCP option 82 information could not be added.

Number of DHCP messages received. •

BOOTREQUEST—Number of BOOTP protocol data units (PDUs) received

•

DHCPDECLINE—Number of DHCP PDUs of type DECLINE received

•

DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER received

•

DHCPINFORM—Number of DHCP PDUs of type INFORM received

•

DHCPRELEASE—Number of DHCP PDUs of type RELEASE received

•

DHCPREQUEST—Number of DHCP PDUs of type REQUEST received

Number of DHCP messages sent. •

BOOTREPLY—Number of BOOTP PDUs transmitted

•

DHCPOFFER—Number of DHCP OFFER PDUs transmitted

•

DHCPACK—Number of DHCP ACK PDUs transmitted

•

DHCPNACK—Number of DHCP NACK PDUs transmitted

Sample Output clear dhcp relay statistics

The following sample output displays the DHCP relay statistics before and after the clear dhcp relay statistics command is issued. user@host> show dhcp relay statistics Packets dropped: Total 0


799

®


Messages received: BOOTREQUEST DHCPDECLINE DHCPDISCOVER DHCPINFORM DHCPRELEASE DHCPREQUEST

116 0 11 0 0 105

Messages sent: BOOTREPLY DHCPOFFER DHCPACK DHCPNAK

44 11 11 11

user@host> clear dhcp relay statistics

user@host> show dhcp relay statistics Packets dropped: Total 0

800


0 0 0 0 0 0

Messages sent: BOOTREPLY DHCPOFFER DHCPACK DHCPNAK

0 0 0 0



clear security pki local-certificate Syntax


Options

clear security pki local-certificate

Command introduced in Junos OS Release 11.1 for EX Series switches. Delete local digital certificates, certificate requests, and the corresponding public/private key pairs from the switch. all—(Optional) Delete all local digital certificates, certificate requests, and the

corresponding public and private key pairs from the router.

NOTE: This option does not delete the automatically generated self-signed certificate or its public/private key pair.

certificate-id certificate-id-name—(Optional) Delete the specified local digital certificate

and corresponding public and private key pair. system-generated—(Optional) Delete the automatically generated self-signed certificate.


clear

•

Deleting Self-Signed Certificates (CLI Procedure) on page 670

clear security pki local-certificate all on page 801 This command produces no output.

Sample Output clear security pki local-certificate all

user@switch> clear security pki local-certificate all


801

®


clear system services dhcp binding Syntax

Release Information

Description

Options

clear system services dhcp binding

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers and EX Series switches only) Remove obsolete IP address bindings on a Dynamic Host Configuration Protocol (DHCP) server and return them to the IP address pool. address—(Optional) Remove a specific IP address binding and return it to the address

pool. Required Privilege Level Related Documentation List of Sample Output Output Fields

view and system

•

show system services dhcp binding on page 817

clear system services dhcp binding on page 802 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear system services dhcp binding

802

user@host> clear system services dhcp binding



clear system services dhcp conflict Syntax

Release Information

Description

Options

clear system services dhcp conflict

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers and EX Series switches only) Remove IP addresses from the Dynamic Host Configuration Protocol (DHCP) server conflict list and return them to the IP address pool. address—(Optional) Remove a specific IP address from the conflict list and return it to

the address pool. Required Privilege Level Related Documentation List of Sample Output Output Fields

view and system

•

show system services dhcp conflict on page 820

clear system services dhcp conflict on page 803 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear system services dhcp conflict

user@host> clear system services dhcp conflict


803

®


clear system services dhcp statistics Syntax Release Information

Description

Options Required Privilege Level Related Documentation List of Sample Output Output Fields

clear system services dhcp statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers and EX Series switches only) Clear Dynamic Host Configuration Protocol (DHCP) server statistics. This command has no options. view and system

•

show system services dhcp statistics on page 825

clear system services dhcp statistics on page 804 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear system services dhcp statistics

804

user@host> clear system services dhcp statistics



request ipsec switch Syntax Release Information

Description

Options

request ipsec switch (interface | security-associations )

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (Encryption interface on M Series and T Series routers and EX Series switches only) Manually switch from the primary to the backup encryption services interface, or switch from the primary to the backup IP Security (IPsec) tunnel. interface —Switch to the backup encryption interface. security-associations —Switch to the backup tunnel.


view

•

show ipsec redundancy

request ipsec switch on page 805 When you enter this command, you are provided feedback on the status of your request.

Sample Output request ipsec switch

user@host> request ipsec switch security-associations sa-private


805

®


request security certificate (signed) Syntax

Release Information

Description

Options

request security certificate enroll filename filename subject subject alternative-subject alternative-subject certification-authority certification-authority encoding (binary | pem) key-file key-file domain-name domain-name

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (Encryption interface on M Series and T Series routers and EX Series switches only) Obtain a signed certificate from a certificate authority (CA). The signed certificate validates the CA and the owner of the certificate. The results are saved in a specified file to the /var/etc/ikecert directory. filename filename—File that stores the certificate. subject subject—Distinguished name (dn), which consists of a set of components—for

example, an organization (o), an organization unit (ou), a country (c), and a locality (l). alternative-subject alternative-subject—Tunnel source address. certification-authority certification-authority—Name of the certificate authority profile in

the configuration. encoding (binary | pem)—File format used for the certificate. The format can be a binary

file or privacy-enhanced mail (PEM), an ASCII base64-encoded format. The default format is binary. key-file key-file—File containing a local private key. domain-name domain-name—Fully qualified domain name.


maintenance

request security certificate (signed) on page 806 When you enter this command, you are provided feedback on the status of your request.

Sample Output request security certificate (signed)

806

user@host> request security certificate enroll filename host.crt subject c=uk,o=london alternative-subject 10.50.1.4 certification-authority verisign key-file host-1.prv domain-name host.juniper.net CA name: juniper.net CA file: ca_verisign local pub/private key pair: host.prv subject: c=uk,o=london domain name: host.juniper.net alternative subject: 10.50.1.4 Encoding: binary Certificate enrollment has started. To view the status of your enrollment, check the key management process (kmd) log file at /var/log/kmd. request security certificate enroll filename ca_verisign ca-file verisign ca-name juniper.net urlxyzcompany URL http:///cgi-bin/pkiclient.exe CA name: juniper.net CA file: verisign Encoding: binary Certificate enrollment has started. To view the status of your enrollment, check the key management process (kmd) log file at /var/log/kmd. request security key-pair security-key-file



request security pki generate-key-pair Syntax


Options

request security pki generate-key-pair certificate-id certificate-id-name

Command introduced in Junos OS Release 11.1 for EX Series switches. Generate a public key infrastructure (PKI) public/private key pair for a local digital certificate. certificate-id certificate-id-name—Name of the local digital certificate and the

public/private key pair. size—(Optional) Key pair size. The key pair size can be 512, 1024, or 2048 bits. If a key pair

size is not specified, the default value, 1024 bits, is applied. type—(Optional) The algorithm to be used for encrypting the public/private key pair. The

encryption algorithm can be dsa or rsa . If an encryption algorithm is not specified, the default value, rsa, is applied. Required Privilege Level Related Documentation List of Sample Output Output Fields

maintenance

•


request security pki generate-key-pair on page 809 When you enter this command, you are provided feedback on the status of your request.

Sample Output request security pki generate-key-pair

user@switch> request security pki generate-key-pair certificate-id billy size 2048 Generated key pair billy, key size 2048 bits


809

®


request security pki local-certificate generate-self-signed Syntax


request security pki local-certificate generate-self-signed certificate-id certificate-id-name domain-name domain-name ip-address ip-address email email-address subject subject-distinguished-name

Command introduced in Junos OS Release 11.1 for EX Series switches. Manually generate a self-signed certificate for the given distinguished name. certificate-id certificate-id-name—Name of the local digital certificate and the

public/private key pair. domain-name domain-name—Fully qualified domain name (FQDN). The FQDN provides

the identity of the certificate owner for Internet Key Exchange (IKE) negotiations and provides an alternative to the subject name. email email-address—E-mail address of the certificate holder. ip-address ip-address—IP address of the switch. subject subject-distinguished-name—Distinguished name format that contains the common

name, department, company name, state, and country:


•

CN—Common name

•

OU—Organizational unit name

•

O—Organization name

•

ST—State

•

C—Country

maintenance security •


request security pki local-certificate generate-self-signed on page 810 When you enter this command, you are provided feedback on the status of your request.

Sample Output request security pki local-certificate generate-self-signed

810

user@switch> request security pki local-certificate generate-self-signed certificate-id self-cert subject cn=abc domain-name abc.net email [email protected] Self-signed certificate generated and loaded successfully



show dhcp relay statistics Syntax

show dhcp relay statistics

Syntax

Syntax for EX Series switches: show dhcp relay statistics

Release Information

Command introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 12.1 for EX Series switches.

Description

Display Dynamic Host Configuration Protocol (DHCP) relay statistics.

Options

logical-system logical-system-name—(On routers only) (Optional) Perform this operation

on the specified logical system. If you do not specify a logical system name, statistics are displayed for the default logical system. routing-instance routing-instance-name—(Optional) Perform this operation on the specified

routing instance. If you do not specify a routing instance name, statistics are displayed for the default routing instance. Required Privilege Level Related Documentation List of Sample Output Output Fields

view

•

clear dhcp relay statistics on page 798

show dhcp relay statistics on page 812 Table 93 on page 812 lists the output fields for the show dhcp relay statistics command. Output fields are listed in the approximate order in which they appear.


811

®


Table 93: show dhcp relay statistics Output Fields Field Name

Field Description

Packets dropped

Number of packets discarded by the extended DHCP relay agent application due to errors. Only nonzero statistics appear in the Packets dropped output. When all of the Packets dropped statistics are 0 (zero), only the Total field appears. •

Total—Total number of packets discarded by the extended DHCP relay agent application.

•

Bad hardware address—Number of packets discarded because an invalid hardware address was

specified. •

Bad opcode—Number of packets discarded because an invalid operation code was specified.

•

Bad options—Number of packets discarded because invalid options were specified.

•

Invalid server address—Number of packets discarded because an invalid server address was specified.

•

No available addresses—Number of packets discarded because there were no addresses available

for assignment. •

No interface match—Number of packets discarded because they did not belong to a configured

interface. •

No routing instance match—Number of packets discarded because they did not belong to a configured

routing instance.

Messages received

Messages sent

•

No valid local address—Number of packets discarded because there was no valid local address.

•

Packet too short—Number of packets discarded because they were too short.

•

Read error—Number of packets discarded because of a system read error.

•

Send error—Number of packets that the extended DHCP relay application could not send.

•

Option 60—Number of packets discarded containing DHCP option 60 vendor-specific information.

•

Option 82—Number of packets discarded because DHCP option 82 information could not be added.

Number of DHCP messages received. •

BOOTREQUEST—Number of BOOTP protocol data units (PDUs) received

•

DHCPDECLINE—Number of DHCP PDUs of type DECLINE received

•

DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER received

•

DHCPINFORM—Number of DHCP PDUs of type INFORM received

•

DHCPRELEASE—Number of DHCP PDUs of type RELEASE received

•

DHCPREQUEST—Number of DHCP PDUs of type REQUEST received

Number of DHCP messages sent. •

BOOTREPLY—Number of BOOTP PDUs transmitted

•

DHCPOFFER—Number of DHCP OFFER PDUs transmitted

•

DHCPACK—Number of DHCP ACK PDUs transmitted

•

DHCPNACK—Number of DHCP NACK PDUs transmitted

•

DHCPFORCERENEW—Number of DHCP FORCERENEW PDUs transmitted

Sample Output show dhcp relay statistics

812

user@host> show dhcp relay statistics Packets dropped: Total 30 Bad hardware address 1 Bad opcode 1 Bad options 3



Invalid server address No available addresses No interface match No routing instance match No valid local address Packet too short Read error Send error Option 60 Option 82

5 1 2 9 4 2 1 1 1 2


116 0 11 0 0 105

Messages sent: BOOTREPLY DHCPOFFER DHCPACK DHCPNAK DHCPFORCERENEW

0 2 1 0 0


813

®


show security pki local-certificate Syntax


Options

show security pki local-certificate

Command introduced in Junos OS Release 11.1 for EX Series switches. Display information about the local digital certificates and the corresponding public keys installed in the switch. none—(Same as brief) Display information about all local digital certificates and

corresponding public keys. brief | detail—(Optional) Display information about local digital certificates and

corresponding public keys for the specified level of output. certificate-id certificate-id-name—(Optional) Display information about only the specified

the local digital certificate and corresponding public keys. system-generated—(Optional) Display information about the automatically generated

self-signed certificate. Required Privilege Level Related Documentation List of Sample Output

Output Fields

view

•


show security pki local-certificate on page 815 show security pki local-certificate detail on page 816 Table 94 on page 814 lists the output fields for the show security pki local-certificate command. Output fields are listed in the approximate order in which they appear.

Table 94: show security pki local-certificate Output Fields Field Name

Field Description

Level of Output

Certificate identifier

Name of the digital certificate.

All levels

Certificate version

Revision number of the digital certificate.

detail

Serial number

Unique serial number of the digital certificate.

detail

Issued by

Authority that issued the digital certificate.

none brief

Issued to

Device that was issued the digital certificate.

none brief

814



Table 94: show security pki local-certificate Output Fields (continued) Field Name

Field Description

Level of Output

Issuer

Authority that issued the digital certificate, including details of the authority organized using the distinguished name format. Possible subfields are:

detail

Subject

•

Common name—Name of the authority.

•

Organization—Organization of origin.

•

Organizational unit—Department within an organization.

•

State—State of origin.

•

Country—Country of origin.

Details of the digital certificate holder organized using the distinguished name format. Possible subfields are: •

Common name—Name of the authority.

•

Organization—Organization of origin.

•

Organizational unit—Department within an organization.

•

State—State of origin.

•

Country—Country of origin.

detail

Alternate subject

Domain name or IP address of the device related to the digital certificate.

detail

Validity

Time period when the digital certificate is valid. Values are:

All levels

•

Not before—Start time when the digital certificate becomes valid.

•

Not after—End time when the digital certificate becomes invalid.

Public key algorithm

Encryption algorithm used with the private key, such as rsaEncryption (1024 bits).

All levels

Public key verification status

Public key verification status: Failed or Passed. The detail output also provides the verification hash.

All levels

Signature algorithm

Encryption algorithm that the CA used to sign the digital certificate, such as sha1WithRSAEncryption.

detail

Fingerprint

Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5) hashes used to identify the digital certificate.

detail

Distribution CRL

Distinguished name information and URL for the certificate revocation list (CRL) server.

detail

Use for key

Use of the public key, such as Certificate signing, CRL signing, Digital signature, or Key encipherment.

detail

Sample Output show security pki local-certificate

user@switch> show security pki local-certificate Certificate identifier: local-entrust2 Issued to: router2.juniper.net, Issued by: juniper Validity:


815

®


Not before: 2005 Nov 21st, 23:28:22 GMT Not after: 2008 Nov 21st, 23:58:22 GMT Public key algorithm: rsaEncryption(1024 bits) Public key verification status: Passed

show security pki local-certificate detail

816

user@switch> show security pki local-certificate detail Certificate identifier: local-entrust3 Certificate version: 3 Serial number: 4355 94f9 Issuer: Organization: juniper, Country: us Subject: Organization: juniper, Country: us, Common name: switch1.juniper.net Alternate subject: switch1.juniper.net Validity: Not before: 2005 Nov 21st, 23:33:58 GMT Not after: 2008 Nov 22nd, 00:03:58 GMT Public key algorithm: rsaEncryption(1024 bits) Public key verification status: Passed fb:79:df:d4:a9:03:0f:d3:69:7e:c1:e4:27:35:9c:d9:b1:a2:47:78 d2:6d:f3:e5:f4:68:4f:b3:04:45:88:57:99:82:39:a6:51:9e:5f:42 23:3f:d7:6e:3d:a5:54:a9:b1:2d:6e:90:dd:12:8a:bf:ef:2b:20:50 ba:f0:da:d9:0c:ad:5e:d6:c6:98:3a:ae:3f:90:dd:94:78:c1:ea:2e 7c:f0:2d:d4:79:d4:cd:f0:52:df:5e:72:f2:e7:ae:66:f7:61:f4:bc 72:57:3e:6c:6d:d3:24:58:8b:f4:ef:da:2a:6a:fa:eb:98:f8:34:84 79:54:da:4f:d3:6f:52:1f Signature algorithm: sha1WithRSAEncryption Fingerprint: 61:3a:d0:b4:7a:16:9b:39:ba:81:3f:9d:ab:34:e5:c8:be:3b:a1:6d (sha1) 60:a0:ff:58:05:4a:65:73:9d:74:3a:e1:83:6f:1b:c8 (md5) Distribution CRL: C=us, O=juniper, CN=CRL1 http://CA-1/CRL/juniper_us_crlfile.crl Use for key: Digital signature



show system services dhcp binding Syntax

Release Information

Description

Options

show system services dhcp binding

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers only) Display Dynamic Host Configuration Protocol (DHCP) server client binding information. none—Display brief information about all active client bindings. detail—(Optional) Display detailed information about all active client bindings. address—(Optional) Display detailed client binding information for the specified IP address

only. Required Privilege Level Related Documentation List of Sample Output

Output Fields

view and system

•

clear system services dhcp binding on page 802

show system services dhcp binding on page 818 show system services dhcp binding address on page 818 show system services dhcp binding address detail on page 818 Table 95 on page 817 describes the output fields for the show system services dhcp binding command. Output fields are listed in the approximate order in which they appear.

Table 95: show system services dhcp binding Output Fields Field Name

Field Description

Level of Output

Allocated address

List of IP addresses the DHCP server has assigned to clients.

All levels

MAC address

Corresponding media access control (MAC) hardware address of the client.

All levels

Client identifier

(address option only) Client's unique identifier (represented by an ASCII string or hexadecimal digits). This identifier is used by the DHCP server to index its database of address bindings.

All levels

Binding Type

Type of binding assigned to the client. DHCP servers can assign a dynamic binding from a pool of IP addresses or a static binding to one or more specific IP addresses.

All levels

Lease Expires at

Time the lease expires or never for leases that do not expire.

All levels

Lease Obtained at

(address option only) Time the client obtained the lease from the DHCP server.

detail


817

®


Table 95: show system services dhcp binding Output Fields (continued) Field Name

Field Description

Level of Output

State

Status of the binding. Bindings can be active or expired.

detail

Pool

Address pool that contains the IP address assigned to the client.

detail

Request received on

Interface on which the DHCP message exchange occurs. The IP address pool is configured based on the interface's IP address. If a relay agent is used, its IP address is also displayed.

detail

DHCP options

User-defined options created for the DHCP server. If no options have been defined, this field is blank.

detail

Sample Output show system services dhcp binding

user@host> show system services dhcp binding Allocated address 192.168.1.2 192.168.1.3

show system services dhcp binding address

MAC address 00:a0:12:00:12:ab 00:a0:12:00:13:02

Binding Type static dynamic

Lease expires at never 2004-05-03 13:01:42 PDT

user@host> show system services dhcp binding 192.168.1.3 DHCP binding information: Allocated address: 192.168.1.3 Mac address: 00:a0:12:00:12:ab Client identifier 61 63 65 64 2d 30 30 3a 61 30 3a 31 32 3a 30 30aced-00:a0:12:00 3a 31 33 3a 30 32:13:02 Lease information: Binding Type dynamic Obtained at 2004-05-02 13:01:42 PDT Expires at 2004-05-03 13:01:42 PDT

show system services dhcp binding address detail

user@host> show system services dhcp binding 192.168.1.3 detail DHCP binding information: Allocated address 192.168.1.3 MAC address 00:a0:12:00:12:ab Pool 192.168.1.0/24 Request received on fe-0/0/0, relayed by 192.168.4.254 Lease information: Type Obtained at Expires at State active

DHCP 2004-05-02 13:01:42 PDT 2004-05-03 13:01:42 PDT

DHCP options: Name: name-server, Value: { 6.6.6.6, 6.6.6.7 } Name: domain-name, Value: mydomain.tld Code: 19, Type: flag, Value: off

818



Code: 40, Type: string, Value: domain.tld Code: 32, Type: ip-address, Value: 3.3.3.33


819

®


show system services dhcp conflict Syntax Release Information

Description

Options Required Privilege Level Related Documentation List of Sample Output Output Fields

show system services dhcp conflict

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers only and EX Series switches) Display Dynamic Host Configuration Protocol (DHCP) client-detected conflicts for IP addresses. When a conflict is detected, the DHCP server removes the address from the address pool. This command has no options. view and system

•

clear system services dhcp conflict on page 803

show system services dhcp conflict on page 820 Table 96 on page 820 describes the output fields for the show system services dhcp conflict command. Output fields are listed in the approximate order in which they appear.

Table 96: show system services dhcp conflict Output Fields Field Name

Field Description

Detection time

Date and time the client detected the conflict.

Detection method

How the conflict was detected.

Address

IP address where the conflict occurs. The addresses in the conflicts list remain excluded from the pool until you use a clear system services dhcp conflict command to manually clear the list.

Sample Output show system services dhcp conflict

user@host> show system services dhcp conflict Detection time 2004-08-03 19:04:00 PDT 2004-08-04 04:23:12 PDT 2004-08-05 21:06:44 PDT

820

Detection method ARP Ping Client

Address 3.3.3.5 4.4.4.8 3.3.3.10



show system services dhcp global Syntax Release Information

Description


show system services dhcp global

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers and EX Series switches only) Display Dynamic Host Configuration Protocol (DHCP) global configuration options. Global options apply to all scopes and clients served by the DHCP server. Global options are overridden if specified otherwise in scope or client options. Scope options apply to specific subnets or ranges of addresses. Client options apply to specific clients. This command has no options. view and system

show system services dhcp global on page 822 Table 97 on page 821 describes the output fields for the show system services dhcp global command. Output fields are listed in the approximate order in which they appear.

Table 97: show system services dhcp global Output Fields Field Name

Field Description

BOOTP lease length

Length of lease time assigned to BOOTP clients.

Default lease time

Lease time assigned to clients that do not request a specific lease time.

Minimum lease time

Minimum time a client retains an IP address lease on the server.

Maximum lease time

Maximum time a client can retain an IP address lease on the server.

DHCP options



821

®


Sample Output show system services dhcp global

user@host> show system services dhcp global Global settings: BOOTP lease length

infinite

DHCP lease times: Default lease time Minimum lease time Maximum lease time

1 hour 2 hours infinite

DHCP options: Name: name-server, Value: { 6.6.6.6, 6.6.6.7 } Name: domain-name, Value: mydomain.tld Code: 19, Type: flag, Value: off Code: 40, Type: string, Value: domain.tld Code: 32, Type: ip-address, Value: 3.3.3.33

822



show system services dhcp pool Syntax

Release Information

Description

Options

show system services dhcp pool

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. (J Series routers and EX Series switches only) Display Dynamic Host Configuration Protocol (DHCP) server IP address pools. none—Display brief information about all IP address pools. detail—(Optional) Display detailed information. subnet-address—(Optional) Display information for the specified subnet address.


Output Fields

view and system

show system services dhcp pool on page 824 show system services dhcp pool subnet-address on page 824 show system services dhcp pool subnet-address detail on page 824 Table 98 on page 823 describes the output fields for the show system services dhcp pool command. Output fields are listed in the approximate order in which they appear.

Table 98: show system services dhcp pool Output Fields Field Name

Field Description

Level of Output

Pool name

Subnet on which the IP address pool is defined.

None specified

Low address

Lowest address in the IP address pool.

None specified

High address

Highest address in the IP address pool.

None specified

Excluded addresses

Addresses excluded from the address pool.

None specified

Subnet

(subnet-address option only) Subnet to which the specified address pool belongs.

None specified

Address range

(subnet-address option only) Range of IP addresses in the address pool.

None specified

Addresses assigned

Number of IP addresses in the pool that are assigned to DHCP clients and the total number of IP addresses in the pool.

detail

Active

Number of assigned IP addresses in the pool that are active.

detail

Excluded

Number of assigned IP addresses in the pool that are excluded.

detail

Default lease time


detail


823

®


Table 98: show system services dhcp pool Output Fields (continued) Field Name

Field Description

Level of Output

Minimum lease time

Minimum time a client can retain an IP address lease on the server.

detail

Maximum lease time


detail

DHCP options


detail

Sample Output show system services dhcp pool

user@host> show system services dhcp pool Pool name 3.3.3.0/24

Low address 3.3.3.2

High address 3.3.3.254

Excluded addresses 3.3.3.1

show system services dhcp pool subnet-address

user@host> show system services dhcp pool 3.3.3.0/24

show system services dhcp pool subnet-address detail

user@host> show system services dhcp pool 3.3.3.0/24 detail

Pool information: Subnet Address range Addresses assigned

Pool information: Subnet Address range Addresses assigned Active: 1, Excluded: 1 DHCP lease times: Default lease time Minimum lease time Maximum lease time

3.3.3.0/24 3.3.3.2 - 3.3.3.254 2/253

3.3.3.0/24 3.3.3.2 - 3.3.3.254 2/253


DHCP options: Name: name-server, Value: { 6.6.6.6, 6.6.6.7 } Name: domain-name, Value: mydomain.tld Name: router, Value: { 3.3.3.1 } Name: server-identifier, Value: 3.3.3.1 Code: 19, Type: flag, Value: off Code: 40, Type: string, Value: domain.tld Code: 32, Type: ip-address, Value: 3.3.3.333.3.3.254 3.3.3.1

824



show system services dhcp statistics Syntax

show system services dhcp statistics

Release Information


Description

(J Series routers and EX Series switches only) Display Dynamic Host Configuration Protocol (DHCP) server statistics.

Options



view and system


•


clear system services dhcp statistics on page 804

show system services dhcp statistics on page 826

Output Fields

Table 99 on page 825 describes the output fields for the show system services dhcp statistics command. Output fields are listed in the approximate order in which they appear.

Table 99: show system services dhcp statistics Output Fields Field Name

Field Description

Default lease time


Minimum lease time

Minimum time a client can retain an IP address lease on the server.

Maximum lease time


Packets dropped

Total number of packets dropped and number of packets dropped because of: •

Invalid hardware address

•

Invalid opcode

•

Invalid server address

•

No available address

•

No interface match

•

No routing instance match

•

No valid local addresses

•

Packet too short

•

Read error

•

Send error


825

®


Table 99: show system services dhcp statistics Output Fields (continued) Field Name

Field Description

Messages received

Number of the following message types sent from DHCP clients and received by the DHCP server:

Messages sent

•

BOOTREQUEST

•

DHCPDECLINE

•

DHCPDISCOVER

•

DHCPINFORM

•

DHCPRELEASE

•

DHCPREQUEST

Number of the following message types sent from the DHCP server to DHCP clients: •

BOOTREPLY

•

DHCPACK

•

DHCPOFFER

•

DHCPNAK

Sample Output show system services dhcp statistics

826

user@host> show system services dhcp statistics DHCP lease times: Default lease time Minimum lease time Maximum lease time


Packets dropped: Total Bad hardware address Bad opcode Invalid server address No available addresses No interface match No routing instance match No valid local address Packet too short Read error Send error

0 0 0 0 0 0 0 0 0 0 0


0 0 0 0 0 0

Messages sent: BOOTREPLY DHCPACK DHCPOFFER DHCPNAK

0 0 0 0



show system services service-deployment Syntax Release Information


show system services service-deployment

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display information about a Session and Resource Control (SRC) client. This command has no options. system view show system services service-deployment on page 827 Table 100 on page 827 lists the output fields for the show system services service-deployment command. Output fields are listed in the approximate order in which they appear.

Table 100: show system services service-deployment Output Fields Field Name

Field Description

PDT Keepalive settings

Configured PDT keepalive interval, in seconds.

Keepalives sent

Number of keepalives sent.

Notifications sent

Number of notifications sent.

Last update from peer

Time at which the last update from a peer was received.

Sample Output show system services service-deployment

user@host> show system services service-deployment Connected to 192.4.4.4 port 10288 since 2004-05-03 11:04:34 PDT Keepalive settings: Interval 15 seconds Keepalives sent: 750 Notifications sent: 0 Last update from peer: 00:00:06 ago


827

®


ssh Syntax

ssh host

Syntax (EX Series Switch and the QFX Series)

ssh host

Release Information


Description

Use the SSH program to open a connection between a local router or switch and a remote system and execute commands on the remote system. You can issue the ssh command from the Junos OS CLI to log in to a remote system or from a remote system to log in to the local router or switch. When executing this command, you include one or more CLI commands by enclosing them in quotation marks and separating the commands with semicolons: ssh address 'cli-command1 ; cli-command2 '

Options

host—Name or address of the remote system. bypass-routing—(Optional) Bypass the normal routing tables and send ping requests

directly to a system on an attached network. If the system is not on a directly attached network, an error is returned. Use this option to ping a local system through an interface that has no route through it. inet | inet6—(Optional) Create an IPv4 or IPv6 connection, respectively. interface interface-name—(Optional) Interface name for the SSH session. (This option

does not work when default-address-selection is configured at the [edit system] hierarchy level, because this configuration uses the loopback interface as the source address for all locally generated IP packets.) logical-system logical-system-name—(Optional) Name of a particular logical system for

the SSH attempt. routing-instance routing-instance-name—(Optional) Name of the routing instance for the

SSH attempt.

828



source address—(Optional) Source address of the SSH connection. v1 | v2—(Optional) Use SSH version 1 or 2, respectively, when connecting to a remote

host. Additional Information

To configure an SSH (version 1) key for your user account, include the authentication ssh-rsa statement at the [edit system login user user-name] hierarchy level. To configure an SSH (version 2) key for your user account, include the authentication dsa-rsa statement at the [edit system login user user-name] hierarchy level. For details, see the . You can limit the number of times a user can attempt to enter a password while logging in through SSH. To specify the number of times a user can attempt to enter a password to log in through SSH, include the retry-options statement at the [edit system login] hierarchy level. For details, see the .


network

•

Configuring SSH Host Keys for Secure Copying of Data

ssh on page 829 When you enter this command, you are provided feedback on the status of your request.

Sample Output ssh

user@switch> ssh cree Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)? yes Host ?cree' added to the list of known hosts. boojun@cree's password: Last login: Sun Jun 21 10:43:42 1998 from junos-router % ...


829

®


telnet Syntax

telnet host


telnet host

Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Open a telnet session to a remote system. Type Ctrl+] to escape from the telnet session to the telnet command level, and then type quit to exit from telnet. host—Name or address of the remote system. 8bit—(Optional) Use an 8-bit data path. bypass-routing—(Optional) Bypass the normal routing tables and send ping requests

directly to a system on an attached network. If the system is not on a directly attached network, an error is returned. Use this option to ping a local system through an interface that has no route through it. inet | inet6—(Optional) Open an IPv4 or IPv6 session, respectively. interface interface-name—(Optional) Interface name for the telnet session. (This option

does not work when default-address-selection is configured at the [edit system] hierarchy level, because this configuration uses the loopback interface as the source address for all locally generated IP packets.) logical-system logical-system-name—(Optional) Name of a particular logical system for

the telnet attempt. no-resolve—(Optional) Do not attempt to determine the hostname that corresponds to

the IP address. port port-number—(Optional) Port number or service name on the remote system.

830



routing-instance routing-instance-name—(Optional) Name of the routing instance for the

telnet attempt. source source-address—(Optional) Source address of the telnet connection.



You can limit the number of times a user can attempt to enter a password while logging in through telnet. To specify the number of times a user can attempt to enter a password to log in through telnet, include the retry-options statement at the [edit system login] hierarchy level. For details, see the Junos OS System Basics Configuration Guide. network

telnet on page 831 When you enter this command, you are provided feedback on the status of your request.

Sample Output telnet

user@host> telnet 192.154.1.254 Trying 192.154.169.254... Connected to level5.company.net. Escape character is '^]'. ttypa login:


831

®


832


PART 9

Junos OS for EX Series Switches System Monitoring •

System Monitoring Overview on page 835

•

Administering and Monitoring System Functions on page 849

•

Configuration Statements for System Monitoring on page 867

•

Operational Commands for System Monitoring on page 883


833

®


834


CHAPTER 33

System Monitoring Overview •

Understanding Alarm Types and Severity Levels on EX Series Switches on page 835

•


•

EX Series Switches Hardware and CLI Terminology Mapping on page 847

Understanding Alarm Types and Severity Levels on EX Series Switches Before monitoring alarms on the switch, become familiar with the terms defined in Table 101 on page 835.

Table 101: Alarm Terms Term

Definition

alarm

Signal alerting you to conditions that might prevent normal operation. On a switch, the alarm signal is the yellow ALARM LED lit on the front of the chassis.

alarm condition

Failure event that triggers an alarm.

alarm severity

Seriousness of the alarm. The level of severity can be either major (red) or minor (yellow).

chassis alarm

Predefined alarm triggered by a physical condition on the switch such as a power supply failure, excessive component temperature, or media failure.

system alarm

Predefined alarm triggered by a missing rescue configuration or failure to install a license for a licensed software feature.

Alarm Types The switch supports these alarms: •

Chassis alarms indicate a failure on the switch or one of its components. Chassis alarms are preset and cannot be modified.

•

System alarms indicate a missing rescue configuration. System alarms are preset and cannot be modified, although you can configure them to appear automatically in the J-Web interface display or CLI display.

Alarm Severity Levels


835

®


Alarms on Juniper Networks EX Series Ethernet Switches have two severity levels: •

•

Major (red)—Indicates a critical situation on the switch that has resulted from one of the following conditions. A red alarm condition requires immediate action. •

One or more hardware components have failed.

•

One or more hardware components have exceeded temperature thresholds.

•

An alarm condition configured on an interface has triggered a critical warning.

Minor (yellow or amber)—Indicates a noncritical condition on the switch that, if left unchecked, might cause an interruption in service or degradation in performance. A yellow alarm condition requires monitoring or maintenance. A missing rescue configuration generates a yellow system alarm.


•

Checking Active Alarms with the J-Web Interface on page 852

•


Dashboard for EX Series Switches When you log in to the J-Web user interface, the dashboard for the EX Series switch appears. Use the dashboard to view system information. The dashboard comprises four panels and a graphical chassis viewer. You can click Preferences to choose which panels are to be displayed and set the refresh interval for chassis viewer information. Click OK to save your preference changes and return to the dashboard or click Cancel to return to the dashboard without saving changes.

NOTE: You can drag and drop the various panels to different locations in the J-Web window.


System Information Panel on page 836

•

Health Status Panel on page 837

•

Capacity Utilization Panel on page 839

•

Alarms Panel on page 839

•

Chassis Viewer on page 840

System Information Panel Table 102: System Information Field

Description

System name

Indicates the local name of the EX Series switch.

836


Chapter 33: System Monitoring Overview

Table 102: System Information (continued) Field

Description

Device model

Indicates the model of the EX Series switch. NOTE: For EX6210, EX8208 and EX8216 switches, the Device model information displays details of the master Routing Engine. To view details of the backup Routing Engine, select it.

Inventory details

Indicates the following: •

For EX2200, EX2200-C, EX3200 switches, and for EX3300, EX4200, and EX4500 switches not configured as Virtual Chassis, the value in Inventory is always 1 FPC. FPC is a legacy term for a slot in a large Juniper Networks chassis; here, it simply refers to the single switch.

•

For EX3300 switches configured as a Virtual Chassis, the value in Inventory is displayed as 1–6 FPC, with the number corresponding to the number of member switches.

•

For EX4200 and EX4500 switches configured as a Virtual Chassis, the value in Inventory is displayed as 1–10 FPC, with the number corresponding to the number of member switches.

•

For EX6210 switches, the values in Inventory are displayed as 1–2 CB and 1–9 FPC. Control board (CB) refers to the SRE module. FPC refers to line cards and the FPC within the CB.

•

For an EX8208 switch, the values in Inventory are displayed as 1–3 CB and 0–8 FPC. Control board (CB) refers to SRE and SF modules. FPC refers to line cards.

•

For an EX8216 switch, the values in Inventory are displayed as 1–2 CB and 0–16 FPC. Control board (CB) refers to RE modules and FPC refers to line cards.

Junos image

Indicates the version of the Junos OS image.

Boot image

Indicates the version of the boot image that is used.

Device uptime

Indicates the time since the last reboot.

Last configured time

Indicates the time when the switch was last configured.

Health Status Panel Table 103: Health Status Field

Description

EX2200, EX2200-C, EX3200, EX3300, and EX4200 Switches Memory util.

Indicates the memory used in the Routing Engine. In a Virtual Chassis configuration, the memory utilization value of the master Routing Engine is displayed.

Flash

Indicates the usage and capacity of internal flash memory and any external USB flash drive.

Temp.

Indicates the chassis temperature status. Temperatures in the dashboard are listed in Celsius and the corresponding Fahrenheit values. NOTE: Temp. is not applicable for an EX2200-C switch.

CPU load

Indicates the average CPU usage over 15 minutes.


837

®


Table 103: Health Status (continued) Field

Description

Fan status

Indicates the status of the fans in the fan tray. The possible values are OK, Failed, and Absent. NOTE: Fan Status is not applicable for an EX2200-C switch.

EX4500 Switches Memory util.

Indicates the memory used in the Routing Engine. In a Virtual Chassis configuration, the memory utilization value of the master Routing Engine is displayed

Flash


Temp

Indicates the temperature when an EX4200 switch is present in the Virtual Chassis configuration and is selected.

CPU load


Fan status

Indicates the status of the fans in the fan tray. The possible values are OK, Failed, and Absent. Also indicates the direction of airflow of the fan tray. The possible values are Front to back and Back to front.


Indicates the memory used in the master Routing Engine. Click the backup Routing Engine to view the memory used in the backup Routing Engine.

CPU load


Flash


Fan status

Indicates the status of the fans in the fan tray. The possible values are OK, Failed, and Absent.



CPU load


Flash




CPU load


Flash


838



Capacity Utilization Panel Table 104: Capacity Utilization Field

Description

Number of active ports

Indicates the number of active ports in the switch. Virtual Chassis ports (VCPs) are not considered active ports.

Total number of ports

Indicates the number of ports in the switch.

Used-up MAC-Table entries

Indicates the number of MAC table entries.

Supported MAC-Table entries

Indicates the maximum number of MAC table entries permitted.

Number of VLANs configured

Indicates the number of VLANs configured.

Number of VLANs supported

Indicates the maximum number of VLANs supported.

Alarms Panel Displays information about the last five alarms raised in the system. For example, if there are 5 major alarms, then details for all 5 major alarms are displayed. If there are 4 major alarms and 3 minor alarms, then details of the 4 major alarms and 1 minor alarm are displayed. Major alarms are displayed in red and minor alarms are displayed in yellow.


839

®


Chassis Viewer Click the Rear View button to see the back of the chassis image. Click the Front View button to see the front of the chassis image. In a Virtual Chassis configuration, the Rear View button is disabled if the switch is not selected. •

Table 105 on page 840—Describes the chassis viewer for EX2200 switches.

•

Table 106 on page 841—Describes the chassis viewer for EX2200-C switches.

•

Table 107 on page 841—Describes the chassis viewer for EX3200, EX3300, and EX4200 switches.

•


•


•


•


Table 105: Chassis Viewer for EX2200 Switches Field

Description

Front View Interface status

In the image, the colors listed below denote the interface status: •

Green—Interface is up and operational.

•

Yellow—Interface is up but is nonoperational.

•

Gray—Interface is down and nonoperational.

Hover the mouse pointer over the interface (port) to view more information.

Rear View Management (me0) port

The management port is used to connect the switch to a management device for out-of-band management.

Console port

The console port is used to connect the switch to a management console or to a console server. (You might do this for initial switch configuration.)

USB port

Indicates the USB port for the switch. NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch.

Fan tray

Hover the mouse pointer over the fan tray icon to display Name, Status, and Description information.

Power supply

Hover the mouse pointer over the power outlet icon to display Name, Status, and Description information.

840



Table 106: Chassis Viewer for EX2200-C Switches Field

Description




•


•


Hover the mouse pointer over the interface (port) to view more information. Management (me0) port


Console port


USB port


Rear View Power supply

Hover the mouse pointer over the power outlet icon to display Name, Status, and Description information.

Table 107: Chassis Viewer for EX3200, EX3300, and EX4200 Switches Field

Description




•


•


Hover the mouse pointer over the interface (port) to view more information. For a Virtual Chassis configuration, select the switch to view the interface status. If an SFP+ uplink module is installed in the switch, hover the mouse pointer over the port icon to display whether the module is configured to operate in 1-gigabit mode or in 10-gigabit mode. If the module is configured to operate in 1-gigabit mode, the tool tip information is displayed for all 4 ports. If the module is configured to operate in 10-gigabit mode, the tool tip information is displayed only for 2 ports. On an EX3300 switch with the 4x GE/XE SFP+ module, hover the mouse pointer over the port icon to display whether the module is configured to operate in 1-gigabit mode or 10-gigabit mode. For SFP, SFP+, and XFP ports, the interfaces appear dimmed if no transceiver is inserted. The chassis viewer displays “Transceiver not plugged-in” when you hover the mouse pointer over the port icon.


841

®


Table 107: Chassis Viewer for EX3200, EX3300, and EX4200 Switches (continued) Field

Description

LCD panel

LCD panel configured for the LEDs on the ports. Hover the mouse pointer over the icon to view the current character display.

Rear View of the EX3200 Switch Management (me0) port


Console port


USB port


Fan tray


Power supply

Hover the mouse pointer over the power supply icon to display Name, Status, and Description information.

Rear View of the EX3300 and EX4200 Switch Fan tray

Hover the mouse pointer over the fan tray icon to display Name, Status, and Description information. For a Virtual Chassis, the status of the fans of the selected member switch is displayed.

Virtual Chassis port

Displayed only when EX4200 switches are configured as a Virtual Chassis. The colors listed below denote the Virtual Chassis port (VCP) status:

USB port

•

Green—VCP is up and operational.

•

Yellow—VCP is up but is nonoperational.

•

Gray—VCP is down and nonoperational.


Management (me0) port


Console port


Power supplies

Hover the mouse pointer over the power supply icons to display Name, Status, and Description information.

842




Description




•


•


Hover the mouse pointer over the interface (port) to view more information. For a Virtual Chassis configuration, select the switch to view the interface status. If an SFP+ uplink module is installed in the switch, hover the mouse pointer over the interface (ports) on the module for more information. For SFP and SFP+ ports, the interfaces appear dimmed if no transceiver is inserted. The chassis viewer displays “Transceiver not plugged-in” when you hover the mouse pointer over the port icon. LCD panel


Console port

The console port is used to connect the switch to a management console or to a console server.

Management (me0) port

The management port is used to connect the switch to a management device for out-of-band management. Use this port for initial switch configuration.

USB port


Rear View of the EX4500 Switch Fan tray

Hover the mouse pointer over the fan tray icon to display status of the fans and airflow direction information. For a Virtual Chassis, the status of the fans of the selected member switch is displayed.

Virtual Chassis port

Displayed only when switches are configured as a Virtual Chassis. The colors listed below denote the Virtual Chassis port (VCP) status: •

Green—VCP is up and operational.

•

Yellow—VCP is up but is nonoperational.

•

Gray—VCP is down and nonoperational.

Power supplies


Intraconnect module

Hover the mouse pointer over the module to display details of the intraconnect module. The intraconnect module helps the switch achieve line rate on all its ports.

Virtual Chassis module

Hover the mouse pointer to display details of the switches in the Virtual Chassis configuration.


843

®



Description

Front View Temperature

Hover the mouse pointer over the temperature icon to display the temperature of the CB or line card.

Interface status

Select the CB or line card. In the image, the colors listed below denote the interface status: •


•


•


Hover the mouse pointer over the interface (port) to view more information. You can view status for the following ports on the SRE module: •

USB port—Indicates the USB port for the switch.

NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch. •

Management (me0) port—The management port is used to connect the switch to a management device for out-of-band management. There are 2 management ports: fiber and copper. The same status is displayed for both the me0 ports.

•

Console port—The console port is used to connect the switch to a management console or to a console server. (You might do this for initial switch configuration.)

CBs support 4 SFP+ uplink ports. Hover the mouse pointer over the interface on the CB for more information. For SFP and SFP+ ports, the interfaces appear dimmed if no transceiver is inserted. The chassis viewer displays “Transceiver not plugged-in” when you hover the mouse pointer over the port icon. Power supplies


LCD panel

LCD panel configured for the LEDs on the ports. Hover the mouse pointer over the icon to view the current character display of the master Routing Engine. The EX6210 switch has 2 LCD panels, one for each Routing Engine. The backup Routing Engine LCD displays Backup.

Rear View of the EX6210 Switch Fan tray

Hover the mouse pointer over the fan tray icon to display information regarding the cooling fans.


Description

Front View

844



Table 110: Chassis Viewer for EX8208 Switches (continued) Field

Description

Interface status

In the image, click any line card, SRE module, or SF module to view the front view of the selected component. The colors listed below denote the interface status: •


•


•


Hover the mouse pointer over the interface (port) to view more information. You can view status for the following ports on the SRE module: •


NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch. •

Auxiliary port—This port is not enabled on the switch. It is reserved for future use.

•

Management (me0) port—The management port is used to connect the switch to a management device for out-of-band management.

•


Because the SF module has no ports, no status information is displayed. Slot numbers

Slots on the switch are labeled, from the top of the switch down: •

0–3 (line cards)

•

SRE0, SF, SRE1 (SRE and SF modules)

•

4–7 (line cards)

Temperature

The active slots contain a gray temperature icon. Hover the mouse pointer over the icon to display temperature information for the slot.

Fan status


Power supplies


LCD panel


Rear View

The EX8208 switch does not have any components on the rear of the chassis.


845

®



Description


In the image, click any line card or RE module to view the front view of the selected component. The colors listed below denote the interface status: •


•


•


Hover the mouse pointer over the interface (port) to view more information. You can view status for the following ports on the RE module: •


NOTE: We recommend you use USB flash drives purchased from Juniper Networks for your EX Series switch.

Slot numbers

•

Auxiliary port—This port is not enabled on the switch. It is reserved for future use.

•

Management (me0) port—The management port is used to connect the switch to a management device for out-of-band management.

•


Slots on the switch are labeled, from the top of the switch down: •

RE0 (RE module)

•

RE1 (RE module)

•

0–15 (line cards)

Temperature

The active slots contain a gray temperature icon. Hover the mouse pointer over the icon to display temperature information for the slot.

Fan status

Hover the mouse pointer over the fan tray icon to display consolidated information about the fans.

Power supplies


LCD panel


Rear View SF modules


846

Hover the mouse pointer over the SF module icons in their respective slots to display information. Slots are numbered SF7–SF0, from left to right.

•


•


•


•




•


•


•


•


•


•


EX Series Switches Hardware and CLI Terminology Mapping The terms used to describe hardware components in EX Series switches documentation are sometimes different from the terms used in the Junos OS command line interface (CLI). See the following topics to map the hardware terms used in EX Series switches documentation to the corresponding terms used in the CLI:


•

EX2200 Switch Hardware and CLI Terminology Mapping

•


•


•


•


•


•


•


•


•


•


•


•


•



847

®


848


CHAPTER 34

Administering and Monitoring System Functions •

Monitoring System Log Messages on page 849

•


•

Monitoring Chassis Alarms for an EX8200 Switch on page 852

•

Monitoring Switch Control Traffic on page 856

•

Monitoring System Properties on page 858

•

Monitoring Chassis Information on page 860

•

Monitoring System Process Information on page 862

•

Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) on page 863

Monitoring System Log Messages Purpose

Action

Use the monitoring functionality to filter and view system log messages for EX Series switches. To view events in the J-Web interface, select Monitor > Events and Alarms > View Events. Apply a filter or a combination of filters to view messages. You can use filters to display relevant events. Table 112 on page 849 describes the different filters, their functions, and the associated actions. To view events in the CLI, enter the following command: show log

Table 112: Filtering System Log Messages Field

Function

Your Action

System Log File

Specifies the name of a system log file for which you want to display the recorded events.

To specify events recorded in a particular file, select the system log filename from the list—for example, messages.

Lists the names of all the system log files that you configure. By default, a log file, messages, is included in the /var/log/ directory.


Select Include archived files to include archived files in the search.

849

®


Table 112: Filtering System Log Messages (continued) Field

Function

Your Action

Process

Specifies the name of the process generating the events you want to display.

To specify events generated by a process, type the name of the process.

To view all the processes running on your system, enter the CLI command show system processes.

For example, type mgd to list all messages generated by the management process.

For more information about processes, see the Junos OS Installation and Upgrade Guide. Date From

Specifies the time period in which the events you want displayed are generated.

To Displays a calendar that allows you to select the year, month, day, and time. It also allows you to select the local time. By default, the messages generated in the last hour are displayed. End Time shows the current time and Start Time shows the time one hour before End Time. Event ID

Specifies the event ID for which you want to display the messages.

To specify the time period: •

Click the Calendar icon and select the year, month, and date—for example, 02/10/2007.

•

Click the Calendar icon and select the year, month, and date—for example, 02/10/2007.

•

Click to select the time in hours, minutes, and seconds.

To specify events with a specific ID, type the partial or complete ID—for example, TFTPD_AF_ERR.

Allows you to type part of the ID and completes the remainder automatically. An event ID, also known as a system log message code, uniquely identifies a system log message. It begins with a prefix that indicates the generating software process or library. Description

Specifies text from the description of events that you want to display. Allows you to use regular expressions to match text from the event description.

To specify events with a specific description, type a text string from the description with regular expression. For example, type Înitial* to display all messages with lines beginning with the term Initial.

NOTE: Regular expression matching is case-sensitive. Search

Applies the specified filter and displays the matching messages.

Meaning

To apply the filter and display messages, click Search.

Table 113 on page 851 describes the Event Summary fields.

NOTE: By default, the View Events page in the J-Web interface displays the most recent 25 events, with severity levels highlighted in different colors. After you specify the filters, Event Summary displays the events matching the specified filters. Click the First, Next, Prev, and Last links to navigate through messages.

850


Chapter 34: Administering and Monitoring System Functions

Table 113: Viewing System Log Messages Field

Function


Process

Displays the name and ID of the process that generated the system log message.

The information displayed in this field is different for messages generated on the local Routing Engine than for messages generated on another Routing Engine (on a system with two Routing Engines installed and operational). Messages from the other Routing Engine also include the identifiers re0 and re1 to identify the Routing Engine.

Severity

Severity level of a message is indicated by different colors.

A severity level indicates how seriously the triggering event affects switch functions. When you configure a location for logging a facility, you also specify a severity level for the facility. Only messages from the facility that are rated at that level or higher are logged to the specified file.

Event ID

•

Unknown—Gray—Indicates no severity level is specified.

•

Debug/Info/Notice—Green—Indicates conditions that are not errors but are of interest or might warrant special handling.

•

Warning—Yellow—Indicates conditions that warrant monitoring.

•

Error—Blue—Indicates standard error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.

•

Critical—Pink—Indicates critical conditions, such as hard-drive errors.

•

Alert—Orange—Indicates conditions that require immediate correction, such as a corrupted system database.

•

Emergency—Red—Indicates system panic or other conditions that cause the switch to stop functioning.

Displays a code that uniquely identifies the message. The prefix on each code identifies the message source, and the rest of the code indicates the specific event or error.

The event ID begins with a prefix that indicates the generating software process. Some processes on a switch do not use codes. This field might be blank in a message generated from such a process. An event can belong to one of the following type categories:

Event Description

Displays a more detailed explanation of the message.

Time

Displays the time at which the message was logged.


•

Error—Indicates an error or failure condition that might require corrective action.

•

Event—Indicates a condition or occurrence that does not generally require corrective action.

•


•



851

®


Checking Active Alarms with the J-Web Interface Purpose

Use the monitoring functionality to view alarm information for the EX Series switches including alarm type, alarm severity, and a brief description for each active alarm on the switching platform.

Action

To view the active alarms: 1.

Select Monitor > Events and Alarms > View Alarms in the J-Web interface.

2. Select an alarm filter based on alarm type, severity, description, and date range. 3. Click Go.

All the alarms matching the filter are displayed.

NOTE: When the switch is reset, the active alarms are displayed.

Meaning

Table 114 on page 852 lists the alarm output fields.

Table 114: Summary of Key Alarm Output Fields Field

Values

Type

Category of the alarm: •

Chassis—Indicates an alarm condition on the chassis (typically an environmental alarm such as one related to temperature).

•

System—Indicates an alarm condition in the system.

Severity

Alarm severity—either major (red) or minor (yellow).

Description

Brief synopsis of the alarm.

Time

Date and time when the failure was detected.


•

Monitoring System Log Messages on page 849

•


•


Monitoring Chassis Alarms for an EX8200 Switch Purpose

852

This document provides information on chassis alarm conditions, and how you should respond when a certain chassis alarm is seen on your switch.



Various conditions related to the chassis components trigger yellow and red alarms. You cannot configure these conditions. See “Understanding Alarm Types and Severity Levels on EX Series Switches” on page 835. Action

You can monitor chassis alarms by watching the ALM chassis status LED and using the LCD panel to gather information about the alarm. See Chassis Status LEDs in an EX8200 Switch and LCD Panel in an EX8200 Switch. To display switch chassis alarms in the CLI, use the following command user@host> show chassis alarms

The command output displays the number of alarms currently active, the time when the alarm began, the severity level, and an alarm description. Note the date and time of an alarm so that you can correlate it with error messages in the messages system log file. You can also monitor chassis alarms using the J-Web interface. See “Checking Active Alarms with the J-Web Interface” on page 852. Table 115 on page 853 lists some of the chassis alarms that an EX8200 switch can generate.

Table 115: Chassis Alarms for EX8200 Switches Component

Alarm Condition

Remedy

Severity


Fan tray

The fan tray has been removed from the chassis.

Install the fan tray.

Yellow/Red

The switch will eventually get too hot to operate if a fan tray is removed. Temperature alarms will follow. This alarm is expected during fan tray removal and installation.

Fan tray

One or more fans in a fan tray is spinning below the required speed.

Replace the fan tray.

Red

Individual fans cannot be replaced; you must replace the fan tray.

Fan tray

The fan tray’s internal connection to the switch is not functioning properly.

Remove and reinsert the fan tray.

Red

The switch will eventually get too hot to operate if a fan tray is not operating. Temperature alarms will follow.


If removing and reinserting the fan tray does not resolve the problem, reboot the switch.

853

®


Table 115: Chassis Alarms for EX8200 Switches (continued) Component

Alarm Condition

Remedy

Severity


Power supply

A power supply slot that contained a power supply at bootup is now empty.

Install a power supply in the empty power supply slot.

Yellow

You can ignore this alarm in cases in which a power supply slot can remain empty. You will not see this alarm if the switch is booted with an empty power supply slot. This alarm is expected during power supply removal and installation. This alarm can be triggered by a line card insertion. The alarm condition corrects itself when seen for this reason.

Power supply

A power supply has failed due to an input or output failure, or due to temperature issues.

Replace the failed power supply.

Red

Power supply

A power supply’s internal connection to the switch is not operating properly.

Remove and reinsert the power supply.

Red

The chassis warm temperature threshold has been exceeded and fan speeds have increased.

Adjust room temperature downward, if possible.

Temperature

If removing and reinserting the power supply does not resolve the problem, reboot the switch.

Ensure airflow through the switch is unobstructed.

Yellow

The chassis is warm and should be cooled down. The switch is still functioning normally. To monitor temperature: user@switch>

show chassis

environment

To monitor temperature thresholds: user@switch>

show chassis

temperature-thresholds

854




Alarm Condition

Remedy

Severity


Temperature

The chassis high temperature threshold has been exceeded and the fans are operating at full speed.


Red

The chassis is hot and should be cooled down. The switch might still function normally but is close to shutting down if it hasn’t already.


To monitor temperature: user@switch>

show chassis

environment


show chassis


Temperature

Temperature

The chassis warm temperature threshold has been exceeded, and one or more fans are not operating properly. The operating fans are running at full speed.

The chassis high temperature threshold has been exceeded, and one or more fans is not operating properly. The operating fans are running at full speed.

Replace the fan tray that has the faulty fan or fans.

Yellow

The chassis is warm and should be cooled down. The switch is still functioning normally.


To monitor temperature:


To monitor temperature user@switch> thresholds: show chassis

Replace the fan tray that has the faulty fan or fans.

user@switch>

show chassis

environment


Red


The chassis is hot and should be cooled down. The switch might still function normally but is close to shutting down if it hasn’t already. To monitor temperature: user@switch>


show chassis

environment


show chassis


Temperature

The temperature sensor on a hardware component has failed.

Replace the hardware component.

Yellow

Routing Engine (RE), Switch Fabric and Routing Engine (SRE), or Switch Fabric (SF) module

The RE, SRE, or SF module has failed.

The RE, SRE, or SF module must be replaced.

Red


855

®



Alarm Condition

Remedy

Severity


Link Status

The link to the network is down.

Check network connectivity.

Red or Yellow

The network link is disabled by default, so you might see this alarm before you connect the switch to the network.


•


•

Chassis Status LEDs in an EX8200 Switch

Monitoring Switch Control Traffic Purpose

Action

Use the packet capture feature when you need to quickly capture and analyze switch control traffic on a switch. The packet capture feature allows you to capture traffic destined for or originating from the Routing Engine. To use the packet capture feature in the J-Web interface, select Troubleshoot > Packet Capture. To use the packet capture feature in the CLI, enter the following CLI command: monitor traffic

Meaning

You can use the packet capture feature to compose expressions with various matching criteria to specify the packets that you want to capture. You can decode and view the captured packets in the J-Web interface as they are captured. The packet capture feature does not capture transient traffic.

Table 116: Packet Capture Field Summary Field

Function

Your Action

Interface

Specifies the interface on which the packets are captured. If you select default, packets on the Ethernet management port 0, are captured.

From the list, select an interface—for example, ge-0/0/0.

Detail level

Specifies the extent of details to be displayed for the packet headers.

From the list, select Detail.

Packets

856

•

Brief—Displays the minimum packet header information. This is the default.

•

Detail—Displays packet header information in moderate detail.

•

Extensive—Displays the maximum packet header information.

Specifies the number of packets to be captured. Values range from 1 to 1000. Default is 10. Packet capture stops capturing packets after this number is reached.

From the list, select the number of packets to be captured—for example, 10.



Table 116: Packet Capture Field Summary (continued) Field

Function

Your Action

Addresses

Specifies the addresses to be matched for capturing the packets using a combination of the following parameters:

Select address-matching criteria. For example:

•

Direction—Matches the packet headers for IP address, hostname, or network address of the source, destination or both.

1.

Type—Specifies if packet headers are matched for host address or network address.

3. In the Address box, type 10.1.40.48.

•

From the Direction list, select source.

2. From the Type list, select host.

4. Click Add.

You can add multiple entries to refine the match criteria for addresses. Protocols

Matches the protocol for which packets are captured. You can choose to capture TCP, UDP, or ICMP packets or a combination of TCP, UDP, and ICMP packets.

From the list, select a protocol—for example, tcp.

Ports

Matches packet headers containing the specified source or destination TCP or UDP port number or port name.

Select a direction and a port. For example: •

From the Type list, select src.

•

In the Port box, type 23.

Advanced Options Absolute TCP Sequence

Specifies that absolute TCP sequence numbers are to be displayed for the packet headers.

To display absolute TCP sequence numbers in the packet headers, select this check box.

Layer 2 Headers

Specifies that link-layer packet headers are to be displayed.

To include link-layer packet headers while capturing packets, select this check box.

Non-Promiscuous

Specifies not to place the interface in promiscuous mode, so that the interface reads only packets addressed to it. In promiscuous mode, the interface reads every packet that reaches it.

To read all packets that reach the interface, select this check box.

Display Hex

Specifies that packet headers, except link-layer headers, are to be displayed in hexadecimal format.

To display the packet headers in hexadecimal format, select this check box.

Display ASCII and Hex

Specifies that packet headers are to be displayed in hexadecimal and ASCII format.

To display the packet headers in ASCII and hexadecimal formats, select this check box.

Header Expression

Specifies the match condition for the packets to be captured. The match conditions you specify for Addresses, Protocols, and Ports are displayed in expression format in this field.

You can enter match conditions directly in this field in expression format or modify the expression composed from the match conditions you specified for Addresses, Protocols, and Ports. If you change the match conditions specified for Addresses, Protocols, and Ports again, packet capture overwrites your changes with the new match conditions.

Packet Size

Specifies the number of bytes to be displayed for each packet. If a packet header exceeds this size, the display is truncated for the packet header. The default value is 96 bytes.

Type the number of bytes you want to capture for each packet header—for example, 256.


857

®


Table 116: Packet Capture Field Summary (continued) Field

Function

Your Action

Don't Resolve Addresses

Specifies that IP addresses are not to be resolved into hostnames in the packet headers displayed.

To prevent packet capture from resolving IP addresses to hostnames, select this check box.

No Timestamp

Suppresses the display of packet header timestamps.

To stop displaying timestamps in the captured packet headers, select this check box.

Write Packet Capture File

Writes the captured packets to a file in PCAP format in /var/tmp. The files are named with the prefix jweb-pcap and the extension .pcap. If you select this option, the decoded packet headers are not displayed on the packet capture page.

To decode and display the packet headers on the J-Web page, clear this check box.


•

Using the CLI Terminal on page 229

Monitoring System Properties Purpose

Action

Use the monitoring functionality to view system properties such as the name and IP address of the switch and resource usage. To monitor system properties in the J-Web interface, select Monitor > System View > System Information. To monitor system properties in the CLI, enter the following commands:

Meaning

•

show system uptime

•

show system users

•

show system storage

Table 117 on page 858 summarizes key output fields in the system properties display.

Table 117: Summary of Key System Properties Output Fields Field

Values


General Information Serial Number

Serial number for the switch.

Junos OS Version

Version of Junos OS active on the switch, including whether the software is for domestic or export use.

Hostname

The name of switch.

IP Address

The IP address of the switch.

858

Export software is for use outside of the U.S. and Canada.



Table 117: Summary of Key System Properties Output Fields (continued) Field

Values

Loopback Address

The loopback address.

Domain Name Server

The address of the domain name server.

Time Zone

The time zone on the switch.


Time Current Time

Current system time, in Coordinated Universal Time (UTC).

System Booted Time

Date and time when the switch was last booted and how long it has been running.

Protocol Started Time

Date and time when the switching protocols were last started and how long they have been running.

Last Configured Time

Date and time when a configuration was last committed. This field also shows the name of the user who issued the last commit command, through either the J-Web interface or the CLI.

Load Average

The CPU load average for 1, 5, and 15 minutes.

Storage Media Internal Flash Memory

Memory usage details of internal flash.

External Flash Memory

Usage details of external flash memory.

Logged in Users Details User

Username of any user logged in to the switching platform.

Terminal

Terminal through which the user is logged in.

From

System from which the user has logged in. A hyphen indicates that the user is logged in through the console.

Login Time

Time when the user logged in.


This is the LOGIN@ field in show system users command output.

859

®


Table 117: Summary of Key System Properties Output Fields (continued) Field

Values

Idle Time

How long the user has been idle.



•


•


Monitoring Chassis Information Purpose

Action

Use the monitoring functionality to view chassis properties such as general switch information, temperature and fan status, and resource information for the EX Series switch. To view chassis properties in the J-Web interface, select Monitor > System View > Chassis Information. To view chassis properties in the CLI, enter the following commands:

Meaning

•

show chassis environment

•

show chassis fpc

•

show chassis hardware

Table 118 on page 860 gives information about the key output fields for chassis information.

NOTE: For an EX2200, EX2200-C, EX3200, or EX4500 switch or an EX4200 standalone switch, the FPC slot number refers to the switch itself and is always 0. In a Virtual Chassis configuration, the FPC slot number refers to the member ID. In an EX8200 switch, the FPC slot number refers to the line card slot number.

Table 118: Summary of the Key Output Fields for Chassis Information Field

Values

Routing Engine Details

Select the Master tab to view details about the master Routing Engine or select Backup to view details about the backup Routing Engine.

860



Table 118: Summary of the Key Output Fields for Chassis Information (continued) Field

Values

Name/Value

This table displays the following details of the master Routing Engine: •

Routing engine module

•

Model

•

Version

•

Part number

•

Serial number

•

Memory utilization

•

Temperature

•

Start time

•

CPU load average for 1, 5, and 15 minutes

Power and Fan Tray Details Power

Select the Power tab to view details of the power supplies.

Name/Value

Displays the status and model number of each power supply.

Fan

Select the Fan tab to view details about the fans.

Name/Value

Displays the status of each fan in the corresponding FPC.

Chassis Component Details Select component

Select an FPC to view General, Temperature, Resource, and Sub-component details.

General

Select the General tab to view the general information about the chassis components.

Name/Value

Displays general information: •

Version—Revision level. Supply the version number when reporting hardware problems to customer support.

•

Part Number

•

Serial Number—Supply the serial number when contacting customer support about the switch chassis.

•

Description—Brief text description.

Temperature

Select the Temperature tab to view the temperature details of the components in the selected FPC.

Name/Value

Displays the temperature details of the sensors present in the selected FPC.

Resource

Select the Resource tab to view the resource details of the selected FPC.


861

®


Table 118: Summary of the Key Output Fields for Chassis Information (continued) Field

Values

Name/Value

Displays resource details: •


State: •

Dead—Held in reset because of errors.

•

Diag—The FPC is running diagnostics.

•

Dormant—Held in reset.

•

Empty—No FPC is present.

•

Online—The FPC is online and running.

•

Probed—Probe is complete. The FPC is awaiting restart of the Packet Forwarding Engine (PFE).

•

Probe-wait—The FPC is waiting for the probe operation to start.

•

Total CPU DRAM—Total DRAM, in megabytes, available to the FPC.

•

Start time—Date and time the switch was last rebooted.

•


•


•


Monitoring System Process Information Purpose Action

Use the monitoring functionality to view the processes running on the switch. To view the software processes running on the switch in the J-Web interface, select Monitor > System View > Process Details. To view the software processes running on the switch in the CLI, enter the following command. show system processes

Meaning

Table 119 on page 862 summarizes the output fields in the system process information display. The display includes the total CPU load and total memory utilization.

Table 119: Summary of System Process Information Output Fields Field

Values

PID

Identifier of the process.

Name

Owner of the process.

State

Current state of the process.

862




Table 119: Summary of System Process Information Output Fields (continued) Field

Values

CPU Load

Percentage of the CPU that is being used by the process.

Memory Utilization

Amount of memory that is being used by the process.

Start Time

Time of day when the process started.



•


•

For more information about show system properties command, see show system uptime on page 1510

Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) You can use the J-Web interface to rotate log files and delete unnecessary log, temporary, and crash files on the switch. 1.

Cleaning Up Files on page 863

2. Downloading Files on page 864 3. Deleting Files on page 864

Cleaning Up Files If you are running low on storage space, use the file cleanup procedure to quickly identify files to delete. The file cleanup procedure performs the following tasks: •

Rotates log files—Archives the current log files, and creates fresh log files.

•

Deletes log files in /var/log—Deletes files that are not currently being written to.

•

Deletes temporary files in /var/tmp—Deletes files that have not been accessed within two days.

•

Deletes all crash files in /var/crash—Deletes core files that the switch has written during an error.

To rotate log files and delete unnecessary files with the J-Web interface: 1.

Select Maintain > Files.

2. In the Clean Up Files section, click Clean Up Files. The switching platform rotates log

files and identifies files that can be safely deleted. The J-Web interface displays the files that you can delete and the amount of space that will be freed on the file system.


863

®


3. Click one: •

To delete the files and return to the Files page, click OK.

•

To cancel your entries and return to the list of files in the directory, click Cancel.

Downloading Files You can use the J-Web interface to download a copy of an individual log, temporary, or crash file from the switching platform. When you download a file, it is not deleted from the file system. To download files with the J-Web interface: 1.

In the J-Web interface, select Maintain > Files.

2. In the Download and Delete Files section, click one: •

Log Files—Log files in the /var/log directory on the switch.

•

Temporary Files—Lists the temporary files in the /var/tmp directory on the switching platform.

•

Jailed Temporary Files (Install, Session, etc)—Lists the files in the /var/jail/tmp directory on the switching platform.

•

Crash (Core) Files—Lists the core files in the /var/crash directory on the switching platform. The J-Web interface displays the files located in the directory.

3. Select the files that you want to download and click Download. 4. Choose a location for the saved file.

The file is saved as a text file, with a .txt file extension.

Deleting Files You can use the J-Web interface to delete an individual log, temporary, and crash file from the switching platform. When you delete the file, it is permanently removed from the file system.

CAUTION: If you are unsure whether to delete a file from the switching platform, we recommend using the Clean Up Files tool described in Cleaning Up Files. This tool determines which files can be safely deleted from the file system.

To delete files with the J-Web interface: 1.

Select Maintain > Files.

2. In the Download and Delete Files section, click one:

864



•

Log Files—Lists the log files in the /var/log directory on the switching platform.

•

Temporary Files—Lists the temporary files in the /var/tmp directory on the switching platform.

•

Jailed Temporary Files (Install, Session, etc)—Lists the files in the /var/jail/tmp directory on the switching platform.

•

Crash (Core) Files—Lists the core files in the /var/crash directory on the switching platform. The J-Web interface displays the files in the directory.

3. Select the box next to each file you plan to delete. 4. Click Delete.

The J-Web interface displays the files you can delete and the amount of space that will be freed on the file system. 5. Click one of the following buttons on the confirmation page:


•

•

To delete the files and return to the Files page, click OK.

•

To cancel your entries and return to the list of files in the directory, click Cancel.



865

®


866


CHAPTER 35

Configuration Statements for System Monitoring facility-override Syntax Hierarchy Level Release Information

Description

Options

facility-override facility; [edit system syslog host]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Substitute an alternate facility for the default facilities used when messages are directed to a remote destination. facility—Alternate facility to substitute for the default facilities. For a list of the possible

facilities, see Junos OS System Log Alternate Facilities for Remote Logging. Required Privilege Level Related Documentation


Changing the Alternative Facility Name for Remote System Log Messages

•

Junos OS System Log Messages Reference


867

®


file (System Logging) Syntax


Description Options

file filename { facility severity; archive { files number; size size; (no-world-readable | world-readable); } explicit-priority; match "regular-expression"; structured-data { brief; } } [edit system syslog]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the logging of system messages to a file. facility—Class of messages to log. To specify multiple classes, include multiple facility severity statements. For a list of the facilities, see Junos OS System Logging

Facilities and Message Severity Levels. file filename—File in the /var/log directory in which to log messages from the specified

facility. To log messages to more than one file, include more than one file statement. severity—Severity of the messages that belong to the facility specified by the paired facility name. Messages with severities of the specified level and higher are logged.

For a list of the severities, see Junos OS System Logging Facilities and Message Severity Levels. The remaining statements are explained separately. Required Privilege Level Related Documentation

868


Directing System Log Messages to a Log File

•



Chapter 35: Configuration Statements for System Monitoring

files Syntax Hierarchy Level

Release Information

Description

Options

files number; [edit system syslog archive], [edit system syslog file filename archive]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for EX Series switches. Configure the maximum number of archived log files to retain. When the Junos OS logging utility has written a defined maximum amount of data to a log file logfile, it closes the file, compresses it, and renames it to logfile.0.gz (for information about the maximum file size, see size). The utility then opens and writes to a new file called logfile. When the new file reaches the maximum size, the logfile.0.gz file is renamed to logfile.1.gz, and the new file is closed, compressed, and renamed logfile.0.gz. By default, the logging facility creates up to ten archive files in this manner. Once the maximum number of archive files exists, each time the active log file reaches the maximum size, the contents of the oldest archive file are lost (overwritten by the next oldest file). number—Maximum number of archived files.

Range: 1 through 1000 Default: 10 files Required Privilege Level Related Documentation


Specifying Log File Size, Number, and Archiving Properties

•


•

size on page 874


869

®


host Syntax

QFX Series

host (hostname | other-routing-engine) { facility severity; explicit-priority; facility-override facility; log-prefix (System) string; match "regular-expression"; source-address source-address; structured-data { brief; } } host (hostname { facility severity; explicit-priority; facility-override facility; log-prefix (System) string; match "regular-expression"; port; source-address source-address; }

TX Matrix Router and EX Series Switches

host (hostname | other-routing-engine | scc-master) { facility severity; explicit-priority; facility-override facility; log-prefix (System) string; match "regular-expression"; port; source-address source-address; }

TX Matrix Plus Router

host (hostname | other-routing-engine | sfc0-master) { facility severity; explicit-priority; facility-override facility; log-prefix (System) string; match "regular-expression"; port; source-address source-address; }

Hierarchy Level

Release Information

Description

870

[edit logical-systems logical-system-name system syslog], [edit system syslog]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the logging of system messages to a remote destination.



Options

facility—Class of messages to log. To specify multiple classes, include multiple facility severity statements. For a list of the facilities, see Junos OS System Logging Facilities

and Message Severity Levels. hostname—IPv4 address, IPv6 address, or fully qualified hostname of the remote machine

to which to direct messages. To direct messages to multiple remote machines, include a host statement for each one. other-routing-engine—Direct messages to the other Routing Engine on a router or switch

with two Routing Engines installed and operational.

NOTE: The other-routing-engine option is not applicable to the QFX Series.

port—Port number of the remote syslog server that can be modified. scc-master—(TX Matrix routers only) On a T640 router that is part of a routing matrix,

direct messages to the TX Matrix router. severity—Severity of the messages that belong to the facility specified by the paired facility name. Messages with severities of the specified level and higher are logged.

For a list of the severities, see Junos OS System Logging Facilities and Message Severity Levels. sfc0-master—(TX Matrix Plus routers only) On a T1600 router that is part of a routing

matrix, direct messages to the TX Matrix Plus router. The remaining statements are explained separately. Required Privilege Level Related Documentation


Directing System Log Messages to a Remote Machine or the Other Routing Engine

•

Directing Messages to a Remote Destination from the Routing Matrix Based on the TX Matrix Router

•

Directing Messages to a Remote Destination from the Routing Matrix Based on a TX Matrix Plus Router

•



871

®


interface (Accounting or Sampling) Syntax

Hierarchy Level


interface interface-name { engine-id number; engine-type number; source-address address; } [edit forwarding-options accounting name output], [edit forwarding-options sampling family (inet |inet6 |mpls) output], [edit forwarding-options sampling instance instance-name family (inet |inet6 |mpls) output]

Statement introduced before Junos OS Release 7.4. Specify the output interface for monitored traffic. interface-name—Name of the interface.

The remaining statements are explained separately. Usage Guidelines Required Privilege Level

See Configuring Discard Accounting or Configuring Traffic Sampling. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

log-prefix Syntax Hierarchy Level

log-prefix string; [edit system syslog host]

Release Information


Description

Include a text string in each message directed to a remote destination.


872

string—Text string to include in each message.


Adding a Text String to System Log Messages

•




match Syntax Hierarchy Level

Release Information

Description


match "regular-expression"; [edit logical-systems logical-system-name system syslog file filename], [edit logical-systems logical-system-name system syslog user (username | *)], [edit system syslog file filename], [edit system syslog host hostname | other-routing-engine| scc-master)], [edit system syslog user (username | *)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify a text string that must (or must not) appear in a message for the message to be logged to a destination. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Using Regular Expressions to Refine the Set of Logged Messages


873

®


size Syntax Hierarchy Level

Release Information

Description

Options

size size; [edit system syslog archive], [edit system syslog file filename archive]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the maximum amount of data that the Junos OS logging utility writes to a log file logfile before archiving it (closing it, compressing it, and changing its name to logfile.0.gz). The utility then opens and writes to a new file called logfile. For information about the number of archive files that the utility creates in this way, see files. size—Maximum size of each system log file, in kilobytes (KB), megabytes (MB), or

gigabytes (GB). Syntax: xk to specify the number of kilobytes, xm for the number of megabytes, or xg for the number of gigabytes Range: 64 KB through 1 GB Default: 1 MB for MX Series routers and the QFX Series Required Privilege Level Related Documentation

874



•


•

files on page 869



structured-data Syntax

Hierarchy Level

Release Information

Description

structured-data { brief; } [edit logical-systems logical-system-name system syslog file filename], [edit system syslog file filename]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Write system log messages to the log file in structured-data format, which complies with Internet draft draft-ietf-syslog-protocol-23, The syslog Protocol (http://tools.ietf.org/html/draft-ietf-syslog-protocol-23).

NOTE: When this statement is included, other statements that specify the format for messages written to the file are ignored (the explicit-priority statement at the [edit system syslog file filename] hierarchy level and the time-format statement at the [edit system syslog] hierarchy level).



Logging Messages in Structured-Data Format

•


•

explicit-priority

•

time-format on page 878


875

®


syslog Syntax

Hierarchy Level

876

syslog { archive { (binary-data | no-binary-data); files number; size maximum-file-size; start-time "YYYY-MM-DD.hh:mm"; transfer-interval minutes; (world-readable | no-world-readable); } console { facility severity; } file filename { facility severity; explicit-priority; match "regular-expression"; archive { (binary-data | no-binary-data); files number; size maximum-file-size; start-time "YYYY-MM-DD.hh:mm"; transfer-interval minutes; (world-readable | no-world-readable); } structured-data { brief; } } host (hostname | other-routing-engine | scc-master) { facility severity; explicit-priority; facility-override facility; log-prefix string; match "regular-expression"; source-address source-address; structured-data { brief; } port port number; } log-rotate-frequency frequency; source-address source-address; time-format (millisecond | year | year millisecond); user (username | *) { facility severity; match "regular-expression"; } } [edit logical-systems logical-system-name system], [edit system]



Release Information

Description

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Support at the [edit logical-systems logical-system-name system] hierarchy level introduced in Junos OS Release 11.4. Configure the types of system log messages to log to files, a remote destination, user terminals, or the system console. The remaining statements are explained separately.



Junos OS System Log Configuration Overview

•


•

Overview of Single-Chassis System Logging Configuration


877

®


time-format Syntax Hierarchy Level Release Information

Description

time-format (year | millisecond | year millisecond); [edit system syslog]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Include the year, the millisecond, or both, in the timestamp on every standard-format system log message. The additional information is included for messages directed to each destination configured by a file, console, or user statement at the [edit system syslog] hierarchy level, but not to destinations configured by a host statement. By default, the timestamp specifies the month, date, hour, minute, and second when the message was logged—for example, Aug 21 12:36:30. However, the timestamp for traceoption messages is specified in milliseconds by default, and is independent of the [edit system syslog time-format] statement.

NOTE: When the structured-data statement is included at the [edit system syslog file filename] hierarchy level, this statement is ignored for the file.

Options

millisecond—Include the millisecond in the timestamp. year—Include the year in the timestamp.


878


Including the Year or Millisecond in Timestamps

•


•

structured-data on page 875



time-zone Syntax Hierarchy Level Release Information

Description

Default Options

time-zone (GMT hour-offset | time-zone); [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. GMT hour-offset option added in Junos OS Release 7.4. Set the local time zone. To have the time zone change take effect for all processes running on the router or switch, you must reboot the router or switch. UTC GMT hour-offset—Set the time zone relative to UTC time.

Range: –14 through +12 Default: 0 time-zone—Specify the time zone as UTC, which is the default time zone, or as a string

such as PDT (Pacific Daylight Time), or use one of the following continents and major cities: Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/Windhoek America/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Aruba, America/Asuncion, America/Barbados, America/Belize, America/Bogota, America/Boise, America/Buenos_Aires, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/El_Salvador, America/Ensenada, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/La_Paz, America/Lima, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Mexico_City, America/Miquelon, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince,


879

®


America/Port_of_Spain, America/Porto_Acre, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Whitehorse, America/Winnipeg, America/Yakutat, America/Yellowknife Antarctica/Casey, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_Pole Arctic/Longyearbyen Asia/Aden, Asia/Alma-Ata, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Irkutsk, Asia/Ishigaki, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon, Asia/Riyadh, Asia/Saigon, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Thimbu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/Yerevan Atlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/Stanley Australia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Darwin, Australia/Hobart, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/Perth, Australia/Sydney Europe/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/Zurich Indian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/Reunion Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap


880





•

Modifying the Default Time Zone for a Router or Switch Running Junos OS

•


user (System Logging) Syntax


Description Options

user (username | *) { facility severity; match "regular-expression"; } [edit system syslog]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the logging of system messages to user terminals. * (the asterisk)—Log messages to the terminal sessions of all users who are currently

logged in. facility—Class of messages to log. To specify multiple classes, include multiple facility severity statements. For a list of the facilities, see Junos OS System Logging Facilities

and Message Severity Levels. severity—Severity of the messages that belong to the facility specified by the paired facility name. Messages with severities the specified level and higher are logged. For

a list of the severities, see Junos OS System Logging Facilities and Message Severity Levels. username—Junos OS login name of the user whose terminal session is to receive system

log messages. To log messages to more than one user’s terminal session, include more than one user statement. The remaining statement is explained separately. Required Privilege Level Related Documentation


Directing System Log Messages to a User Terminal

•

Junos OS System Logging Facilities and Message Severity Levels

•



881

®


world-readable Syntax Hierarchy Level

Release Information

Description


882

world-readable | no-world-readable; [edit system syslog archive], [edit system syslog file filename archive]

Statement introduced before OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Grant all users permission to read log files, or restrict the permission only to the root user and users who have the Junos maintenance permission. no-world-readable



•

Junos System Log Messages Reference


CHAPTER 36

Operational Commands for System Monitoring


883

®


clear log Syntax

Release Information

Description Options

clear log filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Remove contents of a log file. filename—Name of the specific log file to delete. all—(Optional) Delete the specified log file and all archived versions of it.


clear

•

show log on page 1186

clear log on page 884 See file list for an explanation of output fields.

Sample Output clear log

The following sample commands list log file information, clear the contents of a log file, and then display the updated log file information: user@host> file list lcc0-re0:/var/log/sampled detail lcc0-re0: --------------------------------------------------------------------------rw-r----- 1 root wheel 26450 Jun 23 18:47 /var/log/sampled total 1 user@host> clear log lcc0-re0:sampled lcc0-re0: -------------------------------------------------------------------------user@host> file list lcc0-re0:/var/log/sampled detail lcc0-re0: --------------------------------------------------------------------------rw-r----- 1 root wheel 57 Sep 15 03:44 /var/log/sampled total 1

884


Chapter 36: Operational Commands for System Monitoring

file archive Syntax

Release Information

Description

Options

file archive destination destination source source

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Archive, and optionally compress, one or multiple local system files as a single file, locally or at a remote location. destination destination—Destination of the archived file or files. Specify the destination

as a URL or filename. The Junos OS adds one of the following suffixes if the destination filename does not already have it: •

For archived files—The suffix .tar

•

For archived and compressed files—The suffix .tgz

source source—Source of the original file or files. Specify the source as a URL or filename. compress—(Optional) Compress the archived file with the GNU zip (gzip) compression

utility. The compressed files have the suffix .tgz. Required Privilege Level List of Sample Output

Output Fields

maintenance

file archive (Multiple Files) on page 885 file archive (Single File) on page 885 file archive (with Compression) on page 885 When you enter this command, you are provided feedback on the status of your request.

Sample Output file archive (Multiple Files)

The following sample command archives all message files in the local directory /var/log/messages as the single file messages-archive.tar. user@host> file archive source /var/log/messages* destination /var/log/messages-archive.tar /usr/bin/tar: Removing leading / from absolute path names in the archive. user@host>

file archive (Single File)

The following sample command archives one message file in the local directory /var/log/messages as the single file messages-archive.tar. user@host> file archive source /var/log/messages destination /var/log/messages-archive.tar /usr/bin/tar: Removing leading / from absolute path names in the archive. user@host

file archive (with Compression)

The following sample command archives and compresses all message files in the local directory /var/log/messages as the single file messages-archive.tgz.


885

®


user@host> file archive compress source /var/log/messages* destination /var/log/messages-archive.tgz /usr/bin/tar: Removing leading / from absolute path names in the archive.

886



file checksum md5 Syntax Release Information

Description Options

file checksum md5 filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Calculate the Message Digest 5 (MD5) checksum of a file. pathname—(Optional) Path to a filename. filename—Name of a local file for which to calculate the MD5 checksum.



maintenance

•


•


•


•


•


•


•

op on page 317

file checksum md5 on page 887 When you enter this command, you are provided feedback on the status of your request.

Sample Output file checksum md5

user@host> file checksum md5 jbundle-5.3R2.4-export-signed.tgz MD5 (jbundle-5.3R2.4-export-signed.tgz) = 2a3b69e43f9bd4893729cc16f505a0f5


887

®


file checksum sha1 Syntax Release Information

Description Options

file checksum sha1 filename

Command introduced in Junos OS Release 9.5. Command introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Calculate the Secure Hash Algorithm (SHA-1) checksum of a file. pathname—(Optional) Path to a filename. filename—Name of a local file for which to calculate the SHA-1 checksum.



maintenance

•


•


•


•


•


•


•

op on page 317

file checksum sha1 on page 888 When you enter this command, you are provided feedback on the status of your request.

Sample Output file checksum sha1

user@host> file checksum sha1 /var/db/scripts/opscript.slax SHA1 (/var/db/scripts/commitscript.slax) = ba9e47120c7ce55cff29afd73eacd370e162c676

888



file checksum sha-256 Syntax Release Information

Description Options

file checksum sha-256 filename

Command introduced in Junos OS Release 9.5. Command introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Calculate the Secure Hash Algorithm 2 family (SHA-256) checksum of a file. pathname—(Optional) Path to a filename. filename—Name of a local file for which to calculate the SHA-256 checksum.



maintenance

•


•


•


•


•


•


•

op on page 317

file checksum sha-256 on page 889 When you enter this command, you are provided feedback on the status of your request.

Sample Output file checksum sha-256

user@host> file checksum sha-256 /var/db/scripts/commitscript.slax SHA256 (/var/db/scripts/commitscript.slax) = 94c2b061fb55399e15babd2529453815601a602b5c98e5c12ed929c9d343dd71


889

®


file compare Syntax

Release Information

Description

file compare (files filename filename)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Compare two local files and describe the differences between them in default, context, or unified output styles: •

Default—In the first line of output, c means lines were changed between the two files, d means lines were deleted between the two files, and a means lines were added

between the two files. The numbers preceding this alphabetical marker represent the first file, and the lines after the alphabetical marker represent the second file. A left angle bracket () in front of output lines refers to the second file. •

Context—The display is divided into two parts. The first part is the first file; the second

part is the second file. Output lines preceded by an exclamation point (!) have changed. Additions are marked with a plus sign (+), and deletions are marked with a minus sign (-). •

Unified—The display is preceded by the line number from the first and the second file

(xx,xxx,x). Before the line number, additions to the file are marked with a plus sign (+), and deletions to the file are marked with a minus sign (-). The body of the output contains the affected lines. Changes are viewed as additions plus deletions. Options

files filename—Names of two local files to compare. context—(Optional) Display output in context format. ignore-white-space—(Optional) Ignore changes in the amount of white space. unified—(Optional) Display output in unified format.


Output Fields

890

none

file compare files on page 891 file compare files context on page 891 file compare files unified on page 891 file compare files unified ignore-white-space on page 891 When you enter this command, you are provided feedback on the status of your request.



Sample Output file compare files

user@host> file compare files /tmp/one /tmp/two 100c100 < full-name "File 1"; --> full-name "File 2"; 102c102 < class foo; # 'foo' is not defined --> class super-user;

file compare files context

user@host> file compare files /tmp/one /tmp/two context *** /tmp/one Wed Dec 3 17:12:50 2003 --- /tmp/two Wed Dec 3 09:13:14 2003 *************** *** 97,104 **** } } user bill { ! full-name "Bill Smith"; ! class foo; # 'foo' is not defined authentication { encrypted-password SECRET; } --- 97,105 ---} } user bill { ! full-name "Bill Smith"; ! uid 1089; ! class super-user; authentication { encrypted-password SECRET; }

file compare files unified

user@host> file compare files /tmp/one /tmp/two unified --- /tmp/one Wed Dec 3 17:12:50 2003 +++ /tmp/two Wed Dec 3 09:13:14 2003 @@ -97,8 +97,9 @@ } } user bill { full-name "Bill Smith"; class foo; # 'foo' is not defined + full-name "Bill Smith"; + uid 1089; + class super-user; authentication { encrypted-passwordSECRET; }

file compare files unified ignore-white-space

user@host> file compare files /tmp/one /tmp/two unified ignore-white-space --- /tmp/one Wed Dec 3 09:13:10 2003 +++ /tmp/two Wed Dec 3 09:13:14 2003 @@ -99,7 +99,7 @@ user bill { full-name "Bill Smith"; uid 1089;


891

®


+

892

class foo; # 'foo' is not defined class super-user; authentication { encrypted-password ; # SECRET-DATA }



file copy Syntax

Release Information

Description

Options

file copy source destination

Command introduced before Junos OS Release 7.4. source-address option added in Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for QFX Series switches. Copy files from one place to another on the local router or switch or between the local router or switch and a remote system. source—Source of the original file. Specify this as a URL or filename. destination—Destination of the copied file. Specify this as a URL or filename. If you are

copying a file to the current directory (your home directory on the local router or switch) and are not renaming the file, specify the destination with a period (.). source-address address—(Optional) Source IP host address. This option is useful for

specifying the source address of a secure copy (scp) file transfer. Required Privilege Level List of Sample Output

Output Fields

maintenance

file copy (A File from the Router or Switch to a PC) on page 893 file copy (A Configuration File Between Routing Engines) on page 893 file copy (A Log File Between Routing Engines) on page 893 file copy (A File from the TX Matrix Plus Router to a T1600 Router Connected to the TX Matrix Plus Router) on page 893 When you enter this command, you are provided feedback on the status of your request.

Sample Output file copy (A File from the Router or Switch to a PC) file copy (A Configuration File Between Routing Engines) file copy (A Log File Between Routing Engines) file copy (A File from the TX Matrix Plus Router to a T1600

user@host> file copy /var/tmp/rpd.core.4 berry:/c/junipero/tmp ...transferring.file...... |

0 KB |

0.3 kB/s | ETA: 00:00:00 | 100%

The following sample command copies a configuration file from Routing Engine 0 to Routing Engine 1: user@host> file copy /config/juniper.conf re1:/var/tmp/copied-juniper.conf

The following sample command copies a log file from Routing Engine 0 to Routing Engine 1: user@host> file copy lcc0-re0:/var/log/chassisd lcc0-re1:/var/tmp

The following sample command copies a text file from Routing Engine 1 on the switch-fabric chassis sfc0 to Routing Engine 1 on the line-card chassis lcc0:


893

®


Router Connected to the TX Matrix Plus Router)

894

user@host> file copy sfc0-re1:/tmp/sample.txt lcc0-re1:/var/tmp



file delete Syntax

Release Information

Description Options

file delete filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Delete a file on the local router or switch. filename—Name of the file to delete. For a routing matrix, include chassis information in

the filename if the file to be deleted is not local to the Routing Engine from which the command is issued. purge—(Optional) Overwrite regular files before deleting them.


Output Fields

maintenance

file delete on page 895 file delete (Routing Matrix) on page 895 When you enter this command, you are provided feedback on the status of your request.

Sample Output file delete

user@host> file list /var/tmp dcd.core rpd.core snmpd.core user@host> file delete /var/tmp/snmpd.core user@host> file list /var/tmp dcd.core rpd.core

file delete (Routing Matrix)

user@host> file list lcc0-re0:/var/tmp dcd.core rpd.core snmpd.core user@host> file delete lcc0-re0:/var/tmp/snmpd.core user@host> file list /var/tmp dcd.core rpd.core


895

®


file list Syntax

Release Information

Description Options

file list

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display a list of files on the local router or switch. none—Display a list of all files for the current directory. detail | recursive—(Optional) Display detailed output or descend recursively through the

directory hierarchy, respectively. filename—(Optional) Display a list of files. For a routing matrix, the filename must include

the chassis information. Additional Information


Output Fields

The default directory is the home directory of the user logged in to the router or switch. To view available directories, enter a space and then a backslash (/) after the file list command. To view files within a specific directory, include a backslash followed by the directory and, optionally, subdirectory name after the file list command. maintenance

file list on page 896 file list (Routing Matrix) on page 896 When you enter this command, you are provided feedback on the status of your request.

Sample Output file list

file list (Routing Matrix)

896

user@host> file list /var/tmp dcd.core rpd.core snmpd.core user@host> file list lcc0-re0:var/tmp lcc0-re0: -------------------------------------------------------------------------/var/tmp/: .gdbinit .pccardd Test/ chassisd* chassisd.nathan* check_time* cores/ diagTestPrep* diagtest*



diagtest.regress* do_switchovers* dump_test* err.manoj.log esw_clearstats* esw_counter* esw_debug* esw_debug_ge* esw_filt_test* esw_filter_tnp_addr* esw_getstats* esw_phy* esw_stats*


897

®


file rename Syntax Release Information

Description Options

file rename source destination

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Rename a file on the local router or switch. destination—New name for the file. source—Original name of the file. For a routing matrix, the filename must include the

chassis information. Required Privilege Level List of Sample Output

Output Fields

maintenance

file rename on page 898 file rename (Routing Matrix) on page 898 When you enter this command, you are provided feedback on the status of your request.

Sample Output file rename

The following example lists the files in /var/tmp, renames one of the files, and then displays the list of files again to reveal the newly named file. user@host> file list /var/tmp dcd.core rpd.core snmpd.core user@host> file rename /var/tmp/dcd.core /var/tmp/dcd.core.990413 user@host> file list /var/tmp dcd.core.990413 rpd.core snmpd.core

file rename (Routing Matrix)

The following example lists the files in /var/tmp, renames one of the files, and then displays the list of files again to reveal the newly named file. user@host> file list lcc0-re1:/var/tmp lcc0-re1: -------------------------------------------------------------------------/var/tmp: .pccardd sartre.conf snmpd syslogd.core-tarball.0.tgz user@host> file rename lcc0-re0:/var/tmp/snmpd /var/tmp/snmpd.rr user@host> file list lcc0-re1:/var/tmp

898



lcc0-re1: -------------------------------------------------------------------------/var/tmp: .pccardd sartre.conf snmpd.rr syslogd.core-tarball.0.tgz


899

®


file show Syntax

Release Information

Description Options

file show filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the contents of a file. filename—Name of a file. For a routing matrix, the filename must include the chassis

information. encoding (base64 | raw)—(Optional) Encode file contents with base64 encoding or show

raw text. Required Privilege Level List of Sample Output

Output Fields

maintenance

file show on page 900 file show (Routing Matrix) on page 900 When you enter this command, you are provided feedback on the status of your request.

Sample Output file show

file show (Routing Matrix)

user@host> file show /var/log/messages Apr 13 21:00:08 romney /kernel: so-1/1/2: loopback suspected; going to standby. Apr 13 21:00:40 romney /kernel: so-1/1/2: loopback suspected; going to standby. Apr 13 21:02:48 romney last message repeated 4 times Apr 13 21:07:04 romney last message repeated 8 times Apr 13 21:07:13 romney /kernel: so-1/1/0: Clearing SONET alarm(s) RDI-P Apr 13 21:07:29 romney /kernel: so-1/1/0: Asserting SONET alarm(s) RDI-P ... user@host> file show lcc0-re0:/var/tmp/.gdbinit lcc0-re0: -------------------------------------------------------------------------#################################################################### # Settings #################################################################### set print pretty #################################################################### # Basic stuff #################################################################### define msgbuf printf "%s", msgbufp->msg_ptr end # hex dump of a block of memory # usage: dump address length define dump

900



p $arg0, $arg1 set $ch = $arg0 set $j = 0 set $n = $arg1 while ($j < $n) #printf "%x %x ",&$ch[$j],$ch[$j] printf "%x ",$ch[$j] set $j = $j + 1 if (!($j % 16)) printf "\n" end end end


901

®


monitor list Syntax Release Information




monitor list

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the status of monitored log and trace files. This command has no options. Log files are generated by the routing protocol process or by system logging. The log files generated by system logging are configured with the syslog statement at the [edit system] hierarchy level and the options statement at the [edit routing-options] hierarchy level. The trace files generated by the routing protocol process are those configured with traceoptions statements at the [edit routing-options], [edit interfaces], and [edit protocols protocol] hierarchy levels. trace

•

monitor start on page 903

•

monitor stop on page 905

monitor list on page 902 Table 120 on page 902 describes the output fields for the monitor list command. Output fields are listed in the approximate order in which they appear.

Table 120: monitor list Output Fields Field Name

Field Description

monitor start

Indicates the file is being monitored.

"filename"

Name of the file that is being monitored.

Last changed

Date and time at which the file was last modified.

Sample Output monitor list

902

user@host> monitor list monitor start "vrrpd" (Last changed Dec 03:11:06 20) monitor start "cli-commands" (Last changed Nov 07:3)



monitor start Syntax Release Information

Description

Options Additional Information

monitor start filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Start displaying the system log or trace file and additional entries being added to those files. filename—Specific log or trace file.

Log files are generated by the routing protocol process or by system logging. The log files generated by system logging are configured with the syslog statement at the [edit system] hierarchy level and the options statement at the [edit routing-options] hierarchy level. The trace files generated by the routing protocol process are configured with traceoptions statements at the [edit routing-options], [edit interfaces], and [edit protocols protocol] hierarchy levels.

NOTE: To monitor a log file within a logical system, issue the monitor start logical-system-name/filename command.



trace

•

monitor list on page 902

•

monitor stop on page 905

monitor start on page 903 Table 121 on page 903 describes the output fields for the monitor start command. Output fields are listed in the approximate order in which they appear.

Table 121: monitor start Output Fields Field Name

Field Description

***filename ***

Name of the file from which entries are being displayed. This line is displayed initially and when the command switches between log files.

Date and time

Timestamp for the log entry.

Sample Output monitor start

user@host> monitor start system-log


903

®


*** Jul Jul Jul Jul Jul Jul

904

system-log*** 20 15:07:34 hang 20 15:07:35 hang 20 15:07:35 hang 20 15:07:37 hang 20 15:07:37 hang 20 15:07:37 hang

sshd[5845]: sshd[5845]: sshd[5845]: sshd[5845]: sshd[5845]: sshd[5845]:

log: log: log: log: log: log:

Generating 768 bit RSA key. RSA key generation complete. Connection from 204.69.248.180 port 912 RSA authentication for root accepted. ROOT LOGIN as 'root' from trip.jcmax.com Closing connection to 204.69.248.180



monitor stop Syntax Release Information




monitor stop filename

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Stop displaying the system log or trace file. filename—Specific log or trace file.

Log files are generated by the routing protocol process or by system logging. The log files generated by system logging are those configured with the syslog statement at the [edit system] hierarchy level and the options statement at the [edit routing-options] hierarchy level. The trace files generated by the routing protocol process are those configured with traceoptions statements at the [edit routing-options], [edit interfaces], and [edit protocols protocol] hierarchy levels. trace

•

monitor list on page 902

•

monitor start on page 903

monitor stop on page 905 This command produces no output.

Sample Output monitor stop

user@host> monitor stop


905

®


request chassis cb Syntax

request chassis cb (offline | online) slot slot-number


request chassis cb (offline | online)


request chassis cb (offline | online)

Syntax (QFabric Switch)

request chassis cb (offline | online)interconnect-device name slot slot-number

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS 9.4 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS 11.3 for the QFX Series.

Description

Options

(M120, M320, and MX Series routers and T Series routers, the QFX Series, and EX8200 switches only) Control the operation of the Control Board (CB). For information about the meaning of “CBs” on the switches, see “EX Series Switches Hardware and CLI Terminology Mapping” on page 847. offline—Take the Control Board offline. online—Bring the Control Board online. interconnect-device name—(QFabric switches only) (Optional) Bring the Interconnect

device Control Board either offline or online: slot slot-number—Control Board slot number: •

(TX Matrix and TX Matrix Plus routers only) On a TX Matrix router, if you specify the number of the T640 router by using the lcc number option (the recommended method), replace cb-slot-number with a value from 0 through 1. Likewise, on a TX Matrix Plus router, if you specify the number of the T1600 router by using the lcc number option (the recommended method), replace cb-slot-number with a value from 0 through 1.

•

M320 router—Replace slot-number with a value from 0 through 1.

•

MX480/MX240 routers—Replace slot-number with a value from 0 through 1.

•

MX960 router—Replace slot-number with a value from 0 through 2.

•

EX8208 switch—Replace slot-number with a value from 0 through 2.

•

EX8216 switch—Replace slot-number with a value from 0 through 1.

•

QFabric Switch—Replace slot-number with a value from 0 through 1.

sfc number—(TX Matrix Plus routers only) (Optional) Change the CB status for the TX

Matrix Plus router (or switch-fabric chassis). Replace number with 0.

906





Output Fields

maintenance

•

show chassis environment cb on page 952

•

Switching Control Board Redundancy

•

Routing Engine and Switching Control Board Redundancy Configuration Statements

request chassis cb on page 907 request chassis cb interconnect-device (QFabric Switch) on page 907 When you enter this command, you are provided feedback on the status of your request.

Sample Output request chassis cb

request chassis cb interconnect-device (QFabric Switch)

user@host> request chassis cb offline slot 1 Backup CB 1 cannot be set offline, backup RE is online user@switch> request chassis cb interconnect-device interconnect1 offline slot 1 Backup CB 1 cannot be set offline, backup RE is online


907

®


request chassis fabric plane Syntax Release Information

Description

Options

request chassis fabric plane plane-number (offline | online)

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.4 for EX Series switches. (M120 and MX Series routers and EX8200 switches only) Control the operation of the specified fabric plane. offline—Take the fabric plane offline. Use the request chassis fabric plane plane-number offline command to clear a FAULT state on a fabric plane. To bring the fabric plane

back online, use the request chassis fabric plane plane-number online command. online—Bring the fabric plane online. plane plane-number—Fabric plane number.



Output Fields

•

For the M120 router, replace plane-number with a value from 0 through 3.

•

For the MX480 and MX240 routers, replace plane-number with a value from 0 through 7.

•

For the MX960 router, replace plane-number with a value from 0 through 5.

•

For the EX8208 switch, replace plane-number with a value from 0 through 11.

•


maintenance

•

show chassis fabric plane on page 1036

•

show chassis fabric plane-location on page 1059

•

Creating a Fabric Port Group

•

Fabric Management Overview

request chassis fabric plane 0 online on page 908 request chassis fabric plane 0 offline on page 908 request chassis fabric plane 0 online (EX8200 switch) on page 909 When you enter this command, you are provided feedback on the status of your request.

Sample Output request chassis fabric plane 0 online

user@host> request chassis fabric plane 0 online Online initiated, use “show chassis fabric plane” to verify

request chassis fabric plane 0 offline

user@host> request chassis fabric plane 0 offline

908



Offline initiated, use “show chassis fabric plane” to verify

request chassis fabric plane 0 online (EX8200 switch)

user@host> request chassis fabric plane 0 online Plane 0 is already active


909

®


request chassis fpc Syntax

request chassis fpc (offline | online | restart) slot slot-number





Syntax (QFX Series)

Syntax (PTX Series Packet Transport Switches) Release Information

Description

Options

request chassis fpc request chassis fpc (offline | online | restart) slot slot-number

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS 11.3 for the QFX Series. Command introduced in Junos OS 12.1 for the PTX Series Packet Transport Switches. (M20, M40, M40e, M120, M160, M320, MX Series, and T Series routers; EX Series switches and PTX Series Packet Transport Switches only) Control the operation of the Flexible PIC Concentrator (FPC). For information about the meaning of “FPCs” on the switches, see “EX Series Switches Hardware and CLI Terminology Mapping” on page 847. offline—Take the FPC offline. online—Bring the FPC online. interconnect-device name—(QFX Series only) Bring the Flexible Port Concentrator (FPC)

on the Interconnect device either offline or online: •

(QFabric Switch) On a QFabric switch, specify the name of the Interconnect device containing the Flexible Port Concentrator (FPC) you want to bring either offline or online.

restart—Restart the FPC. slot slot-number—FPC slot number:

910

•

M20 router—0 through 3.

•

M120 router—0 through 5.

•

MX240 router—0 through 2. On the MX240 router, slot-number corresponds to the Dense Port Concentrator (DPC) slot number. If an MPC is installed, slot-number corresponds to the MPC slot number.



•


•


•

TX Matrix and TX Matrix Plus routers only—On the TX Matrix router, if you specify the number of the T640 router by using the lcc number option (the recommended method), replace slot-number with a value from 0 through 7. Otherwise, replace slot-number with a value from 0 through 31. Likewise, on a TX Matrix Plus router, if you specify the number of the T1600 router by using the lcc number option (the recommended method), replace slot-number with a value from 0 through 7. Otherwise, replace slot-number with a value from 0 through 31. For example, the following commands have the same result: user@host> request chassis fpc lcc 1 slot 1 offline user@host> request chassis fpc slot 9 offline

•

Other routers—0 through 7.

•

QFabric Switch —Replace slot-number with a value from 0 through 2.

•


EX4200 switches in a Virtual Chassis configuration—Replace slot-number with a value from 0 through 9.

•

EX6210 switches—Replace slot-number with a value from 0 through 9.

NOTE: These commands are not supported for slots 4 and 5 when a Switch Fabric and Routing Engine (SRE) module is installed in those slots. These commands are supported for slots 4 and 5 only if a line card is installed in them.

•

•


•


PTX5000 Packet Transport Switch—Replace slot-number with a value from 0 through 7.

all-members—(MX Series routers only) (Optional) Change FPC status of all members of

the Virtual Chassis configuration. local—(MX Series routers only) (Optional) Change FPC status of the local Virtual Chassis

member.


911

®


member member-id—(MX Series routers only) (Optional) Change FPC status of the

specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

control the FPC in a specified T640 router that is connected to the TX Matrix router. On a TX Matrix Plus router, control the FPC in a specified T1600 router that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. Required Privilege Level Related Documentation


maintenance

•

show chassis fpc on page 1062

•

show chassis fpc-feb-connectivity

•

show chassis fabric fpcs on page 1009

•

Configuring the Junos OS to Make a Flexible PIC Concentrator Stay Offline

•

Configuring the Junos OS to Resynchronize FPC Sequence Numbers with Active FPCs when an FPC Comes Online

•

MX960 Flexible PIC Concentrator Description

request chassis fpc on page 912 When you enter this command, you are provided feedback on the status of your request.

Sample Output request chassis fpc

912

user@host> request chassis fpc online slot 0 FPC 0 already online



request system configuration rescue delete Syntax Release Information

Description

request system configuration rescue delete

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Delete an existing rescue configuration.





•


•


•


request system configuration rescue delete on page 913 This command produces no output.

Sample Output request system configuration rescue delete

user@host> request system configuration rescue delete


913

®


request system configuration rescue save Syntax Release Information

Description

request system configuration rescue save

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Save the most recently committed configuration as the rescue configuration so that you can return to it at any time by using the rollback command.





•


•


•


request system configuration rescue save on page 914 This command produces no output.

Sample Output request system configuration rescue save

914

user@host> request system configuration rescue save




Description



Options




maintenance

•


•


•






915

®



Description



Options




maintenance

•


•


•




916







Options




maintenance

•


•


•






917

®


show chassis alarms Syntax

show chassis alarms


show chassis alarms


Syntax (QFX Series)


Description Options

show chassis alarms show chassis alarms show chassis alarms show chassis alarms

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option for the TX Matrix Plus router introduced in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Command introduced in Junos OS Release 12.1 for the PTX Series Packet Transport Switches. Display information about the conditions that have been configured to trigger alarms. none—Display information about the conditions that have been configured to trigger

alarms. all-members—(MX Series routers only) (Optional) Display information about alarm

conditions for all the member routers of the Virtual Chassis configuration. interconnect-device name—(QFabric switches only) (Optional) Display information about

alarm conditions for the Interconnect device. lcc number — (TX Matrix and TX Matrix Plus routers only) (Optional) On the TX Matrix

router, show information about a specified T640 router (or line-card chassis) that is connected to the TX Matrix router. On the TX Matrix Plus router, show information about a specified T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display information about alarm conditions

for the local Virtual Chassis member.

918



member member-id—(MX Series routers only) (Optional) Display information about alarm

conditions for the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. node-device name—(QFabric switches only) (Optional) Display information about alarm

conditions for the Node device. scc—(TX Matrix router only) (Optional) Show information about the TX Matrix router (or

switch-card chassis). sfc number—(TX Matrix Plus router only) (Optional) Show information about the TX

Matrix Plus router (or switch-fabric chassis). Replace number with 0. Additional Information

You cannot clear the alarms for chassis components. Instead, you must remedy the cause of the alarm. When a chassis alarm is lit, it indicates that you are running the router or switch in a manner that we do not recommend. On routers, you can manually silence external devices connected to the alarm relay contacts by pressing the alarm cutoff button, located on the craft interface. Silencing the device does not remove the alarm messages from the display (if present on the router) or extinguish the alarm LEDs. In addition, new alarms that occur after you silence an external device reactivate the external device. In Junos OS release 11.1 and later, alarms for fans also show the slot number of the fans in the CLI output. In Junos OS Release 11.2 and later, the command output on EX8200 switches shows the detailed location (Plane/FPC/PFE) for link errors in the chassis. In Junos OS Release 10.2 and later, an alarm is shown on T Series routers for a standby sonic clock generator (SCG) that is offline or absent.



view

•

Configuring an Alarm Entry and Its Attributes

•

Chassis Conditions That Trigger Alarms

show chassis alarms (Alarms Active) on page 920 show chassis alarms (No Alarms Active) on page 920 show chassis alarms (Fan Tray) on page 920 show chassis alarms (T4000 Router) on page 920 show chassis alarms (Unreachable Destinations Present on a T Series Router) on page 920 show chassis alarms (FPC Offline Due to Unreachable Destinations on a T Series Router) on page 921 show chassis alarms (SCG Absent on a T Series Router) on page 921 show chassis alarms (Alarms Active on a TX Matrix Router) on page 921 show chassis alarms (Backup Routing Engine) on page 922 show chassis alarms (Alarms Active on the QFX Series) on page 922


919

®


show chassis alarms node-device (Alarms Active on the QFabric Switch) on page 922 show chassis alarms (Alarms Active on the QFabric Switch) on page 922 show chassis alarms (Alarms Active on an EX8200 Switch) on page 922 show chassis alarms (Alarms Active on a PTX5000 Packet Transport Switch) on page 923 Output Fields

Table 122 on page 920 lists the output fields for the show chassis alarms command. Output fields are listed in the approximate order in which they appear.

Table 122: show chassis alarms Output Fields Field Name

Field Description

Alarm time

Date and time the alarm was first recorded.

Class

Severity class for this alarm: Minor or Major.

Description

Information about the alarm.

Sample Output show chassis alarms (Alarms Active)

user@host> show chassis alarms 3 alarms are currently active Alarm time Class Description 2000-02-07 10:12:22 UTC Major fxp0: ethernet link down 2000-02-07 10:11:54 UTC Minor YELLOW ALARM - PEM 1 Removed 2000-02-07 10:11:03 UTC Minor YELLOW ALARM - Lower Fan Tray Removed

show chassis alarms (No Alarms Active)

user@host> show chassis alarms No alarms are currently active

show chassis alarms (Fan Tray)

user@host> show chassis alarms 4 alarms currently active Alarm time Class 2010-11-11 20:27:38 UTC Major 2010-11-11 20:27:13 UTC Minor 2010-11-11 20:27:13 UTC Major 2010-11-11 20:27:13 UTC Major

Description Side Fan Tray Side Fan Tray Side Fan Tray Side Fan Tray

user@host> show chassis alarms 9 alarms currently active Alarm time Class 2007-06-02 01:41:10 UTC Minor 2007-06-02 01:41:10 UTC Minor 2007-06-02 01:41:10 UTC Minor 2007-05-30 19:37:33 UTC Major 2007-05-30 19:37:29 UTC Minor 2007-05-30 19:37:13 UTC Major 2007-05-30 19:37:13 UTC Major 2007-05-30 19:37:03 UTC Major 2007-05-30 19:37:03 UTC Minor

Description RE 0 Not Supported CB 0 Not Supported Mixed Master and Backup RE types SPMB 1 not online Front Bottom Fan Tray Absent PEM 1 Input Failure PEM 0 Not OK PEM 0 Improper for Platform Backup RE Active

user@host> show chassis alarms 10 alarms currently active Alarm time Class

Description

show chassis alarms (T4000 Router)

show chassis alarms (Unreachable

920

7 7 5 0

Failure Overspeed Failure Failure



Destinations Present on a T Series Router)

2011-08-30 2011-08-30 2011-08-30 2011-08-30 2011-08-30 2011-08-30 2011-08-30 2011-08-30 2011-08-30 2011-08-30

show chassis alarms (FPC Offline Due to Unreachable Destinations on a T Series Router)

user@host> show chassis alarms 10 alarms currently active Alarm time Class 2011-08-30 18:43:53 PDT Major 2011-08-30 18:43:53 PDT Major 2011-08-30 18:43:52 PDT Major 2011-08-30 18:43:52 PDT Major 2011-08-30 18:43:52 PDT Minor 2011-08-30 18:43:33 PDT Minor 2011-08-30 18:43:28 PDT Minor 2011-08-30 18:43:05 PDT Minor 2011-08-30 18:43:28 PDT Minor 2011-08-30 18:43:05 PDT Major

Description FPC 7 offline due FPC 5 offline due FPC 3 offline due FPC 2 offline due SIB 0 Not Online SIB 4 Not Online SIB 3 Not Online SIB 2 Not Online SIB 1 Not Online PEM 1 Not Ok

show chassis alarms (SCG Absent on a T Series Router)

user@host> show chassis alarms 4 alarms currently active Alarm time Class 2011-01-23 21:42:46 PST Major

Description SCG 0 NO EXT CLK MEAS-BKUP SCG ABS

show chassis alarms (Alarms Active on a TX Matrix Router)

18:43:53 18:43:53 18:43:52 18:43:52 18:43:52 18:43:33 18:43:28 18:43:05 18:43:28 18:43:05

PDT PDT PDT PDT PDT PDT PDT PDT PDT PDT

Major Major Major Major Minor Minor Minor Minor Minor Major

FPC FPC FPC FPC SIB SIB SIB SIB SIB PEM

7 5 3 2 0 4 3 2 1 1

has has has has Not Not Not Not Not Not

unreachable unreachable unreachable unreachable Online Online Online Online Online Ok

to to to to

destinations destinations destinations destinations

unreachable unreachable unreachable unreachable

destinations destinations destinations destinations

user@host> show chassis alarms scc-re0: -------------------------------------------------------------------------8 alarms currently active Alarm time Class Description 2004-08-05 18:43:53 PDT Minor LCC 0 Minor Errors 2004-08-05 18:43:53 PDT Minor SIB 3 Not Online 2004-08-05 18:43:52 PDT Major SIB 2 Absent 2004-08-05 18:43:52 PDT Major SIB 1 Absent 2004-08-05 18:43:52 PDT Major SIB 0 Absent 2004-08-05 18:43:33 PDT Major LCC 2 Major Errors 2004-08-05 18:43:28 PDT Major LCC 0 Major Errors 2004-08-05 18:43:05 PDT Minor LCC 2 Minor Errors lcc0-re0: -------------------------------------------------------------------------5 alarms currently active Alarm time Class Description 2004-08-05 18:43:53 PDT Minor SIB 3 Not Online 2004-08-05 18:43:49 PDT Major SIB 2 Absent 2004-08-05 18:43:49 PDT Major SIB 1 Absent 2004-08-05 18:43:49 PDT Major SIB 0 Absent 2004-08-05 18:43:28 PDT Major PEM 0 Not OK lcc2-re0: -------------------------------------------------------------------------5 alarms currently active Alarm time Class Description 2004-08-05 18:43:35 PDT Minor SIB 3 Not Online 2004-08-05 18:43:33 PDT Major SIB 2 Absent 2004-08-05 18:43:33 PDT Major SIB 1 Absent


921

®


2004-08-05 18:43:33 PDT 2004-08-05 18:43:05 PDT

show chassis alarms (Backup Routing Engine)

Major Minor

user@host> show chassis alarms 2 alarms are currently active Alarm time Class 2005-04-07 10:12:22 PDT Minor 2005-04-07 10:11:54 PDT Major

SIB 0 Absent PEM 1 Absent

Description Host 1 Boot from alternate media Host 1 compact-flash missing in Boot List

show chassis alarms (Alarms Active on the QFX Series)

user@switch> show chassis alarms 1 alarms currently active Alarm time Class Description 2012-03-05 2:10:24 UTC Major FPC 0 PEM 0 Airflow not matching Chassis Airflow

show chassis alarms node-device (Alarms Active on the QFabric Switch)

user@switch> show chassis alarms node-device ED3691 node-device ED3694 3 alarms currently active Alarm time Class Description 2011-08-24 16:04:15 UTC Major ED3694:fte-0/1/2: Link down 2011-08-24 16:04:14 UTC Major ED3694:fte-0/1/0: Link down 2011-08-24 14:21:14 UTC Major ED3694 PEM 0 is not supported/powered

show chassis alarms (Alarms Active on the QFabric Switch)

user@switch> show chassis alarms IC-A0001: -------------------------------------------------------------------------1 alarms currently active Alarm time Class Description 2011-08-24 16:04:15 UTC Minor Backup RE Active ED3694: -------------------------------------------------------------------------3 alarms currently active Alarm time Class Description 2011-08-24 16:04:15 UTC Major ED3694:fte-0/1/2: Link down 2011-08-24 16:04:14 UTC Major ED3694:fte-0/1/0: Link down 2011-08-24 14:21:14 UTC Major ED3694 PEM 0 is not supported/powered SNG-0: -------------------------------------------------------------------------NW-NG-0: -------------------------------------------------------------------------1 alarms currently active Alarm time Class Description 2011-08-24 15:49:27 UTC Major ED3691 PEM 0 is not supported/powered

show chassis alarms (Alarms Active on an EX8200 Switch)

922

user@switch> show chassis alarms 6 alarms currently active Alarm time Class Description 2010-12-02 19:15:22 UTC Major Fan Tray Failure 2010-12-02 19:15:22 UTC Major Fan Tray Failure 2010-12-02 19:15:14 UTC Minor Check CB 0 Fabric Chip 1 on Plane/FPC/PFE: 1/5/0, 1/5/1, 1/5/2, 1/5/3, 1/7/0, 1/7/1, 1/7/2, 1/7/3, 2/5/0, 2/5/1, ... 2010-12-02 19:15:14 UTC Minor Check CB 0 Fabric Chip 0 on Plane/FPC/PFE: 1/5/0, 1/5/1, 1/5/2, 1/5/3, 1/7/0, 1/7/1, 1/7/2, 1/7/3, 2/5/0, 2/5/1, ...



2010-12-02 19:14:18 UTC 2010-12-02 19:14:18 UTC

show chassis alarms (Alarms Active on a PTX5000 Packet Transport Switch)

Major Minor

PSU 1 Output Failure Loss of communication with Backup RE

user@switch> show chassis alarms 23 alarms currently Alarm time 2011-07-12 16:22:05 2011-07-12 16:22:05 2011-07-12 16:21:57 2011-07-12 16:21:57 2011-07-12 15:56:06 2011-07-12 15:56:06 2011-07-12 15:56:06 2011-07-12 15:28:20 2011-07-12 15:19:14


active Class PDT Minor PDT Major PDT Minor PDT Major PDT Major PDT Minor PDT Major PDT Major PDT Minor

Description No Redundant Power for Rear Chassis PDU 0 PSM 1 Not OK No Redundant Power for Fan 0-2 PDU 0 PSM 0 Not OK PDU 1 PSM 2 Not OK No Redundant Power for FPC 0-7 PDU 0 PSM 3 Not OK PDU 0 PSM 2 Not OK Backup RE Active

923

®


show chassis environment Syntax


Syntax (T4000 Router)








Syntax (QFX Series)

Syntax (PTX Series Packet Transport Switches)

Release Information

924

show chassis environment show chassis environment Class Item Status Temp Routing Engine OK Fan Fan OK

show chassis environment (J4300 or J6300 Router)

user@host> show chassis environment Class Item Status Temp Routing Engine OK Fan Fan 0 OK Fan 1 OK

show chassis environment (M5 Router)

user@host> show chassis environment Class Item Status Power Power Supply A OK Power Supply B Absent Temp FPC 0 OK FEB OK PS Intake OK PS Exhaust OK Routing Engine OK Fans Left Fan 1 OK

928

Measurement 40 degrees C / 104 degrees F

Measurement 41 degrees C / 105 degrees F

Measurement

30 degrees C / 86 degrees 33 degrees C / 91 degrees 27 degrees C / 80 degrees 27 degrees C / 80 degrees 34 degrees C / 93 degrees Spinning at normal speed

F F F F F



Misc

show chassis environment (M7i Router)


show chassis environment (M10i Router)

Left Fan 2 Left Fan 3 Left Fan 4 Craft Interface

OK OK OK OK

user@host> show chassis environment Class Item Status Power Power Supply 0 OK Power Supply 1 Absent Temp Intake OK FPC 0 OK Power Supplies OK CFEB Intake OK CFEB Exhaust OK Routing Engine OK Fans Fan 1 OK Fan 2 OK Fan 3 OK Fan 4 OK

user@host> show chassis environment Class Item Status Power Power Supply A OK Power Supply B Failed Temp FPC 0 OK FPC 1 OK FEB OK PS Intake OK PS Exhaust OK Routing Engine OK Fans Left Fan 1 OK Left Fan 2 OK Left Fan 3 OK Left Fan 4 OK Misc Craft Interface OK

user@host> show chassis environment Class Item Status Power Power Supply 0 OK Power Supply 1 OK Power Supply 2 Absent Power Supply 3 Absent Temp Intake OK FPC 0 OK FPC 1 OK Lower Power Supplies OK Upper Power Supplies OK CFEB Intake OK CFEB Exhaust OK Routing Engine 0 OK Routing Engine 1 OK Fans Fan Tray 0 Fan 1 OK Fan Tray 0 Fan 2 OK Fan Tray 0 Fan 3 OK Fan Tray 0 Fan 4 OK Fan Tray 0 Fan 5 OK Fan Tray 0 Fan 6 OK


Spinning at normal speed Spinning at normal speed Spinning at normal speed

Measurement

22 degrees C / 71 degrees 23 degrees C / 73 degrees 23 degrees C / 73 degrees 24 degrees C / 75 degrees 29 degrees C / 84 degrees 26 degrees C / 78 degrees Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

F F F F F F

Measurement

36 degrees C / 96 degrees 35 degrees C / 95 degrees 34 degrees C / 93 degrees 31 degrees C / 87 degrees 34 degrees C / 93 degrees 35 degrees C / 95 degrees Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

F F F F F F

Measurement

26 degrees C / 78 degrees 27 degrees C / 80 degrees 28 degrees C / 82 degrees 29 degrees C / 84 degrees 28 degrees C / 82 degrees 27 degrees C / 80 degrees 36 degrees C / 96 degrees 31 degrees C / 87 degrees 27 degrees C / 80 degrees Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

F F F F F F F F F

929

®


Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan



show chassis environment (M40e Router)

930

Tray Tray Tray Tray Tray Tray Tray Tray Tray Tray

0 0 1 1 1 1 1 1 1 1

Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan

7 8 1 2 3 4 5 6 7 8

OK OK Absent Absent Absent Absent Absent Absent Absent Absent

user@host> show chassis environment Class Item Status Power Power Supply A OK Power Supply B Absent Temp FPC 0 OK FPC 1 OK Power Supply A OK Power Supply B Absent SSB 0 OK Backplane OK Routing Engine 0 OK Routing Engine 1 Testing Fans Rear Fan OK Front Upper Fan OK Front Middle Fan OK Front Bottom Fan OK Misc Craft Interface OK

user@host> show chassis environment Class Item Status Power Power Supply A OK Power Supply B Absent Temp FPC 3 OK FPC 6 OK SCB OK Backplane @ A1 OK Backplane @ A2 OK Routing Engine OK Fans Top Impeller OK Bottom impeller OK Rear Left Fan OK Rear Center Fan OK Rear Right Fan OK Misc Craft Interface OK

user@host> show chassis environment Class Item Status Power PEM 0 OK PEM 1 Absent Temp PCG 0 OK PCG 1 OK Routing Engine 0 OK Routing Engine 1 OK MCS 0 OK MCS 1 OK SFM 0 SPP OK

Spinning at normal speed Spinning at normal speed

Measurement

28 degrees C / 82 degrees F 27 degrees C / 80 degrees F 22 degrees C / 71 degrees F 30 degrees C / 86 degrees F 22 degrees C / 71 degrees F 26 degrees C / 78 degrees F Spinning Spinning Spinning Spinning

at at at at

normal normal normal normal

speed speed speed speed

Measurement

24 degrees C / 75 degrees 26 degrees C / 78 degrees 26 degrees C / 78 degrees 28 degrees C / 82 degrees 23 degrees C / 73 degrees 26 degrees C / 78 degrees Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

F F F F F F

Measurement

44 47 40 37 45 42 40

degrees degrees degrees degrees degrees degrees degrees

C C C C C C C

/ / / / / / /

111 degrees F 116 degrees F 104 degrees F 98 degrees F 113 degrees F 107 degrees F 104 degrees F



Fans

Misc


SFM 0 SPR SFM 1 SPP SFM 1 SPR FPC 0 FPC 1 FPC 2 FPC 4 FPC 5 FPC 6 FPC 7 FPM CMB FPM Display Rear Bottom Blower Rear Top Blower Front Top Blower Fan Tray Rear Left Fan Tray Rear Right Fan Tray Front Left Fan Tray Front Right CIP

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 Routing Engine 0 Routing Engine 1 CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B FEB 3 Intake FEB 3 Exhaust A FEB 3 Exhaust B FEB 4 Intake FEB 4 Exhaust A FEB 4 Exhaust B FPC 2 Exhaust A FPC 2 Exhaust B FPC 3 Exhaust A FPC 3 Exhaust B FPC 4 Exhaust A FPC 4 Exhaust B Fans Front Top Tray Fan 1 Front Top Tray Fan 2 Front Top Tray Fan 3 Front Top Tray Fan 4 Front Top Tray Fan 5 Front Top Tray Fan 6 Front Top Tray Fan 7 Front Top Tray Fan 8 Front Bottom Tray Fan 1 Front Bottom Tray Fan 2 Front Bottom Tray Fan 3 Front Bottom Tray Fan 4 Front Bottom Tray Fan 5 Front Bottom Tray Fan 6 Front Bottom Tray Fan 7


44 degrees C / 111 degrees F 43 degrees C / 109 degrees F 45 degrees C / 113 degrees F 38 degrees C / 100 degrees F 40 degrees C / 104 degrees F 38 degrees C / 100 degrees F 34 degrees C / 93 degrees F 43 degrees C / 109 degrees F 41 degrees C / 105 degrees F 43 degrees C / 109 degrees F 28 degrees C / 82 degrees F 28 degrees C / 82 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

Status OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Measurement

43 degrees C / 109 degrees F 44 degrees C / 111 degrees F 33 degrees C / 91 degrees F 36 degrees C / 96 degrees F 35 degrees C / 95 degrees F 34 degrees C / 93 degrees F 38 degrees C / 100 degrees F 35 degrees C / 95 degrees F 35 degrees C / 95 degrees F 37 degrees C / 98 degrees F 39 degrees C / 102 degrees F 33 degrees C / 91 degrees F 39 degrees C / 102 degrees F 36 degrees C / 96 degrees F 32 degrees C / 89 degrees F 31 degrees C / 87 degrees F 32 degrees C / 89 degrees F 33 degrees C / 91 degrees F 32 degrees C / 89 degrees F 30 degrees C / 86 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

931

®


Front Bottom Tray Fan 8 Rear Top Tray Fan 1 Rear Top Tray Fan 2 Rear Top Tray Fan 3 Rear Top Tray Fan 4 Rear Top Tray Fan 5 Rear Top Tray Fan 6 Rear Top Tray Fan 7 Rear Top Tray Fan 8 Rear Bottom Tray Fan 1 Rear Bottom Tray Fan 2 Rear Bottom Tray Fan 3 Rear Bottom Tray Fan 4 Rear Bottom Tray Fan 5 Rear Bottom Tray Fan 6 Rear Bottom Tray Fan 7 Rear Bottom Tray Fan 8



932

user@host> show chassis environment Class Item Status Power PEM 0 OK Temp PCG 0 OK PCG 1 Absent Routing Engine 0 OK Routing Engine 1 Absent MCS 0 OK SFM 0 SPP OK SFM 0 SPR OK SFM 1 SPP OK SFM 1 SPR OK SFM 2 SPP OK SFM 2 SPR OK SFM 3 SPP OK SFM 3 SPR OK FPC 0 OK FPC 6 OK FPM CMB OK FPM Display OK Fans Rear Bottom Blower OK Rear Top Blower OK Front Top Blower OK Fan Tray Rear Left OK Fan Tray Rear Right OK Fan Tray Front Left OK Fan Tray Front Right OK Misc CIP OK

user@host> show chassis environment Class Item Status Temp PEM 0 Absent PEM 1 Absent PEM 2 OK PEM 3 OK Routing Engine 0 OK Routing Engine 1 OK CB 0 OK CB 1 OK SIB 0 OK SIB 1 OK SIB 2 OK

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning

at at at at at at at at at at at at at at at at at

normal normal normal normal normal normal normal normal normal normal normal normal normal normal normal normal normal

speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed

Measurement PEM 1 Absent 45 degrees C / 113 degrees F 35 degrees C / 95 degrees F 50 degrees C / 122 degrees F 47 degrees C / 116 degrees F 49 degrees C / 120 degrees F 50 degrees C / 122 degrees F 50 degrees C / 122 degrees F 51 degrees C / 123 degrees F 52 degrees C / 125 degrees F 52 degrees C / 125 degrees F 48 degrees C / 118 degrees F 45 degrees C / 113 degrees F 43 degrees C / 109 degrees F 31 degrees C / 87 degrees F 33 degrees C / 91 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

Measurement

33 32 36 36 38 29 38

degrees degrees degrees degrees degrees degrees degrees

C C C C C C C

/ / / / / / /

91 degrees F 89 degrees F 96 degrees F 96 degrees F 100 degrees F 84 degrees F 100 degrees F



Fan

Misc

show chassis environment (MX240 Router)

SIB 3 FPC 0 Intake FPC 0 Exhaust FPC 1 Intake FPC 1 Exhaust FPC 2 Intake FPC 2 Exhaust FPC 3 Intake FPC 3 Exhaust FPC 6 Intake FPC 6 Exhaust FPC 7 Intake FPC 7 Exhaust FPM GBUS Top Left Front fan Top Right Rear fan Top Right Front fan Top Left Rear fan Bottom Left Front fan Bottom Right Rear fan Bottom Right Front fan Bottom Left Rear fan Rear Fan 1 (TOP) Rear Fan 2 Rear Fan 3 Rear Fan 4 Rear Fan 5 Rear Fan 6 Rear Fan 7 (Bottom) CIP

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 PEM 2 PEM 3 Routing Engine 0 Routing Engine 1 CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 0 ACBC CB 0 SF A CB 0 SF B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B CB 1 ACBC CB 1 SF A CB 1 SF B FPC 1 Intake FPC 1 Exhaust A FPC 1 Exhaust B FPC 1 I3 0 TSensor FPC 1 I3 0 Chip FPC 1 I3 1 TSensor FPC 1 I3 1 Chip FPC 1 I3 2 TSensor FPC 1 I3 2 Chip


41 degrees C / 105 degrees F 28 degrees C / 82 degrees F 40 degrees C / 104 degrees F 29 degrees C / 84 degrees F 39 degrees C / 102 degrees F 28 degrees C / 82 degrees F 38 degrees C / 100 degrees F 28 degrees C / 82 degrees F 39 degrees C / 102 degrees F 27 degrees C / 80 degrees F 39 degrees C / 102 degrees F 27 degrees C / 80 degrees F 42 degrees C / 107 degrees F 30 degrees C / 86 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

Status OK OK Absent Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Measurement 40 degrees C / 104 degrees F 45 degrees C / 113 degrees F

39 37 36 34 38 37 49 41 37 34 39 38 47 41 33 38 53 50 53 49 52 47 49

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / /

102 degrees F 98 degrees F 96 degrees F 93 degrees F 100 degrees F 98 degrees F 120 degrees F 105 degrees F 98 degrees F 93 degrees F 102 degrees F 100 degrees F 116 degrees F 105 degrees F 91 degrees F 100 degrees F 127 degrees F 122 degrees F 127 degrees F 120 degrees F 125 degrees F 116 degrees F 120 degrees F

933

®


Fans

show chassis environment (MX240 Router with Enhanced MX SCB)

934

FPC 1 I3 3 TSensor FPC 1 I3 3 Chip FPC 1 IA 0 TSensor FPC 1 IA 0 Chip FPC 1 IA 1 TSensor FPC 1 IA 1 Chip FPC 2 Intake FPC 2 Exhaust A FPC 2 Exhaust B FPC 2 I3 0 TSensor FPC 2 I3 0 Chip FPC 2 I3 1 TSensor FPC 2 I3 1 Chip FPC 2 I3 2 TSensor FPC 2 I3 2 Chip FPC 2 I3 3 TSensor FPC 2 I3 3 Chip FPC 2 IA 0 TSensor FPC 2 IA 0 Chip FPC 2 IA 1 TSensor FPC 2 IA 1 Chip Front Fan Middle Fan Rear Fan

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 PEM 2 PEM 3 Routing Engine 0 Routing Engine 1 CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 0 ACBC CB 0 XF A CB 0 XF B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B CB 1 ACBC CB 1 XF A CB 1 XF B FPC 1 Intake FPC 1 Exhaust A FPC 1 Exhaust B FPC 1 I3 0 TSensor FPC 1 I3 0 Chip FPC 1 I3 1 TSensor FPC 1 I3 1 Chip FPC 1 I3 2 TSensor FPC 1 I3 2 Chip FPC 1 I3 3 TSensor FPC 1 I3 3 Chip FPC 1 IA 0 TSensor FPC 1 IA 0 Chip FPC 1 IA 1 TSensor FPC 1 IA 1 Chip FPC 2 Intake

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

44 degrees C / 111 degrees F 46 degrees C / 114 degrees F 45 degrees C / 113 degrees F 44 degrees C / 111 degrees F 44 degrees C / 111 degrees F 48 degrees C / 118 degrees F 32 degrees C / 89 degrees F 40 degrees C / 104 degrees F 52 degrees C / 125 degrees F 52 degrees C / 125 degrees F 56 degrees C / 132 degrees F 52 degrees C / 125 degrees F 55 degrees C / 131 degrees F 49 degrees C / 120 degrees F 52 degrees C / 125 degrees F 44 degrees C / 111 degrees F 48 degrees C / 118 degrees F 50 degrees C / 122 degrees F 48 degrees C / 118 degrees F 47 degrees C / 116 degrees F 53 degrees C / 127 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed

Status OK OK Absent Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK


39 37 36 34 38 37 49 41 37 34 39 38 47 41 33 38 53 50 53 49 52 47 49 44 46 45 44 44 48 32

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

102 degrees F 98 degrees F 96 degrees F 93 degrees F 100 degrees F 98 degrees F 120 degrees F 105 degrees F 98 degrees F 93 degrees F 102 degrees F 100 degrees F 116 degrees F 105 degrees F 91 degrees F 100 degrees F 127 degrees F 122 degrees F 127 degrees F 120 degrees F 125 degrees F 116 degrees F 120 degrees F 111 degrees F 114 degrees F 113 degrees F 111 degrees F 111 degrees F 118 degrees F 89 degrees F



Fans


FPC 2 Exhaust A FPC 2 Exhaust B FPC 2 I3 0 TSensor FPC 2 I3 0 Chip FPC 2 I3 1 TSensor FPC 2 I3 1 Chip FPC 2 I3 2 TSensor FPC 2 I3 2 Chip FPC 2 I3 3 TSensor FPC 2 I3 3 Chip FPC 2 IA 0 TSensor FPC 2 IA 0 Chip FPC 2 IA 1 TSensor FPC 2 IA 1 Chip Front Fan Middle Fan Rear Fan

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 PEM 2 PEM 3 Routing Engine 0 Routing Engine 1 CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 0 ACBC CB 0 SF A CB 0 SF B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B CB 1 ACBC CB 1 SF A CB 1 SF B FPC 0 Intake FPC 0 Exhaust A FPC 0 Exhaust B FPC 0 I3 0 TSensor FPC 0 I3 0 Chip FPC 0 I3 1 TSensor FPC 0 I3 1 Chip FPC 0 I3 2 TSensor FPC 0 I3 2 Chip FPC 0 I3 3 TSensor FPC 0 I3 3 Chip FPC 0 IA 0 TSensor FPC 0 IA 0 Chip FPC 0 IA 1 TSensor FPC 0 IA 1 Chip FPC 1 Intake FPC 1 Exhaust A FPC 1 Exhaust B FPC 1 I3 0 TSensor FPC 1 I3 0 Chip FPC 1 I3 1 TSensor FPC 1 I3 1 Chip FPC 1 I3 2 TSensor


OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

40 degrees C / 104 52 degrees C / 125 52 degrees C / 125 56 degrees C / 132 52 degrees C / 125 55 degrees C / 131 49 degrees C / 120 52 degrees C / 125 44 degrees C / 111 48 degrees C / 118 50 degrees C / 122 48 degrees C / 118 47 degrees C / 116 53 degrees C / 127 Spinning at normal Spinning at normal Spinning at normal

Status OK OK Absent Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK


44 45 36 38 39 37 51 44 36 39 40 37 50 43 36 39 51 49 56 47 52 46 48 42 45 45 45 44 48 37 41 52 51 57 48 52 46

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees speed speed speed

F F F F F F F F F F F F F F

111 degrees F 113 degrees F 96 degrees F 100 degrees F 102 degrees F 98 degrees F 123 degrees F 111 degrees F 96 degrees F 102 degrees F 104 degrees F 98 degrees F 122 degrees F 109 degrees F 96 degrees F 102 degrees F 123 degrees F 120 degrees F 132 degrees F 116 degrees F 125 degrees F 114 degrees F 118 degrees F 107 degrees F 113 degrees F 113 degrees F 113 degrees F 111 degrees F 118 degrees F 98 degrees F 105 degrees F 125 degrees F 123 degrees F 134 degrees F 118 degrees F 125 degrees F 114 degrees F

935

®


Fans


936

FPC 1 I3 2 Chip FPC 1 I3 3 TSensor FPC 1 I3 3 Chip FPC 1 IA 0 TSensor FPC 1 IA 0 Chip FPC 1 IA 1 TSensor FPC 1 IA 1 Chip Top Rear Fan Bottom Rear Fan Top Middle Fan Bottom Middle Fan Top Front Fan Bottom Front Fan

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 PEM 2 PEM 3 Routing Engine 0 Routing Engine 1 CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 0 ACBC CB 0 XF A CB 0 XF B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B CB 1 ACBC CB 1 XF A CB 1 XF B FPC 0 Intake FPC 0 Exhaust A FPC 0 Exhaust B FPC 0 I3 0 TSensor FPC 0 I3 0 Chip FPC 0 I3 1 TSensor FPC 0 I3 1 Chip FPC 0 I3 2 TSensor FPC 0 I3 2 Chip FPC 0 I3 3 TSensor FPC 0 I3 3 Chip FPC 0 IA 0 TSensor FPC 0 IA 0 Chip FPC 0 IA 1 TSensor FPC 0 IA 1 Chip FPC 1 Intake FPC 1 Exhaust A FPC 1 Exhaust B FPC 1 I3 0 TSensor FPC 1 I3 0 Chip FPC 1 I3 1 TSensor FPC 1 I3 1 Chip FPC 1 I3 2 TSensor FPC 1 I3 2 Chip FPC 1 I3 3 TSensor FPC 1 I3 3 Chip FPC 1 IA 0 TSensor

OK OK OK OK OK OK OK OK OK OK OK OK OK

50 degrees C / 122 42 degrees C / 107 46 degrees C / 114 49 degrees C / 120 48 degrees C / 118 46 degrees C / 114 50 degrees C / 122 Spinning at normal Spinning at normal Spinning at normal Spinning at normal Spinning at normal Spinning at normal

Status OK OK Absent Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK


44 45 36 38 39 37 51 44 36 39 40 37 50 43 36 39 51 49 56 47 52 46 48 42 45 45 45 44 48 37 41 52 51 57 48 52 46 50 42 46 49

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

degrees degrees degrees degrees degrees degrees degrees speed speed speed speed speed speed

F F F F F F F

111 degrees F 113 degrees F 96 degrees F 100 degrees F 102 degrees F 98 degrees F 123 degrees F 111 degrees F 96 degrees F 102 degrees F 104 degrees F 98 degrees F 122 degrees F 109 degrees F 96 degrees F 102 degrees F 123 degrees F 120 degrees F 132 degrees F 116 degrees F 125 degrees F 114 degrees F 118 degrees F 107 degrees F 113 degrees F 113 degrees F 113 degrees F 111 degrees F 118 degrees F 98 degrees F 105 degrees F 125 degrees F 123 degrees F 134 degrees F 118 degrees F 125 degrees F 114 degrees F 122 degrees F 107 degrees F 114 degrees F 120 degrees F



OK OK OK OK OK OK OK OK OK

48 degrees C / 118 46 degrees C / 114 50 degrees C / 122 Spinning at normal Spinning at normal Spinning at normal Spinning at normal Spinning at normal Spinning at normal

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 PEM 2 PEM 3 Routing Engine 0 Routing Engine 1 CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B CB 1 ACBC CB 1 SF A CB 1 SF B CB 2 Intake CB 2 Exhaust A CB 2 Exhaust B CB 2 ACBC CB 2 SF A CB 2 SF B FPC 4 Intake FPC 4 Exhaust A FPC 4 Exhaust B FPC 7 Intake FPC 7 Exhaust A FPC 7 Exhaust B Fans Top Fan Tray Temp Top Tray Fan 1 Top Tray Fan 2 Top Tray Fan 3 Top Tray Fan 4 Top Tray Fan 5 Top Tray Fan 6 Bottom Fan Tray Temp Bottom Tray Fan 1 Bottom Tray Fan 2 Bottom Tray Fan 3 Bottom Tray Fan 4 Bottom Tray Fan 5 Bottom Tray Fan 6

Status Absent Absent Check OK OK Absent OK OK OK Absent Absent Absent Absent Absent Absent Absent Absent Absent Absent Absent Absent OK OK OK OK OK OK Failed OK OK OK OK OK OK Failed OK OK OK OK OK OK

Measurement

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 PEM 2 PEM 3 Routing Engine 0

Status Absent OK OK OK OK

Measurement

Fans




FPC 1 IA 0 Chip FPC 1 IA 1 TSensor FPC 1 IA 1 Chip Top Rear Fan Bottom Rear Fan Top Middle Fan Bottom Middle Fan Top Front Fan Bottom Front Fan

degrees F degrees F degrees F speed speed speed speed speed speed

35 degrees C / 95 degrees F 37 degrees C / 98 degrees F 24 degrees C / 75 degrees F 30 degrees C / 86 degrees F 27 degrees C / 80 degrees F

24 36 38 24 36 42

degrees degrees degrees degrees degrees degrees

C C C C C C

/ / / / / /

75 degrees F 96 degrees F 100 degrees F 75 degrees F 96 degrees F 107 degrees F

Spinning Spinning Spinning Spinning Spinning Spinning

at at at at at at

normal normal normal normal normal normal

speed speed speed speed speed speed

Spinning Spinning Spinning Spinning Spinning Spinning

at at at at at at

normal normal normal normal normal normal

speed speed speed speed speed speed

50 50 50 42

degrees degrees degrees degrees

C C C C

/ / / /

122 122 122 107


F F F F

937

®


Routing Engine 0 CPU Routing Engine 1 Routing Engine 1 CPU CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 0 ACBC CB 0 XF A CB 0 XF B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B CB 1 ACBC CB 1 XF A CB 1 XF B CB 2 Intake CB 2 Exhaust A CB 2 Exhaust B CB 2 ACBC CB 2 XF A CB 2 XF B FPC 0 Intake FPC 0 Exhaust A FPC 0 Exhaust B FPC 0 I3 0 TSensor FPC 0 I3 0 Chip FPC 0 I3 1 TSensor FPC 0 I3 1 Chip FPC 0 I3 2 TSensor FPC 0 I3 2 Chip FPC 0 I3 3 TSensor FPC 0 I3 3 Chip FPC 0 IA 0 TSensor FPC 0 IA 0 Chip FPC 0 IA 1 TSensor FPC 0 IA 1 Chip FPC 1 Intake FPC 1 Exhaust A FPC 1 Exhaust B FPC 1 LU 0 TCAM TSensor FPC 1 LU 0 TCAM Chip FPC 1 LU 0 TSensor FPC 1 LU 0 Chip FPC 1 MQ 0 TSensor FPC 1 MQ 0 Chip FPC 1 LU 1 TCAM TSensor FPC 1 LU 1 TCAM Chip FPC 1 LU 1 TSensor FPC 1 LU 1 Chip FPC 1 MQ 1 TSensor FPC 1 MQ 1 Chip FPC 2 Intake FPC 2 Exhaust A FPC 2 Exhaust B FPC 2 I3 0 TSensor FPC 2 I3 0 Chip FPC 2 I3 1 TSensor FPC 2 I3 1 Chip FPC 2 I3 2 TSensor FPC 2 I3 2 Chip FPC 2 I3 3 TSensor

938

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

51 39 44 35 36 43 38 53 47 35 35 41 38 52 47 32 30 35 33 51 50 35 39 50 50 56 47 50 45 48 41 44 45 45 44 48 36 47 43 53 57 53 60 53 56 51 52 51 53 51 58 35 39 54 52 59 48 52 47 49 41

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

123 degrees F 102 degrees F 111 degrees F 95 degrees F 96 degrees F 109 degrees F 100 degrees F 127 degrees F 116 degrees F 95 degrees F 95 degrees F 105 degrees F 100 degrees F 125 degrees F 116 degrees F 89 degrees F 86 degrees F 95 degrees F 91 degrees F 123 degrees F 122 degrees F 95 degrees F 102 degrees F 122 degrees F 122 degrees F 132 degrees F 116 degrees F 122 degrees F 113 degrees F 118 degrees F 105 degrees F 111 degrees F 113 degrees F 113 degrees F 111 degrees F 118 degrees F 96 degrees F 116 degrees F 109 degrees F 127 degrees F 134 degrees F 127 degrees F 140 degrees F 127 degrees F 132 degrees F 123 degrees F 125 degrees F 123 degrees F 127 degrees F 123 degrees F 136 degrees F 95 degrees F 102 degrees F 129 degrees F 125 degrees F 138 degrees F 118 degrees F 125 degrees F 116 degrees F 120 degrees F 105 degrees F



FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC


2 I3 3 Chip 2 IA 0 TSensor 2 IA 0 Chip 2 IA 1 TSensor 2 IA 1 Chip 3 Intake 3 Exhaust A 3 Exhaust B 3 I3 0 TSensor 3 I3 0 Chip 3 I3 1 TSensor 3 I3 1 Chip 3 IA 0 TSensor 3 IA 0 Chip 5 Intake 5 Exhaust A 5 Exhaust B 5 LU 0 TSensor 5 LU 0 Chip 5 LU 1 TSensor 5 LU 1 Chip 5 LU 2 TSensor 5 LU 2 Chip 5 LU 3 TSensor 5 LU 3 Chip 5 MQ 0 TSensor 5 MQ 0 Chip 5 MQ 1 TSensor 5 MQ 1 Chip 5 MQ 2 TSensor 5 MQ 2 Chip 5 MQ 3 TSensor 5 MQ 3 Chip 7 Intake 7 Exhaust A 7 Exhaust B 7 QX 0 TSensor 7 QX 0 Chip 7 LU 0 TCAM TSensor 7 LU 0 TCAM Chip 7 LU 0 TSensor 7 LU 0 Chip 7 MQ 0 TSensor 7 MQ 0 Chip 8 Intake 8 Exhaust A 8 Exhaust B 8 I3 0 TSensor 8 I3 0 Chip 8 BDS 0 TSensor 8 BDS 0 Chip 8 IA 0 TSensor 8 IA 0 Chip 10 Intake 10 Exhaust A 10 Exhaust B 10 I3 0 TSensor 10 I3 0 Chip 10 I3 1 TSensor 10 I3 1 Chip 10 I3 2 TSensor


44 47 46 45 49 34 34 47 48 52 46 48 41 40 42 42 53 53 54 53 61 53 51 53 53 47 52 47 52 47 46 47 45 36 35 33 42 47 42 44 42 46 42 45 33 33 36 38 43 37 36 37 37 38 36 41 40 42 40 44 42

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

111 degrees F 116 degrees F 114 degrees F 113 degrees F 120 degrees F 93 degrees F 93 degrees F 116 degrees F 118 degrees F 125 degrees F 114 degrees F 118 degrees F 105 degrees F 104 degrees F 107 degrees F 107 degrees F 127 degrees F 127 degrees F 129 degrees F 127 degrees F 141 degrees F 127 degrees F 123 degrees F 127 degrees F 127 degrees F 116 degrees F 125 degrees F 116 degrees F 125 degrees F 116 degrees F 114 degrees F 116 degrees F 113 degrees F 96 degrees F 95 degrees F 91 degrees F 107 degrees F 116 degrees F 107 degrees F 111 degrees F 107 degrees F 114 degrees F 107 degrees F 113 degrees F 91 degrees F 91 degrees F 96 degrees F 100 degrees F 109 degrees F 98 degrees F 96 degrees F 98 degrees F 98 degrees F 100 degrees F 96 degrees F 105 degrees F 104 degrees F 107 degrees F 104 degrees F 111 degrees F 107 degrees F

939

®


Fans

show chassis environment (T320 Router)

940

FPC 10 I3 2 Chip FPC 10 I3 3 TSensor FPC 10 I3 3 Chip FPC 10 IA 0 TSensor FPC 10 IA 0 Chip FPC 10 IA 1 TSensor FPC 10 IA 1 Chip Top Fan Tray Temp Top Tray Fan 1 Top Tray Fan 2 Top Tray Fan 3 Top Tray Fan 4 Top Tray Fan 5 Top Tray Fan 6 Bottom Fan Tray Temp Bottom Tray Fan 1 Bottom Tray Fan 2 Bottom Tray Fan 3 Bottom Tray Fan 4 Bottom Tray Fan 5 Bottom Tray Fan 6

user@host> show chassis environment Class Item Status Power PEM 0 OK PEM 1 Absent Temp SCG 0 OK SCG 1 OK Routing Engine 0 OK Routing Engine 1 OK CB 0 OK CB 1 OK SIB 0 OK SIB 1 OK SIB 2 OK FPC 0 Top OK FPC 0 Bottom OK FPC 1 Top OK FPC 1 Bottom OK FPC 2 Top OK FPC 2 Bottom OK FPM GBUS OK FPM Display OK Fans Top Left Front fan OK Top Left Middle fan OK Top Left Rear fan OK Top Right Front fan OK Top Right Middle fan OK Top Right Rear fan OK Bottom Left Front fan OK Bottom Left Middle fan OK Bottom Left Rear fan OK Bottom Right Front fan OK Bottom Right Middle fan OK Bottom Right Rear fan OK Rear Tray Top fan OK Rear Tray Second fan OK Rear Tray Middle fan OK Rear Tray Fourth fan OK Rear Tray Bottom fan OK Misc CIP OK

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

43 degrees C / 109 degrees F 39 degrees C / 102 degrees F 44 degrees C / 111 degrees F 36 degrees C / 96 degrees F 36 degrees C / 96 degrees F 43 degrees C / 109 degrees F 42 degrees C / 107 degrees F 37 degrees C / 98 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed 28 degrees C / 82 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

Measurement

28 degrees C / 82 degrees F 28 degrees C / 82 degrees F 31 degrees C / 87 degrees F 30 degrees C / 86 degrees F 32 degrees C / 89 degrees F 32 degrees C / 89 degrees F 33 degrees C / 91 degrees F 33 degrees C / 91 degrees F 34 degrees C / 93 degrees F 38 degrees C / 100 degrees F 32 degrees C / 89 degrees F 38 degrees C / 100 degrees F 33 degrees C / 91 degrees F 36 degrees C / 96 degrees F 31 degrees C / 87 degrees F 26 degrees C / 78 degrees F 29 degrees C / 84 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed



SPMB 0 SPMB 1



OK OK

user@host> show chassis environment Class Item Status Temp PEM 0 Absent PEM 1 OK SCG 0 OK SCG 1 OK Routing Engine 0 Present Routing Engine 1 OK CB 0 Present CB 1 OK SIB 0 Absent SIB 1 Absent SIB 2 Absent SIB 3 Absent SIB 4 Absent FPC 4 Top Testing FPC 4 Bottom Testing FPC 5 Top Testing FPC 5 Bottom Testing FPC 6 Top Testing FPC 6 Bottom Testing FPM GBUS OK FPM Display Absent Fans Top Left Front fan OK Top Left Middle fan OK Top Left Rear fan OK Top Right Front fan OK Top Right Middle fan OK Top Right Rear fan OK Bottom Left Front fan OK Bottom Left Middle fan OK Bottom Left Rear fan OK Bottom Right Front fan OK Bottom Right Middle fan OK Bottom Right Rear fan OK Fourth Blower from top OK Bottom Blower OK Middle Blower OK Top Blower OK Second Blower from top OK Misc CIP OK SPMB 0 OK SPMB 1 OK

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 SCG 0 SCG 1 Routing Engine 0 Routing Engine 0 CPU Routing Engine 1 Routing Engine 1 CPU CB 0 CB 1


Measurement 22 degrees C / 71 degrees F 30 degrees C / 86 degrees F 30 degrees C / 86 degrees F 27 degrees C / 80 degrees F 33 degrees C / 91 degrees F

23 degrees C / 73 degrees F Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning

Status OK Absent OK OK OK OK OK OK OK OK

at at at at at at at at at at at at at at at at at

normal normal normal normal normal normal normal normal normal normal normal normal normal normal normal normal normal

speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed

Measurement 33 degrees C / 91 degrees F 33 33 33 50 32 46 32 33

degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C

/ / / / / / / /

91 degrees F 91 degrees F 91 degrees F 122 degrees F 89 degrees F 114 degrees F 89 degrees F 91 degrees F

941

®


Fans

942

SIB SIB SIB SIB SIB FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPM FPM Top Top Top Top

0 1 2 3 4 0 Fan Intake 0 Fan Exhaust 0 PMB 0 LMB0 0 LMB1 0 LMB2 0 PFE1 LU2 0 PFE1 LU0 0 PFE0 LU0 0 XF1 0 XF0 0 XM1 0 XM0 0 PFE0 LU1 0 PFE0 LU2 0 PFE1 LU1 3 Fan Intake 3 Fan Exhaust 3 PMB 3 LMB0 3 LMB1 3 LMB2 3 PFE1 LU2 3 PFE1 LU0 3 PFE0 LU0 3 XF1 3 XF0 3 XM1 3 XM0 3 PFE0 LU1 3 PFE0 LU2 3 PFE1 LU1 5 Top 5 Bottom 6 Fan Intake 6 Fan Exhaust 6 PMB 6 LMB0 6 LMB1 6 LMB2 6 PFE1 LU2 6 PFE1 LU0 6 PFE0 LU0 6 XF1 6 XF0 6 XM1 6 XM0 6 PFE0 LU1 6 PFE0 LU2 6 PFE1 LU1 GBUS Display Left Front fan Left Middle fan Left Rear fan Right Front fan


42 degrees C / 107 degrees F 42 degrees C / 107 degrees F 42 degrees C / 107 degrees F 43 degrees C / 109 degrees F 45 degrees C / 113 degrees F 34 degrees C / 93 degrees F 48 degrees C / 118 degrees F 47 degrees C / 116 degrees F 50 degrees C / 122 degrees F 41 degrees C / 105 degrees F 35 degrees C / 95 degrees F 46 degrees C / 114 degrees F 41 degrees C / 105 degrees F 57 degrees C / 134 degrees F 46 degrees C / 114 degrees F 52 degrees C / 125 degrees F 41 degrees C / 105 degrees F 50 degrees C / 122 degrees F 56 degrees C / 132 degrees F 45 degrees C / 113 degrees F 37 degrees C / 98 degrees F 36 degrees C / 96 degrees F 51 degrees C / 123 degrees F 43 degrees C / 109 degrees F 57 degrees C / 134 degrees F 54 degrees C / 129 degrees F 38 degrees C / 100 degrees F 63 degrees C / 145 degrees F 45 degrees C / 113 degrees F 69 degrees C / 156 degrees F 62 degrees C / 143 degrees F 63 degrees C / 145 degrees F 43 degrees C / 109 degrees F 67 degrees C / 152 degrees F 63 degrees C / 145 degrees F 66 degrees C / 150 degrees F 41 degrees C / 105 degrees F 39 degrees C / 102 degrees F 38 degrees C / 100 degrees F 33 degrees C / 91 degrees F 49 degrees C / 120 degrees F 40 degrees C / 104 degrees F 60 degrees C / 140 degrees F 58 degrees C / 136 degrees F 40 degrees C / 104 degrees F 69 degrees C / 156 degrees F 45 degrees C / 113 degrees F 71 degrees C / 159 degrees F 58 degrees C / 136 degrees F 65 degrees C / 149 degrees F 39 degrees C / 102 degrees F 66 degrees C / 150 degrees F 69 degrees C / 156 degrees F 69 degrees C / 156 degrees F 42 degrees C / 107 degrees F 24 degrees C / 75 degrees F 27 degrees C / 80 degrees F Spinning at high speed Spinning at high speed Spinning at high speed Spinning at high speed



Misc

show chassis environment (TX Matrix Router)

Top Right Middle fan Top Right Rear fan Bottom Left Front fan Bottom Left Middle fan Bottom Left Rear fan Bottom Right Front fan Bottom Right Middle fan Bottom Right Rear fan Rear Tray Top fan Rear Tray Second fan Rear Tray Third fan Rear Tray Fourth fan Rear Tray Fifth fan Rear Tray Sixth fan Rear Tray Seventh fan Rear Tray Bottom fan CIP SPMB 0 SPMB 1

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning

at at at at at at at at at at at at at at at at

high high high high high high high high high high high high high high high high

speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed speed

user@host> show chassis environment scc-re0: -------------------------------------------------------------------------Class Item Status Measurement Temp PEM 0 Absent PEM 1 OK 29 degrees C / 84 degrees F Routing Engine 0 OK 34 degrees C / 93 degrees F Routing Engine 1 OK 34 degrees C / 93 degrees F CB 0 OK 32 degrees C / 89 degrees F CB 1 OK 32 degrees C / 89 degrees F SIB 0 OK 44 degrees C / 111 degrees F SIB 0 (B) OK 44 degrees C / 111 degrees F FPM GBUS OK 27 degrees C / 80 degrees F FPM Display OK 32 degrees C / 89 degrees F Fans Top Left Front fan OK Spinning at normal speed Top Left Middle fan OK Spinning at normal speed Top Left Rear fan OK Spinning at normal speed Top Right Front fan OK Spinning at normal speed Top Right Middle fan OK Spinning at normal speed Top Right Rear fan OK Spinning at normal speed Bottom Left Front fan OK Spinning at normal speed Bottom Left Middle fan OK Spinning at normal speed Bottom Left Rear fan OK Spinning at normal speed Bottom Right Front fan OK Spinning at normal speed Bottom Right Middle fan OK Spinning at normal speed Bottom Right Rear fan OK Spinning at normal speed Rear Tray Top fan OK Spinning at normal speed Rear Tray Second fan OK Spinning at normal speed Rear Tray Third fan OK Spinning at normal speed Rear Tray Fourth fan OK Spinning at normal speed Rear Tray Fifth fan OK Spinning at normal speed Rear Tray Sixth fan OK Spinning at normal speed Rear Tray Seventh fan OK Spinning at normal speed Rear Tray Bottom fan OK Spinning at normal speed Misc CIP 0 OK CIP 1 OK SPMB 0 OK SPMB 1 OK lcc0-re0: --------------------------------------------------------------------------


943

®


Class Item Status Temp PEM 0 OK PEM 1 Absent SCG 0 OK SCG 1 Absent Routing Engine 0 OK Routing Engine 1 OK CB 0 OK CB 1 OK SIB 0 OK SIB 0 (B) OK FPC 0 Top OK FPC 0 Bottom OK FPC 1 Top OK FPC 1 Bottom OK FPM GBUS OK FPM Display OK Fans Top Left Front fan OK Top Left Middle fan OK Top Left Rear fan OK Top Right Front fan OK Top Right Middle fan OK Top Right Rear fan OK Bottom Left Front fan OK Bottom Left Middle fan OK Bottom Left Rear fan OK Bottom Right Front fan OK Bottom Right Middle fan OK Bottom Right Rear fan OK Rear Tray Top fan OK Rear Tray Second fan OK Rear Tray Third fan OK Rear Tray Fourth fan OK Rear Tray Fifth fan OK Rear Tray Sixth fan OK Rear Tray Seventh fan OK Rear Tray Bottom fan OK Misc CIP OK SPMB 0 OK SPMB 1 OK

Measurement 29 degrees C / 84 degrees F 35 degrees C / 95 degrees F 39 degrees C / 102 degrees F 36 degrees C / 96 degrees F 32 degrees C / 89 degrees F 32 degrees C / 89 degrees F 40 degrees C / 104 degrees F 51 degrees C / 123 degrees F 45 degrees C / 113 degrees F 31 degrees C / 87 degrees F 34 degrees C / 93 degrees F 31 degrees C / 87 degrees F 30 degrees C / 86 degrees F 34 degrees C / 93 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

lcc2-re0: -------------------------------------------------------------------------Class Item Status Measurement Temp PEM 0 OK 29 degrees C / 84 degrees F PEM 1 Absent SCG 0 OK 32 degrees C / 89 degrees F SCG 1 Absent Routing Engine 0 OK 31 degrees C / 87 degrees F Routing Engine 1 OK 32 degrees C / 89 degrees F CB 0 OK 30 degrees C / 86 degrees F SIB 0 OK 38 degrees C / 100 degrees F SIB 0 (B) OK 49 degrees C / 120 degrees F FPC 0 Top OK 45 degrees C / 113 degrees F FPC 0 Bottom OK 33 degrees C / 91 degrees F FPC 1 Top OK 37 degrees C / 98 degrees F FPC 1 Bottom OK 33 degrees C / 91 degrees F FPM GBUS OK 30 degrees C / 86 degrees F FPM Display OK 34 degrees C / 93 degrees F Fans Top Left Front fan OK Spinning at normal speed

944



Top Left Middle fan

OK

Spinning at normal speed

...


show chassis environment (TX Matrix Plus Router)

user@host> show chassis environment Class Item Temp PEM 0 PEM 1 SCG 0 SCG 1 Routing Engine 0 Routing Engine 1 CB 0 CB 1 SIB 0 SIB 0 (B) SIB 1 SIB 1 (B) SIB 2 SIB 2 (B) SIB 3 SIB 3 (B) SIB 4 SIB 4 (B) FPC 0 Top FPC 0 Bottom FPC 1 Top FPC 1 Bottom FPM GBUS FPM Display Fans Top Left Front fan Top Left Middle fan Top Left Rear fan Top Right Front fan Top Right Middle fan Top Right Rear fan Bottom Left Front fan Bottom Left Middle fan Bottom Left Rear fan Bottom Right Front fan Bottom Right Middle fan Bottom Right Rear fan Rear Tray Top fan Rear Tray Second fan Rear Tray Third fan Rear Tray Fourth fan Rear Tray Fifth fan Rear Tray Sixth fan Rear Tray Seventh fan Rear Tray Bottom fan Misc CIP SPMB 0 SPMB 1

Status OK Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Measurement 27 degrees C / 80 degrees F 31 degrees C / 87 degrees F 35 degrees C / 95 degrees F 30 degrees C / 86 degrees F 30 degrees C / 86 degrees F 31 degrees C / 87 degrees F 31 degrees C / 87 degrees F 41 degrees C / 105 degrees F 34 degrees C / 93 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 0 degrees C / 32 degrees F 49 degrees C / 120 degrees F 50 degrees C / 122 degrees F 48 degrees C / 118 degrees F 49 degrees C / 120 degrees F 27 degrees C / 80 degrees F 30 degrees C / 86 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed

user@host> show chassis environment sfc0-re0: -------------------------------------------------------------------------Class Item Status Measurement Temp PEM 0 OK 28 degrees C / 82 degrees F PEM 1 Absent Routing Engine 0 OK 27 degrees C / 80 degrees F Routing Engine 1 OK 29 degrees C / 84 degrees F


945

®


Fans

946

CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B SIB F13 0 SIB F13 0 (B) SIB F13 1 SIB F13 1 (B) SIB F2S 0/0 SIB F2S 0/2 SIB F2S 0/4 SIB F2S 0/6 SIB F2S 1/0 SIB F2S 1/2 SIB F2S 1/4 SIB F2S 1/6 SIB F2S 2/0 SIB F2S 2/2 SIB F2S 2/4 CIP 0 Intake CIP 0 Exhaust A CIP 0 Exhaust B CIP 1 Intake CIP 1 Exhaust A CIP 1 Exhaust B Fan Tray 0 Fan 1 Fan Tray 0 Fan 2 Fan Tray 0 Fan 3 Fan Tray 0 Fan 4 Fan Tray 0 Fan 5 Fan Tray 0 Fan 6 Fan Tray 1 Fan 1 Fan Tray 1 Fan 2 Fan Tray 1 Fan 3 Fan Tray 1 Fan 4 Fan Tray 1 Fan 5 Fan Tray 1 Fan 6 Fan Tray 2 Fan 1 Fan Tray 2 Fan 2 Fan Tray 2 Fan 3 Fan Tray 2 Fan 4 Fan Tray 2 Fan 5 Fan Tray 2 Fan 6 Fan Tray 2 Fan 7 Fan Tray 2 Fan 8 Fan Tray 2 Fan 9 Fan Tray 3 Fan 1 Fan Tray 3 Fan 2 Fan Tray 3 Fan 3 Fan Tray 3 Fan 4 Fan Tray 3 Fan 5 Fan Tray 3 Fan 6 Fan Tray 3 Fan 7 Fan Tray 3 Fan 8 Fan Tray 3 Fan 9 Fan Tray 4 Fan 1 Fan Tray 4 Fan 2 Fan Tray 4 Fan 3 Fan Tray 4 Fan 4


26 degrees C / 78 degrees F 25 degrees C / 77 degrees F 25 degrees C / 77 degrees F 26 degrees C / 78 degrees F 26 degrees C / 78 degrees F 26 degrees C / 78 degrees F 47 degrees C / 116 degrees F 48 degrees C / 118 degrees F 38 degrees C / 100 degrees F 37 degrees C / 98 degrees F 27 degrees C / 80 degrees F 28 degrees C / 82 degrees F 27 degrees C / 80 degrees F 28 degrees C / 82 degrees F 26 degrees C / 78 degrees F 26 degrees C / 78 degrees F 26 degrees C / 78 degrees F 26 degrees C / 78 degrees F 25 degrees C / 77 degrees F 25 degrees C / 77 degrees F 23 degrees C / 73 degrees F 23 degrees C / 73 degrees F 24 degrees C / 75 degrees F 24 degrees C / 75 degrees F 24 degrees C / 75 degrees F 25 degrees C / 77 degrees F 25 degrees C / 77 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed Spinning at normal speed



Misc

Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray Fan Tray SPMB 0 SPMB 1

4 4 4 4 4 5 5 5 5 5 5 5 5 5

Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan Fan

5 6 7 8 9 1 2 3 4 5 6 7 8 9

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning Spinning

at at at at at at at at at at at at at at

normal normal normal normal normal normal normal normal normal normal normal normal normal normal

speed speed speed speed speed speed speed speed speed speed speed speed speed speed

lcc0-re0: -------------------------------------------------------------------------Class Item Status Measurement Temp PEM 0 OK 27 degrees C / 80 degrees F PEM 1 Absent SCG 0 OK 31 degrees C / 87 degrees F SCG 1 OK 35 degrees C / 95 degrees F Routing Engine 0 OK 30 degrees C / 86 degrees F Routing Engine 1 OK 30 degrees C / 86 degrees F CB 0 OK 31 degrees C / 87 degrees F CB 1 OK 31 degrees C / 87 degrees F SIB 0 OK 41 degrees C / 105 degrees F SIB 0 (B) OK 34 degrees C / 93 degrees F SIB 1 OK 0 degrees C / 32 degrees F SIB 1 (B) OK 0 degrees C / 32 degrees F SIB 2 OK 0 degrees C / 32 degrees F SIB 2 (B) OK 0 degrees C / 32 degrees F SIB 3 OK 0 degrees C / 32 degrees F SIB 3 (B) OK 0 degrees C / 32 degrees F SIB 4 OK 0 degrees C / 32 degrees F SIB 4 (B) OK 0 degrees C / 32 degrees F FPC 0 Top OK 49 degrees C / 120 degrees F FPC 0 Bottom OK 50 degrees C / 122 degrees F FPC 1 Top OK 48 degrees C / 118 degrees F FPC 1 Bottom OK 49 degrees C / 120 degrees F FPM GBUS OK 27 degrees C / 80 degrees F FPM Display OK 30 degrees C / 86 degrees F Fans Top Left Front fan OK Spinning at normal speed Top Left Middle fan OK Spinning at normal speed Top Left Rear fan OK Spinning at normal speed Top Right Front fan OK Spinning at normal speed Top Right Middle fan OK Spinning at normal speed Top Right Rear fan OK Spinning at normal speed Bottom Left Front fan OK Spinning at normal speed Bottom Left Middle fan OK Spinning at normal speed Bottom Left Rear fan OK Spinning at normal speed Bottom Right Front fan OK Spinning at normal speed Bottom Right Middle fan OK Spinning at normal speed Bottom Right Rear fan OK Spinning at normal speed Rear Tray Top fan OK Spinning at normal speed Rear Tray Second fan OK Spinning at normal speed Rear Tray Third fan OK Spinning at normal speed Rear Tray Fourth fan OK Spinning at normal speed Rear Tray Fifth fan OK Spinning at normal speed


947

®


OK OK OK OK OK OK

Spinning at normal speed Spinning at normal speed Spinning at normal speed

user@host> show chassis environment Class Item Power FPC 0 Power Supply 0 FPC 0 Power Supply 1 Temp FPC 0 CPU FPC 0 EX-PFE1 FPC 0 EX-PFE2 FPC 0 GEPHY Front Left FPC 0 GEPHY Front Right FPC 0 Uplink Conn Fans FPC 0 Fan 1 FPC 0 Fan 2 FPC 0 Fan 3

Status OK Absent OK OK OK OK OK OK OK OK OK

Measurement

user@switch> show chassis environment Class Item Power FPC 0 Power Supply 0 FPC 0 Power Supply 1 Temp FPC 0 Sensor TopLeft I FPC 0 Sensor TopRight I FPC 0 Sensor TopLeft E FPC 0 Sensor TopRight E FPC 0 Sensor TopMiddle I FPC 0 Sensor TopMiddle E FPC 0 Sensor Bottom I FPC 0 Sensor Bottom E FPC 0 Sensor Die Temp FPC 0 Sensor Mgmnt Brd I FPC 0 Sensor Switch I Fans FPC 0 Fan 1 (left) FPC 0 Fan 2 (right) FPC 0 Fan 3 (middle)

Status OK OK OK OK OK OK OK OK OK OK OK OK OK Failed OK OK

Measurement

Misc

show chassis environment (EX4200 Standalone Switch)

show chassis environment (QFX Series)

show chassis environment node-device (QFabric Switch)

show chassis environment pem (QFX Series)

948

Rear Rear Rear CIP SPMB SPMB

Tray Sixth fan Tray Seventh fan Tray Bottom fan 0 1

41 degrees C / 105 degrees F 42 degrees C / 107 degrees F 46 degrees C / 114 degrees F 25 degrees C / 77 degrees F 27 degrees C / 80 degrees F 29 degrees C / 84 degrees F Spinning at normal speed Spinning at normal speed Spinning at normal speed

26 24 30 30 30 38 34 38 38 24 28

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C

/ / / / / / / / / / /

78 degrees F 75 degrees F 86 degrees F 86 degrees F 86 degrees F 100 degrees F 93 degrees F 100 degrees F 100 degrees F 75 degrees F 82 degrees F

Spinning at normal speed Spinning at normal speed

user@switch> show chassis environment node-device node1 Class Item Status Measurement Power node1 Power Supply 0 Absent node1 Power Supply 1 Absent Fans node1 Fan Tray 0 Testing node1 Fan Tray 1 Testing node1 Fan Tray 2 Testing user@switch> show chassis environment pem FPC 0 PEM 0 status: State Check Airflow Front to Back Temperature OK AC Input: OK DC Output Voltage(V) Current(A) 12 10 FPC 0 PEM 1 status: State Online Airflow Back to Front Temperature OK

Power(W) 120

Load(%) 18



AC Input: DC Output

show chassis environment (PTX5000 Packet Transport Switch)

OK Voltage(V) Current(A) 11 10

user@switch> show chassis environment Class Item Temp PDU 0 PDU 0 PSM 0 PDU 0 PSM 1 PDU 0 PSM 2 PDU 0 PSM 3 PDU 1 CCG 0 CCG 1 Routing Engine 0 Routing Engine 0 CPU Routing Engine 1 Routing Engine 1 CPU CB 0 Intake CB 0 Exhaust A CB 0 Exhaust B CB 1 Intake CB 1 Exhaust A CB 1 Exhaust B SIB 0 Intake SIB 0 Exhaust SIB 0 Junction SIB 1 Intake SIB 1 Exhaust SIB 1 Junction SIB 2 Intake SIB 2 Exhaust SIB 2 Junction SIB 3 Intake SIB 3 Exhaust SIB 3 Junction SIB 4 Intake SIB 4 Exhaust SIB 4 Junction SIB 5 Intake SIB 5 Exhaust SIB 5 Junction SIB 6 Intake SIB 6 Exhaust SIB 6 Junction SIB 7 Intake SIB 7 Exhaust SIB 7 Junction SIB 8 Intake SIB 8 Exhaust SIB 8 Junction FPC 0 PMB FPC 0 Intake FPC 0 Exhaust A FPC 0 Exhaust B FPC 0 TL0 FPC 0 TQ0 FPC 0 TL1 FPC 0 TQ1 FPC 0 TL2 FPC 0 TQ2


Status OK OK OK OK OK Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Power(W) 110

Load(%) 17

Measurement 36 38 38 37


C C C C

/ / / /

96 degrees F 100 degrees F 100 degrees F 98 degrees F

44 44 62 75 51 64 38 46 42 35 39 36 39 37 43 39 36 46 37 37 42 40 40 45 47 44 58 58 43 71 57 42 65 58 42 66 57 42 70 35 33 51 43 48 53 56 58 55 56

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

111 degrees F 111 degrees F 143 degrees F 167 degrees F 123 degrees F 147 degrees F 100 degrees F 114 degrees F 107 degrees F 95 degrees F 102 degrees F 96 degrees F 102 degrees F 98 degrees F 109 degrees F 102 degrees F 96 degrees F 114 degrees F 98 degrees F 98 degrees F 107 degrees F 104 degrees F 104 degrees F 113 degrees F 116 degrees F 111 degrees F 136 degrees F 136 degrees F 109 degrees F 159 degrees F 134 degrees F 107 degrees F 149 degrees F 136 degrees F 107 degrees F 150 degrees F 134 degrees F 107 degrees F 158 degrees F 95 degrees F 91 degrees F 123 degrees F 109 degrees F 118 degrees F 127 degrees F 132 degrees F 136 degrees F 131 degrees F 132 degrees F

949

®


FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC PIC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC PIC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC PIC PIC PIC PIC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC FPC

950

0 TL3 0 TQ3 2 PMB 2 Intake 2 Exhaust A 2 Exhaust B 2 TL0 2 TQ0 2 TL1 2 TQ1 2 TL2 2 TQ2 2 TL3 2 TQ3 2/0 Ambient 3 PMB 3 Intake 3 Exhaust A 3 Exhaust B 3 TL0 3 TQ0 3 TL1 3 TQ1 3 TL2 3 TQ2 3 TL3 3 TQ3 3/1 5 PMB 5 Intake 5 Exhaust A 5 Exhaust B 5 TL0 5 TQ0 5 TL1 5 TQ1 5 TL2 5 TQ2 5 TL3 5 TQ3 5/0 Ambient 5/1 Ambient 5/1 cfp-5/1/0 5/1 cfp-5/1/1 6 PMB 6 Intake 6 Exhaust A 6 Exhaust B 6 TL0 6 TQ0 6 TL1 6 TQ1 6 TL2 6 TQ2 6 TL3 6 TQ3 7 PMB 7 Intake 7 Exhaust A 7 Exhaust B 7 TL0

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK Absent OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

59 59 35 34 51 52 53 53 57 58 54 59 60 64 49 34 35 54 49 49 55 56 58 56 59 62 63

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / /

138 degrees F 138 degrees F 95 degrees F 93 degrees F 123 degrees F 125 degrees F 127 degrees F 127 degrees F 134 degrees F 136 degrees F 129 degrees F 138 degrees F 140 degrees F 147 degrees F 120 degrees F 93 degrees F 95 degrees F 129 degrees F 120 degrees F 120 degrees F 131 degrees F 132 degrees F 136 degrees F 132 degrees F 138 degrees F 143 degrees F 145 degrees F

35 34 51 53 54 52 61 60 55 55 59 58 51 34 34 36 36 33 51 39 44 54 59 58 60 57 65 60 35 33 53 40 46

degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees degrees

C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

95 degrees F 93 degrees F 123 degrees F 127 degrees F 129 degrees F 125 degrees F 141 degrees F 140 degrees F 131 degrees F 131 degrees F 138 degrees F 136 degrees F 123 degrees F 93 degrees F 93 degrees F 96 degrees F 96 degrees F 91 degrees F 123 degrees F 102 degrees F 111 degrees F 129 degrees F 138 degrees F 136 degrees F 140 degrees F 134 degrees F 149 degrees F 140 degrees F 95 degrees F 91 degrees F 127 degrees F 104 degrees F 114 degrees F



Fans

Misc


FPC 7 TQ0 FPC 7 TL1 FPC 7 TQ1 FPC 7 TL2 FPC 7 TQ2 FPC 7 TL3 FPC 7 TQ3 FPM I2CS Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 0 Fan Fan Tray 1 Fan Fan Tray 1 Fan Fan Tray 1 Fan Fan Tray 1 Fan Fan Tray 1 Fan Fan Tray 1 Fan Fan Tray 2 Fan Fan Tray 2 Fan Fan Tray 2 Fan Fan Tray 2 Fan Fan Tray 2 Fan Fan Tray 2 Fan SPMB 0 Intake SPMB 1 Intake

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 1 2 3 4 5 6

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

58 degrees 53 degrees 59 degrees 56 degrees 61 degrees 63 degrees 63 degrees 37 degrees 3042 RPM 3042 RPM 3000 RPM 3042 RPM 3000 RPM 3042 RPM 3085 RPM 3042 RPM 3042 RPM 3085 RPM 3085 RPM 3128 RPM 3128 RPM 3042 RPM 2299 RPM 2399 RPM 2299 RPM 2266 RPM 2266 RPM 2366 RPM 2199 RPM 2133 RPM 2366 RPM 2233 RPM 2399 RPM 2233 RPM 50 degrees 40 degrees

C C C C C C C C

/ / / / / / / /

136 degrees F 127 degrees F 138 degrees F 132 degrees F 141 degrees F 145 degrees F 145 degrees F 98 degrees F

C / 122 degrees F C / 104 degrees F

951

®


show chassis environment cb Syntax

show chassis environment cb







Release Information

Command introduced before Junos Release 7.4. Command introduced in Junos OS Release 9.4 for EX Series switches. Command introduced in Junos OS Release 12.1 for PTX Series Packet Transport Switches. Command introduced in Junos OS Release 12.1 for T4000 Core Routers. sfc option introduced for the TX Matrix Plus router in Junos Release 9.6.

Description

(M120, M320. MX Series, and T Series routers, EX8200 switches, and PTX Series Packet Transport Switches only) Display environmental information about the Control Boards (CBs). For information about the meaning of “CBs” on the switches, see “EX Series Switches Hardware and CLI Terminology Mapping” on page 847.

Options

none—Display environmental information about all CBs. For a TX Matrix router, display

environmental information about all CBs on the TX Matrix router and its attached T640 routers. For a TX Matrix Plus router, display environmental information about all CBs on the TX Matrix Plus router and its attached T1600 routers. all-members—(MX Series routers only) (Optional) Display environmental information

about the CBs on all the members of the Virtual Chassis configuration. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) For a TX Matrix router,

display environmental information about the CBs in a specified T640 router (or line-card chassis) that is connected to the TX Matrix router. For a TX Matrix Plus router, display environmental information about the CBs in a specified T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display environmental information about the

CBs on the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display environmental

information about the CBs on the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1.

952



scc —(TX Matrix router only) (Optional) Display environmental information about the

CBs in the TX Matrix router (or switch-card chassis). sfc number—(TX Matrix Plus router only) (Optional) Display environmental information

about the CBs in the TX Matrix Plus router (or switch-fabric chassis). slot—(Optional) Display environmental information about the specified CB. On routers

and PTX Series switches, replace slot with 0 or 1. On EX series switches, replace slot with 0, 1, or 2. Required Privilege Level

view



•

request chassis cb on page 906

•

Switching Control Board Redundancy

•

Routing Engine and Switching Control Board Redundancy Configuration Statements

show chassis environment cb (M120 Router) on page 954 show chassis environment cb (M320 Router) on page 955 show chassis environment cb (MX80 Router) on page 955 show chassis environment cb (MX240 Router) on page 955 show chassis environment cb (MX240 Router with Enhanced MX SCB) on page 956 show chassis environment cb (MX480 Router) on page 956 show chassis environment cb (MX480 Router with Enhanced MX SCB) on page 957 show chassis environment cb (MX960 Router) on page 957 show chassis environment cb (MX960 Router with Enhanced MX SCB) on page 957 show chassis environment cb (T4000 Core Router) on page 958 show chassis environment cb (TX Matrix Router) on page 959 show chassis environment cb (TX Matrix Plus Router) on page 959 show chassis environment cb (EX8200 Switch) on page 963 show chassis environment cb (EX8208 Switch) on page 964 show chassis environment cb (PTX5000 Packet Transport Switch) on page 965

Output Fields

Table 124 on page 953 lists the output fields for the show chassis environment cb command. Output fields are listed in the approximate order in which they appear.

Table 124: show chassis environment cb Output Fields Field Name

Field Description

State

Status of the CB. If two CBs are installed and online, one is functioning as the master, and the other is the standby. •

Online—CB is online and running.

•

Offline— CB is powered down.

NOTE: On the EX8208 switch, the installation can include three CBs. See “EX Series Switches Hardware and CLI Terminology Mapping” on page 847.


953

®


Table 124: show chassis environment cb Output Fields (continued) Field Name

Field Description

Temperature

Temperature in Celsius (C) and Fahrenheit (F) of the air flowing past the CB. •

Temperature Intake—Measures the temperature of the air intake to cool the power supplies.

•

Temperature Exhaust—Measures the temperature of the hot air exhaust.

Power

Power required and measured on the CB. The left column displays the required power, in volts. The right column displays the measured power, in millivolts.

BUS Revision

Revision level of the generic bus device. (Not on switches.)

FPGA Revision

Revision level of the field-programmable gate array (FPGA). (Not on switches.)

PMBus device (on

Enhanced SCB on MX 240, MX480, and MX960 routers allows the system to save power by supplying only the amount of voltage that is required. Configurable PMBus devices are used to provide the voltage for each individual device. There is one PMBus device for each XF ASIC so that the output can be customized to each device. The following PMBus device information is displayed for routers with Enhanced MX SCB:

MX240, MX480, and MX960 routers with Enhanced MX SCB)

•

Expected voltage

•

Measured voltage

•

Measured current

•

Calculated power

Sample Output show chassis environment cb (M120 Router)

954

user@host> show chassis environment cb CB 0 status: State Online Master Temperature 33 degrees C / 91 degrees F Power 1.2 V 1214 mV 1.5 V 1495 mV 2.5 V 2494 mV 3.3 V 3319 mV 5.0 V 5085 mV 3.3 V bias 3296 mV Bus Revision 12 FPGA Revision 17 CB 1 status: State Online Standby Temperature 34 degrees C / 93 degrees F Power 1.2 V 1195 mV 1.5 V 1495 mV 2.5 V 2504 mV 3.3 V 3312 mV 5.0 V 5111 mV 3.3 V bias 3296 mV Bus Revision 12 FPGA Revision 17



show chassis environment cb (M320 Router)

user@host> show chassis environment cb CB 0 status: State Online Master Temperature 29 degrees C / 84 degrees F Power: 1.8 V 1805 mV 2.5 V 2501 mV 3.3 V 3293 mV 4.6 V 4725 mV 5.0 V 5032 mV 12.0 V 11975 mV 3.3 V bias 3286 mV 8.0 V bias 7589 mV BUS Revision 40 FPGA Revision 7 CB 1 status: State Online Standby Temperature 32 degrees C / 89 degrees F Power: 1.8 V 1802 mV 2.5 V 2482 mV 3.3 V 3289 mV 4.6 V 4720 mV 5.0 V 5001 mV 12.0 V 11946 mV 3.3 V bias 3274 mV 8.0 V bias 7562 mV BUS Revision 40 FPGA Revision 7

show chassis environment cb (MX80 Router)

user@host> show chassis environment cb CB 0 status: State Online Master Temperature 36 degrees C / 96 degrees F Power 1 1.0 V 1034 mV 1.0 V MQ 1037 mV 1.0 V LU 1005 mV 1.2 V 1218 mV 1.5 V 1524 mV 1.8 V 1814 mV 2.5 V 2558 mV 3.3 V 3296 mV 5.0 V 5233 mV 5.0 V bias 5207 mV 12.0 V 12162 mV


user@host> show chassis environment cb CB 0 status: State Online Standby Temperature 37 degrees C / 98 degrees F Power 1 1.2 V 1208 mV 1.5 V 1521 mV 1.8 V 1811 mV 2.5 V 2513 mV 3.3 V 3332 mV 5.0 V 5059 mV 12.0 V 12162 mV 1.25 V 1260 mV


955

®


3.3 V SM3 5.0 V RE 12.0 V RE Power 2 11.3 V bias PEM 4.6 V bias MidPlane 11.3 V bias FPD 11.3 V bias POE 0 11.3 V bias POE 1 Bus Revision FPGA Revision

show chassis environment cb (MX240 Router with Enhanced MX SCB)


956

3306 mV 5085 mV 11872 mV 11272 4827 11272 11292 11253 42 1

mV mV mV mV mV

user@host> show chassis environment cb CB 0 status: State Online Standby Temperature 37 degrees C / 98 degrees F Power 1 1.2 V 1208 mV 1.5 V 1521 mV 1.8 V 1811 mV 2.5 V 2513 mV 3.3 V 3332 mV 5.0 V 5059 mV 12.0 V 12162 mV 1.25 V 1260 mV 3.3 V SM3 3306 mV 5.0 V RE 5085 mV 12.0 V RE 11872 mV Power 2 11.3 V bias PEM 11272 mV 4.6 V bias MidPlane 4827 mV 11.3 V bias FPD 11272 mV 11.3 V bias POE 0 11292 mV 11.3 V bias POE 1 11253 mV Bus Revision 42 FPGA Revision 1 PMBus Expected Measured Measured Calculated device voltage voltage current power XF ASIC A 1000 mV 997 mV 11031 mA 10997 mW XF ASIC B 1000 mV 996 mV 12125 mA 12076 mW user@host> show chassis environment cb CB 0 status: State Online Master Temperature 41 degrees C / 105 degrees F Power 1 1.2 V 1202 mV 1.5 V 1511 mV 1.8 V 1798 mV 2.5 V 2507 mV 3.3 V 3312 mV 5.0 V 5027 mV 12.0 V 12200 mV 1.25 V 1260 mV 3.3 V SM3 3293 mV 5 V RE 5040 mV 12 V RE 11910 mV Power 2 11.3 V bias PEM 11156 mV 4.6 V bias MidPlane 4801 mV 11.3 V bias FPD 11214 mV



11.3 V bias POE 0 11.3 V bias POE 1 Bus Revision FPGA Revision


11098 mV 11330 mV 42 1

user@host> show chassis environment cb CB 0 status: State Online Master Temperature 41 degrees C / 105 degrees F Power 1 1.2 V 1202 mV 1.5 V 1511 mV 1.8 V 1798 mV 2.5 V 2507 mV 3.3 V 3312 mV 5.0 V 5027 mV 12.0 V 12200 mV 1.25 V 1260 mV 3.3 V SM3 3293 mV 5 V RE 5040 mV 12 V RE 11910 mV Power 2 11.3 V bias PEM 11156 mV 4.6 V bias MidPlane 4801 mV 11.3 V bias FPD 11214 mV 11.3 V bias POE 0 11098 mV 11.3 V bias POE 1 11330 mV Bus Revision 42 FPGA Revision 1 PMBus Expected Measured Measured Calculated device voltage voltage current power XF ASIC A 1000 mV 997 mV 11031 mA 10997 mW XF ASIC B 1000 mV 996 mV 12125 mA 12076 mW


user@host> show chassis environment cb CB 0 status: State Online Master Temperature 24 degrees C / 75 degrees F Power 1 1.2 V 1965 mV 1.5 V 2465 mV 1.8 V 2990 mV 2.5 V 3296 mV 3.3 V 3296 mV 5.0 V 6593 mV 12.0 V 13187 mV 3.3 V bias 3296 mV 1.25 V 1994 mV 3.3 V SM3 3296 mV 5 V RE 6593 mV 12 V RE 13174 mV Power 2 Sensor failure Bus Revision 4 FPGA Revision 3


user@host> show chassis environment cb CB 0 status: State Online Master Temperature 24 degrees C / 75 degrees F Power 1


957

®


1.2 V 1.5 V 1.8 V 2.5 V 3.3 V 5.0 V 12.0 V 3.3 V bias 1.25 V 3.3 V SM3 5 V RE 12 V RE Power 2 Bus Revision FPGA Revision PMBus device XF ASIC A XF ASIC B

show chassis environment cb (T4000 Core Router)

958

1965 mV 2465 mV 2990 mV 3296 mV 3296 mV 6593 mV 13187 mV 3296 mV 1994 mV 3296 mV 6593 mV 13174 mV Sensor failure 4 3 Expected Measured Measured voltage voltage current 1000 mV 997 mV 11031 mA 1000 mV 996 mV 12125 mA

Calculated power 10997 mW 12076 mW

user@host> show chassis environment cb CB 0 status: State Online Master Temperature 33 degrees C / 91 degrees F Power 1 1.8 V 1805 mV 2.5 V 2523 mV 3.3 V 3324 mV 3.3 V bias 3296 mV 4.6 V 4680 mV 5.0 V 4893 mV 8.0 V bias 7572 mV 12.0 V 11916 mV Power 2 1.0 V 993 mV 1.2 V 1210 mV 3.3 V RE 3330 mV Bus Revision 51 FPGA Revision 5 CB 1 status: State Online Standby Temperature 33 degrees C / 91 degrees F Power 1 1.8 V 1810 mV 2.5 V 2496 mV 3.3 V 3308 mV 3.3 V bias 3286 mV 4.6 V 4692 mV 5.0 V 4954 mV 8.0 V bias 7282 mV 12.0 V 11926 mV Power 2 1.0 V 993 mV 1.2 V 1185 mV 3.3 V RE 3316 mV Bus Revision 51 FPGA Revision 5



show chassis environment cb (TX Matrix Router)

user@host> show chassis environment cb -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 32 degrees C / 89 degrees F Power: 1.8 V 1797 mV 2.5 V 2477 mV 3.3 V 3311 mV 4.6 V 4727 mV 5.0 V 5015 mV 12.0 V 12185 mV 3.3 V bias 3304 mV 8.0 V bias 7870 mV BUS Revision 40 FPGA Revision 1 CB 1 status: State Online Standby ... lcc0-re0: -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 32 degrees C / 89 degrees F Power: 1.8 V 1787 mV 2.5 V 2473 mV 3.3 V 3306 mV 4.6 V 4793 mV 5.0 V 5025 mV 12.0 V 12156 mV 3.3 V bias 3289 mV 8.0 V bias 7609 mV BUS Revision 40 FPGA Revision 5 CB 1 status: State Online Standby .... BUS Revision 40 FPGA Revision 5 lcc2-re0: -------------------------------------------------------------------------CB 0 status: State Online Master ... CB 1 status: State Online Standby ...

show chassis environment cb (TX Matrix Plus Router)

user@host> show chassis environment cb sfc0-re0: -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 38 degrees C / 100 degrees F Power 1 1.0 V 1005 mV 1.1 V 1108 mV 1.2 V 1205 mV


959

®


1.25 V 1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 9.0 V 9.0 V RE Power 2 3.9 V 5.0 V 9.0 V Bus Revision FPGA Revision CB 1 status: State Temperature Power 1 1.0 V 1.1 V 1.2 V 1.25 V 1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 9.0 V 9.0 V RE Power 2 3.9 V 5.0 V 9.0 V Bus Revision FPGA Revision

1269 1508 1814 2507 3306 3300 9058 9107

mV mV mV mV mV mV mV mV

3963 mV 5020 mV 9087 mV 79 23 Online Standby 39 degrees C / 102 degrees F 1002 1105 1198 1276 1504 1804 2507 3300 3293 9039 9049

mV mV mV mV mV mV mV mV mV mV mV

3892 mV 5040 mV 9058 mV 79 23

lcc0-re0: -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 39 degrees C / 102 degrees F Power 1 1.8 V 1799 mV 2.5 V 2499 mV 3.3 V 3327 mV 3.3 V bias 3299 mV 4.6 V 4673 mV 5.0 V 4918 mV 8.0 V bias 7308 mV 12.0 V 11887 mV Power 2 1.0 V 996 mV 1.2 V 1199 mV 3.3 V RE 3319 mV Bus Revision 51 FPGA Revision 3 CB 1 status: State Online Standby Temperature 40 degrees C / 104 degrees F Power 1 1.8 V 1800 mV

960



2.5 V 3.3 V 3.3 V bias 4.6 V 5.0 V 8.0 V bias 12.0 V Power 2 1.0 V 1.2 V 3.3 V RE Bus Revision FPGA Revision

2496 3322 3284 4680 4954 7284 11902

mV mV mV mV mV mV mV

998 mV 1205 mV 3327 mV 51 3

lcc1-re0: -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 41 degrees C / 105 degrees F Power 1 1.8 V 1804 mV 2.5 V 2517 mV 3.3 V 3300 mV 3.3 V bias 3284 mV 4.6 V 4681 mV 5.0 V 4927 mV 8.0 V bias 7357 mV 12.0 V 11907 mV Power 2 1.0 V 991 mV 1.2 V 1202 mV 3.3 V RE 3301 mV Bus Revision 51 FPGA Revision 3 CB 1 status: State Online Standby Temperature 40 degrees C / 104 degrees F Power 1 1.8 V 1805 mV 2.5 V 2528 mV 3.3 V 3324 mV 3.3 V bias 3289 mV 4.6 V 4694 mV 5.0 V 4959 mV 8.0 V bias 7311 mV 12.0 V 11926 mV Power 2 1.0 V 998 mV 1.2 V 1200 mV 3.3 V RE 3313 mV Bus Revision 51 FPGA Revision 3 lcc2-re0: -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 41 degrees C / 105 degrees F Power 1 1.8 V 1805 mV 2.5 V 2494 mV


961

®


3.3 V 3.3 V bias 4.6 V 5.0 V 8.0 V bias 12.0 V Power 2 1.0 V 1.2 V 3.3 V RE Bus Revision FPGA Revision CB 1 status: State Temperature Power 1 1.8 V 2.5 V 3.3 V 3.3 V bias 4.6 V 5.0 V 8.0 V bias 12.0 V Power 2 1.0 V 1.2 V 3.3 V RE Bus Revision FPGA Revision

3333 3296 4673 4901 7343 11916

mV mV mV mV mV mV

993 mV 1213 mV 3328 mV 51 3 Online Standby 41 degrees C / 105 degrees F 1804 2523 3334 3291 4697 4969 7308 11936


996 mV 1200 mV 3328 mV 51 3

lcc3-re0: -------------------------------------------------------------------------CB 0 status: State Online Master Temperature 37 degrees C / 98 degrees F Power 1 1.8 V 1809 mV 2.5 V 2510 mV 3.3 V 3296 mV 3.3 V bias 3291 mV 4.6 V 4670 mV 5.0 V 4905 mV 8.0 V bias 7211 mV 12.0 V 11882 mV Power 2 1.0 V 996 mV 1.2 V 1188 mV 3.3 V RE 3326 mV Bus Revision 51 FPGA Revision 5 CB 1 status: State Online Standby Temperature 38 degrees C / 100 degrees F Power 1 1.8 V 1813 mV 2.5 V 2510 mV 3.3 V 3322 mV 3.3 V bias 3289 mV 4.6 V 4692 mV 5.0 V 4967 mV

962



8.0 V bias 12.0 V Power 2 1.0 V 1.2 V 3.3 V RE Bus Revision FPGA Revision

show chassis environment cb (EX8200 Switch)

7194 mV 11916 mV 996 mV 1205 mV 3273 mV 51 5

user@host> show chassis environment cb CB 0 status: State Temperature Intake Temperature Exhaust Power 1 1.1 V 1.2 V 1.2 V * 1.2 V * 1.25 V 1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 5.0 V 12.0 V Power 2 3.3 V bias * 3.3 V bias * 3.3 V bias * 3.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 5.0 V bias CB 1 status: State Temperature Intake Temperature Exhaust Power 1 1.1 V 1.2 V 1.2 V * 1.2 V * 1.25 V 1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 5.0 V 12.0 V Power 2 3.3 V bias * 3.3 V bias * 3.3 V bias *


Online Master 20 degrees C / 68 degrees F 24 degrees C / 75 degrees F 1086 1179 1182 1182 1211 1472 1756 2449 3254 3300 4911 11891

mV mV mV mV mV mV mV mV mV mV mV mV

3615 3615 3567 3664 4224 4215 4224 4205 4195 4215 4920


Online Standby 19 degrees C / 66 degrees F 23 degrees C / 73 degrees F 1082 1169 1179 1179 1214 1482 1759 2481 3248 3306 4911 11910

mV mV mV mV mV mV mV mV mV mV mV mV

3644 mV 3664 mV 3586 mV

963

®


3.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 5.0 V bias CB 2 status: State Temperature Intake Temperature Exhaust Power 1 1.2 V 1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 12.0 V

show chassis environment cb (EX8208 Switch)

964

3654 4224 4215 4224 4205 4244 4215 4930


Online 19 degrees C / 66 degrees F 23 degrees C / 73 degrees F 1195 1511 1804 2526 3300 3306 12220


user@host> show chassis environment cb CB 0 status: State Online Master Temperature Intake 20 degrees C / Temperature Exhaust 24 degrees C / Power 1 1.1 V 1086 mV 1.2 V 1179 mV 1.2 V * 1182 mV 1.2 V * 1182 mV 1.25 V 1211 mV 1.5 V 1466 mV 1.8 V 1759 mV 2.5 V 2455 mV 3.3 V 3261 mV 3.3 V bias 3300 mV 5.0 V 4930 mV 12.0 V 11891 mV Power 2 3.3 V bias * 3606 mV 3.3 V bias * 3615 mV 3.3 V bias * 3567 mV 3.3 V bias * 3673 mV 4.3 V bias * 4224 mV 4.3 V bias * 4215 mV 4.3 V bias * 4234 mV 4.3 V bias * 4205 mV 4.3 V bias * 4186 mV 4.3 V bias * 4215 mV 5.0 V bias 4940 mV CB 1 status: State Online Standby Temperature Intake 19 degrees C / Temperature Exhaust 23 degrees C / Power 1 1.1 V 1086 mV 1.2 V 1169 mV 1.2 V * 1179 mV 1.2 V * 1179 mV 1.25 V 1211 mV

68 degrees F 75 degrees F

66 degrees F 73 degrees F



1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 5.0 V 12.0 V Power 2 3.3 V bias * 3.3 V bias * 3.3 V bias * 3.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 4.3 V bias * 5.0 V bias CB 2 status: State Temperature Intake Temperature Exhaust Power 1 1.2 V 1.5 V 1.8 V 2.5 V 3.3 V 3.3 V bias 12.0 V

show chassis environment cb (PTX5000 Packet Transport Switch)

1479 1759 2475 3235 3306 4930 11891


3644 3664 3586 3654 4215 4224 4215 4215 4234 4224 4920




user@host> show chassis environment cb CB 0 status: State Online Master Intake Temperature 38 degrees C / Exhaust A Temperature 45 degrees C / Exhaust B Temperature 42 degrees C / Power 1 1.2 V 1200 mV 1.25 V 1250 mV 2.5 V 2500 mV 3.3 V 3300 mV Power 2 1.0 V 1000 mV 3.3 V bias 3293 mV 3.9 V 3921 mV Bus Revision 132 FPGA Revision 27 CB 1 status: State Online Standby Intake Temperature 34 degrees C / Exhaust A Temperature 39 degrees C / Exhaust B Temperature 36 degrees C / Power 1 1.2 V 1199 mV 1.25 V 1250 mV 2.5 V 2499 mV 3.3 V 3299 mV Power 2 1.0 V 1000 mV


100 degrees F 113 degrees F 107 degrees F

93 degrees F 102 degrees F 96 degrees F

965

®


3.3 V bias 3.9 V Bus Revision FPGA Revision

966

3312 mV 3961 mV 132 28



show chassis environment fpc Syntax

show chassis environment fpc





Syntax (QFX Series)

show chassis environment fpc interconnect-device name

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Command introduced in Junos OS Release 12.1 for the PTX Series Packet Transport Switches. Command introduced in Junos OS Release 12.1 for the T4000 Core Routers.

Description

Options

(M40e, M120, M160, M320, MX Series, and T Series routers; EX Series, QFX Series, and PTX Series switches only) Display environmental information about Flexible PIC Concentrators (FPCs). none—Display environmental information about all FPCs. On a TX Matrix router, display

environmental information about all FPCs on the TX Matrix router and its attached T640 routers. On a TX Matrix Plus router, display environmental information about all FPCs on the TX Matrix Plus router and its attached T1600 routers. all-members—(MX Series routers only) (Optional) Display environmental information

for the FPCs in all the members of the Virtual Chassis configuration. interconnect-device name—(QFabric switches only) (Optional) Display chassis

environmental information for the Interconnect device. lcc number—(TX Matrix and TX Matrix Plus routers only) (Optional) On a TX Matrix router,

display environmental information about the FPC in a T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, display environmental information about the FPC in a T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display environmental information for the

FPCs in the local Virtual Chassis member.


967

®


member member-id—(MX Series routers only) (Optional) Display environmental

information for the FPCs in the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. slot or fpc-slot—(Optional) Display environmental information about an individual FPC: •

(TX Matrix and TX Matrix Plus routers only) On a TX Matrix router, if you specify the number of the T640 router by using only the lcc number option (the recommended method), replace slot with a value from 0 through 7. Similarly, on a TX Matrix Plus router, if you specify the number of the T1600 router by using only the lcc number option (the recommended method), replace slot with a value from 0 through 7. Otherwise, replace slot with a value from 0 through 31. For example, the following commands have the same result: user@host> show chassis environment fpc 1 lcc 1 user@host> show chassis environment fpc 9


968

•

M120 router—Replace slot with a value from 0 through 5.

•

MX240 router—Replace slot with a value from 0 through 2.

•


•


•

Other routers—Replace slot with a value from 0 through 7.

•


EX3200 switches and EX4200 standalone switches—Replace slot with 0.

•

EX4200 switches in a Virtual Chassis configuration—Replace slot with a value from 0 through 9.

•

EX6210 switches–Replace slot with a value from 0 through 9.

•

EX8208 switches—Replace slot with a value from 0 through 7.

•

EX8216 switches—Replace slot with a value from 0 through 15.

•

QFX3500 switches —Replace fpc-slot with 0 through 15.

•

PTX5000 Packet Transport Switch—Replace fpc-slot with 0 through 7.

view

•

request chassis fpc on page 910

•

show chassis fpc on page 1062

•

show chassis fpc-feb-connectivity

•

Configuring the Junos OS to Resynchronize FPC Sequence Numbers with Active FPCs when an FPC Comes Online

•

MX960 Flexible PIC Concentrator Description




show chassis environment fpc (M120 Router) on page 970 show chassis environment fpc (M160 Router) on page 971 show chassis environment fpc (M320 Router) on page 971 show chassis environment fpc (MX240 Router) on page 972 show chassis environment fpc (MX480 Router) on page 973 show chassis environment fpc (MX960 Router) on page 974 show chassis environment fpc (MX480 Router with 100-Gigabit Ethernet CFP) on page 975 show chassis environment fpc (T320, T640, and T1600 Routers) on page 976 show chassis environment fpc (T4000 Router) on page 977 show chassis environment fpc lcc (TX Matrix Router) on page 981 show chassis environment fpc lcc (TX Matrix Plus Router) on page 982 show chassis environment fpc (QFX Series) on page 983 show chassis environment fpc interconnect-device (QFabric Switches) on page 983 show chassis environment fpc 0 (PTX5000 Packet Transport Switch) on page 983

Output Fields

Table 125 on page 969 lists the output fields for the show chassis environment fpc command. Output fields are listed in the approximate order in which they appear.

Table 125: show chassis environment fpc Output Fields Field Name

Field Description

State

Status of the FPC: •

Unknown—FPC is not detected by the router.

•

Empty—No FPC is present.

•

Present—FPC is detected by the chassis daemon but is either not supported by the current version

of the Junos OS, or the FPC is coming up but not yet online. •

Ready—FPC is in intermediate or transition state.

•

Announce online—Intermediate state during which the FPC is coming up but not yet online, and the

chassis manager acknowledges the chassis FPC online initiative. •

Online—FPC is online and running.

•

Offline—FPC is powered down.

•

Diagnostics—FPC is set to operate in diagnostics mode.

Temperature

(M40e and M160 routers and QFX Series only) Temperature of the air flowing past the FPC.

PMB Temperature

(PTX Series only) Temperature of the air flowing past the PMB (bottom of the FPC).

Temperature Intake

(M320 routers and PTX Series only) Temperature of the air flowing into the chassis.

Temperature Top

(T Series routers only) Temperature of the air flowing past the top of the FPC.

Temperature Exhaust

(M120 and M320 routers and PTX Series only) Temperature of the air flowing out of the chassis. The PTX Series Packet Transport Switches include exhaust temperatures for multiple zones (Exhaust A andExhaust B).

Temperature Bottom

(T Series routers only) Temperature of the air flowing past the bottom of the FPC.


969

®


Table 125: show chassis environment fpc Output Fields (continued) Field Name

Field Description

TL n Temperature

(PTX Series only) Temperature of the air flowing past the specified TL area of the Packet Forwarding Engine on the FPC.

TQ n Temperature

(PTX Series only) Temperature of the air flowing past the specified TQ area of the Packet Forwarding Engine on the FPC.

Temperature MMBO

(T640 router only) Temperature of the air flowing past the type 3 FPC.

Temperature MMB1

(M320 and T Series routers only) Temperature of the air flowing past the type 1, type 2, and type 3 FPC.

Power

Information about the voltage supplied to the FPC. The left column displays the required power, in volts. The right column displays the measured power, in millivolts.

CMB Revision or BUS revision

Revision level of the chassis management bus device (M Series router) or bus (T Series routers).

Sample Output show chassis environment fpc (M120 Router)

970

user@host> show chassis environment fpc FPC 2 status: State Online Temperature Exhaust A 32 degrees Temperature Exhaust B 31 degrees Power A-Board 1.2 V 1202 mV 1.5 V 1508 mV 1.8 V 1798 mV 2.5 V 2507 mV 3.3 V 3351 mV 5.0 V 4995 mV 3.3 V bias 3296 mV 1.2 V Rocket IO 1205 mV 1.5 V Rocket IO 1501 mV I2C Slave Revision 12 FPC 3 status: State Online Temperature Exhaust A 31 degrees Temperature Exhaust B 33 degrees Power A-Board 1.2 V 1211 mV 1.5 V 1501 mV 1.8 V 1798 mV 2.5 V 2471 mV 3.3 V 3293 mV 5.0 V 4930 mV 3.3 V bias 3296 mV 1.2 V Rocket IO 1205 mV 1.5 V Rocket IO 1501 mV Power B-Board 1.2 V 1214 mV 1.5 V 1501 mV 2.5 V 2471 mV





3.3 V 5.0 V 3.3 V bias 1.2 V Rocket IO 1.5 V Rocket IO I2C Slave Revision FPC 4 status: State Temperature Exhaust A Temperature Exhaust B Power A-Board 1.2 V 1.5 V 1.8 V 2.5 V 3.3 V 5.0 V 3.3 V bias 1.2 V Rocket IO 1.5 V Rocket IO I2C Slave Revision

show chassis environment fpc (M160 Router)

show chassis environment fpc (M320 Router)

3300 4943 3296 1205 1501 12

mV mV mV mV mV

Online 32 degrees C / 89 degrees F 30 degrees C / 86 degrees F 1195 1504 1801 2504 3293 4917 3296 1202 1492 12

mV mV mV mV mV mV mV mV mV

user@host> show chassis environment fpc FPC 0 status: State Online Temperature 42 degrees C / 107 degrees F Power: 1.5 V 1500 mV 2.5 V 2509 mV 3.3 V 3308 mV 5.0 V 4991 mV 5.0 V bias 4952 mV 8.0 V bias 8307 mV CMB Revision 12 FPC 1 status: State Online Temperature 45 degrees C / 113 degrees F Power: 1.5 V 1498 mV 2.5 V 2501 mV 3.3 V 3319 mV 5.0 V 5020 mV 5.0 V bias 5025 mV 8.0 V bias 8307 mV CMB Revision 12 user@host> show chassis environment fpc FPC 0 status: State Online Temperature Intake 27 degrees C / 80 degrees F Temperature Exhaust 38 degrees C / 100 degrees F Temperature MMB1 31 degrees C / 87 degrees F Power: 1.5 V 1487 mV 1.5 V * 1494 mV 1.8 V 1821 mV 2.5 V 2533 mV 3.3 V 3323 mV 5.0 V 5028 mV 3.3 V bias 3296 mV 5.0 V bias 4984 mV


971

®


CMB Revision FPC 1 status: State Temperature Intake Temperature Exhaust Temperature MMB1 Power: 1.5 V 1.5 V * 1.8 V 2.5 V 3.3 V 5.0 V 3.3 V bias 5.0 V bias CMB Revision FPC 2 status: State Temperature Intake Temperature Exhaust Temperature MMB1 Power: 1.5 V 1.5 V * 1.8 V 2.5 V 3.3 V 5.0 V 3.3 V bias 5.0 V bias CMB Revision FPC 3 status: ...

show chassis environment fpc (MX240 Router)

972

16 Online 27 degrees C / 80 degrees F 37 degrees C / 98 degrees F 32 degrees C / 89 degrees F 1504 1499 1820 2529 3328 5013 3294 4984 16


Online 28 degrees C / 82 degrees F 38 degrees C / 100 degrees F 32 degrees C / 89 degrees F 1498 1487 1816 2531 3324 5025 3277 5013 17


user@host> show chassis environment fpc FPC 1 status: State Online Temperature Intake 34 degrees Temperature Exhaust A 39 degrees Temperature Exhaust B 53 degrees Temperature I3 0 TSensor 51 degrees Temperature I3 0 Chip 54 degrees Temperature I3 1 TSensor 50 degrees Temperature I3 1 Chip 53 degrees Temperature I3 2 TSensor 48 degrees Temperature I3 2 Chip 51 degrees Temperature I3 3 TSensor 45 degrees Temperature I3 3 Chip 48 degrees Temperature IA 0 TSensor 45 degrees Temperature IA 0 Chip 45 degrees Temperature IA 1 TSensor 45 degrees Temperature IA 1 Chip 49 degrees Power 1.5 V 1492 mV 2.5 V 2507 mV 3.3 V 3306 mV 1.8 V PFE 0 1801 mV 1.8 V PFE 1 1804 mV 1.8 V PFE 2 1798 mV 1.8 V PFE 3 1798 mV 1.2 V PFE 0 1169 mV

C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / /

93 degrees F 102 degrees F 127 degrees F 123 degrees F 129 degrees F 122 degrees F 127 degrees F 118 degrees F 123 degrees F 113 degrees F 118 degrees F 113 degrees F 113 degrees F 113 degrees F 120 degrees F



1.2 V PFE 1 1.2 V PFE 2 1.2 V PFE 3 I2C Slave Revision FPC 2 status: State Temperature Intake Temperature Exhaust A Temperature Exhaust B Temperature I3 0 TSensor Temperature I3 0 Chip Temperature I3 1 TSensor Temperature I3 1 Chip Temperature I3 2 TSensor Temperature I3 2 Chip Temperature I3 3 TSensor Temperature I3 3 Chip Temperature IA 0 TSensor Temperature IA 0 Chip Temperature IA 1 TSensor Temperature IA 1 Chip Power 1.5 V 2.5 V 3.3 V 1.8 V PFE 0 1.8 V PFE 1 1.8 V PFE 2 1.8 V PFE 3 1.2 V PFE 0 1.2 V PFE 1 1.2 V PFE 2 1.2 V PFE 3 I2C Slave Revision


1189 mV 1182 mV 1176 mV 42 Online 33 degrees 41 degrees 53 degrees 53 degrees 58 degrees 52 degrees 56 degrees 50 degrees 52 degrees 46 degrees 49 degrees 51 degrees 49 degrees 48 degrees 53 degrees 1492 2445 3293 1827 1775 1788 1798 1250 1234 1231 1192 42

/ / / / / / / / / / / / / / /



/ / / / / / / / / / / / / / /



user@host> show chassis environment fpc FPC 1 status: State Online Temperature Intake 36 degrees Temperature Exhaust A 41 degrees Temperature Exhaust B 55 degrees Temperature I3 0 TSensor 55 degrees Temperature I3 0 Chip 57 degrees Temperature I3 1 TSensor 53 degrees Temperature I3 1 Chip 53 degrees Temperature I3 2 TSensor 52 degrees Temperature I3 2 Chip 49 degrees Temperature I3 3 TSensor 47 degrees Temperature I3 3 Chip 47 degrees Temperature IA 0 TSensor 54 degrees Temperature IA 0 Chip 58 degrees Temperature IA 1 TSensor 48 degrees Temperature IA 1 Chip 53 degrees Power 1.5 V 1479 mV 2.5 V 2542 mV 3.3 V 3319 mV 1.8 V PFE 0 1811 mV 1.8 V PFE 1 1804 mV 1.8 V PFE 2 1804 mV 1.8 V PFE 3 1814 mV



973

®


1.2 V PFE 0 1.2 V PFE 1 1.2 V PFE 2 1.2 V PFE 3 I2C Slave Revision


974

1192 1202 1205 1189 40

mV mV mV mV

user@host> show chassis environment fpc FPC 5 status: State Online Temperature Intake 27 degrees Temperature Exhaust A 34 degrees Temperature Exhaust B 40 degrees Temperature I3 0 TSensor 39 degrees Temperature I3 0 Chip 41 degrees Temperature I3 1 TSensor 38 degrees Temperature I3 1 Chip 37 degrees Temperature I3 2 TSensor 37 degrees Temperature I3 2 Chip 34 degrees Temperature I3 3 TSensor 32 degrees Temperature I3 3 Chip 33 degrees Temperature IA 0 TSensor 39 degrees Temperature IA 0 Chip 44 degrees Temperature IA 1 TSensor 36 degrees Temperature IA 1 Chip 44 degrees Power 1.5 V 1479 mV 2.5 V 2523 mV 3.3 V 3254 mV 1.8 V PFE 0 1798 mV 1.8 V PFE 1 1798 mV 1.8 V PFE 2 1807 mV 1.8 V PFE 3 1791 mV 1.2 V PFE 0 1173 mV 1.2 V PFE 1 1179 mV 1.2 V PFE 2 1179 mV 1.2 V PFE 3 1185 mV I2C Slave Revision 6 FPC 6 status: State Online Temperature Intake 25 degrees Temperature Exhaust A 38 degrees Temperature Exhaust B 38 degrees Temperature I3 0 TSensor 40 degrees Temperature I3 0 Chip 40 degrees Temperature I3 1 TSensor 40 degrees Temperature I3 1 Chip 38 degrees Temperature I3 2 TSensor 37 degrees Temperature I3 2 Chip 32 degrees Temperature I3 3 TSensor 34 degrees Temperature I3 3 Chip 33 degrees Temperature IA 0 TSensor 45 degrees Temperature IA 0 Chip 47 degrees Temperature IA 1 TSensor 37 degrees Temperature IA 1 Chip 42 degrees Power 1.5 V 1485 mV 2.5 V 2510 mV 3.3 V 3332 mV 1.8 V PFE 0 1801 mV 1.8 V PFE 1 1814 mV 1.8 V PFE 2 1804 mV


/ / / / / / / / / / / / / / /



/ / / / / / / / / / / / / / /




1.8 V PFE 3 1.2 V PFE 0 1.2 V PFE 1 1.2 V PFE 2 1.2 V PFE 3 I2C Slave Revision

show chassis environment fpc (MX480 Router with 100-Gigabit Ethernet CFP)

1820 1192 1189 1202 1156 40

mV mV mV mV mV

user@host> show chassis environment fpc FPC 1 status: State Online Temperature Intake 40 degrees C / 104 degrees F Temperature Exhaust A 42 degrees C / 107 degrees F Temperature Exhaust B 52 degrees C / 125 degrees F Temperature LU 0 TSen 46 degrees C / 114 degrees F Temperature LU 0 Chip 55 degrees C / 131 degrees F Temperature LU 1 TSen 46 degrees C / 114 degrees F Temperature LU 1 Chip 48 degrees C / 118 degrees F Temperature LU 2 TSen 46 degrees C / 114 degrees F Temperature LU 2 Chip 61 degrees C / 141 degrees F Temperature LU 3 TSen 46 degrees C / 114 degrees F Temperature LU 3 Chip 69 degrees C / 156 degrees F Temperature XM 0 TSen 46 degrees C / 114 degrees F Temperature XM 0 Chip -18 degrees C / 0 degrees F Temperature XF 0 TSen 46 degrees C / 114 degrees F Temperature XF 0 Chip 77 degrees C / 170 degrees F Power MPC-BIAS3V3-zl2105 3285 mV MPC-VDD3V3-zl6100 3305 mV MPC-VDD2V5-zl6100 2500 mV MPC-VDD1V8-zl2004 1801 mV MPC-AVDD1V0-zl2004 996 mV MPC-VDD1V2-zl6100 1199 mV MPC-VDD1V5A-zl2004 1492 mV MPC-VDD1V5B-zl2004 1499 mV MPC-XF_0V9-zl2004 995 mV MPC-PCIE_1V0-zl6100 1000 mV MPC-LU0_1V0-zl2004 995 mV MPC-LU1_1V0-zl2004 995 mV MPC-LU2_1V0-zl2004 991 mV MPC-LU3_1V0-zl2004 993 mV MPC-12VA-BMR453 12019 mV MPC-12VB-BMR453 12060 mV MPC-PMB_1V1-zl2006 1091 mV MPC-PMB_1V2-zl2106 1198 mV MPC-XM_0V9-vt273m 899 mV I2C Slave Revision 106 FPC 2 status: State Online Temperature Intake 31 degrees C / 87 degrees F Temperature Exhaust A 38 degrees C / 100 degrees F Temperature Exhaust B 48 degrees C / 118 degrees F Temperature I3 0 TSensor 47 degrees C / 116 degrees F Temperature I3 0 Chip 51 degrees C / 123 degrees F Temperature I3 1 TSensor 45 degrees C / 113 degrees F Temperature I3 1 Chip 50 degrees C / 122 degrees F Temperature I3 2 TSensor 42 degrees C / 107 degrees F Temperature I3 2 Chip 48 degrees C / 118 degrees F Temperature I3 3 TSensor 40 degrees C / 104 degrees F Temperature I3 3 Chip 43 degrees C / 109 degrees F Temperature IA 0 TSensor 46 degrees C / 114 degrees F Temperature IA 0 Chip 44 degrees C / 111 degrees F


975

®


Temperature IA 1 TSensor Temperature IA 1 Chip Power 1.2 V PFE 0 1.2 V PFE 1 1.2 V PFE 2 1.2 V PFE 3 1.5 V 1.8 V PFE 0 1.8 V PFE 1 1.8 V PFE 2 1.8 V PFE 3 2.5 V 3.3 V I2C Slave Revision

show chassis environment fpc (T320, T640, and T1600 Routers)

976

44 degrees C / 111 degrees F 48 degrees C / 118 degrees F 1231 1227 1243 1211 1511 1811 1820 1804 1817 2475 3300 42


user@host> show chassis environment fpc FPC 0 status: State Online Temperature Top 42 degrees Temperature Bottom 36 degrees Temperature MMB1 39 degrees Power: 1.8 V 1959 mV 2.5 V 2495 mV 3.3 V 3344 mV 5.0 V 5047 mV 1.8 V bias 1787 mV 3.3 V bias 3291 mV 5.0 V bias 4998 mV 8.0 V bias 7343 mV BUS Revision 40 FPC 1 status: State Online Temperature Top 42 degrees Temperature Bottom 39 degrees Temperature MMB1 40 degrees Power: 1.8 V 1956 mV 2.5 V 2498 mV 3.3 V 3340 mV 5.0 V 5023 mV 1.8 V bias 1782 mV 3.3 V bias 3277 mV 5.0 V bias 4989 mV 8.0 V bias 7289 mV BUS Revision 40 FPC 2 status: State Online Temperature Top 43 degrees Temperature Bottom 39 degrees Temperature MMB1 41 degrees Power: 1.8 V 1963 mV 2.5 V 2503 mV 3.3 V 3340 mV 5.0 V 5042 mV 1.8 V bias 1797 mV 3.3 V bias 3311 mV 5.0 V bias 5013 mV

C / 107 degrees F C / 96 degrees F C / 102 degrees F





8.0 V bias BUS Revision

show chassis environment fpc (T4000 Router)

7221 mV 40

user@host> show chassis environment fpc FPC 0 status: State Online Fan Intake 34 degrees Fan Exhaust 48 degrees PMB 47 degrees LMB0 50 degrees LMB1 41 degrees LMB2 35 degrees PFE1 LU2 46 degrees PFE1 LU0 41 degrees PFE0 LU0 57 degrees XF1 47 degrees XF0 52 degrees XM1 41 degrees XM0 50 degrees PFE0 LU1 56 degrees PFE0 LU2 45 degrees PFE1 LU1 37 degrees Power 1 1.0 V 991 mV 1.2 V bias 1195 mV 1.8 V 1788 mV 2.5 V 2483 mV 3.3 V 3289 mV 3.3 V bias 3299 mV 12.0 V A 10608 mV 12.0 V B 10637 mV Power 2 0.9 V 881 mV 0.9 V PFE0 916 mV 0.9 V PFE1 903 mV 1.0 V PFE0 1012 mV 1.0 V PFE1 1002 mV 1.1 V 1095 mV 1.5 V_0 1494 mV 1.5 V_1 1479 mV Power 3 1.0 V PFE0 1000 mV 1.0 V PFE1 1002 mV 1.0 V PFE0 * 995 mV 1.0 V PFE1 * 995 mV 1.8 V PFE 0 1788 mV 1.8 V PFE 1 1789 mV 2.5 V 2482 mV 12.0 V 11614 mV Power 4 1.0 V PFE0 LU0 1003 mV 1.0 V PFE1 LU0 1003 mV 1.0 V PFE1 LU2 1004 mV 1.0 V PFE0 LU0 * 995 mV 1.0 V PFE1 LU0 * 998 mV 1.0 V PFE1 LU2 * 996 mV 12.0 V 11643 mV 12.0 V C 11711 mV Power (Base/PMB/MMB) LMB0 VDD2V5 2488 mV LMB0 VDD1V8 1788 mV


C C C C C C C C C C C C C C C C

/ / / / / / / / / / / / / / / /

93 degrees F 118 degrees F 116 degrees F 122 degrees F 105 degrees F 95 degrees F 114 degrees F 105 degrees F 134 degrees F 116 degrees F 125 degrees F 105 degrees F 122 degrees F 132 degrees F 113 degrees F 98 degrees F

977

®


LMB0 VDD1V5 LMB0 PFE0 LU0 LMB0 PFE0 LU0 LMB0 VDD12V0 LMB1 VDD2V5 LMB1 VDD1V8 LMB1 VDD1V5 LMB1 PFE0 LU2 LMB1 PFE0 LU2 LMB1 VDD12V0 LMB2 VDD2V5 LMB2 VDD1V8 LMB2 VDD1V5 LMB2 PFE1 LU1 LMB2 PFE1 LU1 LMB2 VDD12V0 PMB 1.05v PMB 1.5v PMB 2.5v PMB 3.3v Bus Revision FPC 3 status: State Fan Intake Fan Exhaust PMB LMB0 LMB1 LMB2 PFE1 LU2 PFE1 LU0 PFE0 LU0 XF1 XF0 XM1 XM0 PFE0 LU1 PFE0 LU2 PFE1 LU1 Power 1 1.0 V 1.2 V bias 1.8 V 2.5 V 3.3 V 3.3 V bias 12.0 V A 12.0 V B Power 2 0.9 V 0.9 V PFE0 0.9 V PFE1 1.0 V PFE0 1.0 V PFE1 1.1 V 1.5 V_0 1.5 V_1 Power 3 0.92 V PFE1 1.0 V PFE0 1.0 V PFE0 *

978

AVDD1V0 VDD1V0

AVDD1V0 VDD1V0

AVDD1V0 VDD1V0

1496 1002 1000 10752 2472 1792 1480 994 1002 10800 2472 1792 1486 996 998 10704 1049 1500 2500 3299 113

mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV

Online 37 degrees 51 degrees 43 degrees 57 degrees 54 degrees 38 degrees 63 degrees 45 degrees 69 degrees 62 degrees 63 degrees 43 degrees 67 degrees 63 degrees 66 degrees 41 degrees 1002 1201 1785 2485 3288 3285 10412 10515


882 920 905 1015 1001 1094 1495 1478



/ / / / / / / / / / / / / / / /


998 mV 997 mV 992 mV



1.0 V PFE1 * 1.8 V PFE 0 1.8 V PFE 1 2.5 V 12.0 V Power 4 1.0 V PFE0 LU0 1.0 V PFE1 LU0 1.0 V PFE1 LU2 1.0 V PFE0 LU0 * 1.0 V PFE1 LU0 * 1.0 V PFE1 LU2 * 12.0 V 12.0 V C Power (Base/PMB/MMB) LMB0 VDD2V5 LMB0 VDD1V8 LMB0 VDD1V5 LMB0 PFE0 LU0 AVDD1V0 LMB0 PFE0 LU0 VDD1V0 LMB0 VDD12V0 LMB1 VDD2V5 LMB1 VDD1V8 LMB1 VDD1V5 LMB1 PFE0 LU2 AVDD1V0 LMB1 PFE0 LU2 VDD1V0 LMB1 VDD12V0 LMB2 VDD2V5 LMB2 VDD1V8 LMB2 VDD1V5 LMB2 PFE1 LU1 AVDD1V0 LMB2 PFE1 LU1 VDD1V0 LMB2 VDD12V0 PMB 1.05v PMB 1.5v PMB 2.5v PMB 3.3v Bus Revision FPC 5 status: State Temperature Top Temperature Bottom Power 1.8 V 1.8 V bias 3.3 V 3.3 V bias 5.0 V bias 5.0 V TOP 8.0 V bias Power (Base/PMB/MMB) 1.2 V 1.5 V 5.0 V BOT 12.0 V TOP Base 12.0 V BOT Base 1.1 V PMB 1.2 V PMB 1.5 V PMB 1.8 V PMB 2.5 V PMB


991 1780 1797 2492 11604

mV mV mV mV mV

1003 1004 1003 1000 1001 1003 11653 11672


2512 1790 1500 1004 1002 10608 2472 1788 1480 1000 1004 10672 2488 1798 1494 1000 1004 10528 1050 1500 2499 3299 113

mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV



1202 1504 5079 11848 11780 1111 1189 1494 1819 2503

mV mV mV mV mV mV mV mV mV mV

979

®


3.3 V PMB 5.0 V PMB 12.0 V PMB 0.75 MMB TOP 1.5 V MMB TOP 1.8 V MMB TOP 2.5 V MMB TOP 1.2 V MMB TOP 5.0 V MMB TOP 12.0 V MMB TOP 3.3 V MMB TOP 0.75 MMB BOT 1.5 V MMB BOT 1.8 V MMB BOT 2.5 V MMB BOT 1.2 V MMB BOT 5.0 V MMB BOT 12.0 V MMB BOT 3.3 V MMB BOT APS 00 APS 01 APS 02 5.0 V PIC 0 APS 10 APS 11 APS 12 5.0 V PIC 1 Bus Revision FPC 6 status: State Fan Intake Fan Exhaust PMB LMB0 LMB1 LMB2 PFE1 LU2 PFE1 LU0 PFE0 LU0 XF1 XF0 XM1 XM0 PFE0 LU1 PFE0 LU2 PFE1 LU1 Power 1 1.0 V 1.2 V bias 1.8 V 2.5 V 3.3 V 3.3 V bias 12.0 V A 12.0 V B Power 2 0.9 V 0.9 V PFE0 0.9 V PFE1 1.0 V PFE0 1.0 V PFE1

980

3294 5035 11788 766 1484 1772 2485 1137 4946 11772 3289 759 1482 1792 2490 1145 4922 11625 3282 2495 3308 3301 4967 2512 3316 3304 5081 49

mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV mV

Online 34 degrees 49 degrees 40 degrees 60 degrees 58 degrees 40 degrees 69 degrees 45 degrees 71 degrees 58 degrees 65 degrees 40 degrees 66 degrees 69 degrees 68 degrees 42 degrees 998 1191 1781 2487 3302 3300 10388 10388


902 921 907 996 974

mV mV mV mV mV


/ / / / / / / / / / / / / / / /




1.1 V 1.5 V_0 1.5 V_1 Power 3 1.0 V PFE0 1.0 V PFE1 1.0 V PFE0 * 1.0 V PFE1 * 1.8 V PFE 0 1.8 V PFE 1 2.5 V 12.0 V Power 4 1.0 V PFE0 LU0 1.0 V PFE1 LU0 1.0 V PFE1 LU2 1.0 V PFE0 LU0 * 1.0 V PFE1 LU0 * 1.0 V PFE1 LU2 * 12.0 V 12.0 V C Power (Base/PMB/MMB) LMB0 VDD2V5 LMB0 VDD1V8 LMB0 VDD1V5 LMB0 PFE0 LU0 AVDD1V0 LMB0 PFE0 LU0 VDD1V0 LMB0 VDD12V0 LMB1 VDD2V5 LMB1 VDD1V8 LMB1 VDD1V5 LMB1 PFE0 LU2 AVDD1V0 LMB1 PFE0 LU2 VDD1V0 LMB1 VDD12V0 LMB2 VDD2V5 LMB2 VDD1V8 LMB2 VDD1V5 LMB2 PFE1 LU1 AVDD1V0 LMB2 PFE1 LU1 VDD1V0 LMB2 VDD12V0 PMB 1.05v PMB 1.5v PMB 2.5v PMB 3.3v Bus Revision

show chassis environment fpc lcc (TX Matrix Router)

1095 mV 1495 mV 1478 mV 997 998 993 991 1796 1789 2465 11609


1003 1006 1002 1000 998 998 11638 11702


2484 1780 1496 998 1004 10528 2472 1776 1474 994 1004 10544 2476 1790 1492 996 1010 10528 1050 1499 2500 3300 80


user@host> show chassis environment fpc lcc 0 lcc0-re0: -------------------------------------------------------------------------FPC 1 status: State Online Temperature Top 30 degrees C / 86 degrees F Temperature Bottom 25 degrees C / 77 degrees F Temperature MMB0 Absent Temperature MMB1 27 degrees C / 80 degrees F Power: 1.8 V 1813 mV 2.5 V 2504 mV 3.3 V 3338 mV 5.0 V 5037 mV 1.8 V bias 1797 mV


981

®


3.3 V bias 5.0 V bias 8.0 V bias BUS Revision FPC 2 status: State Temperature Top Temperature Bottom Temperature MMB0 Temperature MMB1 Power: 1.8 V 2.5 V 3.3 V 5.0 V 1.8 V bias 3.3 V bias 5.0 V bias 8.0 V bias BUS Revision

show chassis environment fpc lcc (TX Matrix Plus Router)

982

3301 mV 5013 mV 7345 mV 40

37 26 32 27 1791 2517 3308 5052 1797 3289 4991 7477 40

Online degrees degrees degrees degrees

C C C C

/ / / /

98 78 89 80


F F F F


user@host> show chassis environment fpc lcc 0 lcc0-re0: -------------------------------------------------------------------------FPC 1 status: State Online Temperature Top 46 degrees C / 114 degrees F Temperature Bottom 47 degrees C / 116 degrees F Power 1.8 V 1788 mV 1.8 V bias 1787 mV 3.3 V 3321 mV 3.3 V bias 3306 mV 5.0 V bias 5018 mV 5.0 V TOP 5037 mV 8.0 V bias 7223 mV Power (Base/PMB/MMB) 1.2 V 1205 mV 1.5 V 1503 mV 5.0 V BOT 5084 mV 12.0 V TOP Base 11775 mV 12.0 V BOT Base 11794 mV 1.1 V PMB 1108 mV 1.2 V PMB 1196 mV 1.5 V PMB 1499 mV 1.8 V PMB 1811 mV 2.5 V PMB 2515 mV 3.3 V PMB 3318 mV 5.0 V PMB 5030 mV 12.0 V PMB 11832 mV 0.75 MMB TOP 752 mV 1.5 V MMB TOP 1489 mV 1.8 V MMB TOP 1782 mV 2.5 V MMB TOP 2498 mV 1.2 V MMB TOP 1155 mV 5.0 V MMB TOP 4902 mV 12.0 V MMB TOP 11721 mV 3.3 V MMB TOP 3316 mV 0.75 MMB BOT 754 mV 1.5 V MMB BOT 1482 mV 1.8 V MMB BOT 1758 mV



2.5 V MMB BOT 1.2 V MMB BOT 5.0 V MMB BOT 12.0 V MMB BOT 3.3 V MMB BOT APS 00 APS 01 APS 02 5.0 V PIC 0 APS 10 APS 11 APS 12 5.0 V PIC 1 Bus Revision

show chassis environment fpc (QFX Series) show chassis environment fpc interconnect-device (QFabric Switches)

show chassis environment fpc 0 (PTX5000 Packet Transport Switch)

2488 1157 4962 11691 3308 1484 2503 3313 5025 1501 2466 3311 5081 49

mV mV mV mV mV mV mV mV mV mV mV mV mV

user@switch> show chassis environment fpc 0 FPC 0 status: State Online Temperature 42 degrees C / 107 degrees F user@switch> show chassis environment fpc interconnect-device interconnect1 0 FC 0 FPC 0 status: State Online Left Intake Temperature 24 degrees C / 75 degrees F Right Intake Temperature 24 degrees C / 75 degrees F Left Exhaust Temperature 27 degrees C / 80 degrees F Right Exhaust Temperature 27 degrees C / 80 degrees F Power BIAS 3V3 3330 mV VDD 3V3 3300 mV VDD 2V5 2502 mV VDD 1V5 1496 mV VDD 1V2 1194 mV VDD 1V0 1000 mV SW0 VDD 1V0 1020 mV SW0 CVDD 1V025 1032 mV SW1 VDD 1V0 1022 mV SW1 CVDD 1V025 1030 mV VDD 12V0 DIV3_33 3414 mV user@switch> show chassis environment fpc 0 FPC 0 status: State Online PMB Temperature 35 degrees C Intake Temperature 33 degrees C Exhaust A Temperature 51 degrees C Exhaust B Temperature 43 degrees C TL0 Temperature 48 degrees C TQ0 Temperature 53 degrees C TL1 Temperature 56 degrees C TQ1 Temperature 58 degrees C TL2 Temperature 55 degrees C TQ2 Temperature 57 degrees C TL3 Temperature 59 degrees C TQ3 Temperature 59 degrees C Power PMB 1.05v 1049 mV PMB 1.5v 1500 mV PMB 2.5v 2500 mV PMB 3.3v 3299 mV


/ / / / / / / / / / / /

95 degrees F 91 degrees F 123 degrees F 109 degrees F 118 degrees F 127 degrees F 132 degrees F 136 degrees F 131 degrees F 134 degrees F 138 degrees F 138 degrees F

983

®


PFE0 1.5v PFE0 1.0v TQ0 0.9v TL0 0.9v PFE1 1.5v PFE1 1.0v TQ1 0.9v TL1 0.9v PFE2 1.5v PFE2 1.0v TQ2 0.9v TL2 0.9v PFE3 1.5v PFE3 1.0v TQ3 0.9v TL3 0.9v Bias 3.3v FPC 3.3v FPC 2.5v SAM 0.9v A 12.0v B 12.0v

984

1500 999 900 900 1499 999 899 900 1500 1000 900 900 1499 1000 900 900 3327 3300 2500 900 2014 2030




show chassis environment routing-engine Syntax

show chassis environment routing-engine





Syntax (MX Series Routers)


Syntax (QFX Series)

show chassis environment routing-engine interconnect-device name

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. sfc option introduced for the TX Matrix Plus router in Junos OS Release 9.6. Command introduced in Junos OS Release 11.1 for the QFX Series. Command introduced in Junos OS Release 12.1 for the PTX Series Packet Transport Switches. Command introduced in Junos OS Release 12.1 for the T4000 Core Routers.

Description Options

Display Routing Engine environmental status information. none—Display environmental information about all Routing Engines. For a TX Matrix

router, display environmental information about all Routing Engines on the TX Matrix router and its attached T640 routers. For a TX Matrix Plus router, display environmental information about all Routing Engines on the TX Matrix Plus router and its attached T1600 routers. all-members—(MX Series routers only) (Optional) Display environmental information

about the Routing Engines in all member routers in the Virtual Chassis configuration. interconnect-device name—(QFabric switches only) (Optional) Display environmental

information about the Routing Engines for the Interconnect device. lcc number—(TX Matrix and TX Matrix routers only) (Optional) On a TX Matrix router,

display environmental information about the Routing Engine in a specified T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, display environmental information about the Routing Engine in a specified T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3.


985

®


local—(MX Series routers only) (Optional) Display environmental information about the

Routing Engines in the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display environmental

information about the Routing Engines in the specified member in the Virtual Chassis configuration. Replace member-id with the value of 0 or 1. scc—(TX Matrix router only) (Optional) Display environmental information about the

Routing Engine in the TX Matrix router (or switch-card chassis). sfc—(TX Matrix Plus router only) (Optional) Display environmental information about

the Routing Engine in the TX Matrix Plus router (or switch-fabric chassis). slot—(Optional) Display environmental information about an individual Routing Engine.

On M10i, M20, M40e, M120, M160, M320, MX Series, and T Series routers, replace slot with 0 or 1. On M5, M7i, M10, and M40 routers and on the J Series router, replace slot with 0. On EX3200 and EX4200 standalone switches, replace slot with 0. On EX4200 switches in a Virtual Chassis configuration and on EX8208 and EX8216 switches, replace slot with 0 or 1. On the QFX3500 switch, there is only one Routing Engine, so you do not need to specify the slot number. On PTX Series Packet Transport Switches, replace slot with 0 or 1 Required Privilege Level List of Sample Output

Output Fields

view

show chassis environment routing-engine (Nonredundant) on page 987 show chassis environment routing-engine (Redundant) on page 987 show chassis environment routing-engine (TX Matrix Plus Router) on page 987 show chassis environment routing-engine (T4000 Core Router) on page 987 show chassis environment routing-engine (QFX Series) on page 987 show chassis environment routing-engine interconnect-device (QFabric Switch) on page 988 show chassis environment routing-engine (PTX5000 Packet Transport Switch) on page 988 Table 126 on page 986 lists the output fields for the show chassis environment routing-engine command. Output fields are listed in the approximate order in which they appear.

Table 126: show chassis environment routing-engine Output Fields Field Name

Field Description

Routing engine slot status

Number of the Routing Engine slot: 0 or 1.

State

Status of the Routing Engine:

Temperature

986

•

Online Master—Routing Engine is online, operating as Master.

•

Online Standby—Routing Engine is online, operating as Standby.

•

Offline—Routing Engine is offline.

Temperature of the air flowing past the Routing Engine.



Table 126: show chassis environment routing-engine Output Fields (continued) Field Name

Field Description

CPU Temperature

(PTX Series and T4000 Core Routers only) Temperature of the air flowing past the Routing Engine CPU.

Sample Output show chassis environment routing-engine (Nonredundant) show chassis environment routing-engine (Redundant)

show chassis environment routing-engine (TX Matrix Plus Router)

user@host> show chassis environment routing-engine Routing Engine 0 status: State Online Master Temperature 27 degrees C / 80 degrees user@host> show chassis environment routing-engine Route Engine 0 status: State: Online Master Temperature: 26 degrees C / 78 degrees F Route Engine 1 status: State: Online Standby Temperature: 26 degrees C / 78 degrees F user@host> show chassis environment routing-engine sfc0-re0: -------------------------------------------------------------------------Routing Engine 0 status: State Online Master Temperature 26 degrees C / 78 degrees F Routing Engine 1 status: State Online Standby Temperature 28 degrees C / 82 degrees F lcc0-re0: -------------------------------------------------------------------------Routing Engine 0 status: State Online Master Temperature 30 degrees C / 86 degrees F Routing Engine 1 status: State Online Standby Temperature 29 degrees C / 84 degrees F

show chassis environment routing-engine (T4000 Core Router)

user@host> show chassis environment routing-engine Routing Engine 0 status: State Online Master Temperature 33 degrees C / 91 degrees F CPU Temperature 50 degrees C / 122 degrees F Routing Engine 1 status: State Online Standby Temperature 33 degrees C / 91 degrees F CPU Temperature 46 degrees C / 114 degrees F


user@switch> show chassis environment routing-engine Routing Engine 0 status: State Online Master Temperature 42 degrees C / 107 degrees F


987

®


routing-engine (QFX Series) show chassis environment routing-engine interconnect-device (QFabric Switch)

show chassis environment routing-engine (PTX5000 Packet Transport Switch)

988

user@switch> show chassis environment routing-engine interconnect-device interconnect1 routing-engine interconnect-device interconnect1 Routing Engine 0 status: State Online Standby Temperature 52 degrees C / 125 degrees F Routing Engine 1 status: State Online Master Temperature 57 degrees C / 134 degrees F user@switch> show chassis environment routing-engine Routing Engine 0 status: State Online Master Temperature 55 degrees C / 131 degrees CPU Temperature 66 degrees C / 150 degrees Routing Engine 1 status: State Online Standby Temperature 52 degrees C / 125 degrees CPU Temperature 64 degrees C / 147 degrees

F F

F F



show chassis ethernet-switch Syntax

Syntax (EX8200 Switch)

show chassis ethernet-switch show chassis ethernet-switch show chassis ethernet-switch Link is good on port 0 connected to device: FPC0 Speed is 100 MB Duplex is full Link is good on port 1 connected to device: FPC1 Speed is 100 MB Duplex is full


993

®


Link is good on port 2 connected to device: FPC2 Speed is 100 MB Duplex is full Link is good on port 3 connected to device: FPC3 Speed is 100 MBb Duplex is full Link is good on port 7 connected to device: Local controller Speed is 100 MB Duplex is full Link is good on port 9 connected to device: SPMB Speed is 100 MB Duplex is full Link is good on port 13 connected to device: FPC5 Speed is 100 MB Duplex is full

show chassis ethernet-switch (TX Matrix Router)

user@host> show chassis ethernet-switch scc-re0: -------------------------------------------------------------------------Link is good on FE port 4 connected to device: LCC0 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 6 connected to device: LCC2 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 8 connected to device: SPMB Speed is 100 MB Duplex is full Autonegotiate is Enabled lcc0-re0: -------------------------------------------------------------------------Link is good on FE port 1 connected to device: FPC1 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 2 connected to device: FPC2 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 8 connected to device: SPMB Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 10 connected to device: SCC Speed is 100 MB Duplex is full Autonegotiate is Enabled

994



lcc2-re0: -------------------------------------------------------------------------Link is good on FE port 0 connected to device: FPC0 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 1 connected to device: FPC1 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 2 connected to device: FPC2 Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 8 connected to device: SPMB Speed is 100 MB Duplex is full Autonegotiate is Enabled Link is good on FE port 10 connected to device: SCC Speed is 100 MB Duplex is full Autonegotiate is Enabled

show chassis ethernet-switch errors

user@host> show chassis ethernet-switch errors Accumulated error counts for port 0 connected MLT3 2 Lock 0 Xmit 0 ESD 0 False carrier 2 Disconnects 0 FX mode 0 Accumulated error counts for port 1 connected MLT3 2 Lock 0 Xmit 0 ESD 0 False carrier 2 Disconnects 0 FX mode 0 Accumulated error counts for port 2 connected MLT3 2 Lock 0 Xmit 0 ESD 0 False carrier 3 Disconnects 0 FX mode 0 Accumulated error counts for port 3 connected MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 Accumulated error counts for port 4 connected


to device FPC0:

to device FPC1:

to device FPC2:

to device FPC3:

to device Nothing:

995

®


MLT3 Lock Xmit ESD False carrier Disconnects FX mode

0 0 0 0 0 0 0

...

show chassis ethernet-switch statistics

user@host> show chassis ethernet-switch statistics Statistics for port 0 connected to device FPC0: TX Unicast packets 68113 TX Multicast packets 0 TX Broadcast packets 20851 TX Late collisions 0 TX Excessive collisions 0 TX Dropped packets 0 RX RX RX RX RX RX RX RX

Unicast packets Multicast packets Broadcast packets FCS Errors Alignment Errors Dropped Packets Fragments Symbol Errors

67410 0 20852 0 0 0 0 0

Statistics for port 1 connected to device FPC1: TX Unicast packets 66496 TX Multicast packets 0 TX Broadcast packets 20080 TX Late collisions 0 TX Excessive collisions 0 TX Dropped packets 0 RX RX RX RX RX RX RX RX


66037 0 20080 0 0 0 0 0

Statistics for port 2 connected to device FPC2: TX Unicast packets 64206 TX Multicast packets 0 TX Broadcast packets 21183 TX Late collisions 0 TX Excessive collisions 0 TX Dropped packets 0 RX RX RX RX RX RX RX RX

996


63671 0 21183 0 0 0 0 0



Statistics for port 3 connected to device FPC3: ...

show chassis ethernet-switch errors (TX Matrix Plus Router)

user@host> show chassis ethernet-switch errors sfc0-re0: -------------------------------------------------------------------------Displaying error for switch 0 Displaying error for switch 1 Accumulated error counts for port 0 connected to device LCC0: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0 lcc0-re0: -------------------------------------------------------------------------Displaying error for switch 0 Accumulated error counts for port 6 connected to device FPC0: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 5 Disconnects 0 FX mode 0 Accumulated error counts for port 7 connected to device FPC1: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 7 Disconnects 0 FX mode 0 Accumulated error counts for port 19 connected to device Other RE: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0 Accumulated error counts for port 20 connected to device SFC0: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0

show chassis ethernet-switch sfc errors (TX Matrix Plus Router)

user@host> show chassis ethernet-switch errors switch sfc sfc0-re0: -------------------------------------------------------------------------Displaying error for switch 1 Accumulated error counts for port 0 connected to device LCC0: MLT3 0 Lock 0


997

®


Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0 Accumulated error counts for port 2 connected to device LCC1: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0 Accumulated error counts for port 4 connected to device LCC2: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0 Accumulated error counts for port 6 connected to device LCC3: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0 lcc0-re0: -------------------------------------------------------------------------error: command is not valid on the t1600 lcc1-re0: -------------------------------------------------------------------------error: command is not valid on the t1600 lcc2-re0: -------------------------------------------------------------------------error: command is not valid on the t1600 lcc3-re0: -------------------------------------------------------------------------error: command is not valid on the t1600

show chassis ethernet-switch statistics (TX Matrix Plus Router)

998

user@host> show chassis ethernet-switch statistics sfc0-re0: -------------------------------------------------------------------------Displaying port statistics for switch 0 Statistics for port 1 connected to device 1GSW: TX Packets 64 Octets 5183577 TX Packets 65-127 Octets 67820 TX Packets 128-255 Octets 772 TX Packets 256-511 Octets 136 TX Packets 512-1023 Octets 68 TX Packets 1024-1518 Octets 10881 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX Packets 9217-16383 Octets 0



TX Octets 5263254 TX Multicast Packets 16 TX Broadcast Packets 723403 TX PAUSEMAC Ctrl Frames 0 TX Oversize Packets 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 349922253 TX Packet OK Counter 5263254 TX Pause Packet Counter 0 TX Unicast Counter 4539835 RX Packets 64 Octets 6513629 RX Packets 65-127 Octets 88761 RX Packets 128-255 Octets 6382 RX Packets 256-511 Octets 22027 RX Packets 512-1023 Octets 4319 RX Packets 1024-1518 Octets 49922 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Packets 9217-16383 Octets 0 RX Octets 6685040 RX Multicast Packets 4 RX Broadcast Packets 2137376 RX FCS Errors 0 RX Fragments 0 RX MAC Control Packets 0 RX Out of Range Length 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX Control Frame Counter 0 RX Pause Frame Counter 0 RX Byte Counter 509224602 RX Unicast Frame Count 4547660 RX Packet OK Count 6685040 Statistics for port 9 connected to device RE1: TX Packets 64 Octets 2500318 TX Packets 65-127 Octets 443 TX Packets 128-255 Octets 0 TX Packets 256-511 Octets 0 TX Packets 512-1023 Octets 0 TX Packets 1024-1518 Octets 0 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX Packets 9217-16383 Octets 0 TX Octets 2500761 TX Multicast Packets 4 TX Broadcast Packets 2500757 TX PAUSEMAC Ctrl Frames 0 TX Oversize Packets 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 160049670 TX Packet OK Counter 0 TX Pause Packet Counter 0 TX Unicast Counter 0 RX Packets 64 Octets 701191 RX Packets 65-127 Octets 5882 RX Packets 128-255 Octets 2


999

®


RX Packets 256-511 Octets 0 RX Packets 512-1023 Octets 17965 RX Packets 1024-1518 Octets 7 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Packets 9217-16383 Octets 0 RX Octets 725047 RX Multicast Packets 8 RX Broadcast Packets 2500757 RX FCS Errors 0 RX Fragments 0 RX MAC Control Packets 0 RX Out of Range Length 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX Control Frame Counter 0 RX Pause Frame Counter 0 RX Byte Counter 62402656 RX Unicast Frame Count 0 RX Packet OK Count 0 Statistics for port 17 connected to device RE0: TX Packets 64 Octets 7214818 TX Packets 65-127 Octets 94640 TX Packets 128-255 Octets 6384 TX Packets 256-511 Octets 22027 TX Packets 512-1023 Octets 22284 TX Packets 1024-1518 Octets 49929 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX Packets 9217-16383 Octets 0 TX Octets 7410082 TX Multicast Packets 12 TX Broadcast Packets 2497247 TX PAUSEMAC Ctrl Frames 0 TX Oversize Packets 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 571626932 TX Packet OK Counter 0 TX Pause Packet Counter 0 TX Unicast Counter 0 RX Packets 64 Octets 4823701 RX Packets 65-127 Octets 67812 RX Packets 128-255 Octets 772 RX Packets 256-511 Octets 136 RX Packets 512-1023 Octets 68 RX Packets 1024-1518 Octets 10881 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Packets 9217-16383 Octets 0 RX Octets 4903370 RX Multicast Packets 8 RX Broadcast Packets 2497247 RX FCS Errors 0 RX Fragments 0 RX MAC Control Packets 0 RX Out of Range Length 0

1000



RX RX RX RX RX RX RX RX

Undersize Packets Oversize Packets Jabbers Control Frame Counter Pause Frame Counter Byte Counter Unicast Frame Count Packet OK Count

0 0 0 0 0 326889517 0 0

Displaying port statistics for switch 1 Statistics for port 0 connected to device LCC0: TX Packets 64 Octets 5053443 TX Packets 65-127 Octets 59737 TX Packets 128-255 Octets 768 TX Packets 256-511 Octets 87 TX Packets 512-1023 Octets 68 TX Packets 1024-1518 Octets 85 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX 1519-1522 Good Vlan frms 0 TX Octets 5114188 TX Multicast Packets 16 TX Broadcast Packets 1125742 TX Single Collision frames 0 TX Mult. Collision frames 0 TX Late Collisions 0 TX Excessive Collisions 0 TX Collision frames 0 TX PAUSEMAC Ctrl Frames 0 TX MAC ctrl frames 0 TX Frame deferred Xmns 0 TX Frame excessive deferl 0 TX Oversize Packets 0 TX Jabbers 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 329291449 RX Packets 64 Octets 5640175 RX Packets 65-127 Octets 79875 RX Packets 128-255 Octets 6338 RX Packets 256-511 Octets 165 RX Packets 512-1023 Octets 4317 RX Packets 1024-1518 Octets 10 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Octets 5730880 RX Multicast Packets 4 RX Broadcast Packets 1735007 RX FCS Errors 0 RX Align Errors 0 RX Fragments 0 RX Symbol errors 0 RX Unsupported opcodes 0 RX Out of Range Length 0 RX False Carrier Errors 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX 1519-1522 Good Vlan frms 0


1001

®


RX MTU Exceed Counter 0 RX Control Frame Counter 0 RX Pause Frame Counter 0 RX Byte Counter 371282850 Statistics for port 18 connected to device SPMB: TX Packets 64 Octets 2990326 TX Packets 65-127 Octets 8572 TX Packets 128-255 Octets 4 TX Packets 256-511 Octets 49 TX Packets 512-1023 Octets 0 TX Packets 1024-1518 Octets 10793 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX 1519-1522 Good Vlan frms 0 TX Octets 3009744 TX Multicast Packets 20 TX Broadcast Packets 2458322 TX Single Collision frames 0 TX Mult. Collision frames 0 TX Late Collisions 0 TX Excessive Collisions 0 TX Collision frames 0 TX PAUSEMAC Ctrl Frames 0 TX MAC ctrl frames 0 TX Frame deferred Xmns 0 TX Frame excessive deferl 0 TX Oversize Packets 0 TX Jabbers 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 203712524 RX Packets 64 Octets 873454 RX Packets 65-127 Octets 8886 RX Packets 128-255 Octets 44 RX Packets 256-511 Octets 21862 RX Packets 512-1023 Octets 2 RX Packets 1024-1518 Octets 49912 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Octets 954160 RX Multicast Packets 0 RX Broadcast Packets 402369 RX FCS Errors 0 RX Align Errors 0 RX Fragments 0 RX Symbol errors 0 RX Unsupported opcodes 0 RX Out of Range Length 0 RX False Carrier Errors 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX 1519-1522 Good Vlan frms 0 RX MTU Exceed Counter 0 RX Control Frame Counter 0 RX Pause Frame Counter 0 RX Byte Counter 137941752 ...

1002



show chassis ethernet-switch (T4000 Router)

user@host> show chassis ethernet-switch Displaying summary for switch 0 Link is good on GE port 6 connected to device: FPC0 Speed is 100Mb Duplex is full Autonegotiate is Enabled False carrier sense count = 04 Link is good on GE port 9 connected to device: FPC3 Speed is 100Mb Duplex is full Autonegotiate is Enabled False carrier sense count = 03 Link is good on GE port 11 connected to device: FPC5 Speed is 100Mb Duplex is full Autonegotiate is Enabled False carrier sense count = 03 Link is good on GE port 12 connected to device: FPC6 Speed is 100Mb Duplex is full Autonegotiate is Enabled False carrier sense count = 03 Link is good on GE port 14 connected to device: SPMB Speed is 1000Mb Duplex is full Autonegotiate is Enabled Link is good on GE port 18 connected to device: RE Speed is 1000Mb Duplex is full Autonegotiate is Disabled Link is good on GE port 19 connected to device: Other RE Speed is 1000Mb Duplex is full Autonegotiate is Enabled

show chassis ethernet-switch errors (T4000 Router)

user@host> show chassis ethernet-switch errors Displaying error for switch 0 Accumulated error counts for port 6 connected to device FPC0: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 4 Disconnects 0 FX mode 0 Accumulated error counts for port 9 connected to device FPC3: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 3 Disconnects 0 FX mode 0


1003

®


Accumulated error counts for port 11 connected to device FPC5: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 3 Disconnects 0 FX mode 0 Accumulated error counts for port 12 connected to device FPC6: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 3 Disconnects 0 FX mode 0 Accumulated error counts for port 19 connected to device Other RE: MLT3 0 Lock 0 Xmit 0 ESD 0 False carrier 0 Disconnects 0 FX mode 0

show chassis ethernet-switch (PTX5000 Packet Transport Switch)

user@host> show chassis ethernet-switch Displaying summary for switch 0 Link is good on XE port 2 connected to device: SPMB Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 11 connected to device: FPC7 Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 12 connected to device: FPC6 Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 13 connected to device: FPC5 Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 15 connected to device: FPC3 Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled

1004



Link is good on XE port 16 connected to device: FPC2 Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 18 connected to device: FPC0 Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 19 connected to device: OTHER RE Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled Link is good on XE port 20 connected to device: RE Speed is 1000Mb Duplex is full Autonegotiate is Disabled Flow Control TX is Disabled Flow Control RX is Disabled

show chassis ethernet-switch statistics (PTX5000 Packet Transport Switch)

user@host> show chassis ethernet-switch statistics Displaying port statistics for switch 0 Statistics for port 2 connected to device SPMB: TX Packets 64 Octets 10942 TX Packets 65-127 Octets 843 TX Packets 128-255 Octets 2 TX Packets 256-511 Octets 2 TX Packets 512-1023 Octets 0 TX Packets 1024-1518 Octets 6862 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX Packets 9217-16383 Octets 0 TX Octets 18651 TX Multicast Packets 6 TX Broadcast Packets 10331 TX PAUSEMAC Ctrl Frames 0 TX Oversize Packets 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 8105166 TX Packet OK Counter 0 TX Pause Packet Counter 0 TX Unicast Counter 0 RX Packets 64 Octets 8679 RX Packets 65-127 Octets 2364 RX Packets 128-255 Octets 531 RX Packets 256-511 Octets 112 RX Packets 512-1023 Octets 26 RX Packets 1024-1518 Octets 8 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0


1005

®


RX Packets 4096-9216 Octets 0 RX Packets 9217-16383 Octets 0 RX Octets 11720 RX Multicast Packets 0 RX Broadcast Packets 10331 RX FCS Errors 0 RX Fragments 0 RX MAC Control Packets 0 RX Out of Range Length 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX Control Frame Counter 0 RX Pause Frame Counter 0 RX Byte Counter 938105 RX Unicast Frame Count 0 RX Packet OK Count 0 Statistics for port 11 connected to device FPC7: TX Packets 64 Octets 14492 TX Packets 65-127 Octets 3542 TX Packets 128-255 Octets 6 TX Packets 256-511 Octets 45 TX Packets 512-1023 Octets 60 Continued... Statistics for port 18 connected to device FPC0: TX Packets 64 Octets 15212 TX Packets 65-127 Octets 3810 TX Packets 128-255 Octets 6 TX Packets 256-511 Octets 43 TX Packets 512-1023 Octets 66 TX Packets 1024-1518 Octets 169 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX Packets 9217-16383 Octets 0 TX Octets 19306 TX Multicast Packets 0 TX Broadcast Packets 10886 TX PAUSEMAC Ctrl Frames 0 TX Oversize Packets 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 1569412 TX Packet OK Counter 0 TX Pause Packet Counter 0 TX Unicast Counter 0 RX Packets 64 Octets 17994 RX Packets 65-127 Octets 8006 RX Packets 128-255 Octets 230 RX Packets 256-511 Octets 19 RX Packets 512-1023 Octets 53 RX Packets 1024-1518 Octets 11 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Packets 9217-16383 Octets 0 RX Octets 26313 RX Multicast Packets 0 RX Broadcast Packets 10886

1006



RX FCS Errors 0 RX Fragments 0 RX MAC Control Packets 0 RX Out of Range Length 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX Control Frame Counter 2 RX Pause Frame Counter 2 RX Byte Counter 1836287 RX Unicast Frame Count 0 RX Packet OK Count 0 Statistics for port 19 connected to device OTHER RE: TX Packets 64 Octets 10234 TX Packets 65-127 Octets 162 TX Packets 128-255 Octets 0 TX Packets 256-511 Octets 0 TX Packets 512-1023 Octets 0 TX Packets 1024-1518 Octets 0 TX Packets 1519-2047 Octets 0 TX Packets 2048-4095 Octets 0 TX Packets 4096-9216 Octets 0 TX Packets 9217-16383 Octets 0 TX Octets 10396 TX Multicast Packets 8 TX Broadcast Packets 10317 TX PAUSEMAC Ctrl Frames 0 TX Oversize Packets 0 TX FCS Error Counter 0 TX Fragment Counter 0 TX Byte Counter 666260 TX Packet OK Counter 0 TX Pause Packet Counter 0 TX Unicast Counter 0 RX Packets 64 Octets 4073 RX Packets 65-127 Octets 325 RX Packets 128-255 Octets 1 RX Packets 256-511 Octets 0 RX Packets 512-1023 Octets 0 RX Packets 1024-1518 Octets 72 RX Packets 1519-2047 Octets 0 RX Packets 2048-4095 Octets 0 RX Packets 4096-9216 Octets 0 RX Packets 9217-16383 Octets 0 RX Octets 4471 RX Multicast Packets 0 RX Broadcast Packets 10317 RX FCS Errors 0 RX Fragments 0 RX MAC Control Packets 0 RX Out of Range Length 0 RX Undersize Packets 0 RX Oversize Packets 0 RX Jabbers 0 RX Control Frame Counter 0 RX Pause Frame Counter 0 RX Byte Counter 387333 RX Unicast Frame Count 0 RX Packet OK Count 0 Statistics for port 20 connected to device RE: TX Packets 64 Octets 658856


1007

®


TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX RX

Packets 65-127 Octets 45535 Packets 128-255 Octets 1900 Packets 256-511 Octets 532 Packets 512-1023 Octets 372 Packets 1024-1518 Octets 191 Packets 1519-2047 Octets 0 Packets 2048-4095 Octets 0 Packets 4096-9216 Octets 0 Packets 9217-16383 Octets 0 Octets 707386 Multicast Packets 0 Broadcast Packets 10421 PAUSEMAC Ctrl Frames 0 Oversize Packets 0 FCS Error Counter 0 Fragment Counter 0 Byte Counter 46608676 Packet OK Counter 0 Pause Packet Counter 0 Unicast Counter 0 Packets 64 Octets 27394 Packets 65-127 Octets 20271 Packets 128-255 Octets 78 Packets 256-511 Octets 215 Packets 512-1023 Octets 269 Packets 1024-1518 Octets 253370 Packets 1519-2047 Octets 0 Packets 2048-4095 Octets 0 Packets 4096-9216 Octets 0 Packets 9217-16383 Octets 0 Octets 301597 Multicast Packets 8 Broadcast Packets 10421 FCS Errors 0 Fragments 0 MAC Control Packets 0 Out of Range Length 0 Undersize Packets 0 Oversize Packets 0 Jabbers 0 Control Frame Counter 0 Pause Frame Counter 0 Byte Counter 275043436 Unicast Frame Count 0 Packet OK Count 0

Continued ...

show chassis ethernet-switch port-state (PTX5000 Packet Transport Switch)

1008

user@host> Displaying Port Target

show chassis ethernet-switch port-state port state for switch 0 : 02 : SPMB

Error reading port 2 connected to device: SPMB



show chassis fabric fpcs Syntax

show chassis fabric fpcs



Syntax (T4000 Core Router)



Description

Options


Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.4 for EX Series switches. Command introduced in Junos OS Release 12.1 for PTX Series Packet Transport Switches. (M320, MX Series, and T Series routers, EX8200 switches, and PTX Series Packet Transport Switches only) Display the state of the electrical switch fabric links between the Flexible PIC Concentrators (FPCs) and the Switch Interface Boards (SIBs). none—Display the switch fabric link state. On a TX Matrix router, display the switching

fabric link states for the FPCs in all T640 routers connected to the TX Matrix router. On a TX Matrix Plus router, display the switching fabric link states for the FPCs in all T1600 routers connected to the TX Matrix Plus router. all-members—(MX Series routers only) (Optional) Display the switching fabric link states

for the FPCs in all members of the Virtual Chassis configuration. lcc number—(TX Matrix and TX Matrix Plus router only) (Optional) On a TX Matrix router,

display the switch fabric link state for the FPCs in the specified T640 router (or line-card chassis) that is connected to the TX Matrix router. On a TX Matrix Plus router, display the switch fabric link state for the FPCs in the specified T1600 router (or line-card chassis) that is connected to the TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display the switching fabric link states for the

FPCs in the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display the switching fabric

link states for the FPCs in the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. slot fpc-slot—(PTX Series Packet Transport Switches only) (Optional) Display the fabric

state of the specified FPC slot. If no value is provided, display the status of all FPCs.


1009

®



Output Fields

1010

view

show chassis fabric fpcs (M320 Router) on page 1011 show chassis fabric fpcs (MX240 Router) on page 1012 show chassis fabric fpcs (MX480 Router) on page 1012 show chassis fabric fpcs (MX960 Router) on page 1013 show chassis fabric fpcs (T320 Router) on page 1014 show chassis fabric fpcs (T640 Router) on page 1015 show chassis fabric fpcs (TX Matrix Router) on page 1015 show chassis fabric fpcs (T1600 Router) on page 1016 show chassis fabric fpcs (T4000 Core Router) on page 1018 show chassis fabric fpcs (TX Matrix Plus Router) on page 1019 show chassis fabric fpcs lcc (TX Matrix Plus Router) on page 1026 show chassis fabric fpcs (EX8200 Switch) on page 1027 show chassis fabric fpcs (PTX Series Packet Transport Switches) on page 1028 Table 128 on page 1011 lists the output fields for the show chassis fabric fpcs command. Output fields are listed in the approximate order in which they appear.



Table 128: show chassis fabric fpcs Output Fields Field Name

Field Description

Fabric management FPC state

Switching fabric link (link from SIB to FPC) state for each FPC: •

Unused—FPC is not present.

•

Destination error on PFEs list of PFE numbers—Destination errors

to the listed Packet Forwarding Engines. Indicates that the link is not carrying traffic to the listed Packet Forwarding Engines. NOTE: In Junos OS Release 9.6 and later, the list of Packet Forwarding Engines with destination errors is displayed in the output. In Junos OS Releases before 9.6, the output only indicates that there are destination errors. However, the list of Packet Forwarding Engines with destination errors is not displayed. •

Links ok—Link between the spare SIB and FPC is eligible to carry

traffic. •

Link error—Link between the SIB and FPC has CRC errors.

However, the link is still eligible to carry traffic. •

Plane disabled—Fabric plane has been disabled for the following

reasons: •

Destination errors have exceeded the thresholds.

•

Run-time link errors have exceeded the thresholds.

•

Initialization time link errors detected, and link training was unsuccessful.

•

Plane Disabled, Links Error (PTX Series Packet Transport

Switches only)—The plane is disabled because of link errors detected at the FPC RX. •

Plane Disabled, Links Down (PTX Series Packet Transport

Switches only)—The plane is disabled because of link errors detected at the SIB RX. •

Plane enabled—Link between the active SIB and FPC is eligible

to carry traffic. NOTE: On the Enhanced MX SCB with MPC, a maximum of 4 planes are operational and running. On all the other SCBs with MPC, all the planes are operational and running. •

Plane Enabled, Links OK (PTX Series Packet Transport Switches

only)—The FPC CCL RX link is eligible to carry traffic.

Sample Output show chassis fabric fpcs (M320 Router)

user@host> show chassis fabric fpcs Fabric management FPC state: FPC #2 PFE #1 SIB #0 Plane enabled SIB #1 Plane enabled SIB #2 Plane enabled


1011

®


SIB #3 Plane enabled

show chassis fabric fpcs (MX240 Router)

user@host> show chassis fabric fpcs Fabric management FPC state: FPC 2 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok Plane 6: Links ok Plane 7: Links ok PFE #1 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok Plane 6: Links ok Plane 7: Links ok PFE #2 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok Plane 6: Links ok Plane 7: Links ok PFE #3 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok Plane 6: Links ok Plane 7: Links ok


user@host> show chassis fabric fpcs FPC 0 PFE #0 Plane Plane Plane Plane Plane Plane Plane Plane PFE #1 Plane Plane Plane Plane Plane

1012

0: 1: 2: 3: 4: 5: 6: 7:

Plane Plane Plane Plane Links Links Links Links

enabled enabled enabled enabled ok ok ok ok

0: 1: 2: 3: 4:

Plane Plane Plane Plane Links

enabled enabled enabled enabled ok



Plane Plane Plane PFE #2 Plane Plane Plane Plane Plane Plane Plane Plane PFE #3 Plane Plane Plane Plane Plane Plane Plane Plane FPC 1 PFE #0 Plane Plane Plane Plane Plane Plane Plane Plane PFE #1 Plane Plane Plane Plane Plane Plane Plane Plane


5: Links ok 6: Links ok 7: Links ok 0: 1: 2: 3: 4: 5: 6: 7:



0: 1: 2: 3: 4: 5: 6: 7:



0: 1: 2: 3: 4: 5: 6: 7:

Plane Plane Plane Plane Plane Plane Plane Plane

enabled enabled enabled enabled enabled enabled enabled enabled

0: 1: 2: 3: 4: 5: 6: 7:

Plane Plane Plane Plane Plane Plane Plane Plane

enabled enabled enabled enabled enabled enabled enabled enabled

user@host> show chassis fabric fpcs FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok PFE #1 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok PFE #2 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled


1013

®


Plane Plane Plane PFE #3 Plane Plane Plane Plane Plane Plane FPC 1 PFE #0 Plane Plane Plane Plane Plane Plane PFE #1 Plane Plane Plane Plane Plane Plane FPC 2 PFE #0 Plane Plane Plane Plane Plane Plane PFE #1 Plane Plane Plane Plane Plane Plane PFE #2 Plane Plane Plane Plane Plane ...

show chassis fabric fpcs (T320 Router)

1014

3: Plane enabled 4: Links ok 5: Links ok 0: 1: 2: 3: 4: 5:

Plane Plane Plane Plane Links Links

enabled enabled enabled enabled ok ok

0: 1: 2: 3: 4: 5:

Plane Plane Plane Plane Plane Plane

enabled enabled enabled enabled enabled enabled

0: 1: 2: 3: 4: 5:

Plane Plane Plane Plane Plane Plane

enabled enabled enabled enabled enabled enabled

0: 1: 2: 3: 4: 5:



0: 1: 2: 3: 4: 5:



0: 1: 2: 3: 4:

Plane Plane Plane Plane Links

enabled enabled enabled enabled ok

user@host> show chassis fabric fpcs FPC #3 PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled FPC #5 PFE #1 SIB #0 Links ok



SIB #1 Plane enabled SIB #2 Plane enabled FPC #7 PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled


user@host> show chassis fabric fpcs Fabric management FPC state: FPC #2 PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled FPC #3 PFE #1 SIB #2 Plane enabled SIB #3 Link error Destination error on PFEs 8 9 10 11 12 13

0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21

Destination error on PFEs 8 9 10 11 12 13

0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21

SIB #4

...

show chassis fabric fpcs (TX Matrix Router)

user@host> show chassis fabric fpcs lcc0-re0: -------------------------------------------------------------------------Fabric management FPC state: FPC #0 PFE #1 SIB #0 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #2 PFE #1 SIB #0 Links ok SIB #2 Links ok


1015

®


SIB #3 Links ok SIB #4 Links ok

FPC #3

PFE #1 SIB #2 Plane enabled SIB #3 Link error Destination error on PFEs 8 9 10 11 12 13

0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21


0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21

SIB #4

... FPC #4 PFE #0 SIB #4 PFE #1 SIB #4 FPC #5 PFE #1 SIB #4 FPC #6 PFE #1 SIB #4

Links ok Links ok

Links ok

Links ok

lcc2-re0: -------------------------------------------------------------------------Fabric management FPC state: FPC #0 PFE #1 SIB #4 Links ok FPC #1 PFE #1 SIB #4 Links ok FPC #2 PFE #0 SIB #4 Links ok PFE #1 SIB #4 Links ok FPC #4 PFE #0 SIB #4 Links ok PFE #1 SIB #4 Links ok FPC #5 PFE #1 SIB #4 Links ok


1016

user@host> show chassis fabric fpcs Fabric management FPC state: FPC #0 PFE #0 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3



Plane enabled SIB #4 Plane enabled PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled FPC #1 PFE #0 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled FPC #2 PFE #0 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled FPC #4 PFE #0 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled


1017

®


PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled FPC #3 PFE #1 SIB #2 Plane enabled SIB #3 Link error Destination error on PFEs 8 9 10 11 12 13

0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21


0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21

SIB #4

show chassis fabric fpcs (T4000 Core Router)

1018

Fabric management FPC #2 PFE #0 SIB #0 Links SIB #1 Plane SIB #2 Plane SIB #3 Plane SIB #4 Plane FPC #3 PFE #0 SIB #0 Links SIB #1 Plane SIB #2 Plane SIB #3 Plane SIB #4 Plane FPC #5 PFE #0 SIB #0 Links SIB #1 Plane SIB #2 Plane SIB #3 Plane SIB #4 Plane PFE #1

FPC state:

ok enabled enabled enabled enabled





SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled FPC #6 PFE #0 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled PFE #1 SIB #0 Links ok SIB #1 Plane enabled SIB #2 Plane enabled SIB #3 Plane enabled SIB #4 Plane enabled

show chassis fabric fpcs (TX Matrix Plus Router)

user@host> show chassis fabric fpcs lcc0-re0: -------------------------------------------------------------------------Fabric management FPC state: FPC #0 PFE #1 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #2 PFE #0 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4


1019

®


Links ok PFE #1 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #3 PFE #1 SIB #2 Plane enabled SIB #3 Link error Destination error on PFEs 8 9 10 11 12 13

0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21


0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21

SIB #4

FPC #4 PFE #0 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #6 PFE #0 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Unused

1020



SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #7 PFE #0 SIB #0 Unused SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok lcc1-re0: -------------------------------------------------------------------------Fabric management FPC state: FPC #2 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #4 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0


1021

®


Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Destination error on PFEs 93

1

8

9

29

40

65

72

73

104

SIB #4 Links ok FPC #6 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #7 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok lcc2-re0: -------------------------------------------------------------------------Fabric management FPC state: FPC #0 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4

1022



Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #2 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #4 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #5 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0


1023

®


Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #6 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #7 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok lcc3-re0: -------------------------------------------------------------------------Fabric management FPC state: FPC #0 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1

1024



SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #2 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #4 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #5 PFE #0 SIB #0 Links ok SIB #1


1025

®


Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #6 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok PFE #1 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok FPC #7 PFE #0 SIB #0 Links ok SIB #1 Links ok SIB #2 Links ok SIB #3 Links ok SIB #4 Links ok

show chassis fabric fpcs lcc (TX Matrix Plus Router)

1026

user@host> show chassis fabric fpcs lcc 0 lcc0-re1: -------------------------------------------------------------------------Fabric management FPC state: FPC #3 PFE #1 SIB #2



Plane enabled SIB #3 Link error Destination error on PFEs 8 9 10 11 12 13

0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21


0 14

1 15

2 16

3 17

4 18

5 19

6 20

7 21

SIB #4

FPC #4 PFE #0 SIB #0 SIB #1 SIB #2 SIB #3 SIB #4 PFE #1 SIB #0 SIB #1 SIB #2 SIB #3 SIB #4 FPC #6 PFE #0 SIB #0 SIB #1 SIB #2 SIB #3 SIB #4 PFE #1 SIB #0 SIB #1 SIB #2 SIB #3 SIB #4 FPC #7 PFE #0 SIB #0 SIB #1 SIB #2 SIB #3 SIB #4

show chassis fabric fpcs (EX8200 Switch)

Links Links Links Links Links

ok ok ok ok ok


ok ok ok ok ok


ok ok ok ok ok


ok ok ok ok ok


ok ok ok ok ok

user@host> show chassis fabric fpcs Fabric management FPC state FPC 6 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Links ok Plane 5: Links ok Plane 6: Links ok Plane 7: Links ok Plane 8: Plane enabled Plane 9: Plane enabled Plane 10: Plane enabled Plane 11: Plane enabled PFE #1 Plane 0: Plane enabled Plane 1: Plane enabled


1027

®


Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane FPC 7 PFE #0 Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane PFE #1 Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane Plane

show chassis fabric fpcs (PTX Series Packet Transport Switches)

1028

2: Plane enabled 3: Plane enabled 4: Links ok 5: Links ok 6: Links ok 7: Links ok 8: Plane enabled 9: Plane enabled 10: Plane enabled 11: Plane enabled

0: Plane enabled 1: Plane enabled 2: Plane enabled 3: Plane enabled 4: Links ok 5: Links ok 6: Links ok 7: Links ok 8: Plane enabled 9: Plane enabled 10: Plane enabled 11: Plane enabled 0: Plane enabled 1: Plane enabled 2: Plane enabled 3: Plane enabled 4: Links ok 5: Links ok 6: Links ok 7: Links ok 8: Plane enabled 9: Plane enabled 10: Plane enabled 11: Plane enabled

user@host> show chassis fabric fpcs slot 0 Fabric management FPC state: FPC #0 PFE #0 SIB0_Fcore0 (plane 0) Plane SIB0_Fcore1 (plane 1) Plane SIB1_Fcore0 (plane 2) Plane SIB1_Fcore1 (plane 3) Plane SIB2_Fcore0 (plane 4) Plane SIB2_Fcore1 (plane 5) Plane SIB3_Fcore0 (plane 6) Plane SIB3_Fcore1 (plane 7) Plane SIB5_Fcore0 (plane 10) Plane SIB5_Fcore1 (plane 11) Plane SIB6_Fcore0 (plane 12) Plane SIB6_Fcore1 (plane 13) Plane SIB7_Fcore0 (plane 14) Plane SIB7_Fcore1 (plane 15) Plane SIB8_Fcore0 (plane 16) Plane SIB8_Fcore1 (plane 17) Plane

Enabled, Links OK Enabled, Links OK Disabled, Links Down Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK Enabled, Links OK



show chassis fabric map Syntax

show chassis fabric map plane


show chassis fabric map

Release Information

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.4 for EX Series switches.

Description

(M120 and MX Series routers and EX8200 switches only) On the M120 router, display the state of the switching fabric map for connections from the Forwarding Engine Boards (FEBs) to the ports on the fabric planes, as interpreted by the fabric plane. On the MX Series router and the EX8200 switch, display the state of the switching fabric map for connections from each Packet Forwarding Engine on the Dense Port Concentrators (DPCs) to the ports on the fabric planes, as interpreted by the fabric plane. For information about the meaning of “fabric plane”, “DPCs”, and “SIBs” on the switches, see “EX Series Switches Hardware and CLI Terminology Mapping” on page 847.

Options

none—Display the switching fabric map state for the M120 or MX Series router or EX8200

switch. all-members—(MX Series routers only) (Optional) Display the switching fabric map state

for all the members of the Virtual Chassis configuration. local—(MX Series routers only) (Optional) Display the switching fabric map state for the

local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display the switching fabric

map state for the specified member of the Virtual Chassis configuration. Replace the member-id with a value of 0 or 1. plane plane-number—(Optional) Display the state of the fabric link for the specified plane

number.


•

For the M120 router, replace plane-number with a value from 0 through 3.

•

For the MX480 and MX240 routers, replace plane-number with a value from 0 through 7.

•

For the MX960 router, replace plane-number with a value from 0 through 5.

•


•


view


1029

®



Output Fields

show chassis fabric map (M120 Router) on page 1030 show chassis fabric map (MX Series Routers) on page 1030 show chassis fabric map plane 1 (EX8200 Switch) on page 1034 Table 129 on page 1030 lists the output fields for the show chassis fabric map command. Output fields are listed in the approximate order in which they appear.

Table 129: show chassis fabric map Output Fields Field Name

Field Description

in-links

Fabric map for receive side links.

out-links

Fabric map for transmit side links.

state

State of the fabric link: •

RESET—Link between SIB and FPC/DPC is powered down on

purpose. This is done in all non-dual PFE based boards. •

UP—Link between SIB and FPC/DPC is up and running.

•

DOWN—Link between SIB and FPC/DPC is powered down.

•

FAULT—SIB is in alarmed state where the SIB’s plane is not

operational for the following reasons: •

On-board F-chip is not operational.

•

Fiber optic connector faults.

•

FPC connector faults.

•

SIB midplane connector faults.

Sample Output show chassis fabric map (M120 Router)

user@host> show chassis fabric map FEB0->CB0F0_00 up CB0F0_08->FEB7 Down FEB1->CB0F0_01 Down CB0F0_09->FEB6 Down FEB6->CB0F0_02 Down CB0F0_10->FEB1 Down FEB2->CB0F0_03 Down CB0F0_11->FEB0 up FEB3->CB0F0_04 Down CB0F0_12->FEB3 Down FEB4->CB0F0_05 up CB0F0_13->FEB2 Down FEB7->CB0F0_06 Down CB0F0_14->FEB5 Down FEB5->CB0F0_07 Down CB0F0_15->FEB4 up:

show chassis fabric map (MX Series Routers)

1030

user@host> show chassis fabric map DPC4PFE0->CB0F0_00_0 up DPC4PFE1->CB0F0_00_1 up DPC4PFE2->CB0F0_00_2 up DPC4PFE3->CB0F0_00_3 up DPC7PFE0->CB0F0_01_0 Down DPC7PFE1->CB0F0_01_1 Down DPC7PFE2->CB0F0_01_2 Down

CB0F0_00_0->DPC4PFE0 CB0F0_00_1->DPC4PFE1 CB0F0_00_2->DPC4PFE2 CB0F0_00_3->DPC4PFE3 CB0F0_01_0->DPC7PFE0 CB0F0_01_1->DPC7PFE1 CB0F0_01_2->DPC7PFE2

up up up up Down Down Down



DPC7PFE3->CB0F0_01_3 DPC3PFE0->CB0F0_03_0 DPC3PFE1->CB0F0_03_1 DPC3PFE2->CB0F0_03_2 DPC3PFE3->CB0F0_03_3 DPC8PFE0->CB0F0_05_0 DPC8PFE1->CB0F0_05_1 DPC8PFE2->CB0F0_05_2 DPC8PFE3->CB0F0_05_3 DPC1PFE0->CB0F0_06_0 DPC1PFE1->CB0F0_06_1 DPC1PFE2->CB0F0_06_2 DPC1PFE3->CB0F0_06_3 DPC10PFE0->CB0F0_07_0 DPC10PFE1->CB0F0_07_1 DPC10PFE2->CB0F0_07_2 DPC10PFE3->CB0F0_07_3 DPC11PFE0->CB0F0_08_0 DPC11PFE1->CB0F0_08_1 DPC11PFE2->CB0F0_08_2 DPC11PFE3->CB0F0_08_3 DPC0PFE0->CB0F0_09_0 DPC0PFE1->CB0F0_09_1 DPC0PFE2->CB0F0_09_2 DPC0PFE3->CB0F0_09_3 DPC9PFE0->CB0F0_11_0 DPC9PFE1->CB0F0_11_1 DPC9PFE2->CB0F0_11_2 DPC9PFE3->CB0F0_11_3 DPC2PFE0->CB0F0_13_0 DPC2PFE1->CB0F0_13_1 DPC2PFE2->CB0F0_13_2 DPC2PFE3->CB0F0_13_3 DPC6PFE0->CB0F0_14_0 DPC6PFE1->CB0F0_14_1 DPC6PFE2->CB0F0_14_2 DPC6PFE3->CB0F0_14_3 DPC5PFE0->CB0F0_15_0 DPC5PFE1->CB0F0_15_1 DPC5PFE2->CB0F0_15_2 DPC5PFE3->CB0F0_15_3 DPC4PFE0->CB0F1_00_0 DPC4PFE1->CB0F1_00_1 DPC4PFE2->CB0F1_00_2 DPC4PFE3->CB0F1_00_3 DPC7PFE0->CB0F1_01_0 DPC7PFE1->CB0F1_01_1 DPC7PFE2->CB0F1_01_2 DPC7PFE3->CB0F1_01_3 DPC3PFE0->CB0F1_03_0 DPC3PFE1->CB0F1_03_1 DPC3PFE2->CB0F1_03_2 DPC3PFE3->CB0F1_03_3 DPC8PFE0->CB0F1_05_0 DPC8PFE1->CB0F1_05_1 DPC8PFE2->CB0F1_05_2 DPC8PFE3->CB0F1_05_3 DPC1PFE0->CB0F1_06_0 DPC1PFE1->CB0F1_06_1 DPC1PFE2->CB0F1_06_2 DPC1PFE3->CB0F1_06_3


Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down

CB0F0_01_3->DPC7PFE3 CB0F0_03_0->DPC3PFE0 CB0F0_03_1->DPC3PFE1 CB0F0_03_2->DPC3PFE2 CB0F0_03_3->DPC3PFE3 CB0F0_05_0->DPC8PFE0 CB0F0_05_1->DPC8PFE1 CB0F0_05_2->DPC8PFE2 CB0F0_05_3->DPC8PFE3 CB0F0_06_0->DPC1PFE0 CB0F0_06_1->DPC1PFE1 CB0F0_06_2->DPC1PFE2 CB0F0_06_3->DPC1PFE3 CB0F0_07_0->DPC10PFE0 CB0F0_07_1->DPC10PFE1 CB0F0_07_2->DPC10PFE2 CB0F0_07_3->DPC10PFE3 CB0F0_08_0->DPC11PFE0 CB0F0_08_1->DPC11PFE1 CB0F0_08_2->DPC11PFE2 CB0F0_08_3->DPC11PFE3 CB0F0_09_0->DPC0PFE0 CB0F0_09_1->DPC0PFE1 CB0F0_09_2->DPC0PFE2 CB0F0_09_3->DPC0PFE3 CB0F0_11_0->DPC9PFE0 CB0F0_11_1->DPC9PFE1 CB0F0_11_2->DPC9PFE2 CB0F0_11_3->DPC9PFE3 CB0F0_13_0->DPC2PFE0 CB0F0_13_1->DPC2PFE1 CB0F0_13_2->DPC2PFE2 CB0F0_13_3->DPC2PFE3 CB0F0_14_0->DPC6PFE0 CB0F0_14_1->DPC6PFE1 CB0F0_14_2->DPC6PFE2 CB0F0_14_3->DPC6PFE3 CB0F0_15_0->DPC5PFE0 CB0F0_15_1->DPC5PFE1 CB0F0_15_2->DPC5PFE2 CB0F0_15_3->DPC5PFE3 CB0F1_00_0->DPC4PFE0 CB0F1_00_1->DPC4PFE1 CB0F1_00_2->DPC4PFE2 CB0F1_00_3->DPC4PFE3 CB0F1_01_0->DPC7PFE0 CB0F1_01_1->DPC7PFE1 CB0F1_01_2->DPC7PFE2 CB0F1_01_3->DPC7PFE3 CB0F1_03_0->DPC3PFE0 CB0F1_03_1->DPC3PFE1 CB0F1_03_2->DPC3PFE2 CB0F1_03_3->DPC3PFE3 CB0F1_05_0->DPC8PFE0 CB0F1_05_1->DPC8PFE1 CB0F1_05_2->DPC8PFE2 CB0F1_05_3->DPC8PFE3 CB0F1_06_0->DPC1PFE0 CB0F1_06_1->DPC1PFE1 CB0F1_06_2->DPC1PFE2 CB0F1_06_3->DPC1PFE3

Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down

1031

®



1032

Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down


Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down





Down Down Down up up up up Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down


Down Down Down up up up up Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down up up up up Down Down Down Down Down Down

1033

®


DPC5PFE2->CB1F1_15_2 DPC5PFE3->CB1F1_15_3 plane 4 is not up plane 5 is not up

show chassis fabric map plane 1 (EX8200 Switch)

1034

Down Down

CB1F1_15_2->DPC5PFE2 CB1F1_15_3->DPC5PFE3

Down Down

user@host> show chassis fabric map plane 1 regress@tp-grande01> show chassis fabric map plane 1 DPC6PFE0->CB0F0_00_0 Down CB0F0_00_0->DPC6PFE0 DPC6PFE1->CB0F0_00_1 Down CB0F0_00_1->DPC6PFE1 DPC6PFE2->CB0F0_00_2 Down CB0F0_00_2->DPC6PFE2 DPC6PFE3->CB0F0_00_3 Down CB0F0_00_3->DPC6PFE3 DPC0PFE0->CB0F0_01_0 Down CB0F0_01_0->DPC0PFE0 DPC0PFE1->CB0F0_01_1 Down CB0F0_01_1->DPC0PFE1 DPC0PFE2->CB0F0_01_2 Down CB0F0_01_2->DPC0PFE2 DPC0PFE3->CB0F0_01_3 Down CB0F0_01_3->DPC0PFE3 DPC5PFE0->CB0F0_02_0 Down CB0F0_02_0->DPC5PFE0 DPC5PFE1->CB0F0_02_1 Down CB0F0_02_1->DPC5PFE1 DPC5PFE2->CB0F0_02_2 Down CB0F0_02_2->DPC5PFE2 DPC5PFE3->CB0F0_02_3 Down CB0F0_02_3->DPC5PFE3 DPC3PFE0->CB0F0_03_0 Down CB0F0_03_0->DPC3PFE0 DPC3PFE1->CB0F0_03_1 Down CB0F0_03_1->DPC3PFE1 DPC3PFE2->CB0F0_03_2 Down CB0F0_03_2->DPC3PFE2 DPC3PFE3->CB0F0_03_3 Down CB0F0_03_3->DPC3PFE3 DPC4PFE0->CB0F0_04_0 Down CB0F0_04_0->DPC4PFE0 DPC4PFE1->CB0F0_04_1 Down CB0F0_04_1->DPC4PFE1 DPC4PFE2->CB0F0_04_2 Down CB0F0_04_2->DPC4PFE2 DPC4PFE3->CB0F0_04_3 Down CB0F0_04_3->DPC4PFE3 DPC2PFE0->CB0F0_05_0 Down CB0F0_05_0->DPC2PFE0 DPC2PFE1->CB0F0_05_1 Down CB0F0_05_1->DPC2PFE1 DPC2PFE2->CB0F0_05_2 Down CB0F0_05_2->DPC2PFE2 DPC2PFE3->CB0F0_05_3 Down CB0F0_05_3->DPC2PFE3 DPC7PFE0->CB0F0_06_0 Down CB0F0_06_0->DPC7PFE0 DPC7PFE1->CB0F0_06_1 Down CB0F0_06_1->DPC7PFE1 DPC7PFE2->CB0F0_06_2 Down CB0F0_06_2->DPC7PFE2 DPC7PFE3->CB0F0_06_3 Down CB0F0_06_3->DPC7PFE3 DPC1PFE0->CB0F0_07_0 Down CB0F0_07_0->DPC1PFE0 DPC1PFE1->CB0F0_07_1 Down CB0F0_07_1->DPC1PFE1 DPC1PFE2->CB0F0_07_2 Down CB0F0_07_2->DPC1PFE2 DPC1PFE3->CB0F0_07_3 Down CB0F0_07_3->DPC1PFE3 DPC0PFE0->CB0F0_08_0 Down CB0F0_08_0->DPC0PFE0 DPC0PFE1->CB0F0_08_1 Down CB0F0_08_1->DPC0PFE1 DPC0PFE2->CB0F0_08_2 Down CB0F0_08_2->DPC0PFE2 DPC0PFE3->CB0F0_08_3 Down CB0F0_08_3->DPC0PFE3 DPC7PFE0->CB0F0_09_0 Down CB0F0_09_0->DPC7PFE0 DPC7PFE1->CB0F0_09_1 Down CB0F0_09_1->DPC7PFE1 DPC7PFE2->CB0F0_09_2 Down CB0F0_09_2->DPC7PFE2 DPC7PFE3->CB0F0_09_3 Down CB0F0_09_3->DPC7PFE3 DPC1PFE0->CB0F0_10_0 Down CB0F0_10_0->DPC1PFE0 DPC1PFE1->CB0F0_10_1 Down CB0F0_10_1->DPC1PFE1 DPC1PFE2->CB0F0_10_2 Down CB0F0_10_2->DPC1PFE2 DPC1PFE3->CB0F0_10_3 Down CB0F0_10_3->DPC1PFE3 DPC4PFE0->CB0F0_11_0 Down CB0F0_11_0->DPC4PFE0 DPC4PFE1->CB0F0_11_1 Down CB0F0_11_1->DPC4PFE1 DPC4PFE2->CB0F0_11_2 Down CB0F0_11_2->DPC4PFE2 DPC4PFE3->CB0F0_11_3 Down CB0F0_11_3->DPC4PFE3 DPC2PFE0->CB0F0_12_0 Down CB0F0_12_0->DPC2PFE0 DPC2PFE1->CB0F0_12_1 Down CB0F0_12_1->DPC2PFE1 DPC2PFE2->CB0F0_12_2 Down CB0F0_12_2->DPC2PFE2 DPC2PFE3->CB0F0_12_3 Down CB0F0_12_3->DPC2PFE3 DPC5PFE0->CB0F0_13_0 Down CB0F0_13_0->DPC5PFE0 DPC5PFE1->CB0F0_13_1 Down CB0F0_13_1->DPC5PFE1

Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down



DPC5PFE2->CB0F0_13_2 DPC5PFE3->CB0F0_13_3 DPC3PFE0->CB0F0_14_0 DPC3PFE1->CB0F0_14_1 DPC3PFE2->CB0F0_14_2 DPC3PFE3->CB0F0_14_3 DPC6PFE0->CB0F0_15_0 DPC6PFE1->CB0F0_15_1 DPC6PFE2->CB0F0_15_2 DPC6PFE3->CB0F0_15_3


Down Down Down Down Down Down Down Down Down Down

CB0F0_13_2->DPC5PFE2 CB0F0_13_3->DPC5PFE3 CB0F0_14_0->DPC3PFE0 CB0F0_14_1->DPC3PFE1 CB0F0_14_2->DPC3PFE2 CB0F0_14_3->DPC3PFE3 CB0F0_15_0->DPC6PFE0 CB0F0_15_1->DPC6PFE1 CB0F0_15_2->DPC6PFE2 CB0F0_15_3->DPC6PFE3

Down Down Down Down Down Down Down Down Down Down

1035

®


show chassis fabric plane Syntax

show chassis fabric plane





Release Information

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.4 for EX Series switches. detail, extensive, lcc, sfc, and terse options introduced for the TX Matrix Plus router in Junos OS Release 9.6.

Description

(TX Matrix Plus, T1600, M120, and MX Series routers and EX8200 switches only) On the M120 router, display the state of all fabric plane connections to the Forwarding Engine Boards (FEBs). On MX Series routers, display the state of all fabric plane connections to the Dense Port Concentrators (DPCs) and Packet Forwarding Engines (PFEs) on the Flexible PIC Concentrators (FPCs). On the TX Matrix Plus router and T1600 routers in a routing matrix, display the state of the fabric management plane and the logical planes on the switch-fabric chassis (SFC) and line-card chassis (LCC). On EX8200 switches, display the state of all fabric planes. This command can be used on the master Routing Engine only.

Options

detail—(TX Matrix Plus and T1600 routers in a routing matrix, and MX Series routers only)

(Optional) Display detailed output for the fabric management plane. Show Switch Interface Board (SIB) states for the TXP-F13 SIB and TXP-F2S SIB. extensive—(TX Matrix Plus and T1600 routers in a routing matrix, and MX Series routers

only) (Optional) Display extensive output for the fabric management plane, including the state of the optical links between the F13 SIB on the TX Matrix Plus router and the TXP-T1600 SIB (ST-SIB-L) on the T1600 router. terse—(TX Matrix Plus router and MX Series routers only) (Optional) Display terse output

for the fabric management plane. all-members—(MX Series routers only) (Optional) Display the state of all fabric plane

connections on all members of the Virtual Chassis configuration. lcc number—(TX Matrix Plus router only) (Optional) T1600 router (LCC) that is connected

to a TX Matrix Plus router. Replace number with a value from 0 through 3. local—(MX Series routers only) (Optional) Display the state of all fabric plane connections

on the local Virtual Chassis member.

1036



member member-id—(MX Series routers only) (Optional) Display the state of all fabric

plane connections on the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. sfc number—(TX Matrix Plus router only) (Optional) Show information about the TX

Matrix Plus router (SFC). Replace number with 0. Required Privilege Level Related Documentation


Output Fields

view

•

request chassis fabric plane on page 908

•

show chassis fabric plane-location on page 1059

show chassis fabric plane (M120 Router) on page 1043 show chassis fabric plane (MX240 Router) on page 1043 show chassis fabric plane (MX480 Router) on page 1045 show chassis fabric plane (MX960 Router) on page 1046 show chassis fabric plane (TX Matrix Plus Router) on page 1047 show chassis fabric plane detail (TX Matrix Plus Router) on page 1047 show chassis fabric plane extensive (TX Matrix Plus Router) on page 1048 show chassis fabric plane terse (TX Matrix Plus Router) on page 1050 show chassis fabric plane lcc (TX Matrix Plus Router) on page 1050 show chassis fabric plane sfc (TX Matrix Plus Router) on page 1051 show chassis fabric plane (T1600 Router) on page 1051 show chassis fabric plane extensive (T1600 Router) on page 1051 show chassis fabric plane detail (T1600 Router) on page 1054 show chassis fabric plane extensive (TX Matrix Plus Router) on page 1054 show chassis fabric plane (EX8200 Switch) on page 1057 Table 130 on page 1037 lists the output fields for the show chassis fabric plane command. Output fields are listed in the approximate order in which they appear.

Table 130: show chassis fabric plane Output Fields Field Name

Field Description

Level of output

Plane

(TX Matrix Plus, MX Series, and M120 routers and EX8200 switches only) Number of the plane.

none


1037

®


Table 130: show chassis fabric plane Output Fields (continued) Field Name

Field Description

Level of output

Plane state

(MX Series and M120 routers and EX8200 switches only) State of each plane:

none

•

ACTIVE—SIB is operational and running.

NOTE: On the Enhanced MX SCB with Trio MPC, a maximum of 4 planes are operational and running. On all the other SCBs with Trio MPC, all the planes are operational and running. •

FAULTY— SIB is in alarmed state where the SIB’s plane is not

operational for the following reasons:

FEB

•

On-board fabric ASIC is not operational.

•


•


•


(M120 routers only) FEB number and state of links to each FEB: •

Link error—Link between SIB and FPC is not operational.

•

Links ok—Link between SIB and FPC is active.

•

Unused—No FPC is present.

none

FPC

(MX Series routers only) Slot number of each Dense Port Concentrator (DPC) or Flexible PIC Concentrator (FPC). An FPC occupies two DPC slots on an MX Series router. The interface corresponds to the lowest numbered DPC slotfor which the FPC is installed.

none

PFE

(MX Series and M120 routers only) Slot number of each Packet Forwarding Engine and the state of the links to the DCP: Links ok, Link error, or Unused. Each DPC includes four Packet Forwarding Engines.

none

Links ok: Link between SIB and FPC is active.Link error: Link between SIB and FPC is not operational.Unused: No FPC is present.

1038




Field Description

Level of output

State

(TX Matrix Plus and T1600 routers in a routing matrix only)—State of the fabric plane:

none

•

Online: Fabric plane is operational and running and links on the

SIB are operational. •

Offline: Fabric plane state is Offline because the plane does not

have four or more F2S and one F13 online. •

Empty: Fabric plane state is Empty if all SIBs in the plane are absent.

•

Spare: Fabric plane is redundant and can be operational if the

operational fabric plane encounters an error. •

Check: Fabric plane is in alarmed state due to the following reason

and the cause of the error must be resolved: •

•

Uptime

One or more SIBs (belonging to the fabric plane) in the Online or Spare states has transitioned to the Check state. Check state of the SIB can be caused by link errors or destination errors.

Fault: Fabric plane is in alarmed state if one or more SIBs belonging to the plane are in the Fault state. A SIB can be in the Fault state because of the following reasons: •


•


•


•


•

Link errors have exceeded the threshold.

(TX Matrix Plus and T1600 routers in a routing matrix only)—Time the fabric plane has been up and running.

none

Fabric Management Plane State Output Fields for the show chassis fabric plane extensive Command on a TX Matrix Plus Router


1039

®



Field Description

Level of output

PLANE number

State of the fabric plane:

extensive

•

Online: Fabric plane is operational and running and links on the

SIB are operational. •

Offline: Fabric plane state is Offline because the plane does not

have 4 or more F2S and 1 F13 online. •

Empty: Fabric plane state is Empty if all SIBs in the plane are absent.

•

Spare: Fabric plane is redundant and can be operational if the

operational fabric plane encounters an error. •

Check: Fabric plane is in alarmed state due to the following

reasons and the cause of the error must be resolved: •

•

SIB F13/F2S slot-number

One or more SIBs (belonging to the fabric plane) in the Online or Spare states has transitioned to the Check state. Check state of the SIB can be caused because of link errors or destination errors.

Fault: Fabric plane is in alarmed state if one or more SIBs belonging to the plane are in the Fault state. A SIB can be in the Fault state because of the following reasons: •


•


•


•


•

Link errors have exceeded the threshold.

State of the TXP-F13 SIB or TXP-F2S SIB:

extensive

•

Activating—Transitional state when the SIB is transitioning to the Online or Spare state.

•

Deactivating—Transitional state when the SIB is going offline.

•

Online—SIB is operational and running.

•

Offline—SIB is powered down.

•

Spare—SIB is redundant and will move to active state if one of

the working SIBs fails to pass traffic. •

Empty—No SIB is present.

•

Fault— SIB is in alarmed state because of the following reasons

and the cause of the error must be resolved:

•

•


•


•


•


•

Link errors have exceeded the threshold

Check—SIB is in alarmed state where the SIB is partially

operational because of link or destination errors. Only a SIB that is Online or Spare can transition to the Check state. NOTE: If a SIB is not inserted properly, the SIB cannot transition to the Online or Spare state, and therefore cannot transition to the Check state.

1040




Field Description

Level of output

SIB F13 slot-number Odd/Even

State of the TXP-F13 SIB even and odd port connection optical links from the TX Matrix Plus router (SFC) to the T1600 router (LCC) in the routing matrix . The left four ports on the SFC are labeled Even and provide connections to one even-numbered LCC—LCC0 or LCC2. The right four ports on the SFC are labeled Odd and provide connections to one odd-numbered LCC—LCC1 or LCC3.

extensive

LCC number, SIB slot-number

State of the SIB on the LCC that is connected to the Even or Odd port on the TXP-F13 SIB faceplate:

extensive

•

Links ok—Links between the TXP-F13 SIB on the SFC and the LCC

is active. •

Link error—Link between the TXP-F13 SIB on the SFC and the LCC

is not operational. •

SG number Port number

SIB F2S slot-number

Unused—No SIB is present.

State of the SG chip ports on the LCC: •

Links ok—Link is active.

•

Link error—Link is not operational.

•

Unused—Port is not in use.

State of the intra-chassis links between the TXP-F2S and TXP-F13 SIB.

extensive

extensive

Fabric Management SIB State Output Fields for the show chassis fabric plane extensive Command on a TX Matrix Plus Router


1041

®



Field Description

Level of output

SIB slot-number

State of the SIBs on the T1600 router (LCC) in the routing matrix:

extensive

•

Activating—Transitional state when the SIB is coming online.

•

Deactivating—Transitional state when the SIB is going offline.

•

Connected—SIBS on an LCC are connected and trained, but are

either not online or are spare, because the plane on the the TX Matrix Plus router (SFC) is still offline. The LCC SIB transitions to the Connected state when the F13 SIB to which it connects is online but the SFC plane (to which the LCC SIB connects) is offline for some reason; for instance, when there are insufficient number of F2 SIBs in the plane. •

Disconnected—If an F13 SIB on the TX Matrix Plus router (SFC)

goes offline, then the SIBs on the LCCs connected to the F13 SIB get disconnected. The Disconnected state is valid only for SIBs on an LCC. An LCC SIB transitions to the Disconnected state when the F13 SIB to which it connects goes Offline, irrespective of the state of the SFC plane. SFC Error—If an F13 SIB on the TX Matrix Plus router (SFC) transitions to the Fault state (because of link errors, for instance),

and if an LCC SIB connected to the F13 SIB comes online, the LCC SIB transitions to the SFC Error state. This state indicates that the F13 SIB to which the LCC SIB is connected has errors NOTE: The Connected, Disconnected, and SFC Error states are only applicable to the SIBs on an LCC. •

Online—SIB is operational and running.

•

Offline—SIB is powered down.

•

Spare—SIB is redundant and will move to active state if one of

the working SIBs fails to pass traffic. •

Empty—No SIB is present.

•

Fault— SIB is in alarmed state where the SIB’s plane is not

operational for the following reasons:

•

•


•


•


•


•

Link errors have exceeded the threshold

Check—SIB is in alarmed state where the SIB is partially

operational because of link or destination errors. Only a SIB that is Online or Spare can transition to the Check state. NOTE: If a SIB is not inserted properly, the SIB cannot transition to the Online or Spare state, and therefore cannot transition to the Check state.

1042




Field Description

Level of output

LCC SIB Link State

State of the LCC SIB link:

extensive

SG number Port number

•


•


•

Unused—SIB is not in use.

State of the SG chip ports on the LCC: •


•


•

Unused—Port is not in use.

extensive

Sample Output show chassis fabric plane (M120 Router)

user@host> show chassis fabric plane Fabric management PLANE state Plane 0 Plane state: ACTIVE FEB 0: Links ok FEB 1: Links ok FEB 2: Links ok FEB 3: Links ok FEB 4: Links ok FEB 5: Links ok Plane 1 Plane state: ACTIVE FEB 0: Links ok FEB 1: Links ok FEB 2: Links ok FEB 3: Links ok FEB 4: Links ok FEB 5: Links ok Plane 2 Plane state: ACTIVE FEB 0: Links ok FEB 1: Links ok FEB 2: Links ok FEB 3: Links ok FEB 4: Links ok FEB 5: Links ok Plane 3 Plane state: ACTIVE FEB 0: Links ok FEB 1: Links ok FEB 2: Links ok FEB 3: Links ok FEB 4: Links ok FEB 5: Links ok

show chassis fabric plane (MX240 Router)

user@host> show chassis fabric plane Plane 0 Plane state: ACTIVE FPC 1 PFE 0 :Links ok


1043

®


PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 1 Plane state: ACTIVE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 2 Plane state: ACTIVE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 3 Plane state: ACTIVE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 4 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 5 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links

1044

ok ok ok ok ok ok ok

ok ok ok ok ok ok ok ok




ok ok



PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 6 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 7 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links FPC 2 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links


ok ok ok ok ok ok



user@host> show chassis fabric plane Fabric management PLANE state Plane 0 Plane state: ACTIVE FPC 1 PFE 0 :Links ok PFE 1 :Links ok PFE 2 :Links ok PFE 3 :Links ok Plane 1 Plane state: ACTIVE FPC 1 PFE 0 :Links ok PFE 1 :Links ok PFE 2 :Links ok PFE 3 :Links ok Plane 2 Plane state: ACTIVE FPC 1 PFE 0 :Links ok PFE 1 :Links ok PFE 2 :Links ok PFE 3 :Links ok Plane 3 Plane state: ACTIVE FPC 1 PFE 0 :Links ok PFE 1 :Links ok PFE 2 :Links ok


1045

®


PFE 3 :Links Plane 4 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 5 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 6 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links Plane 7 Plane state: SPARE FPC 1 PFE 0 :Links PFE 1 :Links PFE 2 :Links PFE 3 :Links


1046

ok

ok ok ok ok

ok ok ok ok

ok ok ok ok

ok ok ok ok

user@host> show chassis fabric plane Plane 0 Plane state: ACTIVE FPC 0 PFE 0 :Links ok FPC 2 PFE 0 :Links ok PFE 1 :Links ok Plane 1 Plane state: ACTIVE FPC 0 PFE 0 :Links ok FPC 2 PFE 0 :Links ok PFE 1 :Links ok Plane 2 Plane state: ACTIVE FPC 0 PFE 0 :Links ok FPC 2 PFE 0 :Links ok PFE 1 :Links ok Plane 3 Plane state: ACTIVE FPC 0 PFE 0 :Links ok FPC 2 PFE 0 :Links ok PFE 1 :Links ok



show chassis fabric plane (TX Matrix Plus Router)

user@host> show chassis fabric plane sfc0-re0: -------------------------------------------------------------------------Plane State Uptime 0 Spare 1 Online 1 hour, 11 minutes, 26 seconds 2 Online 1 hour, 11 minutes, 25 seconds 3 Online 1 hour, 11 minutes, 20 seconds 4 Online 1 hour, 11 minutes, 12 seconds lcc0-re0: -------------------------------------------------------------------------SIB State Uptime 0 Spare 1 Online 5 hours, 11 minutes, 39 seconds 2 Online 5 hours, 11 minutes, 39 seconds 3 Online 5 hours, 11 minutes, 39 seconds 4 Online 5 hours, 11 minutes, 39 seconds lcc1-re0: -------------------------------------------------------------------------SIB State Uptime 0 Spare 1 Online 5 hours, 11 minutes, 40 seconds 2 Online 5 hours, 11 minutes, 40 seconds 3 Online 5 hours, 11 minutes, 40 seconds 4 Online 5 hours, 11 minutes, 40 seconds

show chassis fabric plane detail (TX Matrix Plus Router)

user@host> show chassis fabric plane detail sfc0-re0: -------------------------------------------------------------------------Fabric Management PLANE State: PLANE 0: Spare SIB F13 0 : Spare SIB F13 1 : Empty SIB F2S 0/0 : Spare SIB F2S 0/2 : Spare SIB F2S 0/4 : Spare SIB F2S 0/6 : Spare PLANE 1: Online SIB F13 3 : Online SIB F13 4 : Empty SIB F2S 1/0 : Online SIB F2S 1/2 : Online SIB F2S 1/4 : Online SIB F2S 1/6 : Online PLANE 2: Online SIB F13 6 : Online SIB F13 7 : Empty SIB F2S 2/0 : Online SIB F2S 2/2 : Online SIB F2S 2/4 : Online SIB F2S 2/6 : Online PLANE 3: Online SIB F13 8 : Online SIB F13 9 : Online SIB F2S 3/0 : Online SIB F2S 3/2 : Online SIB F2S 3/4 : Online SIB F2S 3/6 : Online PLANE 4: Online


1047

®


SIB SIB SIB SIB SIB SIB

F13 F13 F2S F2S F2S F2S

11 12 4/0 4/2 4/4 4/6

: : : : : :

Online Online Online Online Online Online

lcc0-re0: -------------------------------------------------------------------------Fabric Management SIB State: SIB 0 : Spare SIB 1 : Online SIB 2 : Online SIB 3 : Online SIB 4 : Online lcc1-re0: -------------------------------------------------------------------------Fabric Management SIB State: SIB 0 : Spare SIB 1 : Online SIB 2 : Online SIB 3 : Online SIB 4 : Online

show chassis fabric plane extensive (TX Matrix Plus Router)

1048

user@host> show chassis fabric plane extensive sfc0-re0: -------------------------------------------------------------------------Fabric Management PLANE State: PLANE 0: Spare SIB F13 0 : Spare SIB F13 1 : Empty SIB F2S 0/0 : Spare SIB F2S 0/2 : Spare SIB F2S 0/4 : Spare SIB F2S 0/6 : Spare SIB F13 0 Even: LCC 0, SIB 0 : Links ok SG 0 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 1 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 2 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 3 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SIB F13 0 Odd: LCC 1, SIB 0 : Links ok SG 0



Port Port Port Port

0 1 2 3

: : : :

Links Links Links Links

ok ok ok ok

0 1 2 3

: : : :


ok ok ok ok

0 1 2 3

: : : :


ok ok ok ok

0 : Links 1 : Links 2 : Links 3 : Links Links ok Links ok Links ok Links ok

ok ok ok ok

SG 1 Port Port Port Port SG 2 Port Port Port Port SG 3 Port Port Port Port SIB F2S 0/0: SIB F2S 0/2: SIB F2S 0/4: SIB F2S 0/6: SIB F13 1 Even: LCC 2, SIB 0 SG 0 Port Port Port Port SG 1 Port Port Port Port SG 2 Port Port Port Port SG 3 Port Port Port Port SIB F13 1 Odd: LCC 3, SIB 0 SG 0 Port Port Port Port SG 1 Port Port Port Port SG 2 Port Port Port


: Unused 0 1 2 3

: : : :

Unused Unused Unused Unused

0 1 2 3

: : : :


0 1 2 3

: : : :


0 1 2 3

: : : :


: Unused 0 1 2 3

: : : :


0 1 2 3

: : : :


0 1 2

: Unused : Unused : Unused

1049

®


Port 3

: Unused

SG 3 Port 0 : Port 1 : Port 2 : Port 3 : SIB F2S 0/0: Unused SIB F2S 0/2: Unused SIB F2S 0/4: Unused SIB F2S 0/6: Unused PLANE 1: Online SIB F13 3 : Online SIB F13 4 : Empty SIB F2S 1/0 : Online SIB F2S 1/2 : Online SIB F2S 1/4 : Online SIB F2S 1/6 : Online SIB F13 3 Even: ...

show chassis fabric plane terse (TX Matrix Plus Router)


user@host> show chassis fabric plane terse sfc0-re0: -------------------------------------------------------------------------Plane State Uptime 0 Spare 1 Online 1 hour, 16 minutes, 14 seconds 2 Online 1 hour, 16 minutes, 13 seconds 3 Online 1 hour, 16 minutes, 8 seconds 4 Online 1 hour, 16 minutes lcc0-re0: -------------------------------------------------------------------------SIB State Uptime 0 Spare 1 Online 5 hours, 16 minutes, 27 seconds 2 Online 5 hours, 16 minutes, 27 seconds 3 Online 5 hours, 16 minutes, 27 seconds 4 Online 5 hours, 16 minutes, 27 seconds lcc1-re0: -------------------------------------------------------------------------SIB State Uptime 0 Spare 1 Online 5 hours, 16 minutes, 28 seconds 2 Online 5 hours, 16 minutes, 28 seconds 3 Online 5 hours, 16 minutes, 28 seconds 4 Online 5 hours, 16 minutes, 28 seconds

show chassis fabric plane lcc (TX Matrix Plus Router)

1050

user@host> show chassis fabric plane lcc 1 lcc1-re0: -------------------------------------------------------------------------SIB State Uptime 0 Spare 1 Online 5 hours, 17 minutes, 52 seconds 2 Online 5 hours, 17 minutes, 52 seconds 3 Online 5 hours, 17 minutes, 52 seconds 4 Online 5 hours, 17 minutes, 52 seconds



show chassis fabric plane sfc (TX Matrix Plus Router)

user@host> show chassis fabric plane sfc 0 sfc0-re0: -------------------------------------------------------------------------Plane State Uptime 0 Spare 1 Online 1 hour, 4 minutes, 43 seconds 2 Online 1 hour, 4 minutes, 38 seconds 3 Online 1 hour, 4 minutes, 35 seconds 4 Online 1 hour, 4 minutes, 33 seconds lcc0-re0: -------------------------------------------------------------------------SIB State Uptime 0 Spare 1 Online 1 hour, 7 minutes, 24 seconds 2 Online 1 hour, 7 minutes, 24 seconds 3 Online 1 hour, 7 minutes, 24 seconds 4 Online 1 hour, 7 minutes, 24 seconds lcc1-re0: -------------------------------------------------------------------------SIB State Uptime 0 Offline 1 Online 1 hour, 7 minutes, 22 seconds 2 Online 1 hour, 7 minutes, 22 seconds 3 Online 1 hour, 7 minutes, 22 seconds 4 Online 1 hour, 7 minutes, 22 seconds

show chassis fabric plane (T1600 Router)

show chassis fabric plane extensive (T1600 Router)

user@host> show chassis fabric plane Plane State Uptime 0 Online 15 hours, 1 Online 15 hours, 2 Fault 3 Online 15 hours, 4 Online 15 hours,

42 minutes, 9 seconds 42 minutes, 9 seconds 42 minutes, 9 seconds 42 minutes, 9 seconds

user@host> show chassis fabric plane extensive Fabric Management PLANE State: PLANE 0: Online ST-SIB-L 0: Links ok SG 0 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 1 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 2 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 3 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok


1051

®


ST-SIB-L 0 FPC 4 PFE 0: Links ok PFE 1: Links ok FPC 6 PFE 0: Links ok PFE 1: Links ok FPC 7 PFE 0: Links ok PLANE 1: Online ST-SIB-L 1: Links ok SG 0 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 1 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 2 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 3 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links ST-SIB-L 1 FPC 4 PFE 0: Links ok PFE 1: Links ok FPC 6 PFE 0: Links ok PFE 1: Links ok FPC 7 PFE 0: Links ok PLANE 2: Online ST-SIB-L 2: Links ok SG 0 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 1 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 2 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 3 Port 0 : Links Port 1 : Links Port 2 : Links

1052

ok ok ok ok ok ok ok ok ok ok ok ok ok ok ok ok

ok ok ok ok ok ok ok ok ok ok ok ok ok ok ok



Port 3 : Links ST-SIB-L 2 FPC 4 PFE 0: Links ok PFE 1: Links ok FPC 6 PFE 0: Links ok PFE 1: Links ok FPC 7 PFE 0: Links ok PLANE 3: Spare ST-SIB-L 3: Links ok SG 0 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 1 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 2 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 3 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links ST-SIB-L 3 FPC 4 PFE 0: Links ok PFE 1: Links ok FPC 6 PFE 0: Links ok PFE 1: Links ok FPC 7 PFE 0: Links ok PLANE 4: Online ST-SIB-L 4: Links ok SG 0 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 1 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 2 Port 0 : Links Port 1 : Links Port 2 : Links Port 3 : Links SG 3 Port 0 : Links Port 1 : Links


ok

ok ok ok ok ok ok ok ok ok ok ok ok ok ok ok ok

ok ok ok ok ok ok ok ok ok ok ok ok ok ok

1053

®


Port 2 Port 3 ST-SIB-L 4 FPC 4 PFE 0: PFE 1: FPC 6 PFE 0: PFE 1: FPC 7 PFE 0:

: Links ok : Links ok

Links ok Links ok Links ok Links ok Links ok

show chassis fabric plane detail (T1600 Router)

user@host> show chassis fabric plane detail Fabric Management PLANE State: PLANE 0: Online PLANE 1: Online PLANE 2: Online PLANE 3: Spare PLANE 4: Online

show chassis fabric plane extensive (TX Matrix Plus Router)

user@host> show chassis fabric plane extensive sfc0-re0: -------------------------------------------------------------------------Fabric Management PLANE State: PLANE 0: Online SIB F13 0 : Online SIB F13 1 : Empty SIB F2S 0/0 : Online SIB F2S 0/2 : Online SIB F2S 0/4 : Online SIB F2S 0/6 : Online SIB F13 0 Even: LCC 0, SIB 0 : Unused SG 0 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SG 1 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SG 2 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SG 3 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SIB F13 0 Odd: LCC 1, SIB 0 : Links ok SG 0 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 1

1054



Port Port Port Port

0 1 2 3

: : : :


ok ok ok ok

0 1 2 3

: : : :


ok ok ok ok

0 : Links 1 : Links 2 : Links 3 : Links Links ok Links ok Links ok Links ok

ok ok ok ok

SG 2 Port Port Port Port SG 3 Port Port Port Port SIB F2S 0/0: SIB F2S 0/2: SIB F2S 0/4: SIB F2S 0/6: SIB F13 1 Even: LCC 2, SIB 0 SG 0 Port Port Port Port SG 1

: Unused 0 1 2 3

: : : :


0 1 2 3

: : : :


0 1 2 3

: : : :


0 1 2 3

: : : :


... Port Port Port Port SG 2 Port Port Port Port SG 3 Port Port Port Port SIB F13 1 Odd: LCC 3, SIB 0 SG 0 Port Port Port Port SG 1 Port Port Port Port SG 2 Port Port Port Port SG 3 Port Port


: Unused 0 1 2 3

: : : :


0 1 2 3

: : : :


0 1 2 3

: : : :


0 1

: Unused : Unused

1055

®


Port 2 : Unused Port 3 : Unused SIB F2S 0/0: Unused SIB F2S 0/2: Unused SIB F2S 0/4: Unused SIB F2S 0/6: Unused PLANE 1: Fault SIB F13 3 : Fault SIB F13 4 : Empty SIB F2S 1/0 : Fault SIB F2S 1/2 : Fault SIB F2S 1/4 : Online SIB F2S 1/6 : Online SIB F13 3 Even: LCC 0, SIB 1 : Unused SG 0 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SG 1 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SG 2 Port 0 : Unused Port 1 : Unused Port 2 : Unused Port 3 : Unused SG 3 Port 0 : Unused ... lcc1-re1: -------------------------------------------------------------------------Fabric Management SIB State: SIB 0 : Online LCC SIB Link State : Links ok SG 0 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 1 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 2 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SG 3 Port 0 : Links ok Port 1 : Links ok Port 2 : Links ok Port 3 : Links ok SIB 1 : Fault LCC SIB Link State : Link error SG 0

1056



Port Port Port Port

0 1 2 3

: : : :

Link Link Link Link

error error error error

0 1 2 3

: : : :

Link Link Link Link


0 1 2 3

: : : :

Link Link Link Link


Port 0 : Port 1 : Port 2 : Port 3 : 2 : Online LCC SIB Link State SG 0 Port 0 : Port 1 : Port 2 : Port 3 : SG 1 Port 0 : Port 1 : Port 2 : Port 3 : SG 2 Port 0 : Port 1 : Port 2 : Port 3 : SG 3 Port 0 : Port 1 : Port 2 : Port 3 : 3 : Check LCC SIB Link State SG 0 Port 0 : Port 1 : Port 2 :

Link Link Link Link


SG 1 Port Port Port Port SG 2 Port Port Port Port SG 3

SIB

SIB

show chassis fabric plane (EX8200 Switch)

: Links ok Links Links Links Links

ok ok ok ok


ok ok ok ok


ok ok ok ok


ok ok ok ok

: Link error Link error Link error Link error

user@host> show chassis fabric plane Fabric management PLANE state Plane 0 Plane state: ACTIVE Plane 1 Plane state: ACTIVE Plane 2 Plane state: ACTIVE Plane 3 Plane state: ACTIVE Plane 4 Plane state: SPARE Plane 5


1057

®


Plane state: Plane 6 Plane state: Plane 7 Plane state: Plane 8 Plane state: Plane 9 Plane state: Plane 10 Plane state: Plane 11 Plane state:

1058

SPARE SPARE SPARE ACTIVE ACTIVE ACTIVE ACTIVE



show chassis fabric plane-location Syntax

show chassis fabric plane-location


show chassis fabric plane-location

Release Information

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.4 for EX Series switches. Command introduced in Junos OS Release 12.1 for PTX Series Packet Transport Switches.

Description

(M120, MX Series routers, and EX8200 switches only) Display the Control Board (CB) location of each plane. This command can be used on the master Routing Engine or the backup Routing Engine. For information about the meaning of “CBs” and “fabric plane” on the switches, see “EX Series Switches Hardware and CLI Terminology Mapping” on page 847. (TX Matrix Plus routers only) Display the SIB location of each fabric plane. (PTX Series Packet Transport Switches only) Display the fabric plane location of each SIB.

Options

all-members—(MX Series routers only) (Optional) Display the CB location of each fabric

plane on the Routing Engines in all member routers in the Virtual Chassis configuration. local—(MX Series routers only) (Optional) Display the CB location of each fabric plane

on the Routing Engines in the local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display the CB location of each

fabric plane on the Routing Engines in the specified member in the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. Required Privilege Level List of Sample Output

Output Fields

view

show chassis fabric plane-location (M120 Router) on page 1060 show chassis fabric plane-location (MX240 and MX480 Routers) on page 1060 show chassis fabric plane-location (MX960 Router) on page 1060 show chassis fabric plane-location (TX Matrix Plus Router) on page 1060 show chassis fabric plane-location (EX8200 Switch) on page 1061 show chassis fabric plane-location (PTX Series Packet Transport Switches) on page 1061 Table 131 on page 1060 lists the output fields for the show chassis fabric plane-location command. Output fields are listed in the approximate order in which they appear.


1059

®


Table 131: show chassis fabric plane-location Output Fields Field Name

Field Description

Plane n

Plane number. (PTX Series Packet Transport Switches only) Plane numbers associated with the SIB.

Control Board n

Control board number.

SFC ABS-SIB-F13

(TX Matrix Plus routers only) Switch Interface Board (SIB) slot number on the F13 SIB.

SFC ABS-SIB-F2S

(TX Matrix Plus routers only) SIB slot number on the F2S.

LCC ST-SIB-L

(TX Matrix Plus routers only) Line-card chassis (LCC) SIB slot number.

SIB

(PTX Series Packet Transport Switches only) SIB number.

Sample Output show chassis fabric plane-location (M120 Router)

user@host> show chassis fabric plane-location ------------Fabric Plane Locations------------Plane 0 Control Board 0 Plane 1 Control Board 0 Plane 2 Control Board 1 Plane 3 Control Board 1

show chassis fabric plane-location (MX240 and MX480 Routers)

user@host> show chassis fabric plane-location ------------Fabric Plane Locations------------Plane 0 Control Board 0 Plane 1 Control Board 0 Plane 2 Control Board 0 Plane 3 Control Board 0 Plane 4 Control Board 1 Plane 5 Control Board 1 Plane 6 Control Board 1 Plane 7 Control Board 1

show chassis fabric plane-location (MX960 Router)

user@host> show chassis fabric plane-location ------------Fabric Plane Locations------------Plane 0 Control Board 0 Plane 1 Control Board 0 Plane 2 Control Board 1 Plane 3 Control Board 1 Plane 4 Control Board 2 Plane 5 Control Board 2

show chassis fabric plane-location (TX Matrix Plus Router)

user@host> show chassis fabric plane-location Fabric Plane Locations : Plane SFC ABS-SIB-F13 SFC ABS-SIB-F2 0 0, 1 0/0, 0/2, 0/4, 0/6 1 3, 4 1/0, 1/2, 1/4, 1/6 2 6, 7 2/0, 2/2, 2/4, 2/6

1060

LCC ST-SIB-L 0 1 2



3 4

8, 9 11, 12

3/0, 3/2, 3/4, 3/6 4/0, 4/2, 4/4, 4/6

show chassis fabric plane-location (EX8200 Switch)

user@host> show chassis fabric plane-location ------------Fabric Plane Locations------------Plane 0 Control Board 0 Plane 1 Control Board 0 Plane 2 Control Board 0 Plane 3 Control Board 0 Plane 4 Control Board 1 Plane 5 Control Board 1 Plane 6 Control Board 1 Plane 7 Control Board 1 Plane 8 Control Board 2 Plane 9 Control Board 2 Plane 10 Control Board 2 Plane 11 Control Board 2

show chassis fabric plane-location (PTX Series Packet Transport Switches)

user@host> show chassis fabric plane-location ------------Fabric Plane Locations------------SIB Planes 0 0 1 1 2 3 2 4 5 3 6 7 4 8 9 5 10 11 6 12 13 7 14 15 8 16 17


3 4

1061

®


show chassis fpc Syntax


show chassis fpc | show chassis fpc |

Syntax (T4000 router)

show chassis fpc


show chassis fpc |


Syntax (QFX Series)


Description

Options

show chassis fpc | show chassis fpc show chassis fpc |

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Command introduced in Junos OS Release 12.1 for PTX Series Packet Transport Switches. Display status information about the installed Flexible PIC Concentrators (FPCs)and PICs. none—Display status information for all FPCs. On a TX Matrix router, display status

information for all FPCs on the attached T640 routers in the routing matrix. On a TX Matrix Plus router, display status information for all FPCs on the attached T1600 routers in the routing matrix.

1062



NOTE: In EX8200 switches, line cards initialize Packet Forwarding Engine during start up. If an error occurs during hardware initialization, the FPCs with bad hardware parts power down after transferring the debug information to the Routing Engine. The Routing Engine marks the FPC offline, logs the error in system log messages (/var/log/messages), and generates an alarm to inform the user. See the following sample output: user@host> show chassis fpc Temp CPU Utilization (%) Utilization (%) Slot State (C) Total Interrupt Buffer 0 Empty 1 Empty 2 Empty 3 Empty 4 Empty 5 Offline ---Hard FPC error--6 Empty 7 Online 26 4 0 32

Memory DRAM (MB) Heap

1024

0

The following sample output shows the alarm raised for the failed FPCs. user@host > show chassis alarms 4 alarms currently active Alarm time Class 2011-03-24 00:52:51 UTC Major 2011-03-24 00:52:31 UTC Major 2011-03-24 00:52:31 UTC Major 2011-03-24 00:51:26 UTC Minor RE

Description FPC 5 Hard errors Fan Tray Failure Fan Tray Failure Loss of communication with Backup

detail—(Optional) Display detailed status information for all FPCs or for the FPC in the

specified slot (see fpc-slot or slot). all-members—(MX Series routers only) (Optional) Display status information for all FPCs

on all members of the Virtual Chassis configuration. interconnect-device name—(QFabric switches only) (Optional) Display status information

for all FPCs on the Interconnect device. fpc-slot—(Optional) FPC slot number: •


(TX Matrix and TX Matrix Plus router only—On a TX Matrix router, if you specify the number of the T640 router (or line-card chassis) by using the lcc number option (the recommended method), replace fpc-slot with a value from 0 through 7. Otherwise, replace fpc-slot with a value from 0 through 31. Likewise, on a TX Matrix Plus router, if you specify the number of the T1600 router (or line-card chassis) by using the lcc number option (the recommended method), replace fpc-slot with a value from 0 through 7. Otherwise, replace fpc-slot with a value from 0 through 31. For example, the following commands have the same result:

1063

®


user@host> show chassis fpc detail 1 lcc 1 user@host> show chassis fpc detail 9 •

M120 router—Replace fpc-slot with a value from 0 through 5.

•

MX80 router—Replace fpc-slot with a value from 0 through 1.

•


•


•

MX-960 router—Replace fpc-slot with a value from 0 through 11.

•

Other routers—Replace fpc-slot with a value from 0 through 7.

•

EX Series switches:

•

•

•

EX3200 switches and EX4200 standalone switches—Replace fpc-slot with 0.

•

EX4200 switches in a Virtual Chassis configuration—Replace fpc-slot with a value from 0 through 9.

•

EX6210 switches—Replace fpc-slot with a value from 0 through 9.

•


•


QFX Series: •

QFX3500 switches—Replace fpc-slot with 0.

•

QFabric switches—Replace fpc-slot with 0 through 31 on the Interconnect device.

PTX Series Packet Transport Switches: •

PTX5000 Packet Transport Switch—Replace fpc-slot a value from with 0 through 7.

local—(MX Series routers only) (Optional) Display status information for all FPCs on the

local Virtual Chassis member. member member-id—(MX Series routers only) (Optional) Display status information for

all FPCs on the specified member of the Virtual Chassis configuration. Replace member-id with a value of 0 or 1. node-device name—(QFabric switches only) (Optional) Display status information for

each Node device. Each Node device is equivalent to an FPC. pic-status—(Optional) Display status information for all PICs or for the PIC in the specified

slot (see fpc-slot).

1064



NOTE: On T1600 routers, Type 4 FPCs with ASICs based on the SL2.0 chipset do not support the 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (10x10GE [LAN/WAN] SFPP). If you issue the show chassis fpc command with the pic-status option, the CLI displays the string “Not Supported” for 10x10GE(LAN/WAN) SFPP PICs installed on such FPCs. The following is a sample output: user@host> show chassis fpc pic-status Slot 0 Online E2-FPC Type 1 PIC 0 Online 1x G/E SFP, 1000 BASE PIC 1 Online Adaptive Services-II PIC 2 Online 1x G/E IQ, 1000 BASE PIC 3 Online 1x G/E IQ, 1000 BASE Slot 1 Online FPC Type 3-ES PIC 0 Present UNUSED- Not Supported Slot 2 Online FPC Type 4-ES PIC 0 Offline 4x OC-192 SONET XFP PIC 1 Present 10x10GE(LAN/WAN) SFPP- Not Supported show system processes PID TT STAT TIME COMMAND 0 ?? DLs 0:00.70 (swapper) 1 ?? Is 0:00.35 /sbin/init -2 ?? DL 0:00.00 (pagedaemon) 3 ?? DL 0:00.00 (vmdaemon) 4 ?? DL 0:42.37 (update) 5 ?? DL 0:00.00 (if_jnx) 80 ?? Ss 0:14.66 syslogd -s 96 ?? Is 0:00.01 portmap 128 ?? Is 0:02.70 cron 173 ?? Is 0:02.24 /usr/local/sbin/sshd (sshd1) 189 ?? S 0:03.80 /sbin/watchdog -t180 190 ?? I 0:00.03 /usr/sbin/tnetd -N 191 ?? S 2:24.76 /sbin/ifd -N 192 ?? S< 0:55.44 /usr/sbin/xntpd -N 195 ?? S 0:53.11 /usr/sbin/snmpd -N 196 ?? S 1:15.73 /usr/sbin/mib2d -N 198 ?? I 0:00.75 /usr/sbin/inetd -N 2677 ?? I 0:00.01 /usr/sbin/mgd -N 2712 ?? Ss 0:00.24 rlogind 2735 ?? R 0:00.00 /bin/ps -ax 1985 p0- S 0:07.41 ./rpd -N 2713 p0 Is 0:00.24 -tcsh (tcsh) 2726 p0 S+ 0:00.07 cli user@host> show system processes brief last pid: 543; load averages: 0.00, 37 processes: 1 running, 36 sleeping

0.00,

0.00

18:29:47

Mem: 25M Active, 3976K Inact, 19M Wired, 8346K Buf, 202M Free Swap: 528M Total, 64K Used, 528M Free

show system processes detail

user@host> show system processes detail PID UID PPID CPU PRI NI RSS WCHAN STARTED TT STAT 3151 1049 3129 2 28 0 672 1:13PM p0 R+ 1 0 0 0 10 0 376 wait 1:51PM ?? Is 2 0 0 0 -18 0 12 psleep 1:51PM ?? DL


TIME COMMAND 0:00.00 ps -ax -r 0:00.29 /sbin/ini 0:00.00 (pagedae

1261

®


3 4 5 27 81 119 134 151 183 206 207 208 210 211 215 219 220 221 222 735 736 1380 3019 3122 3128 3129 0

show system processes extensive

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1049 0

0 0 28 0 12 psleep 1:51PM 0 0 28 0 12 update 1:51PM 0 0 2 0 12 pfesel 1:51PM 1 0 10 0 17936 mfsidl 1:51PM 1 0 2 0 496 select 1:52PM 1 0 2 0 492 select 1:52PM 1 0 2 0 580 select 1:52PM 1 0 18 0 532 pause 1:52PM 1 0 2 0 420 select 1:52PM 1 0 18 0 72 pause 1:52PM 1 0 2 0 520 select 1:52PM 1 0 2 0 536 select 1:52PM 1 255 2 -12 740 select 1:52PM 1 0 2 0 376 select 1:52PM 1 0 2 0 548 select 1:52PM 1 0 3 0 540 ttyin 1:52PM 1 0 3 0 540 ttyin 1:52PM 1 0 3 0 540 ttyin 1:52PM 1 0 3 0 540 ttyin 1:52PM 1 0 2 0 468 select 2:47PM 1 0 2 0 212 select 2:47PM 1 0 3 0 888 ttyin 7:32PM 207 0 2 0 636 select 10:49AM 1380 0 2 0 1764 select 12:33PM 215 0 2 0 580 select 12:45PM 3128 0 18 0 944 pause 12:45PM 0 0 -18 0 0 sched 1:51PM

user@host> show system processes extensive last pid: 544; load averages: 0.00, 37 processes: 1 running, 36 sleeping

0.00,

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? v0 v1 v2 v3 ?? ?? d0 ?? d0 ?? p0 ??

0.00

DL DL IL Is Ss Is S Is Ss S I S S< S I Is+ Is+ Is+ Is+ S S Is+ Ss S Ss Ss DLs

0:00.00 0:07.15 0:02.90 0:00.46 0:31.21 0:00.00 0:02.95 0:00.34 0:00.07 0:00.51 0:00.16 0:08.21 0:05.83 0:00.03 0:00.50 0:00.02 0:00.01 0:00.01 0:00.01 0:19.14 0:14.13 0:00.46 0:02.93 0:00.77 0:00.12 0:00.14 0:00.10

18:30:33

Mem: 25M Active, 3968K Inact, 19M Wired, 8346K Buf, 202M Free Swap: 528M Total, 64K Used, 528M Free PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU 544 root 30 0 604K 768K RUN 0:00 0.00% 0.00% 3 root 28 0 0K 12K psleep 0:00 0.00% 0.00% 4 root 28 0 0K 12K update 0:03 0.00% 0.00% 528 aviva 18 0 660K 948K pause 0:00 0.00% 0.00% 204 root 18 0 300K 544K pause 0:00 0.00% 0.00% 131 root 18 0 332K 532K pause 0:00 0.00% 0.00% 186 root 18 0 196K 68K pause 0:00 0.00% 0.00% 27 root 10 0 512M 16288K mfsidl 0:00 0.00% 0.00% 1 root 10 0 620K 344K wait 0:00 0.00% 0.00% 304 root 3 0 884K 900K ttyin 0:00 0.00% 0.00% 200 root 3 0 180K 540K ttyin 0:00 0.00% 0.00% 203 root 3 0 180K 540K ttyin 0:00 0.00% 0.00% 202 root 3 0 180K 540K ttyin 0:00 0.00% 0.00% 201 root 3 0 180K 540K ttyin 0:00 0.00% 0.00% 194 root 2 0 2248K 1640K select 0:11 0.00% 0.00% 205 root 2 0 964K 800K select 0:12 0.00% 0.00% 189 root 2 -12 352K 740K select 0:03 0.00% 0.00% 114 root 2 0 296K 612K select 0:00 0.00% 0.00% 188 root 2 0 780K 600K select 0:00 0.00% 0.00% 527 root 2 0 176K 580K select 0:00 0.00% 0.00% 195 root 2 0 212K 552K select 0:00 0.00% 0.00% 187 root 2 0 192K 532K select 0:00 0.00% 0.00% 83 root 2 0 188K 520K select 0:00 0.00% 0.00% 538 root 2 0 1324K 516K select 0:00 0.00% 0.00% 99 daemon 2 0 176K 492K select 0:00 0.00% 0.00% 163 root 2 0 572K 420K select 0:00 0.00% 0.00%

1262

(vmdaemo (update) (if_pfe) mfs /dev/ syslogd portmap amd -p -a cron /usr/loca /sbin/wat /usr/sbin /sbin/dcd /usr/sbin /usr/sbin /usr/sbin /usr/libe /usr/libe /usr/libe /usr/libe /usr/sbin /usr/sbin bash tnp.chass ./rpd -N rlogind -tcsh (tc (swapper

COMMAND top vmdaemon update tcsh csh cron watchdog mount_mfs init bash getty getty getty getty rpd tnp.chassisd xntpd amd dcd rlogind inetd tnetd syslogd mgd portmap nsrexecd



192 191 537 193 5 2 0

show system processes lcc wide (TX Matrix Routing Matrix)

show system processes summary

root root aviva root root root root

2 2 2 2 2 -18 -18

0 0 0 0 0 0 0

560K 1284K 636K 312K 0K 0K 0K

400K 376K 364K 204K 12K 12K 0K

select select select select pfesel psleep sched

0:10 0:00 0:00 0:07 0:00 0:00 0:00

0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%

0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00%

snmpd mgd cli mib2d if_pfe pagedaemon swapper

user@host> show system processes lcc 2 wide lcc2-re0: -------------------------------------------------------------------------PID TT STAT TIME COMMAND 0 ?? DLs 0:00.00 (swapper) 1 ?? ILs 0:00.10 /sbin/preinit -- (init) 2 ?? DL 0:00.00 (pagedaemon) 3 ?? DL 0:00.00 (vmdaemon) 4 ?? DL 0:00.00 (bufdaemon) 5 ?? DL 0:00.04 (syncer) 6 ?? DL 0:00.00 (netdaemon) 7 ?? IL 0:00.00 (if_pic_listen) 8 ?? IL 0:00.00 (scs_housekeeping) 9 ?? IL 0:00.00 (if_pfe_listen) 10 ?? DL 0:00.00 (vmuncachedaemon) 11 ?? SL 0:00.02 (cb_poll) 172 ?? ILs 0:00.21 mfs -o noauto /dev/ad1s1b /tmp (newfs) 2909 ?? Is 0:00.00 pccardd 2932 ?? Ss 0:00.07 syslogd -r -s 3039 ?? Is 0:00.00 cron 3217 ?? I 0:00.00 /sbin/watchdog -d 3218 ?? I 0:00.02 /usr/sbin/tnetd -N 3221 ?? S 0:00.11 /usr/sbin/alarmd -N 3222 ?? S 0:00.85 /usr/sbin/craftd -N 3223 ?? S 0:00.05 /usr/sbin/mgd -N 3224 ?? I 0:00.02 /usr/sbin/inetd -N 3225 ?? I 0:00.00 /usr/sbin/tnp.sntpd -N 3226 ?? I 0:00.01 /usr/sbin/tnp.sntpc -N 3228 ?? I 0:00.01 /usr/sbin/smartd -N 3231 ?? I 0:00.01 /usr/sbin/eccd -N 3425 ?? S 0:00.09 /usr/sbin/dfwd -N 3426 ?? S 0:00.19 /sbin/dcd -N 3427 ?? I 0:00.04 /usr/sbin/pfed -N 3430 ?? S 0:00.10 /usr/sbin/ksyncd -N 3482 ?? S 1:53.63 /usr/sbin/chassisd -N 4285 ?? SL 0:00.01 (peer proxy) 4286 ?? SL 0:00.00 (peer proxy) 4303 ?? Ss 0:00.00 mgd: (mgd) (root) (mgd) 4304 ?? R 0:00.00 /bin/ps -ax -ww 3270 d0 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyd0 user@host> show system processes summary last pid: 543; load averages: 0.00, 37 processes: 1 running, 36 sleeping

0.00,

0.00

18:29:47

Mem: 25M Active, 3976K Inact, 19M Wired, 8346K Buf, 202M Free Swap: 528M Total, 64K Used, 528M Free PID USERNAME PRI NICE SIZE 527 root 2 0 176K 543 root 30 0 604K


RES STATE 580K select 768K RUN

TIME 0:00 0:00

WCPU 0.04% 0.00%

CPU COMMAND 0.04% rlogind 0.00% top

1263

®


show system processes (TX Matrix Plus Router)

1264

user@host> show system processes sfc0-re0: -------------------------------------------------------------------------PID TT STAT TIME COMMAND 0 ?? WLs 0:00.00 [swapper] 1 ?? ILs 0:00.18 /packages/mnt/jbase/sbin/init -2 ?? DL 0:00.20 [g_event] 3 ?? DL 0:00.39 [g_up] 4 ?? DL 0:00.32 [g_down] 5 ?? DL 0:00.00 [thread taskq] 6 ?? DL 0:00.09 [kqueue taskq] 7 ?? DL 0:00.01 [pagedaemon] 8 ?? DL 0:00.00 [vmdaemon] 9 ?? DL 0:06.63 [pagezero] 10 ?? DL 0:00.00 [ktrace] 11 ?? RL 310:52.98 [idle] 12 ?? WL 0:11.03 [swi2: net] 13 ?? WL 0:27.58 [swi7: clock sio] 14 ?? WL 0:00.00 [swi6: vm] 15 ?? DL 0:03.02 [yarrow] 16 ?? WL 0:00.00 [swi9: +] 17 ?? WL 0:00.00 [swi8: +] 18 ?? WL 0:00.00 [swi5: cambio] 19 ?? WL 0:00.00 [swi9: task queue] 20 ?? WL 0:11.41 [irq16: uhci0 uhci*] 21 ?? DL 0:00.00 [usb0] 22 ?? DL 0:00.00 [usbtask] 23 ?? WL 0:39.51 [irq17: uhci1 uhci*] 24 ?? DL 0:00.00 [usb1] 25 ?? WL 0:00.00 [irq18: uhci2 uhci*] 26 ?? DL 0:00.83 [usb2] 27 ?? DL 0:00.00 [usb3] 28 ?? DL 0:00.00 [usb4] 29 ?? DL 0:00.00 [usb5] 30 ?? DL 0:00.73 [usb6] 31 ?? DL 0:00.00 [usb7] 32 ?? WL 0:00.00 [irq14: ata0] 33 ?? WL 0:00.00 [irq15: ata1] 34 ?? WL 0:00.00 [irq1: atkbd0] 35 ?? WL 0:00.00 [swi0: sio] 36 ?? WL 0:00.00 [irq11: isab0] 37 ?? WL 0:00.00 [swi3: ip6opt ipopt] 38 ?? WL 0:00.00 [swi4: ip6mismatch+] 39 ?? WL 0:00.00 [swi1: ipfwd] 40 ?? DL 0:00.02 [bufdaemon] 41 ?? DL 0:00.02 [vnlru] 42 ?? DL 0:00.39 [syncer] 43 ?? DL 0:00.05 [softdepflush] 44 ?? DL 0:00.00 [netdaemon] 45 ?? DL 0:00.02 [vmuncachedaemon] 46 ?? DL 0:00.00 [if_pic_listen] 47 ?? DL 0:00.35 [vmkmemdaemon] 48 ?? DL 0:00.00 [cb_poll] 49 ?? DL 0:00.06 [if_pfe_listen] 50 ?? DL 0:00.00 [scs_housekeeping] 51 ?? IL 0:00.00 [kern_dump_proc] 52 ?? IL 0:00.00 [nfsiod 0] 53 ?? IL 0:00.00 [nfsiod 1] 54 ?? IL 0:00.00 [nfsiod 2] 55 ?? IL 0:00.00 [nfsiod 3] 56 ?? DL 0:00.37 [schedcpu]



57 79 100 118 139 160 181 217 227 1341 1342 1343 1345 1350 1502 1503 1504 1507 1508 1509 1512 1513 1517 1525 1526 1527 1616 1617 1618 1619 2391 7331 9538 9613 23781 23926 36867 36874 36876 36877 36878 36907 37775 45727 45729 45730 45731 45732 45733 45734 45735 45736 45737 45738 45739 45740 45741 45742 45743 45744 45745


?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

DL DL DL DL DL DL DL DL DL SL SL SL SL Is S S S S S S I S S S S I DL DL DL DL Is Ss DL DL Ss Ss S S S S S S S S S S< SN S S S I S S S S S S I S S S

0:00.56 0:02.58 0:00.03 0:00.01 0:00.95 0:00.12 0:00.00 0:00.02 0:00.05 0:01.34 0:01.68 0:41.40 0:33.83 0:00.01 0:00.01 0:00.86 0:00.01 0:01.32 0:14.54 0:01.19 0:00.05 0:00.10 0:00.11 0:01.10 0:01.43 0:00.01 0:00.30 0:00.32 0:00.34 0:00.30 0:00.01 0:00.03 0:01.16 0:00.18 0:00.01 0:00.01 0:03.14 0:00.08 0:00.17 0:00.15 0:05.05 0:25.07 0:00.01 0:00.02 0:00.38 0:00.12 0:00.10 0:00.03 0:00.09 0:00.30 0:00.00 0:00.06 0:00.05 0:00.10 0:00.05 0:00.07 0:00.01 0:00.01 0:00.08 0:00.05 0:00.25

[md0] [md1] [md2] [md3] [md4] [md5] [md6] [md7] [md8] [bcmTX] [bcmXGS3AsyncTX] [bcmLINK.0] [bcmLINK.1] /usr/sbin/cron /sbin/watchdog -t-1 /usr/libexec/bslockd -mp -N /usr/sbin/tnetd -N /usr/sbin/alarmd -N /usr/sbin/craftd -N /usr/sbin/mgd -N /usr/sbin/inetd -N /usr/sbin/tnp.sntpd -N /usr/sbin/smartd -N /usr/sbin/idpd -N /usr/sbin/license-check -U -M -p 10 -i 10 /usr/libexec/getty Pc ttyv0 [peer proxy] [peer proxy] [peer proxy] [peer proxy] telnetd telnetd [jsr_kkcm] [peer proxy] telnetd mgd: (mgd) (regress)/dev/ttyp2 (mgd) /usr/sbin/rpd -N /usr/sbin/lmpd /usr/sbin/lacpd -N /usr/sbin/bfdd -N /usr/sbin/ppmd -N /usr/sbin/chassisd -N /usr/sbin/bdbrepd -N /usr/sbin/xntpd -j -N -g (ntpd) /usr/sbin/l2ald -N /usr/sbin/apsd -N /usr/sbin/sampled -N /usr/sbin/ilmid -N /usr/sbin/rmopd -N /usr/sbin/cosd /usr/sbin/rtspd -N /usr/sbin/fsad -N /usr/sbin/rdd -N /usr/sbin/pppd -N /usr/sbin/dfcd -N /usr/sbin/lfmd -N /usr/sbin/mplsoamd -N /usr/sbin/sendd -N /usr/sbin/appidd -N /usr/sbin/mspd -N /usr/sbin/jdiameterd -N

1265

®


45746 45747 45748 45750 45751 45752 45764 56479 56480 1142 1160 6527 2392 2393 2394 2395 23782 23881 23925 7332 7333 23780

?? ?? ?? ?? ?? ?? ?? ?? ?? d0d0d0 p1 p1 p1 p1 p2 p2 p2 p3 p3 p3

S S S S S S S Ss R I S Is+ Is I I I+ Is I S+ Is I S+

0:00.10 0:00.19 0:00.63 0:00.45 0:00.15 0:00.15 0:20.59 0:00.00 0:00.00 0:00.01 0:29.17 0:00.00 0:00.00 0:00.00 0:00.00 0:00.01 0:00.00 0:00.00 0:00.03 0:00.00 0:00.00 0:00.02

/usr/sbin/pfed -N /usr/sbin/lpdfd -N /sbin/dcd -N /usr/sbin/mib2d -N /usr/sbin/dfwd -N /usr/sbin/irsd -N /usr/sbin/snmpd -N mgd: (mgd) (root) (mgd) /bin/ps -ax /usr/sbin/usbd -N /usr/sbin/eventd -N -r -s -A /usr/libexec/getty std.9600 ttyd0 login [pam] (login) -csh (csh) su -su (csh) login [pam] (login) -csh (csh) cli login [pam] (login) -csh (csh) telnet aj

lcc0-re0: -------------------------------------------------------------------------PID TT STAT TIME COMMAND 0 ?? WLs 0:00.00 [swapper] 1 ?? ILs 0:00.16 /packages/mnt/jbase/sbin/init -2 ?? DL 0:00.01 [g_event] 3 ?? DL 0:00.16 [g_up] 4 ?? DL 0:00.11 [g_down] 5 ?? DL 0:00.00 [thread taskq] 6 ?? DL 0:00.00 [kqueue taskq] 7 ?? DL 0:00.00 [pagedaemon] 8 ?? DL 0:00.00 [vmdaemon] 9 ?? DL 0:01.77 [pagezero] 10 ?? DL 0:00.00 [ktrace] 11 ?? RL 17:22.31 [idle] 12 ?? WL 0:00.32 [swi2: net] 13 ?? WL 0:01.21 [swi7: clock sio] 14 ?? WL 0:00.00 [swi6: vm] 15 ?? DL 0:00.10 [yarrow] 16 ?? WL 0:00.00 [swi9: +] 17 ?? WL 0:00.00 [swi8: +] 18 ?? WL 0:00.00 [swi5: cambio] 19 ?? WL 0:00.00 [swi9: task queue] 20 ?? WL 0:02.73 [irq10: bcm0 uhci1*] 21 ?? WL 0:00.02 [irq11: cb0 uhci0+*] 22 ?? DL 0:00.00 [usb0] 23 ?? DL 0:00.00 [usbtask] 24 ?? DL 0:00.00 [usb1] 25 ?? DL 0:00.05 [usb2] 26 ?? DL 0:00.00 [usb3] 27 ?? DL 0:00.00 [usb4] 28 ?? DL 0:00.00 [usb5] 29 ?? DL 0:00.04 [usb6] 30 ?? DL 0:00.00 [usb7] 31 ?? WL 0:00.00 [irq14: ata0] 32 ?? WL 0:00.00 [irq15: ata1] 33 ?? WL 0:00.00 [irq1: atkbd0] 34 ?? WL 0:00.00 [swi0: sio]

1266



35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 77 98 116 137 158 179 215 225 1078 1363 1364 1365 1370 1522 1523 1524 1526 1527 1528 1529 1532 1533 1534 1536 1540 1541 1542 2089 2090 2091 2657 2658 2659 2660 2661 2662 2667 2690 2691 1164


?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? d0-

WL WL WL DL DL DL DL DL DL DL DL DL DL DL IL IL IL IL IL DL DL DL DL DL DL DL DL DL DL DL SL SL SL Is S S I S S I S I I I S I S I DL DL DL S S S S S S S Ss R S

0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.01 0:00.00 0:00.00 0:00.00 0:00.00 0:00.02 0:00.01 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.01 0:00.73 0:03.54 0:00.37 0:00.02 0:00.56 0:00.15 0:00.00 0:00.03 0:00.03 0:00.00 0:00.09 0:00.10 0:03.08 0:00.00 0:00.00 0:00.05 0:00.01 0:04.98 0:00.04 0:00.40 0:00.08 0:00.04 0:00.00 0:00.00 0:00.01 0:00.07 0:00.11 0:00.00 0:00.01 0:00.01 0:00.01 0:00.02 0:00.02 0:00.05 0:00.01 0:00.01 0:00.01 0:00.13 0:00.00 0:00.00 0:00.00

[swi3: ip6opt ipopt] [swi4: ip6mismatch+] [swi1: ipfwd] [bufdaemon] [vnlru] [syncer] [softdepflush] [netdaemon] [vmuncachedaemon] [if_pic_listen] [vmkmemdaemon] [cb_poll] [if_pfe_listen] [scs_housekeeping] [kern_dump_proc] [nfsiod 0] [nfsiod 1] [nfsiod 2] [nfsiod 3] [schedcpu] [md0] [md1] [md2] [md3] [md4] [md5] [md6] [md7] [md8] [jsr_kkcm] [bcmTX] [bcmXGS3AsyncTX] [bcmLINK.0] /usr/sbin/cron /sbin/watchdog -t-1 /usr/libexec/bslockd -mp -N /usr/sbin/tnetd -N /usr/sbin/chassisd -N /usr/sbin/alarmd -N /usr/sbin/craftd -N /usr/sbin/mgd -N /usr/sbin/inetd -N /usr/sbin/tnp.sntpd -N /usr/sbin/tnp.sntpc -N /usr/sbin/smartd -N /usr/sbin/jcsd -N /usr/sbin/idpd -N /usr/libexec/getty Pc ttyv0 [peer proxy] [peer proxy] [peer proxy] /usr/sbin/dfwd -N /sbin/dcd -N /usr/sbin/snmpd -N /usr/sbin/mib2d -N /usr/sbin/pfed -N /usr/sbin/irsd -N /usr/sbin/ksyncd -N mgd: (mgd) (root) (mgd) /bin/ps -ax /usr/sbin/usbd -N

1267

®


1182 1543

d0- S d0 Is+

0:00.34 /usr/sbin/eventd -N -r -s -A 0:00.00 /usr/libexec/getty std.9600 ttyd0

lcc1-re0: -------------------------------------------------------------------------PID TT STAT TIME COMMAND 0 ?? WLs 0:00.00 [swapper] 1 ?? ILs 0:00.17 /packages/mnt/jbase/sbin/init -2 ?? DL 0:00.01 [g_event] 3 ?? DL 0:00.16 [g_up] 4 ?? DL 0:00.11 [g_down] 5 ?? DL 0:00.00 [thread taskq] 6 ?? DL 0:00.00 [kqueue taskq] 7 ?? DL 0:00.00 [pagedaemon] 8 ?? DL 0:00.00 [vmdaemon] 9 ?? DL 0:01.77 [pagezero] 10 ?? DL 0:00.00 [ktrace] 11 ?? RL 17:22.83 [idle] 12 ?? WL 0:00.35 [swi2: net] 13 ?? WL 0:01.20 [swi7: clock sio] 14 ?? WL 0:00.00 [swi6: vm] 15 ?? DL 0:00.10 [yarrow] 16 ?? WL 0:00.00 [swi9: +] 17 ?? WL 0:00.00 [swi8: +] 18 ?? WL 0:00.00 [swi5: cambio] 19 ?? WL 0:00.00 [swi9: task queue] 20 ?? WL 0:02.87 [irq10: bcm0 uhci1*] 21 ?? WL 0:00.02 [irq11: cb0 uhci0+*] 22 ?? DL 0:00.00 [usb0] 23 ?? DL 0:00.00 [usbtask] 24 ?? DL 0:00.00 [usb1] 25 ?? DL 0:00.05 [usb2] 26 ?? DL 0:00.00 [usb3] 27 ?? DL 0:00.00 [usb4] 28 ?? DL 0:00.00 [usb5] 29 ?? DL 0:00.04 [usb6] 30 ?? DL 0:00.00 [usb7] 31 ?? WL 0:00.00 [irq14: ata0] 32 ?? WL 0:00.00 [irq15: ata1] 33 ?? WL 0:00.00 [irq1: atkbd0] 34 ?? WL 0:00.00 [swi0: sio] 35 ?? WL 0:00.00 [swi3: ip6opt ipopt] 36 ?? WL 0:00.00 [swi4: ip6mismatch+] 37 ?? WL 0:00.00 [swi1: ipfwd] 38 ?? DL 0:00.00 [bufdaemon] 39 ?? DL 0:00.00 [vnlru] 40 ?? DL 0:00.01 [syncer] 41 ?? DL 0:00.00 [softdepflush] 42 ?? DL 0:00.00 [netdaemon] 43 ?? DL 0:00.00 [vmuncachedaemon] 44 ?? DL 0:00.00 [if_pic_listen] 45 ?? DL 0:00.02 [vmkmemdaemon] 46 ?? DL 0:00.01 [cb_poll] 47 ?? DL 0:00.00 [if_pfe_listen] 48 ?? DL 0:00.00 [scs_housekeeping] 49 ?? IL 0:00.00 [kern_dump_proc] 50 ?? IL 0:00.00 [nfsiod 0] 51 ?? IL 0:00.00 [nfsiod 1] 52 ?? IL 0:00.00 [nfsiod 2] 53 ?? IL 0:00.00 [nfsiod 3] 54 ?? DL 0:00.02 [schedcpu]

1268



55 77 98 116 137 158 179 215 225 1052 1337 1338 1339 1344 1496 1497 1498 1500 1501 1502 1503 1506 1507 1508 1510 1514 1515 1516 2068 2069 2070 2666 2667 2668 2669 2670 2671 2675 2699 2700 1138 1156 1517

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? d0d0d0

DL DL DL DL DL DL DL DL DL DL SL SL SL Is S S I S S I S I I I S I S I DL DL DL S S S S S S S Ss R S S Is+

0:00.75 0:03.40 0:00.37 0:00.02 0:00.56 0:00.15 0:00.00 0:00.03 0:00.03 0:00.00 0:00.09 0:00.10 0:03.10 0:00.00 0:00.00 0:00.05 0:00.01 0:04.97 0:00.04 0:00.40 0:00.08 0:00.04 0:00.00 0:00.00 0:00.01 0:00.07 0:00.18 0:00.00 0:00.01 0:00.01 0:00.01 0:00.02 0:00.01 0:00.01 0:00.05 0:00.01 0:00.02 0:00.13 0:00.00 0:00.00 0:00.00 0:00.37 0:00.00

[md0] [md1] [md2] [md3] [md4] [md5] [md6] [md7] [md8] [jsr_kkcm] [bcmTX] [bcmXGS3AsyncTX] [bcmLINK.0] /usr/sbin/cron /sbin/watchdog -t-1 /usr/libexec/bslockd -mp -N /usr/sbin/tnetd -N /usr/sbin/chassisd -N /usr/sbin/alarmd -N /usr/sbin/craftd -N /usr/sbin/mgd -N /usr/sbin/inetd -N /usr/sbin/tnp.sntpd -N /usr/sbin/tnp.sntpc -N /usr/sbin/smartd -N /usr/sbin/jcsd -N /usr/sbin/idpd -N /usr/libexec/getty Pc ttyv0 [peer proxy] [peer proxy] [peer proxy] /sbin/dcd -N /usr/sbin/irsd -N /usr/sbin/pfed -N /usr/sbin/snmpd -N /usr/sbin/mib2d -N /usr/sbin/dfwd -N /usr/sbin/ksyncd -N mgd: (mgd) (root) (mgd) /bin/ps -ax /usr/sbin/usbd -N /usr/sbin/eventd -N -r -s -A /usr/libexec/getty std.9600 ttyd0

lcc2-re0: -------------------------------------------------------------------------PID TT STAT TIME COMMAND 0 ?? WLs 0:00.00 [swapper] 1 ?? ILs 0:00.18 /packages/mnt/jbase/sbin/init -2 ?? DL 0:00.01 [g_event] 3 ?? DL 0:00.17 [g_up] 4 ?? DL 0:00.12 [g_down] 5 ?? DL 0:00.00 [thread taskq] 6 ?? DL 0:00.00 [kqueue taskq] 7 ?? DL 0:00.00 [pagedaemon] 8 ?? DL 0:00.00 [vmdaemon] 9 ?? DL 0:01.77 [pagezero] 10 ?? DL 0:00.00 [ktrace] 11 ?? RL 17:19.13 [idle] 12 ?? WL 0:00.36 [swi2: net] 13 ?? WL 0:01.20 [swi7: clock sio]


1269

®


14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 77 98 116 137 158 179 215 225 1052 1337 1338 1339 1344 1496 1497 1498 1500 1501 1502

1270

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

WL DL WL WL WL WL WL WL DL DL DL DL DL DL DL DL DL WL WL WL WL WL WL WL DL DL DL DL DL DL DL DL DL DL DL IL IL IL IL IL DL DL DL DL DL DL DL DL DL DL DL SL SL SL Is S S S R S I

0:00.00 0:00.13 0:00.00 0:00.00 0:00.00 0:00.00 0:03.03 0:00.02 0:00.00 0:00.00 0:00.00 0:00.05 0:00.00 0:00.00 0:00.00 0:00.04 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.01 0:00.00 0:00.00 0:00.00 0:00.00 0:00.02 0:00.01 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.02 0:00.75 0:03.48 0:00.59 0:00.02 0:00.56 0:00.15 0:00.00 0:00.03 0:00.03 0:00.00 0:00.09 0:00.10 0:03.22 0:00.00 0:00.00 0:00.05 0:00.01 0:05.17 0:00.04 0:00.39

[swi6: vm] [yarrow] [swi9: +] [swi8: +] [swi5: cambio] [swi9: task queue] [irq10: bcm0 uhci1*] [irq11: cb0 uhci0+*] [usb0] [usbtask] [usb1] [usb2] [usb3] [usb4] [usb5] [usb6] [usb7] [irq14: ata0] [irq15: ata1] [irq1: atkbd0] [swi0: sio] [swi3: ip6opt ipopt] [swi4: ip6mismatch+] [swi1: ipfwd] [bufdaemon] [vnlru] [syncer] [softdepflush] [netdaemon] [vmuncachedaemon] [if_pic_listen] [vmkmemdaemon] [cb_poll] [if_pfe_listen] [scs_housekeeping] [kern_dump_proc] [nfsiod 0] [nfsiod 1] [nfsiod 2] [nfsiod 3] [schedcpu] [md0] [md1] [md2] [md3] [md4] [md5] [md6] [md7] [md8] [jsr_kkcm] [bcmTX] [bcmXGS3AsyncTX] [bcmLINK.0] /usr/sbin/cron /sbin/watchdog -t-1 /usr/libexec/bslockd -mp -N /usr/sbin/tnetd -N /usr/sbin/chassisd -N /usr/sbin/alarmd -N /usr/sbin/craftd -N



1503 1506 1507 1508 1510 1514 1515 1516 2591 2592 2593 2597 3192 3193 3194 3195 3196 3197 3198 3228 3229 1138 1156 1517 ...

show system processes sfc (TX Matrix Plus Router)

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? d0d0d0

S I I I S I S I DL DL DL DL S S S S S S S Ss R S S Is+

0:00.08 0:00.05 0:00.00 0:00.00 0:00.01 0:00.07 0:00.17 0:00.00 0:00.01 0:00.01 0:00.01 0:00.00 0:00.01 0:00.05 0:00.02 0:00.01 0:00.01 0:00.02 0:00.13 0:00.00 0:00.00 0:00.00 0:00.42 0:00.00

/usr/sbin/mgd -N /usr/sbin/inetd -N /usr/sbin/tnp.sntpd -N /usr/sbin/tnp.sntpc -N /usr/sbin/smartd -N /usr/sbin/jcsd -N /usr/sbin/idpd -N /usr/libexec/getty Pc ttyv0 [peer proxy] [peer proxy] [peer proxy] [peer proxy] /usr/sbin/irsd -N /usr/sbin/snmpd -N /sbin/dcd -N /usr/sbin/pfed -N /usr/sbin/mib2d -N /usr/sbin/dfwd -N /usr/sbin/ksyncd -N mgd: (mgd) (root) (mgd) /bin/ps -ax /usr/sbin/usbd -N /usr/sbin/eventd -N -r -s -A /usr/libexec/getty std.9600 ttyd0

user@host> show system processes sfc 0 sfc0-re0: -------------------------------------------------------------------------PID TT STAT TIME COMMAND 0 ?? WLs 0:00.00 [swapper] 1 ?? SLs 0:00.18 /packages/mnt/jbase/sbin/init -2 ?? DL 0:00.20 [g_event] 3 ?? DL 0:00.39 [g_up] 4 ?? DL 0:00.32 [g_down] 5 ?? DL 0:00.00 [thread taskq] 6 ?? DL 0:00.09 [kqueue taskq] 7 ?? DL 0:00.01 [pagedaemon] 8 ?? DL 0:00.00 [vmdaemon] 9 ?? DL 0:06.63 [pagezero] 10 ?? DL 0:00.00 [ktrace] 11 ?? RL 312:09.00 [idle] 12 ?? WL 0:11.07 [swi2: net] 13 ?? WL 0:27.70 [swi7: clock sio] 14 ?? WL 0:00.00 [swi6: vm] 15 ?? DL 0:03.03 [yarrow] 16 ?? WL 0:00.00 [swi9: +] 17 ?? WL 0:00.00 [swi8: +] 18 ?? WL 0:00.00 [swi5: cambio] 19 ?? WL 0:00.00 [swi9: task queue] 20 ?? WL 0:11.46 [irq16: uhci0 uhci*] 21 ?? DL 0:00.00 [usb0] 22 ?? DL 0:00.00 [usbtask] 23 ?? WL 0:39.63 [irq17: uhci1 uhci*] 24 ?? DL 0:00.00 [usb1] 25 ?? WL 0:00.00 [irq18: uhci2 uhci*] 26 ?? DL 0:00.84 [usb2] 27 ?? DL 0:00.00 [usb3] 28 ?? DL 0:00.00 [usb4] 29 ?? DL 0:00.00 [usb5] 30 ?? DL 0:00.73 [usb6]


1271

®


31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 79 100 118 139 160 181 217 227 1341 1342 1343 1345 1350 1502 1503 1504 1507 1508 1509 1512 1513 1517 1525 1526 1527 1616 1617 1618 1619 2391 7331 9538 9613 23781

1272

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

DL WL WL WL WL WL WL WL WL DL DL DL DL DL DL DL DL DL DL DL IL IL IL IL IL DL DL DL DL DL DL DL DL DL DL SL SL SL SL Is S S I S S S S S S S S I DL DL DL DL Is Ss DL DL Ss

0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.02 0:00.02 0:00.39 0:00.05 0:00.00 0:00.02 0:00.00 0:00.35 0:00.00 0:00.06 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.37 0:00.56 0:02.58 0:00.03 0:00.01 0:00.95 0:00.12 0:00.00 0:00.02 0:00.05 0:01.35 0:01.69 0:41.57 0:33.97 0:00.01 0:00.01 0:00.86 0:00.01 0:01.32 0:14.54 0:01.20 0:00.05 0:00.10 0:00.11 0:01.11 0:01.43 0:00.01 0:00.30 0:00.32 0:00.34 0:00.30 0:00.01 0:00.03 0:01.16 0:00.18 0:00.01

[usb7] [irq14: ata0] [irq15: ata1] [irq1: atkbd0] [swi0: sio] [irq11: isab0] [swi3: ip6opt ipopt] [swi4: ip6mismatch+] [swi1: ipfwd] [bufdaemon] [vnlru] [syncer] [softdepflush] [netdaemon] [vmuncachedaemon] [if_pic_listen] [vmkmemdaemon] [cb_poll] [if_pfe_listen] [scs_housekeeping] [kern_dump_proc] [nfsiod 0] [nfsiod 1] [nfsiod 2] [nfsiod 3] [schedcpu] [md0] [md1] [md2] [md3] [md4] [md5] [md6] [md7] [md8] [bcmTX] [bcmXGS3AsyncTX] [bcmLINK.0] [bcmLINK.1] /usr/sbin/cron /sbin/watchdog -t-1 /usr/libexec/bslockd -mp -N /usr/sbin/tnetd -N /usr/sbin/alarmd -N /usr/sbin/craftd -N /usr/sbin/mgd -N /usr/sbin/inetd -N /usr/sbin/tnp.sntpd -N /usr/sbin/smartd -N /usr/sbin/idpd -N /usr/sbin/license-check -U -M -p 10 -i 10 /usr/libexec/getty Pc ttyv0 [peer proxy] [peer proxy] [peer proxy] [peer proxy] telnetd telnetd [jsr_kkcm] [peer proxy] telnetd



23926 36867 36874 36876 36877 36878 36907 37775 45727 45729 45730 45731 45732 45733 45734 45735 45736 45737 45738 45739 45740 45741 45742 45743 45744 45745 45746 45747 45748 45750 45751 45752 45764 56481 56548 56577 56578 1142 1160 6527 56482 56483 56547 2392 2393 2394 2395 23782 23881 23925 7332 7333 23780

show system processes lcc wide (TX Matrix Plus Routing Matrix)

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? d0d0d0 p0 p0 p0 p1 p1 p1 p1 p2 p2 p2 p3 p3 p3

Ss S S S S S S S S S S< SN S S S I S S S S S S I S S S S S S S S S S Ss Rs Ss R S S Is+ Is S S+ Is I I I+ Is I S+ Is I S+

0:00.03 0:03.14 0:00.08 0:00.17 0:00.15 0:05.05 0:26.63 0:00.01 0:00.02 0:00.40 0:00.13 0:00.10 0:00.03 0:00.09 0:00.31 0:00.00 0:00.06 0:00.05 0:00.10 0:00.05 0:00.08 0:00.01 0:00.01 0:00.08 0:00.05 0:00.27 0:00.10 0:00.19 0:00.64 0:00.46 0:00.16 0:00.15 0:20.60 0:00.02 0:00.19 0:00.00 0:00.00 0:00.01 0:29.71 0:00.00 0:00.00 0:00.01 0:00.02 0:00.00 0:00.00 0:00.00 0:00.01 0:00.00 0:00.00 0:00.03 0:00.00 0:00.00 0:00.02

mgd: (mgd) (regress)/dev/ttyp2 (mgd) /usr/sbin/rpd -N /usr/sbin/lmpd /usr/sbin/lacpd -N /usr/sbin/bfdd -N /usr/sbin/ppmd -N /usr/sbin/chassisd -N /usr/sbin/bdbrepd -N /usr/sbin/xntpd -j -N -g (ntpd) /usr/sbin/l2ald -N /usr/sbin/apsd -N /usr/sbin/sampled -N /usr/sbin/ilmid -N /usr/sbin/rmopd -N /usr/sbin/cosd /usr/sbin/rtspd -N /usr/sbin/fsad -N /usr/sbin/rdd -N /usr/sbin/pppd -N /usr/sbin/dfcd -N /usr/sbin/lfmd -N /usr/sbin/mplsoamd -N /usr/sbin/sendd -N /usr/sbin/appidd -N /usr/sbin/mspd -N /usr/sbin/jdiameterd -N /usr/sbin/pfed -N /usr/sbin/lpdfd -N /sbin/dcd -N /usr/sbin/mib2d -N /usr/sbin/dfwd -N /usr/sbin/irsd -N /usr/sbin/snmpd -N telnetd mgd: (mgd) (regress)/dev/ttyp0 (mgd) mgd: (mgd) (root) (mgd) /bin/ps -ax /usr/sbin/usbd -N /usr/sbin/eventd -N -r -s -A /usr/libexec/getty std.9600 ttyd0 login [pam] (login) -csh (csh) cli login [pam] (login) -csh (csh) su -su (csh) login [pam] (login) -csh (csh) cli login [pam] (login) -csh (csh) telnet aj

user@host> show system processes lcc 2 wide lcc2-re0: -------------------------------------------------------------------------PID TT STAT TIME PROVIDER COMMAND 0 ?? WLs 0:00.00 (null) [swapper] 1 ?? ILs 0:00.19 /packages/mnt/jbase/sbin/init -2 ?? DL 0:00.02 [g_event]


1273

®


3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 77 98 116 137 158 179 215 225

1274

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

DL DL DL DL DL DL DL DL RL WL WL WL DL WL WL WL WL WL WL DL DL DL DL DL DL DL DL DL WL WL WL WL WL WL WL DL DL DL DL DL DL DL DL DL DL DL IL IL IL IL IL DL DL DL DL DL DL DL DL DL DL

0:00.19 0:00.13 0:00.00 0:00.00 0:00.00 0:00.00 0:01.77 0:00.00 20:33.81 0:00.38 0:01.43 0:00.00 0:00.14 0:00.00 0:00.00 0:00.00 0:00.00 0:03.18 0:00.03 0:00.00 0:00.00 0:00.00 0:00.06 0:00.00 0:00.00 0:00.00 0:00.05 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.02 0:00.01 0:00.00 0:00.00 0:00.00 0:00.03 0:00.01 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.02 0:00.75 0:03.84 0:00.59 0:00.02 0:00.72 0:00.15 0:00.00 0:00.03 0:00.03

[g_up] [g_down] [thread taskq] [kqueue taskq] [pagedaemon] [vmdaemon] [pagezero] [ktrace] [idle] [swi2: net] [swi7: clock sio] [swi6: vm] [yarrow] [swi9: +] [swi8: +] [swi5: cambio] [swi9: task queue] [irq10: bcm0 uhci1*] [irq11: cb0 uhci0+*] [usb0] [usbtask] [usb1] [usb2] [usb3] [usb4] [usb5] [usb6] [usb7] [irq14: ata0] [irq15: ata1] [irq1: atkbd0] [swi0: sio] [swi3: ip6opt ipopt] [swi4: ip6mismatch+] [swi1: ipfwd] [bufdaemon] [vnlru] [syncer] [softdepflush] [netdaemon] [vmuncachedaemon] [if_pic_listen] [vmkmemdaemon] [cb_poll] [if_pfe_listen] [scs_housekeeping] [kern_dump_proc] [nfsiod 0] [nfsiod 1] [nfsiod 2] [nfsiod 3] [schedcpu] [md0] [md1] [md2] [md3] [md4] [md5] [md6] [md7] [md8]



1052 1337 1338 1339 1344 1496 1497 1498 1500 1501 1502 1503 1506 1507 1508 1510 1514 1515 1516 2591 2592 2593 2597 3192 3193 3194 3195 3196 3197 3198 3559 3560 1138 1156 1517

show system processes (QFX Series)

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? d0d0d0

DL SL SL SL Is I S I S S I S I I I S I S I DL DL DL DL S S S I S I S Ss R S S Is+

0:00.00 0:00.11 0:00.12 0:03.82 0:00.00 0:00.00 0:00.06 0:00.01 0:09.93 0:00.05 0:00.39 0:00.09 0:00.05 0:00.00 0:00.00 0:00.01 0:00.07 0:00.17 0:00.00 0:00.01 0:00.01 0:00.01 0:00.01 0:00.02 0:00.05 0:00.04 0:00.01 0:00.02 0:00.03 0:00.15 0:00.00 0:00.00 0:00.00 0:00.50 0:00.00

[jsr_kkcm] [bcmTX] [bcmXGS3AsyncTX] [bcmLINK.0] /usr/sbin/cron /sbin/watchdog -t-1 /usr/libexec/bslockd -mp -N /usr/sbin/tnetd -N /usr/sbin/chassisd -N /usr/sbin/alarmd -N /usr/sbin/craftd -N /usr/sbin/mgd -N /usr/sbin/inetd -N /usr/sbin/tnp.sntpd -N /usr/sbin/tnp.sntpc -N /usr/sbin/smartd -N /usr/sbin/jcsd -N /usr/sbin/idpd -N /usr/libexec/getty Pc ttyv0 [peer proxy] [peer proxy] [peer proxy] [peer proxy] /usr/sbin/irsd -N /usr/sbin/snmpd -N /sbin/dcd -N /usr/sbin/pfed -N /usr/sbin/mib2d -N /usr/sbin/dfwd -N /usr/sbin/ksyncd -N mgd: (mgd) (root) (mgd) /bin/ps -ax -Jpww /usr/sbin/usbd -N /usr/sbin/eventd -N -r -s -A /usr/libexec/getty std.9600 ttyd0

user@switch> show system processes PID TT STAT TIME COMMAND 0 ?? WLs -2341043:-31.01 [swapper] 1 ?? SLs 0:01.34 /packages/mnt/jbase/sbin/init -2 ?? DL 2:48.31 [g_event] 3 ?? DL 1:47.44 [g_up] 4 ?? DL 1:37.82 [g_down] 5 ?? DL 0:00.00 [kdm_tcp_poller] 6 ?? DL 0:00.00 [thread taskq] 7 ?? DL 0:04.86 [kqueue taskq] 9 ?? DL 0:03.94 [pagedaemon] 10 ?? DL 0:00.00 [ktrace] 11 ?? RL 0:00.00 [idle: cpu31] 12 ?? RL 0:00.00 [idle: cpu30] 13 ?? RL 0:00.00 [idle: cpu29] 14 ?? RL 0:00.00 [idle: cpu28] 15 ?? RL 0:00.00 [idle: cpu27] 16 ?? RL 0:00.00 [idle: cpu26] 17 ?? RL 0:00.00 [idle: cpu25] 18 ?? RL 0:00.00 [idle: cpu24] 19 ?? RL 0:00.00 [idle: cpu23] 20 ?? RL 0:00.00 [idle: cpu22] 21 ?? RL 0:00.00 [idle: cpu21] 22 ?? RL 0:00.00 [idle: cpu20] 23 ?? RL 0:00.00 [idle: cpu19]


1275

®


24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 95

1276

?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

RL RL RL RL RL RL RL RL RL RL RL RL RL RL RL RL RL RL RL WL WL WL DL WL WL WL WL WL WL DL DL WL WL WL WL WL DL DL DL DL DL DL DL DL DL SL SL SL SL SL SL DL DL SL SL SL SL WL RL DL DL

0:00.00 [idle: cpu18] 0:00.00 [idle: cpu17] 0:00.00 [idle: cpu16] 0:00.00 [idle: cpu15] 0:00.00 [idle: cpu14] 0:00.00 [idle: cpu13] 0:00.00 [idle: cpu12] 0:00.00 [idle: cpu11] 0:00.00 [idle: cpu10] 0:00.00 [idle: cpu9] 18184:07.25 [idle: cpu8] 0:00.00 [idle: cpu7] 17862:11.31 [idle: cpu6] 19343:45.16 [idle: cpu5] 5192:38.30 [idle: cpu4] 0:00.00 [idle: cpu3] 19278:02.24 [idle: cpu2] 19291:00.72 [idle: cpu1] 18910:31.21 [idle: cpu0] 19:03.74 [swi2: net] 261:43.82 [swi7: clock sio] 0:00.00 [swi6: vm] 2:18.57 [yarrow] 0:00.00 [swi9: +] 0:00.00 [swi8: +] 0:12.36 [swi5: cambio] 0:00.00 [swi9: task queue] 0:00.00 [swi0: sio] 0:32.40 [irq39: ehci0] 0:00.21 [usb0] 0:00.00 [usbtask] 0:00.00 [irq22: xlr_lbus0] 0:00.00 [irq38: xlr_lbus0] 0:00.00 [swi3: ip6opt ipopt] 0:00.00 [swi4: ip6mismatch+] 0:00.00 [swi1: ipfwd] 0:18.65 [pagezero] 0:18.59 [bufdaemon] 1:10.44 [vnlru_mem] 1:51.66 [syncer] 0:20.22 [vnlru] 0:40.48 [softdepflush] 0:00.00 [netdaemon] 20:47.67 [vmkmemdaemon] 0:00.00 [if_pfe_listen] 0:02.80 [kdm_checkkcore] 0:03.34 [kdm_savekcore] 0:04.31 [kdm_livekcore] 0:06.14 [kdm_logger] 0:04.31 [kdm_kdb] 0:00.02 [devrt_kernel_thread] 0:21.54 [vmuncachedaemon] 0:00.00 [if_pic_listen0] 0:00.00 [nfsiod 0] 0:00.00 [nfsiod 1] 0:00.00 [nfsiod 2] 0:00.00 [nfsiod 3] 5:59.98 [irq13: +] 105:06.81 [pkt_sender: cpu0] 0:03.62 [md0] 0:37.04 [md1]



115 135 155 175 195 231 755 847 849 850 852 853 855 857 896 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 971 972 973 974 975 976 977 978 979 982 983 1043 1048 1111 1112 12816 30893 30897 30905 30909 30910 30914 30937 661 860 30896 30908 30913


?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? d0d0 p0 p1 p2

DL DL DL DL DL DL Ss S S S S S L S S S S S DL S S S S S S S S S S S S S S S S S S S S S S S S S DL WL DL S Ss Ss Ss Ss Ss Ss R S Ss+ Ss+ Ss+ Ss+

0:06.01 [md2] 0:00.75 [md3] 0:21.17 [md4] 0:01.90 [md5] 0:06.26 [md6] 0:00.01 [md7] 0:04.17 /usr/sbin/cron 0:00.10 /usr/sbin/tnetd -N 0:06.82 /usr/sbin/mgd -N 0:00.32 /usr/sbin/inetd -N 1:05.34 /usr/sbin/dhcpd -N 0:00.18 /usr/sbin/inetd -p /var/run/inetd_4.pid -N -JU __juni 1181:02.21 /usr/sbin/dc-pfe -N (pafxpc) 17:55.86 /usr/sbin/vccpd -N 93:43.45 /usr/sbin/chassism -N 0:02.89 /sbin/watchdog -t-1 3:34.00 /sbin/dcd -N 10:30.13 /usr/sbin/chassisd -N 0:00.21 [peer proxy] 4:07.43 /usr/sbin/alarmd -N 0:31.69 /usr/sbin/craftd -N 0:55.16 /usr/sbin/mib2d -N 3:40.64 /usr/sbin/rpd -N 0:00.03 /usr/sbin/tnp.sntpd -N 0:51.94 /usr/sbin/pfed -N 0:47.31 /usr/sbin/rmopd -N 0:33.65 /usr/sbin/cosd 1:48.41 /usr/sbin/ppmd -N 0:07.18 /usr/sbin/dfwd -N 1:02.56 /usr/sbin/bfdd -N 0:00.63 /usr/sbin/rdd -N 0:40.61 /usr/sbin/dfcd -N 0:07.81 /usr/sbin/bdbrepd -N 0:00.28 /usr/sbin/sendd -N 1:37.69 /usr/sbin/xntpd -j -N -g -JU __juniper_private4__ (nt 5:56.28 /usr/sbin/snmpd -N -JU __juniper_private4__ 16:46.82 /usr/sbin/jdiameterd -N 2:34.13 /usr/sbin/eswd -N 1:03.05 /usr/sbin/sflowd -N 0:22.30 /usr/sbin/fcd -N 1:07.01 /usr/sbin/vccpdf -N 0:25.25 /usr/sbin/mcsnoopd -N 3:45.68 /usr/sbin/rpdf -N 0:37.87 /usr/sbin/lacpd -N 0:01.29 [peer proxy] 0:00.00 [swi2: FMNITHRD+] 0:00.03 [peer proxy] 15:35.32 /usr/sbin/sfid -N 0:00.65 sshd: tlewis@ttyp0 (sshd) 0:00.15 mgd: (mgd) (tlewis)/dev/ttyp0 (mgd) 0:00.64 sshd: tlewis@ttyp1 (sshd) 0:00.15 mgd: (mgd) (tlewis)/dev/ttyp1 (mgd) 0:01.26 sshd: tcheng@ttyp2 (sshd) 0:00.80 mgd: (mgd) (tcheng)/dev/ttyp2 (mgd) 0:00.03 /bin/ps -ax 0:21.24 /usr/sbin/eventd -N -r -s -A 0:00.07 /usr/libexec/getty std.9600 ttyd0 0:00.55 -cli (cli) 0:00.50 -cli (cli) 0:00.85 -cli (cli)

1277

®


1278


PART 10

EX3300, EX4200, and EX4500 Virtual Chassis •

EX3300, EX4200, and EX4500 Virtual Chassis—Overview, Components, and Configurations on page 1281

•

EX3300, EX4200, and EX4500 Virtual Chassis—Configuration Examples on page 1311

•

Configuring EX3300, EX4200, and EX4500 Virtual Chassis on page 1407

•

Verifying EX3300, EX4200, and EX4500 Virtual Chassis Configuration on page 1453

•

Troubleshooting EX3300, EX4200, and EX4500 Virtual Chassis on page 1465

•

Configuration Statements for EX3300, EX4200, and EX4500 Virtual Chassis on page 1471

•

Operational Commands for EX3300, EX4200, and EX4500 Virtual Chassis on page 1495


1279

®


1280


CHAPTER 37

EX3300, EX4200, and EX4500 Virtual Chassis—Overview, Components, and Configurations •


•

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Components on page 1285

•

Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected on page 1290

•

Understanding Software Upgrade in an EX3300, EX4200, or EX4500 Virtual Chassis on page 1291

•

Understanding Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis on page 1291

•

Understanding Nonvolatile Storage in an EX3300, EX4200, or EX4500 Virtual Chassis on page 1294

•

Understanding the High-Speed Interconnection of the EX4200 and EX4500 Virtual Chassis Members on page 1294

•

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Link Aggregation on page 1294

•

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Configuration on page 1296

•

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Switch Version Compatibility on page 1298

•

Understanding Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis on page 1298

•

Understanding Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis on page 1305

•

Understanding Automatic Software Update on EX3300, EX4200, and EX4500 Virtual Chassis Member Switches on page 1308

EX3300, EX4200, and EX4500 Virtual Chassis Overview The Juniper Networks EX3300 Ethernet Switch, the Juniper Networks EX4200 Ethernet Switch, and the Juniper Networks EX4500 Ethernet Switch support the Virtual Chassis


1281

®


flexible, scaling switch solution. You can connect individual switches together to form one unit and manage the unit as a single chassis. This topic pertains to the following Virtual Chassis: •

An EX3300 Virtual Chassis, composed of up to six EX3300 switches

•

An EX4200 Virtual Chassis, composed of up to ten EX4200 switches

•

An EX4500 Virtual Chassis, composed of up to ten EX4500 switches

•

A mixed EX4200 and EX4500 Virtual Chassis, a Virtual Chassis composed of up to ten total EX4200 and EX4500 switches

NOTE: You can also create a Virtual Chassis with Juniper Networks EX8200 Ethernet Switches. The EX8200 Virtual Chassis is not covered in this document. See “EX8200 Virtual Chassis Overview” on page 1538.


Basic Configuration of a Virtual Chassis on page 1282

•

Expanding Configurations—Within a Single Wiring Closet and Across Wiring Closets on page 1282

•

Global Management of Member Switches in a Virtual Chassis on page 1284

•

High Availability Through Redundant Routing Engines on page 1284

•

Adaptability as an Access Switch or Distribution Switch on page 1284

Basic Configuration of a Virtual Chassis You need to interconnect at least two switches to form a Virtual Chassis. You interconnect EX3300 switches into a Virtual Chassis by interconnecting uplink port connections configured as Virtual Chassis ports (VCPs) between two or more switches. By default, uplink ports 2 and 3 on EX3300 switches are configured as VCPs. See “Configuring an EX3300 Virtual Chassis (CLI Procedure)” on page 1446. You interconnect EX4200 and EX4500 switches in a Virtual Chassis by interconnecting the switches through the dedicated VCPs on the rear panel of the EX4200 switches, the dedicated VCPs on the Virtual Chassis modules in the EX4500 switches, or the ports that you have configured as VCPs on the switches. See “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408 or “Configuring a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure)” on page 1414.

Expanding Configurations—Within a Single Wiring Closet and Across Wiring Closets You can easily expand the Virtual Chassis configuration to include more member switches. Simply add member switches to an EX3300 Virtual Chassis by cabling new EX3300 switches using the uplink ports configured as VCPs. Within a single wiring closet, simply add member switches to an EX4200 or an EX4500 Virtual Chassis by cabling together the dedicated VCPs.

1282


Chapter 37: EX3300, EX4200, and EX4500 Virtual Chassis—Overview, Components, and Configurations

You can also expand a Virtual Chassis configuration beyond a single wiring closet. Interconnect switches located in multiple wiring closets or in multiple data center racks by installing SFP, SFP+, or XFP uplink modules and connecting the uplink module ports on EX4200 member switches or by connecting the 10-Gigabit Ethernet SFP+ network interfaces on the EX4500 member switches. You must then configure the SFP, SFP+, or XFP connections as VCPs. You must always use the uplink ports on an EX3300 switch to connect an EX3300 Virtual Chassis both within a wiring closet and across wiring closets. Uplink ports 2 and 3 are automatically configured as VCPs on EX3300 switches. To use SFP, SFP+, and XFP uplink module ports or network interfaces for interconnecting member switches, you must explicitly configure them as VCPs on EX4200 and EX4500 member switches. When you are creating a Virtual Chassis configuration with multiple members, you might want to deterministically control the role and member ID assigned to each member switch. You can do this by creating a preprovisioned configuration. You can add switches to a preprovisioned configuration by using the autoprovisioning feature to automatically configure the uplink ports as VCPs on the switches being added. For detailed information, see: To add a new switch to a wiring closet, see: •

Adding a New Switch to an Existing EX3300 Virtual Chassis (CLI Procedure) on page 1450

•


•

Adding an EX4200 Switch to a Preprovisioned EX4500 Virtual Chassis or a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) on page 1424

•

Adding an EX4500 Switch to a Preprovisioned EX4200 Virtual Chassis (CLI Procedure) on page 1425

•

Adding an EX4500 Switch to a Nonprovisioned EX4200 Virtual Chassis (CLI Procedure) on page 1427

To manually configure a VCP, see: •

Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure) on page 1434

•

Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure) on page 1438

To use preprovisioning to configure a Virtual Chassis or autoprovisioning to add a switch to a Virtual Chassis, see: •


•

Configuring a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) on page 1414

•



1283

®


Global Management of Member Switches in a Virtual Chassis The interconnected member switches in a Virtual Chassis configuration operate as a single network entity. You run EZSetup only once to specify the identification parameters for the master, and these parameters implicitly apply to all members of the Virtual Chassis configuration. You can view the Virtual Chassis configuration as a single device in the J-Web user interface (on platforms and software that support J-Web) and apply various device management functions to all members of the Virtual Chassis configuration. The serial console port and dedicated out-of-band management port that are on the rear panel of the individual switches have global virtual counterparts when the switches are interconnected in a Virtual Chassis configuration. A PC or laptop allows you to connect to the master switch by connecting a terminal directly to the console port of any member switch. A virtual management Ethernet (VME) interface allows you to remotely manage the Virtual Chassis configuration by connecting to the out-of-band management port of any member switch through a single IP address. See “Understanding Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis” on page 1291.

High Availability Through Redundant Routing Engines A Virtual Chassis configuration always has a switch in the master role and a switch in the backup role. In a Virtual Chassis, the master Routing Engine is the Routing Engine on the switch in the master role and the backup Routing Engine is the Routing Engine on the switch in the backup role. These redundant Routing Engines within the Virtual Chassis handle all routing protocol processes, control the Virtual Chassis configuration, and provide resiliency by keeping the Virtual Chassis operational when one Routing Engine fails. See “High Availability Features for EX Series Switches Overview” on page 33 for further information on redundant Routing Engines and additional high availability features.

Adaptability as an Access Switch or Distribution Switch A Virtual Chassis configuration supports a variety of user environments, because it can be composed of different models of switches. You can select different switch models to support various functions. For example, you might set up one Virtual Chassis access switch configuration composed of the full Power over Ethernet (PoE) models to support users sitting in cubicles equipped with PCs and Voice over IP (VoIP) phones. You could set up another Virtual Chassis configuration with partial PoE models to support the company's internal servers and configure one more Virtual Chassis configuration with partial PoE models to support the company's external servers. Alternatively, you can use the Virtual Chassis as a distribution switch. Related Documentation

1284

•


•


•

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Switch Version Compatibility on page 1298

•




•


•


•


Understanding EX3300, EX4200, and EX4500 Virtual Chassis Components This topic describes the components of EX3300, EX4200, EX4500, and mixed EX4200 and EX4500 Virtual Chassis. This topic covers: •

Number of Switches per Virtual Chassis on page 1285

•

Virtual Chassis Ports (VCPs) on page 1285

•

Master Role on page 1286

•

Backup Role on page 1287

•

Linecard Role on page 1287

•

Member Switch and Member ID on page 1288

•

Mastership Priority on page 1288

•

Virtual Chassis Identifier (VCID) on page 1289

Number of Switches per Virtual Chassis You can interconnect up to six Juniper Networks EX3300 Ethernet Switches in an EX3300 Virtual Chassis You can interconnect up to ten Juniper Networks EX4200 Ethernet Switches in an EX4200 Virtual Chassis. Starting in Junos OS Release 11.4, you can interconnect up to ten Juniper Networks EX4500 Ethernet Switches in an EX4500 Virtual Chassis. You can connect up to two EX4500 switches in an EX4500 Virtual Chassis in prior Junos OS releases. You can interconnect up to ten EX4200 and EX4500 Ethernet Switches in a mixed EX4200 and EX4500 Virtual Chassis. You can interconnect up to nine EX4200 switches in a mixed EX4200 and EX4500 Virtual Chassis. Starting in Junos OS Release 11.4, you can configure up to nine EX4500 switches in a mixed EX4200 and EX4500 Virtual Chassis. You can connect up to two EX4500 switches in a mixed EX4200 and EX4500 Virtual Chassis in prior Junos OS releases.

Virtual Chassis Ports (VCPs) You use Virtual Chassis ports (VCPs) to interconnect the member switches in a Virtual Chassis. Some switches have dedicated VCPs. Dedicated VCPs allow you to interconnect switches without requiring any additional interface configuration. These switches have dedicated VCPs:


1285

®


•

EX4200 switches, on the rear panel

•

EX4500 switches, on the Virtual Chassis module.

To interconnect switches that do not have dedicated VCPs or to interconnect switches across greater distances than allowed by a dedicated-VCP connection, you configure a fiber-optic port as a VCP. You can configure those VCPs on these switches: •

EX3300 switches, through an uplink port

NOTE: Uplink ports 2 and 3 on EX3300 switches are configured as VCPs by default.

•

EX4200 switches, through uplink module ports (SFP, SFP+, or XFP) or through an SFP+ port on the EX4200-24F switch

•

EX4500 switches, through any SFP+ port

Master Role The member that functions in the master role in the Virtual Chassis: •

Manages the member switches.

•

Runs Juniper Networks Junos operating system (Junos OS) for Juniper Networks EX Series Ethernet Switches in a master role.

•

Runs the chassis management processes and control protocols.

•

Represents all the member switches interconnected within the Virtual Chassis configuration. (The hostname and other properties that you assign to this switch during setup apply to all members of the Virtual Chassis configuration.)

When an EX3300, EX4200, or EX4500 switch is powered on as a standalone switch, it is considered the master member. In a Virtual Chassis, one member functions as the master and a second member functions as the backup: •

In a preprovisioned configuration, one of the two members assigned as routing-engine functions as the master member. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290.

•

In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.

In a mixed EX4200 and EX4500 Virtual Chassis, any switch can be configured in any role in any configuration. If an EX4200 switch is configured in the master role, for instance, an EX4200 switch or an EX4500 switch can be configured in the backup role.

1286



Backup Role The member that functions in the backup role in the Virtual Chassis: •

Maintains a state of readiness to take over the master role if the master fails.

•

Runs Junos OS for EX Series switches in a backup role.

•

Synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable.

You must have at least two member switches in the Virtual Chassis configuration in order to have a backup member. •

In a preprovisioned configuration, one of the two members assigned as routing-engine functions in the backup role. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290.

•

In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.

In a mixed EX4200 and EX4500 Virtual Chassis, any switch can be configured in any role in any configuration. If an EX4200 switch is configured in the master role, for instance, an EX4200 switch or an EX4500 switch can be configured in the backup role.

Linecard Role A member that functions in the linecard role in the Virtual Chassis: •

Runs only a subset of Junos OS for EX Series switches.

•

Does not run the chassis control protocols.

•

Can detect certain error conditions (such as an unplugged cable) on any interfaces that have been configured on it through the master.

The Virtual Chassis configuration must have at least three members in order to include a linecard member. •

In a preprovisioned configuration, you can explicitly configure a member with the role of linecard, which makes it ineligible for functioning as a master or backup.

•

In a configuration that is not preprovisioned, the members that are not selected as master or backup function as linecard members of the Virtual Chassis configuration. The selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm. A switch with a mastership priority of 0 will always be in the linecard role.


1287

®


Member Switch and Member ID Each physically discrete EX3300, EX4200, or EX4500 switch is a potential member of a Virtual Chassis configuration. When an EX3300, EX4200, or EX4500 switch is powered on, it receives a member ID that is displayed on the front-panel LCD. If the switch is powered on as a standalone switch, that member’s member ID is always 0. When the switch is interconnected with other switches in a Virtual Chassis configuration, its member ID is assigned by the master based on various factors, such as the order in which the switch was added to the Virtual Chassis configuration or the member ID assigned by a preprovisioned configuration. If the Virtual Chassis configuration previously included a member switch and that member was physically disconnected or removed from the Virtual Chassis configuration, its member ID is not available for assignment as part of the standard sequential assignment by the master. For example, you might have a Virtual Chassis configuration composed of member 0, member 2, and member 3, because member 1 was removed. When you add another member switch and power it on, the master assigns it as member 4. The member ID distinguishes the member switches from one another. You use the member ID: •

To assign a mastership priority value to a member switch

•

To configure interfaces for a member switch (The function is similar to that of a slot number on Juniper Networks routers.)

•

To apply some operational commands to a member switch

•

To display status or characteristics of a member switch

Mastership Priority In a configuration that is not preprovisioned, you can designate the role (master, backup, or linecard) that a member switch performs within the Virtual Chassis configuration by configuring its mastership priority (from 0 to 255). The mastership priority value is the factor with the highest precedence for selecting the master of the Virtual Chassis configuration. A switch with a mastership priority of 0 will never assume the backup or master role. The default value for mastership priority is 128 for EX3300, EX4200, and EX4500 switches. When a switch is powered on, it receives the default mastership priority value. Because it is the only member of the Virtual Chassis configuration, it is also the master. When you interconnect a standalone switch to an existing Virtual Chassis configuration (which implicitly includes its own master), we recommend that you explicitly configure the mastership priority of the members that you want to function as the master and backup.

1288



NOTE: Configuring the same mastership priority value for both the master and backup helps to ensure a smooth transition from master to backup in case the master becomes unavailable. It prevents the original master from preempting control from the backup in situations where the backup has taken control of the Virtual Chassis configuration due to the original master being unavailable.

In a preprovisioned configuration, the mastership priority value is assigned by the software, based on the specified role.

Virtual Chassis Identifier (VCID) All members of a Virtual Chassis configuration share one Virtual Chassis identifier (VCID). This identifier is derived from internal parameters. When you are monitoring a Virtual Chassis configuration, the VCID is displayed in certain interface views and is also part of the show virtual-chassis status output. Related Documentation

•


•


•


•

Example: Configuring an EX4200 Virtual Chassis Using a Preprovisioned Configuration File on page 1365

•


•



1289

®


Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected All switches that are interconnected in a Virtual Chassis configuration are member switches of that Virtual Chassis. Each Virtual Chassis configuration has one member that functions as the master and controls the Virtual Chassis configuration. When a Virtual Chassis configuration boots, the Juniper Networks Junos operating system (Junos OS) on the switches automatically runs a master election algorithm to determine which member switch takes the role of master. The algorithm proceeds from the top condition downward until the stated condition is satisfied: 1.

Choose the member with the highest user-configured mastership priority (255 is the highest possible value). A switch with a mastership priority of 0 will always stay in the linecard role.

2. Choose the member that was master the last time the Virtual Chassis configuration

booted. 3. Choose the member that has been included in the Virtual Chassis configuration for

the longest period of time. (For this to be a deciding factor, there has to be a minimum time lapse of 1 minute between the power-ons of the individual interconnected member switches.) 4. Choose the member with the lowest MAC address.

The variations among switches and switch models do not impact the master election algorithm. To ensure that a specific member is elected as the master: 1.

Power on only the switch that you want to configure as master of the Virtual Chassis configuration.

2. Configure the mastership priority of that member to have the highest possible value

(255). 3. Continue to configure other members through the master member. 4. Power on the other members.

You can also specify the switch roles by preprovisioning your Virtual Chassis. Preprovisioning a Virtual Chassis allows you to manually assign the member ID and role for each switch in the Virtual Chassis. See “Configuring an EX3300 Virtual Chassis (CLI Procedure)” on page 1446 and “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408. Related Documentation

1290

•


•


•




Understanding Software Upgrade in an EX3300, EX4200, or EX4500 Virtual Chassis In a Virtual Chassis composed of multiple switches, each member switch runs Juniper Networks Junos operating system (Junos OS). For ease of management, a Virtual Chassis provides flexible methods to upgrade Junos OS. You can install a new Junos OS release on the entire Virtual Chassis or on a particular member in the Virtual Chassis by using the same CLI command that you use to install Junos OS on standalone switches, the request system software add command. In a mixed EX4200 and EX4500 Virtual Chassis, the member switches must be running the same version of Junos OS. You can upgrade all member switches simultaneously by specifying a path to both an EX4200 Junos OS image and an EX4500 Junos OS image in the same request system software add command. See “Installing Software on a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure)” on page 1417. For EX4200 Virtual Chassis, EX4500 Virtual Chassis, and mixed EX4200 and EX4500 Virtual Chassis, you can also use nonstop software upgrade (NSSU) to upgrade Junos OS on all members. NSSU provides an orderly upgrade of each member of the Virtual Chassis and takes advantage of graceful Routing Engine switchover, nonstop active routing, and link aggregation to minimize traffic disruption during the upgrade. For more information on NSSU, see “Understanding Nonstop Software Upgrade on EX Series Switches” on page 1668. Related Documentation

•


•

Understanding Automatic Software Update on EX4200 and EX4500 Virtual Chassis Member Switches on page 1308

•


•

Upgrading Software on an EX4200 Virtual Chassis, EX4500 Virtual Chassis, or Mixed EX4200 and EX4500 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure) on page 1710

Understanding Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis A Virtual Chassis is composed of multiple switches, so it has multiple console ports and multiple out-of-band management Ethernet ports located on the switches. You can connect a PC or laptop directly to a console port of any member switch to set up and configure the Virtual Chassis. When you connect to the console port of any member switch, the console session is redirected to the master switch, as shown in Figure 21 on page 1292.


1291

®


Figure 21: Console Session Redirection (EX4200 Virtual Chassis Pictured)

If the master becomes unavailable, the console session is disconnected from the old master and a new session is established with the newly elected master. An out-of-band management Ethernet port is often referred to simply as a management Ethernet port. It uses a dedicated management channel for device maintenance and allows a system administrator to monitor and manage the switch by remote control. The Virtual Chassis configuration can be managed remotely through SSH or Telnet using a global management interface called the virtual management Ethernet (VME) interface. The VME interface is a logical interface representing any and all of the out-of-band management ports on the member switches. When you connect to the Virtual Chassis configuration using the VME interface’s IP address, the connection is redirected to the master member as shown in Figure 22 on page 1293.

1292



Figure 22: Management Ethernet Port Redirection to the VME Interface

If the master management Ethernet link is unavailable, the session is redirected through the backup management Ethernet link. If there is no active management Ethernet link on the backup, the VME interface chooses a management Ethernet link on one of the linecard members, selecting the linecard member with the lowest member ID as its first choice. You can configure an IP address for the VME global management interface at any time. You can perform remote configuration and administration of all members of the Virtual Chassis configuration through the VME interface. Related Documentation

•


•



1293

®


•


Understanding Nonvolatile Storage in an EX3300, EX4200, or EX4500 Virtual Chassis The EX3300, EX4200, and EX4500 switches store the Juniper Networks Junos operating system (Junos OS) system files in internal flash memory. In the Virtual Chassis configurations, both the master and the backup switch store the configuration information for all the member switches. •

Nonvolatile Memory Features on page 1294

Nonvolatile Memory Features Junos OS optimizes the way the Virtual Chassis stores its configuration if a member switch or the Virtual Chassis configuration is shut down improperly:


•

If the master is not available, the backup switch takes on the role of the master and its internal flash memory takes over as the alternate location for maintaining nonvolatile configuration memory.

•

If a member switch is taken offline for repair, the master stores the configuration of the member switch.

•

Command Forwarding Usage with an EX3300, EX4200, or EX4500 Virtual Chassis on page 1453

•


Understanding the High-Speed Interconnection of the EX4200 and EX4500 Virtual Chassis Members Two high-speed Virtual Chassis ports (VCPs) on the EX4200 and EX4500 switches enable the member switches to be interconnected and operate as a single, powerful device. Each VCP interface is 32 Gbps bidirectional. When VCP interfaces are used to form a ring topology, each segment provides 64 Gbps bidirectional bandwidth. Because the VCP links act as point-to-point links, multiple segments of the ring can be used simultaneously. This allows the Virtual Chassis configuration bandwidth to scale as you interconnect more members within the ring topology. Related Documentation

•


•

Virtual Chassis Cabling Configuration Examples for EX4200 Switches

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Link Aggregation You can combine physical Ethernet ports belonging to different member switches of a Virtual Chassis configuration to form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet

1294



link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one of the links fails, the system automatically load-balances traffic across all remaining links. Similarly, if a Virtual Chassis member switch that has LAG member interfaces on multiple member switches fails for any reason, the traffic traversing the LAG can be redirected through the active member switch. This setup has benefits for failover purposes and can be especially beneficial in cases when a member switch needs to be inactive for a period of time. You can select up to four uplink module ports or SFP network ports on an EX4200 switch that have been configured as Virtual Chassis ports (VCPs) to form a LAG. When you set uplink module ports or SFP network ports on Virtual Chassis member switches as uplink VCPs, connect two or more of those uplink VCPs on one member to at least two uplink VCPs on another member, and configure those uplink VCPs to operate at the same link speed, the uplink VCPs automatically form a LAG. Each LAG is assigned a positive-integer identifier called a trunk ID. You can also convert the SFP+ 10-Gigabit Ethernet ports on an EX4500 switch to VCP ports. These VCP ports can be used to connect EX4500 switches together or to connect EX4500 switches to EX4200 switches. Up to 8 VCPs can be a part of the same LAG between two EX4500 switches. A LAG over uplink VCPs provides higher overall bandwidth for forwarding traffic between the member switches connected by the uplink VCPs, faster management communications, and greater redundancy of operations among the members than would be available without the LAG. All EX4200 switches as well as EX4500 switches using a VCP module have two dedicated VCPs. A LAG over uplink VCPs provides an additional Virtual Chassis link throughput of 20 Gbps for the switches. Up to eight Virtual Chassis LAGs can be created per member. See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434 for information about configuring uplink module ports and SFP network ports as uplink VCPs.

NOTE: The interfaces that are included within a bundle or LAG are sometimes referred to as member interfaces. Do not confuse this term with member switches, which refers to EX4200 or EX4500 switches that are interconnected as a Virtual Chassis. It is possible to create a LAG that is composed of member interfaces that are located in different member switches of a Virtual Chassis.


•


•


•

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch on page 1354


1295

®


•

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch on page 1360

•

Example: Configuring an EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets on page 1341

•

Example: Connecting EX4500 Member Switches in a Virtual Chassis Across Wiring Closets on page 1348

•

Example: Configuring Link Aggregation Groups Using EX4200 Uplink Virtual Chassis Ports on page 1386

Understanding EX3300, EX4200, and EX4500 Virtual Chassis Configuration You configure and manage almost all aspects of an EX3300, EX4200, or EX4500 Virtual Chassis configuration through the master switch of the Virtual Chassis. However, you can also configure Virtual Chassis parameters when a switch is a standalone switch not interconnected with other members. EX3300, EX4200, and EX4500 switches have some innate characteristics of a Virtual Chassis by default. A standalone switch is assigned member ID 0 and is the master of itself. Therefore, you can edit its Virtual Chassis configuration. When the standalone switch is interconnected with an existing Virtual Chassis configuration, the Virtual Chassis configuration statements and any uplink Virtual Chassis port (VCP) settings that you previously specified on the standalone switch remain part of its configuration. A switch is not recognized as a member of a Virtual Chassis until it is interconnected with the master or interconnected with an existing member of the Virtual Chassis. An EX3300 switch has no dedicated VCPs. An EX3300 Virtual Chassis is connected using uplink port connections that can span up to 6.2 miles (10 km). By default, uplink ports 2 and 3 on any EX3300 switch are configured as VCPs. You can change this default configuration or configure another uplink module port as a VCP on an EX3300 switch. You can expand the uplink connections over long distances. When an EX4200 or EX4500 switch is located too far away to be interconnected through dedicated VCPs, you can specify an uplink module port or a network interface as a VCP. A link aggregation group (LAG) will be formed automatically when the new switch is added to the configuration if more than one such link with the same speed is detected between uplink VCPs on the new member and an existing member. See “Understanding EX3300, EX4200, and EX4500 Virtual Chassis Link Aggregation” on page 1294. When an uplink port or a network interface is set as a VCP, it cannot be used for any additional purpose. If you want to use the uplink module port or network interface for another purpose, you can delete the VCP setting. You can execute this command directly on the member whose uplink VCP setting you want to delete or through the master of the Virtual Chassis configuration.

1296



CAUTION: Deleting a VCP in a Virtual Chassis chain configuration can cause the Virtual Chassis configuration to split. For more information, see “Understanding Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis” on page 1305.

You can create a preprovisioned configuration. This type of configuration allows you to deterministically control the member ID and role assigned to a member switch by associating the switch with its serial number. For an example of a preprovisioned configuration, see “Example: Configuring an EX4200 Virtual Chassis Using a Preprovisioned Configuration File” on page 1365.

NOTE: If a switch is interconnected with other switches in a Virtual Chassis configuration, each individual switch that is included as a member of the configuration is identified with a member ID. The member ID functions as an FPC slot number. When you are configuring interfaces for a Virtual Chassis configuration, you specify the appropriate member ID (0 through 9) as the slot element of the interface name. The default factory settings for a Virtual Chassis configuration include FPC 0 as a member of the default VLAN because FPC 0 is configured as part of the ethernet-switching family. In order to include FPC 1 through FPC 9 in the default VLAN, add the ethernet-switching family to the configurations for those interfaces.


•


•


•


•


•

request virtual-chassis vc-port on page 1505


1297

®


Understanding EX3300, EX4200, and EX4500 Virtual Chassis Switch Version Compatibility EX3300, EX4200, or EX4500 switches must be running the same software versions to be interconnected into a Virtual Chassis. The master checks the hardware version, the Juniper Networks Junos operating system (Junos OS) version, and other component versions running in a switch that is physically interconnected to its Virtual Chassis port (VCP). Different hardware models can be members of the same Virtual Chassis configuration. However, the master will not assign a member ID to a switch that is running a different software version. A switch that is running a different version of software will not be allowed to join the Virtual Chassis configuration. Related Documentation

•


•


•


•


Understanding Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link failure or switch failure in a Virtual Chassis. If a link between two members fails, traffic flow between those members must be rerouted quickly so that there is minimal traffic loss. Fast failover is effective only for Virtual Chassis members configured in ring topologies using identical port types. Fast failover is supported for the following Virtual Chassis: •


•


•


•


In a mixed EX4200 and EX4500 Virtual Chassis, fast failover is supported for EX4200 switch to EX4200 switch connections, EX4500 switch to EX4500 switch connections, and EX4200 switch to EX4500 switch connections. This topic describes:

1298

•

Supported Topologies for Fast Failover on page 1299

•

How Fast Failover Works on page 1299

•

Effects of Topology Changes on a Fast Failover Configuration on page 1304



Supported Topologies for Fast Failover For fast failover to be effective, the Virtual Chassis members must be configured in a ring topology. The ring topology can be formed by using either dedicated Virtual Chassis ports (VCPs) or user-configured uplink VCPs. Fast failover is supported only in a ring topology that uses identical port types, for example, either a topology that uses all dedicated VCPs or one that uses all uplink VCPs. Fast failover is not supported in a ring topology that includes both dedicated VCPs and uplink VCPs. Fast failover is supported, however, in a Virtual Chassis configuration that consists of multiple rings.

How Fast Failover Works When fast failover is activated, each VCP is automatically configured with a backup port of the same type (dedicated VCP, SFP uplink VCP, or XFP uplink VCP). If a VCP fails, its backup port is used to send traffic. These backup ports act as standby ports and are not meant for load-balancing traffic or any other purposes.

Fast Failover in a Ring Topology Using Dedicated VCPs When fast failover is activated in a ring topology that uses dedicated VCPs, each VCP is automatically configured with a backup port of the same type. If a VCP fails, its backup port is used to send traffic. Figure 23 on page 1300 shows normal traffic flow in a ring topology using dedicated VCPs.


1299

®


Figure 23: Normal Traffic Flow in a Ring Topology Using Dedicated VCPs

Figure 24 on page 1301 shows traffic redirected by fast failover.

1300



Figure 24: Traffic Redirected by Fast Failover After a Dedicated VCP Link Failure

When the failed link is restored, the Virtual Chassis reconfigures the topology to the topology's original state.

Fast Failover in a Ring Topology Using Uplink Module VCPs In a ring topology that uses uplink VCPs, each uplink VCP is automatically configured with a backup uplink VCP. If an uplink VCP fails, its backup port is used to send traffic. Figure 25 on page 1302 shows normal traffic flow in a ring topology using SFP uplink VCPs. Normal traffic flow in a ring topology using XFP uplink VCPs is the same.

NOTE: To use SFP or XFP uplink ports as VCPs, you must configure them to be VCPs using the request virtual-chassis vc-port command. Once configured, they are converted into VCPs. For example, xe-0/1/0 becomes vcp-255/1/0 after you configure it to be a VCP.


1301

®


Figure 25: Normal Traffic Flow in a Ring Topology Using SFP Uplink VCPs

Figure 26 on page 1303 shows traffic redirected by fast failover.

1302



Figure 26: Traffic Redirected by Fast Failover After SFP Uplink VCP Link Failure

In a ring topology that uses SFP uplink VCPs, there are four ports per module. Consecutive pairs of ports are automatically configured as backup ports for each other. For example, if a Virtual Chassis member has an SFP uplink module installed, uplink module VCPs ge-0/1/0 and ge-0/1/1 are automatically configured as backup ports for each other. Similarly, ports ge-0/1/2 and ge-0/1/3 are automatically configured as backup ports for each other. In a ring topology that uses XFP uplink module VCPs, there are only two ports per uplink module. Similarly to a topology that uses SFP uplink module VCPs, each port is automatically configured to back up the other port in the uplink module (for example, xe-0/1/0 is the backup for xe-0/1/1).

Fast Failover in a Virtual Chassis Configuration Using Multiple Ring Topologies Fast failover is supported in a Virtual Chassis configuration with a multiple-ring topology, as shown in Figure 27 on page 1304.


1303

®


Figure 27: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings

In this scenario, the Virtual Chassis configuration has three rings: two rings that use dedicated VCPs and one ring that uses SFP uplink module VCPs. Fast failover works independently on each ring. Each dedicated VCP in a ring is backed up by another dedicated VCP. Similarly, each SFP uplink module VCP is backed up by another SFP uplink module VCP. Fast failover does not support a ring topology consisting of a mix of dedicated VCPs and uplink module VCPs.

Effects of Topology Changes on a Fast Failover Configuration Once the fast failover feature has been activated, topology changes to the Virtual Chassis configuration do not affect the fast failover configuration. In the event of a link or switch failure, fast failover functions normally. Related Documentation

1304

•


•

Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When an EX4200 Virtual Chassis Switch or Intermember Link Fails on page 1380

•




Understanding Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis In an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis, two or more switches are connected together to form a unit that is managed as a single chassis. If there is a disruption to the Virtual Chassis configuration due to member switches failing or being removed from the configuration, the Virtual Chassis configuration splits into two separate Virtual Chassis. This situation could cause disruptions in the network if the two separate configurations share common resources, such as global IP addresses. The split and merge feature provides a method to prevent the separate Virtual Chassis configurations from adversely affecting the network and also allows the two parts to merge back into a single Virtual Chassis configuration.

NOTE: If a Virtual Chassis configuration splits into separate parts, we recommend that you resolve the problem that caused the Virtual Chassis configuration to split as soon as possible.

You can also use this feature to merge two active but separate Virtual Chassis that have not previously been part of the same configuration into one Virtual Chassis configuration.

NOTE: The split and merge feature is enabled by default on EX3300, EX4200, and EX4500 switches. You can disable the split and merge feature by using the set virtual-chassis no-split-detection command.


What Happens When a Virtual Chassis Configuration Splits on page 1305

•

Merging Virtual Chassis Configurations on page 1306

What Happens When a Virtual Chassis Configuration Splits When a Virtual Chassis configuration splits into two separate Virtual Chassis configurations, the individual member switches detect this topology change and run the master election algorithm to select a new master for each of the two Virtual Chassis configurations. The new masters then determine whether their Virtual Chassis configuration remains active. One of the configurations remains active based on the following: •

It contains both the stable master and the stable backup (that is, the master and backup from the original Virtual Chassis configuration before the split).

•

It contains the stable master and the configuration is greater than half the Virtual Chassis size.

•

It contains the stable backup and is at least half the Virtual Chassis size.


1305

®


In accordance with the rules given in the second and third list items, if the Virtual Chassis configuration splits into two equal parts and the stable master and stable backup are in different parts, then the part that contains the stable backup becomes active.

NOTE: The number of members in the Virtual Chassis configuration includes all member switches connected to date minus the number whose Virtual Chassis member IDs have been recycled (that is, made available for reassignment). Therefore, the size of the Virtual Chassis configuration increases when a new member switch is detected and decreases when a member switch's ID is recycled.

These rules ensure that only one of the two separate Virtual Chassis configurations created by the split remains active. The member switches in the inactive Virtual Chassis configuration remain in a linecard role. For the inactive members to become active again, one of the following things must happen: •

The problem that caused the original Virtual Chassis configuration to split is resolved, allowing the two Virtual Chassis configurations to merge.

•

You load the factory default configuration on the inactive members, which causes the inactive members to function as standalone switches or become part of a different Virtual Chassis configuration.

NOTE: When you remove a member switch from a Virtual Chassis configuration, we recommend that you recycle the member ID using the request virtual-chassis recycle command.

Merging Virtual Chassis Configurations There are two scenarios in which separate Virtual Chassis merge: •

A Virtual Chassis configuration that had split into two is now merging back into a single configuration because the problem that had caused it to split has been resolved.

•

You want to merge two Virtual Chassis that had not previously been configured together.

Every Virtual Chassis configuration has a unique ID (VCID) that is automatically assigned when the Virtual Chassis configuration is formed. You can also explicitly assign a VCID using the set virtual-chassis id command. A VCID that you assign takes precedence over automatically assigned VCIDs. When you reconnect the separate Virtual Chassis configurations or connect them for the first time, the members determine whether or not the separate Virtual Chassis configurations can merge. The members use the following rules to determine whether a merge is possible:

1306



•

If the Virtual Chassis configurations have the same VCID, then the configurations can merge. If the two Virtual Chassis were formed as the result of a split, they have the same VCID.

•

If the VCIDs are different, then the two configurations can merge only if both are active (inactive configurations cannot merge, ensuring that members removed from one Virtual Chassis configuration do not become members of another Virtual Chassis configuration). If the configurations to merge are both active and one of them has a user-configured VCID, this ID becomes the ID of the merged Virtual Chassis. If neither Virtual Chassis has a user-configured VCID, then the VCID of the configuration with the highest mastership priority becomes the ID of the merged Virtual Chassis. The resulting merged Virtual Chassis configuration is active.

When you connect two Virtual Chassis configurations, the following events occur: 1.

Connecting the two split Virtual Chassis configurations triggers the shortest-path-first (SPF) algorithm. The SPF algorithm computes the network topology and then triggers the master election algorithm. The master election algorithm waits for the members to synchronize the topology information before running.

2. The master election algorithm merges the VCIDs of all the members. 3. Each member runs the master election algorithm to select a master and a backup

from among all members with the same VCIDs. For more information, see “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. 4. The master determines whether the Virtual Chassis configuration is active or inactive.

(See “What Happens When a Virtual Chassis Configuration Splits” on page 1305.) 5. If the Virtual Chassis configuration is active, the master assigns roles to all members.

If the Virtual Chassis configuration is inactive, the master assigns all members the role of linecard. 6. When the other members receive their role from the master, they change their role to

backup or linecard. They also use the active or inactive state information sent by the master to set their own state to active or inactive and to construct the Virtual Chassis member list from the information sent by the master. 7. If the Virtual Chassis state is active, the master waits for messages from the members

indicating that they have changed their roles to the assigned roles, and then the master changes its own role to master.

NOTE: When you merge two Virtual Chassis that had not previously been part of the same Virtual Chassis configuration, any configuration settings (such as the settings for Telnet and FTP services, GRES, fast failover, VLANs, and so on) that exist on the new master become the configuration settings for all members of the new Virtual Chassis, overwriting any other configuration settings.


1307

®



•


•

Example: Assigning the Virtual Chassis ID to Determine Precedence During an EX4200 Virtual Chassis Merge on page 1384

•

Assigning the Virtual Chassis ID to Determine Precedence During an EX3300, EX4200, or EX4500 Virtual Chassis Merge (CLI Procedure) on page 1444

•

Disabling Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) on page 1443

Understanding Automatic Software Update on EX3300, EX4200, and EX4500 Virtual Chassis Member Switches You can use the automatic software update feature to automatically update the Juniper Networks Junos operating system (Junos OS) version on prospective member switches as you add them to an EX3300 Virtual Chassis, an EX4200 Virtual Chassis, or an EX4500 Virtual Chassis. Automatic software update is not supported for a mixed EX4200 and EX4500 Virtual Chassis. This topic includes: •

Automatic Software Update Basics on page 1308

•

Automatic Software Update Restrictions on page 1308

Automatic Software Update Basics When you have configured automatic software update on a Virtual Chassis, the Junos OS version is updated on the new member switch when you add it to the Virtual Chassis. The new member switch immediately joins the Virtual Chassis configuration and is put in the active state. For a standalone switch to join an existing Virtual Chassis, it must be running the same version of Junos OS that is running on the Virtual Chassis master. When the master in a Virtual Chassis detects that a new switch has been added to the configuration, it checks the software version on the new switch. If the software version on the new switch is not the same as the version running on the master, the master keeps the new switch in the inactive state. If you have not enabled the automatic software update feature, you have to manually install the correct software version on each prospective member switch as it is added to the Virtual Chassis.

Automatic Software Update Restrictions You cannot use automatic software update in certain scenarios, and you must ensure that the software release version on the Virtual Chassis is supported by the release on the prospective member switch. You cannot use the automatic software update feature to update software for a prospective member switch in the following scenarios: •

1308

The Virtual Chassis was preprovisioned and is running Junos OS Release 10.4R2 or earlier.



•

You configured the mastership-priority command to manually configure the mastership priority of at least one Virtual Chassis member switch and the Virtual Chassis was running Junos OS Release 10.4R2 or earlier when you committed this configuration.

•

The Junos OS versions on the Virtual Chassis and the prospective member switch are different versions of the same major Junos OS release. For instance, if a Virtual Chassis is running Junos OS Release 10.4R1, the prospective member switch cannot be updated using automatic software update if it is running Junos OS Release 10.4R2, 10.4R3, or any other Junos OS Release 10.4 release version.

The automatic software update feature also has a Junos OS release dependency between the release that is already running on the Virtual Chassis and the release that is running on the prospective member switch. Table 147 on page 1309 summarizes automatic software update support for each Junos OS release combination.

Table 147: Automatic Software Update Support Virtual Chassis Junos OS Release

Supported Junos OS Releases for Prospective Member Switches

All versions of Junos OS 9.0 through 9.6

All versions of Junos OS 9.0 through 9.6 Junos OS Releases 10.0R1 through 10.0R4 All versions of Junos OS Release 10.1 Junos OS Releases 10.2R1 through 10.2R3 Junos OS Releases 10.3R1 through 10.3R3

Junos OS Releases 10.0R1 through 10.0R4

All versions of Junos OS 9.0 through 9.6 All versions of Junos OS Release 10.1 Junos OS Releases 10.2R1 through 10.2R3 Junos OS Releases 10.3R1 through 10.3R3

Junos OS Release 10.0R5 and later 10.0 releases

Junos OS Release 10.2R4 and later 10.2 releases Junos OS Release 10.3R4 and later 10.3 releases All versions of Junos OS Release 10.4 All versions of Junos OS Release 11.1

All versions of Junos OS Release 10.1

All versions of Junos OS 9.0 through 9.6 Junos OS Releases 10.0R1 through 10.0R4 Junos OS Releases 10.2R1 through 10.2R3 Junos OS Releases 10.3R1 through 10.3R3


All versions of Junos OS 9.0 through 9.6 Junos OS Releases 10.0R1 through 10.0R4 All versions of Junos OS Release 10.1 Junos OS Releases 10.3R1 through 10.3R3


Junos OS Release 10.0R5 Junos OS Release 10.3R4 and later 10.3 releases All versions of Junos OS Release 10.4 All versions of Junos OS Release 11.1


1309

®


Table 147: Automatic Software Update Support (continued)


1310

Virtual Chassis Junos OS Release

Supported Junos OS Releases for Prospective Member Switches


All versions of Junos OS 9.0 through 9.6 Junos OS Releases 10.0R1 through 10.0R4 All versions of Junos OS Release 10.1 Junos OS Releases 10.2R1 through 10.2R3


Junos OS Release 10.0R5 All versions of Junos OS Release 10.4 All versions of Junos OS Release 11.1


All versions of Junos OS 9.0 through 9.6 Junos OS Releases 10.0R1 through 10.0R4 All versions of Junos OS Release 10.1 Junos OS Releases 10.2R1 through 10.2R3 Junos OS Releases 10.3R1 through 10.3R3


Junos OS Release 10.0R5 Junos OS Release 10.2R4 and later 10.2 releases Junos OS Release 10.3R4 and later 10.3 releases All versions of Junos OS Release 11.1


All versions of Junos OS Release 10.4 Junos OS Release 11.2 and later Junos OS releases

Junos OS Release 11.1R2 and later Junos OS releases

Junos OS Release 10.0R5 Junos OS Release 10.2R4 and later 10.2 releases Junos OS Release 10.3R4 and later 10.3 releases Junos OS Release 11.2 and later Junos OS releases

•


•

Example: Configuring Automatic Software Update on EX4200 Virtual Chassis Member Switches on page 1394

•

Configuring Automatic Software Update on EX3300, EX4200, or EX4500 Virtual Chassis Member Switches (CLI Procedure) on page 1444


CHAPTER 38

EX3300, EX4200, and EX4500 Virtual Chassis—Configuration Examples •


•


•

Example: Expanding an EX4200 Virtual Chassis in a Single Wiring Closet on page 1321

•

Example: Adding an EX4500 Switch to a Nonprovisioned Virtual Chassis on page 1326

•

Example: Adding EX4500 Switches to a Preprovisioned Virtual Chassis on page 1331

•

Example: Setting Up a Multimember EX4200 Virtual Chassis Access Switch with a Default Configuration on page 1335

•


•


•


•


•


•

Example: Configuring a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis on page 1376

•


•


•

Example: Configuring Link Aggregation Groups Using EX4200 Uplink Virtual Chassis Ports on page 1386


1311

®


•


•


•

Example: Expanding an EX3300 Virtual Chassis on page 1400

Example: Configuring an EX4200 Virtual Chassis with a Master and Backup in a Single Wiring Closet A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant network accessibility with a basic two-member EX4200 Virtual Chassis and later expand the Virtual Chassis configuration to provide additional access ports as your office grows. This example describes how to configure an EX4200 Virtual Chassis with a master and backup in a single wiring closet: •

Requirements on page 1312

•

Overview and Topology on page 1312

•

Configuration on page 1314

•

Verification on page 1314

•

Troubleshooting the Virtual Chassis on page 1316

Requirements This example uses the following hardware and software components: •

Junos OS Release 9.0 or later for EX Series switches

•

One EX4200-48P switch

•

One EX4200-24T switch

•

One XFP uplink module

Before you begin, be sure you have: 1.

Rack-mounted the switches. See Mounting an EX4200 Switch.

2. Installed the uplink module. See Installing an Uplink Module in an EX4200 Switch. 3. Cabled the switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch.

Overview and Topology A Virtual Chassis configuration allows you to accommodate the networking needs of a growing office. The default configuration of a two-member Virtual Chassis includes a master and a backup switch. In addition to providing more access ports than a single switch can provide, a Virtual Chassis configuration provides high availability through redundancy. This example shows a Virtual Chassis configuration composed of two EX4200 switches. One of the switches has an uplink module with ports that can be configured to connect to a distribution switch or customer edge (CE) router or that can be configured as Virtual

1312


Chapter 38: EX3300, EX4200, and EX4500 Virtual Chassis—Configuration Examples

Chassis ports (VCPs) to interconnect with a member switch that is located too far for the dedicated VCP cabling. (The network interfaces on EX4200-24F switches can also be configured as VCPs.) For information on configuring the uplink ports as trunk ports to a distribution switch, see “Configuring Gigabit Ethernet Interfaces (CLI Procedure)” on page 1818. For an example of configuring uplink ports as VCPs, see “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434. By default, after you interconnect the switches with the dedicated VCPs and power on the switches, the VCPs are operational. The mastership priorities and member IDs are assigned by the software. The software elects a master based on several criteria, including how long a member switch has belonged to the Virtual Chassis configuration. For additional details, see “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. Therefore, we recommend that you start by powering on only one member switch, the one that you want to function as the master.

NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis.

The Virtual Chassis configuration provides networking access for 50 onsite workers, who are sitting within range of a single wiring closet. The workers all use personal computers and VoIP phones. As the office grows, you can add more EX4200 switches to meet increased needs for access ports. The topology for this example consists of two switches, one of which contains an uplink module: •

One EX4200-48P switch (SWA-0) with 48 access ports, all of which support PoE

•

One EX4200-24T switch (SWA-1) with 24 access ports, including eight ports that support PoE

•

One XFP uplink module, with two 10–Gigabit Ethernet ports, is installed in the EX4200-48P switch

Table 148 on page 1313 shows the default configuration settings for the two-member Virtual Chassis.

Table 148: Components of the Basic Virtual Chassis Access Switch Topology Member Switch

Hardware

Member ID

Role and Priority

SWA-0

EX4200-48P switch

0

Master: mastership priority 128

SWA-1

EX4200-24T switch

1

Backup: mastership priority 128

Figure 28 on page 1314 shows that SWA-0 and SWA-1 are interconnected with their dedicated VCPs on the rear panel. The LCD on the front displays the member ID and role.


1313

®


SWA-0 also includes an uplink module. Its uplink ports can be used to connect to a distribution switch.

Figure 28: Basic EX4200 Virtual Chassis with Master and Backup

Configuration Configure a Virtual Chassis with a default master and backup in a single wiring closet: Step-by-Step Procedure

To configure a Virtual Chassis with master and backup: 1.

Make sure the VCPs on the rear panel of the member switches are properly cabled. See Virtual Chassis Cabling Configuration Examples for EX4200 Switches.

2.

Power on SWA-0 (the member switch that you want to function as the master).

3.

Check the front-panel LCD to confirm that the switch has powered on correctly.

4.

Run the EZSetup program on SWA-0, specifying the identification parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 or “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259 for details.

5.

Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired. [edit] user@SWA-0# set interfaces vme unit 0 family inet address /ip-address/mask/

6.

(Optional, but recommended) Disable the split and merge feature: [edit virtual-chassis] user@switch# set no-split-detection

7.

Power on SWA-1.

Verification To confirm that the Virtual Chassis configuration is operational, perform these tasks: •

Verifying That the Mastership Priority Is Assigned Appropriately on page 1314

•

Verifying That the VCPs Are Operational on page 1315

Verifying That the Mastership Priority Is Assigned Appropriately Purpose

1314

Verify that the master, which has been selected by default, is the member switch that you want to function in that role.



Action

1.

Check the front-panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned.

2. List the member switches of the Virtual Chassis configuration. user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Member ID 0 (FPC 0)

Status Prsnt

Mastership Serial No Model priority AK0207360276 ex4200-48p 128

Role Master*

1 (FPC 1)

Prsnt

AK0207360281 ex4200-24t

Backup

128

Neighbor List ID Interface 1 vcp-0 1 vcp-1 0 vcp-0 0 vcp-1

Member ID for next new member: 2 (FPC 2)

Meaning

The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected. The output shows that SWA-0, member 0, has been assigned default mastership priority 128. Because SWA-0 is the first member to be powered on, it has the most seniority and is therefore assigned the role of master. SWA-1 is powered on after member 0, so it is assigned the role of backup. The member IDs are displayed on the front panel of the switches. Check and confirm whether the default assignment is satisfactory.

Verifying That the VCPs Are Operational Purpose Action

Verify that the dedicated VCPs interconnecting the switches are operational. Display the VCPs of all the members: user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up 32000 1 vcp-1 vcp-1 Dedicated Up 32000 1 vcp-0 fpc1: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up 32000 1 vcp-0 vcp-1 Dedicated Up 32000 1 vcp-1

Meaning

The show virtual-chassis vc-port command lists the interfaces that are enabled for the member switches of the Virtual Chassis configuration and shows the status of the interfaces. The output in this example shows that two of the VCPs are operational and


1315

®


two VCPs are not. A single cable has been used to interconnect vcp-0 of member ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the switch to be operational. However, we recommend that you connect the second set of VCPs for redundancy.

Troubleshooting the Virtual Chassis To troubleshoot the configuration of a Virtual Chassis, perform these tasks: •

Troubleshooting the Assignment of Roles on page 1316

•

Troubleshooting the VCPs on page 1316

Troubleshooting the Assignment of Roles Problem

The master and backup roles are not assigned to the member switches that you want to function in these roles.

Solution

Modify the mastership priority values. To quickly modify the mastership priority of SWA-1 (member ID 1), copy the following command and paste it into the switch terminal window: [edit virtual-chassis] user@SWA-1# set member 1 mastership-priority 255

Troubleshooting the VCPs Problem

The VCPs are down.

Solution

1.

Check to make sure that you have cabled the appropriate ports.

2. Check to make sure that the cables are seated properly.

You should generally cable and interconnect both of the VCPs on the member switches, for redundancy and high availability.


1316

•


•


•


•


•

Configuring an EX3300, EX4200, or EX4500 Virtual Chassis (J-Web Procedure) on page 1412



Example: Configuring an EX4500 Virtual Chassis with a Master and Backup in a Single Wiring Closet A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant network accessibility with a basic two-member EX4500 Virtual Chassis configuration and later expand the Virtual Chassis configuration to provide additional access ports as your office grows. This example describes how to configure an EX4500 Virtual Chassis with a master and backup in a single wiring closet: •


•


•


•


•




NOTE: You must use Junos OS Release 11.4 or later if you are including three or more EX4500 switches in an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis.

•

Two EX4500 switches with Virtual Chassis modules



2. Cabled the switches but not the Virtual Chassis ports (VCPs). 3. Installed the same version of Junos OS Release 11.1 or later on both the switches

Overview and Topology A Virtual Chassis configuration allows you to accommodate the networking needs of a growing office. The default configuration of a two-member Virtual Chassis includes a master and a backup switch. In addition to providing more access ports than a single switch can provide, a Virtual Chassis configuration provides high availability through redundancy. After you interconnect the switches using the dedicated VCPs and power on the switches, the VCPs are operational. The mastership priorities and member IDs are assigned by the software. The software elects a master based on several criteria, including how long a member switch has belonged to the Virtual Chassis configuration. For additional details,


1317

®


see “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. Therefore, we recommend that you start by powering on only one member switch, the one that you want to function as the master.

NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a Virtual Chassis.

The Virtual Chassis configuration provides networking access for onsite workers who are sitting within the range of a single wiring closet. The workers all use personal computers and VoIP phones. As the office grows, you can add EX4200 switches to meet increased needs for access ports. The topology for this example consists of two EX4500 switches. Table 149 on page 1318 shows the default configuration settings for the two-member Virtual Chassis.


Hardware

Member ID

Role and Priority

SWA-0

EX4500 switch

0


SWA-1

EX4500 switch

1


Figure 29 on page 1318 shows that switches SWA-0 and SWA-1 are interconnected with their dedicated VCPs on the rear panel. The LCD on the front displays the member ID and role.

Figure 29: Basic EX4500 Virtual Chassis with Master and Backup EX4500 1

0

EX4500

g021056

1

0


1318



2.

Power on SWA-1 (the member switch that you want to function as the backup).



3.

Set the PIC mode to Virtual Chassis mode on both switches: user@switch> request chassis pic-mode virtual-chassis

4.

Run the EZSetup program on SWA-0, specifying the identification parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details.

5.

Cable the Virtual Chassis member switches together.

6.

(Optional) Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired: [edit] user@SWA-0# set interfaces vme unit 0 family inet address /ip-address/mask/

7.




•



Action

Verify that the master, which has been selected by default, is the member switch that you want to function in that role. 1.



Status Prsnt

Mastership Serial No Model priority AK0207360276 ex4500-40f 128

Role Master*

1 (FPC 1)

Prsnt

AK0207360281 ex4500-40f

Backup

128

Neighbor List ID Interface 1 vcp-0 1 vcp-1 0 vcp-0 0 vcp-1


Meaning

The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected. The output shows that SWA-0, member 0, has been assigned default mastership priority 128. Because SWA-0 is the first member to be powered on, it has the most seniority and is therefore assigned the role of master. SWA-1 is powered on after member 0, so it is assigned the role of backup. The member


1319

®


IDs are displayed on the front panel of the switches. Check and confirm whether the default assignment is satisfactory.


Verify that the dedicated VCPs interconnecting the switches are operational. Display the VCPs of all the members: user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up 32000 1 vcp-1 vcp-1 Dedicated Up 32000 1 vcp-0 fpc1: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up 32000 1 vcp-0 vcp-1 Dedicated Up 32000 1 vcp-1

Meaning

The show virtual-chassis status command lists the interfaces that are enabled for the member switches of the Virtual Chassis configuration and shows the status of the interfaces. The output in this example shows that two of the VCPs are operational. A single cable has been used to interconnect vcp-0 of member ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the switch to be operational. However, we recommend that you connect the second set of VCPs for redundancy.



•




Solution


1320




The VCPs are down.

Solution

1.



We recommend that you interconnect both of the VCPs on the member switches, for redundancy and high availability.


•


•


•


Example: Expanding an EX4200 Virtual Chassis in a Single Wiring Closet A Virtual Chassis is a scalable switch composed of multiple interconnected EX4200 and EX4500 switches. This example describes how to configure an expanding EX4200 Virtual Chassis within a single wiring closet: •


•


•


•


•

Troubleshooting on page 1326



•


•

One EX4200-24T switch

•


•


Before you begin, be sure you have confirmed that the existing EX4200 Virtual Chassis configuration is operating correctly. See “Verifying That Virtual Chassis Ports on an EX3300, EX4200, or EX4500 Switch Are Operational” on page 1458.


1321

®


Overview and Topology A Virtual Chassis configuration can be expanded without disrupting the site's network connectivity. This example describes adding a member switch to an existing Virtual Chassis configuration to provide additional access ports for connecting more PCs and Voice over IP (VoIP) phones at this location. You can continue to expand the Virtual Chassis configuration with additional members in the same wiring closet, using the same procedure. If you want to expand the Virtual Chassis configuration to include member switches in another wiring closet, see “Example: Configuring an EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets” on page 1341. If you want to retain the roles of the existing master and backup switches, explicitly configure the mastership priority of these switches, specifying the highest possible value (255) for both the master and the backup. During expansion, the existing Virtual Chassis configuration can remain powered on and connected to the network. Before powering up the new switch, interconnect it to the other switches using the dedicated VCPs on the rear panel. Do not run the EZSetup program on the added member switch. This example shows an existing Virtual Chassis configuration composed of two EX4200 switches. The Virtual Chassis configuration is being expanded to include an EX4200-24P switch. The topology for this example consists of: •

One EX4200-48P switch (SWA-0) with 48 access ports, all of which support Power over Ethernet (PoE)

•

One EX4200-24T switch (SWA-1) with 24 access ports, including eight ports that support PoE

•

One EX4200-24P switch (SWA-2) with 24 access ports, all of which support PoE

•

One uplink module with two 10-gigabit ports is installed in the EX4200-48P switch. These ports can be configured as trunk ports to connect to a distribution switch or customer edge (CE) router or as Virtual Chassis ports (VCPs) to interconnect with a member switch that is located too far for dedicated VCP cabling. (The uplink module ports on the SFP and SFP+ uplink modules and the SFP network interfaces on the EX4200-24F switches can also be used for these purposes.) For information on configuring the uplink ports as trunk ports to a distribution switch, see “Configuring Gigabit Ethernet Interfaces (CLI Procedure)” on page 1818. For information on configuring uplink ports as VCPs, see “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434.

Table 150 on page 1322 shows the configuration settings for the expanded Virtual Chassis.

Table 150: Components of the Expanded Virtual Chassis Access Switch Member Switch

Hardware

Member ID

Role in Virtual Chassis

SWA-0

EX4200-48P switch

0

master; mastership priority 255

1322



Table 150: Components of the Expanded Virtual Chassis Access Switch (continued) Member Switch

Hardware

Member ID


SWA-1

EX4200-24T switch

1

backup; mastership priority 255

SWA-2

EX4200-24P switch

2

linecard; mastership priority 128

Figure 30 on page 1323 shows that the three member switches ( SWA-0, SWA-1 and SWA-2) are interconnected with their dedicated VCPs on the rear panel. The LCD on the front displays the member ID and role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect to a distribution switch.

Figure 30: Expanded EX4200 Virtual Chassis in a Single Wiring Closet

Configuration To expand a Virtual Chassis configuration to include additional member switches within a single wiring closet, perform these tasks:

NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis configuration.

CLI Quick Configuration

To maintain the master and backup roles of the existing members and ensure that the new member switch functions in a linecard role, copy the following commands and paste them into the terminal window: [edit] user@SWA-0# set virtual-chassis member 0 mastership-priority 255 user@SWA-1# set virtual-chassis member 1 mastership-priority 255


1323

®


Step-by-Step Procedure

To ensure that the existing member switches retain their current roles and to add another member switch in a linecard role: 1.

Configure the mastership priority of SWA-0 (member 0) to be the highest possible value, thereby ensuring that it functions as the master of the expanded Virtual Chassis configuration. [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255

2.

Configure the mastership priority of SWA-1 (member 1) to be the highest possible value. This setting is recommended for high availability and smooth transition of mastership in case the original master becomes unavailable. [edit virtual-chassis] user@SWA-1# set member 1 mastership-priority 255

3.

Interconnect the unpowered SWA-2 with SWA-0 using the dedicated VCPs on the rear panel. See Virtual Chassis Cabling Configuration Examples for EX4200 Switches for additional information.

4.

Power on SWA-2. You do not need to run EZSetup on SWA-2. The identification parameters that were set up for the master apply implicitly to all members of the Virtual Chassis configuration. SWA-2 functions in a linecard role, because SWA-0 and SWA-1 have been configured to the highest mastership priority values.

5.

Confirm SWA-2 is now included in the Virtual Chassis configuration by checking the front-panel LCD for the member ID of this switch.

6.

Cable the other VCP on SWA-2 to the Virtual Chassis.

NOTE: If you immediately cable both VCPs on SWA-2 into the existing Virtual Chassis, SWA-0 or SWA-1 might become nonoperational for several seconds. Network traffic to one of the switches is dropped during the downtime. The switch will return to the normal operational state with no user intervention, and normal operation of the Virtual Chassis will resume after this downtime.

Verification To verify that the new switch has been added in the linecard role and that its VCPs are operational, perform these tasks: •

Verifying That the New Switch Has Been Added in a Linecard Role on page 1324

•


Verifying That the New Switch Has Been Added in a Linecard Role Purpose

1324

Verify that SWA-2 has been added in a linecard role to the Virtual Chassis configuration.



Action

Use the show virtual-chassis status command to list the member switches with their member IDs, mastership priority values, and assigned roles. user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0000.e255.00e0

Meaning

Mastership Priority

Role

Neighbor List ID Interface

Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4200-48p

255

Master*

1 vcp-0 2 vcp-1

1 (FPC 1)

Prsnt

def456

ex4200-24t

255

Backup

2 vcp-0 0 vcp-1

2 (FPC 2)

Prsnt

abd231

ex4200-24p

128

Linecard

0 vcp-0 1 vcp-1

The show virtual-chassis status command lists the member switches of the Virtual Chassis configuration with the member IDs and mastership priority values. It also displays the neighbor members with which each member is interconnected. This output shows that SWA-2 has been assigned member ID 2 and has the default mastership priority value 128. Because the mastership priority is lower than the mastership priority of the other members, SWA-2 functions in the linecard role. You can continue to add more member switches, following the same procedure. It is possible to have multiple members in linecard roles with the same mastership priority value.


Verify that the dedicated VCPs interconnecting the member switches are operational. List the VCP interfaces on the Virtual Chassis configuration. user@SWA-0>show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up


1325

®


vcp-1

Meaning

Dedicated

Up

The show virtual-chassis vc-port all-members command lists all the interfaces for the Virtual Chassis configuration. In this case, no VCP uplinks have been configured. However, the VCP interfaces are automatically configured and enabled when you interconnect member switches using the dedicated VCPs. We recommend that you interconnect the member switches using both VCPs for redundancy. The VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same as the member ID.

Troubleshooting To troubleshoot the configuration of an expanded Virtual Chassis, perform these tasks: •

Troubleshooting Mastership Priority on page 1326

•

Troubleshooting Nonoperational VCPs on page 1326

Troubleshooting Mastership Priority Problem

You want to designate a different member as the master.

Solution

Change the mastership priority value or values of the switches, designating the highest mastership priority value for the switch that you want to be master. 1.

Lower the mastership priority of the existing master (member 0). [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 1

2. Set the mastership priority of the member that you want to be the master to the

highest possible value (255): [edit virtual-chassis] user@SWA-2# set member 2 mastership-priority 255

Troubleshooting Nonoperational VCPs Problem

The VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the VCPs.


•


•


•


Example: Adding an EX4500 Switch to a Nonprovisioned Virtual Chassis A Virtual Chassis is multiple switches operating as a single network entity. You might want to expand an existing Virtual Chassis by adding EX4500 switches to it. You can

1326



include up to ten EX4500 switches in an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis. This example describes how to add two EX4500 switches to an existing EX4200 Virtual Chassis that was nonprovisioned. A nonprovisioned configuration is a Virtual Chassis whose roles were assigned automatically rather than configured statically (preprovisioned). •


•


•


•




•

Two EX4200 switches interconnected into a nonprovisioned Virtual Chassis

•

Two standalone EX4500 switches with Virtual Chassis modules


An operational EX4200 Virtual Chassis with two member EX4200 switches that was configured using a nonprovisioned configuration.

2. Installed the same version of Junos OS Release 11.1 or later for all members of the

Virtual Chassis and on the EX4500 switches.


Overview and Topology You can create an EX4200 Virtual Chassis by cabling two operational EX4200 switches together using the dedicated Virtual Chassis ports (VCPs) on each EX4200 switch. When you cable a Virtual Chassis using the dedicated VCPs, the switches run a master election algorithm that determines the Virtual Chassis roles for each member switch. The master election algorithm first checks the mastership priority ID. The mastership priority ID is any number between 0 and 255. The switch with the higher mastership priority ID is elected into the master role and the other switch, unless it has been configured with a mastership priority value of 0, is elected into the backup role. The default mastership priority ID for an EX4200 or EX4500 switch is 128. Both EX4200 switches are using this default mastership priority ID in the operational EX4200 Virtual Chassis in this example.


1327

®



Table 151 on page 1328 shows the default configuration settings for the two-member Virtual Chassis before the EX4500 member switches are added to the Virtual Chassis.

Table 151: Components of the EX4200 Virtual Chassis Before the EX4500 Member Switches Are Added Member Switch

Hardware

Member ID

Role and Priority

SWA-0

EX4200 switch

0


SWA-1

EX4200 switch

1


Table 152 on page 1328 shows the configuration of the mixed EX4200 and EX4500 Virtual Chassis after the EX4500 member switches are added to the Virtual Chassis and the EX4500 switches have been configured in the master and backup roles.

Table 152: Final Mixed EX4200 and EX4500 Virtual Chassis Components Member Switch

Hardware

Member ID

Role and Priority

SWA-0

EX4200 switch

0

Linecard: mastership priority 0

SWA-1

EX4200 switch

1

Linecard: mastership priority 0

SWA-2

EX4500 switch

2


SWA-3

EX4500 switch

3


Figure 31 on page 1329 shows the hardware topology of the mixed EX4200 and EX4500 Virtual Chassis.

1328



Figure 31: Mixed EX4200 and EX4500 Virtual Chassis Topology (Nonprovisioned Configuration) EX4200

EX4200

EX4500 1

0

EX4500

0

g021057

1

Configuration Step-by-Step Procedure

To add two EX4500 switches to an existing EX4200 Virtual Chassis: 1.

Log in to the EX4200 Virtual Chassis.

2.

Set all member switches into mixed mode: user@switch> request virtual-chassis mode mixed all-members

3.

Reboot all member switches in the Virtual Chassis: user@switch> request system reboot

4.

Power on SWA-2, the EX4500 switch that you want to function in the master role.

5.

Power on SWA-3, the EX4500 switch that you want to function in the backup role.

6.

Set the PIC mode to the Virtual Chassis mode on both SWA-2 and SWA-3: user@switch> request chassis pic-mode virtual-chassis

7.

Configure SWA-2 and SWA-3 as a member of the mixed EX4200 and EX4500 Virtual Chassis: user@switch> request virtual-chassis mode mixed

8.

Reboot the EX4500 switches.

9.

Cable SWA-2 into the Virtual Chassis using the dedicated VCP on the back of the EX4200 member switch and the dedicated VCP on the Virtual Chassis module in the EX4500 switch.


1329

®


NOTE: We recommend cabling one VCP into the Virtual Chassis, waiting for the new switch to be recognized by the Virtual Chassis, then cabling the other VCP on the new switch into the Virtual Chassis. If you immediately cable both VCPs into the existing Virtual Chassis, one of the Virtual Chassis member switches might become nonoperational for several seconds. Network traffic to that member switch is dropped during the downtime. The switch will return to the normal operational state with no user intervention, and normal operation of the Virtual Chassis will resume after this downtime.

10.

Cable SWA-3 into the Virtual Chassis using the dedicated VCP on the back of the EX4200 member switch and the dedicated VCP on the Virtual Chassis module in the EX4500 switch.


11.

Log in to the Virtual Chassis and set the mastership priority for the EX4200 switches to 0 and the EX4500 switches to 255: [edit virtual-chassis] user@SWA–0# set member 0 mastership-priority 0 user@SWA–0# set member 1 mastership-priority 0 user@SWA–0# set member 2 mastership-priority 255 user@SWA–0# set member 3 mastership-priority 255

NOTE: A switch with a mastership priority ID of 0 never assumes the master or backup role within a Virtual Chassis. This configuration ensures that the EX4200 member switches remain in the linecard roles even during Virtual Chassis topology changes. If you want the EX4200 switches to assume the master or backup roles, assign the switches a mastership priority between 1 and 255.

1330




Verifying Virtual Chassis Availability and Roles on page 1331

Verifying Virtual Chassis Availability and Roles Purpose Action

Verify that the Virtual Chassis is up and that the member switches are in the correct roles. List the member switches and roles. user@SWA-2> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Member ID 0 (FPC 0)

Status Prsnt


Role Linecard

Neighbor List ID Interface 1 vcp-0

1 (FPC 1)

Prsnt

AK02073602814 ex4200-48p

0

Linecard

3 0

vcp-1 vcp-0

2 (FPC 2)

Prsnt

AK02073602844 ex4500-40f

255

Master*

2 1

vcp-1 vcp-0

3 (FPC 3)

Prsnt

AK02073602088 ex4500-40f

255

Backup

3 2

vcp-1 vcp-0

0

vcp-1


Meaning


The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected. The output shows that the switches have the correct mastership priorities and roles.

•


•


•


Example: Adding EX4500 Switches to a Preprovisioned Virtual Chassis A Virtual Chassis is multiple switches operating as a single network entity. You might want to expand your existing Virtual Chassis by adding EX4500 switches to your Virtual Chassis configuration. You can include up to ten EX4500 switches in an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis.


1331

®


This example describes how to add two EX4500 switches to an existing EX4200 Virtual Chassis that was preprovisioned. A preprovisioned configuration is a Virtual Chassis configuration in which the roles are statically assigned to each member switch: •


•


•


•




•

Two EX4200 switches interconnected into a Virtual Chassis

•

Two standalone EX4500 switches with Virtual Chassis modules


An operational EX4200 Virtual Chassis with two member EX4200 switches that was configured using a preprovisioned configuration.

2. Installed the same version of Junos OS Release 11.1 or later on all members of the

Virtual Chassis and on the EX4500 switches.


Overview and Topology You can create an EX4200 Virtual Chassis by cabling two operational EX4200 switches together using the dedicated Virtual Chassis ports (VCPs) on each EX4200 switch. When you preprovision a Virtual Chassis, you configure the roles for each member switch. Table 153 on page 1332 shows the configuration of the two-member EX4200 Virtual Chassis before the EX4500 member switches were added.

Table 153: Components of the EX4200 Virtual Chassis Before the EX4500 Member Switches Are Added Member Switch

Hardware

Member ID

Role and Priority

SWA-0

EX4200 switch

0

Master

SWA-1

EX4200 switch

1

Backup

1332



Table 154 on page 1333 shows the configuration of the mixed EX4200 and EX4500 Virtual Chassis after the EX4500 member switches are added to the Virtual Chassis and the roles are assigned.

Table 154: Final Mixed EX4200 and EX4500 Virtual Chassis Components Member Switch

Hardware

Member ID

Role and Priority

SWA-0

EX4200 switch

0

Linecard

SWA-1

EX4200 switch

1

Linecard

SWA-2

EX4500 switch

2

Master

SWA-3

EX4500 switch

3

Backup

Figure 32 on page 1333 shows the hardware topology of the mixed EX4200 and EX4500 Virtual Chassis.

Figure 32: Mixed EX4200 and EX4500 Virtual Chassis Topology (Preprovisioned Configuration) EX4200

EX4200

EX4500 1

0

EX4500

0

g021057

1

Configuration Step-by-Step Procedure

To add two EX4500 switches to an existing EX4200 Virtual Chassis that was preprovisioned: 1.

Log in to the EX4200 Virtual Chassis.

2.

Set all member switches into mixed mode: user@switch> request virtual-chassis mode mixed all-members

3.

Reboot all member switches in the Virtual Chassis: user@switch> request system reboot

4.

Power on SWA-2 and SWA-3, the EX4500 switches.

5.



1333

®


On each of the switches SWA-2 and SWA-3, configure the switch as a member of the mixed EX4200 and EX4500 Virtual Chassis:

6.

user@switch> request virtual-chassis mode mixed 7.

Reboot the EX4500 switches.

8.

Log in to the EX4200 Virtual Chassis and change the roles of the EX4200 member switches to line-card: [edit virtual-chassis] user@SWA–0# set member 0 role line-card user@SWA–0# set member 1 role line-card

Add the EX4500 switches to the Virtual Chassis configuration:

9.

[edit virtual-chassis] user@SWA–0# set member 2 serial-number ghi789 role routing-engine user@SWA–0# set member 3 serial-number jkl012 role routing-engine 10.

Cable SWA-2 and SWA-3 into the Virtual Chassis using the dedicated VCPs.



Verifying Virtual Chassis Availability and Roles on page 1334

Verifying Virtual Chassis Availability and Roles Purpose Action

Verify that the Virtual Chassis is up and that the member switches are in the correct roles. List the member switches and roles. user@SWA-2> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Member ID 0 (FPC 0)

Status Prsnt


Role Linecard

1 (FPC 1)

Prsnt

AK02073602814 ex4200-48p

Linecard

Neighbor List ID Interface 1 vcp-0 3

1334

0

0

vcp-1 vcp-0



2 (FPC 2)

3 (FPC 3)

Meaning


Prsnt

Prsnt

AK02073602844 ex4500-40f

AK02073602088 ex4500-40f

129

129

2

vcp-1

1

vcp-0

3

vcp-1

Master*

Backup

2

vcp-0

0

vcp-1

The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected. The output shows that the switches have the correct mastership priorities and roles.

•


•


•


Example: Setting Up a Multimember EX4200 Virtual Chassis Access Switch with a Default Configuration You can configure a multimember EX4200 Virtual Chassis access switch in a single wiring closet without setting any parameters—by simply cabling the switches together, using the dedicated Virtual Chassis ports (VCPs). You do not need to modify the default configuration to enable these ports. They are operational by default. The Virtual Chassis configuration automatically assigns the master, backup, and linecard roles, based on the sequence in which the switches are powered on and other factors in the master election algorithm.

TIP: We recommend that you explicitly configure the mastership priority of the switches to ensure that the switches continue to perform the desired roles when additional switches are added or other changes occur. However, it is possible to use the default configuration described in this example.

This example describes how to configure a multimember Virtual Chassis in a single wiring closet, using the default role assignments: •


•


•



1335

®


•


•




•

Two EX4200-48P switches

•

Four EX4200-24P switches

Overview and Topology A Virtual Chassis configuration is easily expandable. This example shows a Virtual Chassis configuration composed of six EX4200 switches. It provides networking access for 180 onsite workers, who are sitting within range of a single wiring closet. The six combined switches are identified by a single host name and managed through a global management IP address. To set up a multimember Virtual Chassis configuration within a single wiring closet, you need to run the EZSetup program only once. Connect to the master and run EZSetup to specify its identification, time zone, and network properties. When additional switches are connected through the Virtual Chassis ports (VCPs), they automatically receive the same properties that were specified for the master. The topology for this example (see Figure 33 on page 1337) consists of six switches: •

Two EX4200-48P switches (SWA-0 and SWA-1) with 48 access ports, all of which support Power over Ethernet (PoE)

•

Four EX4200-24P switches (SWA-2, SWA-3, SWA-4, and SWA-5) with 24 access ports, all of which support PoE

Figure 33 on page 1337 shows that all the member switches are interconnected with the dedicated VCPs on the rear panel. The LCD on the front displays the member ID and role.

1336



Figure 33: Default Configuration of a Multimember EX4200 Virtual Chassis in a Single Wiring Closet

Configuration To configure a multimember Virtual Chassis access switch in a single wiring closet using the factory defaults, perform this task: Step-by-Step Procedure

To configure a multimember Virtual Chassis with default role assignments: 1.

Make sure the dedicated VCPs on the rear panel are properly cabled. See Virtual Chassis Cabling Configuration Examples for EX4200 Switches for additional information.

2.

Power on the switch that you want to function as the master (SWA-0). This examples uses one of the larger switches (EX4200-48P) as the master.

3.

Check the front panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned.

4.

Run the EZSetup program on SWA-0, the master, specifying the identification parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details.

5.


6.

After a lapse of at least one minute, power on SWA-1. This example uses the second EX4200-48P switch as the backup.

7.

Check the front panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned.


1337

®


8.

Power on SWA-2, and check the front panels to make sure that the switch is operating correctly.

9.

Continue to power on the member switches one by one, checking the front panels as you proceed.

Verification To confirm that the configuration is working properly, perform these tasks: •

Verifying the Member IDs and Roles of the Member Switches on page 1338

•


Verifying the Member IDs and Roles of the Member Switches Purpose

Action

Verify that all the interconnected member switches are included within the Virtual Chassis configuration and that their roles are assigned appropriately. Display the members of the Virtual Chassis configuration: user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0000.e255.00e0

Meaning

Mastership Priority

Role


Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4200-48p

128

Master*

1 vcp-0 5 vcp-1

1 (FPC 1)

Prsnt

def123

ex4200-48p

128

Backup

2 vcp-0 0 vcp-1

2 (FPC 2)

Prsnt

abd231

ex4200-24p

128

Linecard

3 vcp-0 1 vcp-1

3 (FPC 3)

Prsnt

cab123

ex4200-24p

128

Linecard

4 vcp-0 2 vcp-1

4 (FPC 4)

Prsnt

fed456

ex4200-24p

128

Linecard

5 vcp-0 3 vcp-1

5 (FPC 5)

Prsnt

jkl231

ex4200-24p

128

Linecard

0 vcp-0 4 vcp-1

The show virtual-chassis status command lists the member switches of the Virtual Chassis configuration with the member IDs and mastership priority values. It also displays the neighbor members with which each member is interconnected. The fpc number is the same as the member ID.


1338

Verify that the dedicated VCPs interconnecting the member switches are operational. Display the VCP interfaces.



user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc3: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc4: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc5: Interface or PIC / Port vcp-0 vcp-1

Meaning

Type

Status

Dedicated Dedicated

Up Up

The show virtual-chassis vc-port all-members command lists the VCP interfaces that are enabled for the member switches of the Virtual Chassis configuration and shows the status of the interfaces. In this case, no VCP uplinks have been configured. However, the VCP interfaces are automatically configured and enabled when you interconnect member switches using the dedicated VCPs. The dedicated VCP interfaces are identified simply as vcp-0 and vcp-1. They do not use the standard interface address (in which the member ID is represented by the first digit). The output in this example shows that all interfaces are operational. The fpc number is the same as the member ID.


1339

®


Troubleshooting To troubleshoot the configuration of a multimember Virtual Chassis in a single wiring closet, perform these tasks: •


•



You want to explicitly designate one member as the master and another as backup.

Solution

Change the mastership priority value of the member that you want to function as master, assigning the highest mastership priority value to that member.

NOTE: These configuration changes are made through the current master, SWA-0.

1.

Configure mastership priority of member 0 to be the highest possible value. [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255

2. Set the mastership priority of another member that you want to function as the backup

member as the same value: [edit virtual-chassis] user@SWA-0# set member 2 mastership-priority 255



Solution



1340

•


•


•


•


•




Example: Configuring an EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets An EX4200 Virtual Chassis can be composed of multiple EX4200 switches in different locations. You can install member switches in different wiring closets, interconnecting the member switches by cabling and configuring uplink module ports or SFP network ports on EX4200-24F switches as Virtual Chassis ports (VCPs). This example shows how to use uplink VCPs to connect Virtual Chassis members that are located too far apart to be connected using the dedicated VCPs. Uplink VCPs can also be used to connect Virtual Chassis members to form link aggregation groups (LAGs). For the latter usage, see “Example: Configuring Link Aggregation Groups Using EX4200 Uplink Virtual Chassis Ports” on page 1386.

NOTE: You can also configure the SFP networks ports on EX4200-24F switches as VCPs to connect Virtual Chassis member switches across wiring closets and to form LAGs.

This example describes how to configure a Virtual Chassis access switch interconnected across wiring closets: •


•


•


•


•




•

Four EX4200 switches

•

Four XFP uplink modules


1341

®


Before you interconnect the members of the Virtual Chassis configuration across wiring closets, be sure you have: 1.

Installed an uplink module in each member switch. See Installing an Uplink Module in an EX4200 Switch.

2. Powered on and connected the switch in the master role, SWA-0, and run the EZSetup

program (see Table 155 on page 1343 for switch names used in this example). See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details. 3. Configured SWA-0 with the virtual management Ethernet (VME) interface for remote,

out-of-band management of the Virtual Chassis configuration, if desired. See “Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1440. 4. Interconnected SWA-0 and SWA-1 using the dedicated VCPs on the rear panel. SWA-1

must not be powered on at this time. 5. Interconnected SWA-2 and SWA-3 using the dedicated VCPs on the rear panel. SWA-2

and SWA-3 must not be powered on at this time.

Overview and Topology In this example, four EX4200 switches will be interconnected in a Virtual Chassis configuration. Two of these switches (SWA-0 and SWA-1) are located in wiring closet A, and the two other switches (SWA-2 and SWA-3) are located in wiring closet B. For ease of monitoring and manageability, we want to interconnect all four switches as members of a Virtual Chassis configuration. Prior to configuring the Virtual Chassis, we installed uplink modules in each of the member switches. In this example, uplink modules are installed in all four members so that there are redundant VCP connections across the wiring closets. If you want to expand this configuration to include more members within these wiring closets, you do not need to add any more uplink modules. Simply use the dedicated VCPs on the rear panel. The redundancy of uplink VCPs provided in this example is sufficient. We have interconnected the switches in wiring closet A and also interconnected the ones in wiring closet B using the dedicated VCPs. The interfaces for the dedicated VCPs are operational by default. They do not need to be configured. However, the Virtual Chassis cables that interconnect the dedicated VCPs of member switches within a single wiring closet are not long enough to connect member switches across wiring closets. Instead, we will use the fiber-optic cable connections in the uplink modules to interconnect the member switches in wiring closet A to the member switches in wiring closet B. You only need to interconnect one member switch in wiring closet A to one in wiring closet B to form the Virtual Chassis configuration. However, for redundancy, this example connects uplink module ports from the two member switches in wiring closet A to the two member switches in wiring closet B. We will specify the highest mastership priority value (255) for SWA-0 to make it the master before we power on SWA-1. Because SWA-0 and SWA-1 are interconnected with

1342



the dedicated VCPs, the master detects that SWA-1 is a member of its Virtual Chassis configuration and assigns it a member ID. We configure SWA-2 in wiring closet B without running EZSetup by directly connecting to the console port. If you wish, you can run EZSetup and specify identification parameters. Later, when you interconnect SWA-2 with SWA-0, the master of the Virtual Chassis configuration, the master overwrites any conflicting parameters. We will use SWA-2 as the backup of the Virtual Chassis configuration. If a problem occurs in wiring closet A, SWA-2 would take control of the Virtual Chassis configuration and maintain the network connections. We will configure the same mastership priority value for SWA-2 (255) that we configured for the master. Because we power on SWA-0 before we power on SWA-2, SWA-0 has additional prioritization properties that allow it to retain mastership of the Virtual Chassis configuration. We recommend setting identical mastership priority values for the master and backup members for high availability and smooth transition of mastership in case the original master becomes unavailable. (Setting identical mastership priority values for the master and backup members prevents the previous master from pre-empting the master role from the new master when the previous master comes back online.) After we have configured SWA-2 and set one of its uplink module ports as an uplink VCP, we will interconnect its uplink VCP with an uplink VCP on SWA-0. Finally, we will power on SWA-3. Because SWA-3 is interconnected with SWA-2 using the dedicated VCPs on the rear panel, the master will detect that SWA-3 is part of the expanded Virtual Chassis configuration and assign it member ID 3. For redundancy, we will configure an uplink VCP on SWA-3 through the master and interconnect that uplink VCP with an uplink VCP on SWA-1. Table 155 on page 1343 shows the Virtual Chassis configuration settings for a Virtual Chassis composed of member switches in different wiring closets.

Table 155: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets Switch

Member ID

Role and Priority

Location

SWA-0

0


Wiring closet A

SWA-1

1


Wiring closet A

SWA-2

2


Wiring closet B

SWA-3

3


Wiring closet B

Figure 34 on page 1344 shows the different types of interconnections used for this Virtual Chassis configuration. The rear view shows the member switches within each wiring closet interconnected to each other using the dedicated VCPs. The front view shows the uplink VCPs interconnected across the wiring closets.


1343

®


Figure 34: EX4200 Virtual Chassis Interconnected Across Wiring Closets

Configuration To configure the Virtual Chassis across multiple wiring closets, perform this task: Step-by-Step Procedure

To configure a Virtual Chassis across multiple wiring closets: 1.

Configure the mastership priority of SWA-0 (member 0) to be the highest possible value (255), thereby ensuring that it functions as the master of the expanded Virtual Chassis configuration: [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255

2.

Prepare the members in wiring closet A for interconnecting with the member switches in wiring closet B by setting uplink VCPs for member 0 and member 1: user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1

NOTE: • For redundancy, this example configures an uplink VCP in both SWA-0 and SWA-1. •

3.

This example omits the specification of the member member-id option in configuring an uplink VCP for SWA-0 (and, later, for SWA-2). The command applies by default to the switch where it is executed.

Prepare SWA-2 in wiring closet B for interconnecting with the Virtual Chassis configuration by configuring its mastership priority to be the highest possible value (255). Its member ID is currently 0, because it is not yet interconnected with the other members of the Virtual Chassis configuration. It is operating as a standalone switch. Its member ID will change when it is interconnected. [edit virtual-chassis] user@SWA-2# set member 0 mastership-priority 255

1344



NOTE: SWA-2 is configured with the same mastership priority value that we configured for SWA-0. However, the longer uptime of SWA-0 ensures that, once the interconnection is made, SWA-0 functions as the master and SWA-2 functions as the backup.

4.

Specify one uplink module port in SWA-2 as an uplink VCP. Its member ID is 0, because it is not yet interconnected with the other members of the Virtual Chassis configuration.

NOTE: The setting of the uplink VCP remains intact when SWA-2 reboots and joins the Virtual Chassis configuration as member 2.

user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0 5.

Physically interconnect SWA-0 and SWA-2 across wiring closets using their uplink VCPs. Although SWA-0 and SWA-2 have the same mastership priority value (255), SWA-0 was powered on first and thus has longer uptime. This results in SWA-0 retaining mastership while SWA-2 reboots and joins the now expanded Virtual Chassis configuration as the backup, with member ID 2.

6.

Power on SWA-3. It joins the expanded Virtual Chassis configuration as member 3.

NOTE: Member ID 3 is assigned to SWA-3 because SWA-3 was powered on after members 0, 1, and 2.

7.

Because SWA-3 is now interconnected as a member of the Virtual Chassis configuration, you can specify a redundant uplink VCP on SWA-3 through the master of the Virtual Chassis configuration: user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 3

8.

Physically interconnect SWA-3 and SWA-1 across wiring closets using their uplink VCPs. Both SWA-1 and SWA-3 have the default mastership priority value (128) and function in a linecard role.


Results

Display the results of the configuration on SWA-0: [edit] user@SWA-0# show virtual-chassis member 0 {


1345

®


mastership-priority 255; } member 1 { mastership-priority 128; } member 2 { mastership-priority 255; } member 3 { mastership-priority 128; } }



•

Verifying that the Dedicated VCPs and Uplink VCPs Are Operational on page 1347


Action

Verify that all the interconnected member switches are included within the Virtual Chassis configuration and that their roles are assigned appropriately. Display the members of the Virtual Chassis configuration: user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 000.e255.00e0

Meaning

1346

Mastership Priority

Role


Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4200-48p

255

Master*

1 vcp-0 2 vcp-1 2 vcp-255/1/0

1 (FPC 1)

Prsnt

def456

ex4200-24t

128

Linecard

0 vcp-0 0 vcp-1 3 vcp-255/1/0

2 (FPC 2)

Prsnt

ghi789

ex4200-48p

255

Backup

3 vcp-0 3 vcp-1 0 vcp-255/1/0

3 (FPC 3)

Prsnt

jkl012

ex4200-24t

128

Linecard

2 vcp-0 2 vcp-1 3 vcp-255/1/0

The show virtual-chassis status command lists the member switches interconnected as a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected.



Verifying that the Dedicated VCPs and Uplink VCPs Are Operational Purpose

Action

Verify that the dedicated VCPs interconnecting member switches in wiring closet A and the uplink VCPs interconnecting the member switches between wiring closets are operational. Display the VCP interfaces: user@SWA-0> show virtual-chassis status all-members

fpc0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 vcp-1 Dedicated 2 Up 32000 1 vcp-0 1/0 Auto-Configured —1 Up 1000 2 vcp-255/1/0 fpc1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 0 vcp-0 vcp-1 Dedicated 2 Up 32000 0 vcp-1 1/0 Auto-Configured —1 Up 1000 3 vcp-255/1/0

fpc2: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 3 vcp-0 vcp-1 Dedicated 2 Up 32000 1/0 Auto-Configured —1 Up 1000 0 vcp-255/1/0

fpc3: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 2 vcp-0 vcp-1 Dedicated 2 Up 32000 2 vcp-1 1/0 Auto-Configured —1 Up 1000 1 vcp-255/1/0

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The interface on the switch that has been set as an uplink VCP is displayed as 1/0. The member interface names of uplink VCPs are of the form vcp-255/pic/port—for example, vcp-255/1/0. In that name, vcp-255 indicates that the interface is an uplink VCP, 1 is the uplink PIC number, and 0 is the uplink port number. The fpc number is the same as the member ID. The Trunk ID is a positive number ID assigned to the LAG formed by the Virtual Chassis. If no LAG is formed, the value is –1.


1347

®


Troubleshooting To troubleshoot a Virtual Chassis configuration that is interconnected across wiring closets, perform these tasks: •



An uplink VCP shows a status of down.

Solution

•

Check the cable to make sure that it is properly and securely connected to the ports.

•

If the VCP is an uplink module port, make sure that it has been explicitly set as an uplink VCP.

•

If the VCP is an uplink module port, make sure that you have specified the options (pic-slot, port, and member) correctly.

•


•


•


•



Example: Connecting EX4500 Member Switches in a Virtual Chassis Across Wiring Closets An EX4500 switch can be a member of an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis. An EX4500 Virtual Chassis can be composed of two to ten EX4500 switches in different wiring closets or locations. A mixed EX4200 and EX4500 Virtual Chassis can be composed of EX4200 and EX4500 switches in different locations or wiring closets provided that at least one EX4200 switch is connected to one EX4500 switch using the dedicated Virtual Chassis port (VCP) connections available on both switches. You connect EX4500 member switches in a Virtual Chassis that are in different wiring closets by cabling them together using a 10-Gigabit Ethernet SFP+ connection. You then must configure the 10-Gigabit Ethernet SFP+ connection as a Virtual Chassis port (VCP). This example shows how to use the 10-Gigabit Ethernet SFP+ ports on EX4500 switches to connect two EX4500 member switches that are located too far apart to be connected using the dedicated VCPs in a mixed EX4200 and EX4500 Virtual Chassis. The procedure to connect two EX4500 switches in an EX4500 Virtual Chassis is identical to the procedure shown in this example.

1348



NOTE: Any 10-Gigabit Ethernet SFP+ connection on an EX4500 switch can be configured as a VCP. An EX4500 switch has network and uplink ports that support 10-Gigabit Ethernet SFP+ transceivers.

This example describes how to connect two EX4500 member switches across wiring closets: •


•


•


•


•





•

Two EX4500 member switches

•

Four EX4200 member switches

Before you interconnect the members of the Virtual Chassis configuration across wiring closets, be sure you have: 1.

Preprovisioned the Virtual Chassis. See “Configuring a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure)” on page 1414 for details.

2. (Optional) Configured SWA-0 with the virtual management Ethernet (VME) interface

if you want remote, out-of-band management of the Virtual Chassis configuration. See “Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1440. 3. Interconnected SWA-0, SWA-1, and SWA-2 using the dedicated VCPs. 4. Interconnected SWA-3, SWA-4, and SWA-5 using the dedicated VCPs.

Overview and Topology In this example, two EX4500 switches and four EX4200 switches are interconnected in a mixed EX4200 and EX4500 Virtual Chassis configuration. One EX4500 switch (SWA-0) and two EX4200 switches (SWA-1 and SWA-2) are located in wiring closet A, and the other EX4500 switch (SWA-3) and the other two EX4200 switches (SWA-4 and SWA-5) are located in wiring closet B.


1349

®


For ease of monitoring and manageability, we want to interconnect all six switches as members of a Virtual Chassis configuration. We have interconnected the switches in wiring closet A and also interconnected the ones in wiring closet B using the dedicated VCPs. The interfaces for the dedicated VCPs are operational by default. They do not need to be configured. However, the Virtual Chassis cables that interconnect the dedicated VCPs of member switches within a single wiring closet are not long enough to connect member switches across wiring closets. Instead, we will use a 10-Gigabit Ethernet SFP+ connection to interconnect the member switches in wiring closet A to the member switches in wiring closet B. You only need to interconnect one member switch in wiring closet A to one in wiring closet B to form the Virtual Chassis configuration. In this example, this connection will be made by connecting the EX4500 switches in each wiring closet together by configuring a 10-Gigabit Ethernet SFP+ connection as a VCP. We will preprovision the entire Virtual Chassis to set the roles for all member switches. We will first power on SWA-0 and preprovision the Virtual Chassis. We will then cable the Virtual Chassis before powering on the other member switches. Table 156 on page 1350 shows the Virtual Chassis configuration settings for a Virtual Chassis composed of member switches in different wiring closets.

Table 156: Components of a Virtual Chassis Interconnected Across Wiring Closets Model Switch

Member ID

Role

Location

SWA-0

EX4500 switch

0

Master

Wiring closet A

SWA-1

EX4200 switch

1

Linecard

Wiring closet A

SWA-2

EX4200 switch

2

Linecard

Wiring closet A

SWA-3

EX4500 switch

3

Backup

Wiring closet B

SWA-4

EX4200 switch

4

Linecard

Wiring closet B

SWA-5

EX4200 switch

5

Linecard

Wiring closet B

Figure 35 on page 1351 shows the different types of interconnections used for this Virtual Chassis configuration. The rear view shows the member switches within each wiring closet interconnected to each other using the dedicated VCPs. The front view shows the uplink VCPs interconnected across the wiring closets.

1350



Figure 35: Mixed EX4200 and EX4500 Virtual Chassis Interconnected Across Wiring Closets Wiring closet A

Wiring closet B

0

1

2

3

ST

0

1

2

3

ST

EX4500 Front

EX4500 Front

EX4500 - Rear

EX4500 - Rear

1

1

0

0

EX4200 - Rear

g021058

EX4200 - Rear

Configuration To configure the Virtual Chassis across wiring closets, perform this task: Step-by-Step Procedure

To configure a Virtual Chassis across wiring closets: 1.

Power on SWA-0 (the EX4500 switch acting as member 0).

2.

Power on SWA-3 (the EX4500 switch acting as member 3).

3.


4.

Power on the remaining switches.

5.

Configure all switches individually as members of the mixed EX4200 and EX4500 Virtual Chassis: user@switch> request virtual-chassis mode mixed

6.

Reboot all switches: user@switch> request system reboot

7.

Log back into SWA-0 after the reboot has completed.

8.

Run EZSetup on SWA-0 to set the parameters for the entire Virtual Chassis. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257.

9.

Preprovision the Virtual Chassis from SWA-0. Specify all members for the Virtual Chassis configuration, listing each switch’s serial number with the desired member ID and the desired role. [edit virtual-chassis] user@SWA–0# set preprovisioned user@SWA–0# set member 0 serial-number abc123 role routing-engine


1351

®


user@SWA–0# user@SWA–0# user@SWA–0# user@SWA–0# user@SWA–0# 10.

set member 1 serial-number def456 role line-card set member 2 serial-number ghi789 role line-card set member 3 serial-number jkl012 role routing-engine set member 4 serial-number mno345 role line-card set member 5 serial-number pqr678 role line-card

Commit the configuration: user@SWA–0> commit synchronize

Prepare the members in wiring closet A for interconnecting with the member switches in wiring closet B by setting the 10-Gigabit Ethernet SFP+ interfaces on SWA-0 as VCPs:

11.

user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> 12.

request virtual-chassis vc-port set pic-slot 0 port 0 request virtual-chassis vc-port set pic-slot 0 port 1 request virtual-chassis vc-port set pic-slot 0 port 2 request virtual-chassis vc-port set pic-slot 0 port 3 request virtual-chassis vc-port set pic-slot 0 port 4 request virtual-chassis vc-port set pic-slot 0 port 5 request virtual-chassis vc-port set pic-slot 0 port 6 request virtual-chassis vc-port set pic-slot 0 port 7

Prepare the members in wiring closet B for interconnecting with the member switches in wiring closet A by setting the 10-Gigabit Ethernet SFP+ interfaces on SWA-3 as VCPs: user@SWA-3> user@SWA-3> user@SWA-3> user@SWA-3> user@SWA-3> user@SWA-3> user@SWA-3> user@SWA-3>

request virtual-chassis vc-port set pic-slot 0 port 0 request virtual-chassis vc-port set pic-slot 0 port 1 request virtual-chassis vc-port set pic-slot 0 port 2 request virtual-chassis vc-port set pic-slot 0 port 3 request virtual-chassis vc-port set pic-slot 0 port 4 request virtual-chassis vc-port set pic-slot 0 port 5 request virtual-chassis vc-port set pic-slot 0 port 6 request virtual-chassis vc-port set pic-slot 0 port 7

13.

Physically interconnect SWA-0 with SWA-1, then interconnect all switches in wiring closet A.

14.

Physically interconnect SWA-0 with SWA-3 across wiring closets using the 10-Gigabit Ethernet SFP+ connections.

15.

Physically interconnect all switches in wiring closet B.


Results

Display the results of the configuration on SWA-0: [edit virtual-chassis] user@SWA-0# show member 0 { role routing-engine; serial-number abc123; } member 1 { role line-card; serial-number def456;

1352



} member 2 { role line-card; serial-number ghi789; } member 3 { role routing-engine; serial-number jkl012; } member 4 { role line-card; serial-number mno345; } member 5 { role line-card; serial-number pqr678; } }




Action

Verify that all the interconnected member switches are included within the Virtual Chassis configuration and that their roles are assigned appropriately. Display the members of the Virtual Chassis configuration: user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 000.e255.00e0 Virtual Chassis Mode: Mixed Mastership Priority

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4500-40f

255

Master*

1 2 3 3 3 3 3 3 3 3

1 (FPC 1)

Prsnt

def456

ex4200-48p

128

Linecard

0 vcp-0 2 vcp-1

2 (FPC 2)

Prsnt

ghi789

ex4200-48p

128

Linecard

0 vcp-0 1 vcp-1 0 vcp-255/1/0


Role


Member ID

vcp-0 vcp-1 vcp-255/0/0 vcp-255/0/1 vcp-255/0/2 vcp-255/0/3 vcp-255/0/4 vcp-255/0/5 vcp-255/0/6 vcp-255/0/7

1353

®


Meaning

3 (FPC 3)

Prsnt

jkl012

ex4500-40f

255

Backup

4 5 0 0 0 0 0 0 0 0

vcp-0 vcp-1 vcp-255/0/0 vcp-255/0/1 vcp-255/0/2 vcp-255/0/3 vcp-255/0/4 vcp-255/0/5 vcp-255/0/6 vcp-255/0/7

4 (FPC 4)

Prsnt

mno345

ex4200-48p

128

Linecard

3 vcp-0 5 vcp-1

5 (FPC 5)

Prsnt

pqr678

ex4200-48p

128

Linecard

3 vcp-0 4 vcp-1

The show virtual-chassis status command lists the member switches interconnected as a Virtual Chassis configuration with the member IDs that have been assigned by the master and the roles. It also displays the neighbor members with which each member is interconnected.

Troubleshooting To troubleshoot a Virtual Chassis configuration that is interconnected across wiring closets, perform these tasks: •



A user-configured VCP shows a status of down.

Solution

•


•

Make sure the VCP that it has been explicitly set as an uplink VCP.

•

Make sure that you have specified the options (pic-slot, port, and member) correctly.

•



Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch EX Series switches allow you to combine multiple Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. The number of Ethernet links you can combine into a LAG depends on your EX Series switch model. See “Understanding Aggregated Ethernet Interfaces and LACP” on page 1774 for more information.

1354



This example describes how to configure uplink LAGs to connect a Virtual Chassis access switch to a Virtual Chassis distribution switch: •


•


•


•


•


Requirements This example uses the following software and hardware components: •


•


•

Two EX4200-24F switches

•


Before you configure the LAGs, be sure you have: •

Configured the Virtual Chassis switches. See “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408.

•

Configured the uplink ports on the switches as trunk ports. See “Configuring Gigabit Ethernet Interfaces (CLI Procedure)” on page 1818.

Overview and Topology For maximum speed and resiliency, you can combine uplinks between an access switch and a distribution switch into LAGs. Using LAGs can be particularly effective when connecting a multimember Virtual Chassis access switch to a multimember Virtual Chassis distribution switch. The Virtual Chassis access switch in this example is composed of two member switches. Each member switch has an uplink module with two 10-Gigabit Ethernet ports. These ports are configured as trunk ports, connecting the access switch with the distribution switch. Configuring the uplinks as LAGs has the following advantages: •

Link Aggregation Control Protocol (LACP) can optionally be configured for link negotiation.

•

It doubles the speed of each uplink from 10 Gbps to 20 Gbps.

•

If one physical port is lost for any reason (a cable is unplugged or a switch port fails, or one member switch is unavailable), the logical port transparently continues to function over the remaining physical port.

The topology used in this example consists of one Virtual Chassis access switch and one Virtual Chassis distribution switch. The access switch is composed of two EX4200-48P


1355

®


switches (SWA-0 and SWA-1), interconnected to each other with their Virtual Chassis ports (VCPs) as member switches of Host-A. The distribution switch is composed of two EX4200-24F switches (SWD-0 and SWD-1), interconnected with their VCPs as member switches of Host-D. Each member of the access switch has an uplink module installed. Each uplink module has two ports. The uplinks are configured to act as trunk ports, connecting the access switch with the distribution switch. One uplink port from SWA-0 and one uplink port from SWA-1 are combined as LAG ae0 to SWD-0. This link is used for one VLAN. The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second LAG connection (ae1) to SWD-1. LAG ae1 is used for another VLAN.

NOTE: If the remote end of the LAG link is a security device, LACP might not be supported because security devices require a deterministic configuration. In this case, do not configure LACP. All links in the LAG are permanently operational unless the switch detects a link failure within the Ethernet physical layer or data link layers.

Figure 36: Topology for LAGs Connecting an EX4200 Virtual Chassis Access Switch to an EX4200 Virtual Chassis Distribution Switch

Table 157 on page 1357 details the topology used in this configuration example.

1356



Table 157: Components of the Topology for Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch Switch SWA-0

Hostname and VCID

Base Hardware

Uplink Module

Member ID

Trunk Port

Host-A Access switch

EX4200-48P switch


0

xe-0/1/0 to SWD-0 xe-0/1/1 to SWD-1

VCID 1 SWA-1


EX4200-48P switch


1


VCID 1 SWD-0

Host-D Distribution switch

EX4200 L-24F switch


0

xe-0/1/0 to SWA-0 xe-0/1/1 to SWA-1

VCID 4 SWD-1


EX4200 L-24F switch


1


VCID 4

Configuration To configure two uplink LAGs from the Virtual Chassis access switch to the Virtual Chassis distribution switch: CLI Quick Configuration

To quickly configure aggregated Ethernet high-speed uplinks between a Virtual Chassis access switch and a Virtual Chassis distribution switch, copy the following commands and paste them into the switch terminal window: [edit] set chassis aggregated-devices ethernet device-count 2 set interfaces ae0 aggregated-ether-options minimum-links 1 set interfaces ae0 aggregated-ether-options link-speed 10g set interfaces ae1 aggregated-ether-options minimum-links 1 set interfaces ae1 aggregated-ether-options link-speed 10g set interfaces ae0 unit 0 family inet address 192.0.2.0/25 set interfaces ae1 unit 0 family inet address 192.0.2.128/25 set interfaces xe-0/1/0 ether-options 802.3ad ae0 set interfaces xe-1/1/0 ether-options 802.3ad ae0 set interfaces xe-0/1/1 ether-options 802.3ad ae1 set interfaces xe-1/1/1 ether-options 802.3ad ae1


To configure aggregated Ethernet high-speed uplinks between a Virtual Chassis access switch and a Virtual Chassis distribution switch: 1.

Specify the number of LAGs to be created on the chassis: [edit chassis] user@Host-A# set aggregated-devices ethernet device-count 2

2.

Specify the number of links that need to be present for the ae0 LAG interface to be up: [edit interfaces]


1357

®


user@Host-A# set ae0 aggregated-ether-options minimum-links 1 3.

Specify the number of links that need to be present for the ae1 LAG interface to be up: [edit interfaces] user@Host-A# set ae1 aggregated-ether-options minimum-links 1

4.

Specify the media speed of the ae0 link: [edit interfaces] user@Host-A# set ae0 aggregated-ether-options link-speed 10g

5.


6.

Specify the interface ID of the uplinks to be included in LAG ae0: [edit interfaces] user@Host-A# set xe-0/1/0 ether-options 802.3ad ae0 user@Host-A# set xe-1/1/0 ether-options 802.3ad ae0

7.


8.

Specify that LAG ae0 belongs to the subnet for the employee broadcast domain: [edit interfaces] user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25

9.

Specify that LAG ae1 belongs to the subnet for the guest broadcast domain: [edit interfaces] user@Host-A# set ae1 unit 0 family inet address 192.0.2.128/25

Display the results of the configuration: [edit] chassis { aggregated-devices { ethernet { device-count 2; } } } interfaces { ae0 { aggregated-ether-options { link-speed 10g; minimum-links 1; } unit 0 { family inet { address 192.0.2.0/25; } } } ae1 { aggregated-ether-options { link-speed 10g; minimum-links 1;

1358



} unit 0 { family inet { address 192.0.2.128/25; } } xe–0/1/0 { ether-options { 802.3ad ae0; } } xe–1/1/0 { ether-options { 802.3ad ae0; } } xe–0/1/1 { ether-options { 802.3ad ae1; } } xe–1/1/1 { ether-options { 802.3ad ae1; } } }

Verification To verify that switching is operational and two LAGs have been created, perform these tasks: •

Verifying That LAG ae0 Has Been Created on page 1359

•


Verifying That LAG ae0 Has Been Created Purpose Action

Verify that LAG ae0 has been created on the switch. show interfaces ae0 terse Interface ae0 ae0.0

Meaning

Admin up up

Link Proto up up inet

Local

Remote

192.0.2.0/25

The output confirms that the ae0 link is up and shows the family and IP address assigned to this link.


Verify that LAG ae1 has been created on the switch show interfaces ae1 terse


1359

®


Interface ae1 ae1.0

Meaning

Admin Link Proto up down up down inet

Local

Remote

192.0.2.128/25

The output shows that the ae1 link is down.

Troubleshooting Troubleshooting a LAG That Is Down Problem

The show interfaces terse command shows that the LAG is down.

Solution

Check the following:


•

Verify that there is no configuration mismatch.

•

Verify that all member ports are up.

•

Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet (Layer 3 LAG).

•

Verify that the LAG member is connected to the correct LAG at the other end.

•

Verify that the LAG members belong to the same switch (or the same Virtual Chassis).

•


•


•

Example: Connecting an Access Switch to a Distribution Switch on page 2131.

•


•

Installing an Uplink Module in an EX4200 Switch

•

Uplink Modules in EX4200 Switches

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch EX Series switches allow you to combine multiple Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. EX Series switches allow you to further enhance these links by configuring Link Aggregation Control Protocol (LACP). This example describes how to overlay LACP on the LAG configurations that were created in “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200

1360



Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354: •


•


•

Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 1362

•

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on page 1362

•


•




•


•


•

Four EX Series XFP uplink modules

Before you configure LACP, be sure you have: •

Set up the Virtual Chassis switches. See “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408.

•


•

Configured the LAGs. See “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354.

Overview and Topology This example assumes that you are familiar with “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354. The topology in this example is exactly the same as the topology in that other example. This example shows how to use LACP to enhance the LAG functionality. LACP exchanges are made between actors (the transmitting link) and partners (the receiving link). The LACP mode can be either active or passive.

NOTE: If the actor and partner are both in passive mode, they do not exchange LACP packets, which results in the aggregated Ethernet links not coming up. By default, LACP is in passive mode. To initiate transmission of LACP packets and responses to LACP packets, you must enable LACP in active mode.

By default, the actor and partner send LACP packets every second.


1361

®


The interval can be fast (every second) or slow (every 30 seconds).

Configuring LACP for the LAGs on the Virtual Chassis Access Switch To configure LACP for the access switch LAGs, perform these tasks: CLI Quick Configuration

To quickly configure LACP for the access switch LAGs, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ae0 aggregated-ether-options lacp active periodic fast set interfaces ae1 aggregated-ether-options lacp active periodic fast


To configure LACP for Host-A LAGs ae0 and ae1: 1.

Specify the aggregated Ethernet options for both bundles: [edit interfaces] user@Host-A#set ae0 aggregated-ether-options lacp active periodic fast user@Host-A#set ae1 aggregated-ether-options lacp active periodic fast

Results

Display the results of the configuration: [edit interfaces] user@Host-A# show ae0 { aggregated-ether-options { lacp { active; periodic fast; } } } ae1 { aggregated-ether-options { lacp { active; periodic fast; } } }

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch To configure LACP for the two uplink LAGs from the Virtual Chassis access switch to the Virtual Chassis distribution switch, perform these tasks: CLI Quick Configuration

To quickly configure LACP for the distribution switch LAGs, copy the following commands and paste them into the switch terminal window: [edit interfaces] set ae0 aggregated-ether-options lacp passive periodic fast set ae1 aggregated-ether-options lacp passive periodic fast

1362




To configure LACP for Host D LAGs ae0 and ae1: 1.

Specify the aggregated Ethernet options for both bundles: [edit interfaces] user@Host-D#set ae0 aggregated-ether-options lacp passive periodic fast user@Host-D#set ae1 aggregated-ether-options lacp passive periodic fast

Results

Display the results of the configuration: [edit interfaces] user@Host-D# show ae0 { aggregated-ether-options { lacp { passive; periodic fast; } } } ae1 { aggregated-ether-options { lacp { passive periodic fast; } } }

Verification To verify that LACP packets are being exchanged, perform these tasks: •

Verifying the LACP Settings on page 1363

•

Verifying That the LACP Packets Are Being Exchanged on page 1364

Verifying the LACP Settings Purpose Action

Verify that LACP has been set up correctly. Use the show lacp interfaces interface-name command to check that LACP has been enabled as active on one end. user@Host-A> show lacp interfaces xe-0/1/0 Aggregated interface: ae0 LACP state:

Role

Def

Dist

Col

Syn

Aggr

Timeout

Activity

xe-0/1/0

Actor

No

Yes

No

No

No

Yes

Fast

Active

xe-0/1/0

Partner

No

Yes

No

No

No

Yes

Fast

Passive

LACP protocol: xe-0/1/0


Exp

Receive State Defaulted

Transmit State

Mux State

Fast periodic

Detached

1363

®


Meaning

The output indicates that LACP has been set up correctly and is active at one end.

Verifying That the LACP Packets Are Being Exchanged Purpose Action

Verify that LACP packets are being exchanged. Use the show interfaces aex statistics command to display LACP information. user@Host-A> show interfaces ae0 statistics Physical interface: ae0, Enabled, Physical link is Down Interface index: 153, SNMP ifIndex: 30 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0 Last flapped : Never Statistics last cleared: Never Input packets : 0 Output packets: 0 Input errors: 0, Output errors: 0 Logical interface ae0.0 (Index 71) (SNMP ifIndex 34) Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 0 0 0 0 Protocol inet Flags: None Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning

The output here shows that the link is down and that no protocol data units (PDUs) are being exchanged.

Troubleshooting To troubleshoot a nonworking LACP link, perform these tasks: •

Troubleshooting a Nonworking LACP Link on page 1364

Troubleshooting a Nonworking LACP Link

1364

Problem

The LACP link is not working.

Solution

Check the following: •

Remove the LACP configuration and verify whether the static LAG is up.

•

Verify that LACP is configured at both ends.




•

Verify that LACP is not passive at both ends.

•

Verify whether LACP protocol data units (PDUs) are being exchanged by running the monitor traffic-interface lag-member detail command.

•


•


•


•


Example: Configuring an EX4200 Virtual Chassis Using a Preprovisioned Configuration File You can deterministically control both the role and the member ID assigned to each member switch in an EX4200 Virtual Chassis configuration by creating a preprovisioned configuration file. A preprovisioned configuration file links the serial number of each EX4200 switch in the configuration to a specified member ID and role. The serial number must be specified in the configuration file for the member to be recognized as part of the Virtual Chassis configuration.

NOTE: When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces.

NOTE: After you have created a preprovisioned Virtual Chassis configuration, you can use the autoprovisioning feature to add member switches to that configuration. See “Adding a New Switch to an Existing EX4200 Virtual Chassis (CLI Procedure)” on page 1418.

This example describes how to configure a Virtual Chassis across multiple wiring closets using a preprovisioned configuration file: •


•


•


•


•



1365

®




•

Five EX4200-48P switches

•

Five EX4200-24T switches

•


Before you create the preprovisioned configuration of the Virtual Chassis and interconnect the members across the wiring closets, be sure you have: 1.

Made a list of the serial numbers of all the switches to be connected as a Virtual Chassis configuration.

2. Noted the desired role (routing-engine or line-card) of each switch. If you configure

the member with a routing-engine role, it is eligible to function as a master or backup. If you configure the member with a line-card role , it is not eligible to become a master or backup. 3. Installed an uplink module in each of the member switches that will be interconnected

across wiring closets. See Installing an Uplink Module in an EX4200 Switch. 4. Interconnected the member switches within each wiring closet using the dedicated

VCPs on the rear panel of switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch. 5. Powered on the switch that you plan to use as the master switch (SWA-0). 6. Run the EZSetup program on SWA-0, specifying the identification parameters. See

“Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details. SWA-0 is going to be configured in the example to function as the master of the Virtual Chassis configuration. Thus, the properties that you specify for SWA-0 will apply to the entire Virtual Chassis configuration, including all the member switches that you specify in the preprovisioned configuration file. 7. Configured SWA-0 with the virtual management Ethernet (VME) interface for

out-of-band management of the Virtual Chassis configuration, if desired. [edit] user@SWA-0# set interfaces vme unit 0 family inet address /ip-address/mask/

Overview and Topology You must select two members that you want to make eligible for election as master of the Virtual Chassis configuration. When you list these two members in the preprovisioned configuration file, you designate both members as routing-engine. One will function as the master of the Virtual Chassis configuration and the other will function as the backup. You designate additional members, which are not eligible for election as master, as having the line-card role in the preprovisioned configuration file.

1366



In this example, five EX4200 switches (SWA-0 through SWA-4) are interconnected with their dedicated VCPs in wiring closet A and five EX4200 switches (SWA-5 through SWA-9) are interconnected with their dedicated VCPs in wiring closet B. SWA-0 (in wiring closet A) is going to be the master of the Virtual Chassis configuration. This example shows how to create a preprovisioned configuration file on SWA-0 for all member switches that will be interconnected in the Virtual Chassis configuration. The preprovisioned configuration file includes member IDs for the members in wiring closet A and for the members in wiring closet B. SWA-5 (in wiring closet B) is going to be the backup of the Virtual Chassis configuration. Both SWA-0 and SWA-5 are specified in the preprovisioned configuration file with the role of routing-engine. All other members are specified with the role of line-card. If all member switches could be interconnected with their dedicated VCPs, you could simply power on the switches after saving and committing the preprovisioned configuration file. The master detects the connection of the members through the dedicated VCPs and applies the parameters specified in the preprovisioned configuration file. However, the Virtual Chassis cables that interconnect the VCPs of member switches within a single wiring closet are not long enough to connect member switches across wiring closets. Instead, you can configure the uplink module ports or the SFP networks ports on EX4200-24F switches as VCPs to interconnect the member switches in wiring closet A to the member switch in wiring closet B. For redundancy, this example connects uplink VCPs from two member switches in wiring closet A (SWA–0 and SWA–2) to two member switches (SWA-5 and SWA-7) in wiring closet B.

NOTE: You can use interfaces on SFP, SFP+, and XFP uplink modules and the SFP network ports on EX4200-24F switches as VCPs. When an uplink module port or SFP network port is set as a VCP, it cannot be used for any other purpose. The SFP uplink module has four 1-Gbps ports; the SFP+ uplink module has four 1-Gbps or two 10-Gbps ports; the XFP uplink module has two 10-Gbps ports. The uplink module ports that are not set as VCPs can be configured as trunk ports to connect to a distribution switch.

Because this particular preprovisioned configuration is for a Virtual Chassis that is interconnected across wiring closets, we will bring up the Virtual Chassis configuration in stages. First, we power on SWA-0 (without powering on any other switches) and create the preprovisioned configuration file. Then we power on the remaining switches in wiring closet A. If we check the status of the Virtual Chassis configuration at this point by using the show virtual-chassis status command, it will display only member 0 through member 4. The members that have not yet been interconnected will not be listed. Next power on SWA-5 without powering on the remaining switches (SWA-6 through SWA-9) in wiring closet B. Bring up SWA-5 as a standalone switch and set one of its uplinks as a VCP prior to interconnecting it with the Virtual Chassis configuration in wiring closet A. Without this setting, SWA-5 cannot be detected as a member switch by the master of the Virtual Chassis configuration.


1367

®


You can set the uplink VCP of SWA-5 without running the EZSetup program by directly connecting to the console port. If you wish, you can run the EZSetup program and specify identification parameters. When you interconnect SWA-5 with the master of the Virtual Chassis configuration, the master overwrites any conflicting parameters. After setting the VCP in SWA-5, connect this VCP with the VCP of SWA-0 in wiring closet A. SWA-5 (serial number pqr678) is specified as a routing-engine in the preprovisioned configuration file. This example uses SWA-5 as the backup of the Virtual Chassis configuration. If a problem occurred in wiring closet A, SWA-5 would take control of the Virtual Chassis configuration and maintain the network connections. Specify both SWA-0 and SWA-5 as routing-engine. Because SWA-0 is powered on prior to SWA-5, it has additional prioritization properties that cause it to be elected as master of the Virtual Chassis configuration. After being physically interconnected with SWA-0, SWA-5 reboots and comes up as member 5 and as the backup of the Virtual Chassis configuration. Power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. The master can now detect that all members are present. Finally, for redundancy, configure an additional VCP on SWA-7 through the master. The topology for this example consists of: •

Three EX4200-48P switches (SWA-0 , SWA-2, and SWA-4) in wiring closet A.

•

Two EX4200-48P switches (SWA-5 and SWA-9) in wiring closet B.

•

Two EX4200-24T switches (SWA-1 and SWA-3) in wiring closet A.

•

Three EX4200-24T switches (SWA-6, SWA-7, and SWA-8) in wiring closet B.

•

Four XFP uplink modules. Two are installed in wiring closet A and two are installed in wiring closet B.

Table 158 on page 1368 shows the Virtual Chassis configuration settings for a preprovisioned Virtual Chassis composed of member switches in different wiring closets.

Table 158: Components of a Preprovisioned EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets Switch

Serial number

Member ID

Role

Uplink Module Ports

SWA-0

abc123

0

routing-engine

xe-0/1/0

SWA-1

def456

1

linecard

SWA-2

ghi789

2

linecard

SWA-3

jkl012

3

linecard

1368

xe-2/1/0

Hardware

Location

EX4200-48P and XFP uplink module

Wiring closet A

EX4200-24T

Wiring closet A


Wiring closet A

EX4200-24T

Wiring closet A



Table 158: Components of a Preprovisioned EX4200 Virtual Chassis Interconnected Across Multiple Wiring Closets (continued) Switch

Serial number

Member ID

Role

SWA-4

mno345

4

linecard

SWA-5

pqr678

5

routing-engine

Uplink Module Ports

xe-0/1/0

NOTE: The member ID of SWA-5 is 0 at the time that its uplink module port is configured as a VCP.

Hardware

Location

EX4200-48P

Wiring closet A


Wiring closet B

EX4200-24T

Wiring closet B

EX4200-24T and XFP uplink module

Wiring closet B

SWA-6

stu901

6

linecard

SWA-7

vwx234

7

linecard

SWA-8

yza567

8

linecard

EX4200-24T

Wiring closet B

SWA-9

bcd890

9

linecard

EX4200-48P

Wiring closet B

xe-7/1/0

Figure 37 on page 1370 shows the different types of interconnections used for this Virtual Chassis configuration. The rear view shows that the member switches within each wiring closet are interconnected to each other using the dedicated VCPs. The front view shows that the uplink module ports that have been set as VCPs and interconnected across the wiring closets. The uplink module ports that are not set as VCPs can be configured as trunk ports to connect to a distribution switch.

NOTE: The interconnections shown in Figure 37 on page 1370 are the same as they would be for a configuration that was not preprovisioned across wiring closets.


1369

®


Figure 37: Maximum Size EX4200 Virtual Chassis Interconnected Across Wiring Closets

Configuration To configure the Virtual Chassis across multiple wiring closets using a preprovisioned configuration, perform this task:



To create a preprovisioned configuration for the Virtual Chassis: 1.

Specify the preprovisioned configuration mode: [edit virtual-chassis] user@SWA–0# set preprovisioned

2.

1370

Specify all the members that will be included in the Virtual Chassis configuration, listing each switch's serial number with the desired member ID and the desired role:



[edit virtual-chassis] user@SWA–0# set member 0 serial-number abc123 role routing-engine user@SWA–0# set member 1 serial-number def456 role line-card user@SWA–0# set member 2 serial-number ghi789 role line-card user@SWA–0# set member 3 serial-number jkl012 role line-card user@SWA–0# set member 4 serial-number mno345 role line-card user@SWA–0# set member 5 serial-number pqr678 role routing-engine user@SWA–0# set member 6 serial-number stu901 role line-card user@SWA–0# set member 7 serial-number vwx234 role line-card user@SWA-0# set member 8 serial-number yza567 role line-card user@SWA–0# set member 9 serial-number bcd890 role line-card 3.

Power on the member switches in wiring closet A.

4.

Prepare the members in wiring closet A for interconnecting with the member switches in wiring closet B by setting uplink VCPs for member 0 and member 2: user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0 member 2

NOTE: • For redundancy, this example sets an uplink VCP in both SWA-0 and SWA-2. •

This example omits the specification of the member 0 in setting the uplink for SWA-0. The command applies by default to the switch where it is executed.

5.

Power on SWA-5 and connect to it. This switch comes up as member ID 0 and functions as master of itself. Although SWA-5 is listed in the preprovisioned configuration file, it is not a present member of the Virtual Chassis configuration that has been powered on thus far. In order for the master to detect SWA-5 as a connected member, you must first set an uplink VCP on SWA-5 and interconnect that VCP with the uplink VCP of SWA-0.

6.

Set the first uplink of SWA-5 to function as a VCP. Because SWA-5 has been powered on as a separate switch and is still operating independently at this point, its member ID is 0. user@SWA-5> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: This example omits the specification of the member 0 in configuring the uplink for SWA-5 (at this point the member ID of SWA-5 is still 0). The command applies by default to the switch where it is executed.

7.

Power off SWA-5 and connect the fiber cable from SWA-5 uplink VCP xe-0/1/0 to the uplink VCP xe-0/1/0 on SWA-0.

8.

Power on SWA-5.


1371

®


9.

Now that SWA-5 has been brought up as member 5 of the Virtual Chassis configuration, power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. They are interconnected with SWA-5 using the dedicated VCPs on the rear panel and are therefore detected by the master as interconnected members. If you check the status of the Virtual Chassis configuration at this point, all the members that were specified in the preprovisioned configuration file should be displayed as present. Additional configuration for member switches can now be done through the master switch.

10.

Set one uplink module port of SWA-7 to function as a VCP: user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 7

Results

Display the results of the configuration on SWA-0: [edit] user@SWA-0# show virtual-chassis { member 0 { role routing-engine; serial-number abc123; } member 1 { role line-card; serial-number def456; } member 2 { role line-card; serial-number ghi789; } member 3 { role line-card; serial-number jkl012; } member 4 { role line-card; serial-number mno345; } member 5 { role routing-engine; serial-number pqr678; } member 6 { role line-card; serial-number stu901; } member 7 { role line-card; serial-number vwx234; } member 8 { role line-card; serial-number yza567; } member 9 {

1372



role line-card; serial-number bcd890; } preprovisioned; }



•

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 1374

Verifying the Member IDs and Roles of the Member Switches Purpose Action

Verify that the member IDs and roles are all set as expected. Display the members of the Virtual Chassis configuration: user@SWA-0> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: 0000.e255.0000 Mastership Priority Role

Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4200-48p

129

1 (FPC 1)

Prsnt

def456

ex4200-24t

2 (FPC 2)

Prsnt

ghi789

3 (FPC 3)

Prsnt

4 (FPC 4)


Master*

1 vcp-0 4 vcp-1 5 1/0

0

Linecard

2 vcp-0 0 vcp-1

ex4200-48p

0

Linecard

3 vcp-0 1 vcp-1 7 1/0

jkl012

ex4200-24t

0

Linecard

4 vcp-0 2 vcp-1

Prsnt

mno345

ex4200-48p

0

Linecard

0 vcp-0 3 vcp-1

5 (FPC 5)

Prsnt

pqr678

ex4200-48p

129

Backup

6 vcp-0 9 vcp-1 0 1/0

6 (FPC 6)

Prsnt

stu901

ex4200-24t

0

Linecard

7 vcp-0 5 vcp-1

7 (FPC 7)

Prsnt

vwx234

ex4200-24t

0

Linecard

8 vcp-0 6 vcp-1 2 1/0

8 (FPC 8)

Prsnt

yza567

ex4200-24t

0

Linecard

9 vcp-0 7 vcp-1

9 (FPC 9)

Prsnt

bc7890

ex4200-48p

0

Linecard

5 vcp-0 8 vcp-1


1373

®


Meaning

The output shows that all members listed in the preprovisioned configuration file are connected to the Virtual Chassis configuration. It confirms that SWA-0 (member 0) is functioning as the master of the Virtual Chassis configuration. The other switch configured with the routing-engine role (SWA-5) is functioning as the backup. The Neighbor List displays the interconnections of the member VCPs.

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational Purpose

Action

Verify that the dedicated VCPs interconnecting the member switches within each wiring closet and the uplink module VCPs interconnecting the member switches across wiring closets are operational. Display the VCP interfaces: user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc1: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc3: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc4: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up

1374



fpc5: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc6: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc7: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc8: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up

fpc9: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up

Meaning

The dedicated VCPs interconnecting the member switches within wiring closets are displayed as vcp-0 and vcp-1. The uplink module VCPs interconnecting member switches (members 0, 2, 5, and 7) across wiring closets are displayed as 1/0 and 1/1 and identified as Configured.

Troubleshooting To troubleshoot a preprovisioned Virtual Chassis configuration that is interconnected across wiring closets, perform these tasks: •



1375

®



A VCP shows a status of down.

Solution



•


•


•


•


Example: Configuring a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis You can deterministically control both the role and the member ID assigned to each member switch in a mixed EX4200 and EX4500 Virtual Chassis configuration by creating a preprovisioned configuration.

NOTE: When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces.

This example describes how to configure a mixed EX4200 and EX4500 Virtual Chassis using a preprovisioned configuration file: •


•


•


•


•





1376



•

Two EX4500 switches, each with a Virtual Chassis module

•

Two EX4200 switches

Before you create the preprovisioned configuration of the Virtual Chassis and interconnect the members across the wiring closets, be sure you have: 1.

Made a list of the serial numbers of all the switches to be connected as a Virtual Chassis configuration.

2. Noted the desired role (routing-engine or line-card) for each switch. 3. Ensured that the same version of Junos OS is running on all current or prospective

member switches.

Overview and Topology A preprovisioned configuration file links the serial number of each switch in the Virtual Chassis configuration to a specified member ID and role. The serial number must be specified in the configuration file for the member to be recognized as part of the Virtual Chassis configuration. You designate additional members, which are not eligible for election as master, as having the line-card role in the preprovisioned configuration file. In this example, two EX4500 switches (SWA-0 and SWA-1) are in the routing-engine role and interconnected to two EX4200 switches (SWA-2 and SWA-3) in the linecard role using dedicated Virtual Chassis ports (VCPs). SWA-0 will be the master of the Virtual Chassis configuration. This example shows how to create a preprovisioned configuration file on SWA-0 for all member switches that will be interconnected in the Virtual Chassis configuration. The preprovisioned configuration file includes member IDs for all member switches. SWA-1 will be the backup of the Virtual Chassis configuration. Both SWA-0 and SWA-1 are specified in the preprovisioned configuration file with the role of routing-engine. All other members are specified with the role of line-card. After all member switches are interconnected with their dedicated VCPs, you can simply power on the switches after saving and committing the preprovisioned configuration file. The master detects the connection of the members through the dedicated VCPs and applies the parameters specified in the preprovisioned configuration file.

NOTE: You can use interfaces on SFP, SFP+, and XFP uplink modules as VCPs. When an uplink module port or SFP network port is set as a VCP, it cannot be used for any other purpose.

We will bring up the Virtual Chassis configuration in stages. First, we power on SWA-0 (without powering on any other switches) and create the preprovisioned configuration file. Then we power on the remaining switches.


1377

®


The topology for this example consists of: •

Two EX4500 switches (SWA-0 and SWA-1)

•

Two EX4200 switches (SWA-2 and SWA-3)

Table 159 on page 1378 shows the Virtual Chassis configuration settings for a preprovisioned Virtual Chassis.

Table 159: Components of a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis Switch

Serial number

Member ID

Role

Hardware

SWA-0

abc123

0

routing-engine

EX4500 switch with a Virtual Chassis module

SWA-1

def456

1

routing-engine

EX4500 switch with a Virtual Chassis module

SWA-2

ghi789

2

line-card

EX4200 switch

SWA-3

jkl012

3

line-card

EX4200 switch

Configuration To configure the Virtual Chassis across multiple wiring closets using a preprovisioned configuration, perform this task:



To create a preprovisioned configuration for the Virtual Chassis: 1.

Power on the EX4500 switch (SWA-0)in the master role..

2.

Set the PIC mode to Virtual Chassis mode on SWA-0: user@switch> request chassis pic-mode virtual-chassis

3.

Set the Virtual Chassis mode to mixed: user@switch> request virtual-chassis mode mixed

4.

Reboot the switch.

5.

After the switch reboots, specify the preprovisioned configuration mode: [edit virtual-chassis] user@SWA–0# set preprovisioned

6.

Specify all members to be included in the Virtual Chassis configuration, listing each switch's serial number with the desired member ID and the desired role: [edit virtual-chassis] user@SWA–0# set member 0 serial-number abc123 role routing-engine user@SWA–0# set member 1 serial-number def456 role line-card user@SWA–0# set member 2 serial-number ghi789 role line-card user@SWA–0# set member 3 serial-number jkl012 role line-card

1378



7.

Power on the remaining switches.

8.

Set the Virtual Chassis mode to mixed on the remaining switches: user@switch> request virtual-chassis mode mixed

Results

9.

Reboot the switches.

10.

When the reboot completes, physically cable the switches together using the dedicated VCPs.

Display the results of the configuration on SWA-0: [edit] user@SWA-0# show virtual-chassis { member 0 { role routing-engine; serial-number abc123; } member 1 { role line-card; serial-number def456; } member 2 { role line-card; serial-number ghi789; } member 3 { role line-card; serial-number jkl012; } preprovisioned; }



Verifying the Member IDs and Roles of the Member Switches Purpose Action

Verify that the member IDs and roles are all set as expected. Display the members of the Virtual Chassis configuration: user@SWA-0> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: 0000.e255.0000 Mastership Priority Role

Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4500-40f

129

1 (FPC 1)

Prsnt

def456

ex4500-40f

0



Master*

1 vcp-1 3 vcp-0

Backup

0 vcp-0

1379

®


2 vcp-1

Meaning

2 (FPC 2)

Prsnt

ghi789

ex4200-48p

0

Linecard

1 vcp-0 3 vcp-1

3 (FPC 3)

Prsnt

jkl012

ex4200-24t

0

Linecard

2 vcp-0 0 vcp-1

The output shows that all members listed in the preprovisioned configuration file are connected to the Virtual Chassis configuration. It confirms that SWA-0 (member 0) is functioning as the master of the Virtual Chassis configuration. The other switch configured with the routing-engine role (SWA-1) is functioning as the backup. The Neighbor List displays the interconnections of the member VCPs.

Troubleshooting To troubleshoot a preprovisioned Virtual Chassis configuration that is interconnected across wiring closets, perform these tasks: •



A VCP shows a status of down.

Solution



•


•


•


Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When an EX4200 Virtual Chassis Switch or Intermember Link Fails The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link or switch failure. If a link between two members fails, traffic flow between those members must be rerouted quickly so that there is minimal traffic loss. Fast failover is enabled by default on all dedicated EX4200 Virtual Chassis ports (VCPs). This example describes how to configure fast failover on uplink module VCPs in an EX4200 Virtual Chassis configuration:

1380

•


•




•


•




•

Six EX4200-24T switches

•

Four SFP uplink modules

Before you begin configuring fast failover, be sure you have: 1.

Mounted the switches. See Mounting an EX4200 Switch.

2. Cabled the switches in a multiple-ring topology to create the Virtual Chassis

configuration. See Connecting a Virtual Chassis Cable to an EX4200 Switch.

Overview and Topology In a Virtual Chassis configuration, fast failover automatically reroutes traffic and reduces traffic loss in the event of a link failure or a member switch failure. By default, fast failover is enabled on all dedicated VCPs. If you configure uplink module ports as VCPs, you must manually configure fast failover on these ports. For fast failover to be effective, the Virtual Chassis members must be configured in a ring topology. The ring topology can be formed by using either dedicated VCPs or user-configured uplink module VCPs. Fast failover is supported only in a ring topology that uses identical port types, for example, either a topology that uses all dedicated VCPs or one that uses all uplink module VCPs. Fast failover is not supported in a ring topology that includes both dedicated VCPs and uplink module VCPs. Fast failover is supported, however, in a Virtual Chassis configuration that consists of multiple rings. This example shows how to enable fast failover on uplink module VCPs. Figure 38 on page 1382 shows an example of a multiple-ring topology.


1381

®


Figure 38: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings

The topology for this example consists of six switches: •

Six EX4200-24T switches, four of which have an SFP uplink module installed (switches 1, 3, 4, and 6)

Configuration To configure the fast failover feature on uplink module VCPs: CLI Quick Configuration

To configure fast failover on all SFP uplink module VCPs, copy the following command and paste it into the terminal window on switch 1: [edit] set virtual-chassis fast-failover ge

1382




To configure fast failover on SFP uplink module VCPs: 1.

Enable fast failover on all SFP uplink module VCPs in the Virtual Chassis configuration: [edit] user@switch1# set virtual-chassis fast-failover ge


Results

Check the results of the configuration: [edit virtual-chassis] user@switch1# show fast-failover { ge; }

Verification To confirm that fast failover is enabled on SFP uplink module VCPs in the Virtual Chassis configuration, perform this task: •

Verifying That Fast Failover Is Enabled on page 1383

Verifying That Fast Failover Is Enabled Purpose Action

Verify that fast failover has been enabled in a Virtual Chassis configuration. Issue the show virtual-chassis fast-failover command. user@switch1> show virtual-chassis fast-failover

Fast failover on dedicated VCP ports: Enabled Fast failover on XE uplink VCP ports: Disabled Fast failover on GE uplink VCP ports: Enabled

Meaning


Fast failover is enabled on all dedicated VCPs and SFP uplink module VCPs in the Virtual Chassis configuration.

•

Configuring Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis on page 1442

•

Disabling Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis on page 1443

•


•



1383

®


Example: Assigning the Virtual Chassis ID to Determine Precedence During an EX4200 Virtual Chassis Merge There are two scenarios in which separate Virtual Chassis merge: •

A Virtual Chassis configuration that had split into two is now merging back into a single configuration because the problem that had caused it to split has been resolved.

•

You merge two Virtual Chassis that had not previously been configured together.

You can explicitly assign a Virtual Chassis ID (VCID) so that, when two EX4200 Virtual Chassis configurations merge, the ID that you assigned takes precedence over the automatically assigned VCIDs and becomes the ID of the newly merged Virtual Chassis configuration. This example shows how to assign the VCID on an EX4200 Virtual Chassis. This process is identical on an EX4500 Virtual Chassis and on a mixed EX4200 and EX4500 Virtual Chassis. This example describes how to assign the VCID in an EX4200 Virtual Chassis configuration: •


•


•


•




•


•

Two EX4200-24T switches


Installed the switches. See Mounting an EX4200 Switch.

2. Cabled the switches to create the Virtual Chassis configuration. See Connecting a

Virtual Chassis Cable to an EX4200 Switch.

Overview and Topology Every Virtual Chassis configuration has a unique ID that is automatically assigned when the Virtual Chassis configuration is formed. You can also configure a Virtual Chassis ID using the set virtual-chassis id command. When two Virtual Chassis merge, the Virtual Chassis ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID for the newly merged Virtual Chassis configuration. The topology for this example consists of four switches:

1384



•

Two EX4200-24T switches

•


The switches are connected as a four-member Virtual Chassis configuration and are identified as switch-A, switch-B, switch-C, and switch-D. The master is switch-A.

Configuration To assign the Virtual Chassis ID in a Virtual Chassis configuration: CLI Quick Configuration

To assign a Virtual Chassis ID so that when two Virtual Chassis configurations merge, the ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID of the newly merged Virtual Chassis configuration, copy the following command and paste it into the terminal window: [edit] set virtual-chassis id 9622.6ac8.5345


To assign the Virtual Chassis ID in a Virtual Chassis configuration: 1.

Assign the Virtual Chassis ID: [edit] user@switch-A# set virtual-chassis id 9622.6ac8.5345


Verification To verify that the Virtual Chassis ID has been assigned as you intended, perform these tasks: •

Verifying That the Virtual Chassis ID Is Assigned on page 1385

Verifying That the Virtual Chassis ID Is Assigned Purpose Action

Verify that the Virtual Chassis ID has been assigned in a Virtual Chassis configuration. Issue the show configuration virtual-chassis id command. user@switch-A> show configuration virtual-chassis id id 9622.6ac8.5345;

Meaning


The Virtual Chassis ID has been assigned as 9622.6ac8.5345.

•


•



1385

®


•


Example: Configuring Link Aggregation Groups Using EX4200 Uplink Virtual Chassis Ports You can form link aggregation groups (LAGs) between EX4200 Virtual Chassis member switches in different wiring closets using uplink Virtual Chassis ports (VCPs) and, on EX4200-24F switches, network VCPs. LAGs balance traffic across the member links, increase the uplink bandwidth, and provide increased availability. To form LAGs using uplink or network VCPs, you configure the uplink module interfaces or network interfaces on the member switches as VCPs and connect the VCPs using fiber-optic cables. For the LAGs to form, the uplink or network VCPs on each member switch that will form a LAG must operate at the same link speed and you must interconnect at least two uplink or network VCPs on each of those members. You can connect uplink or network VCPs operating at different link speeds, but they will not form a LAG.

NOTE: The LAGs formed by VCPs are different from LAGs formed by Virtual Chassis network interfaces. For more information on LAGs formed by network interfaces, see “Understanding EX3300, EX4200, and EX4500 Virtual Chassis Link Aggregation” on page 1294.

This example shows how to configure uplink module interfaces and network interfaces as VCPs on multiple member switches of a Virtual Chassis configuration and then connect them to form LAGs: •


•


•


•


•


Requirements This example uses the following hardware and software components:

1386

•


•

Five EX4200 switches, one of which is an EX4200-24F model

•

Two SFP uplink modules

•

Two XFP uplink modules



Before you configure the uplink module interfaces and network interfaces on Virtual Chassis member switches as VCPs and interconnect the members to form a LAG, be sure you have: 1.

Installed the SFP uplink modules in the SWA-0 and SWA-2 switches and installed the XFP uplink modules in the SWA-1 and SWA-3 switches. See Installing an Uplink Module in an EX4200 Switch.

2. Powered on SWA-0, connected it to the network, and run the EZSetup program. See

“Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details. 3. Configured SWA-0 with the virtual management Ethernet (VME) interface for remote,

out-of-band management of the Virtual Chassis configuration, if desired. See “Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1440. 4. Ensured that SWA-1 is not powered on and then interconnected SWA-0 and SWA-1

using the dedicated VCPs on the rear panel.

NOTE: The interfaces for the dedicated VCPs are operational by default. They do not need to be configured.

5. Ensured that SWA-2, SWA-3, and SWA-4 are not powered on. They are not connected

in any way, so when they are initially powered on they will be standalone switches.

Overview and Topology In this example, five EX4200 switches will be interconnected to form LAGs for ease of monitoring and manageability. Two of these switches (SWA-0 and SWA-1) are located in wiring closet A and the three others (SWA-2, SWA-3, and SWA-4) are located in wiring closet B. SWA-0 will form one LAG with SWA-2 and another LAG with SWA-4, and SWA-1 will form a LAG with SWA-3. We will use fiber-optic cables connected to the uplink and network VCPs to interconnect the member switches in wiring closet A to the member switches in wiring closet B. We will specify the highest mastership priority value (255) for SWA-0 to make it the master before we power on SWA-1. Because SWA-0 and SWA-1 are interconnected with the dedicated VCPs, the master detects that SWA-1 is a member of its Virtual Chassis configuration and assigns it a member ID. We will use SWA-2 as the backup of the Virtual Chassis configuration. We will configure the same mastership priority value for SWA-2 (255) that we configured for the master. Because we power on SWA-0 before we power on SWA-2, SWA-0 retains mastership of the Virtual Chassis configuration.


1387

®


NOTE: We recommend setting identical mastership priority values for the master and backup members for high availability and smooth transition of mastership in case the original master becomes unavailable.

We will configure the uplink module interfaces on three of the switches as uplink VCPs. On the EX4200-24F switch we will configure two of the network interfaces as VCPs. We will interconnect two of the SFP uplink VCPs on SWA-0 with two of the SFP uplink VCPs on SWA-2. Similarly, we will interconnect the two XFP uplink VCPs on SWA-1 with the two XFP uplink VCPs on SWA-3. Finally, we will connect the two remaining SFP uplink VCPs on SWA-0 with two network VCPs on SWA-4. As a result, three LAGs will be automatically formed. Figure 39 on page 1388 shows the interconnections used to form LAGs using uplink VCPs and the network VCPs after the procedure below has been completed.

Figure 39: EX4200 Virtual Chassis Interconnected Across Wiring Closets to Form LAGs

Configuration To configure the Virtual Chassis uplink module interfaces and network interfaces as uplink VCPs and interconnect them between two wiring closets to form LAGs, perform this task:

1388




To configure a Virtual Chassis across multiple wiring closets and interconnect them to form LAGs: 1.

Configure the mastership priority of SWA-0 (member 0) to be the highest possible value (255), thereby ensuring that it functions as the master of the expanded Virtual Chassis configuration: [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255

2.

Power on SWA-1.

3.

Prepare the members in wiring closet A for interconnecting with the member switches in wiring closet B by setting all of the SFP uplink module interfaces on SWA-0 and two of the uplink module interfaces on SWA-1 as uplink VCPs: user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0> user@SWA-0>

request virtual-chassis vc-port set pic-slot 1 port 0 request virtual-chassis vc-port set pic-slot 1 port 1 request virtual-chassis vc-port set pic-slot 1 port 2 request virtual-chassis vc-port set pic-slot 1 port 3 request virtual-chassis vc-port set pic-slot 1 port 0 member 1 request virtual-chassis vc-port set pic-slot 1 port 1 member 1

NOTE: This example omits the specification of the member member-id option in configuring the uplink VCPs for SWA-0 (and, later, for SWA-2). The command applies by default to the switch where it is executed.

4.

Power on SWA-2.

5.

If SWA-2 was previously configured, revert it to the factory default configuration. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

6.

Prepare SWA-2 in wiring closet B by configuring its mastership priority to be the highest possible value (255). Its member ID is currently 0, because it is not yet interconnected with the other members of the Virtual Chassis configuration. It is operating as a standalone switch. Its member ID will change when it is interconnected. [edit virtual-chassis] user@SWA-2# set member 0 mastership-priority 255

NOTE: SWA-2 is configured with the same mastership priority value that we configured for SWA-0. However, the longer uptime of SWA-0 ensures that, once the interconnection is made, SWA-0 functions as the master and SWA-2 functions as the backup.

7.

Specify two of the SFP uplink module interfaces in SWA-2 as uplink VCPs. The member IDs are 0, because they are not yet interconnected with the other members of the Virtual Chassis configuration:


1389

®


NOTE: The settings of the uplink VCPs remain intact when SWA-2 reboots and joins the Virtual Chassis configuration as member 2.

user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0 user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 1 8.

Power off SWA-2.

9.

Physically interconnect SWA-0 and SWA-2 across wiring closets using two of the uplink VCPs on each switch.

10.

Power on SWA-2. SWA-2 joins the Virtual Chassis configuration and a LAG is automatically formed between SWA-0 and SWA-2. In addition, although SWA-0 and SWA-2 have the same mastership priority value (255), SWA-0 was powered on first and thus has longer uptime. This results in SWA-0 retaining mastership while SWA-2 reboots and joins the now expanded Virtual Chassis configuration as the backup, with member ID 2.

11.

Power on SWA-3.

12.

If SWA-3 was previously configured, revert it to the factory default configuration.

13.

Specify both XFP uplink module interfaces in SWA-3 as uplink VCPs: user@SWA-3> request virtual-chassis vc-port set pic-slot 1 port 0 user@SWA-3> request virtual-chassis vc-port set pic-slot 1 port 1

14.

Power off SWA-3.

15.

Physically interconnect SWA-3 with SWA-2 using their dedicated VCPs.

16.

Physically interconnect SWA-1 and SWA-3 across wiring closets using their uplink VCPs.

17.

Power on SWA-3. It joins the Virtual Chassis configuration as member 3.

NOTE: Member ID 3 is assigned to SWA-3 because SWA-3 was powered on after members 0, 1, and 2.

A LAG is automatically formed between SWA-1 and SWA-3. In addition, both SWA-1 and SWA-3 have the default mastership priority value (128) and function in a linecard role. 18.

Power on SWA-4.

19.

If SWA-4 was previously configured, revert it to the factory default configuration.

20.

Configure two of the network interfaces on SWA-4 as uplink VCPs: user@SWA-4> request virtual-chassis vc-port set pic-slot 0 port 20 user@SWA-4> request virtual-chassis vc-port set pic-slot 0 port 21

21.

1390

Power off SWA-4.



Results

22.

Physically interconnect SWA-4 and SWA-0 across wiring closets using the network VCPs on SWA-4 and the two remaining SFP uplink VCPs on SWA-0.

23.

Power on SWA-4. A LAG is automatically formed between SWA-4 and SWA-0. In addition, SWA-4 joins the Virtual Chassis configuration in the linecard role.

Display the results of the configuration on SWA-0: user@SWA-0> show configuration virtual-chassis member 0 { mastership-priority 255; } member 1 { mastership-priority 128; } member 2 { mastership-priority 255; } member 3 { mastership-priority 128; } member 4 { mastership-priority 128; } }



•



Action

Verify that all the interconnected member switches are included within the Virtual Chassis configuration and that their roles are assigned appropriately. Display the members of the Virtual Chassis configuration: user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0000.e255.00e0 Mastership Priority

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4200-48p

255

Master*

1 1 2 2 4 4

1 (FPC 1)

Prsnt

def456

ex4200-24t

128

Linecard

0 vcp-0 0 vcp-1


Role


Member ID

vcp-0 vcp-1 vcp-255/1/0 vcp-255/1/1 vcp-255/0/20 vcp-255/0/21

1391

®


3 vcp–255/1/0 3 vcp–255/1/1

Meaning

2 (FPC 2)

Prsnt

ghi789

ex4200-48p

255

Backup

3 3 0 0

vcp-0 vcp-1 vcp-255/1/0 vcp-255/1/1

3 (FPC 3)

Prsnt

jkl012

ex4200-24t

128

Linecard

2 2 1 1

vcp-0 vcp-1 vcp–255/1/0 vcp–255/1/1

4 (FPC 4)

Prsnt

mno345

ex4200-24f

128

Linecard

0 vcp-255/1/2 0 vcp-255/1/3

The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected by the dedicated VCPs, by uplink VCPs, and by network VCPs.

Verifying That the VCPs Are Operational Purpose

Action

Verify that the dedicated VCPs interconnecting member switches in wiring closets A and B and the uplink and network VCPs interconnecting the member switches between wiring closets are operational. Display the Virtual Chassis interfaces: user@SWA-0> show virtual-chassis vc-port all-members

fpc0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 1 vcp-0 vcp-1 Dedicated 2 Up 32000 1 vcp-1 1/0 Configured 3 Up 1000 2 vcp-255/1/0 1/1 Configured 3 Up 1000 2 vcp-255/1/1 1/2 Configured 4 Up 1000 4 vcp-255/0/20 1/3 Configured 4 Up 1000 4 vcp-255/0/21 fpc1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 0 vcp-0 vcp-1 Dedicated 2 Up 32000 0 vcp-1 1/0 Configured 3 Up 10000 3 vcp-255/1/0 1/1 Configured 3 Up 10000 3 vcp-255/1/1 fpc2: --------------------------------------------------------------------------

1392



Interface or PIC / Port vcp-0 vcp-1 1/0 1/1 1/2 1/3

Type

Dedicated Dedicated Configured Configured

Trunk ID 1 2 3 3 —1 —1

Status

Speed (mbps)

Neighbor ID Interface

Up Up Up Up Down Down

32000 32000 1000 1000 1000 1000

3 3 0 0

vcp-0 vcp-1 vcp-255/1/0 vcp-255/1/1

fpc3: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 2 vcp-0 vcp-1 Dedicated 2 Up 32000 2 vcp-1 1/0 Configured 3 Up 10000 1 vcp-255/1/0 1/1 Configured 3 Up 10000 1 vcp-255/1/1 fpc4: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Down 32000 vcp-1 Dedicated 2 Down 32000 0/20 Configured 3 Up 1000 0 vcp-255/1/2 0/21 Configured 3 Up 1000 0 vcp-255/1/3

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplink module interfaces that have been set as uplink VCPs are displayed as 1/0, 1/1, 1/2, and 1/3. The network interfaces that have been set as VCPs are displayed as 0/20 and 0/21. The neighbor interface names of uplink and network VCPs are of the form vcp-255/pic/port—for example, vcp-255/1/0. In that name, vcp-255 indicates that the interface is a VCP, 1 is the uplink PIC number, and 0 is the port number. The fpc number is the same as the member ID. The trunk ID is a positive number ID assigned to the LAG formed by the Virtual Chassis. If no LAG is formed, the value is –1.

NOTE: Each switch assigns the trunk IDs to its local interfaces. As a result, the pair of interfaces that form one end of a LAG on one switch will have the same trunk ID, and the pair of interfaces that form the other end of the LAG will have the same trunk ID, but the trunk IDs on either end of the LAG might be different. For example, in Figure 39 on page 1388, the uplink VCPs 1/2 and 1/3 on SWA-0 form a LAG with the network VCPs 0/20 and 0/21 on SWA-4. Uplink VCPs 1/2 and 1/3 on SWA-0 both have trunk ID 4, while network VCPs 0/20 and 0/21 on SWA-4 both have trunk ID 3. The trunk IDs are different between the switches because SWA-0 assigns the trunk IDs for its local uplink VCPs and SWA-4 assigns the trunk IDs for its local VCPs.


1393

®


Troubleshooting To troubleshoot a Virtual Chassis configuration that is interconnected across wiring closets, perform this task: •



An uplink VCP shows a status of down.

Solution

•

Check the cable to make sure that it is properly and securely connected to the interfaces.

•

If the VCP is an uplink module interface, make sure that it has been explicitly set as an uplink VCP.

•

If the VCP is an uplink module interface, make sure that you have specified the options (pic-slot, port, and member) correctly.

•


•


•


•



Example: Configuring Automatic Software Update on EX4200 Virtual Chassis Member Switches The automatic software update feature automatically updates the Junos OS version on prospective member switches as they are added to a Virtual Chassis configuration of EX4200 switches so the new member switch immediately joins the EX4200 Virtual Chassis configuration and is put in the active state. If the software version on the new switch is not the same as the version running on the master, the master keeps the new switch in the inactive state. If you have not enabled the automatic software update feature, you will have to manually install the correct software version on each prospective member switch as it is added to the Virtual Chassis configuration. This example describes how to configure the Virtual Chassis automatic software update feature:

1394

•


•


•


•





Three EX4200 switches

•



Ensured that two member switches are running the same version of Junos OS for EX Series switches so that they can form the initial Virtual Chassis configuration.

2. Cabled and powered on those two switches to create the Virtual Chassis configuration.

See Connecting a Virtual Chassis Cable to an EX4200 Switch. 3. Ensured that you know the name or the URL of the software package to be used by

the automatic software update feature. 4. If you are going to perform an automatic software update, ensure that the version of

Junos OS running on the Virtual Chassis is compatible with the version of Junos OS running on the prospective member switch for automatic software update. See “Understanding Automatic Software Update on EX4200 and EX4500 Virtual Chassis Member Switches” on page 1308.

Overview and Topology For a standalone EX4200 switch to join an existing Virtual Chassis configuration, it must be running the same version of Junos OS that is running on the Virtual Chassis master. If the software version on the new switch is not the same as the version running on the master, the master keeps the new switch in the inactive state. The topology for this example consists of three EX Series switches. Two of the switches are connected in a Virtual Chassis configuration and are therefore running the same version of Junos OS for EX Series switches. The third switch is a standalone switch that is running a different software version than the Virtual Chassis member switches. In this example, we will enable the automatic software update feature on the Virtual Chassis configuration and then add the third switch to the configuration. The master will detect the presence of the new switch, check the software version running on the new switch, and, because it is not the same version currently running on the master, will update the software version on the new switch and reboot the switch so that it can join the Virtual Chassis configuration and immediately be put in the active state.

Configuration To configure automatic software update, perform this task: Step-by-Step Procedure

To configure automatic software update: 1.

Enable automatic software update and configure the path to the software package: [edit]


1395

®


user@switch# set virtual-chassis auto-sw-update package-name /var/tmp/jinstall-ex-4200-10.0R1.1-domestic-signed.tgz 2.

Results

Connect the new switch to the existing Virtual Chassis configuration, and power on the switch.

Check the results of the configuration: [edit virtual-chassis] user@switch# show auto-sw-update { package-name /var/tmp/jinstall-ex-4200-10.0R1.1-domestic-signed.tgz; }

Verification To verify that the software version on the new switch has been updated and that the switch has joined the Virtual Chassis configuration, perform this task: •

Verifying That the Software Version Is Updated on page 1396

Verifying That the Software Version Is Updated Purpose

Verify that the new switch has joined the Virtual Chassis configuration.

NOTE: If the software version on the new switch had not been updated successfully, the master would not allow the switch to join the Virtual Chassis configuration.

Action

Issue the show virtual-chassis status command. user@switch> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0

Meaning


1396

Member ID 0 (FPC 0)

Status Prsnt

Mastership Serial No Model priority AK0207360276 ex4200-24t 255

Role Master*

1 (FPC 1)

Prsnt

AK0207360281 ex4200-24t

255

Backup

2 (FPC 2)

Prsnt

AJ0207391130 ex4200-48p

128

Linecard

Neighbor List ID Interface 1 vcp-1 2 vcp-0 2 vcp-1 0 vcp-0 0 vcp-1 1 vcp-0

Because in the initial two-member Virtual Chassis configuration member 0 was the master and member 1 was the backup, the output shows that the new switch has been assigned member ID 2 and has been given the Linecard role. The Status field shows that member 2 is Prsnt, which means that it is in the active state.

•


•




Example: Configuring an EX3300 Virtual Chassis with a Master and Backup A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant network accessibility with a basic two-member EX3300 Virtual Chassis and later expand the Virtual Chassis configuration to provide additional access ports as your office grows. This example describes how to configure an EX3300 Virtual Chassis with a master and backup in a single wiring closet. You could use the same software configuration, however, if the EX3300 switches were connected across wiring closets. •


•


•


•


•




•

Two EX3300 switches



2. Cabled the switches. See Virtual Chassis Cabling Configuration Examples for EX3300

Switches.

Overview and Topology A Virtual Chassis configuration allows you to accommodate the networking needs of a growing office. The default configuration of a two-member Virtual Chassis includes a master and a backup switch. In addition to providing more access ports than a single switch can provide, a Virtual Chassis configuration provides high availability through redundancy. This example shows a Virtual Chassis configuration composed of two EX3300 switches. By default, EX3300 switches have two uplink ports configured as Virtual Chassis ports (VCPs). The EX3300 Virtual Chassis is connected using these VCPs. After you interconnect the switches with the VCPs and power on the switches, the VCPs are operational. The mastership priorities and member IDs are assigned by the software. The software elects a master based on several criteria, including how long a member switch has belonged to the Virtual Chassis configuration. For additional details, see “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. Therefore, we recommend that you start by powering on only one member switch, the one that you want to function as the master.


1397

®



The topology for this example consists of two EX3300 switches. Table 160 on page 1398 shows the default configuration settings for the two-member Virtual Chassis.


Hardware

Member ID

Role and Priority

SWA-0

EX3300 switch

0


SWA-1

EX3300 switch

1




Make sure the VCPs on the rear panel of the member switches are properly cabled. See Virtual Chassis Cabling Configuration Examples for EX3300 Switches.

2.


3.

Check the front-panel LCD to confirm that the switch has powered on correctly.

4.

Run the EZSetup program on SWA-0, specifying the identification parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 or “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259 for details.

5.


6.


7.

Power on SWA-1.

Verification To confirm that the Virtual Chassis configuration is operational, perform these tasks:

1398

•


•





Action

Verify that the master, which has been selected by default, is the member switch that you want to function in that role. 1.



1 (FPC 1)

Status Prsnt

Prsnt

Mastership Serial No Model priority AK0207360276 ex3300-24t 128

AK0207360281 ex3300-24t

128

Role Master*

Backup

Neighbor List ID Interface 1 vcp-255/1/2 1

vcp-255/1/3

0

vcp-255/1/2

0

vcp-255/1/3


Meaning

The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected. The output shows that SWA-0, member 0, has been assigned default mastership priority 128. Because SWA-0 is the first member to be powered on, it has the most seniority and is therefore assigned the role of master. SWA-1 is powered on after member 0, so it is assigned the role of backup. The member IDs are displayed on the front panel of the switches. Check and confirm whether the default assignment is satisfactory.


Verify that the VCPs interconnecting the switches are operational. Display the VCPs of all the members: user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status Speed Neighbor or (mbps) ID Interface PIC / Port 1/2 Configured Up 10000 1 vcp-255/1/2 1/3 Configured Up 10000 1 vcp-255/1/3 fpc1: -------------------------------------------------------------------------Interface Type Status Speed Neighbor


1399

®


or PIC / Port 1/2 1/3

Meaning

Configured Configured

(mbps)

ID

10000 10000

0 0

Up Up

Interface vcp-255/1/2 vcp-255/1/3

The show virtual-chassis vc-port command lists the interfaces that are enabled for the member switches of the Virtual Chassis configuration and shows the status of the interfaces. The output in this example shows that two of the VCPs are operational and two VCPs are not. A single cable has been used to interconnect vcp-0 of member ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the switch to be operational. However, we recommend that you connect the second set of VCPs for redundancy.



•




Solution



The VCPs are down.

Solution

1.



You should generally cable and interconnect both of the VCPs on the member switches, for redundancy and high availability.


•

Configuring an EX3300 Virtual Chassis (CLI Procedure) on page 1446

Example: Expanding an EX3300 Virtual Chassis An EX3300 Virtual Chassis is a scalable switch composed of multiple interconnected EX3300 switches.

1400



This example describes how to configure an expanding EX3300 Virtual Chassis within a single wiring closet. The process, however, would be identical if you were connecting EX3300 member switches in different wiring closets: •


•


•


•


•




•


Before you begin, be sure you have confirmed that the existing EX3300 Virtual Chassis configuration is operating correctly. See “Verifying That Virtual Chassis Ports on an EX3300, EX4200, or EX4500 Switch Are Operational” on page 1458.

Overview and Topology A Virtual Chassis configuration can be expanded without disrupting the site's network connectivity. This example describes adding a member switch to an existing Virtual Chassis configuration to provide additional access ports for connecting more PCs and voice over IP (VoIP) phones at this location. You can continue to expand the Virtual Chassis configuration with additional members in the same wiring closet, using the same procedure. If you want to retain the roles of the existing master and backup switches, explicitly configure the mastership priority of these switches, specifying the highest possible value (255) for both the master and the backup. During expansion, the existing Virtual Chassis configuration can remain powered on and connected to the network. Before powering up the new switch, interconnect it to the other switches using the default VCP uplink ports on the front panel. Do not run the EZSetup program on the added member switch. This example shows an existing Virtual Chassis configuration composed of two EX3300 switches. The Virtual Chassis configuration is being expanded to include an additional EX3300 switch. The topology for this example consists of three EX3300 switches. Table 161 on page 1402 shows the configuration settings for the expanded Virtual Chassis.


1401

®


Table 161: Components of the Expanded Virtual Chassis Access Switch Member Switch

Hardware

Member ID


SWA-0

EX3300 switch

0


SWA-1

EX3300 switch

1


SWA-2

EX3300 switch

2


Configuration To expand a Virtual Chassis configuration to include additional member switches within a single wiring closet, perform these tasks:



To maintain the master and backup roles of the existing members and ensure that the new member switch functions in a linecard role, copy the following commands and paste them into the terminal window: [edit] user@SWA-0# set virtual-chassis member 0 mastership-priority 255 user@SWA-1# set virtual-chassis member 1 mastership-priority 255


To ensure that the existing member switches retain their current roles and to add another member switch in a linecard role: 1.

Configure the mastership priority of SWA-0 (member 0) to be the highest possible value, thereby ensuring that it functions as the master of the expanded Virtual Chassis configuration. [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255

2.

Configure the mastership priority of SWA-1 (member 1) to be the highest possible value. This setting is recommended for high availability and smooth transition of mastership in case the original master becomes unavailable. [edit virtual-chassis] user@SWA-1# set member 1 mastership-priority 255

3.

Interconnect the unpowered SWA-2 with SWA-0 using the default VCPs on the front panel. See Virtual Chassis Cabling Configuration Examples for EX3300 Switches for additional information.

4.

Power on SWA-2. You do not need to run EZSetup on SWA-2. The identification parameters that were set up for the master apply implicitly to all members of the Virtual Chassis

1402



configuration. SWA-2 functions in a linecard role, because SWA-0 and SWA-1 have been configured to the highest mastership priority values. 5.

Confirm SWA-2 is now included in the Virtual Chassis configuration by checking the front-panel LCD for the member ID of this switch.

6.

Cable the other VCP on SWA-2 to the Virtual Chassis.

NOTE: If you immediately cable both VCPs on SWA-2 into the existing Virtual Chassis, SWA-0 or SWA-1 might become nonoperational for several seconds. Network traffic to one of the switches is dropped during the downtime. The switch will return to the normal operational state with no user intervention, and normal operation of the Virtual Chassis will resume after this downtime.

Verification To verify that the new switch has been added in the linecard role and that its VCPs are operational, perform these tasks: •

Verifying That the New Switch Has Been Added in a Linecard Role on page 1403

•


Verifying That the New Switch Has Been Added in a Linecard Role Purpose Action

Verify that SWA-2 has been added in a linecard role to the Virtual Chassis configuration. Use the show virtual-chassis status command to list the member switches with their member IDs, mastership priority values, and assigned roles. user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0000.e255.00e0

Meaning

Mastership Priority

Role


Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex3300-24t

255

Master*

1 vcp-255/1/2 2 vcp-255/1/3

1 (FPC 1)

Prsnt

def456

ex3300-24t

255

Backup

2 vcp-255/1/2 0 vcp-255/1/3

2 (FPC 2)

Prsnt

abd231

ex3300-24t

128

Linecard

0 vcp-255/1/2 1 vcp-255/1/3

The show virtual-chassis status command lists the member switches of the Virtual Chassis configuration with the member IDs and mastership priority values. It also displays the neighbor members with which each member is interconnected. This output shows that SWA-2 has been assigned member ID 2 and has the default mastership priority value


1403

®


128. Because the mastership priority is lower than the mastership priority of the other members, SWA-2 functions in the linecard role. You can continue to add more member switches, following the same procedure. It is possible to have multiple members in linecard roles with the same mastership priority value.


Verify that the VCPs interconnecting the member switches are operational. List the VCP interfaces on the Virtual Chassis configuration. user@SWA-0>show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port 1/2 Configured Up 1/3 Configured Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port 1/2 Configured Up 1/3 Configured Up fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port 1/2 Configured Up 1/3 Configured Up

Meaning

The show virtual-chassis vc-port all-members command lists all the interfaces for the Virtual Chassis configuration. In this case, no VCPs have been configured. However, the VCPs are automatically configured and enabled when you interconnect member switches using the default VCP uplink ports. We recommend that you interconnect the member switches using both VCPs for redundancy. The VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same as the member ID.

Troubleshooting To troubleshoot the configuration of an expanded Virtual Chassis, perform these tasks: •


•



1404

You want to designate a different member as the master.



Solution

Change the mastership priority value or values of the switches, designating the highest mastership priority value for the switch that you want to be master. 1.

Lower the mastership priority of the existing master (member 0). [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 1

2. Set the mastership priority of the member that you want to be the master to the

highest possible value (255): [edit virtual-chassis] user@SWA-2# set member 2 mastership-priority 255



Solution



•



1405

®


1406


CHAPTER 39

Configuring EX3300, EX4200, and EX4500 Virtual Chassis •


•

Configuring an EX3300, EX4200, and EX4500 Virtual Chassis (J-Web Procedure) on page 1412

•


•

Installing Software on a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) on page 1417

•

Adding a New EX4200 Switch to an Existing EX4200 Virtual Chassis (CLI Procedure) on page 1418

•


•


•


•

Replacing a Member Switch of an EX3300, EX4200, or EX4500 Virtual Chassis Configuration (CLI Procedure) on page 1429

•

Removing an EX4200 or EX4500 Switch From a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) on page 1431

•

Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) on page 1432

•


•


•

Setting an EX3300 or EX4200 Uplink Port as a Virtual Chassis Port Using the LCD Panel on page 1439

•


•

Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of the EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) on page 1441


1407

®


•


•


•


•


•


•

Configuring Graceful Routing Engine Switchover in a Virtual Chassis (CLI Procedure) on page 1445

•


•


Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure) This topic does not apply to mixed EX4200 and EX4500 Virtual Chassis configuration. For information on configuring a mixed EX4200 and EX4500 Virtual Chassis, see “Configuring a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure)” on page 1414. You can interconnect EX4200 and EX4500 switches using the dedicated Virtual Chassis ports (VCPs) on the rear panel of EX4200 switches and on the Virtual Chassis module in EX4500 switches. You do not have to configure the interfaces for the dedicated VCPs. If you want to interconnect EX4200 or EX4500 member switches that are located in different racks or wiring closets, you interconnect them using uplink ports configured as VCPs. See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434 or “Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure)” on page 1438.

NOTE: A Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis. This ensures that the configuration changes are saved in both Routing Engines.

An EX4200 or EX4500 Virtual Chassis can be configured with either: •

1408

A preprovisioned configuration—Allows you to deterministically control the member ID and role assigned to a member switch by tying it to its serial number.


Chapter 39: Configuring EX3300, EX4200, and EX4500 Virtual Chassis

•

A nonprovisioned configuration—The master sequentially assigns a member ID to other member switches. The role is determined by the mastership priority value and other factors in the master election algorithm.

This topic includes: •

Configuring an EX4200 or EX4500 Virtual Chassis with a Preprovisioned Configuration File on page 1409

•

Configuring an EX4200 or EX4500 Virtual Chassis with a Nonprovisioned Configuration File on page 1410

Configuring an EX4200 or EX4500 Virtual Chassis with a Preprovisioned Configuration File Preprovisioning a Virtual Chassis configuration allows you to assign the member ID and role for each switch in the Virtual Chassis. To configure a Virtual Chassis using a preprovisioned configuration: 1.

Make a list of the serial numbers of all the switches to be connected in the Virtual Chassis configuration.

2. Note the desired role (routing-engine or line-card) you want for each switch. If you

configure the member with a routing-engine role, it is eligible to function as a master or backup. If you configure the member with a line-card role, it is not eligible to become a master or backup. 3. Interconnect the member switches using the dedicated VCPs. See Connecting a Virtual

Chassis Cable to an EX4200 Switch or Connecting a Virtual Chassis Cable to an EX4500 Switch.

NOTE: For management purposes, we recommend arranging the switches in member ID sequence, either from top to bottom or from bottom to top (0–9).

4. Power on only the switch that you plan to use as the master switch. Do not power on

the other switches at this time. 5. Run the EZSetup program on the master switch, specifying the identification

parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details.

NOTE: The properties that you specify for the master switch apply to the entire Virtual Chassis configuration, including all the members listed in the preprovisioned configuration file.

6. (Optional) Configure the master switch with the virtual management Ethernet (VME)

interface for out-of-band management of the Virtual Chassis configuration: [edit] user@switch# set interfaces vme unit 0 family inet address /ip-address/mask/


1409

®


7. Specify the preprovisioned configuration mode: [edit virtual-chassis] user@switch# set preprovisioned 8. From the master switch, specify all the members that you want to include in the Virtual

Chassis configuration, listing each switch’s serial number with the desired member ID and the desired role: [edit virtual-chassis] user@switch# set member 0 serial-number abc123 role routing-engine user@switch# set member 1 serial-number def456 role line-card user@switch# set member 2 serial-number ghi789 role line-card user@switch# set member 3 serial-number jkl012 role line-card user@switch# set member 4 serial-number mno345 role line-card user@switch# set member 5 serial-number pqr678 role routing-engine user@switch# set member 6 serial-number stu901 role line-card user@switch# set member 7 serial-number vwx234 role line-card user@switch# set member 8 serial-number yza567 role line-card user@switch# set member 9 serial-number bcd890 role line-card 9. (Optional. Recommended for a two-member Virtual Chassis) Disable the split and

merge feature: [edit virtual-chassis] user@switch# set no-split-detection 10. Power on the member switches. 11. (EX4500 switches only) Verify the PIC mode setting: user@switch> show chassis pic-mode

If the PIC mode setting is not set to virtual-chassis, set the PIC mode to virtual-chassis: user@switch> request chassis pic-mode virtual-chassis

NOTE: This step is required if you are using the dedicated VCPs on the Virtual Chassis module to connect the Virtual Chassis. The PIC mode setting has no impact on uplink ports that are configured as VCPs.

NOTE: You cannot modify the mastership priority when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two Routing Engines are assigned the same mastership priority value. However, the member that was powered on first has higher prioritization according to the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290.

Configuring an EX4200 or EX4500 Virtual Chassis with a Nonprovisioned Configuration File Nonprovisioned configuration can be used to configure an EX4200 Virtual Chassis or an EX4500 Virtual Chassis.

1410



To configure the Virtual Chassis using a nonprovisioned configuration: 1.

Interconnect the member switches using the dedicated VCPs. See Connecting a Virtual Chassis Cable to an EX4200 Switch or Connecting a Virtual Chassis Cable to an EX4500 Switch.


2. Power on only the switch that you plan to use as the master switch (SWA-0). Do not

power on the other switches at this time. 3. Run the EZSetup program on SWA-0, specifying the identification parameters. See

“Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details.

NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis configuration, including all the members interconnected through VCPs.

4. (Optional) Configure SWA-0 with the virtual management Ethernet (VME) interface

for out-of-band management of the Virtual Chassis configuration, if desired: [edit] user@SWA-0# set interfaces vme unit 0 family inet address /ip-address/mask/ 5. Configure mastership priority for the master, backup, and other members, if desired: [edit virtual-chassis] user@switch# set member 0 mastership-priority 255 user@switch# set member 5 mastership-priority 255 6. (Optional. Recommended for a two-member Virtual Chassis) Disable the split and

merge feature: [edit virtual-chassis] user@switch# set no-split-detection 7. Power on the member switches in sequential order, one by one. 8. (EX4500 switches only) Enter the show chassis pic-mode operational mode command

to verify the current PIC mode setting. If the PIC mode is currently set to intraconnect, enter the request chassis pic-mode virtual-chassis operational mode command to set the PIC mode to virtual-chassis. Reboot the switch to complete the procedure.

NOTE: This step is only required if you are using the dedicated VCP ports on the Virtual Chassis module.


1411

®


NOTE: If you do not edit the Virtual Chassis configuration file, a nonprovisioned configuration is generated by default. The mastership priority value for each member switch is 128. The master role is selected by default. You can change the role that is performed by the members by modifying the mastership priority. See “Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1432. We recommend that you specify the same mastership priority value for the desired master and backup members. In this example, the highest possible mastership priority has been assigned to two members. However, the member that was powered on first has higher prioritization according to the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. The other members use the default mastership priority in this example, which configures them to function in the role of linecard.

NOTE: If you want to change the member ID that the master has assigned to a member switch, use the request virtual-chassis renumber command.


•


•


•

Monitoring the Virtual Chassis Status and Statistics on EX3300, EX4200, and EX4500 Switches on page 1459

Configuring an EX3300, EX4200, and EX4500 Virtual Chassis (J-Web Procedure) To take advantage of the scalability features of EX3300, EX4200, and EX4500 switches, you can configure a Virtual Chassis. EX3300 Virtual Chassis include up to six member switches. EX4200 and EX4500 Virtual Chassis include up to ten member switches. You can interconnect the member switches using the dedicated Virtual Chassis ports (VCPs) on the back of the switches. You do not have to configure the interface for the dedicated VCPs. If you want to interconnect member switches that are located in different racks or wiring closets, interconnect them using uplink module ports configured as VCP interfaces. See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434. To configure a Virtual Chassis using the J-Web interface:

1412



1.

Select Configure > Virtual Chassis.


2. The properties you can configure are displayed.

The first section of the Virtual Chassis Configuration page displays the Virtual Chassis member configuration. The display includes a list of member switches, their member IDs, and the mastership priority. The second section displays the operational status of the Virtual Chassis configuration, member details, and the dedicated and configured Virtual Chassis ports (VCPs). 3. Enter information into the page as described in Table 162 on page 1413. 4. Click one: •

Add—To add a member's configuration to the Virtual Chassis configuration, click Add.

•

Edit—To modify an existing member's configuration, click Edit.

•

Delete—To delete the configuration of a member, click Delete.

5. To configure an uplink module port as a VCP, select the member in the Virtual Chassis

members list and select Action > Select Uplink Port as VCP. Select the port from the list. 6. To remove the VCP configuration from the uplink module port of a member, select

the member in the Virtual Chassis members list and select Action > Delete Uplink Port as VCP.

Table 162: Virtual Chassis Configuration Fields Field

Function

Your Action

Member ID

Specifies the identifier for the member switch.

Select an identifier (from 0 through 9) from the list.

Priority

Specifies the mastership priority to be assigned to the member.

Select a number from 1 through 255, (255 being the highest priority and 128, the default).

Disable Management VLAN

If you want to reserve an individual member's management Ethernet port, you can remove that port from being part of the virtual management Ethernet (VME) interface.

Click to disable the management VLAN on the port.

Member Details


1413

®


Table 162: Virtual Chassis Configuration Fields (continued) Field

Function

Your Action

Refresh

Refreshes the operational status of Virtual Chassis members.

Click to refresh the operational status.


•


•


•


•


•


•


•


Configuring a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) This topic explains how to configure a mixed EX4200 and EX4500 Virtual Chassis when none of the switches are part of a Virtual Chassis. For information on configuring an EX4200 Virtual Chassis or an EX4500 Virtual Chassis, see “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408. You can configure a mixed EX4200 and EX4500 Virtual Chassis that includes up to ten EX4200 and EX4500 member switches. You can interconnect the member switches using the dedicated Virtual Chassis ports (VCPs) or by configuring uplink ports as VCPs. This procedure uses a preprovisioned Virtual Chassis configuration. A preprovisioned configuration allows you to deterministically control the member ID and role assigned to a member switch by tying it to its serial number. Nonprovisioned configuration is also supported for a mixed EX4200 and EX4500 Virtual Chassis configuration. In a nonprovisioned configuration, the master sequentially assigns a member ID to other member switches and the other member switches roles are determined by the mastership priority value and other factors in the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. Ensure that all switches are running the same version of Junos OS. See “Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure)” on page 124. To configure a mixed EX4200 and EX4500 Virtual Chassis:

1414



1.

Make a list of the serial numbers of all the switches to be connected in the Virtual Chassis. You can get the serial numbers in the show chassis hardware output or by following the instructions in Locating the Serial Number on an EX4200 Switch or Component or Locating the Serial Number on an EX4500 Switch or Component.

2. Decide which switches you want to act in the master and backup roles. See

“Understanding EX3300, EX4200, and EX4500 Virtual Chassis Components” on page 1285. 3. Power and log in to the switch that you want to function in the master role. If the

switch has not previously been configured, configure it. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257. 4. Power and log in to the switch that you want to function in the backup role. If the

switch has not previously been configured, configure it. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257. 5. Power on all other member switches. 6. (EX4500 switches only) Verify the PIC mode setting: user@switch> show chassis pic-mode 7. (EX4500 switches only) If the PIC mode was not set to Virtual Chassis mode, set the

PIC mode to Virtual Chassis mode: user@switch> request chassis pic-mode virtual-chassis

NOTE: This step is required if you are using the dedicated VCPs on the Virtual Chassis module to connect the Virtual Chassis. The PIC mode setting has no impact on uplink ports that are configured as VCPs.

8. Set the Virtual Chassis mode to mixed on all member switches: user@switch> request virtual-chassis mode mixed

NOTE: If some of the switches in the Virtual Chassis are set to mixed mode using this command while others are not, the mixed EX4200 and EX4500 Virtual Chassis will not form. When this command is not used to set any of the switches in the Virtual Chassis to mixed mode, the mixed EX4200 and EX4500 Virtual Chassis forms with one of the switches assuming the master role. All other member switches are inactive in the Virtual Chassis and placed into the linecard role. If you experience either of these scenarios, set the Virtual Chassis mode to mixed on all of the mixed EX4200 and EX4500 Virtual Chassis member switches using the request virtual-chassis mode mixed command and reboot all switches in the Virtual Chassis. You can configure the Virtual Chassis after the reboots are complete.


1415

®


9. Reboot each member switch: user@switch> request system reboot 10. After you have rebooted the switches, log into the switch that you powered on first.

This switch is the master switch. 11. Run the EZSetup program on the master switch, specifying the identification

parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257.

NOTE: The properties that you specify for the master switch apply to the entire mixed EX4200 and EX4500 Virtual Chassis.

12. (Optional) On the master switch, configure the virtual management Ethernet (VME)

interface for out-of-band management of the Virtual Chassis, if desired: [edit] user@switch# set interfaces vme unit 0 family inet address /ip-address/mask/ 13. On the master switch, specify the preprovisioned configuration mode: [edit virtual-chassis] user@switch# set preprovisioned 14. On the master switch, specify all members for the Virtual Chassis configuration, listing

each switch’s serial number with the desired member ID and the desired role.

NOTE: The routing-engine role can be assigned to any member switch starting in Junos OS Release 11.4. Ensure that you assign the routing-engine role to two members that are the same type of switch if you are running Junos OS Release 11.3 or earlier.

[edit virtual-chassis] user@switch# set member 0 serial-number serial-number role routing-engine user@switch# set member 1 serial-number serial-number role routing-engine user@switch# set member 2 serial-number serial-number role line-card user@switch# set member 3 serial-number serial-number role line-card user@switch# set member 4 serial-number serial-number role line-card user@switch# set member 5 serial-number serial-number role line-card user@switch# set member 6 serial-number serial-number role line-card user@switch# set member 7 serial-number serial-number role line-card user@switch# set member 8 serial-number serial-number role line-card user@switch# set member 9 serial-number serial-number role line-card 15. Interconnect the member switches by using either the dedicated VCPs on the member

switches (see Connecting a Virtual Chassis Cable to an EX4200 Switch or Connecting a Virtual Chassis Cable to an EX4500 Switch) or by connecting them through the uplink ports (EX4200 member switches) or SFP+ ports (EX4500 member switches) that you have configured as VCPs (see “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434 or “Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure)” on page 1438).

1416



NOTE: You cannot modify the mastership priority when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file.

For information on adding a switch to an existing Virtual Chassis or configuring a Virtual Chassis port (VCP) to connect member switches over long distances, see Related Documentation. Related Documentation

•


•


•


•


•


•


•


•


Installing Software on a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) You can use this procedure to upgrade or downgrade Junos OS for all member switches in an operational mixed EX4200 and EX4500 Virtual Chassis. To upgrade Junos OS for an operational mixed EX4200 and EX4500 Virtual Chassis: 1.

Download the same version of Junos OS Release 11.1 or later software for an EX4200 switch and an EX4500 switch if you have one or two EX4500 switches in your mixed EX4200 and EX4500 Virtual Chassis. Download the same version of Junos OS Release 11.4 or later software for an EX4200 switch and an EX4500 switch if you have three or more EX4500 switches in your mixed EX4200 and EX4500 Virtual Chassis. See “Downloading Software Packages from Juniper Networks” on page 123.


See the Junos OS Installation and Upgrade Guide for instructions on performing this task. 3. (Optional) Copy both software packages to the member switch acting in the master

role. We recommend that you use FTP to copy the file to the /var/tmp directory.


1417

®


This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios. 4. Install both new packages on the Virtual Chassis:

user@switch> request system software add set [package package]

NOTE: You enter the request system software add set [package package] command once on the Virtual Chassis to download the software package onto all member switches in the mixed EX4200 and EX4500 Virtual Chassis. The package path should point to one EX4200 Junos OS image and one EX4500 Junos OS image.

Replace package with one of the following paths: •

For a software package in a local directory on the switch—/var/tmp/package.tgz.

•

For a software package on a remote server: •

ftp://hostname/pathname/package.tgz

•

http://hostname/pathname/package.tgz

where package.tgz is, for example, jinstall-ex-4200-11.1R1.8-domestic-signed.tgz.

NOTE: To abort the installation, do not reboot your Virtual Chassis; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, jinstall-ex-4500-11.1R1.8-domestic-signed.tgz. This is your last chance to stop the installation.

5. Reboot the Virtual Chassis to start the new software:

user@switch> request system reboot 6. After the reboot has completed, log in and verify that the new version of the software

is properly installed for all member switches in the Virtual Chassis: user@switch> show version


•


•


Adding a New EX4200 Switch to an Existing EX4200 Virtual Chassis (CLI Procedure) This topic explains how to add an EX4200 switch to an existing EX4200 Virtual Chassis. For information on adding an EX4200 switchto an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis, see “Adding an EX4200 Switch to a Preprovisioned

1418



EX4500 Virtual Chassis or a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure)” on page 1424.. To add an EX4200 switch to an existing EX4200 Virtual Chassis, use the procedure that matches what you need to accomplish: •

Adding a New Switch to an Existing Virtual Chassis Within the Same Wiring Closet on page 1419

•

Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis on page 1420

•

Adding a New Switch to an Existing Preprovisioned Virtual Chassis Using Autoprovisioning on page 1422

Adding a New Switch to an Existing Virtual Chassis Within the Same Wiring Closet This procedure can be used to add an EX4200 switch to an EX4200 Virtual Chassis. Before you begin, be sure you have: •

Mounted the new switch in a rack.

•

Confirmed that the new switch is powered off.

•

If you are expanding a preprovisioned configuration, made a note of the serial number (the number is on the back of the switch). You will need to edit the Virtual Chassis configuration to include the serial number of the new member switch.

•

If you are expanding a preprovisioned configuration, edited the existing Virtual Chassis configuration to include the serial number of the new member switch. The parameters specified in the master Virtual Chassis configuration file are applied to the new switch after it has been interconnected to an existing member switch.

NOTE: After you have created a preprovisioned Virtual Chassis configuration, you can use the autoprovisioning feature to add member switches to that configuration.

•

(Optional) Configured Ethernet interfaces on different member switches into the same LAG.. See “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354 An active member switch might temporarily go down before coming back up as part of this procedure. Having traffic load-balanced across member switches using a LAG helps alleviate traffic loss during this procedure.


1419

®


To add a new member switch to an existing Virtual Chassis configuration within the same wiring closet: 1.

If the new member switch has been previously configured, revert that switch’s configuration to the factory defaults. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

2. Interconnect the unpowered new switch to one member of the existing Virtual Chassis

configuration using the dedicated Virtual Chassis ports (VCPs). Connect only one VCP on the unpowered new switch to a VCP on a member switch in the existing Virtual Chassis at this point of the procedure. 3. Power on the new switch. 4. Confirm that the new member switch is now included within the Virtual Chassis

configuration by checking the front-panel LCD for the member ID. It should display a member ID that is greater than 0 (1 through 9), because there is already at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is automatically assigned to the member’s serial number in the configuration file.

5. Cable the other dedicated VCP on the new member switch to the Virtual Chassis.

CAUTION: If you immediately cable both VCPs on the new switch into the existing Virtual Chassis at the same time, a member switch that was already part of the Virtual Chassis might become nonoperational for several seconds. Network traffic to this switch is dropped during the downtime. The member switch will return to the normal operational state with no user intervention, and normal operation of the Virtual Chassis will resume after this downtime.

Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis This procedure can be used to add an EX4200 switch to an EX4200 Virtual Chassis from a different wiring closet to an existing Virtual Chassis. To add a new switch from a different wiring closet to an existing Virtual Chassis configuration, you must use a long cable to connect the members switches across wiring closets. You can use any SFP, SFP+, or XFP port and a fiber-optic cable for this purpose. Before you begin, be sure you have:

1420

•

Installed the uplink modules needed for the Virtual Chassis configuration. See Installing an Uplink Module in an EX4200 Switch.

•




•

If the new member switch has been previously configured, reverted its configuration to the factory defaults. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

•


•

If you are expanding a preprovisioned configuration, edited the existing Virtual Chassis configuration to include the serial number of the new member switch. You can specify the role of the new member switch when you add its serial number in the Virtual Chassis configuration file. The parameters specified in the master Virtual Chassis configuration file are applied to the new switch after it has been interconnected with its uplink VCP to an existing member switch.

NOTE: After you have created a preprovisioned Virtual Chassis configuration, you can use the autoprovisioning feature to add member switches to that configuration.

To add a new member switch that is going to be interconnected with the existing Virtual Chassis configuration across wiring closets: 1.

Power on the new switch.

2. Connect a laptop or terminal to the console port of the switch, or use EZSetup on the

LCD Panel of the standalone switch to specify temporary identification parameters. (When you interconnect the new member switch with the existing Virtual Chassis configuration, the master will overwrite and disable any specified parameters that conflict with the Virtual Chassis parameters or assigned member configuration.) 3. Use the CLI or the J-Web interface to set one uplink module port as a VCP: user@switch> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: If you are using a nonprovisioned configuration, you might configure the new member switch with a mastership priority value that is less than that of the existing member switches. Doing so ensures that the new member switch will function in a linecard role when it is included within the Virtual Chassis configuration.

4. Power off the new switch. 5. Interconnect the new member switch to one existing member switch in the Virtual

Chassis configuration using one of the uplink module ports that you has configured as a VCP. Connect only one VCP on the unpowered new switch to a VCP on a member switch in the existing Virtual Chassis at this point of the procedure. 6. Power on the new member switch. 7. Confirm that the new member switch is now included within the Virtual Chassis

configuration by checking the front-panel LCD for the member ID. It should display a


1421

®


member ID that is greater than 0 (1 through 9), because there is already at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is automatically assigned to the member's serial number in the configuration file.

8. Cable another user-configured VCP on the new member switch to the Virtual Chassis,

if desired.


Adding a New Switch to an Existing Preprovisioned Virtual Chassis Using Autoprovisioning This procedure can be used to add an EX4200 switch to an existing EX4200 Virtual Chassis using autoprovisioning. Before you begin, be sure you have:

1422

•

Installed the uplink modules needed for the Virtual Chassis configuration.

•


•

Ensured that the preprovisioned Virtual Chassis configuration has an active master. For more information, see “Example: Configuring an EX4200 Virtual Chassis Using a Preprovisioned Configuration File” on page 1365.

•

On the master, configured the Link Level Discovery Protocol (LLDP) on the uplink module ports that will be used as VCPs. LLDP is configured by default but might have been disabled. To configure LLDP, see “Configuring LLDP (CLI Procedure)” on page 3641.

•

Ensured that the new member switch has the factory-default configuration. If the new member switch has been previously configured, revert its configuration to the factory defaults. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

•

Made a note of the serial number (the number is on the back of the switch). You will need to edit the Virtual Chassis configuration to include the serial number of the new member switch.

•

Edited the existing Virtual Chassis preprovisioned configuration to include the serial number of the new member switch. The parameters specified in the master Virtual



Chassis configuration file are applied to the new member switch after it has been interconnected through its uplink VCP to an existing member switch. •

Prepared an existing member switch to interconnect with the new switch through an uplink module port by configuring an uplink module port as a VCP on the existing member switch.

•

Ensured that the operational modes of the uplink modules on the existing member switch and the new member switch match.

•

Confirmed that the new member switch is powered off.

If the preceding conditions are not met, autoprovisioning will not work and you will need to manually configure uplink module ports on the switch to be added to the configuration to be VCPs. For more information, see “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434. To add a switch to an existing preprovisioned Virtual Chassis configuration using the autoprovisioning feature: 1.

Interconnect the unpowered new switch to one member of the existing Virtual Chassis configuration. Only connect one VCP on the unpowered new switch to a VCP on a member switch in the existing Virtual Chassis at this point of the procedure.

2. Power on the new member switch. 3. Confirm that the new member switch is now included in the Virtual Chassis

configuration by checking the front-panel LCD for the member ID. It should display a member ID in the range from 0 through 9. The member ID is automatically assigned to the new member switch's serial number in the configuration file. 4. Cable the other VCP on the new member switch to the Virtual Chassis.



•


•


•


•



1423

®


•


•


•


Adding an EX4200 Switch to a Preprovisioned EX4500 Virtual Chassis or a Preprovisioned Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) This topic explains how to add an EX4200 switch to an already configured and operational EX4500 Virtual Chassis or to a mixed EX4200 and EX4500 Virtual Chassis that was configured using a preprovisioned configuration. To add an EX4200 switch to an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis that was configured using a preprovisioned configuration: 1.

Power on the EX4200 switch that will be added to the Virtual Chassis.

2. Set the Virtual Chassis mode to mixed: user@switch> request virtual-chassis mode mixed 3. Reboot the EX4200 switch. user@switch> request system reboot 4. Log in to the EX4500 Virtual Chassis or the mixed EX4200 and EX4500 Virtual Chassis. 5. (EX4500 Virtual Chassis only) Set the Virtual Chassis mode to mixed for all Virtual

Chassis member switches: user@switch> request virtual-chassis mode mixed all-members

NOTE: Each member switch will already have been configured in mixed mode in a mixed EX4200 and EX4500 Virtual Chassis.

6. (EX4500 Virtual Chassis only) Reboot all member switches in the EX4500 Virtual

Chassis: user@switch> request system reboot all-members 7. Add the EX4200 switch to the preprovisioned configuration: [edit virtual-chassis] user@SWA–0# set member 5 serial-number serial-number role role 8. If you are replacing an EX4500 switch in the routing-engine role with an EX4200

switch, change the role of the EX4500 switch to line-card: [edit virtual-chassis] user@switch# replace member 0 serial-number serial-number role routing-engine with member 0 serial-number serial-number role line-card user@switch# replace member 1 serial-number serial-number role routing-engine with member 1 serial-number serial-number role line-card 9. Commit the configuration:

1424



user@switch# commit synchronize 10. Cable one dedicated or user-configured Virtual Chassis port (VCP) on the new member

switch to the existing Virtual Chassis. See Connecting a Virtual Chassis Cable to an EX4200 Switch or “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434. 11. Wait for the new switch to become operational in the Virtual Chassis. Monitor the

show virtual-chassis command output to confirm the new switch is recognized by the

Virtual Chassis and is in the Prsnt state.


12. Cable the other dedicated or user-configured VCP on the new member switch to the

Virtual Chassis. Related Documentation

•


•


•


Adding an EX4500 Switch to a Preprovisioned EX4200 Virtual Chassis (CLI Procedure) An EX4500 switch can be added to an EX4200 Virtual Chassis to create a mixed EX4200 and EX4500 Virtual Chassis. This topic explains how to add an EX4500 switch to an already configured and operational EX4200 Virtual Chassis. To add an EX4500 switch to an EX4200 Virtual Chassis that was configured using a preprovisioned configuration: 1.

Power on the EX4500 switch with the installed Virtual Chassis module.

2. Verify the PIC mode setting: user@switch> show chassis pic-mode 3. If the PIC mode was not set to Virtual Chassis mode, set the PIC mode to Virtual

Chassis mode: user@switch> request chassis pic-mode virtual-chassis


1425

®


NOTE: This step is required only if you are using the dedicated VCPs on the Virtual Chassis module of the EX4500 switch to connect the Virtual Chassis.

4. Set the Virtual Chassis mode to mixed: user@switch> request virtual-chassis mode mixed 5. Reboot the EX4500 switch. user@switch> request system reboot 6. Log in to the EX4200 Virtual Chassis. 7. Set the Virtual Chassis mode to mixed for all member switches: user@switch> request virtual-chassis mode mixed all-members 8. Reboot the Virtual Chassis. user@switch> request system reboot all-members 9. Log in to the EX4200 Virtual Chassis after the reboot is complete. 10. On the master switch, add the EX4500 switch to the preprovisioned configuration: [edit virtual-chassis] user@switch# set member member-id serial-number serial-number role role 11. If you are using the EX4500 switch in the master role in place of an EX4200 switch,

change the EX4200 switch in the routing-engine role to the line-card role: [edit virtual-chassis] user@switch# replace member 0 serial-number serial-number role routing-engine with member 0 serial-number serial-number role line-card user@switch# replace member 1 serial-number serial-number role routing-engine with member 1 serial-number serial-number role line-card 12. Commit the configuration: user@switch# commit synchronize 13. Interconnect the EX4500 switch to one member of the existing Virtual Chassis

configuration. See Connecting a Virtual Chassis Cable to an EX4200 Switch and Connecting a Virtual Chassis Cable to an EX4500 Switch. Connect only one VCP on the EX4500 switch to a VCP on a member switch in the existing Virtual Chassis at this point of the procedure. 14. Confirm that the new member switch is now included in the Virtual Chassis

configuration by checking the front-panel LCD for the member ID. It should display a member ID in the range from 0 through 9. The member ID is automatically assigned to the new member switch's serial number in the configuration file. 15. Cable the other VCP on the Virtual Chassis of the EX4500 switch to the Virtual Chassis.

CAUTION: If you immediately cable both VCPs on the new switch into the existing Virtual Chassis at the same time, a member switch that was already part of the Virtual Chassis might become nonoperational for several seconds. Network traffic to this switch is dropped during the downtime.

1426



The member switch will return to the normal operational state with no user intervention, and normal operation of the Virtual Chassis will resume after this downtime.


•


•


•


•


Adding an EX4500 Switch to a Nonprovisioned EX4200 Virtual Chassis (CLI Procedure) An EX4500 switch can be added to an EX4200 Virtual Chassis to create a mixed EX4200 and EX4500 Virtual Chassis. This topic explains how to add an EX4500 switch to an already configured and operational EX4200 Virtual Chassis that was configured using a nonprovisioned configuration. Before you begin adding EX4500 switches to the Virtual Chassis: •

Ensure that a Virtual Chassis module is installed in the EX4500 switch.

To add an EX4500 switch to an EX4200 Virtual Chassis that was configured using a nonprovisioned configuration: 1.

Power on the EX4500 switch.

2. Verify the PIC mode setting: user@switch> show chassis pic-mode

NOTE: This step is required only if you are using the dedicated VCPs on the Virtual Chassis module of the EX4500 switch to connect the Virtual Chassis.

3. If the PIC mode was not set to Virtual Chassis mode, set the PIC mode to Virtual

Chassis mode: user@switch> request chassis pic-mode virtual-chassis 4. Set the Virtual Chassis mode to mixed: user@switch> request virtual-chassis mode mixed 5. Reboot the EX4500 switch. user@switch> request system reboot 6. Log in to the EX4200 Virtual Chassis.


1427

®


7. Set the Virtual Chassis mode to mixed for all member switches: user@switch> request virtual-chassis mode mixed all-members 8. Reboot all member switches in the Virtual Chassis. user@switch> request system reboot all-members 9. After all members have rebooted, interconnect one dedicated VCP on the EX4500

switch with one dedicated VCP of a member EX4200 switch in the EX4200 Virtual Chassis. . See Connecting a Virtual Chassis Cable to an EX4200 Switch and Connecting a Virtual Chassis Cable to an EX4500 Switch.

NOTE: You can also connect an EX4500 switch into the Virtual Chassis by configuring an uplink port as a VCP. See “Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure)” on page 1438.

10. Log in to the Virtual Chassis. 11. Wait for the new switch to become operational in the Virtual Chassis. Monitor the

show virtual-chassis command output to confirm the new switch is recognized by the

Virtual Chassis and is in the Prsnt state.


12. Cable the other dedicated or user-configured VCP on the new member switch to the

Virtual Chassis. 13. (Optional) Set the mastership priority of the EX4500 switch. The switches with the

highest mastership priorities assume the master role and backup roles. [edit virtual-chassis] user@switch# set member member-id mastership-priority mastership-priority 14. (Optional) From the master switch, set the mastership priority of the other member

switches: [edit virtual-chassis] user@switch# replace member member-id mastership-priority mastership-priority with member member-id mastership-priority mastership-priority


1428

•

Example: Adding an EX4500 Switch to a Nonprovisioned Virtual Chassis on page 1326

•


•




Replacing a Member Switch of an EX3300, EX4200, or EX4500 Virtual Chassis Configuration (CLI Procedure) You can replace a member switch of an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis without disrupting network service for the other members. You can retain the existing configuration of the member switch and apply it to a new member switch, or you can free up the member ID and make it available for assignment to a new member switch. To replace a member switch, use the procedure that matches what you need to accomplish: •

Remove, Repair, and Reinstall the Same Switch on page 1429

•

Remove a Member Switch, Replace It with a Different Switch, and Reapply the Old Configuration on page 1430

•

Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch on page 1431

Remove, Repair, and Reinstall the Same Switch If you need to repair a member switch, you can remove it from the Virtual Chassis configuration without disrupting network service for the other members. The master stores the configuration of the member ID so that it can be reapplied when the member switch (with the same base MAC address) is reconnected. 1.

Power off and disconnect the member switch to be repaired.

2. Repair, as necessary. 3. Reconnect the switch and power it on.


1429

®


Remove a Member Switch, Replace It with a Different Switch, and Reapply the Old Configuration If you are unable to repair a member switch, you can replace it with a different member switch and retain the old configuration. The master stores the configuration of the member that was removed. When you connect a different member switch, the master assigns a new member ID. But the old configuration is still stored under the previous member ID of the previous member switch.

NOTE: If you have used a preprovisioned configuration, you can use the replace command to change the serial number in the Virtual Chassis configuration file. Substitute the serial number of the replacement member switch (on the back of the switch) for the serial number of the member switch that was removed.

1.

Power off and disconnect the member switch to be replaced.

2. If the replacement member switch has been previously configured, revert that switch’s

configuration to the factory defaults. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537. 3. Connect one VCP on the replacement member switch to a VCP of a Virtual Chassis

member switch and power the replacement member switch on. 4. Confirm that the new member switch is now included in the Virtual Chassis

configuration by checking the front-panel LCD for the member ID. It should display a member ID in the range from 0 through 9. 5. Cable the other VCP on the new member switch to the Virtual Chassis.


6. Issue the request virtual-chassis renumber command from the Virtual Chassis master

to change the member switch’s current member ID to the member ID that belonged to the member switch that was removed from the Virtual Chassis configuration.

1430



Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch When you remove a member switch from the Virtual Chassis configuration, the master keeps that member switch’s member ID on reserve. To make that member switch’s member ID available for reassignment, issue the request virtual-chassis recycle command from the Virtual Chassis master.

NOTE: When you add or delete members in a Virtual Chassis configuration, internal routing changes might cause temporary traffic loss for a few seconds.


•


•


•


•


•


Removing an EX4200 or EX4500 Switch From a Mixed EX4200 and EX4500 Virtual Chassis (CLI Procedure) This topic explains how to remove an EX4200 or EX4500 switch from a mixed EX4200 and EX4500 Virtual Chassis. It also explains how to reconfigure the Virtual Chassis in cases in which you are removing the switches to convert a mixed EX4200 and EX4500 Virtual Chassis into an EX4200 Virtual Chassis or an EX4500 Virtual Chassis. To remove an EX4200 or EX4500 switch from a mixed EX4200 and EX4500 Virtual Chassis: 1.

Power off and disconnect the member switch that is being removed from the Virtual Chassis.

2. If the Virtual Chassis configuration was preprovisioned, remove the switch from the

preprovisioned configuration. See “Replacing a Member Switch of an EX3300, EX4200, or EX4500 Virtual Chassis Configuration (CLI Procedure)” on page 1429. If the Virtual Chassis was nonprovisioned, change the mastership-priority values of each member switch as needed to reconfigure the Virtual Chassis roles. See “Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1432. 3. If the removal of the switch changes the Virtual Chassis from a mixed EX4200 and

EX4500 Virtual Chassis to an EX4200 or EX4500 Virtual Chassis, disable mixed Virtual Chassis mode for all of the switches in the Virtual Chassis:


1431

®


user@switch> request virtual-chassis mode mixed disable all-members

Reboot all member switching the Virtual Chassis to complete this step: user@switch> request system reboot all-members 4. If you want to place the removed switch back onto the network as a standalone switch,

disable mixed Virtual Chassis mode on the switch: user@switch> request virtual-chassis mode mixed disable 5. (EX4500 switch only) Set the PIC mode on the removed switch to intraconnect: user@switch> request chassis pic-mode intraconnect

You only need to perform this step if you want to put the EX4500 switch back onto the network as a standalone switch. 6. Reboot the standalone switch so the new settings can take effect.

Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) You can designate the role (master, backup, or linecard) that a member switch performs within an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis whether or not you are using a preprovisioned configuration.

NOTE: A Virtual Chassis configuration has two Routing Engines-one is the switch in the master role and the other is the switch in the backup role. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis. This ensures that the configuration changes are saved in both Routing Engines.


Configuring Mastership Using a Preprovisioned Configuration File on page 1432

•

Configuring Mastership Using a Configuration File That Is Not Preprovisioned on page 1433

Configuring Mastership Using a Preprovisioned Configuration File To configure mastership using a preprovisioned configuration for an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis: 1.

Note the serial numbers of the switches that you want to function in the master role and backup role.

2. Power on only the switch (SWA-0) that you want to function in the master role. 3. Edit the configuration to specify the preprovisioned configuration mode: [edit virtual-chassis] user@SWA-0# set preprovisioned 4. List the serial numbers of the member switches that you want to function as master

and backup, specifying their role as routing-engine:

1432



[edit] user@SWA-0# set virtual-chassis member 0 serial-number abc123 role routing-engine user@SWA-0# set virtual-chassis member 2 serial-number def456 role routing-engine

NOTE: You cannot directly modify the mastership priority value when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two members assigned the routing-engine role are assigned the same mastership priority value (128). However, the member that was powered on first has higher prioritization according to the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. Only two members can be specified with the routing-engine role.

5. List the serial numbers of any other member switches that you are including in the

Virtual Chassis configuration. You can also specify their role as line-card.

Configuring Mastership Using a Configuration File That Is Not Preprovisioned To configure mastership of the Virtual Chassis through a configuration that is not preprovisioned for an EX3300 Virtual Chassis, EX4200 Virtual Chassis, or an EX4500 Virtual Chassis: 1.

Power on only the switch that you want to function in the master role (SWA-0).

2. Configure the highest possible mastership priority value (255) for the member that

you want to function in the master role: [edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255 3. Configure the same mastership priority value (continue to edit the Virtual Chassis

configuration on the master) for the member that you want to be the backup (SWA-1): [edit virtual-chassis] user@SWA-0# set member 1 mastership-priority 255

NOTE: We recommend that the master and backup have the same mastership priority value to prevent the master and backup status from switching back and forth between master and backup members in failover conditions.

4. If you are configuring an EX3300, EX4200, or EX4500 Virtual Chassis, use the default

mastership priority value (128) for the remaining member switches or configure the mastership priority to a value that is lower than the value specified for members functioning in the master and backup roles. Related Documentation

•



1433

®


•


•


•


•


Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure) The procedure described in this topic can be used to connect two EX3300 or EX4200 switches together within the same Virtual Chassis. It can also be used to connect a Ten-Gigabit Ethernet SFP+ connection on an EX4200 switch to an EX4500 switch in a mixed EX4200 and EX4500 Virtual Chassis. This procedure is usually not needed to configure an EX3300 Virtual Chassis. Uplink ports 2 and 3 on an EX3300 switch are configured as VCPs by default and, therefore, do not require user configuration to be set as VCPs. We recommend that you should use this procedure only to configure an uplink port on an EX3300 switch as a VCP if you configured ports 2 and 3 as network uplink ports and the ports need to be reconfigured as VCPs, or in cases when ports 2 and 3 on the uplink module cannot be used as VCPs for an unexpected reason. You can use this procedure to configure any uplink port on an EX3300 switch as a VCP. You can interconnect EX4200 switches that are beyond the reach of the Virtual Chassis cables as members of a Virtual Chassis configuration by using the SFP network ports—including the SFP uplink module, SFP+ uplink module, or XFP uplink module—and connecting the uplink ports. You can also use the SFP network ports for this purpose. To use the uplink ports or SFP network ports for interconnecting member switches, you must explicitly set the uplink ports as VCPs.

NOTE: You cannot set a 1000BASE-T copper SFP transceiver (EX-SFP-1GE-T) connection as a VCP.

NOTE: When an uplink port is set as a VCP interface, it cannot be used for any other purpose. You can set one port as a VCP interface and configure the other port in trunk mode as an uplink to a distribution switch.

Before you set an uplink port as a VCP:

1434



1.

(EX4200 switch only) Install the uplink module in the member switches that you want to interconnect.

2. Power on and connect to the switch that you plan to designate as the master of the

Virtual Chassis configuration.

NOTE: Do not power on the other switches at this point.

3. Run EZSetup on the switch that you are configuring to be the master. Follow the

prompts to specify the hostname and other identification, time zone, and network properties. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details. The properties that you specify for the master apply to the entire Virtual Chassis configuration, including all the member switches that you later interconnect with the master. 4. If you want to configure and manage the Virtual Chassis configuration remotely, specify

the VME global management interface. You can configure the VME global management interface when you are setting up the master or you can do it after completing the other configuration steps for the Virtual Chassis. See “Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1440. 5. Configure mastership of the Virtual Chassis by using either the nonprovisioned or

preprovisioned configuration. See “Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1432 for details.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis configuration. This ensures that the configuration changes are saved in both Routing Engines.

To interconnect a Virtual Chassis configuration across long distances, such as between wiring closets, you need to: •

Prepare the existing Virtual Chassis configuration for interconnecting with a potential member switch that is beyond the reach of a dedicated Virtual Chassis cable (EX4200 Virtual Chassis only) by setting at least one uplink VCP on an existing member of the Virtual Chassis configuration.

•

Prepare the potential member switch for interconnecting with the existing Virtual Chassis configuration by setting at least one uplink VCP on the standalone switch.

NOTE: We recommend that you set two uplink VCPs within each wiring closet for redundancy.


1435

®


This topic describes: 1.

Setting an Uplink VCP Between Two EX3300 or EX4200 Member Switches on page 1436

2. Setting an Uplink VCP on a Standalone Switch on page 1436

Setting an Uplink VCP Between Two EX3300 or EX4200 Member Switches You can set an uplink port of an EX3300 or EX4200 Virtual Chassis member as a VCP.

NOTE: If you use the SFP+ uplink module, you must configure all member switches to support either 1-gigabit SFP transceivers or 10-gigabit SFP+ transceivers on EX4200 switches. See “Setting the Mode on an SFP+ Uplink Module (CLI Procedure)” on page 1880.

To set the uplink ports for the local member switch (for example, member 0) and for a different member switch (for example, member 1) to function as VCPs: 1.

Set one uplink port of member 0 as a VCP interface. You do not need to specify the member member-id option, because the command applies by default on the member where it is executed. user@switch> request virtual-chassis vc-port set pic-slot 1 port 0

2. Set one uplink port of member 1 as a VCP interface. user@switch>request virtual-chassis vc-port set pic-slot 1 port 0 member 1

This step includes the member member-id option, because it is executed on a different member switch than the local member switch.

Setting an Uplink VCP on a Standalone Switch You can set an uplink VCP on a standalone switch. You must set an uplink port on the standalone switch as a VCP prior to physically interconnecting the switch with the existing Virtual Chassis configuration. Otherwise, the master cannot detect that the switch is a member of the Virtual Chassis configuration. To set one uplink VCP on the potential member, which is currently operating as a standalone switch: 1.

Power on the standalone switch.

2. Set one uplink port as a VCP interface. You do not need to specify the member

member-id option, because the command applies by default on the member where

it is executed. user@switch> request virtual-chassis vc-port set pic-slot 1 port 0

1436



NOTE: If you do specify the member member-id option, use member ID 0. Because the switch is not yet interconnected with the other members of the Virtual Chassis configuration, its current member ID is 0. Its member ID will change when it is interconnected with the Virtual Chassis configuration. It does not impact the functioning of the uplink VCP that its VCP interface is set with 0 as the member ID. The VCP interface has significance only on the local switch.

3. After you have set the uplink VCP on the standalone switch, physically interconnect

its uplink port with the VCP uplink ports of the members in the existing Virtual Chassis configuration. 4. The new member switch reboots and joins the now expanded Virtual Chassis

configuration with a different member ID.

NOTE: The setting for the new member switch's uplink VCP remains intact and is not affected by the change of member ID.

5. If you have additional members in the second wiring closet, set a redundant VCP

uplink on another member switch by issuing the request virtual-chassis vc-port command. Related Documentation

•


•


•


•


•


•



1437

®


Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure) You can set any 10-Gigabit Ethernet SFP+ port on an EX4500 switch as a Virtual Chassis port (VCP). Setting a 10-Gigabit Ethernet SFP+ transceiver as a VCP is useful in cases in which you have to connect Virtual Chassis members together across a distance that is greater than the longest VCP cable can breach. You can use the 10-Gigabit Ethernet SFP+ ports to connect EX4500 switches together or to connect an EX4500 switch to an EX4200 switch.

NOTE: The Virtual Chassis module for EX4500 switches is a field-replacable unit (FRU) that is not shipped with all EX4500 switch models but can be purchased separately. See Virtual Chassis Module in EX4500 Switches and “EX4500 Switch Models” on page 58.

Before you set an uplink port as a VCP on an EX4500 switch: •

Cable the switches together using an 10-Gigabit Ethernet SFP+ connection.

To set an SFP+ connection as a VCP: 1.

Set the 10–Gigabit Ethernet SFP+ port as a VCP interface: user@switch> request virtual-chassis vc-port set pic-slot pic-slot-number port port-number

where: •

pic-slot-number—the PIC slot number, which is 0 when specifying a native port on the EX4500 switch, 1 when specifying a port on the uplink module in PIC slot number 1, and 2 when specifying a port on an uplink module in PIC slot number 2.

•

port-number—the port number on the EX4500 switch or on the uplink module installed in the EX4500 switch.

2. Log onto the other EX4500 switch, and set the other end of the SFP+ connection as

a VCP interface: user@switch> request virtual-chassis vc-port set pic-slot pic-slot-number port port-number


1438

•




Setting an EX3300 or EX4200 Uplink Port as a Virtual Chassis Port Using the LCD Panel You must interconnect EX3300 switches using uplink port connections to form an EX3300 Virtual Chassis. You can interconnect EX4200 switches that are beyond the reach of the Virtual Chassis cables as members of a Virtual Chassis by using SFP, SFP+, and XFP uplink module ports.

NOTE: You cannot set a 1000BASE-T copper SFP transceiver (EX-SFP-1GE-T) connection as a VCP.

This procedure is usually not needed to configure an EX3300 Virtual Chassis. Uplink ports 2 and 3 on an EX3300 switch are configured as VCPs by default and, therefore, do not require user configuration to be set as VCPs. We recommend that you use this procedure only to configure an uplink port on an EX3300 switch as a VCP if you configured ports 2 and 3 as network uplink ports and the ports need to be reconfigured as VCPs, or in cases when uplink ports 2 and 3 cannot be used as VCPs for an unexpected reason. You can use this procedure to configure any uplink port on an EX3300 switch as a VCP. This topic describes how to set or delete the uplink ports as VCPs using the LCD panel. The following procedure shows how to configure uplink module port ge-0/1/2 as a VCP. To set an uplink port as a VCP using the LCD panel: 1.

Press Menu until you see MAINTENANCE MENU.

2. Press Menu until you see REQUEST VC PORT. 3. Press Enter. You will see SET VC PORT?. 4. Press Enter. You will see SET FPC 0?. 5. Press Enter. You will see SET PIC 0?. 6. Press Menu until you see SET PIC 1?. 7. Press Enter. You will see SET PORT 0?. 8. Press Menu until you see SET PORT 2?. 9. Press Enter. You will see CONFIGURING .... 10. Once the configuration has been accepted, press Enter to return to the MAINTENANCE

menu. You can also use the LCD panel to delete a VCP, thus resetting the port to an uplink port. To reset vcp-0/1/2 to an uplink port using the LCD panel: 1.

Press Menu until you see MAINTENANCE MENU.

2. Press Menu until you see REQUEST VC PORT.


1439

®


3. Press Enter. You will see SET VC PORT?. 4. Press Menu. You will see DELETE VC PORT?. 5. Press Enter. You will see DELETE FPC 0?. 6. Press Enter. You will see DELETE PIC 0?. 7. Press Menu until you see DELETE PIC 1?. 8. Press Enter. You will see DELETE PORT 0?. 9. Press Menu until you see DELETE PORT 2?. 10. Press Enter. You will see CONFIGURING .... 11. Once the configuration has been accepted, press Enter to return to the MAINTENANCE

menu. Related Documentation

•


•


•


•


•

Understanding Interface Naming Conventions on EX Series Switches on page 1772

Configuring the Virtual Management Ethernet Interface for Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) If you want to configure and manage the Virtual Chassis remotely through SSH or Telnet, configure the virtual management Ethernet (VME) interface on the master of the Virtual Chassis. You can configure and manage all members of the Virtual Chassis through this single global interface. 1.

Power on the switch that you want to function as the master.

2. Check the front-panel LCD to confirm that the switch has powered on correctly. 3. Run the EZSetup program on the switch, specifying the identification parameters. See

“Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257. To configure the VME interface: [edit] user@switch# set interfaces vme unit 0 family inet address /ip-address/mask/


1440

•


•


•




Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of the EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) When a backup member takes control of the Virtual Chassis because of a reset or other temporary failure, the backup uses the MAC address of the old master as the system MAC base address. This process helps to ensure a smooth transition of mastership with no disruption to network connectivity. The MAC persistence timer is used in situations in which the master is no longer a member of the Virtual Chassis because the master has been physically disconnected or removed. If the old master does not rejoin the Virtual Chassis before the timer elapses, the new master starts using its own MAC address as the system MAC base address. For information on how the system MAC base address is used to assign MAC addresses to ports in a Virtual Chassis, see Understanding MAC Address Assignment on a Virtual Chassis. The default timer value is 10 minutes. There are no minimum or maximum limits. Before you begin configuring the timer, ensure that you have at least two member switches in the Virtual Chassis. To configure or modify the MAC persistence timer: [edit virtual-chassis] user@switch# set mac-persistence-timer minutes


•


•


•



1441

®


Configuring Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link or switch failure. If a link between two members fails, traffic flow between those members must be rerouted quickly so that there is minimal traffic loss. Fast failover is enabled by default on dedicated Virtual Chassis ports (VCPs).You must manually enable fast failover on uplink ports that have been configured as VCPs or on EX3300 uplink ports that are configured as VCPs by default. Before you begin configuring fast failover, ensure that the dedicated VCPs or uplink VCPs are connected in a ring topology. •

To reenable the fast failover feature on all dedicated VCPs in a ring: [edit] user@switch# delete virtual-chassis fast-failover vcp disable

•

To configure the fast failover feature on all XFP uplink VCPs in a ring: [edit] user@switch# set virtual-chassis fast-failover xe

•

To configure the fast failover feature on all SFP uplink VCPs in a ring: [edit] user@switch# set virtual-chassis fast-failover ge


1442

•


•


•




Disabling Fast Failover in an EX3300, EX4200, or EX4500 Virtual Chassis Fast failover is enabled by default on dedicated Virtual Chassis ports (VCPs). You must use this procedure to manually disable fast failover on dedicated VCPs or to disable fast failover on uplink ports that you previously configured as VCPs. •

To disable the fast failover feature on all dedicated VCPs in a ring: [edit] user@switch# set virtual-chassis fast-failover vcp disable

•

To disable the fast failover feature on all XFP uplink VCPs in a ring: [edit] user@switch# delete virtual-chassis fast-failover xe

•

To disable the fast failover feature on all SFP uplink VCPs in a ring: [edit] user@switch# delete virtual-chassis fast-failover ge


•


•


•


Disabling Split and Merge in an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure) The split and merge feature is enabled by default on EX3300, EX4200, and EX4500 switches in a Virtual Chassis. You can disable the split and merge feature. If you disable the split and merge feature and the Virtual Chassis splits, both parts of the split Virtual Chassis configuration remain active. In a preprovisioned EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis, if both of the Routing Engines end up in the same Virtual Chassis configuration after a split, the other part of the split Virtual Chassis configuration remains inactive. If the Routing Engines end up in different parts of the split Virtual Chassis configuration and the rest of the member switches are configured as having linecard roles, then a backup Routing Engine might not be selected for either part. To disable the split and merge feature in an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis: [edit] user@switch# set virtual-chassis no-split-detection


•



1443

®


•


Assigning the Virtual Chassis ID to Determine Precedence During an EX3300, EX4200, or EX4500 Virtual Chassis Merge (CLI Procedure) Every EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis has a unique ID that is automatically assigned when the Virtual Chassis configuration is formed. You can also explicitly assign a Virtual Chassis ID using the set virtual-chassis id command. When two Virtual Chassis configurations attempt to merge, the Virtual Chassis ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID for the newly merged Virtual Chassis configuration. To configure the Virtual Chassis ID: [edit] user@switch# set virtual-chassis id id


•


•


Configuring Automatic Software Update on EX3300, EX4200, or EX4500 Virtual Chassis Member Switches (CLI Procedure) The automatic software update feature allows you to automatically update the software version on prospective member switches as they are added so that they can join an EX4200 Virtual Chassis or an EX4500 Virtual Chassis. This feature cannot be used to upgrade software for a mixed EX4200 and EX4500 Virtual Chassis.

NOTE: The Junos OS software running on the Virtual Chassis must be compatible with the software running on the prospective member switch for an automatic software update to occur. For information on Junos OS compatibility and other automatic software update restrictions, see “Understanding Automatic Software Update on EX4200 and EX4500 Virtual Chassis Member Switches” on page 1308.

Before you begin, ensure that you know the name or the URL of the software package to be used by the automatic software update feature.

1444



To configure the automatic software update feature: [edit] user@switch# set virtual-chassis auto-sw-update package-name package-name

If the software package is located on a local directory on the switch, use the following format for package-name: /pathname/package-name

If the software package is to be downloaded and installed from a remote location, use one of the following formats: ftp://hostname/pathname/package-name ftp://username:[email protected]/package-name http://hostname/pathname/package-name


•


•

Understanding Automatic Software Update on EX4200 and EX4500 Virtual Chassis Member Switches on page 1308

Configuring Graceful Routing Engine Switchover in a Virtual Chassis (CLI Procedure) In a virtual chassis, one member switch is assigned the master role and has the master Routing Engine. Another member switch is assigned the backup role and has the backup Routing Engine. Graceful Routing Engine switchover (GRES) enables the master and backup Routing Engines in a Virtual Chassis configuration to switch from the master to backup without interruption to packet forwarding. When you configure graceful Routing Engine switchover, the backup Routing Engine automatically synchronizes with the master Routing Engine to preserve kernel state information and the forwarding state. GRES can be configured on these switches: •


•


•


•


•


•


To set up the Virtual Chassis configuration to use graceful Routing Engine switchover (GRES): 1.

Set up a minimum of two switches in a Virtual Chassis configuration with mastership priority of 255: [edit]


1445

®


user@switch# set virtual-chassis member 0 mastership-priority 255 [edit] user@switch# set virtual-chassis member 1 mastership-priority 255 2. Set up graceful Routing Engine switchover: [edit] user@switch# set chassis redundancy graceful-switchover

Commit the configuration.



•


•


•


Configuring an EX3300 Virtual Chassis (CLI Procedure) You must interconnect EX3300 switches using uplink ports configured as Virtual Chassis ports (VCPs). Uplink ports 2 and 3 on an EX3300 switch are configured as VCPs by default. You do not have to configure these interfaces to connect EX3300 switches together in a Virtual Chassis. The uplink ports configured as VCPs are used to connect EX3300 switches into a Virtual Chassis in the same or different wiring closets over short and long distances (up to 6.2 miles).

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis. This ensures that the configuration changes are saved in both Routing Engines.

An EX3300 Virtual Chassis can be configured with either: •

1446

A preprovisioned configuration—Allows you to deterministically control the member ID and role assigned to a member switch by tying it to its serial number.



•

A nonprovisioned configuration—The master sequentially assigns a member ID to other member switches. The role is determined by the mastership priority value and other factors in the master election algorithm.


Configuring an EX3300 Virtual Chassis with a Preprovisioned Configuration File on page 1447

•

Configuring an EX3300 Virtual Chassis with a Nonprovisioned Configuration File on page 1448

Configuring an EX3300 Virtual Chassis with a Preprovisioned Configuration File Preprovisioning a Virtual Chassis configuration allows you to assign the member ID and role for each switch in the Virtual Chassis. Preprovisioning is supported for an EX3300 Virtual Chassis. To configure a Virtual Chassis using a preprovisioned configuration: 1.

Make a list of the serial numbers of all the switches to be connected in a Virtual Chassis configuration.

2. Note the desired role (routing-engine or line-card) of each switch. If you configure the

member with a routing-engine role, it is eligible to function in the master or backup role. If you configure the member with a line-card role, it is not eligible to function in the master or backup role. 3. Interconnect the member switches using uplink ports 2 and 3 of your EX3300 switches.

See Virtual Chassis Cabling Configuration Examples for EX3300 Switches.


4. Power on only the switch that you plan to use as the master switch. Do not power on

the other switches at this time. 5. Run the EZSetup program on the master switch, specifying the identification

parameters. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details.

NOTE: The properties that you specify for the master switch apply to the entire Virtual Chassis configuration, including all the members listed in the preprovisioned configuration file.

6. (Optional) Configure the master switch with the virtual management Ethernet (VME)

interface for out-of-band management of the Virtual Chassis: [edit] user@switch# set interfaces vme unit 0 family inet address /ip-address/mask/


1447

®


7. Specify the preprovisioned configuration mode: [edit virtual-chassis] user@switch# set preprovisioned 8. Specify all the members that you want to included in the Virtual Chassis configuration,

listing each switch’s serial number with the desired member ID and the desired role: [edit virtual-chassis] user@switch# set member 0 serial-number abc123 role routing-engine user@switch# set member 1 serial-number def456 role line-card user@switch# set member 2 serial-number ghi789 role line-card user@switch# set member 3 serial-number jkl012 role line-card user@switch# set member 4 serial-number mno345 role line-card user@switch# set member 5 serial-number pqr678 role routing-engine 9. (Optional. Recommended for a two-member Virtual Chassis) Disable the split and

merge feature: [edit virtual-chassis] user@switch# set no-split-detection 10. Power on the member switches.

NOTE: You cannot modify the mastership priority when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two Routing Engines are assigned the same mastership priority value. However, the member that was powered on first has higher prioritization according to the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290.

Configuring an EX3300 Virtual Chassis with a Nonprovisioned Configuration File Nonprovisioned configuration can be used to configure an EX3300 Virtual Chassis. To configure the Virtual Chassis using a nonprovisioned configuration: 1.

Interconnect the member switches using uplink ports 2 and 3 on your EX3300 switches. See Virtual Chassis Cabling Configuration Examples for EX3300 Switches.

NOTE: For management purposes, we recommend arranging the switches in member ID sequence, either from top to bottom or from bottom to top.

2. Power on only the switch that you plan to use as the master switch (SWA-0). Do not

power on the other switches at this time. 3. Run the EZSetup program on SWA-0, specifying the identification parameters. See

“Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 for details.

1448



NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis configuration, including all the members interconnected through VCPs..

4. (Optional) Configure SWA-0 with the virtual management Ethernet (VME) interface

for out-of-band management of the Virtual Chassis: [edit] user@SWA-0# set interfaces vme unit 0 family inet address /ip-address/mask/ 5. (Optional) Configure mastership priority for the master, backup, and other members: [edit virtual-chassis] user@SWA–0# set member 0 mastership-priority 255 user@SWA–0# set member 3 mastership-priority 255 6. (Optional. Recommended for a two-member Virtual Chassis) Disable the split and

merge feature: [edit virtual-chassis] user@switch# set no-split-detection 7. Power on the member switches in sequential order, one by one.

NOTE: If you do not edit the Virtual Chassis configuration file, a nonprovisioned configuration is generated by default. The mastership priority value for each member switch is 128. The master role is selected by default. You can change the role that is performed by the members by modifying the mastership priority. See “Configuring Mastership of an EX3300, EX4200, or EX4500 Virtual Chassis (CLI Procedure)” on page 1432. We recommend that you specify the same mastership priority value for the desired master and backup members. In this example, the highest possible mastership priority has been assigned to two members. However, the member that was powered on first has higher prioritization according to the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. The other members use the default mastership priority in this example, which configures them to function in the role of linecard.

NOTE: If you want to change the member ID that the master has assigned to a member switch, use the request virtual-chassis renumber command.


•


•


•



1449

®


Adding a New Switch to an Existing EX3300 Virtual Chassis (CLI Procedure) You can use this procedure to add an EX3300 switch to an EX3300 Virtual Chassis. Before you begin, be sure you have: •


•

Confirmed that the new switch is powered off.

•


•

If you are expanding a preprovisioned configuration, edited the existing Virtual Chassis configuration to include the serial number of the new member switch. The parameters specified in the master Virtual Chassis configuration file are applied to the new switch after it has been interconnected to an existing member switch.

NOTE: If you are expanding a preprovisioned Virtual Chassis configuration, you can use the autoprovisioning feature to add member switches to that configuration.

•

(Optional) Configured Ethernet interfaces on different member switches into the same LAG.. See “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354 An active member switch might temporarily go down before coming back up as part of this procedure. Having traffic load-balanced across member switches using a LAG helps alleviate traffic loss during this procedure.

To add a new member switch to an existing Virtual Chassis configuration:: 1.

If the new member switch has been previously configured, revert that switch’s configuration to the factory defaults. See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

2. Interconnect the unpowered new switch to one member of the existing Virtual Chassis

configuration using either uplink port 2 or 3. Uplink ports 2 and 3 are configured as VCPs by default. See Virtual Chassis Cabling Configuration Examples for EX3300 Switches. Connect only one VCP on the unpowered new switch to a VCP on a member switch in the existing Virtual Chassis at this point of the procedure.

NOTE: Because EX3300 switches use uplink ports configured as VCPs to form a Virtual Chassis, this step is identical for short and long distance (up to 6.2 miles) VCP connections.

1450



3. Power on the new switch. 4. Confirm that the new member switch is now included within the Virtual Chassis

configuration by checking the front-panel LCD for the member ID. It should display a member ID that is greater than 0 (1 through 5), because there is already at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is automatically assigned to the member’s serial number in the configuration file.

5. Cable the other default VCP - either uplink port 2 or 3 - on the new member switch to

the Virtual Chassis.



•

Example: Expanding an EX3300 Virtual Chassis on page 1400


1451

®


1452


CHAPTER 40

Verifying EX3300, EX4200, and EX4500 Virtual Chassis Configuration •

Command Forwarding Usage with an EX3300, EX4200, or EX4500 Virtual Chassis on page 1453

•

Verifying the Member ID, Role, and Neighbor Member Connections of an EX3300, EX4200, or EX4500 Virtual Chassis Member on page 1456

•

Verifying That Virtual Chassis Ports on an EX3300, EX4200, or EX4500 Switch Are Operational on page 1458

•

Monitoring EX3300, EX4200 and EX4500 Virtual Chassis Status and Statistics on page 1459

•

Verifying the Setting for the Virtual Chassis Mode on EX4200 and EX4500 Switches on page 1461

•

Verifying the Setting for the PIC Mode on an EX4500 Switch in a Virtual Chassis on page 1461

•

Verifying That Graceful Routing Engine Switchover Is Working in the Virtual Chassis on page 1462

Command Forwarding Usage with an EX3300, EX4200, or EX4500 Virtual Chassis Some CLI commands can be run either on all members or on a specific member of a Virtual Chassis configuration. This functionality is referred to as command forwarding. For example, to collect information about your system prior to contacting Juniper Networks Technical Assistance Center (JTAC), use the command request support information all-members to gather data for all the member switches. If you want to gather this data only for a particular member switch, use the command request support information member member-id . Table 163 on page 1454 provides a list of commands that can be run either on all members of the Virtual Chassis configuration or on a specific member switch.


1453

®


Table 163: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration Commands Available for Command Forwarding request support information

Purpose

all-members

member-member-id

Use this command when you contact JTAC about your component problem. This command is the equivalent of using the following CLI commands:

Displays information for all members of the Virtual Chassis configuration.

Displays information for the specified member switch.

•

show version

•


•

show chassis hardware

•


•

show interfaces extensive

(for each configured interface) •

show configuration

(excluding any SECRET-DATA) •


request system partition hard-disk

Set up the hard disk for partitioning. After this command is issued, the hard disk is partitioned the next time the system is rebooted. When the hard disk is partitioned, the contents of /altroot and /altconfig are saved and restored. All other data on the hard disk is at risk of being lost.

Partitions the hard disk on all members of the Virtual Chassis configuration.

Partitions the hard disk on the specified member switch.


Reboot Junos OS for EX Series switches after a software upgrade and occasionally to recover from an error condition.

Reboots all members of the Virtual Chassis configuration.

Reboots the specified member switch.


Back up the currently running and active file system.

Backs up the file systems on all members of the Virtual Chassis configuration.

Backs up the file system on the specified member switch.


Free storage space on the switch by rotating log files and proposing a list of files for deletion. User input is required for file deletion.

Runs cleanup on all members of the Virtual Chassis configuration.

Runs cleanup on the specified member switch.

show log user

Display users who are viewing the system log.



1454


Chapter 40: Verifying EX3300, EX4200, and EX4500 Virtual Chassis Configuration

Table 163: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration (continued) Commands Available for Command Forwarding

Purpose

all-members

member-member-id

show system alarms

Display active system alarms.



show system audit

Display the state and checksum values for file systems.




Display initial messages generated by the system kernel upon startup. These messages are the contents of /var/run/dmesg.boot.



show system core-dumps

Display a core file generated by an internal Junos OS process.



show system directory-usage

Display directory usage information.



show system reboot

Display pending system reboots or halts.



show system snapshot

Display information about the backup software that is located in the /altroot and /altconfig file systems. To back up software, use the request system snapshot command.




Display the Junos OS extensions loaded on your switch.



show system statistics

Display systemwide protocol-related statistics.



show system storage

Display statistics about the amount of free disk space in the switch's file systems.



show system uptime

Display the current time and information about how long the switch, the switch software, and any existing protocols have been running




1455

®


Table 163: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration (continued) Commands Available for Command Forwarding

Purpose

all-members

member-member-id

show system users

Show all users who are currently logged in.

Shows all users who are currently logged in to any members of the Virtual Chassis configuration.

Shows all users who are currently logged in to the specified member switch.


Display the usage of Junos OS kernel memory, listed first by size of allocation and then by type of usage. Use show system virtual-memory for troubleshooting with JTAC.



Table 164 on page 1456 shows a list of commands that are relevant only to the master switch in a Virtual Chassis configuration. Do not use the options all-members or member-member-id with these commands.

Table 164: Commands Relevant Only to the Master Commands Relevant Only to the Master

Purpose

set date

Set the data and time.

show system buffers

Display information about the buffer pool that the Routing Engine uses for local traffic. Local traffic is the routing and management traffic that is exchanged between the Routing Engine and the Packet Forwarding Engine within the switch, as well as the routing and management traffic from IP (that is, from OSPF, BGP, SNMP, ping operations, and so on).

show system connections

Display information about the active IP sockets on the Routing Engine. Use this command to verify which servers are active on a system and which connections are currently in progress.

show system processes

Display information about software processes that are running on the switch and that have controlling terminals.


•


•


•

Junos OS System Basics and Services Command Reference

Verifying the Member ID, Role, and Neighbor Member Connections of an EX3300, EX4200, or EX4500 Virtual Chassis Member Purpose

1456

You can designate the role that a member performs within an EX3300 Virtual Chassis, EX4200 Virtual Chassis, an EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis configuration or you can allow the role to be assigned by default. You can



designate the member ID that is assigned to a specific switch by creating a permanent association between the switch’s serial number and a member ID, using a preprovisioned configuration. Or you can let the member ID be assigned by the master, based on the sequence in which the member switch is powered on and on which member IDs are currently available. The role and member ID of the member switch are displayed on the front-panel LCD. Each member switch can be cabled to one or two other member switches, using either the dedicated Virtual Chassis ports (VCPs) on the rear panel, an uplink port that has been configured as a VCP, or an SFP network port that has been configured as a VCP. The members that are cabled together are considered neighbor members. Action

To display the role and member ID assignments using the CLI: user@switch> show virtual-chassis status Virtual Chassis ID: 0000.e255.00e0

Meaning

Mastership Priority

Role

Neighbor List ID, Interface

Member ID

Status

Serial No

Model

0 (FPC 0)

Prsnt

abc123

ex4200-48p

255

Master*

1 vcp-0 2 vcp-1

1 (FPC 1)

Prsnt

def456

ex4200-24t

255

Backup

2 vcp-0 0 vcp-1

2 (FPC 2)

Prsnt

abd231

ex4200-24p

128

Linecard

0 vcp-0 1 vcp-1

This output verifies that three EX4200 switches have been interconnected as a Virtual Chassis configuration through their dedicated VCPs to create an EX4200 Virtual Chassis. The display shows which of the VCPs is connected to which neighbor. The first port (vcp-0) of member 0 is connected to member 1 and the second port of member 0 (vcp-1) is connected to member 2. The FPC slots for the switches are the same as the member IDs. The Mastership Priority values indicate that the master and backup members have been explicitly configured, because they are not using the default value (128).

NOTE: This example uses output from an EX4200 Virtual Chassis. The output, with the exception of the Model column, would be identical on an EX3300 Virtual Chassis, EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis.


•


•



1457

®


•


•


•


Verifying That Virtual Chassis Ports on an EX3300, EX4200, or EX4500 Switch Are Operational Purpose

Display the status of Virtual Chassis ports (VCPs) in an EX3300, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis.

NOTE: The interfaces for VCPs are not displayed when you issue the show interfaces ge- command.

Action

Display the VCPs: user@switch> show virtual-chassis vc-port all-members

fpc0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 1 vcp-0 vcp-1 Dedicated 2 Up 32000 1 vcp-1 1/0 Configured 3 Up 1000 2 vcp-255/1/0 1/1 Configured 3 Up 1000 2 vcp-255/1/1 1/2 Configured 4 Up 1000 4 vcp-255/0/20 1/3 Configured 4 Up 1000 4 vcp-255/0/21 fpc1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 0 vcp-0 vcp-1 Dedicated 2 Up 32000 0 vcp-1 1/0 Configured 3 Up 10000 3 vcp-255/1/0 1/1 Configured 3 Up 10000 3 vcp-255/1/1 fpc2: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 3 vcp-0 vcp-1 Dedicated 2 Up 32000 3 vcp-1 1/0 Configured 3 Up 1000 0 vcp-255/1/0 1/1 Configured 3 Up 1000 0 vcp-255/1/1 1/2 —1 Down 1000 1/3 —1 Down 1000

1458



fpc3: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 2 vcp-0 vcp-1 Dedicated 2 Up 32000 2 vcp-1 1/0 Configured 3 Up 10000 1 vcp-255/1/0 1/1 Configured 3 Up 10000 1 vcp-255/1/1 fpc4: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Down 32000 vcp-1 Dedicated 2 Down 32000 0/20 Configured 3 Up 1000 0 vcp-255/1/2 0/21 Configured 3 Up 1000 0 vcp-255/1/3

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplink interfaces that have been set as uplink VCPs are displayed as 1/0, 1/1, 1/2, and 1/3. The network interfaces that have been set as VCPs are displayed as 0/20 and 0/21. The neighbor interface names of uplink and network VCPs are of the form vcp-255/pic/port—for example, vcp-255/1/0. In that name, vcp-255 indicates that the interface is a VCP, 1 is the uplink PIC number, and 0 is the port number. The fpc number is the same as the member ID. The trunk ID is a positive number ID assigned to the link aggregation group (LAG) formed by the Virtual Chassis. If no LAG is formed, the value is –1.

NOTE: This example uses output from an EX4200 Virtual Chassis. The output would be identical on an EX3300 Virtual Chassis, EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis.


•


•


•


•


•


Monitoring EX3300, EX4200 and EX4500 Virtual Chassis Status and Statistics Purpose

Use the monitoring functionality to view the following information about EX3300, EX4200 or EX4500 member switches and ports in a Virtual Chassis:


1459

®


Action

•

Member details and how members are connected with each other

•

Traffic statistics for Virtual Chassis ports of the selected members

•

Details of the VCP packet counters

To view Virtual Chassis monitoring details in the J-Web interface for a Virtual Chassis, select Monitor > Virtual Chassis. To view member details for all members in the CLI, enter the following command: user@switch> show virtual-chassis status

To view VCP traffic statistics for a specific member in the CLI, enter the following command: user@switch>show virtual-chassis vc-port statistics member member-id

To view the path a packet takes when going from a source interface to a destination interface in a Virtual Chassis configuration using the CLI, enter the following command: user@switch> show virtual-chassis vc-path

Meaning

In the J-Web interface, the top half of the screen displays details of the Virtual Chassis configuration, such as: •

Member

•

Role

•

Interface

•

Type

•

Speed

•

Neighboring Member ID

•

Link Status

•

Error count

Click the Stop button to stop fetching values from the switch, and click the Start button to start plotting data again from the point where it was stopped. To view a graph of the statistics for the selected VCP of the member, click Show Graph. Refresh Interval (sec)—Displays the time interval you have set for page refresh. Click Clear Statistics to clear the monitoring statistics for the selected member switch. You can specify the interval at which the member details and statistics must be refreshed. The bottom half of the screen displays a chart of the Virtual Chassis statistics and the port packet counters. For details about the output from CLI commands, see the show virtual-chassis status and show virtual-chassis vc-port statistics command summaries.

1460




•


•


•


•


Verifying the Setting for the Virtual Chassis Mode on EX4200 and EX4500 Switches Purpose

Action

You must configure EX4200 and EX4500 switches into mixed Virtual Chassis mode if you want those switches to act as member switches in a mixed EX4200 and EX4500 Virtual Chassis. You must also configure an EX4200 or EX4500 switch out of mixed Virtual Chassis mode if you remove the switch from a mixed Virtual Chassis. You must change the Virtual Chassis mode for all member switches in a Virtual Chassis if all EX4200 or EX4500 switches are removed from a mixed EX4200 and EX4500 Virtual Chassis and the Virtual Chassis is no longer mixed. To display the Virtual Chassis mode of any EX4200 or EX4500 switch: user@switch> show virtual-chassis mode fpc0: -------------------------------------------------------------------------Mixed Mode: Disabled

Meaning


The output indicates that the switch is currently not in mixed Virtual Chassis mode.

•


Verifying the Setting for the PIC Mode on an EX4500 Switch in a Virtual Chassis Purpose Action

Verify the PIC mode setting for an EX4500 switch in a Virtual Chassis. To verify the current PIC mode setting: user@switch> show chassis pic-mode fpc0: -------------------------------------------------------------------------Pic Mode: Intraconnect

Meaning


The output shows that the PIC mode is currently set to Intraconnect. You must set the PIC mode to virtual-chassis if you want to connect the switch into a Virtual Chassis using the dedicated Virtual Chassis ports (VCPs) on the Virtual Chassis module.

•



1461

®


Verifying That Graceful Routing Engine Switchover Is Working in the Virtual Chassis Purpose

Action

Graceful Routing Engine switchover (GRES) takes place on the switches with two routing engines and is used when those switches are configured as virtual chassis. Verify that graceful Routing Engine switchover (GRES) is working in the following: •


•


•


•


•


•


On the master switch, verify the member ID of the backup Routing Engine: {master:0} user@switch> show virtual-chassis status Virtual Chassis ID: 5efa.4b7a.aae6 Member ID 0 (FPC 0) 1 (FPC 1)

Status Prsnt Prsnt

Mastership Serial No Model priority BM0208105281 ex4200-24t 255 BP0208192350 ex4200-48t 255

Role Master* Backup

Neighbor List ID Interface 1 vcp-0 0 vcp-0


1.

Connect to the backup Routing Engine: {master:0} user@switch> request session member 1 {backup:1} user@switch>

2. Verify that the backup Routing Engine is ready for switchover on member ID 1: {backup:1} user@switch> show system switchover Graceful switchover: On Configuration database: Ready Kernel database: Ready Peer state: Steady State

3. Switch the current backup Routing Engine to master Routing Engine:

NOTE: You must wait a minimum of two minutes between Routing Engine failovers for the Routing Engines to synchronize.

{backup:1}

1462



user@switch> request chassis routing-engine master acquire 4. Verify that the master and backup Routing Engines have switched roles:

NOTE: Member ID 1 is now the master and member ID 0 is now the backup.

{master:1} user@switch> show virtual-chassis status Virtual Chassis ID: 5efa.4b7a.aae6 Mastership

Neighbor List

Member ID 0 (FPC 0)

Status Prsnt

Serial No Model priority BM0208105281 ex4200-24t 255

Role Backup

1 (FPC 1)

Prsnt

BP0208192350 ex4200-48t

Master*

255

ID 1 0

Interface vcp-0 vcp-0


Meaning


With graceful Routing Engine switchover enabled, when you initiated a switchover from the backup Routing Engine, the backup Routing Engine became the master and the master Routing Engine became the backup.

•



1463

®


1464


CHAPTER 41

Troubleshooting EX3300, EX4200, and EX4500 Virtual Chassis •

Troubleshooting an EX3300, EX4200 or EX4500 Virtual Chassis on page 1465

Troubleshooting an EX3300, EX4200 or EX4500 Virtual Chassis This topic describes the following troubleshooting issues for an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis: •

A Disconnected Member Switch's ID Is Not Available for Reassignment on page 1465

•

Load Factory Default Does Not Commit on a Multimember Virtual Chassis on page 1466

•

The Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis on page 1466

•

A Member Switch or Multiple Member Switches are Not Participating in an EX4200 Virtual Chassis or an EX4500 Virtual Chassis on page 1466

•

A Member Switch Is Not Participating in a Mixed EX4200 and EX4500 Virtual Chassis on page 1468

A Disconnected Member Switch's ID Is Not Available for Reassignment Problem

You disconnected a switch from the Virtual Chassis, but the disconnected switch’s member ID is still displayed in the status output. You cannot reassign that member ID to another switch.

Solution

When you disconnect a member of a Virtual Chassis configuration, the master retains the member ID and member configuration in its configuration database. Output from the show virtual-chassis status command continues to display the member ID of the disconnected member with a status of NotPrsnt. If want to permanently disconnect the member switch, you can free up the member ID by using the request virtual-chassis recycle command. This will also clear the status of that member.


1465

®


Load Factory Default Does Not Commit on a Multimember Virtual Chassis Problem

The load factory-default command fails on a multimember Virtual Chassis.

Solution

The load factory-default command is not supported on a multimember Virtual Chassis configuration. For information on how to revert the switches in the Virtual Chassis to factory default settings, see “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537.

The Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis Problem

Gigabit Ethernet interfaces retain their previous slot numbers when a member switch is disconnected from the Virtual Chassis.

Solution

If a switch had been previously connected as a member of a Virtual Chassis configuration, it retains the member ID that it was assigned as a member of that configuration even after it is disconnected and operating as a standalone switch. The interfaces that were configured while the switch was a member of the Virtual Chassis configuration retain the old member ID as the first digit of the interface name. For example, if the switch was previously member 1, its interfaces are named ge-1/0/0 and so on. To change the switch’s member ID, so that its member ID is 0, and to rename the switch’s interfaces accordingly: 1.

To change the member ID to 0: user@switch> request virtual-chassis renumber member-id 1 new-member-id 0

2. To rename the interfaces to match the new member ID: [edit virtual-chassis] user@switch# replace pattern ge-1/ with ge-0/

A Member Switch or Multiple Member Switches are Not Participating in an EX4200 Virtual Chassis or an EX4500 Virtual Chassis Problem

At least one member switch in an EX4200 Virtual Chassis or an EX4500 Virtual Chassis is not participating in the Virtual Chassis. The show virtual-chassis status output indicates the member switch status is Inactive or NotPrsnt for one or more member switches. This issue is most likely to happen immediately after cabling a new switch into an existing Virtual Chassis or after cabling a new Virtual Chassis.

Solution

1466

The Virtual Chassis might have switches with different mixed mode settings. If mixed mode is enabled on some member switches and disabled on other member switches in an EX4200 Virtual Chassis or EX4500 Virtual Chassis, the switches that have enabled mixed mode assume the master and backup roles and remain active in the Virtual Chassis while the switches that have disabled mixed mode assume the linecard role and stop participating in the Virtual Chassis.


Chapter 41: Troubleshooting EX3300, EX4200, and EX4500 Virtual Chassis

You can disable mixed mode on the switches that have enabled mixed mode to fix this problem. To verify the member switch status and the mixed mode settings: user@switch> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: c749.4495.9068 Virtual Chassis Mode: Enabled Member ID 0 (FPC 0)

Mstr Status Serial No Model prio NotPrsnt BM0209469808 ex4200-24t 129

1 (FPC 1)

NotPrsnt BM0209469735 ex4200-24t 129

2 (FPC 2)

NotPrsnt BM0209469735 ex4200-24t 129

3 (FPC 3)

Prsnt

BM0209469735 ex4200-24t 129

Mixed Neighbor List Mode ID Interface N 3 vcp-0 1 vcp-1 Linecard N 0 vcp-0 2 vcp-1 Linecard N 1 vcp-0 3 vcp-1 Master Y 2 vcp-0 0 vcp-1 Role Linecard

The Mixed Mode output was added to the show virtual-chassis mode command in Junos OS Release 11.2. If you are running Junos OS Release 11.1 or earlier, you also need to enter the show virtual-chassis mode command to verify the mixed mode setting: user@switch> show virtual-chassis mode fpc0: -------------------------------------------------------------------------Mixed Mode: Disabled fpc1: -------------------------------------------------------------------------Mixed Mode: Disabled fpc2: -------------------------------------------------------------------------Mixed Mode: Disabled fpc3: -------------------------------------------------------------------------Mixed Mode: Enabled

To disable mixed mode on a member switch (in this case, member ID 3): user@switch> request virtual-chassis mode mixed disable member 3

To disable mixed mode on all member switches in the Virtual Chassis: user@switch> request virtual-chassis mode mixed disable all-members

The member switch must be rebooted for the Virtual Chassis mode setting change to take effect. To reboot the member switch (in this case, member ID 3): user@switch> request system reboot member 3

To reboot the Virtual Chassis: user@switch> request system reboot all-members

After the reboots have completed, verify that all member switches are now participating in the Virtual Chassis: user@switch> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: c749.4495.9068 Virtual Chassis Mode: Enabled


1467

®


Member ID 0 (FPC 0)

Status Prsnt

Mstr Serial No Model prio BM0209469808 ex4200-24t 129

1 (FPC 1)

Prsnt

BM0209469735 ex4200-24t 129

2 (FPC 2)

Prsnt

BM0209469735 ex4200-24t 129

3 (FPC 3)

Prsnt

BM0209469735 ex4200-24t 129

Mixed Neighbor List Mode ID Interface N 3 vcp-0 1 vcp-1 Backup N 0 vcp-0 2 vcp-1 Linecard N 1 vcp-0 3 vcp-1 Linecard N 2 vcp-0 0 vcp-1 Role Master

The role assignments change as a result of this procedure. If needed, configure the Virtual Chassis. See “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408.

A Member Switch Is Not Participating in a Mixed EX4200 and EX4500 Virtual Chassis Problem

A member switch in a mixed EX4200 and EX4500 Virtual Chassis is not participating in the Virtual Chassis. The show virtual-chassis status output indicates the member switch status is Inactive or NotPrsnt. This issue is most likely to happen immediately after cabling a mixed EX4200 and EX4500 Virtual Chassis or after cabling a new switch into an existing Virtual Chassis.

Solution

The Virtual Chassis mode on the switch might not be set to mixed mode. If the member switch is an EX4500 switch and cabled into the Virtual Chassis using the dedicated Virtual Chassis port (VCP), the PIC mode might also be set to Intraconnect instead of virtual-chassis. To verify the Virtual Chassis mode: user@switch> show virtual-chassis mode fpc0: -------------------------------------------------------------------------Mixed Mode: Enabled fpc1: -------------------------------------------------------------------------Mixed Mode: Enabled fpc2: -------------------------------------------------------------------------Mixed Mode: Enabled fpc3: -------------------------------------------------------------------------Mixed Mode: Enabled fpc4: -------------------------------------------------------------------------Mixed Mode: Disabled fpc5: -------------------------------------------------------------------------Mixed Mode: Enabled

To change the Virtual Chassis mode on a member switch (in this case, member ID 4) to mixed mode: user@switch> request virtual-chassis mode mixed member 4

To change the Virtual Chassis mode on all member switches in the Virtual Chassis:

1468


Chapter 41: Troubleshooting EX3300, EX4200, and EX4500 Virtual Chassis

user@switch> request virtual-chassis mode mixed all-members

(EX4500 switch only) To verify the PIC mode: user@switch> show chassis pic-mode fpc0: -------------------------------------------------------------------------Pic Mode: Not-Applicable fpc1: -------------------------------------------------------------------------Pic Mode: Not-Applicable fpc2: -------------------------------------------------------------------------Pic Mode: Not-Applicable fpc3: -------------------------------------------------------------------------Pic Mode: Not-Applicable fpc4: -------------------------------------------------------------------------Pic Mode: PIC 3: Intraconnect fpc5: -------------------------------------------------------------------------Pic Mode: PIC 3: virtual-chassis

To change the PIC mode on an EX4500 switch to virtual-chassis mode (in this case, member ID 4): user@switch> request chassis pic-mode virtual-chassis member 4

The member switch must be rebooted for the Virtual Chassis mode or PIC mode setting change to take effect. To reboot the member switch (in this case, member ID 4): user@switch> request system reboot member 4


•


•


•


•


•

For more information about the replace command, see Junos OS CLI User Guide .


1469

®


1470


CHAPTER 42

Configuration Statements for EX3300, EX4200, and EX4500 Virtual Chassis •


[edit virtual-chassis] Configuration Statement Hierarchy virtual-chassis { auto-sw-update { package-name package-name; } fast-failover (ge | vcp disable | xe); id id; mac-persistence-timer seconds; member member-id { location location; mastership-priority number; no-management-vlan; serial-number; role; } no-split-detection; preprovisioned; traceoptions (Virtual Chassis) { file filename ; flag flag ; } }


•


•


•


•



1471

®


auto-sw-update Syntax


auto-sw-update { package-name package-name; } [edit virtual-chassis]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Enable the automatic software update feature for Virtual Chassis configurations. The remaining statement is explained separately.


1472

The automatic software update feature is disabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•



Chapter 42: Configuration Statements for EX3300, EX4200, and EX4500 Virtual Chassis

fast-failover Syntax Hierarchy Level Release Information Description

fast-failover (ge | vcp disable | xe); [edit virtual-chassis]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Enable the fast failover feature on an uplink Virtual Chassis port (VCP). Fast failover is not supported on an EX8200 Virtual Chassis.

Default

Fast failover is enabled, by default, on dedicated VCPs. Fast failover is not enabled on uplink VCPs, including the uplink ports that are, by default, configured as VCPs on an EX3300 switch.

Options


•

ge—Enable fast failover on all Gigabit Ethernet uplink VCPs in the ring topology.

•

vcp disable—Disable fast failover on all dedicated VCPs in the ring topology.

•

xe—Enable fast failover on all 10-Gigabit Ethernet uplink VCPs in the ring topology.



•


•



1473

®


graceful-switchover Syntax Hierarchy Level Release Information Description


1474

graceful-switchover; [edit chassis redundancy]

Statement introduced in Junos OS Release 9.2 for EX Series switches. For switches with more than one Routing Engine, including those in a Virtual Chassis, configure the master Routing Engine to switch over gracefully to a backup Routing Engine without interruption to packet forwarding. Graceful Routing Engine switchover (GRES) is disabled. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Example: Configuring Nonstop Active Routing on EX Series Switches on page 1681

•


•

Configuring Nonstop Active Routing on EX Series Switches (CLI Procedure) on page 1688

•




id Syntax Hierarchy Level Release Information Description Options

id id; [edit virtual-chassis]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure the alphanumeric string that identifies a Virtual Chassis configuration. id—Virtual Chassis ID (VCID), which uses the ISO family address format—for example, 9622.6ac8.5345.




•


•


•

Understanding Virtual Chassis Member ID Numbering in an EX8200 Virtual Chassis on page 1545


1475

®


lag-hash Syntax Hierarchy Level Release Information Description

lag-hash (packet-based | source-port-based); [edit virtual-chassis vc-port]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Enable hashing of link aggregation group (LAG) network traffic over a dedicated trunk port within a Virtual Chassis, and select how the traffic within the dedicated trunk port is hashed.

BEST PRACTICE: Do not configure this statement unless you have a compelling reason to configure it. Configuration of this statement is optional and is only useful in a few types of network setups.

Default Options

source-port-based packet-based—Hashes all incoming LAG network traffic on the dedicated trunk port

based on the packet. source-port-based—Hashes all incoming LAG network traffic on the dedicated trunk port

based on the source. Required Privilege Level Related Documentation

1476


Understanding Link Aggregation into an EX8200 Virtual Chassis on page 1549



location Syntax Hierarchy Level Release Information Description

location location; [edit virtual-chassis member member-id]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Set a description of the location of the Virtual Chassis member switch or external Routing Engine. The Location field is visible to users who enter the show virtual-chassis status detail command. Setting this description has no effect on the operation of the Virtual Chassis member.

Options

location—Location of the current member switch or external Routing Engine. The location

can be any single word. Required Privilege Level Related Documentation



•


•

Example: Setting Up a Full Mesh EX8200 Virtual Chassis with Two EX8200 Switches and Redundant XRE200 External Routing Engines on page 1557

•


•


•



1477

®


mac-persistence-timer Syntax Hierarchy Level Release Information Description

mac-persistence-timer minutes; [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. (EX3300, EX4200, and EX4500 Virtual Chassis only) Specify how long the Virtual Chassis continues to use the MAC address of the switch that was originally configured in the master role as the system MAC base address when the original master switch is removed from the Virtual Chassis. The system MAC base address does not change in the event of a switchover provided the switch originally configured in the master role remains a member of the Virtual Chassis. There are no minimum or maximum timer limits.

Default Options

The MAC persistence timer is set to 10 minutes by default. minutes—Time in minutes that the member switch in the backup role continues to use

the system MAC base address of the old master for all Layer 3 interfaces before using its own system MAC base address after the switch in the master role is physically disconnected or removed from the Virtual Chassis. Required Privilege Level Related Documentation

1478





mastership-priority Syntax Hierarchy Level Release Information

Description

mastership-priority number; [edit virtual-chassis member member-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Mastership priority option 0 introduced in Junos OS Release 11.1 for EX Series switches. (EX3300, EX4200, and EX4500 Virtual Chassis) The mastership priority value is the most important factor in determining the role of the member switch within the Virtual Chassis configuration. Other factors (see “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290) also affect the election of the master. The mastership priority value takes the highest precedence in the master election algorithm. The member switch with highest mastership priority becomes the master of the Virtual Chassis configuration. Toggling back and forth between master and backup status in failover conditions is undesirable, so we recommend that you assign the same mastership priority value to both the master and the backup. Secondary factors in the master election algorithm determine which of these two members (that is, the two members that are assigned the highest mastership priority value) functions as the master of the Virtual Chassis configuration. This statement is not used for the EX8200 Virtual Chassis, which determines mastership by external Routing Engine uptime. See “Understanding Virtual Chassis Roles in an EX8200 Virtual Chassis” on page 1546. A switch with a mastership priority of 0 never takes the master or backup role.

Default Options

128 number—Mastership priority value.

Range: 0 through 255 Required Privilege Level Related Documentation



•


•


•



1479

®


member Syntax


member member-id { location location mastership-priority number; no-management-vlan; serial-number; role; } [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an EX3300, EX4200, or EX4500 switch as a member of a Virtual Chassis configuration, or configure an EX8200 switch or an XRE200 External Routing Engine as a member of a Virtual Chassis configuration.

NOTE: The mastership-priority and no-management-vlan statements are not used in an EX8200 Virtual Chassis.

Default

When an EX3300, EX4200, or EX4500 is powered on as a standalone switch (not interconnected through its Virtual Chassis ports (VCPs) with other switches), its default member ID is 0. There is no default member ID in an EX8200 Virtual Chassis. An EX8200 Virtual Chassis must be preprovisioned, and that process configures the member IDs.

Options

member-id—Identifies a specific member switch of a Virtual Chassis configuration.

Range: 0 through 9 In an EX3300 Virtual Chassis, each switch has a member ID in the range from 0 through 5.. In an EX4200 or EX4500 Virtual Chassis, each switch has a member ID in the range from 0 through 9. In an EX8200 Virtual Chassis, member IDs 0 through 7 are reserved for EX8200 member switches and member IDs 8 and 9 are reserved for the master and backup external Routing Engines. The remaining statements are explained separately. Required Privilege Level Related Documentation

1480





•


•


•


•


no-management-vlan Syntax Hierarchy Level Release Information Description

no-management-vlan; [edit virtual-chassis member member-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Remove the specified member’s out-of-band management port from the virtual management Ethernet (VME) global management VLAN of the Virtual Chassis configuration. For a member that is functioning in a linecard role, you can use this configuration to reserve the member's management Ethernet port for local troubleshooting: virtual-chassis { member 2 { no-management-vlan; } }

You cannot configure the IP address for a local management Ethernet port using the CLI or the J-Web interface. To do this, you need to use the shell ifconfig command. Required Privilege Level Related Documentation



•


•



1481

®


no-split-detection Syntax Hierarchy Level

no-split-detection; [edit virtual-chassis]

Release Information


Description

Disable the split and merge feature in a Virtual Chassis configuration. We recommend using this statement to disable the split and merge feature when configuring a two-member EX3300, EX4200, or EX4500 Virtual Chassis. Enabling this statement on a two-member Virtual Chassis ensures that both switches remain in the correct Virtual Chassis roles in the event of a Virtual Chassis split.


1482

The split and merge feature is enabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•




package-name Syntax Hierarchy Level Release Information Description

Default Options

package-name package-name; [edit virtual-chassis auto-sw-update]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specify the software package name or location of the software package to be used by the automatic software update feature for Virtual Chassis configurations. No package name is specified. package-name—Name of the software package or the URL to the software package to

be used. •

If the software package is located on a local directory on the switch, use the following format for package-name: /pathname/package-name

•

If the software package is to be downloaded and installed from a remote location, use one of the following formats: ftp://hostname/pathname/package-name ftp://username:[email protected]/package-name http://hostname/pathname/package-name




•



1483

®


preprovisioned Syntax Hierarchy Level Release Information Description

preprovisioned; [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable the preprovisioned configuration mode for a Virtual Chassis configuration. When the preprovisioned configuration mode is enabled for an EX3300, EX4200, or EX4500 Virtual Chassis, you cannot use the CLI or the J-Web interface to change the mastership priority or member ID of member switches. A preprovisioned configuration is highly recommended for a mixed EX4200 and EX4500 Virtual Chassis. You must use this statement to configure an EX8200 Virtual Chassis. Nonprovisioned configuration of an EX8200 Virtual Chassis is not supported.


1484



•


•


•


•


•




redundancy (Graceful Switchover) Syntax


redundancy { failover { on-disk-failure; on-loss-of-keepalives; } graceful-switchover; } [edit chassis]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Enable redundant Routing Engines on a Virtual Chassis with two or more member switches or on a standalone EX6200 or EX8200 switch with more than one Routing Engine. The remaining statements are explained separately.


Redundancy is enabled for the Routing Engines. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

graceful-switchover on page 1474

•


•


•



1485

®


role Syntax Hierarchy Level Release Information Description

role (line-card | routing-engine); [edit virtual-chassis preprovisioned member member-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the roles of the members of the Virtual Chassis in a preprovisioned Virtual Chassis. EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, and Mixed EX4200 and EX4500 Virtual Chassis Specify the role to be performed by each member switch. Associate the role with the member’s serial number. When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces. The mastership priority value is generated by the software, based on the assigned role: •

A member configured as routing-engine is assigned the mastership priority 129.

•

A member configured as line-card is assigned the mastership priority 0.

•

A member listed in the preprovisioned configuration without an explicitly specified role is assigned the mastership priority 128.

The configured role specifications are permanent. If both routing-engine members fail, a line-card member cannot take over as master of the Virtual Chassis configuration. You must delete the preprovisioned configuration to change the specified roles in an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis. Explicitly configure two members as routing-engine and configure additional switches as members of the preprovisioned Virtual Chassis by specifying only their serial numbers in an EX3300 Virtual Chassis, EX4200 Virtual Chassis, or EX4500 Virtual Chassis. If you do not explicitly configure the role of the additional members, they function in a linecard role by default. In that case, a member that is functioning in a linecard role can take over mastership if the members functioning as master and backup (routing-engine role) both fail. EX8200 Virtual Chassis Specify the role to be performed by each XRE200 External Routing Engine and each EX8200 member switch. Associate the role with the member’s serial number. An EX8200 Virtual Chassis cannot function when both external Routing Engines, which must be configured in the routing-engine role, have failed. Options

•

line-card—Enables the member to be eligible to function only in the linecard role. Any

member of the Virtual Chassis configuration other than the master or backup functions in the linecard role and runs only a subset of Junos OS for EX Series switches. A member

1486



functioning in the linecard role does not run the control protocols or the chassis management processes. An EX3300, EX4200, mixed EX4200 and EX4500, and EX4500 Virtual Chassis configuration must have at least three members for one member to function in the linecard role. In an EX8200 Virtual Chassis configuration, all member switches must be in the linecard role. •

routing-engine—Enables the member to function as a master or backup of the Virtual

Chassis configuration. The master manages all members of the Virtual Chassis configuration and runs the chassis management processes and control protocols. The backup synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable. (EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, and mixed EX4200 and EX4500 Virtual Chassis) Specify two and only two members as routing-engine. The software determines which of the two members assigned the routing-engine role functions as master, based on the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. In these Virtual Chassis, the routing-engine role is associated with a switch. (EX8200 Virtual Chassis) All XRE200 External Routing Engines must be in the routing-engine role. Required Privilege Level Related Documentation



•


•


•


•


•


•


•



1487

®


serial-number Syntax Hierarchy Level Release Information Description

serial-number serial-number; [edit virtual-chassis preprovisioned member member-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. In a preprovisioned EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis or mixed EX4200 and EX4500 Virtual Chassis, specify the serial number of each member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the switch cannot be recognized as a member of a preprovisioned configuration. In an EX8200 Virtual Chassis configuration, specify the serial number of each XRE200 External Routing Engine and each EX8200 member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the external Routing Engine or switch cannot be recognized as a member of the configuration.

Options

serial-number—Permanent serial number for the external Routing Engine or for the member

switch. Required Privilege Level Related Documentation

1488



•


•


•


•


•


•


•




traceoptions Syntax



traceoptions { file filename ; flag flag ; } [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Option detail added in Junos OS Release 9.2 for EX Series switches. Define tracing operations for the Virtual Chassis configuration. Tracing operations are disabled. detail—(Optional) Generate detailed trace information for a flag. disable—(Optional) Disable a flag. file filename—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files flag flag—Tracing operation to perform. To specify more than one tracing operation,


all—All tracing operations.

TIP: The all flag displays a subset of logs that are useful in debugging most issues. For more detailed information, use all detail.

•

auto-configuration—Trace Virtual Chassis ports (VCPs) that have been automatically

configured. •

csn—Trace Virtual Chassis complete sequence number (CSN) packets.

•

error—Trace Virtual Chassis errored packets.

•

hello—Trace Virtual Chassis hello packets.

•

krt—Trace Virtual Chassis KRT events.


1489

®


•

lsp—Trace Virtual Chassis link-state packets.

•

lsp-generation—Trace Virtual Chassis link-state packet generation.

•

me—Trace Virtual Chassis ME events.

•

normal—Trace normal events.

•

packets—Trace Virtual Chassis packets.

•

parse—Trace reading of the configuration.

•

psn—Trace partial sequence number (PSN) packets.

•

route—Trace Virtual Chassis routing information.

•

spf—Trace Virtual Chassis SPF events.

•

state—Trace Virtual Chassis state transitions.

•

task—Trace Virtual Chassis task operations.

no-stamp—(Optional) Do not place a timestamp on any trace file. no-world-readable—(Optional) Restrict file access to the user who created the file. receive—(Optional) Trace received packets. replace—(Optional) Replace a trace file rather than appending information to it. send—(Optional) Trace transmitted packets. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB world-readable—(Optional) Enable unrestricted file access.


1490





•


•


•


•

Verifying Virtual Chassis Ports in an EX8200 Virtual Chassis on page 1578

•


vc-port Syntax


vc-port { lag-hash (packet-based | source-port-based); } [edit virtual-chassis]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Enable hashing of link aggregation group (LAG) network traffic over a dedicated trunk port within a Virtual Chassis. You select how to direct all LAG traffic through the dedicated trunk port by using the lag-hash statement.

BEST PRACTICE: Do not configure this statement unless you have a compelling reason to configure it. Configuration of this statement is optional and is only useful in a few types of network setups.

The remaining statement is explained separately. Default Required Privilege Level Related Documentation

source-port-based system—To view this statement in the configuration. system-control—To add this statement to the configuration. •



1491

®


virtual-chassis Syntax


virtual-chassis { auto-sw-update { package-name package-name; } fast-failover (ge | vcp disable | xe); graceful-restart { disable; } id id; mac-persistence-timer seconds; member member-id { location location; mastership-priority number; no-management-vlan; serial-number; role; } no-split-detection; preprovisioned; traceoptions (Virtual Chassis) { file filename ; flag flag ; } vc-port { lag-hash (packet-based | source-port-based); } } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Virtual Chassis information. The remaining statements are explained separately.

Default

A standalone EX3300, EX4200, or EX4500 switch is a Virtual Chassis by default. It has a default member ID of 0, a default mastership priority of 128, and a default role as master. A standalone XRE200 External Routing Engine or EX8200 switch is not part of an EX8200 Virtual Chassis until a Virtual Chassis configuration is set up.


1492



•




•


•


•


•



1493

®


1494


CHAPTER 43

Operational Commands for EX3300, EX4200, and EX4500 Virtual Chassis


1495

®


clear virtual-chassis vc-port statistics Syntax

Release Information

clear virtual-chassis vc-port statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. The options all-members and local were added in Junos OS Release 9.3 for EX Series switches.

Description

Clear—reset to zero (0)—the traffic statistics counters on Virtual Chassis ports (VCPs).

Options

none—Clear traffic statistics for VCPs of all members of a Virtual Chassis configuration. all-members—(Optional) Clear traffic statistics for VCPs of all members of a Virtual

Chassis configuration. interface-name—(Optional) Clear traffic statistics for the specified VCP. local—(Optional) Clear traffic statistics for VCPs from the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Clear traffic statistics for VCPs from the specified member

of a Virtual Chassis configuration. Required Privilege Level Related Documentation


clear

•

show virtual-chassis vc-port statistics on page 1528

•

show virtual-chassis vc-port on page 1524

•


clear virtual-chassis vc-port statistics (EX4200 Virtual Chassis) on page 1496 clear virtual-chassis vc-port statistics (EX8200 Virtual Chassis) on page 1496 clear virtual-chassis vc-port statistics member 3 on page 1497

Sample Output clear virtual-chassis vc-port statistics (EX4200 Virtual Chassis)

user@switch> clear virtual-chassis vc-port statistics fpc0: -------------------------------------------------------------------------Statistics cleared


user@external-routing-engine> clear virtual-chassis vc-port statistics member0: --------------------------------------------------------------------------

1496


Chapter 43: Operational Commands for EX3300, EX4200, and EX4500 Virtual Chassis

(EX8200 Virtual Chassis)

Statistics cleared member1: -------------------------------------------------------------------------Statistics cleared member8: -------------------------------------------------------------------------Statistics cleared member9: -------------------------------------------------------------------------Statistics cleared

clear virtual-chassis vc-port statistics member 3

user@switch> clear virtual-chassis vc-port statistics member 3 Cleared statistics on member 3


1497

®


request chassis pic-mode Syntax


request chassis pic-mode (intraconnect | virtual-chassis)

Command introduced in Junos OS Release 11.1 for EX Series switches. Set the PIC mode on an EX4500 switch. The PIC mode must be set to virtual-chassis if the EX4500 switch is cabled into a Virtual Chassis using the dedicated Virtual Chassis ports (VCPs) on the Virtual Chassis module. The PIC mode setting has no impact on uplink ports that are configured as VCPs. The default PIC mode setting is virtual-chassis if the EX4500 switch was shipped with a Virtual Chassis module. The PIC mode is not set if the EX4500 switch was sent without the Virtual Chassis module. The EX4500 switch functions in intraconnect mode when the PIC mode is not set. Use the show chassis pic-mode command to verify the current PIC mode setting. The PIC mode setting is maintained through reboots even though it is set in operational mode.

Options

intraconnect—Set the PIC mode to intraconnect. virtual-chassis—Set the PIC mode to Virtual Chassis. none—Set the PIC mode on the member switch where the command is issued. all-members—(Optional) Set the PIC mode for all members of the Virtual Chassis

configuration. local—(Optional) Set the PIC mode on the member switch where the command is issued. member member-id—(Optional) Set the PIC mode of the specified member of the Virtual

Chassis configuration. Required Privilege Level Related Documentation

1498

view

•

Verifying the Setting for the PIC Mode on an EX4500 Switch in a Virtual Chassis on page 1461

•


•


•





request chassis pic-mode virtual-chassis on page 1499 request chassis pic-mode intraconnect on page 1499

Sample Output request chassis pic-mode virtual-chassis request chassis pic-mode intraconnect

user@switch> request chassis pic-mode virtual-chassis

user@switch> request chassis pic-mode intraconnect


1499

®


request session member Syntax Release Information Description Options Required Privilege Level Related Documentation

1500

request session member member-id

Command introduced in Junos OS Release 9.0 for EX Series switches. Start a session with the specified member of a Virtual Chassis configuration. member-id—Member ID for the specific member of the Virtual Chassis configuration.

maintenance

•

member on page 1480

•




request virtual-chassis mode mixed Syntax


request virtual-chassis mode mixed

Command introduced in Junos OS Release 11.1 for EX Series switches. Configure an EX4200 or EX4500 switch as a member of a mixed EX4200 and EX4500 Virtual Chassis. To avoid potential traffic disruptions and configuration issues, we recommend entering this command and rebooting the member switch before cabling it into the mixed EX4200 and EX4500 Virtual Chassis if you are cabling a mixed EX4200 and EX4500 Virtual Chassis for the first time. The command can be entered after cabling the switch into the mixed EX4200 and EX4500 Virtual Chassis, however. The switch or switches must be rebooted for this command to take effect. When this command is not used to set any of the switches in a cabled mixed EX4200 and EX4500 Virtual Chassis to mixed mode, a mixed EX4200 and EX4500 Virtual Chassis forms with one of the switches assuming the master role if the switches are running Junos OS Release 11.4 or later. All other switches in the mixed EX4200 and EX4500 Virtual Chassis are inactive within the Virtual Chassis and are placed into the linecard role. If you experience this issue, you should enter the request virtual-chassis mode mixed all-members command to set the Virtual Chassis mode to mixed for all switches in the Virtual Chassis. You will then need to reboot the Virtual Chassis or each individual member switch to complete the procedure. You can configure the Virtual Chassis when it has successfully formed after the reboot. If some of the switches in the Virtual Chassis are set to mixed mode using this command while others are not, the switches that have not enabled mixed mode are inactive and cannot participate as member switches in the mixed EX4200 and EX4500 Virtual Chassis. If you experience this issue, you should enter the request virtual-chassis mode mixed all-members command to set the Virtual Chassis mode to mixed for all switches in the Virtual Chassis. You will then need to reboot the Virtual Chassis or each individual member switch to complete the procedure. You can configure the Virtual Chassis when all member switches are participating after the reboot is completed. The Virtual Chassis mode setting is maintained through reboots even though it is set in operational mode.

Options

none—Set the Virtual Chassis mode to mixed on the member switch where the command

is issued. all-members—(Optional) Set the Virtual Chassis mode to mixed for all members of the

Virtual Chassis configuration. disable—Disable the Virtual Chassis mixed mode setting if it was previously enabled.


1501

®


local—(Optional) Set the Virtual Chassis mode to mixed on the member switch where

the command is issued. member member-id—(Optional) Set the Virtual Chassis mode to mixed on the specified

member of the Virtual Chassis configuration. Required Privilege Level Related Documentation


system-control

•


•


request virtual-chassis mode mixed on page 1502

Sample Output request virtual-chassis mode mixed

1502

user@switch> request virtual-chassis mode mixed



request virtual-chassis recycle Syntax Release Information Description

request virtual-chassis recycle member-id member-id

Command introduced in Junos OS Release 9.0 for EX Series switches. Make a previously used member ID available for reassignment. When you remove a member switch from the Virtual Chassis configuration, the master reserves that member ID. To make the member ID available for reassignment, you must use this command.

NOTE: You must run this command from the Virtual Chassis member in the master role.

Options

member-id member-id—Specify the member ID that you want to make available for

reassignment to a different member. Required Privilege Level Related Documentation


system-control

•

request virtual-chassis renumber on page 1504

•


•

Adding or Replacing a Member Switch or an External Routing Engine in an EX8200 Virtual Chassis (CLI Procedure) on page 1565

request virtual-chassis recycle member-id 3 on page 1503 request virtual-chassis recycle member-id 1 on page 1503

Sample Output request virtual-chassis recycle member-id 3

user@switch> request virtual-chassis recycle member-id 3


user@external-routing-engine> request virtual-chassis recycle member-id 1


1503

®


request virtual-chassis renumber Syntax Release Information Description

request virtual-chassis renumber member-id old-member-id new-member-id new-member-id

Command introduced in Junos OS Release 9.0 for EX Series switches. Renumber a member of a Virtual Chassis configuration.


Options

member-id old-member-id—Specify the ID of the member that you wish to renumber. new-member-id new-member-id—Specify an unassigned member ID.



system-control

•

request virtual-chassis recycle on page 1503

•


•


request virtual-chassis renumber member-id 5 new-member-id 4 on page 1504 request virtual-chassis renumber member-id 1 new-member-id 0 on page 1504

Sample Output request virtual-chassis renumber member-id 5 new-member-id 4

user@switch> request virtual-chassis renumber member-id 5 new-member-id 4


1504

user@external-routing-engine> request virtual-chassis renumber member-id 1 new-member-id 0



request virtual-chassis vc-port Syntax

Release Information

Description

request virtual-chassis vc-port set | delete pic-slot pic-slot port port-number

Command introduced in Junos OS Release 9.0 for EX Series switches. Option fpc-slot introduced in Junos OS Release 10.4 for EX Series switches. Enable or disable an uplink port (on an SFP, SFP+, or XFP uplink interface) or an SFP network port as a Virtual Chassis port (VCP). If you omit member member-id, this command defaults to enabling or disabling the uplink VCP or SFP network port configured as a VCP on the switch where the command is issued. On an EX3300 switch, uplink ports 2 and 3 are configured as VCPs by default. No other uplink ports on any other EX Series switches are configured as VCPs by default. You might experience a temporary traffic disruption immediately after creating or deleting a user-configured VCP in an EX8200 Virtual Chassis.

Options

pic-slot pic-slot—Number of the PIC slot for the uplink port or SFP network port on the

switch. port port-number—Number of the uplink port or SFP network port that is to be enabled

or disabled as a VCP. member member-id—(Optional) Enable or disable the specified VCP on the specified



system-control

•

request virtual-chassis vc-port on page 1507 (dedicated port)

•


•


•

clear virtual-chassis vc-port statistics on page 1496

•

Virtual Chassis Port (VCP) Interface Names in an EX8200 Virtual Chassis on page 1552

•


request virtual-chassis vc-port set pic-slot 1 port 0 on page 1506 request virtual-chassis vc-port set pic-slot 1 port 1 member 3 on page 1506 request virtual-chassis vc-port delete pic-slot 1 port 1 member 3 on page 1506


1505

®


Sample Output request virtual-chassis vc-port set pic-slot 1 port 0

user@switch> request virtual-chassis vc-port set pic-slot 1 port 0

request virtual-chassis vc-port set pic-slot 1 port 1 member 3

user@switch> request virtual-chassis vc-port set pic-slot 1 port 1 member 3

request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

user@switch> request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

1506

To check the results of this command, use the show virtual-chassis vc-port command.







request virtual-chassis vc-port set interface vcp-interface-name

Command introduced in Junos OS Release 9.0 for EX Series switches. Disable or enable a Virtual Chassis port (VCP) on a dedicated VCP on an EX4200 or EX4500 switch. Configure a Gigabit Ethernet link on an EX8200 switch as a VCP in an EX8200 Virtual Chassis. You can use this command only to configure a link between two EX8200 member switches as a VCP link; all other links in an EX8200 Virtual Chassis are automatically VCP links.

Options

interface vcp-interface-name—Name of the interface to enable or disable.

If you omit member member-id in an EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis, this command defaults to disabling or enabling the dedicated VCP on the switch where the command is issued. The dedicated VCPs are enabled in the factory default configuration. member member-id—(Optional on EX4200 and EX4500 switches; required on EX8200

switches) Enable or disable the specified VCP on the specified member of the Virtual Chassis configuration. This option must be specified when using this command to configure a VCP link between two EX8200 switches. disable—(Optional) Disable the specified VCP. If you omit this keyword, the command

enables the dedicated VCP. Required Privilege Level Related Documentation


system-control

•

request virtual-chassis vc-port on page 1505

•


•


•


•


request virtual-chassis vc-port set interface vcp-0 disable (EX4200 Virtual Chassis) on page 1508 request virtual-chassis vc-port set fpc-slot 4 pic-slot 0 port 2 member 1 (EX8200 Virtual Chassis) on page 1508 request virtual-chassis vc-port set interface vcp-0 member 3 disable (EX8200 Virtual Chassis) on page 1508


1507

®


Sample Output request virtual-chassis vc-port set interface vcp-0 disable (EX4200 Virtual Chassis)

user@switch> request virtual-chassis vc-port set interface vcp-0 disable

request virtual-chassis vc-port set fpc-slot 4 pic-slot 0 port 2 member 1 (EX8200 Virtual Chassis)

user@external-routing-engine> request virtual-chassis vc-port set fpc-slot 4 pic-slot 0 port 2 member 1

request virtual-chassis vc-port set interface vcp-0 member 3 disable (EX8200 Virtual Chassis)

user@external-routing-engine> request virtual-chassis vc-port set interface vcp-0 member 3 disable

1508






show chassis pic-mode Syntax


show chassis pic-mode

Command introduced in Junos OS Release 11.1 for EX Series switches. Display the PIC mode on an EX4500 switch. The PiC mode must be set to virtual-chassis if the EX4500 switch is cabled into a Virtual Chassis using the dedicated Virtual Chassis ports (VCPs) on the Virtual Chassis module. The default PIC mode setting is virtual-chassis if the EX4500 switch was shipped with a Virtual Chassis module. The PIC mode is not set if the EX4500 switch was ordered without the Virtual Chassis module. The EX4500 switch functions in intraconnect mode when the PIC mode is not set. Use the request chassis pic-mode command to configure the PIC mode setting.

Options

none—Display the PIC mode on the member switch where the command is issued. all-members—(Optional) Display the PIC mode for all members of the Virtual Chassis

configuration. local—(Optional) Display the PIC mode on the member switch where the command is

issued. member member-id—(Optional) Display the PIC mode of the specified member of the

Virtual Chassis configuration. Required Privilege Level Related Documentation


view

•

request chassis pic-mode on page 1498

•


show chassis pic-mode on page 1509

Sample Output show chassis pic-mode

user@switch> show chassis pic-mode fpc0: -------------------------------------------------------------------------Pic Mode: Intraconnect


1509

®


show system uptime Syntax Release Information Description

Options

show system uptime (all-members | member member-id)

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the current time and information about how long the Virtual Chassis, the Junos OS software, and routing protocols have been running. all-members—Display the current time and information about how long the Virtual Chassis,

the Junos OS software, and routing protocols have been running for all the member switches of the Virtual Chassis configuration. member member-id—Display the current time and information about how long the Virtual

Chassis, the Junos OS software, and routing protocols have been running for the specific member of the Virtual Chassis configuration. Required Privilege Level Related Documentation


view

•

virtual-chassis on page 1492

•


show system uptime member 0 on page 1511 Table 165 on page 1510 lists the output fields for the show system uptime command. Output fields are listed in the approximate order in which they appear.


Field Description

Current time


System booted


Protocols started


Last configured


Time and up

Current time, in the local time zone, and how long the switch has been operational.

Users

Number of users logged into the switch.

Load averages


1510



Sample Output show system uptime member 0

user@switch>show system uptime member 0 fpc0: -----------------------------------------------------------------------Current time: 2008-02-06 05:24:20 UTC System booted: 2008-01-31 08:26:54 UTC (5d 20:57 ago) Protocols started: 2008-01-31 08:27:56 UTC (5d 20:56 ago) Last configured: 2008-02-05 03:26:43 UTC (1d 01:57 ago) by root 5:24AM up 5 days, 20:57, 1 user, load averages: 0.14, 0.06, 0.01


1511

®


show virtual-chassis active-topology Syntax

Release Information

show virtual-chassis active-topology

Command introduced in Junos OS Release 9.0 for EX Series switches.

Description

Display the active topology of the Virtual Chassis configuration with next-hop reachability information.

Options

none—Display the active topology of the member switch where the command is issued. all-members—(Optional) Display the active topology of all members of the Virtual Chassis

configuration. local—(Optional) Display the active topology of the switch or external Routing Engine

on which this command is entered. member member-id—(Optional) Display the active topology of the specified member of

the Virtual Chassis configuration. Required Privilege Level Related Documentation


Output Fields

view

•


•


show virtual-chassis active-topology (EX4200 Virtual Chassis) on page 1512 show virtual-chassis active-topology (EX8200 Virtual Chassis) on page 1513 Table 166 on page 1512 lists the output fields for the show virtual-chassis active-topology command. Output fields are listed in the approximate order in which they appear.

Table 166: show virtual-chassis active-topology Output Fields Field Name

Field Description

Destination ID

Specifies the member ID of the destination.

Next-hop

Specifies the member ID and Virtual Chassis port (VCP) of the next hop to which packets for the destination ID are forwarded.

Sample Output show virtual-chassis active-topology

1512

user@switch> show virtual-chassis active-topology 1 1(vcp-1)




show virtual-chassis active-topology (EX8200 Virtual Chassis)

2

1(vcp-1)

3

1(vcp-1)

4

1(vcp-1)

5

8(vcp-0)

6

8(vcp-0)

7

8(vcp-0)

8

8(vcp-0)

1(vcp-1)

user@external-routing-engine> show virtual-chassis active-topology member0: -------------------------------------------------------------------------Destination ID Next-hop 1

1(vcp-4/0/4.32768)

8

8(vcp-0/0.32768)

9

8(vcp-0/0.32768)

member1: -------------------------------------------------------------------------Destination ID Next-hop 0

0(vcp-3/0/4.32768)

8

8(vcp-0/0.32768)

9

8(vcp-0/0.32768)


0(vcp-1/1.32768)

1

1(vcp-1/2.32768)

9

9(vcp-2/1.32768)


1513

®


member9: -------------------------------------------------------------------------Destination ID Next-hop

1514

0

8(vcp-1/2.32768)

1

8(vcp-1/2.32768)

8

8(vcp-1/2.32768)



show virtual-chassis fast-failover Syntax Release Information Description Required Privilege Level Related Documentation


show virtual-chassis fast-failover

Command introduced in Junos OS Release 9.3 for EX Series switches. Display information about the fast failover feature in a Virtual Chassis configuration. view

•


•


•


show virtual-chassis fast-failover on page 1515 Table 167 on page 1515 lists the output fields for the show virtual-chassis fast-failover command. Output fields are listed in the approximate order in which they appear.

Table 167: show virtual-chassis fast-failover Output Fields Field Name

Field Description

Fast failover on dedicated VCP ports

Indicates fast failover status on dedicated VCPs.

Fast failover on XE uplink VCP ports

Indicates fast failover status on XFP uplink VCPs.

Fast failover on GE uplink VCP ports

Indicates fast failover status on SFP uplink VCPs.

Sample Output show virtual-chassis fast-failover

user@switch1> Fast failover Fast failover Fast failover


show virtual-chassis fast-failover on dedicated VCP ports: Enabled on XE uplink VCP ports: Disabled on GE uplink VCP ports: Enabled

1515

®


show virtual-chassis login Syntax Release Information Description

show virtual-chassis login

Command introduced in Junos OS Release 9.3 for EX Series switches. Supply the address of the host that logged into the Virtual Chassis, or identify the location of the member switch that redirected the current session to a different Virtual Chassis member switch. You might need this information for tracing or troubleshooting purposes.



view

•

request session member on page 1500

•


show virtual-chassis login (Direct Login to the Master Console Port) on page 1516 show virtual-chassis login (Backup Console Session Redirected to the Master Console Port) on page 1516

Sample Output show virtual-chassis login (Direct Login to the Master Console Port) show virtual-chassis login (Backup Console Session Redirected to the Master Console Port)

1516

user@switch> show virtual-chassis login Current login session initiated from host 248.1.2.3

user@switch> show virtual-chassis login Current login session initiated from host backup



show virtual-chassis mode Syntax


show virtual-chassis mode

Command introduced in Junos OS Release 11.1 for EX Series switches. Display the Virtual Chassis mixed mode status. An EX4200 or EX4500 switch must have mixed mode enabled if it is part of a mixed EX4200 and EX4500 Virtual Chassis. Mixed mode must be disabled for the switch in all other contexts.

Options

none—Display the Virtual Chassis mixed mode status on the switch where the command

is entered. all-members—(Optional) Display the Virtual Chassis mixed mode status for all member

switches in the Virtual Chassis. local—(Optional) Display the Virtual Chassis mixed mode status on the switch where

the command is entered. member member-id—(Optional) Display the Virtual Chassis mixed mode status of the

specified member of the Virtual Chassis. Required Privilege Level Related Documentation


view

•

request virtual-chassis mode mixed on page 1501

•


show virtual-chassis mode on page 1517 Table 168 on page 1517 lists the output fields for the show virtual-chassis mode command.

Table 168: show virtual-chassis mode Output Fields Field Name

Field Description

Mixed Mode

Specifies the mixed mode status of the member switch. Mixed mode is either Enabled or Disabled for the member switch.

Sample Output show virtual-chassis mode

user@switch>show virtual-chassis mode fpc0: -------------------------------------------------------------------------Mixed Mode: Disabled


1517

®


1518



show virtual-chassis status Syntax

show virtual-chassis status

Release Information

Command introduced in Junos OS Release 9.0 for EX Series switches. Location field introduced in Junos OS Release 11.1 for EX Series switches. Mixed Mode field introduced in Junos OS Release 11.2 for EX Series switches.

Description

Display information about all members of the Virtual Chassis configuration.



Output Fields

view

•


•


show virtual-chassis status (EX4200 Virtual Chassis) on page 1520 show virtual-chassis status (EX8200 Virtual Chassis) on page 1521 Table 169 on page 1519 lists the output fields for the show virtual-chassis status command. Output fields are listed in the approximate order in which they appear.

Table 169: show virtual-chassis status Output Fields Field Name

Field Description

Virtual Chassis ID

Assigned ID that applies to the entire Virtual Chassis configuration.

Member ID

Assigned member ID and FPC slot (from 0 through 9).

Status

For a nonprovisioned configuration: •

Prsnt for a member that is currently connected to the Virtual Chassis configuration

•

NotPrsnt for a member ID that has been assigned but is not currently connected

For a preprovisioned configuration: •

Prsnt for a member that is specified in the preprovisioned configuration file and is

currently connected to the Virtual Chassis configuration •

Unprvsnd for a member that is interconnected with the Virtual Chassis configuration,

but is not specified in the preprovisioned configuration file Serial No

Serial number of the member switch or external Routing Engine

Model

Model number of the member switch

Mastership Priority

Mastership priority value of the member switch

Role

Role of the member switch


1519

®


Table 169: show virtual-chassis status Output Fields (continued) Field Name

Field Description

Mixed Mode

Mixed mode configuration status •

Y for a member switch configured in mixed mode.

•

N for a member switch not configured in mixed mode.

•

NA for a member switch that cannot be configured in mixed mode.

Location of the member device

Location

If this field is empty, the location field was not set for the device. Neighbor List

Member ID of the neighbor member to which this member’s VCP is connected.

Sample Output show virtual-chassis status (EX4200 Virtual Chassis)

user@switch> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Mastership List Member ID Interface 0 (FPC 0)

1 (FPC 1)

2 (FPC 2)

3 (FPC 3)

4 (FPC 4)

5 (FPC 5)

6 (FPC 6)

7 (FPC 7)

8 (FPC 8)

1520

Status Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Serial No

Model

AK0207360276 ex4200-24t

AK0207360281 ex4200-24t

AJ0207391130 ex4200-48p

AK0207360280 ex4200-24t

AJ0207391113 ex4200-48p

BP0207452204 ex4200-48t

BP0207452222 ex4200-48t

BR0207432028 ex4200-24f

BR0207431996 ex4200-24f

priority 249

248

247

246

245

244

243

242

241

Mixed Role

Mode

Master*

N

Backup

Linecard

Linecard

Linecard

Linecard

Linecard

Linecard

Linecard

N

N

N

N

N

N

N

N

Neighbor ID 8

vcp-0

1

vcp-1

0

vcp-0

2

vcp-1

1

vcp-0

3

vcp-1

2

vcp-0

4

vcp-1

3

vcp-0

5

vcp-1

4

vcp-0

6

vcp-1

5

vcp-0

7

vcp-1

6

vcp-0

8

vcp-1

7

vcp-0



0

vcp-1



user@external-routing-engine> show virtual-chassis status Virtual Chassis ID: c806.0842.de51 Mastership List Member ID 0 (FPC 0-15)

Status Prsnt

Serial No Model BA0908380001 ex8216

priority 0

Neighbor Role ID Interface Linecard 8 vcp-0/0 8

1 (FPC 16-31)

Prsnt

BT0909411634 ex8208

0

8 (FPC 128-143) Prsnt

062009000021 ex-xre

128

9 (FPC 144-159) Prsnt


062009000022 ex-xre

128

1

vcp-4/0/4 8 vcp-0/0

0

vcp-3/0/4 9 vcp-1/0

Linecard

Master

Backup*

vcp-0/1

1

vcp-1/2

9

vcp-1/3

0

vcp-2/0

9

vcp-2/1

0 8

vcp-1/1 vcp-1/0

8

vcp-1/2

8

vcp-1/3

1521

®


show virtual-chassis vc-path Syntax


Options

show virtual-chassis vc-path source-interface interface-name destination-interface interface-name

Command introduced in Junos OS Release 9.6 for EX Series switches. Show the path a packet takes when going from a source interface to a destination interface in a Virtual Chassis configuration. source-interface interface-name—Name of the interface from which the packet originates destination-interface interface-name—Name of the interface to which the packet is

delivered Required Privilege Level Related Documentation


view

•


•


•


show virtual-chassis vc-path source-interface destination-interface on page 1523 Table 170 on page 1522 lists the output fields for the show virtual-chassis vc-path command. Output fields are listed in the approximate order in which they appear.

Table 170: show virtual-chassis vc-path Output Fields

1522

Field Name

Field Description

Hop

The number of hops between the source and destination interfaces.

Member

The Virtual Chassis ID of the member switch that contains the Packet Forwarding Engine for each intermediate hop.

PFE-Device

The number of the Packet Forwarding Engine in each Virtual Chassis member through which a packet passes. Each Packet Forwarding Engine is the next hop of the preceding Packet Forwarding Engine.

Interface

The name of the interface through which the Packet Forwarding Engines are connected. The interface for the first hop is always the source interface and the interface for the last hop is always the destination interface. For intermediate hops, the Interface field denotes the Packet Forwarding Engines through which the packet passes on its way to the next hop.



Sample Output show virtual-chassis vc-path source-interface destination-interface

user@switch> show virtual-chassis vc-path source-interface ge-0/0/0 destination-interface ge-1/0/1 vc-path from ge-0/0/0 to ge-1/0/1 Hop Member PFE-Device Interface 0 0 1 ge-0/0/0 1 0 0 internal-1/24 2 1 3 vcp-0 3 1 4 ge-1/0/1


1523

®


show virtual-chassis vc-port Syntax


Options

show virtual-chassis vc-port

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the status of the Virtual Chassis ports (VCPs), including both the dedicated VCPs and the uplink ports configured as VCPs. none—Display the operational status of all VCPs of the member switch where the

command is issued. all-members—(Optional) Display the operational status of all VCPs on all members of

the Virtual Chassis configuration. local—(Optional) Display the operational status of the switch or external Routing Engine

on which this command is entered. member member-id—(Optional) Display the operational status of all VCPs for the specified



Output Fields

view

•


•


•


show virtual-chassis vc-port (EX4200 Virtual Chassis) on page 1525 show virtual-chassis vc-port (EX8200 Virtual Chassis) on page 1526 show virtual-chassis vc-port all-members on page 1527 Table 171 on page 1524 lists the output fields for the show virtual-chassis vc-port command. Output fields are listed in the approximate order in which they appear.

Table 171: show virtual-chassis vc-port Output Fields Field Name

Field Description

fpcnumber

The FPC number is the same as the member ID.

1524



Table 171: show virtual-chassis vc-port Output Fields (continued) Field Name

Field Description

Interface or PIC/Port

VCP name.

Type

•

The dedicated VCPs in an EX4200 or EX4500 Virtual Chassis are vcp-0 and vcp-1.

•

The uplink module ports set as VCPs in an EX4200 Virtual Chassis are named 1/0 and 1/1, representing the PIC number and the port number.

•

The native VCP (port 0) on an XRE200 External Routing Engine in an EX8200 Virtual Chassis is named vcp-0.

•

The VCPs on each Virtual Chassis Control Interface (VCCI) module in an XRE200 External Routing Engine are named using the vcp-slot-number/port-number convention; for instance, vcp-1/0.

•

The VCPs on EX8200 member switches are named using the vcp-slot-number/pic-number/interface-number convention; for instance, vcp-3/0/2.

Type of VCP: •

Dedicated—The rear panel VCP on an EX4200 or EX4500 switch. or any VCP link connected to an

XRE200 External Routing Engine in an EX8200 Virtual Chassis. •

Configured—Uplink port configured as a VCP in an EX4200 or EX4500 Virtual Chassis or an SFP+

link between two EX8200 switches configured as a VCP in an EX8200 Virtual Chassis. •

Auto-Configured—Uplink port autoconfigured as a VCP in an EX4200 or EX4500 Virtual Chassis.

See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434 or “Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure)” on page 1567 for information about configuring VCPs. Trunk ID

A positive-number ID assigned to a link aggregation group (LAG) formed by the Virtual Chassis. The trunk ID value is –1 if no trunk is formed. A LAG between uplink VCPs requires that the link speed be the same on connected interfaces and that at least two VCPs on one member be connected to at least two VCPs on the other member in an EX4200 or EX4500 Virtual Chassis. Dedicated VCP LAGs are assigned trunk IDs 1 and 2. Trunk IDs for LAGs formed with uplink VCPs therefore have values of 3 or greater. The trunk ID value changes if the link-adjacency state between LAG members changes; trunk membership is then allocated or deallocated.

Status

Interface status: •

absent—Interface is not a VCP link.

•

down—VCP link is down.

•

up—VCP link is up.

Speed (mbps)

Speed of the interface in megabits per second.

Neighbor ID/Interface

The Virtual Chassis member ID and interface of a VCP on a member that is connected to the interface or PIC/Port field in the same row as this interface.

Sample Output show virtual-chassis vc-port (EX4200 Virtual Chassis)

user@switch> show virtual-chassis vc-port fpc0: -------------------------------------------------------------------------–


1525

®


Interface or PIC / Port vcp-0 vcp-1 1/0 1/0

show virtual-chassis vc-port (EX8200 Virtual Chassis)

Type

Dedicated Dedicated Auto-Configured Auto-Configured

Trunk ID 1 2 3 3

Status

Speed (mbps)


Up Up Up Up

32000 32000 1000 1000

1 0 2 2

vcp-1 vcp-0 vcp-255/1/0 vcp-255/1/1

user@external-routing-engine> show virtual-chassis vc-port member0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Up 1000 8 vcp-1/1 vcp-0/1 Dedicated -1 Up 1000 8 vcp-2/0 4/0/4 Configured -1 Up 10000 1 vcp-3/0/4 4/0/7 Configured -1 Down 10000 4/0/3 Configured Absent 4/0/2 Configured Absent 4/0/5 Configured Absent 4/0/6 Configured Absent 4/0/1 Configured Absent 4/0/0 Configured Absent member1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Up 1000 8 vcp-1/2 3/0/0 Configured -1 Down 10000 3/0/1 Configured -1 Down 10000 3/0/4 Configured -1 Up 10000 0 vcp-4/0/4 3/0/5 Configured Absent 4/0/5 Configured Absent 4/0/4 Configured Absent member8: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Down 1000 vcp-1/0 Dedicated -1 Up 1000 9 vcp-1/0 vcp-1/1 Dedicated -1 Up 1000 0 vcp-0/0 vcp-1/2 Dedicated -1 Up 1000 1 vcp-0/0 vcp-1/3 Dedicated -1 Up 1000 9 vcp-1/3 vcp-2/0 Dedicated -1 Up 1000 0 vcp-0/1 vcp-2/1 Dedicated -1 Up 1000 9 vcp-1/2 vcp-2/2 Dedicated -1 Down 1000 vcp-2/3 Dedicated -1 Down 1000 member9: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Disabled 1000 vcp-1/0 Dedicated -1 Up 1000 8 vcp-1/0 vcp-1/1 Dedicated -1 Down 1000

1526



vcp-1/2 vcp-1/3

show virtual-chassis vc-port all-members

Dedicated Dedicated

-1 -1

Up Up

1000 1000

8 8

vcp-2/1 vcp-1/3

user@switch> show virtual-chassis vc-port all-members

fpc0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 1 vcp-1 vcp-1 Dedicated 2 Up 32000 0 vcp-0 1/0 Auto-Configured 3 Up 1000 2 vcp-255/1/0 1/1 Auto-Configured 3 Up 1000 2 vcp-255/1/1 fpc1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 0 vcp-1 vcp-1 Dedicated 2 Up 32000 0 vcp-0 1/0 Auto-Configured —1 Up 1000 3 vcp-255/1/0 fpc2: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 3 vcp-1 vcp-1 Dedicated 2 Up 32000 3 vcp-0 1/0 Auto-Configured 3 Up 1000 0 vcp-255/1/0 1/1 Auto-Configured 3 Up 1000 0 vcp-255/1/1 fpc3: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 2 vcp-0 vcp-1 Dedicated 2 Up 32000 2 vcp-1 1/0 Auto-Configured —1 Up 1000 1 vcp-255/1/0


1527

®


show virtual-chassis vc-port statistics Syntax

Release Information

Description Options

show virtual-chassis vc-port statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. The options all-members, brief, detail, extensive, and local were added in Junos OS Release 9.3 for EX Series switches. Display the traffic statistics collected on Virtual Chassis ports (VCPs). none—Display traffic statistics for VCPs of all members of a Virtual Chassis configuration. brief | detail | extensive—(Optional) Display the specified level of output. Using the brief

option is equivalent to entering the command with no options (the default). The detail and extensive options provide identical displays. all-members—(Optional) Display traffic statistics for VCPs of all members of a Virtual

Chassis configuration. interface-name—(Optional) Display traffic statistics for the specified VCP. local—(Optional) Display traffic statistics for VCPs on the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Display traffic statistics for VCPs on the specified member



Output Fields

1528

view

•


•


•


•


show virtual-chassis vc-port statistics on page 1531 show virtual-chassis vc-port statistics (EX8200 Virtual Chassis) on page 1531 show virtual-chassis vc-port statistics brief on page 1532 show virtual-chassis vc-port statistics extensive on page 1532 show virtual-chassis vc-port statistics member 0 on page 1533 Table 172 on page 1529 lists the output fields for the show virtual-chassis vc-port statistics command. Output fields are listed in the approximate order in which they appear.



Table 172: show virtual-chassis vc-port statistics Output Fields Field Name

Field Description

Level of Output

fpcnumber

(EX4200, EX4500, and mixed EX4200 and EX4500 Virtual Chassis only) ID of the Virtual Chassis member. The FPC number is the same as the member ID.

All levels

member number

(EX8200 Virtual Chassis only) Member ID of the Virtual Chassis member.

All levels

Interface

VCP name.

brief

Input Octets/Packets

Number of octets and packets received on the VCP.

brief, member, none

Output Octets/Packets

Number of octets and packets transmitted on the VCP.

brief, member, none

master: number

Member ID of the Virtual Chassis master.

All levels

Port

VCP for which RX (Receive) statistics,TX (Transmit) statistics, or both are reported by the VCP subsystem during a sampling interval—since the statistics counter was last cleared.

detail, extensive

Total octets

Total number of octets received and transmitted on the VCP.

detail, extensive

Total packets

Total number of packets received and transmitted on the VCP.

detail, extensive

Unicast packets

Number of unicast packets received and transmitted on the VCP.

detail, extensive

Broadcast packets

Number of broadcast packets received and transmitted on the VCP.

detail, extensive

Multicast packets

Number of multicast packets received and transmitted on the VCP.

detail, extensive

MAC control frames

Number of media access control (MAC) control frames received and transmitted on the VCP.

detail, extensive

CRC alignment errors

Number of packets received on the VCP that had a length—excluding framing bits, but including frame check sequence (FCS) octets—of between 64 and 1518 octets, inclusive, and had one of the following errors:

detail, extensive

•

Invalid FCS with an integral number of octets (FCS error)

•

Invalid FCS with a nonintegral number of octets (alignment error)


1529

®


Table 172: show virtual-chassis vc-port statistics Output Fields (continued) Field Name

Field Description

Level of Output

Oversize packets

Number of packets received on the VCP that were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed.

detail, extensive

Undersize packets

Number of packets received on the VCP that were shorter than 64 octets (excluding framing bits but including FCS octets) and were otherwise well formed..

detail, extensive

Jabber packets

Number of packets received on the VCP that were longer than 1518 octets—excluding framing bits, but including FCS octets—and that had either an FCS error or an alignment error.

detail, extensive

NOTE: This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10Base5) and section 10.3.1.4 (10Base2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is between 20 ms and 150 ms. Fragments received

Number of packets received on the VCP that were shorter than 64 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error.

detail, extensive

Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted. Ifout errors

Number of outbound packets received on the VCP that could not be transmitted because of errors.

detail, extensive

Packet drop events

Number of outbound packets received on the VCP that were dropped, rather than being encapsulated and sent out of the switch as fragments. The packet drop counter is incremented if a temporary shortage of packet memory causes packet fragmentation to fail.

detail, extensive

64 octets frames

Number of packets received on the VCP (including invalid packets) that were 64 octets in length (excluding framing bits, but including FCS octets).

detail, extensive

65–127 octets frames

Number of packets received on the VCP (including invalid packets) that were between 65 and 127 octets in length, inclusive (excluding framing bits, but including FCS octets).

detail, extensive



detail, extensive

1530




Field Description

Level of Output



detail, extensive



detail, extensive



detail, extensive

Rate packets per second

Number of packets per second received and transmitted on the VCP.

detail, extensive

Rate bytes per second

Number of bytes per second received and transmitted on the VCP.

detail, extensive

Sample Output show virtual-chassis vc-port statistics

user@switch> show virtual-chassis vc-port statistics fpc0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets internal-0/24 0 / 0 0 / 0 internal-0/25 0 / 0 0 / 0 internal-1/26 0 / 0 0 / 0 internal-1/27 0 / 0 0 / 0 vcp-0 0 / 0 0 / 0 vcp-1 0 / 0 0 / 0 internal-0/26 0 / 0 0 / 0 internal-0/27 0 / 0 0 / 0 internal-1/24 0 / 0 0 / 0 internal-1/25 0 / 0 0 / 0 {master:0}

show virtual-chassis vc-port statistics (EX8200 Virtual Chassis)

user@external-routing-engine> show virtual-chassis vc-port statistics member0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets vcp-4/0/4 43171238 / 48152 47687133 / 51891 vcp-4/0/7 0 / 0 0 / 0 member1: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets vcp-3/0/0 0 / 0 0 / 0 vcp-3/0/1 0 / 0 0 / 0 vcp-3/0/4 47695376 / 51899 43180556 / 48160


1531

®


member8: -------------------------------------------------------------------------member9: --------------------------------------------------------------------------

show virtual-chassis vc-port statistics brief

user@switch> show virtual-chassis vc-port statistics brief fpc0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets internal-0/24 0 / 0 0 / 0 internal-0/25 0 / 0 0 / 0 internal-1/26 0 / 0 0 / 0 internal-1/27 0 / 0 0 / 0 vcp-0 0 / 0 0 / 0 vcp-1 0 / 0 0 / 0 internal-0/26 0 / 0 0 / 0 internal-0/27 0 / 0 0 / 0 internal-1/24 0 / 0 0 / 0 internal-1/25 0 / 0 0 / 0 {master:0}

show virtual-chassis vc-port statistics extensive

user@switch> show virtual-chassis vc-port statistics extensive fpc0: --------------------------------------------------------------------------

Port: internal-0/24 Total octets: Total packets: Unicast packets: Broadcast packets: Multicast packets: MAC control frames: CRC alignment errors: Oversize packets: Undersize packets: Jabber packets: Fragments received: Ifout errors: Packet drop events: 64 octets frames: 65-127 octets frames: 128-255 octets frames: 256-511 octets frames: 512-1023 octets frames: 1024-1518 octets frames: Rate packets per second: Rate bytes per second:

RX

TX

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0

0 0 0 0 0

0 0

... Port: vcp-0 Total octets: Total packets: Unicast packets: Broadcast packets: Multicast packets:

1532



MAC control frames: CRC alignment errors: Oversize packets: Undersize packets: Jabber packets: Fragments received: Ifout errors: Packet drop events: 64 octets frames: 65-127 octets frames: 128-255 octets frames: 256-511 octets frames: 512-1023 octets frames: 1024-1518 octets frames: Rate packets per second: Rate bytes per second:

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0

Port: vcp-1 Total octets: Total packets: Unicast packets: Broadcast packets: Multicast packets: MAC control frames: CRC alignment errors: Oversize packets: Undersize packets: Jabber packets: Fragments received: Ifout errors: Packet drop events: 64 octets frames: 65-127 octets frames: 128-255 octets frames: 256-511 octets frames: 512-1023 octets frames: 1024-1518 octets frames: Rate packets per second: Rate bytes per second:

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0

0 0

0 0

... {master:0}

show virtual-chassis vc-port statistics member 0

user@switch>show virtual-chassis vc-port statistics member 0 fpc0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets internal-0/24 0 / 0 0 / 0 internal-0/25 0 / 0 0 / 0 internal-1/26 0 / 0 0 / 0 internal-1/27 0 / 0 0 / 0 vcp-0 0 / 0 0 / 0 vcp-1 0 / 0 0 / 0 internal-0/26 0 / 0 0 / 0 internal-0/27 0 / 0 0 / 0 internal-1/24 0 / 0 0 / 0 internal-1/25 0 / 0 0 / 0


1533

®


{master:0}

1534


PART 11

EX8200 Virtual Chassis •

EX8200 Virtual Chassis—Overview, Components, and Configurations on page 1537

•

EX8200 Virtual Chassis—Configuration Example on page 1557

•

Configuring EX8200 Virtual Chassis on page 1563

•

Verifying EX8200 Virtual Chassis Configuration on page 1577

•

Configuration Statements for EX8200 Virtual Chassis on page 1583

•

Operational Commands for EX8200 Virtual Chassis on page 1599


1535

®


1536


CHAPTER 44

EX8200 Virtual Chassis—Overview, Components, and Configurations •


•

Understanding EX8200 Virtual Chassis Components on page 1538

•

Understanding EX8200 Virtual Chassis Topologies on page 1541

•


•

Understanding Virtual Chassis Roles in an EX8200 Virtual Chassis on page 1546

•

Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis on page 1547

•

Understanding Virtual Chassis Port Link Aggregation in an EX8200 Virtual Chassis on page 1548

•


•

Understanding Global Management of an EX8200 Virtual Chassis on page 1549

•

Understanding File Storage in an EX8200 Virtual Chassis on page 1550

•

Understanding EX8200 Virtual Chassis Compatibility Requirements on page 1551

•

Understanding the Virtual Chassis Control Protocol in an EX8200 Virtual Chassis on page 1551

•

Understanding Software Upgrades in an EX8200 Virtual Chassis on page 1551

•


•

Network Port Interface Names on an EX8200 Virtual Chassis on page 1553

•

Understanding Long-Distance Virtual Chassis Port Configuration for an EX8200 Virtual Chassis on page 1554

•

Understanding Virtual Chassis Device Reachability Testing on page 1555


1537

®


EX8200 Virtual Chassis Overview An EX8200 Virtual Chassis is multiple Juniper Networks EX8200 Ethernet Switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop prevention protocols such as Spanning Tree Protocol (STP). The XRE200 Routing Engine is the device that connects all member switches into a single Virtual Chassis. An EX8200 Virtual Chassis is formed by connecting a Virtual Chassis port (VCP) on an XRE200 External Routing Engine to the management ports (labeled MGMT) on the internal Routing Engines of the EX8200 member switches. A member switch is any switch that is part of a Virtual Chassis. You can add a second XRE200 External Routing Engine to an EX8200 Virtual Chassis topology to provide external Routing Engine redundancy. See “Understanding EX8200 Virtual Chassis Topologies” on page 1541. Related Documentation

•


•


•


•

Understanding EX8200 Virtual Chassis Compatibility Requirements on page 1551

•

Understanding Virtual Chassis Roles in an EX8200 Virtual Chassis on page 1546

•


Understanding EX8200 Virtual Chassis Components An EX8200 Virtual Chassis allows you to interconnect up to eight Juniper Networks EX8200 Ethernet Switches and run them as a single network entity. You interconnect the EX8200 switches by connecting them to an XRE200 External Routing Engine. This topic covers:

1538

•

Virtual Chassis Ports (VCPs) on page 1539

•

Master External Routing Engine Role on page 1539

•

Backup External Routing Engine Role on page 1540

•

Linecard Role on page 1540

•

Member Switch and Member ID on page 1540

•

Virtual Chassis Identifier (VCID) on page 1541


Chapter 44: EX8200 Virtual Chassis—Overview, Components, and Configurations

Virtual Chassis Ports (VCPs) A Virtual Chassis port (VCP) in an EX8200 Virtual Chassis is any interface whose function is to send and receive Virtual Chassis Control Protocol (VCCP) traffic to create, monitor, and maintain the Virtual Chassis. VCPs are used for creating, monitoring, and maintaining the Virtual Chassis as well as carrying data traffic through the Virtual Chassis. All Gigabit Ethernet ports on the Virtual Chassis Control Interface (VCCI) modules on the XRE200 External Routine Engine are VCPs. Port 0 on the XRE200 External Routing Engine is also a VCP. You use VCPs to connect EX8200 switches to the external Routing Engine to form a Virtual Chassis and also to connect XRE200 External Routing Engines together to provide external Routing Engine redundancy within the Virtual Chassis. Any link connecting an XRE200 External Routing Engine to an EX8200 switch or to another XRE200 External Routing Engine, therefore, is automatically a VCP link. No user configuration is required to configure these VCP links. The small form-factor pluggable (SFP) ports on the 4-port 1000BASE-X SFP VCCI module are also VCPs. You can use these ports to directly connect XRE200 External Routing Engines together within an EX8200 Virtual Chassis with no user configuration. You can also use these SFP ports to connect an XRE200 External Routing Engine to an EX8200 switch within a Virtual Chassis when an intermediary switch is used to convert the SFP fiber-optic connection to a copper connection. This conversion is necessary because the management ports (labeled MGMT) on EX8200 switches do not support fiber-optic connections. See “Configuring a Long-Distance Virtual Chassis Port Connection for an EX8200 Virtual Chassis” on page 1568. VCP links are also needed in an EX8200 Virtual Chassis to send and receive VCCP traffic between two EX8200 switches. You must explicitly configure VCP links between two EX8200 switches; otherwise, the switches detect such links as network links.

Master External Routing Engine Role The function of each hardware device in a Virtual Chassis is determined by that device’s role. The master role in an EX8200 Virtual Chassis is assigned to an XRE200 External Routing Engine only. The XRE200 External Routing Engine in the master role: •

Controls most Routing Engine functions for all switches in the Virtual Chassis.

•

Manages the Virtual Chassis configuration.

•

Provides a single point where you can view all functionality for all devices in the Virtual Chassis.

•

Runs the Juniper Networks Junos operating system (Junos OS).

When a single XRE200 External Routing Engine is connecting an EX8200 Virtual Chassis and no backup external Routing Engine is configured, the single external Routing Engine is assigned the master role. When a backup external Routing Engine is part of the Virtual Chassis, the external Routing Engine with the most uptime functions as the master.


1539

®


Backup External Routing Engine Role The function of each hardware device in a Virtual Chassis is determined by that device’s role. The external Routing Engine that functions in the backup role: •

Maintains a state of readiness to take over the master role if the master fails.

•

Runs Junos OS.

•

Synchronizes with the master, so that it is prepared to preserve routing information and maintain network connectivity without disruption if the master external Routing Engine becomes unavailable.

You must have two external Routing Engines in an EX8200 Virtual Chassis configuration to have an external Routing Engine in the backup role. When a backup external Routing Engine is part of the Virtual Chassis, the external Routing Engine with the lesser amount of uptime functions as the backup external Routing Engine.

Linecard Role All EX8200 switches in an EX8200 Virtual Chassis are assigned the linecard role. Switches in the linecard role: •

Forward network traffic.

•

Do not run the chassis control protocols.

•

Can detect certain error conditions (such as an unplugged cable) on any interfaces that have been configured on them through the master.

Member Switch and Member ID An EX8200 Virtual Chassis contains member IDs 0 through 9. Member IDs 0 through 7 must be configured as EX8200 switches. Member IDs 8 and 9 must be configured as XRE200 External Routing Engines. An XRE200 External Routing Engine automatically assumes the next available member ID if a Virtual Chassis configuration has not been configured and committed. The external Routing Engine does not function properly until it is configured as member 8 or 9, however. Table 173 on page 1540 summarizes EX8200 Virtual Chassis roles and member IDs.

Table 173: EX8200 Virtual Chassis Roles and Member IDs Hardware

Role

Member IDs

EX8208 or EX8216 switch

Linecard

0–7

XRE200 External Routing Engine

Master or backup

8 or 9

1540



Virtual Chassis Identifier (VCID) All members of a Virtual Chassis configuration share one Virtual Chassis identifier (VCID). This identifier is derived from internal parameters. When you are monitoring a Virtual Chassis configuration, the VCID is displayed in the user interface. Related Documentation

•


•


•


Understanding EX8200 Virtual Chassis Topologies An EX8200 Virtual Chassis is composed of one or two XRE200 External Routing Engines interconnected with up to eight Juniper Networks EX8200 Ethernet Switches. This topic explains the topologies that you can use to connect these devices. The topic covers: •

Understanding the Full Mesh EX8200 Virtual Chassis Topology on page 1541

•

Understanding the Ring EX8200 Virtual Chassis Topology on page 1543

•

The Role of XRE200 External Routing Engine Redundancy in a Virtual Chassis Topology on page 1544

•

EX8200 Virtual Chassis Basic Topology on page 1544

Understanding the Full Mesh EX8200 Virtual Chassis Topology We recommend that you use a full mesh topology for all EX8200 Virtual Chassis whenever possible. In a full mesh topology, every possible Virtual Chassis port (VCP) connection within the Virtual Chassis is established. Both external Routing Engines have connections to all switches in addition to having connections to each other. The switches are connected together by a user-configured VCP link—preferably multiple VCP links, which will automatically form a VCP link aggregation group (LAG)—to provide another link for Virtual Chassis Control Protocol (VCCP) traffic within the Virtual Chassis. Each member switch has a VCP link to every other member switch. Figure 40 on page 1542 shows a full mesh EX8200 Virtual Chassis topology with four member switches.


1541

®


Figure 40: EX8200 Virtual Chassis Full Mesh Topology with Four EX8200 Member Switches Master XRE200 External Routing Engine

EX8200 member switch



g021238


Backup XRE200 External Routing Engine

Figure 41 on page 1543 shows a full mesh EX8200 Virtual Chassis topology with two member switches.

1542



Figure 41: EX8200 Virtual Chassis Full Mesh Topology with Two EX8200 Member Switches Backup External Routing Engine

XRE 20

XRE 20

0

EX8200 Member switch

0


g020973

Master External Routing Engine

A full mesh Virtual Chassis topology has several advantages over other topologies. Because there are multiple paths to all devices in the Virtual Chassis, a single link failure does not disable any path from one device to another. Because the multiple VCP links connect all devices together, the VCCP has more flexibility when sending traffic through the Virtual Chassis than it does in other topologies.

Understanding the Ring EX8200 Virtual Chassis Topology In a ring topology, each device in the EX8200 Virtual Chassis has at least one path to every other device in the Virtual Chassis. The paths are not necessarily direct and traffic might be required to travel across multiple hops to reach another device within the same Virtual Chassis. Figure 42 on page 1544 shows a ring EX8200 Virtual Chassis topology.


1543

®


Figure 42: EX8200 Virtual Chassis Ring Topology XRE 20

0

0

0

EX 820

0

g020977

EX 820

XRE 20

VCCP traffic often has to travel multiple hops to communicate with other devices in the Virtual Chassis. When a VCP link fails in a ring topology, additional hops are added for VCCP traffic in the Virtual Chassis ring topology. VCP link failures are problematic in a ring topology, as the shortage of VCP links in the topology increases the potential for a single link failure to cause the EX8200 member switches to split from the Virtual Chassis. An EX8200 Virtual Chassis full mesh topology is always recommended. Use the ring topology in cases where some of the VCP links in a full mesh topology have failed or when the equipment to configure a full mesh topology is unavailable.

The Role of XRE200 External Routing Engine Redundancy in a Virtual Chassis Topology A backup XRE200 External Routing Engine provides redundancy to a master XRE200 External Routing Engine. If a master external Routing Engine fails, the backup external Routing Engine takes control of the Virtual Chassis, allowing network traffic to continue to pass through the Virtual Chassis with minimal network disruption.

NOTE: A backup XRE200 External Routing Engine is recommended in all EX8200 Virtual Chassis configurations.

When a backup external Routing Engine is included in the EX8200 Virtual Chassis, one link must be used to connect the master external Routing Engine to the backup external Routing Engine. Both EX8200 switches must also have connections to the backup external Routing Engine.

EX8200 Virtual Chassis Basic Topology The most basic EX8200 Virtual Chassis topology has one XRE200 External Routing Engine connecting two EX8200 switches into a Virtual Chassis. Figure 43 on page 1545 shows a basic EX8200 Virtual Chassis topology.

1544



Figure 43: EX8200 Virtual Chassis Basic Topology XRE 20

0

EX 820

EX 820

0

g020976

0

In this topology, all VCCP traffic has to travel on one of the two links, which is problematic because the switches have to send traffic through the external Routing Engine to communicate with each other. There is no link redundancy in this topology. If either link fails, one of the switches is no longer participating in the Virtual Chassis. There is no redundant external Routing Engine in this topology. If the external Routing Engine fails, the Virtual Chassis is no longer active. An EX8200 Virtual Chassis full mesh topology is always recommended. Use the basic topology only when VCP links have failed or when the equipment to configure a full mesh topology is unavailable. Related Documentation

•


•


•


Understanding Virtual Chassis Member ID Numbering in an EX8200 Virtual Chassis An EX8200 Virtual Chassis contains member IDs 0 through 9. Member IDs 0 through 7 are reserved for Juniper Networks EX8200 Ethernet Switches, which always assume the linecard role in the EX8200 Virtual Chassis. Member IDs 8 and 9 are reserved for the XRE200 External Routing Engines, which assume either the master or backup role in the EX8200 Virtual Chassis. These member IDs must be configured before configuring an EX8200 Virtual Chassis. If an XRE200 is not configured


1545

®


as member ID 8 or 9 before connecting to a Virtual Chassis, it will not work until one of these member IDs is configured. The master and backup roles for XRE200 External Routing Engines are determined by external Routing Engine uptime; the external Routing Engine that has been up the longest is selected for the master role. The role has no correlation to member ID; a master or backup XRE200 External Routing Engine can be member ID 8 or 9. Table 174 on page 1546 summarizes EX8200 Virtual Chassis member IDs and roles.

Table 174: EX8200 Virtual Chassis Roles and Member IDs Hardware

Role

Member IDs

EX8208 or EX8216 switch

Linecard

0–7

XRE200 External Routing Engine

Master, Backup

8–9


•


•


•


Understanding Virtual Chassis Roles in an EX8200 Virtual Chassis The roles of Virtual Chassis members in an EX8200 Virtual Chassis are defined by uptime and hardware type. The XRE200 External Routing Engine with the most uptime assumes the master role; the external Routing Engine with less uptime assumes the backup role. EX8200 member switches are always in the linecard role. Table 175 on page 1546 provides a summary of the EX8200 Virtual Chassis roles.

Table 175: EX8200 Virtual Chassis Roles Role

Description

Master

The master XRE200 External Routing Engine. The master XRE200 External Routing Engine is responsible for maintaining an active EX8200 Virtual Chassis.

Backup

The backup XRE200 External Routing Engine. The backup external Routing Engine takes control of the Virtual Chassis when the master external Routing Engine fails.

Linecard

EX8208 or EX8216 switch. All EX8200 member switches in the Virtual Chassis are in the linecard role.


1546

•




•


Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis A Virtual Chassis port (VCP) in an EX8200 Virtual Chassis is any port whose function is to send and receive Virtual Chassis Control Protocol (VCCP) traffic to create, monitor, and maintain the Virtual Chassis. VCPs are responsible for creating, monitoring, and maintaining the Virtual Chassis as well as carrying data traffic through the Virtual Chassis. All Gigabit Ethernet ports on the 10/100/100BASE-T RJ-45 Virtual Chassis Control Interface (VCCI) modules and all small form-factor pluggable (SFP) ports on the 1000BASE-X SFP VCCI modules on the XRE200 External Routine Engine are VCPs. Port 0 on the XRE200 External Routing Engine is also a VCP. You can use VCPs to connect Juniper Networks EX8200 Ethernet Switches to the external Routing Engine to form a Virtual Chassis and also to connect XRE200 External Routing Engines together to provide external Routing Engine redundancy within the Virtual Chassis. Any link connecting an XRE200 External Routing Engine to an EX8200 switch or to another XRE200 External Routing Engine, therefore, is automatically a VCP link. No user configuration is required to configure these VCP links.

NOTE: To connect a 1000BASE-X SFP interface on the XRE200 External Routing Engine to an EX8200 switch, you must use an intermediary switch. The intermediary switch is required because the management interface (labeled MGMT) on the Routing Engine (RE) module or the Switch Fabric and Routing Engine (SRE) module in the EX8200 switch does not support SFP connections. See “Understanding Long-Distance Virtual Chassis Port Configuration for an EX8200 Virtual Chassis” on page 1554.

VCP links are also needed in an EX8200 Virtual Chassis to send and receive VCCP traffic between two EX8200 member switches. You must explicitly configure VCP links between two EX8200 switches; otherwise, the switches detect the link as a network link. For information regarding which ports on an EX8200 switch can be configured as VCPs, see Line Card Model and Version Compatibility in an EX8200 Switch. Multiple VCP links can be configured between two EX8200 member switches; these links will automatically form a link aggregation group (LAG). See “Understanding Virtual Chassis Port Link Aggregation in an EX8200 Virtual Chassis” on page 1548. Figure 44 on page 1548 shows a two member Virtual Chassis configured in a full mesh topology and highlights which VCP links must be user-configured.


1547

®


Figure 44: EX8200 Virtual Chassis Ports Master External Routing Engine

Backup External Routing Engine

XRE 20 0

XRE 20

0

User-configured VCP Link


Automatic VCP links


g020974


•


•

Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure) on page 1567

Understanding Virtual Chassis Port Link Aggregation in an EX8200 Virtual Chassis In an EX8200 Virtual Chassis, physical 10–GigabitEthernet ports that are configured as Virtual Chassis port (VCP) links that connect member switches together automatically form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one link fails, the system automatically load-balances traffic across all remaining links. VCP links between member switches in the Virtual Chassis are automatically connected into a single LAG; no user configuration is required to configure the LAG. You can configure up to 12 Ethernet ports as VCPs to form a LAG between two member switches in a Virtual Chassis. The 12 Ethernet links as VCP LAG restriction is between member switches. Each member switch in an EX8200 Virtual Chassis can have a VCP LAG to every other member switch in the Virtual Chassis. For instance, in a Virtual Chassis with four member switches, the switch configured as member Id 0 can have one VCP LAG to the switch configured as member id 1, another VCP LAG to the switch configured as member id 2, and another

1548



VCP LAG to the switch configured as member id 3. Each VCP LAG must have no more then 12 links. Only one VCP LAG is permitted between the same member switches in the Virtual Chassis. LAGs are also useful for connecting the network ports of directly-connected devices into an EX8200 Virtual Chassis. See “Understanding Link Aggregation into an EX8200 Virtual Chassis” on page 1549. Related Documentation

•


•


Understanding Link Aggregation into an EX8200 Virtual Chassis An EX8200 Virtual Chassis is typically used to aggregate standalone EX8200 switches at the distribution layer into a Virtual Chassis. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop prevention protocols such as Spanning Tree Protocol (STP). You can extend the benefits of a network using an EX8200 Virtual Chassis at the distribution layer by configuring the network connections of the devices connecting to the EX8200 Virtual Chassis as link aggregation group (LAG) bundles. A LAG balances traffic across the member links within an aggregated Ethernet bundle and effectively increases the uplink bandwidth of network traffic into the Virtual Chassis. An EX8200 Virtual Chassis can support up to 239 LAGs and up to 12 interfaces per LAG. Member links of a single LAG can span between multiple switches that are part of the same EX8200 Virtual Chassis. Configuring LAGs into the Virtual Chassis minimizes the need for spanning-tree protocols by bundling multiple interfaces into a single interface. Another advantage of link aggregation is increased link availability compared to that of links not configured in LAGs. Because the LAG is composed of multiple member links, the LAG continues to carry traffic over the remaining links when a link fails. Link aggregation is also useful for combining Virtual Chassis Ports (VCPs) within an EX8200 Virtual Chassis. See “Understanding Virtual Chassis Port Link Aggregation in an EX8200 Virtual Chassis” on page 1548. Related Documentation

•


Understanding Global Management of an EX8200 Virtual Chassis An EX8200 Virtual Chassis is composed of up to eight EX8200 switches and up to two XRE200 External Routing Engines, so it has up to 10 console (CON) ports and accessible out-of-band management (MGMT) ports. The XRE200 External Routing Engines MGMT ports are accessible through the network; the EX8200 switch management ports are connected to the external Routing Engines.


1549

®


You can configure an EX8200 Virtual Chassis by logging in to the out-of-band management (MGMT) port or to the console (CON) port of the master external Routing Engine. If you log in to the backup external Routing Engine or in to a member switch and then want to configure the EX8200 Virtual Chassis, either cancel your session and log in to the master external Routing Engine or issue the request session member command to redirect your session to the master external Routing Engine. Related Documentation

•


•

Connecting an EX Series Switch to a Network for Out-of-Band Management

Understanding File Storage in an EX8200 Virtual Chassis An XRE200 External Routing Engine is shipped with two 160 GB Hard Disk Drive (HDD) modules. The HDD modules are fully redundant file storage units; all content that is stored on one HDD module is stored on the other HDD module. This redundancy helps ensure that no files are lost if a single HDD module is unusable for any reason. In an EX8200 Virtual Chassis, the master external Routing Engine is responsible for most Routing Engine functions for all switches in the Virtual Chassis. This responsibility extends to file storage; the external Routing Engine stores many of the files related to the Virtual Chassis, including: •

Software packages—You can use the XRE200 External Routing Engine software package to upgrade all devices in the Virtual Chassis simultaneously. You can store these packages on the external Routing Engine for the entire Virtual Chassis.

•

Log files—All log files related to all devices in the EX8200 Virtual Chassis are stored on the XRE200 External Routing Engines. The EX8200 member switches continue to store logs related to their local functions.

•

Configuration files—The XRE200 External Routing Engine has its own configuration file. This configuration file configures the Virtual Chassis itself and configures the network parameters for all network traffic entering and leaving the Virtual Chassis.

The XRE200 External Routing Engine uses RAID storage technology to manage file storage between the HDD modules. The RAID file storage management is handled automatically and is not user-configurable. If you suspect a memory problem with your external Routing Engine, you can run an HDD memory and diagnostics monitoring test. The test results provide information on the health of RAID and the HDD modules. See “Verifying Hard Disk Memory Status on an XRE200 External Routing Engine” on page 1579. Related Documentation

1550

•


•




Understanding EX8200 Virtual Chassis Compatibility Requirements For Juniper Networks EX8200 Ethernet Switches to be interconnected into a Virtual Chassis, the switches and the XRE200 External Routing Engines must be running the same software versions. The master external Routing Engine checks the hardware version, the Juniper Networks Junos operating system (Junos OS) version, and other component versions running in a switch that is physically interconnected to its Virtual Chassis port (VCP). A switch that is running a different version of software will not be allowed to join the Virtual Chassis configuration. After an EX8200 Virtual Chassis is connected, software upgrades for all switches and external Routing Engines in the Virtual Chassis can be performed simultaneously. This process ensures all devices are running the same version of Junos OS. See “Understanding Software Upgrades in an EX8200 Virtual Chassis” on page 1551. Different models in the EX8200 line of switches can be members of the same Virtual Chassis; for instance, an XRE200 External Routing Engine can be used to connect a Virtual Chassis composed of one EX8208 switch and one EX8216 switch. Related Documentation

•


•


Understanding the Virtual Chassis Control Protocol in an EX8200 Virtual Chassis An EX8200 Virtual Chassis uses the Virtual Chassis Control Protocol (VCCP) to create and maintain a Virtual Chassis. VCCP is enabled automatically when an EX8200 Virtual Chassis is formed. No user configuration is needed or available. VCCP is based on the IS-IS protocol. You can monitor VCCP packet activity by using the show virtual-chassis protocol commands. Related Documentation

•


Understanding Software Upgrades in an EX8200 Virtual Chassis In an EX8200 Virtual Chassis, both XRE200 External Routing Engines and the master Routing Engines of the member switches must be running the same version of Juniper Networks Junos OS Software. You must upgrade all switches and external Routing Engine to the same version of Junos OS before connecting the Virtual Chassis for the first time. After the Virtual Chassis is connected, you can upgrade the software for all switches and external Routing Engines in the EX8200 Virtual Chassis through the use of the XRE200 External Routing Engine software package. You identify this software package on the software download site by confirming that “xre200” is listed in the filename as the package-name, for instance, jinstall-ex-xre200-10.4R1.6-domestic-signed.tgz. This software package contains the Junos OS image for the external Routing Engines as well as the


1551

®


software packages for the EX8200 switches. The software packages in the EX8200 Virtual Chassis software package are identical to the software packages for the stand-alone Juniper Networks EX8200 Ethernet Switches; the switches are running the same software regardless of whether they were upgraded with or without the XRE200 External Routing Engine software package. Related Documentation

•

Installing Software for All Devices in an EX8200 Virtual Chassis on page 1571

•

Installing Software for a Single Device in an EX8200 Virtual Chassis on page 1573

•


Virtual Chassis Port (VCP) Interface Names in an EX8200 Virtual Chassis A Virtual Chassis port (VCP) in an EX8200 Virtual Chassis is any port whose function is to send and receive Virtual Chassis Control Protocol (VCCP) traffic to create, monitor, and maintain the Virtual Chassis. An EX8200 Virtual Chassis has four types of interfaces that can form a VCP link. This topic describes the naming conventions for these interface types: •

Virtual Chassis Control Interface (VCCI) Module VCP Name on the XRE200 External Routing Engine on page 1552

•

Native VCP Name on the XRE200 External Routing Engine on page 1552

•

EX8200 Switch to XRE200 External Routing Engine VCP Name on page 1553

•

EX8200 Switch to EX8200 Switch VCP Name on page 1553

Virtual Chassis Control Interface (VCCI) Module VCP Name on the XRE200 External Routing Engine The interface names for the Gigabit Ethernet or small form-factor pluggable (SFP) VCPs on the VCCI modules in the XRE200 External Routing Engine follow this format: vcp-slot-number/port-number where: •

slot-number—Slot on the XRE200 External Routing Engine where the VCCI module is installed. VCCI modules can be installed in slot 1 and slot 2 on the external Routing Engine.

•

port-number—Port number on the VCCI module. Each VCCI module has four ports numbered 0 through 3.

Native VCP Name on the XRE200 External Routing Engine The native VCP on the XRE200 External Routing Engine—the port located next to the management (MGMT) port labeled 0—is always named vcp-0/0.

1552



EX8200 Switch to XRE200 External Routing Engine VCP Name An XRE200 External Routing Engine forms a VCP when it connects to the management (MGMT) port on the Routing Engine (RE) module or the Switch Fabric and Routing Engine (SRE) module in an EX8200 switch. The naming for the management port on the EX8200 switch when used as a VCP follows this format: vcp-pic/slot where: •

pic is the PIC number, which is always 0 for an EX8200 switch.

•

slot is the number of the slot containing the RE module or the SRE module.

An EX8200 switch VCP name is always vcp-0/0 or vcp-0/1.

EX8200 Switch to EX8200 Switch VCP Name The names for the Gigabit Ethernet ports configured as VCP links on the EX8200 member switches follow this format: vcp-fpc/pic/port where: •

fpc is the slot number of the line card that contains the physical interface.

•

pic is the PIC number, which is always 0 for an EX8200 switch.

•

port is the network port number.

vcp-fpc/pic/port names apply to the device that the switch is connected to, not to the switch itself. Therefore, a VCP link is named according to the connected interface. For instance, if an external Routing Engine connects to interface 4/0/3 on an EX8200 switch, that VCP link is detected as vcp-4/0/3 by the external Routing Engine. Related Documentation

•


•


Network Port Interface Names on an EX8200 Virtual Chassis Network interfaces in Junos OS are specified as follows: type-fpc / pic / port This topic discusses network-port naming conventions for the network-facing interfaces on EX8200 member switches in an EX8200 Virtual Chassis. For information on interface


1553

®


naming conventions for Virtual Chassis Ports (VCPs) in an EX8200 Virtual Chassis, see “Virtual Chassis Port (VCP) Interface Names in an EX8200 Virtual Chassis” on page 1552. An EX8200 Virtual Chassis network interface name uses these conventions: •

•

type—EX8200 member switch interfaces use the following media types: •

ge—Gigabit Ethernet interface

•

xe—10–Gigabit Ethernet interface

fpc—Flexible PIC Concentrator. In an EX8200 Virtual Chassis, the FPC number indicates the slot number of the line card within the Virtual Chassis. The FPC number on member 0 is always 0 through 15. The FPC number on member 1 is always 16 through 31. The EX8200 Virtual Chassis reserves 16 FPC slot numbers for each member switch, regardless of whether the member switch is an EX8208 or an EX8216 switch. For EX8208 switches, therefore, FPC numbers 8 through 15 and 24 through 31 are not used.


•

pic— PIC (Physical Interface Card) number in interface names. On EX8200 member switches in an EX8200 Virtual Chassis, the PIC number is always 0.

•

port—Port number. On EX8200 switches, the network ports are numbered from left to right on each line card. On line cards that have two rows of ports, the ports on the top row start with 0 followed by the remaining even-numbered ports, and the ports on the bottom row start with 1 followed by the remaining odd-numbered ports.

•


Understanding Long-Distance Virtual Chassis Port Configuration for an EX8200 Virtual Chassis An EX8200 Virtual Chassis is formed when XRE200 External Routing Engines and EX8200 switches are interconnected to form a Virtual Chassis. The maximum length supported to connect an XRE200 External Routing Engine to another XRE200 External Routing Engine is 43.5 miles (70 kilometers). You must use the 4-port 1000BASE-X small form-factor pluggable (SFP) module on each XRE200 External Routing Engine to establish this VCP connection over any distance greater than 328 feet (100 meters). See Virtual Chassis Control Interface (VCCI) Modules in an XRE200 External Routing Engine. An XRE200 External Routing Engine can connect to an EX8200 switch over a distance up to 43.5 miles using an SFP connection only if an intermediary switch that supports SFPs is used to convert the SFP optical connection into a fiber connection. This conversion is necessary because the management interface (labeled MGMT) on the Routing Engine (RE) or Switch Fabric and Routing Engine (SRE) in the EX8200 switch does not support SFP connections. See “Configuring a Long-Distance Virtual Chassis Port Connection for an EX8200 Virtual Chassis” on page 1568. An EX Series switch used an intermediary switch for this purpose must be dedicated to this task. VLANs must be created on the intermediary switch to properly direct VCCP

1554



traffic between the XRE200 External Routing Engines and the EX8200 switches. This switch cannot receive or transmit any other traffic. Any EX Series switch can be used for this purpose.

NOTE: The most affordable EX Series switch is an EX2200 switch with 24 total ports and no Power over Ethernet (PoE) ports (model number EX2200-24T-4G). If you need to purchase a new switch to extend a VCP for an EX8200 Virtual Chassis, we recommend purchasing this switch with an SFP uplink module and an SFP cable whose length is appropriate for your environment. The EX2200 switch supports uplink modules with SFP connections that span up to 43.5 miles (70 km).


•

Configuring a Long-Distance Virtual Chassis Port Connection for an EX8200 Virtual Chassis on page 1568

Understanding Virtual Chassis Device Reachability Testing You can use a Virtual Chassis device reachability test to verify that the connections that connect the Virtual Chassis member devices together are functioning properly. You typically use a device reachability test to verify host reachability and connectivity within a Virtual Chassis. A Virtual Chassis device reachability test sends ping packets from one member of a Virtual Chassis to another member of a Virtual Chassis directly through the Virtual Chassis connections. The receiving Virtual Chassis member sends reply packets to confirm receipt of the ping packets from the sending device. The results of the test provide information that is helpful in verifying connectivity between Virtual Chassis member devices. Related Documentation

•

Verifying Connectivity Between Virtual Chassis Member Devices on page 1579


1555

®


1556


CHAPTER 45

EX8200 Virtual Chassis—Configuration Example •


Example: Setting Up a Full Mesh EX8200 Virtual Chassis with Two EX8200 Switches and Redundant XRE200 External Routing Engines An EX8200 Virtual Chassis connects up to eight EX8200 switches into a single network entity. The Virtual Chassis is formed by connecting the switches to an XRE200 External Routing Engine. This example describes how to connect two EX8200 switches and two XRE200 External Routing Engines into a Virtual Chassis: •


•


•

Setting the EX8200 Switches as Virtual Chassis Members on page 1559

•

Preprovisioning the Virtual Chassis on page 1560

•

Configuring a VCP Link from Member Switch 0 to Member Switch 1 on page 1561

•

Configuring a VCP Link from Member Switch 1 to Member Switch 0 on page 1561

•



Two XRE200 External Routing Engines

•

One EX8208 switch

•

One EX8216 switch

Before you begin: Ensure that the external Routing Engines and the member switches are running the same version of Junos OS Release 10.4 or later. See “Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure)” on page 124, “Installing Software on an EX


1557

®


Series Switch with Redundant Routing Engines (CLI Procedure)” on page 126, or “Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure)” on page 1697 to upgrade software on EX8200 switches.

Overview and Topology An EX8200 Virtual Chassis connects up to four EX8200 switches into a single virtual device, thereby simplifying network management, configuration, and troubleshooting. In this example, two EX8200 switches are connected to an XRE200 External Routing Engine to form an EX8200 Virtual Chassis. A backup XRE200 External Routing Engine is also part of the topology and has connections to the master external Routing Engine and both member switches. A Virtual Chassis port (VCP) link is also configured to connect the switches, thereby forming a full mesh topology that utilizes all possible VCP links within the Virtual Chassis topology. This example shows an EX8200 Virtual Chassis composed of four devices: a master XRE200 External Routing Engine, a backup XRE200 External Routing engine, an EX8208 member switch, and an EX8216 member switch. Table 176 on page 1558 explains the components of the example EX8200 Virtual Chassis topology.

Table 176: Components of the EX8200 Virtual Chassis Topology Property

Settings

Hardware

•

Two XRE200 External Routing Engines

•

Member EX8208 switch

•

Member EX8216 switch

•

Master external Routing Engine

Member IDs and Roles

•

Member ID: 8

•

Role: routing-engine

NOTE: The master external Routing Engine earned the mastership role by having the longest uptime. This example assumes this external Routing Engine was up before the backup external Routing Engine. •

•

•

1558

Backup external Routing Engine •

Member ID: 9

•

Role: routing-engine

Member EX8208 switch •

Member ID: 0

•

Role: line-card

Member EX8216 switch •

Member ID: 1

•

Role: line-card


Chapter 45: EX8200 Virtual Chassis—Configuration Example

Table 176: Components of the EX8200 Virtual Chassis Topology (continued) Property

Settings

Interfaces

The master XRE200 External Routing Engine interfaces: •

vcp-1/0—Connects to vcp-1/0 on the backup external Routing Engine

(member 9). •

vcp-1/1—Connects to vcp-0/0 (the MGMT port on the module in slot RE0)

on the EX8208 member switch (member 0). •


on the EX8216 member switch (member 1). The backup XRE200 External Routing Engine interfaces: •

vcp-1/0—Connects to vcp-1/0 on the master external Routing Engine

(member 8). •


on the EX8208 member switch (member 0). •


on the EX8216 member switch (member 1). The EX8208 member switch interfaces: •

vcp-0/0(the MGMT port on the module in slot RE0)—Connects to vcp-1/1

on the master external Routing Engine (member 8). •

vcp-0/1 (the MGMT port on the module in slot RE1)—Connects to vcp-1/1

on the backup external Routing Engine (member 9). •

xe-3/0/2—Connects to xe-4/0/2 on the EX8216 member switch (member

1). The EX8216 member switch interfaces: •


on the master external Routing Engine (member 8). •


on the backup external Routing Engine (member 9). •

xe-4/0/2—Connects to xe-3/0/2 on the EX8208 member switch (member

0).

This example assumes that all devices in the Virtual Chassis are running the same version of Junos OS Release 10.4 or later. If you need to upgrade a device in the Virtual Chassis configuration to meet this requirement, perform that upgrade before performing this procedure.

Setting the EX8200 Switches as Virtual Chassis Members Step-by-Step Procedure

To configure the EX8200 switches as Virtual Chassis members: On the EX8208 switch: user@switch> set chassis virtual-chassis

On the EX8216 switch: user@switch> set chassis virtual-chassis


1559

®


Preprovisioning the Virtual Chassis CLI Quick Configuration

To quickly preprovision the Virtual Chassis, log in to the master external Routing Engine and enter the following commands: [edit] set virtual-chassis preprovisioned set virtual-chassis member 0 serial-number ghi789 role line-card set virtual-chassis member 1 serial-number jkl112 role line-card set virtual-chassis member 8 serial-number abc123 role routing-engine set virtual-chassis member 9 serial-number def456 role routing-engine


To preprovision the EX8200 Virtual Chassis: 1.

Log in to the master external Routing Engine and specify the use of a preprovisioned configuration:

NOTE: You must use a preprovisioned configuration to configure an EX8200 Virtual Chassis. Nonprovisioned configuration is not supported.

[edit virtual-chassis] user@external-routing-engine# set preprovisioned 2.

Specify all members that you want to include in the Virtual Chassis configuration, listing each switch’s or external Routing Engine’s serial number with its desired member ID and role: [edit virtual-chassis] user@external-routing-engine# set member 0 serial-number ghi789 role line-card user@external-routing-engine# set member 1 serial-number jkl112 role line-card user@external-routing-engine# set member 8 serial-number abc123 role routing-engine user@external-routing-engine# set member 9 serial-number def456 role routing-engine

Check the results of the configuration: [edit virtual-chassis] user@external-routing-engine# show preprovisioned; member 0 { role line-card; serial-number ghi789; } member 1 { role line-card; serial-number jkl112; } member 8 { role routing-engine; serial-number abc123; } member 9 {

1560


Chapter 45: EX8200 Virtual Chassis—Configuration Example

role routing-engine; serial-number def456; }

Configuring a VCP Link from Member Switch 0 to Member Switch 1 Step-by-Step Procedure

To configure the VCP link between the member switches, log in to the EX8208 member switch (member ID 0) and enter

NOTE: For information on which ports on EX8200 line cards can be configured as VCPs, see Line Card Model and Version Compatibility in an EX8200 Switch.

user@external-routing-engine> request virtual-chassis vc-port set fpc-slot 4 pic-slot 0 port 2 member 1

Configuring a VCP Link from Member Switch 1 to Member Switch 0 Step-by-Step Procedure

To configure the VCP link between the member switches, log in to the EX8216 member switch (member ID 1) and enter:


user@switch> request virtual-chassis vc-port set fpc-slot 3 pic-slot 0 port 2 member 0

Verification To verify that the Virtual Chassis is operational, perform this task: •

Verifying That the Virtual Chassis Is Operational on page 1561

Verifying That the Virtual Chassis Is Operational Purpose

Action

Verify that the Virtual Chassis is operational and that all VCP links in the Virtual Chassis are functioning properly. Enter the show virtual-chassis status command: user@external-routing-engine> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: c806.0842.de51 Mastership List Member ID 0 (FPC 0-15)

Status Prsnt

Serial No ghi789

Model ex8208

priority 0

Neighbor Role ID Interface Linecard 8 vcp-0/0 9 1


vcp-0/1

vcp-3/0/2

1561

®


1 (FPC 16-31)

Prsnt

jkl112

ex8216

0

Linecard

0 8 (FPC 128-143) Prsnt

9 (FPC 144-159) Prsnt

Meaning


1562

abc123

def456

ex-xre

ex-xre

129

129

Master*

Backup

8

vcp-0/0

9

vcp-0/1

vcp-4/0/2 9 vcp-1/0 0

vcp-1/1

1 8

vcp-1/2 vcp-1/0

0

vcp-1/1

1

vcp-1/2

This output verifies that a Virtual Chassis composed of one EX8208 switch (member 0), one EX8216 switch (member 1), and master and backup XRE200 External Routing Engines (members 8 and 9) is operational. The display shows the VCP connections and confirms that each member has a connection to all three other members to form a full-mesh EX8200 Virtual Chassis.

•


•



CHAPTER 46

Configuring EX8200 Virtual Chassis •


•


•


•

Configuring a Long-Distance Virtual Chassis Port Connection for an EX8200 Virtual Chassis on page 1568

•

Installing Software for All Devices in an EX8200 Virtual Chassis on page 1571

•


•

Performing a Software Recovery Installation for an XRE200 External Routing Engine on page 1574

Configuring an EX8200 Virtual Chassis (CLI Procedure) You can configure an EX8200 Virtual Chassis to include up to eight EX8200 switches and one or two XRE200 External Routing Engines. You interconnect the member switches by connecting them to the external Routing Engines, whose ports automatically function as Virtual Chassis ports (VCPs). A VCP is any port whose function is to send and receive Virtual Chassis Control Protocol (VCCP) traffic to create, monitor, and maintain the Virtual Chassis. VCPs also carry data traffic through the Virtual Chassis. If you want to add paths for VCCP traffic within an EX8200 Virtual Chassis, you can also configure VCP links between member switches. See “Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure)” on page 1567. To configure an EX8200 Virtual Chassis: 1.

Log into each EX8200 member switch and revert the switch to the factory default configuration: user@switch# load factory-default

See “Reverting to the Default Factory Configuration for the EX Series Switch” on page 537 for additional information on this process. 2. Configure a password for the EX8200 switch. See “Connecting and Configuring an

EX Series Switch (CLI Procedure)” on page 257.


1563

®


BEST PRACTICE: You should always access the EX8200 Virtual Chassis through the master XRE200 External Routing Engine. However, configuring the password ensures that you can access the EX8200 member switch for purposes such as local monitoring or debugging.

3. Set each EX8200 switch as a Virtual Chassis member: user@switch> set chassis virtual-chassis

Follow the CLI prompts. You must reboot the switch to complete this procedure. 4. Upgrade the software on all switches and external Routing Engines in the Virtual

Chassis to the same Junos OS release. All switches and external Routing Engines must be running the same version of Junos OS before being connected into a Virtual Chassis. See “Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure)” on page 124, “Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure)” on page 126, or “Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure)” on page 1697. 5. Make a list of the serial numbers of all switches and external Routing Engines to be

connected in the Virtual Chassis configuration. See Locating the Serial Number on an EX8200 Switch or Component and Locating the Serial Number on an XRE200 External Routing Engine or Component. 6. If both external Routing Engines are already powered on, skip this step.

Power on one of the external Routing Engines. The external Routing Engine with the most uptime is assigned the master role, so the external Routing Engine that is powered on in this step is the master external Routing Engine. 7. Log in to the master external Routing Engine and specify the preprovisioned

configuration mode. If the external Routing Engine mastership has not been determined, log in to the external Routing Engine that has been powered on the longest.

NOTE: You must use a preprovisioned configuration to configure an EX8200 Virtual Chassis. Nonprovisioned configuration is not supported.

[edit virtual-chassis] user@external-routing-engine# set preprovisioned 8. Specify all members for the Virtual Chassis, listing each switch’s or external Routing

Engine’s serial number, member ID, and role: [edit virtual-chassis] user@external-routing-engine# set member member-id serial-number serial-number role role

For example: [edit virtual-chassis] user@external-routing-engine# user@external-routing-engine# user@external-routing-engine# user@external-routing-engine# user@external-routing-engine#

1564

set member 0 serial-number abc123 role line-card set member 1 serial-number def456 role line-card set member 2 serial-number ghi789 role line-card set member 3 serial-number jkl101 role line-card set member 8 serial-number yza567 role routing-engine


Chapter 46: Configuring EX8200 Virtual Chassis

user@external-routing-engine# set member 9 serial-number bcd890 role routing-engine

NOTE: An EX8200 Virtual Chassis does not function properly when an external Routing Engine is configured to use a member ID other than 8 or 9. When the EX8200 Virtual Chassis configuration is not preprovisioned, the external Routing Engine assumes a member ID that is not 8 or 9. The EX8200 Virtual Chassis cannot be formed until this member ID configuration is changed using this procedure.

9. Interconnect the member switches and external Routing Engines. See Connecting an

EX8200 Switch to an XRE200 External Routing Engine, Interconnecting XRE200 External Routing Engines, and “Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure)” on page 1567. 10. Commit the configuration: [edit] user@external-routing-engine# commit synchronize 11. Power on the backup external Routing Engine if it is not already powered on.


•


•


•

Verifying the Member ID, Role, and Neighbor Member Connections of an EX8200 Virtual Chassis Member on page 1577

Adding or Replacing a Member Switch or an External Routing Engine in an EX8200 Virtual Chassis (CLI Procedure) You can configure an EX8200 Virtual Chassis to include up to eight EX8200 switches and one or two XRE200 External Routing Engines. You can add or replace a member switch or an external Routing Engine if one needs to be replaced for any reason. To add or replace a member switch or external Routing Engine in an EX8200 Virtual Chassis: 1.

If you are replacing an existing switch or external Routing Engine, power off the device. See Powering Off an EX8200 Switch or Powering Off an XRE200 External Routing Engine.

2. Uncable the device that you will remove from the Virtual Chassis. 3. Power on the new switch or external Routing Engine. See Powering On an EX8200

Switch or Powering On an XRE200 External Routing Engine. 4. Note and record the serial number of the new switch or external Routing Engine. See

Locating the Serial Number on an EX8200 Switch or Component and Locating the Serial Number on an XRE200 External Routing Engine or Component.


1565

®


5. Upgrade the software on the new switch or external Routing Engine to the Junos OS

release currently running in the Virtual Chassis, unless the switch or external Routing Engine is already running that release. See “Installing Software on an EX Series Switch with a Single Routing Engine (CLI Procedure)” on page 124, “Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure)” on page 126, or “Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure)” on page 1697.

NOTE: If you are adding an EX8200 switch to the Virtual Chassis, reboot the switch to complete the software upgrade after completing step 6. If you are adding an XRE200 External Routing Engine to the Virtual Chassis, reboot the device to complete the software upgrade.

6. (EX8200 switch only) Set the EX8200 switch as a Virtual Chassis member: user@switch> set chassis virtual-chassis

Follow the CLI prompts. You must reboot the switch to complete this step of the procedure. 7. Log in to the master external Routing Engine on the Virtual Chassis. 8. Delete the device that you uncabled from the Virtual Chassis configuration: [edit virtual-chassis] user@external-routing-engine# delete member member-id serial-number serial-number role role

For example: •

To delete a switch from the Virtual Chassis configuration: [edit virtual-chassis] user@external-routing-engine# delete member 1 serial-number abc123 role line-card

•

To delete an external Routing Engine from the Virtual Chassis configuration: [edit virtual-chassis] user@external-routing-engine# delete member 8 serial-number yza567 role routing-engine

9. Add the new device to the Virtual Chassis configuration: [edit virtual-chassis] user@external-routing-engine# set member member-id serial-number serial-number role role

For example: •

To add a switch to the Virtual Chassis configuration: [edit virtual-chassis] user@external-routing-engine# set member 1 serial-number lmn910 role line-card

•

To add an external Routing Engine to the Virtual Chassis configuration: [edit virtual-chassis] user@external-routing-engine# set member 8 serial-number opq112 role routing-engine

10. Commit the configuration: [edit]

1566



user@external-routing-engine# commit synchronize 11. Connect the new device to the EX8200 Virtual Chassis. See Connecting an EX8200

Switch to an XRE200 External Routing Engine. Related Documentation

•


•


Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure) You can connect member switches together in an EX8200 Virtual Chassis by configuring 10-Gigabit Ethernet ports as Virtual Chassis ports (VCPs). Member switch to member switch VCPs provide additional paths within the Virtual Chassis for Virtual Chassis Control Protocol (VCCP) traffic to monitor, maintain, or carry data traffic through the Virtual Chassis. See “Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis” on page 1547


All connections between EX8200 member switches and XRE200 External Routing Engines are automatically configured as dedicated VCP links, so you do not need to perform this procedure on those connections. See “Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis” on page 1547. VCP links between EX8200 member switches automatically form a link aggregation group (LAG). Up to 12 VCP links can be part of a LAG of VCP links between EX8200 member switches. No user configuration is required to create this LAG. See “Understanding Virtual Chassis Port Link Aggregation in an EX8200 Virtual Chassis” on page 1548. You must use this procedure to configure VCPs between member switches in an EX8200 Virtual Chassis. To configure a VCP link between two EX8200 switches: user@switch> request virtual-chassis vc-port set fpc-slot fpc-slot pic-slot pic-slot port port-number member member-id

When you use this command to create the VCP link, a paired 10-Gigabit Ethernet interface is also automatically configured as a VCP. For instance, when you enter request virtual-chassis vc-port set fpc-slot 5 pic-slot 0 port 0 to configure interface xe-5/0/0 as a VCP, interface xe-5/0/1 is also configured as a VCP and automatically becomes part of the LAG. To unconfigure a VCP link between two EX8200 switches and make it a Gigabit Ethernet network link: user@switch> request virtual-chassis vc-port delete fpc-slot fpc-slot pic-slot pic-slot port port-number member member-id


1567

®



•


•


•


Configuring a Long-Distance Virtual Chassis Port Connection for an EX8200 Virtual Chassis This procedure describes how to connect XRE200 External Routing Engine to EX8200 switch connections over long distances in an EX8200 Virtual Chassis only. You can connect XRE200 External Routing Engines together over distances up to 43.5 miles (70 km) within an EX8200 Virtual Chassis using the 1000BASE-X SFP Virtual Chassis Control Interface (VCCI) module ports. No software configuration is needed to make these connections. You can connect EX8200 switches together over longer distances within an EX8200 Virtual Chassis by configuring a 10-Gigabit Ethernet port as a Virtual Chassis port (VCP). See “Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure)” on page 1567. You can connect an XRE200 External Routing Engine to an EX8200 switch to form a Virtual Chassis over a longer distance by using an intermediary switch. The intermediary switch should be located within 328 feet (100 meters) of the EX8200 member switch to ensure a Gigabit Ethernet connection to the management port (labeled MGMT) can be made. The intermediary switch is required because an SFP connection from an external Routing Engine cannot directly connect to the management port of an EX8200 switch. Virtual Chassis Control Protocol (VCCP) traffic traversing the intermediary switches must be placed into VLANs to ensure it is directed to the correct destination. This procedure shows how to connect two XRE200 External Routing Engines to two EX8200 member switches together over a long-distance connection. Ensure that you have the following parts and tools available:

1568

•

Two XRE200 External Routing Engines, each with at least one installed 1000BASE-X SFP VCCI module

•

Two EX8200 switches

•

Two EX Series switches



NOTE: Any EX Series switch can be used as an intermediary switch in an EX8200 Virtual Chassis. The most affordable EX Series switch is an EX2200 switch with 24 total ports and no Power over Ethernet (PoE) ports (model number EX2200-24T-4G). If you need to purchase a new switch to extend a VCP for an EX8200 Virtual Chassis, we recommend purchasing this switch with an SFP uplink module that supports the same SFPs as an XRE200 External Routing Engine and an SFP cable whose length is appropriate for your environment. The EX2200 switch supports uplink modules with SFP connections that span up to 43.5 miles (70 km). See Optical Interface Support in EX2200 Switches and Optical Interface Support in XRE200 External Routing Engines for information on supported optical uplinks.

The EX Series switches used as intermediary switches in this procedure must be dedicated to this task. These switches cannot receive or forward any other network traffic. Figure 45 on page 1569 provides a diagram of the XRE200 External Routing Engine-to-EX8200 switch long-distance connections in the EX8200 Virtual Chassis. The diagram shows the physical and VLAN setup of the Virtual Chassis.

Figure 45: Long Distance EX8200 Virtual Chassis EX8200-XRE200

Disk Number 0 1

0

1

0

LINK/ ACT SPD

USB

MGMT

1

1

2

3

0

0

CONSOLE

0

1

2

3

4

5

6

7

8

9

10

12

13

Slot Number 2

LINK/ ACT SPD

USB

0

CONSOLE

Disk Number 0 1

Slot Number 2

14

15

1617

1819

2021

22

MGMT

0

23 M

S

AL

SY

1

2

3

0

1

2

3

4

5

6

7

8

9

10

12

13

14

15

1617

1819

2021

22

23 M

S

SPD

AL

SY

DX

0

1

2

3

RE/SRE 0 (Master)

MGMT

RE/SRE 1 (Backup)

MGMT

vcp-vlan 1

vcp-vlan 3

vcp-vlan 2

vcp-vlan 4


SPD DX

0

EN POE

1

2

3

EN POE

MGMT

MGMT

g021230

EX8200-XRE200

1569

®


To configure a long-distance VCP using two intermediary EX Series switches in an EX8200 Virtual Chassis: 1.

Cable the devices. The following connections must be cabled: VLAN 1: •

SFP VCP on the master XRE200 External Routing Engine connected to intermediary switch 0.

•

Gigabit Ethernet port on intermediary switch 0 to the management port (labeled MGMT) on the master Switch Fabric and Routing Engine (SRE) module or Routing Engine (RE) module on the EX8200 member switch ID 0.

VLAN 2: •

SFP VCP on the master XRE200 External Routing Engine connected to intermediary switch 1.

•

Gigabit Ethernet port on intermediary switch 1 to the management port (labeled MGMT) on the master SRE module or RE module on the EX8200 member switch ID 1.

VLAN 3: •

SFP VCP on the backup XRE200 External Routing Engine connected to intermediary switch 0.

•

Gigabit Ethernet port on intermediary switch 0 to the management port (labeled MGMT) on the backup SRE module or RE module on the EX8200 member switch ID 0.

VLAN 4: •

SFP VCP on the backup XRE200 External Routing Engine connected to intermediary switch 1.

•

Gigabit Ethernet port on intermediary switch 1 to the management port (labeled MGMT) on the backup SRE module or RE module on the EX8200 member switch ID 1.

2. Configure the VLANs on the intermediary switches. Each VLAN must contain the

interface on the intermediary switch connecting to the XRE200 External Routing Engine and the interface connecting to the EX8200 member switch.

NOTE: You only need to configure the VLANs on the intermediary switches. You do not need to place any interfaces on the XRE200 External Routing Engine or on the EX8200 member switches into the VLANs.

VLAN 1: user@switch-0# set vlans vcp-vlan-1 interface ge-0/1/0 user@switch-0# set vlans vcp-vlan-1 interface ge-0/0/0

VLAN 2:

1570



user@switch-1# set vlans vcp-vlan-2 interface ge-0/1/0 user@switch-1# set vlans vcp-vlan-2 interface ge-0/0/0

VLAN 3: user@switch-0# set vlans vcp-vlan-3 interface ge-0/1/1 user@switch-0# set vlans vcp-vlan-3 interface ge-0/0/1

VLAN 4: user@switch-1# set vlans vcp-vlan-4 interface ge-0/1/1 user@switch-1# set vlans vcp-vlan-4 interface ge-0/0/1 3. Set the maximum transmission units (MTU) value on all interfaces on both

intermediary switches transmitting VCCP traffic to 3000 bytes or more. On switch 0: user@switch-0# user@switch-0# user@switch-0# user@switch-0#

set interfaces ge-0/0/0 mtu 3000 set interfaces ge-0/0/1 mtu 3000 set interfaces ge-0/1/0 mtu 3000 set interfaces ge-0/1/1 mtu 3000

On switch 1: user@switch-1# user@switch-1# user@switch-1# user@switch-1#


set interfaces ge-0/0/0 mtu 3000 set interfaces ge-0/0/1 mtu 3000 set interfaces ge-0/1/0 mtu 3000 set interfaces ge-0/1/1 mtu 3000

•

Understanding Long-Distance Virtual Chassis Port Configuration for an EX8200 Virtual Chassis on page 1554

•

Virtual Chassis Control Interface (VCCI) Modules in an XRE200 External Routing Engine

Installing Software for All Devices in an EX8200 Virtual Chassis We recommend that you use nonstop software upgrade (NSSU) to upgrade the software for an EX8200 Virtual Chassis. NSSU upgrades all Routing Engines in the Virtual Chassis with minimal disruption of traffic. For more details, see “Upgrading Software on an EX8200 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure)” on page 1705. Use the procedure described in this topic to upgrade the software for the EX8200 Virtual Chassis when you cannot use NSSU—for example, when the software version you are running does not support NSSU. You can use this procedure to upgrade the software on all devices in the EX8200 Virtual Chassis, including all EX8200 member switches and both the master and backup external Routing Engines. This procedure requires a reboot of the Virtual Chassis. To upgrade software for all devices in the EX8200 Virtual Chassis: 1.

Download the software package for the XRE200 External Routing Engine (the software package whose package name contains “xre200”—for instance, jinstall-ex-xre200-10.4R1.8-domestic-signed.tgz—as described in “Downloading Software Packages from Juniper Networks” on page 123.


See the Junos OS Installation and Upgrade Guide.


1571

®


3. (Optional) Copy the software package to the master external Routing Engine. We

recommend that you use FTP to copy the file to the /var/tmp directory. This step is optional because you can upgrade Junos OS when the software image is stored at a remote location. This procedure describes the software upgrade process for both scenarios. 4. Install the new package:

NOTE: A reboot, which occurs as part of the execution of the following command, is required on each external Routing Engine or switch to complete the software upgrade. If you use this procedure as outlined, all Switch Fabric and Routing Engine (SRE) modules or Routing Engine (RE) modules on the EX8200 switches that are connected into the EX8200 Virtual Chassis will reboot simultaneously when the command is entered. Network traffic cannot be forwarded during the reboot. If you want to reboot a device at a later time or reboot the SRE modules or RE modules individually, do not use the reboot option at this point of the procedure. Enter the request system reboot command at a later time to reboot the external Routing Engine or SRE module or RE module to complete the procedure.

user@switch> request system software add source reboot

Replace source with one of the following paths: •

For a software package that is installed from a local directory on the external Routing Engine—/pathname/package-name-m.nZx-distribution.tgz.

•

For a software package that is downloaded and installed from a remote location: •

ftp://hostname/pathname/package-name-m.nZx-distribution.tgz

•

http://hostname/pathname/package-name-m.nZx-distribution.tgz

where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-xre200-10.4R1.8-domestic-signed.tgz. Related Documentation

1572

•


•

Upgrading Software on an EX8200 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure) on page 1705

•


•




Installing Software for a Single Device in an EX8200 Virtual Chassis You can use this procedure to upgrade the software on a single device in an EX8200 Virtual Chassis. This procedure is most useful when one device that was previously recognized as active in the Virtual Chassis is no longer recognized as active and the reason for that lack of recognition is likely related to a software version mismatch between this device and the other Virtual Chassis members. Generally, the preferred method of upgrading a Virtual Chassis is to upgrade all devices in the Virtual Chassis at the same time to ensure all members are running the same version of Junos OS. See “Installing Software for All Devices in an EX8200 Virtual Chassis” on page 1571 If you are adding a single device to an existing Virtual Chassis, upgrade that device to the version of Junos OS currently running in the Virtual Chassis before you connect the device. The following procedure cannot be used in that scenario, as the Virtual Chassis will not recognize the new device until the software mismatch is corrected. See “Adding or Replacing a Member Switch or an External Routing Engine in an EX8200 Virtual Chassis (CLI Procedure)” on page 1565. To upgrade software for a single device in an EX8200 Virtual Chassis: 1.

Download the software package as described in “Downloading Software Packages from Juniper Networks” on page 123. The software package in this procedure is always the XRE200 software package, even if you are upgrading the software on a member switch.


See the Junos OS Installation and Upgrade Guide. 3. (Optional) Copy the software package to the master external Routing Engine. We

recommend that you use FTP to copy the file to the /var/tmp directory. This step is optional because you can also upgrade Junos OS when the software image is stored at a remote location. This procedure describes the software upgrade process for both scenarios. 4. Install the new package:

NOTE: A reboot, which occurs as part of the execution of the following command, is required to complete the software upgrade. If you want to reboot the external Routing Engine or switch at a later time, do not use the reboot option at this point of the procedure and enter the request system reboot command at a later time to reboot the device.

user@switch> request system software add source member member-id reboot

Replace source with one of the following paths: •

For a software package that is installed from a local directory on the external Routing Engine—/pathname/package-name-m.nZx-distribution.tgz.


1573

®


•

For a software package that is downloaded and installed from a remote location: •

ftp://hostname/pathname/package-name-m.nZx-distribution.tgz

•

http://hostname/pathname/package-name-m.nZx-distribution.tgz

where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-xre200–10.4R1.8-domestic-signed.tgz. Replace member-id with the member ID of the device receiving the upgrade. Related Documentation

•


Performing a Software Recovery Installation for an XRE200 External Routing Engine This process can be used in any scenario when a software recovery upgrade of an XRE200 External Routing Engine is needed. A software recovery upgrade might be needed in several scenarios, including cases when the CLI prompt is unreachable or the external Routing Engine is continually rebooting and other troubleshooting methods have failed to address the problem. This procedure copies the Junos OS image on USB flash memory onto an XRE200 External Routing Engine. The external Routing Engine then boots using the Junos OS image on the XRE200 External Routing Engine. To perform a software recovery installation: Ensure that you have the following tools and parts available: •

A USB flash drive that meets the EX Series switch USB port specifications. See USB Port Specifications for an XRE200 External Routing Engine.

•

A computer or other device that you can use to download the software package from the Internet and copy it to the USB flash drive.

1.

Download the Junos OS package that you would like to place onto the external Routing Engine from the Internet onto the USB flash drive using your computer or other device. See “Downloading Software Packages from Juniper Networks” on page 123.

NOTE: In most cases, you should download the Junos OS image running on the other devices in your EX8200 Virtual Chassis onto USB Flash memory. Booting the external Routing Engine with the same software currently running within the EX8200 Virtual Chassis ensures the external Routing Engine will be recognized by the other Virtual Chassis member devices after the recovery upgrade.

2. Remove the USB flash drive from the computer or other device. 3. Insert the USB flash drive into the USB port on the external Routing Engine.

1574



4. Power off the external Routing Engine. See Powering Off an XRE200 External Routing

Engine. 5. Reconnect power to the external Routing Engine. You will see the following prompt: Hit [Enter] to boot Immediately or [R] key to start recovery ...

Press the R key to select the recovery software upgrade procedure. 6. The following prompt appears on your external Routing Engine: Select one of the following options ... 1. Reboot the system with out making any changes. 2. Start Recovery. Choice :

Press the 2 key. 7. Monitor the output: Starting Recovery Process ... (user@switch, Wed Aug 18 16:30:02 IST 2010) Loading /boot/defaults/loader.conf /kernel text=0x4a6878 data=0x354e0+0x5edf4 syms=[0x4+0x601a0 +0x4+0x8a749 / Hit [Enter] to boot immediately, or space bar for command prompt. OK boot GDB: debug ports: uart GDB: current port: uart KDB: debugger backends: ddb gdb KDB: current backend: ddb 262144K of memory above 4GB ignored Copyright (c) 1996-2010, Juniper Networks, Inc. All rights reserved. Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. JUNOS 10.4I #0: 2010-07-20 04:46:37 UTC user@switch:/b/user/current/XRE-200/obj-i386/bsd/sys/compile/INSTALL-EXInstall EXInstall File: /tmp/cf/packages/jinstall-ex-xre200-10.4R1.5-domestic-signed.tgz Rebooting to complete the installation. Please wait...

The external Routing Engine reboots to complete the procedure. 8. When you see the CLI prompt, the USB Flash memory card can be removed from the

USB port on the XRE200 External Routing Engine. Related Documentation

•


•

USB Port Specifications for an XRE200 External Routing Engine


1575

®


1576


CHAPTER 47

Verifying EX8200 Virtual Chassis Configuration •


•


•


•

Verifying Hard Disk Memory Status on an XRE200 External Routing Engine on page 1579

Verifying the Member ID, Role, and Neighbor Member Connections of an EX8200 Virtual Chassis Member Purpose Action

View the member ID, role, and VCP links in an EX8200 Virtual Chassis. To display the role and member ID assignments, use the show virtual-chassis status command: user@external-routing-engine> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: c806.0842.de51 Mastership List Member ID 0 (FPC 0-15)

Status Prsnt

Serial No ghi789

Model ex8208

priority 0

Neighbor Role ID Interface Linecard 8 vcp-0/0 9 1

1 (FPC 16-31)

Prsnt

jkl112

ex8216

0

Linecard

vcp-3/0/2 8 vcp-0/0 9

0 8 (FPC 128-143) Prsnt

9 (FPC 144-159) Prsnt


abc123

def456

ex-xre

ex-xre

129

129

Master*

Backup

vcp-0/1

vcp-0/1

vcp-4/0/2 9 vcp-1/0 0

vcp-1/1

1 8

vcp-1/2 vcp-1/0

0

vcp-1/1

1577

®


1

Meaning


vcp-1/2

This output verifies that a Virtual Chassis composed of one EX8208 switch (member 0), one EX8216 switch (member 1), and master and backup XRE200 External Routing Engines (members 8 and 9) is operational by showing that all devices are in the Prsnt state. The display shows the VCP connections and confirms that each member has an active connection to all three other members.

•


•


Verifying Virtual Chassis Ports in an EX8200 Virtual Chassis Purpose

Action

Verify that the Virtual Chassis ports (VCPs) in the EX8200 Virtual Chassis are properly configured. This task is particularly important as a method of confirming the user-configured VCP connection between two EX8200 switches. Verify the type, status, speed, and neighbor ID and interface of each VCP on an EX8200 switch or an XRE200 External Routing Engine: user@external-routing-engine> show virtual-chassis vc-port member 0 member0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Up 1000 8 vcp-1/1 vcp-0/1 Dedicated -1 Up 1000 9 vcp-1/1 3/0/2 Configured -1 Up 10000 1 vcp-4/0/2 3/0/3 Configured Absent 3/0/4 Configured Absent 3/0/5 Configured Absent 3/0/6 Configured Absent 3/0/7 Configured Absent

Meaning

Members 0 through 7 in an EX8200 Virtual Chassis are reserved for EX8200 switches, so we know this output from member 0 shows the VCP connections from an EX8200 member switch. The output shows that the switch has a dedicated VCP connection to each external Routing Engine—member IDs 8 and 9, which are always external Routing Engines. These links are dedicated because they are connections to an external Routing Engine. The output also shows a VCP link between two EX8200 switches (member 0 and member 1). VCP links between EX8200 member switches must be user-configured, and the Configured Type output is a result of this user configuration. This VCP link is from interface vcp–3/0/2 on the switch to interface vcp–4/0/2 of the switch acting as member 1. Trunk ID -1 is used to indicate a link is not part of a link aggregation group (LAG). This output shows that no links in this configuration are part of a LAG.

1578


Chapter 47: Verifying EX8200 Virtual Chassis Configuration


•


Verifying Connectivity Between Virtual Chassis Member Devices Purpose Action

Verify that a member device is reachable through the Virtual Chassis. 1.

Run a Virtual Chassis device reachability test: user@switch> request virtual-chassis device-reachability test-name name source-fpc source-fpc-id destination-fpc destination-fpc-id

2. View the test results that appear on the screen: Device Reachability Statistics: Test Name : member0-to-member2 Performing Test: 1 56 bytes from 0: session-id 0 seq-id 0 56 bytes from 0: session-id 0 seq-id 1 56 bytes from 0: session-id 0 seq-id 2 56 bytes from 0: session-id 0 seq-id 3 56 bytes from 0: session-id 0 seq-id 4 --- sping statistics --Session ID Packets Count/Sent/Received/Sendfail Unknown/Timedout/Duplicate packets received Round-trip Min/Avg/Max

Meaning


: : : :

0 5/5/5/0 0/0/0 181/807/3010 usec

The test results confirm that the connection between the member devices within the Virtual Chassis is operating properly. The Packets Count/Sent/Received/Sendfail output shows that five ping packets were sent and five ping packets were returned. The Unknown/Timedout/Duplicate packets received field output shows that zero ping packets errors occurred during the test. The Round-trip Min/Avg/Max output shows that all of the test packets took between 181 and 3010 microseconds to traverse the path.

•

Understanding Virtual Chassis Device Reachability Testing on page 1555

Verifying Hard Disk Memory Status on an XRE200 External Routing Engine Purpose

Verify that the hard disk memory on your XRE200 External Routing Engine is functioning properly.


1579

®


Action

1.

Run a Hard Disk Drive (HDD) memory and diagnostics monitoring test: user@external-routing-engine> request chassis routing-engine hard-disk-test

2. View the test results that appear on the screen: RAID INFORMATION RAID device path: /dev/ad4 Firmware Version: 11594 RAID controller s/n: 12345678 RAID Chip ID: 123 RAID policy: SAFE Drive0 Drive1 Drive0 Drive1 Drive0 Drive1

model: WDC WD123AAJS-4567A0 model: WDC WD345JD-18MSA1 s/n: WD-WCAT30214999 s/n: WD-WMAM9DTK4111 capacity: 74(GB) capacity: 74(GB)

RAID STATUS Drive0: On-line Drive1: On-line Number of partitions: 1 Size of Partitions: Partition 0: 74(GB) RAID Status: Healthy

Meaning

These results confirm that both HDD modules are functioning properly, as shown by the status of On-line for both Drive0 and Drive1. If your HDD module is not functioning properly, the status is Off-line or Unknown. If the status is Off-line for Drive0 or Drive1, verify that the HDD module is securely seated in its slot. If the status is Unknown for either drive, wait a few minutes then retry the test. If you are unable to return the status to On-line, contact Juniper Networks customer support (JTAC). See Contacting Customer Support to Obtain Return Materials Authorization for EX Series Switches. The results also show that RAID storage, as indicated in the RAID Status output, is Healthy. RAID storage technology manages storage between the redundant HDD modules in the XRE200 External Routing Engine. If RAID storage is not functioning properly, the status is Degraded or Unknown. If Degraded appears in the RAID Status field, contact customer support. If the RAID Status is Unknown, wait a few minutes, then retry the test. If the status remains Unknown after the second test, contact JTAC.

NOTE: The remainder of the test results output is either informational or intended for customer support purposes only.


1580

•

Understanding File Storage in an EX8200 Virtual Chassis on page 1550


Chapter 47: Verifying EX8200 Virtual Chassis Configuration

•



1581

®


1582


CHAPTER 48

Configuration Statements for EX8200 Virtual Chassis •


[edit virtual-chassis] Configuration Statement Hierarchy virtual-chassis { auto-sw-update { package-name package-name; } fast-failover (ge | vcp disable | xe); id id; mac-persistence-timer seconds; member member-id { location location; mastership-priority number; no-management-vlan; serial-number; role; } no-split-detection; preprovisioned; traceoptions (Virtual Chassis) { file filename ; flag flag ; } }


•


•


•


•



1583

®


id Syntax Hierarchy Level Release Information Description Options

id id; [edit virtual-chassis]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure the alphanumeric string that identifies a Virtual Chassis configuration. id—Virtual Chassis ID (VCID), which uses the ISO family address format—for example, 9622.6ac8.5345.


1584



•


•


•



Chapter 48: Configuration Statements for EX8200 Virtual Chassis

location Syntax Hierarchy Level Release Information Description

location location; [edit virtual-chassis member member-id]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Set a description of the location of the Virtual Chassis member switch or external Routing Engine. The Location field is visible to users who enter the show virtual-chassis status detail command. Setting this description has no effect on the operation of the Virtual Chassis member.

Options

location—Location of the current member switch or external Routing Engine. The location

can be any single word. Required Privilege Level Related Documentation



•


•


•


•


•



1585

®


mac-persistence-timer Syntax Hierarchy Level Release Information Description

mac-persistence-timer minutes; [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. (EX3300, EX4200, and EX4500 Virtual Chassis only) Specify how long the Virtual Chassis continues to use the MAC address of the switch that was originally configured in the master role as the system MAC base address when the original master switch is removed from the Virtual Chassis. The system MAC base address does not change in the event of a switchover provided the switch originally configured in the master role remains a member of the Virtual Chassis. There are no minimum or maximum timer limits.

Default Options

The MAC persistence timer is set to 10 minutes by default. minutes—Time in minutes that the member switch in the backup role continues to use

the system MAC base address of the old master for all Layer 3 interfaces before using its own system MAC base address after the switch in the master role is physically disconnected or removed from the Virtual Chassis. Required Privilege Level Related Documentation

1586





member Syntax


member member-id { location location mastership-priority number; no-management-vlan; serial-number; role; } [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an EX3300, EX4200, or EX4500 switch as a member of a Virtual Chassis configuration, or configure an EX8200 switch or an XRE200 External Routing Engine as a member of a Virtual Chassis configuration.

NOTE: The mastership-priority and no-management-vlan statements are not used in an EX8200 Virtual Chassis.

Default

When an EX3300, EX4200, or EX4500 is powered on as a standalone switch (not interconnected through its Virtual Chassis ports (VCPs) with other switches), its default member ID is 0. There is no default member ID in an EX8200 Virtual Chassis. An EX8200 Virtual Chassis must be preprovisioned, and that process configures the member IDs.

Options

member-id—Identifies a specific member switch of a Virtual Chassis configuration.

Range: 0 through 9 In an EX3300 Virtual Chassis, each switch has a member ID in the range from 0 through 5.. In an EX4200 or EX4500 Virtual Chassis, each switch has a member ID in the range from 0 through 9. In an EX8200 Virtual Chassis, member IDs 0 through 7 are reserved for EX8200 member switches and member IDs 8 and 9 are reserved for the master and backup external Routing Engines. The remaining statements are explained separately. Required Privilege Level Related Documentation




1587

®


•


•


•


•


no-split-detection Syntax Hierarchy Level

no-split-detection; [edit virtual-chassis]

Release Information


Description

Disable the split and merge feature in a Virtual Chassis configuration. We recommend using this statement to disable the split and merge feature when configuring a two-member EX3300, EX4200, or EX4500 Virtual Chassis. Enabling this statement on a two-member Virtual Chassis ensures that both switches remain in the correct Virtual Chassis roles in the event of a Virtual Chassis split.


1588

The split and merge feature is enabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•




preprovisioned Syntax Hierarchy Level Release Information Description

preprovisioned; [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable the preprovisioned configuration mode for a Virtual Chassis configuration. When the preprovisioned configuration mode is enabled for an EX3300, EX4200, or EX4500 Virtual Chassis, you cannot use the CLI or the J-Web interface to change the mastership priority or member ID of member switches. A preprovisioned configuration is highly recommended for a mixed EX4200 and EX4500 Virtual Chassis. You must use this statement to configure an EX8200 Virtual Chassis. Nonprovisioned configuration of an EX8200 Virtual Chassis is not supported.




•


•


•


•


•



1589

®


role Syntax Hierarchy Level Release Information Description

role (line-card | routing-engine); [edit virtual-chassis preprovisioned member member-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the roles of the members of the Virtual Chassis in a preprovisioned Virtual Chassis. EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, and Mixed EX4200 and EX4500 Virtual Chassis Specify the role to be performed by each member switch. Associate the role with the member’s serial number. When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces. The mastership priority value is generated by the software, based on the assigned role: •

A member configured as routing-engine is assigned the mastership priority 129.

•

A member configured as line-card is assigned the mastership priority 0.

•

A member listed in the preprovisioned configuration without an explicitly specified role is assigned the mastership priority 128.

The configured role specifications are permanent. If both routing-engine members fail, a line-card member cannot take over as master of the Virtual Chassis configuration. You must delete the preprovisioned configuration to change the specified roles in an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis. Explicitly configure two members as routing-engine and configure additional switches as members of the preprovisioned Virtual Chassis by specifying only their serial numbers in an EX3300 Virtual Chassis, EX4200 Virtual Chassis, or EX4500 Virtual Chassis. If you do not explicitly configure the role of the additional members, they function in a linecard role by default. In that case, a member that is functioning in a linecard role can take over mastership if the members functioning as master and backup (routing-engine role) both fail. EX8200 Virtual Chassis Specify the role to be performed by each XRE200 External Routing Engine and each EX8200 member switch. Associate the role with the member’s serial number. An EX8200 Virtual Chassis cannot function when both external Routing Engines, which must be configured in the routing-engine role, have failed. Options

•

line-card—Enables the member to be eligible to function only in the linecard role. Any

member of the Virtual Chassis configuration other than the master or backup functions in the linecard role and runs only a subset of Junos OS for EX Series switches. A member

1590



functioning in the linecard role does not run the control protocols or the chassis management processes. An EX3300, EX4200, mixed EX4200 and EX4500, and EX4500 Virtual Chassis configuration must have at least three members for one member to function in the linecard role. In an EX8200 Virtual Chassis configuration, all member switches must be in the linecard role. •

routing-engine—Enables the member to function as a master or backup of the Virtual

Chassis configuration. The master manages all members of the Virtual Chassis configuration and runs the chassis management processes and control protocols. The backup synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable. (EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, and mixed EX4200 and EX4500 Virtual Chassis) Specify two and only two members as routing-engine. The software determines which of the two members assigned the routing-engine role functions as master, based on the master election algorithm. See “Understanding How the Master in an EX3300, EX4200, or EX4500 Virtual Chassis Is Elected” on page 1290. In these Virtual Chassis, the routing-engine role is associated with a switch. (EX8200 Virtual Chassis) All XRE200 External Routing Engines must be in the routing-engine role. Required Privilege Level Related Documentation



•


•


•


•


•


•


•



1591

®


serial-number Syntax Hierarchy Level Release Information Description

serial-number serial-number; [edit virtual-chassis preprovisioned member member-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. In a preprovisioned EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis or mixed EX4200 and EX4500 Virtual Chassis, specify the serial number of each member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the switch cannot be recognized as a member of a preprovisioned configuration. In an EX8200 Virtual Chassis configuration, specify the serial number of each XRE200 External Routing Engine and each EX8200 member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the external Routing Engine or switch cannot be recognized as a member of the configuration.

Options

serial-number—Permanent serial number for the external Routing Engine or for the member

switch. Required Privilege Level Related Documentation

1592



•


•


•


•


•


•


•




traceoptions Syntax



traceoptions { file filename ; flag flag ; } [edit virtual-chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Option detail added in Junos OS Release 9.2 for EX Series switches. Define tracing operations for the Virtual Chassis configuration. Tracing operations are disabled. detail—(Optional) Generate detailed trace information for a flag. disable—(Optional) Disable a flag. file filename—Name of the file to receive the output of the tracing operation. Enclose the


so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files flag flag—Tracing operation to perform. To specify more than one tracing operation,



TIP: The all flag displays a subset of logs that are useful in debugging most issues. For more detailed information, use all detail.

•

auto-configuration—Trace Virtual Chassis ports (VCPs) that have been automatically

configured. •

csn—Trace Virtual Chassis complete sequence number (CSN) packets.

•

error—Trace Virtual Chassis errored packets.

•

hello—Trace Virtual Chassis hello packets.

•

krt—Trace Virtual Chassis KRT events.


1593

®


•

lsp—Trace Virtual Chassis link-state packets.

•

lsp-generation—Trace Virtual Chassis link-state packet generation.

•

me—Trace Virtual Chassis ME events.

•


•

packets—Trace Virtual Chassis packets.

•


•

psn—Trace partial sequence number (PSN) packets.

•

route—Trace Virtual Chassis routing information.

•

spf—Trace Virtual Chassis SPF events.

•

state—Trace Virtual Chassis state transitions.

•

task—Trace Virtual Chassis task operations.

no-stamp—(Optional) Do not place a timestamp on any trace file. no-world-readable—(Optional) Restrict file access to the user who created the file. receive—(Optional) Trace received packets. replace—(Optional) Replace a trace file rather than appending information to it. send—(Optional) Trace transmitted packets. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB world-readable—(Optional) Enable unrestricted file access.


1594





•


•


•


•


•



1595

®


virtual-chassis Syntax


virtual-chassis { auto-sw-update { package-name package-name; } fast-failover (ge | vcp disable | xe); graceful-restart { disable; } id id; mac-persistence-timer seconds; member member-id { location location; mastership-priority number; no-management-vlan; serial-number; role; } no-split-detection; preprovisioned; traceoptions (Virtual Chassis) { file filename ; flag flag ; } vc-port { lag-hash (packet-based | source-port-based); } } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Virtual Chassis information. The remaining statements are explained separately.

Default

A standalone EX3300, EX4200, or EX4500 switch is a Virtual Chassis by default. It has a default member ID of 0, a default mastership priority of 128, and a default role as master. A standalone XRE200 External Routing Engine or EX8200 switch is not part of an EX8200 Virtual Chassis until a Virtual Chassis configuration is set up.


1596



•




•


•


•


•



1597

®


1598


CHAPTER 49

Operational Commands for EX8200 Virtual Chassis


1599

®


clear virtual-chassis protocol statistics Syntax


Options

clear virtual-chassis protocol statistics

Command introduced in Junos OS Release 10.4 for EX Series switches. Clear—reset to zero (0)—all Virtual Chassis Control Protocol (VCCP) traffic counters for the Virtual Chassis. none—Clear VCCP counters for all members of the Virtual Chassis. all-members—(Optional) Clear VCCP traffic counters for all members of the Virtual

Chassis. local—(Optional) Clear VCCP traffic counters on the switch or external Routing Engine

on which this command is entered. member member-id—(Optional) Clear VCCP traffic counters for the specified member

of the Virtual Chassis. Required Privilege Level Related Documentation

clear

•

show virtual-chassis protocol statistics on page 1637

•


Sample Output clear virtual-chassis protocol statistics

user@switch> clear virtual-chassis protocol statistics member0: -------------------------------------------------------------------------Statistics cleared member1: -------------------------------------------------------------------------Statistics cleared member8: -------------------------------------------------------------------------Statistics cleared member9: -------------------------------------------------------------------------Statistics cleared

This output shows that the VCCP counters have been cleared for both member switches (member 0 and member 1) and both XRE200 External Routing Engines (member 8 and member 9) in the EX8200 Virtual Chassis.

1600


Chapter 49: Operational Commands for EX8200 Virtual Chassis

clear virtual-chassis vc-port statistics Syntax

Release Information


Command introduced in Junos OS Release 9.0 for EX Series switches. The options all-members and local were added in Junos OS Release 9.3 for EX Series switches.

Description

Clear—reset to zero (0)—the traffic statistics counters on Virtual Chassis ports (VCPs).

Options

none—Clear traffic statistics for VCPs of all members of a Virtual Chassis configuration. all-members—(Optional) Clear traffic statistics for VCPs of all members of a Virtual

Chassis configuration. interface-name—(Optional) Clear traffic statistics for the specified VCP. local—(Optional) Clear traffic statistics for VCPs from the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Clear traffic statistics for VCPs from the specified member



clear

•


•


•


clear virtual-chassis vc-port statistics (EX4200 Virtual Chassis) on page 1601 clear virtual-chassis vc-port statistics (EX8200 Virtual Chassis) on page 1601 clear virtual-chassis vc-port statistics member 3 on page 1602

Sample Output clear virtual-chassis vc-port statistics (EX4200 Virtual Chassis)

user@switch> clear virtual-chassis vc-port statistics fpc0: -------------------------------------------------------------------------Statistics cleared


user@external-routing-engine> clear virtual-chassis vc-port statistics member0: --------------------------------------------------------------------------


1601

®



Statistics cleared member1: -------------------------------------------------------------------------Statistics cleared member8: -------------------------------------------------------------------------Statistics cleared member9: -------------------------------------------------------------------------Statistics cleared

clear virtual-chassis vc-port statistics member 3

1602

user@switch> clear virtual-chassis vc-port statistics member 3 Cleared statistics on member 3



request chassis routing-engine hard-disk-test Syntax Release Information Description



request chassis routing-engine hard-disk-test

Command introduced in Junos OS Release 12.1 for XRE200 External Routing Engines. Run a Hard Disk Drive (HDD) memory and diagnostics monitoring test for an XRE200 External Routing Engine. The test provides output that is helpful in monitoring the status of the hard disk memory on the XRE200 External Routing Engine. system-control

•


•


request chassis routing-engine hard-disk-test on page 1605 Table 177 on page 1603 lists the output fields for the request chassis routing-engine hard-disk-test command. Output fields are listed in the approximate order in which they appear.

Table 177: request chassis routing-engine hard-disk-test Output Fields Field Name

Field Description

RAID device path

The device path to the RAID. This output is generally only useful for customer support personnel.

Firmware Version

The firmware version of the RAID. This output is generally only useful for customer support personnel.

RAID controller s/n

The serial number of the RAID controller. This output is generally only useful for customer support personnel.

RAID Chip ID

The RAID chip identification number. This output is generally only useful for customer support personnel.

RAID policy

The RAID policy status. SAFE is the only RAID policy used by an XRE200 External Routing Engine. This output is generally only useful for customer support personnel.

Drive0 model

The model number of the HDD module in HDD slot 0. This output is generally only useful for customer support personnel.


1603

®


Table 177: request chassis routing-engine hard-disk-test Output Fields (continued) Field Name

Field Description

Drive1 model

The model number of the HDD module in HDD slot 1. This output is generally only useful for customer support personnel.

Drive0 s/n

The serial number of the HDD module in HDD slot 0. This output is generally only useful for customer support personnel.

Drive1 s/n

The serial number of the HDD module in HDD slot 1. This output is generally only useful for customer support personnel.

Drive0 capacity

The memory capacity of the HDD module in HDD slot 0, in gigabytes.

Drive1 capacity

The memory capacity of the HDD module in HDD slot 1, in gigabytes.

Drive0 (RAID STATUS)

The RAID status of the HDD module in HDD slot 0. Outputs include: •

On-line—The HDD module is online.

•

Off-line—The HDD module is offline.

If the status is Off-line, verify that the HDD module is securely seated in its slot. If the HDD module is securely seated and you cannot identify the reason for this status, contact Juniper Networks customer support (JTAC). •

Unknown—HDD module RAID status is unknown.

If the status is Unknown, wait a few minutes then retry the test. If the status remains Unknown after the second test, contact Juniper Networks customer support (JTAC). Drive1 (RAID STATUS)

The RAID status of the HDD module in HDD slot 1. Outputs include: •

On-line—HDD module is online.

•

Off-line—HDD module is offline.

If the status is Off-line, verify that the HDD module is securely seated in its slot. If the HDD module is securely seated and you cannot identify the reason for this status, contact Juniper Networks customer support (JTAC). •

Unknown—HDD module RAID status is unknown.

If the status is Unknown, wait a few minutes then retry the test. If the status remains Unknown after the second test, contact Juniper Networks customer support (JTAC). Number of partitions

The number of RAID memory partitions.

Size of Partitions

The size of each partition, in gigabytes.

1604



Table 177: request chassis routing-engine hard-disk-test Output Fields (continued) Field Name

Field Description

RAID Status

The RAID status. Outputs include: •

Healthy—RAID is healthy.

•

Degraded—RAID has detected a problem with at least one HDD module.

If Degraded appears in the RAID Status field, contact customer support. •

Unknown—RAID status is unknown.

If the status is Unknown, wait a few minutes then retry the test. If the status remains Unknown after the second test, contact Juniper Networks customer support (JTAC). •

Rebuilding—The RAID is rebuilding.

The output includes a drive number and a percentage complete indication. The RAID rebuilding process can take up to 40 minutes. Wait several minutes after the process has finished and then retry the test. •

Verifying—The RAID is rebuilt and being verified by the system.

The output includes a drive number and a percentage complete indication. The RAID verification process can take up to 40 minutes. Wait several minutes after the process has finished and then retry the test.

Sample Output request chassis routing-engine hard-disk-test

user@switch> request chassis routing-engine hard-disk-test RAID INFORMATION RAID device path: /dev/ad4 Firmware Version: 11594 RAID controller s/n: 12345678 RAID Chip ID: 123 RAID policy: SAFE Drive0 Drive1 Drive0 Drive1 Drive0 Drive1

model: WDC WD123AAJS-4567A0 model: WDC WD345JD-18MSA1 s/n: WD-WCAT30214999 s/n: WD-WMAM9DTK4111 capacity: 74(GB) capacity: 74(GB)

RAID STATUS Drive0: On-line Drive1: On-line Number of partitions: 1 Size of Partitions: Partition 0: 74(GB) RAID Status: Healthy


1605

®



1606



maintenance

•

member on page 1480

•







maintenance

•

member on page 1480

•



1607

®


request virtual-chassis device-reachability Syntax


Options

request virtual-chassis device-reachability test-name name (source-fpc source-fpc-id | source-ip-address source-ip-address) (destination-device device-id | destination-fpc destination-fpc-id | destination-ip-address destination-ip-address)

Command introduced in Junos OS Release 11.2 for EX Series switches. Run a Virtual Chassis device reachability test. A Virtual Chassis device reachability test sends ping packets from one member of a Virtual Chassis to another member of a Virtual Chassis directly through the Virtual Chassis connections. The receiving Virtual Chassis member sends reply packets to confirm receipt of the ping packets from the sending device. The results of the test immediately provide information that is helpful in verifying connectivity between Virtual Chassis member devices. test-name name—Specify the name of the test. The name can be any single-word

character string. Spaces are not allowed. source-fpc source-fpc-id—Specify the FPC that sends the first ping message. source-ip-address source-ip-address—Specify the source IP address that receives the ping

message. destination-device device-id—Specify the device in the Virtual Chassis that receives the

ping message. destination-fpc destination-fpc-id—Specify the FPC that receives the first ping message. destination-ip-address destination-ip-address—Specify the destination IP address that

receives the ping message. probe-count count—(Optional) Specify the number of ping messages to send for the test.

The count can be any number from 1 through 10. The default count is 5. probe-interval interval—(Optional) Specify the time in seconds between the ping messages

that are sent during the test. The interval can be any number from 1 through 3. The default interval is 1 second. probe-pattern pattern—(Optional) Specify a payload pattern in the ping message. Enter

the pattern in hexadecimal format. test-count count—(Optional) Specify the number of times to run the test. The count can

be any number from 1 through 3. The default count is 1. test-interval interval—(Optional) Specify the time in seconds between tests when multiple

tests are specified. The interval can be any number from 1 through 3. The default interval is 1.

1608




system-control

•


Table 178 on page 1609 lists the output fields for the request virtual chassis device reachability command. Output fields are listed in the approximate order in which they appear.

Table 178: request virtual chassis device reachability Output Fields Field Name

Field Description

Test Name

The name of the test.

Performing Test

The test number.

Session ID

The session ID. This output is always 0 and not useful for Virtual Chassis device reachability tests.

Packets Count/Sent/Received/Sendfail

The number of total ping packets sent, including the total number of ping packets counted (Count), sent (Sent), received (Received), and packets that could not be sent (Sendfail).

Unknown/Timedout/Duplicate packets received

The failed pings, including the number of ping packets that failed for an unknown reason (Unknown), timed out (Timed Out), and the number of duplicate received ping packets (Duplicate packets received).

Round-trip Min/Avg/Max

The average round-trip ping time, including the shortest ping time (Min), the average ping time (Avg), and the maximum ping time (Max).

Sample Output request virtual-chassis device-reachability test-name member0-to-member2 source-fpc 0 destination-fpc 2

user@switch> request virtual-chassis device-reachability test-name member0-to-member2 source-fpc 0 destination-fpc 2 Device Reachability Statistics: Test Name : member0-to-member2 Performing Test: 1 56 bytes from 0: session-id 0 seq-id 0 56 bytes from 0: session-id 0 seq-id 1 56 bytes from 0: session-id 0 seq-id 2 56 bytes from 0: session-id 0 seq-id 3 56 bytes from 0: session-id 0 seq-id 4 --- sping statistics --Session ID Packets Count/Sent/Received/Sendfail Unknown/Timedout/Duplicate packets received Round-trip Min/Avg/Max


: : : :

0 5/5/5/0 0/0/0 181/807/3010 usec

1609

®


request virtual-chassis reactivate Syntax Release Information Description

request virtual-chassis reactivate

Command introduced in Junos OS Release 9.3 for EX Series switches. Reactivate a device that has been assigned a member ID but is not currently connected to the Virtual Chassis. You can use this command to reactivate a device that was previously part of the Virtual Chassis but whose status is no longer Prsnt.



system-control

•


•


request virtual-chassis reactivate on page 1610

Sample Output request virtual-chassis reactivate

1610

user@switch> request virtual-chassis reactivate



request virtual-chassis recycle Syntax Release Information Description

request virtual-chassis recycle member-id member-id

Command introduced in Junos OS Release 9.0 for EX Series switches. Make a previously used member ID available for reassignment. When you remove a member switch from the Virtual Chassis configuration, the master reserves that member ID. To make the member ID available for reassignment, you must use this command.


Options

member-id member-id—Specify the member ID that you want to make available for

reassignment to a different member. Required Privilege Level Related Documentation


system-control

•

request virtual-chassis renumber on page 1504

•


•


request virtual-chassis recycle member-id 3 on page 1611 request virtual-chassis recycle member-id 1 on page 1611


user@switch> request virtual-chassis recycle member-id 3


user@external-routing-engine> request virtual-chassis recycle member-id 1


1611

®


request virtual-chassis renumber Syntax Release Information Description

request virtual-chassis renumber member-id old-member-id new-member-id new-member-id

Command introduced in Junos OS Release 9.0 for EX Series switches. Renumber a member of a Virtual Chassis configuration.


Options

member-id old-member-id—Specify the ID of the member that you wish to renumber. new-member-id new-member-id—Specify an unassigned member ID.



system-control

•

request virtual-chassis recycle on page 1503

•


•


request virtual-chassis renumber member-id 5 new-member-id 4 on page 1612 request virtual-chassis renumber member-id 1 new-member-id 0 on page 1612


user@switch> request virtual-chassis renumber member-id 5 new-member-id 4


1612

user@external-routing-engine> request virtual-chassis renumber member-id 1 new-member-id 0




Release Information

Description

request virtual-chassis vc-port set | delete pic-slot pic-slot port port-number

Command introduced in Junos OS Release 9.0 for EX Series switches. Option fpc-slot introduced in Junos OS Release 10.4 for EX Series switches. Enable or disable an uplink port (on an SFP, SFP+, or XFP uplink interface) or an SFP network port as a Virtual Chassis port (VCP). If you omit member member-id, this command defaults to enabling or disabling the uplink VCP or SFP network port configured as a VCP on the switch where the command is issued. On an EX3300 switch, uplink ports 2 and 3 are configured as VCPs by default. No other uplink ports on any other EX Series switches are configured as VCPs by default. You might experience a temporary traffic disruption immediately after creating or deleting a user-configured VCP in an EX8200 Virtual Chassis.

Options

pic-slot pic-slot—Number of the PIC slot for the uplink port or SFP network port on the

switch. port port-number—Number of the uplink port or SFP network port that is to be enabled

or disabled as a VCP. member member-id—(Optional) Enable or disable the specified VCP on the specified



system-control

•

request virtual-chassis vc-port on page 1507 (dedicated port)

•


•


•


•


•


request virtual-chassis vc-port set pic-slot 1 port 0 on page 1614 request virtual-chassis vc-port set pic-slot 1 port 1 member 3 on page 1614 request virtual-chassis vc-port delete pic-slot 1 port 1 member 3 on page 1614


1613

®


Sample Output request virtual-chassis vc-port set pic-slot 1 port 0

user@switch> request virtual-chassis vc-port set pic-slot 1 port 0

request virtual-chassis vc-port set pic-slot 1 port 1 member 3

user@switch> request virtual-chassis vc-port set pic-slot 1 port 1 member 3

request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

user@switch> request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

1614






set chassis virtual-chassis Syntax


set chassis virtual-chassis

Command introduced in Junos OS Release 10.4 for EX Series switches. Set the EX8200 switch into Virtual Chassis mode. An EX8200 switch cannot be a member switch in an EX8200 Virtual Chassis until the switch is in Virtual Chassis mode. This command is not needed when configuring an EX3300 Virtual Chassis, EX4200 Virtual Chassis, EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis.

Options

none—Set the internal Routing Engines into Virtual Chassis mode. disable—Disable Virtual Chassis mode for all internal REs on the switch. local—Set the Routing Engine that you are currently logged in to into Virtual Chassis

mode. Required Privilege Level Related Documentation


view

•

show virtual-chassis status on page 1519

•


set chassis virtual-chassis on page 1615

Sample Output set chassis virtual-chassis

user@switch> set chassis virtual-chassis This will reboot the RE(s) Do you want to continue ? [yes,no] (no) yes


1615

®


show system uptime Syntax Release Information Description

Options

show system uptime (all-members | member member-id)

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the current time and information about how long the Virtual Chassis, the Junos OS software, and routing protocols have been running. all-members—Display the current time and information about how long the Virtual Chassis,

the Junos OS software, and routing protocols have been running for all the member switches of the Virtual Chassis configuration. member member-id—Display the current time and information about how long the Virtual

Chassis, the Junos OS software, and routing protocols have been running for the specific member of the Virtual Chassis configuration. Required Privilege Level Related Documentation


view

•

virtual-chassis on page 1492

•


show system uptime member 0 on page 1617 Table 165 on page 1510 lists the output fields for the show system uptime command. Output fields are listed in the approximate order in which they appear.


Field Description

Current time


System booted


Protocols started


Last configured


Time and up

Current time, in the local time zone, and how long the switch has been operational.

Users

Number of users logged into the switch.

Load averages


1616



Sample Output show system uptime member 0

user@switch>show system uptime member 0 fpc0: -----------------------------------------------------------------------Current time: 2008-02-06 05:24:20 UTC System booted: 2008-01-31 08:26:54 UTC (5d 20:57 ago) Protocols started: 2008-01-31 08:27:56 UTC (5d 20:56 ago) Last configured: 2008-02-05 03:26:43 UTC (1d 01:57 ago) by root 5:24AM up 5 days, 20:57, 1 user, load averages: 0.14, 0.06, 0.01


1617

®


show virtual-chassis active-topology Syntax

Release Information

show virtual-chassis active-topology


Description

Display the active topology of the Virtual Chassis configuration with next-hop reachability information.

Options

none—Display the active topology of the member switch where the command is issued. all-members—(Optional) Display the active topology of all members of the Virtual Chassis

configuration. local—(Optional) Display the active topology of the switch or external Routing Engine

on which this command is entered. member member-id—(Optional) Display the active topology of the specified member of

the Virtual Chassis configuration. Required Privilege Level Related Documentation


Output Fields

view

•


•


show virtual-chassis active-topology (EX4200 Virtual Chassis) on page 1618 show virtual-chassis active-topology (EX8200 Virtual Chassis) on page 1619 Table 166 on page 1512 lists the output fields for the show virtual-chassis active-topology command. Output fields are listed in the approximate order in which they appear.

Table 180: show virtual-chassis active-topology Output Fields Field Name

Field Description

Destination ID

Specifies the member ID of the destination.

Next-hop

Specifies the member ID and Virtual Chassis port (VCP) of the next hop to which packets for the destination ID are forwarded.

Sample Output show virtual-chassis active-topology

1618

user@switch> show virtual-chassis active-topology 1 1(vcp-1)




show virtual-chassis active-topology (EX8200 Virtual Chassis)

2

1(vcp-1)

3

1(vcp-1)

4

1(vcp-1)

5

8(vcp-0)

6

8(vcp-0)

7

8(vcp-0)

8

8(vcp-0)

1(vcp-1)

user@external-routing-engine> show virtual-chassis active-topology member0: -------------------------------------------------------------------------Destination ID Next-hop 1

1(vcp-4/0/4.32768)

8

8(vcp-0/0.32768)

9

8(vcp-0/0.32768)


0(vcp-3/0/4.32768)

8

8(vcp-0/0.32768)

9

8(vcp-0/0.32768)


0(vcp-1/1.32768)

1

1(vcp-1/2.32768)

9

9(vcp-2/1.32768)


1619

®


member9: -------------------------------------------------------------------------Destination ID Next-hop

1620

0

8(vcp-1/2.32768)

1

8(vcp-1/2.32768)

8

8(vcp-1/2.32768)



show virtual-chassis device-topology Syntax

Release Information

show virtual-chassis device-topology


Description

Display the device topology—the member and system IDs, the VCP numbers, and device status—for all hardware devices in the Virtual Chassis.

Options

none—Display the Virtual Chassis device topology for all members of the Virtual Chassis. all-members—(Optional) Display the Virtual Chassis device topology for all members of

the Virtual Chassis. local—(Optional) Display the Virtual Chassis device topology for the switch or external

Routing Engine on which this command is entered. member member-id—(Optional) Display the Virtual Chassis device topology for the

specified member of the Virtual Chassis. Required Privilege Level Related Documentation

Output Fields

clear

•


•

Understanding EX8200 Virtual Chassis Topologies on page 1541

Table 181 on page 1621 lists the output fields for the show virtual-chassis device-topology command. Output fields are listed in the approximate order in which they appear.

Table 181: show virtual-chassis device-topology Output Fields Field Name

Field Description

Member

Assigned member ID.

Device

Assigned device ID. For an EX8200 Virtual Chassis, the member ID and the device ID are always identical.

Status

The status of the device within the Virtual Chassis. Outputs include: •

Prsnt—Device is currently connected to and participating in the Virtual Chassis

configuration. •

NotPrsnt—Device is assigned but is not currently connected.


1621

®


Table 181: show virtual-chassis device-topology Output Fields (continued) Field Name

Field Description

System ID

System ID of the device. The system ID of the device is the device’s MAC address.

Member (Neighbor List)

Assigned member ID of the neighbor device.

Device (Neighbor List)

Assigned device ID of the neighbor device. For an EX8200 Virtual Chassis, the member ID and the device ID are always identical.

Interface (Neighbor List)

The interface connecting the device to the neighbor.

Sample Output show virtual-chassis device-topology

user@switch> show virtual-chassis device-topology member0: -------------------------------------------------------------------------Neighbor List Member Device Status System ID Member Device Interface 0 0 Prsnt 0021.59f7.d000 8 8 vcp-0/0 1 1 vcp-4/0/1 1 1 Prsnt 0026.888d.6800 8 8 vcp-0/0 9 9 vcp-0/1 0 0 vcp-3/0/4 8 8 Prsnt 0000.4a75.9b7c 9 9 vcp-1/0 0 0 vcp-1/1 1 1 vcp-1/2 9 9 Prsnt 0000.73e9.9a57 8 8 vcp-1/0 1 1 vcp-1/1 member1: -------------------------------------------------------------------------Neighbor List Member Device Status System ID Member Device Interface 0 0 Prsnt 0021.59f7.d000 8 8 vcp-0/0 1 1 vcp-4/0/1 1 1 Prsnt 0026.888d.6800 8 8 vcp-0/0 9 9 vcp-0/1 0 0 vcp-3/0/4 8 8 Prsnt 0000.4a75.9b7c 9 9 vcp-1/0 0 0 vcp-1/1 1 1 vcp-1/2 9 9 Prsnt 0000.73e9.9a57 8 8 vcp-1/0 1 1 vcp-1/1 member8: -------------------------------------------------------------------------Neighbor List Member Device Status System ID Member Device Interface 0 0 Prsnt 0021.59f7.d000 8 8 vcp-0/0 1 1 vcp-4/0/1

1622



1

1

Prsnt

0026.888d.6800

8

8

Prsnt

0000.4a75.9b7c

9

9

Prsnt

0000.73e9.9a57

8 9 0 9 0 1 8 1

8 9 0 9 0 1 8 1

vcp-0/0 vcp-0/1 vcp-3/0/4 vcp-1/0 vcp-1/1 vcp-1/2 vcp-1/0 vcp-1/1

member9: -------------------------------------------------------------------------Neighbor List Member Device Status System ID Member Device Interface 0 0 Prsnt 0021.59f7.d000 8 8 vcp-0/0 1 1 vcp-4/0/1 1 1 Prsnt 0026.888d.6800 8 8 vcp-0/0 9 9 vcp-0/1 0 0 vcp-3/0/4 8 8 Prsnt 0000.4a75.9b7c 9 9 vcp-1/0 0 0 vcp-1/1 1 1 vcp-1/2 9 9 Prsnt 0000.73e9.9a57 8 8 vcp-1/0 1 1 vcp-1/1


1623

®


show virtual-chassis protocol adjacency Syntax


Options

show virtual-chassis protocol adjacency

Command introduced in Junos OS Release 10.4 for EX Series switches. Display the Virtual Chassis Control Protocol (VCCP) adjacency statistics in the Virtual Chassis for all hardware devices. none—Display VCCP adjacency statistics in brief form for all members of the Virtual

Chassis. brief | detail | extensive—(Optional) Display the specified level of output. Using the brief

option is equivalent to entering the command with no options (the default). The detail and extensive options provide identical displays. all-members—(Optional) Display VCCP adjacency statistics in brief form for all members

of the Virtual Chassis. local—(Optional) Display VCCP adjacency statistics for the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Display VCCP adjacency statistics for the specified

member of the Virtual Chassis. system-id—(Optional) Display VCCP adjacency statistics for the specified member of

the Virtual Chassis. Required Privilege Level Related Documentation


Output Fields

1624

clear

•


•


show virtual-chassis protocol adjacency on page 1625 show virtual-chassis protocol adjacency detail on page 1626 Table 182 on page 1625 lists the output fields for the show virtual-chassis protocol adjacency command. Output fields are listed in the approximate order in which they appear.



Table 182: show virtual-chassis protocol adjacency Output Fields Field Name

Field Description

Level of Output

Interface

Name of the Virtual Chassis port (VCP) interface.

All levels

System

The MAC address of the device on the receiving side of the VCP link.

All levels

State

State of the link. Outputs include:

All levels

•

Up—The link is up.

•

Down—The link is down.

•

New—The link is new.

•

One-way—The link is transmitting traffic in one direction.

•

Initializing—The link is initializing.

•

Rejected—The link is rejected.

Hold, Expires in

Remaining holdtime of the adjacency.

All levels

Priority

Priority to become the designated intermediary system.

detail

Up/Down Transitions

Count of adjacency status transition changes from up to down or down to up.

detail

Last transition

Time of the last up/down transition.

detail

Sample Output show virtual-chassis protocol adjacency

user@switch> show virtual-chassis protocol adjacency member0: -------------------------------------------------------------------------Interface System State Hold (secs) vcp-0/0.32768 0000.4a75.9b7c Up 57 vcp-0/1.32768 0000.4a75.9b7c Up 59 vcp-4/0/1.32768 0026.888d.6800 Up 57 member1: -------------------------------------------------------------------------Interface System State Hold (secs) vcp-0/0.32768 0000.4a75.9b7c Up 58 vcp-0/1.32768 0000.73e9.9a57 Up 59 vcp-3/0/4.32768 0021.59f7.d000 Up 58 member8: -------------------------------------------------------------------------Interface System State Hold (secs) vcp-1/0.32768 0000.73e9.9a57 Up 58 vcp-1/1.32768 0021.59f7.d000 Up 58 vcp-1/2.32768 0026.888d.6800 Up 59 vcp-2/0.32768 0021.59f7.d000 Up 59 member9: -------------------------------------------------------------------------Interface System State Hold (secs)


1625

®


vcp-1/0.32768 vcp-1/1.32768

show virtual-chassis protocol adjacency detail

0000.4a75.9b7c Up 0026.888d.6800 Up

58 59

user@switch> show virtual-chassis protocol adjacency detail member0: -------------------------------------------------------------------------0000.4a75.9b7c interface-name: vcp-0/0.32768, State: Up, Expires in 57 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:37 ago 0000.4a75.9b7c interface-name: vcp-0/1.32768, State: Up, Expires in 59 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:37 ago 0026.888d.6800 interface-name: vcp-4/0/1.32768, State: Up, Expires in 59 secs Priority: 0, Up/Down transitions: 1, Last transition: 22:06:39 ago member1: -------------------------------------------------------------------------0000.4a75.9b7c interface-name: vcp-0/0.32768, State: Up, Expires in 59 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:38 ago 0000.73e9.9a57 interface-name: vcp-0/1.32768, State: Up, Expires in 58 secs Priority: 0, Up/Down transitions: 1, Last transition: 22:17:36 ago 0021.59f7.d000 interface-name: vcp-3/0/4.32768, State: Up, Expires in 58 secs Priority: 0, Up/Down transitions: 1, Last transition: 22:06:39 ago member8: -------------------------------------------------------------------------0000.73e9.9a57 interface-name: vcp-1/0.32768, State: Up, Expires in 58 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:38 ago 0021.59f7.d000 interface-name: vcp-1/1.32768, State: Up, Expires in 59 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:38 ago 0026.888d.6800 interface-name: vcp-1/2.32768, State: Up, Expires in 59 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:38 ago 0021.59f7.d000 interface-name: vcp-2/0.32768, State: Up, Expires in 57 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:38 ago member9: -------------------------------------------------------------------------0000.4a75.9b7c interface-name: vcp-1/0.32768, State: Up, Expires in 59 secs Priority: 0, Up/Down transitions: 1, Last transition: 19:26:38 ago 0026.888d.6800

1626



interface-name: vcp-1/1.32768, State: Up, Expires in 58 secs Priority: 0, Up/Down transitions: 1, Last transition: 22:17:36 ago


1627

®


show virtual-chassis protocol database Syntax


Options

show virtual-chassis protocol database

Command introduced in Junos OS Release 10.4 for EX Series switches. Display the Virtual Chassis Control Protocol (VCCP) database statistics for all hardware devices within the Virtual Chassis. none—Display VCCP database statistics in brief form for all members of the Virtual

Chassis. brief | detail | extensive—(Optional) Display the specified level of output. Using the brief

option is equivalent to entering the command with no options (the default). The detail option provides more output than the brief option. The extensive option provides all output and is most useful for customer support personnel. all-members—(Optional) Display VCCP database statistics in brief form for all members

of the Virtual Chassis. local—(Optional) Display VCCP database statistics for the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Display VCCP database statistics for the specified

member of the Virtual Chassis. Required Privilege Level Related Documentation List of Sample Output

Output Fields

clear

•


show virtual-chassis protocol database on page 1629 show virtual-chassis protocol database detail on page 1630 Table 183 on page 1628 lists the output fields for the show virtual-chassis protocol database command. Output fields are listed in the approximate order in which they appear.

Table 183: show virtual-chassis protocol database Output Fields Field Name

Field Description

Level of Output

LSP ID

Link-state protocol (LSP) data unit identifier.

All levels

Sequence

Sequence number of the LSP.

All levels

Checksum

Checksum value of the LSP.

All levels

1628



Table 183: show virtual-chassis protocol database Output Fields (continued) Field Name

Field Description

Level of Output

Lifetime

Remaining lifetime of the LSP, in seconds.

All levels

Neighbor

MAC address of the neighbor on the advertising system.

detail

Interface

Virtual Chassis port (VCP) interface name.

detail

Metric

Metric of the prefix or neighbor.

detail

The extensive output was omitted from this list. The extensive output is useful for customer support personnel only.

Sample Output show virtual-chassis protocol database

user@switch> show virtual-chassis protocol database member0: -------------------------------------------------------------------------LSP ID Sequence Checksum Lifetime 0000.4a75.9b7c.00-00 0x1dd80 0xc2e3 116 0000.73e9.9a57.00-00 0xf361 0x27e8 113 0021.59f7.d000.00-00 0x16882 0x3993 118 0026.888d.6800.00-00 0x1691f 0x82b7 116 4 LSPs member1: -------------------------------------------------------------------------LSP ID Sequence Checksum Lifetime 0000.4a75.9b7c.00-00 0x1dd80 0xc2e3 116 0000.73e9.9a57.00-00 0xf361 0x27e8 114 0021.59f7.d000.00-00 0x16883 0x289 116 0026.888d.6800.00-00 0x1691f 0x82b7 118 4 LSPs member8: -------------------------------------------------------------------------LSP ID Sequence Checksum Lifetime 0000.4a75.9b7c.00-00 0x1dd80 0xc2e3 118 0000.73e9.9a57.00-00 0xf361 0x27e8 114 0021.59f7.d000.00-00 0x16883 0x289 116 0026.888d.6800.00-00 0x16920 0xa335 116 4 LSPs member9: -------------------------------------------------------------------------LSP ID Sequence Checksum Lifetime 0000.4a75.9b7c.00-00 0x1dd80 0xc2e3 116 0000.73e9.9a57.00-00 0xf361 0x27e8 116 0021.59f7.d000.00-00 0x16883 0x289 114 0026.888d.6800.00-00 0x16920 0xa335 116 4 LSPs


1629

®


show virtual-chassis protocol database detail

user@switch> show virtual-chassis protocol database detail member0: -------------------------------------------------------------------------0000.4a75.9b7c.00-00 Sequence: 0x1ddbc, Checksum: 0x3111, Neighbor: 0000.73e9.9a57.00 Interface: vcp-1/0.32768 Neighbor: 0021.59f7.d000.00 Interface: vcp-1/1.32768 Neighbor: 0026.888d.6800.00 Interface: vcp-1/2.32768

Lifetime: 115 secs Metric: 150 Metric: 150 Metric: 150

0000.73e9.9a57.00-00 Sequence: 0xf381, Checksum: 0xe065, Lifetime: 114 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-1/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-1/1.32768 Metric: 150 0021.59f7.d000.00-00 Sequence: 0x168af, Checksum: 0x8b0b, Lifetime: 118 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-4/0/1.32768 Metric: 15 0026.888d.6800.00-00 Sequence: 0x1694e, Checksum: 0xca97, Lifetime: 115 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0000.73e9.9a57.00 Interface: vcp-0/1.32768 Metric: 150 Neighbor: 0021.59f7.d000.00 Interface: vcp-3/0/4.32768 Metric: 15 member1: -------------------------------------------------------------------------0000.4a75.9b7c.00-00 Sequence: 0x1ddbc, Checksum: 0x3111, Neighbor: 0000.73e9.9a57.00 Interface: vcp-1/0.32768 Neighbor: 0021.59f7.d000.00 Interface: vcp-1/1.32768 Neighbor: 0026.888d.6800.00 Interface: vcp-1/2.32768


0000.73e9.9a57.00-00 Sequence: 0xf381, Checksum: 0xe065, Lifetime: 116 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-1/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-1/1.32768 Metric: 150 0021.59f7.d000.00-00 Sequence: 0x168af, Checksum: 0x8b0b, Lifetime: 116 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-4/0/1.32768 Metric: 15 0026.888d.6800.00-00 Sequence: 0x1694e, Checksum: 0xca97, Lifetime: 117 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0000.73e9.9a57.00 Interface: vcp-0/1.32768 Metric: 150 Neighbor: 0021.59f7.d000.00 Interface: vcp-3/0/4.32768 Metric: 15 member8: -------------------------------------------------------------------------0000.4a75.9b7c.00-00 Sequence: 0x1ddbd, Checksum: 0xfd83, Neighbor: 0000.73e9.9a57.00 Interface: vcp-1/0.32768 Neighbor: 0021.59f7.d000.00 Interface: vcp-1/1.32768 Neighbor: 0026.888d.6800.00 Interface: vcp-1/2.32768


0000.73e9.9a57.00-00 Sequence: 0xf381, Checksum: 0xe065, Lifetime: 115 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-1/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-1/1.32768 Metric: 150 0021.59f7.d000.00-00 Sequence: 0x168af, Checksum: 0x8b0b, Lifetime: 116 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-4/0/1.32768 Metric: 15 0026.888d.6800.00-00 Sequence: 0x1694e, Checksum: 0xca97, Lifetime: 115 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150

1630



Neighbor: 0000.73e9.9a57.00 Neighbor: 0021.59f7.d000.00

Interface: vcp-0/1.32768 Metric: Interface: vcp-3/0/4.32768 Metric:

150 15

member9: -------------------------------------------------------------------------0000.4a75.9b7c.00-00 Sequence: 0x1ddbd, Checksum: 0xfd83, Neighbor: 0000.73e9.9a57.00 Interface: vcp-1/0.32768 Neighbor: 0021.59f7.d000.00 Interface: vcp-1/1.32768 Neighbor: 0026.888d.6800.00 Interface: vcp-1/2.32768


0000.73e9.9a57.00-00 Sequence: 0xf381, Checksum: 0xe065, Lifetime: 117 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-1/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-1/1.32768 Metric: 150 0021.59f7.d000.00-00 Sequence: 0x168af, Checksum: 0x8b0b, Lifetime: 113 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0026.888d.6800.00 Interface: vcp-4/0/1.32768 Metric: 15 0026.888d.6800.00-00 Sequence: 0x1694f, Checksum: 0xa61a, Lifetime: 116 secs Neighbor: 0000.4a75.9b7c.00 Interface: vcp-0/0.32768 Metric: 150 Neighbor: 0000.73e9.9a57.00 Interface: vcp-0/1.32768 Metric: 150 Neighbor: 0021.59f7.d000.00 Interface: vcp-3/0/4.32768 Metric: 15


1631

®


show virtual-chassis protocol interface Syntax


Options

show virtual-chassis protocol interface

Command introduced in Junos OS Release 10.4 for EX Series switches. Display information about Virtual Chassis Control Protocol (VCCP) statistics for VCCP-enabled interfaces within the Virtual Chassis. none—Display the VCCP interface statistics in brief form for all members of the Virtual

Chassis. brief | detail —(Optional) Display the specified level of output. Using the brief option is

equivalent to entering the command with no options (the default). The detail option provides more output than the brief option. all-members—(Optional) Display VCCP interface statistics for all members of the Virtual

Chassis. interface-name—(Optional) Display VCCP interface statistics for the specified interface. local—(Optional) Display VCCP interface statistics for the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Display VCCP interface statistics for the specified member

of the Virtual Chassis. Required Privilege Level Related Documentation


clear

•


•


•


show virtual-chassis protocol interface on page 1633 Table 184 on page 1632 lists the output fields for the show virtual-chassis protocol interface command. Output fields are listed in the approximate order in which they appear.

Table 184: show virtual-chassis protocol interface Output Fields Field Name

Field Description

Level of Output

Interface

Name of the VCP.

All levels

1632



Table 184: show virtual-chassis protocol interface Output Fields (continued) Field Name

Field Description

Level of Output

State

State of the link. Outputs include:

All levels

Metric

•

Up—The link is up.

•

Down—The link is down.


All levels

Sample Output show virtual-chassis protocol interface

user@switch> show virtual-chassis protocol interface member0: -------------------------------------------------------------------------IS-IS interface database: Interface State Metric vcp-0/0.32768 Up 150 vcp-0/1.32768 Up 150 vcp-4/0/1.32768 Up 15 vcp-4/0/7.32768 Down 15 member1: -------------------------------------------------------------------------IS-IS interface database: Interface State Metric vcp-0/0.32768 Up 150 vcp-0/1.32768 Up 150 vcp-3/0/4.32768 Up 15 member8: -------------------------------------------------------------------------IS-IS interface database: Interface State Metric vcp-0/0.32768 Down 150 vcp-1/0.32768 Up 150 vcp-1/1.32768 Up 150 vcp-1/2.32768 Up 150 vcp-1/3.32768 Down 150 vcp-2/0.32768 Up 150 vcp-2/1.32768 Down 150 vcp-2/2.32768 Down 150 vcp-2/3.32768 Down 150 member9: -------------------------------------------------------------------------IS-IS interface database: Interface State Metric vcp-0/0.32768 Down 150 vcp-1/0.32768 Up 150 vcp-1/1.32768 Up 150 vcp-1/2.32768 Down 150 vcp-1/3.32768 Down 150


1633

®


show virtual-chassis protocol route Syntax


Options

show virtual-chassis protocol route

Command introduced in Junos OS Release 10.4 for EX Series switches. Display the unicast and multicast Virtual Chassis Control Protocol (VCCP) routing tables within the Virtual Chassis. none—Display the unicast and multicast routing tables for all members of the Virtual

Chassis. all-members—(Optional) Display the unicast and multicast routing tables for all members

of the Virtual Chassis. destination-id—(Optional) Display the unicast and multicast routing tables to the specified

destination member ID for each member of the Virtual Chassis. local—(Optional) Display the unicast and multicast routing tables on the device where

this command is entered. member member-id—(Optional) Display the unicast and multicast routing tables for the

specified member of the Virtual Chassis. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•


show virtual-chassis protocol route on page 1635 Table 185 on page 1634 lists the output fields for the show virtual-chassis protocol route command. Output fields are listed in the approximate order in which they appear.

Table 185: show virtual-chassis protocol route Output Fields Field Name

Field Description

Dev

MAC address of the member storing the VCCP routing table.

Version

Version of the shortest-path-first algorithm that generated the routing table.

System ID

MAC address of the device.

Version

Version of the shortest-path-first (SPF) algorithm that generated the route.

1634



Table 185: show virtual-chassis protocol route Output Fields (continued) Field Name

Field Description

Metric

The metric number to get to that device.

Interface

Name of the Virtual Chassis port (VCP) interface connecting the devices.

Via

MAC address of the next-hop device, if applicable.

Sample Output show virtual-chassis protocol route

user@switch> show virtual-chassis protocol route member0: -------------------------------------------------------------------------Dev 0021.59f7.d000 ucast routing table Current version: 21 ---------------System ID Version Metric Interface Via 0000.4a75.9b7c 21 150 vcp-0/1.32768 0000.4a75.9b7c 0000.73e9.9a57 21 165 vcp-4/0/1.32768 0026.888d.6800 0021.59f7.d000 21 0 0026.888d.6800 21 15 vcp-4/0/1.32768 0026.888d.6800 Dev 0021.59f7.d000 mcast routing table Current version: 21 ---------------System ID Version Metric Interface Via 0000.4a75.9b7c 21 0000.73e9.9a57 21 0021.59f7.d000 21 vcp-4/0/1.32768 vcp-0/1.32768 0026.888d.6800 21 member1: -------------------------------------------------------------------------Dev 0026.888d.6800 ucast routing table Current version: 25 ---------------System ID Version Metric Interface Via 0000.4a75.9b7c 25 150 vcp-0/0.32768 0000.4a75.9b7c 0000.73e9.9a57 25 150 vcp-0/1.32768 0000.73e9.9a57 0021.59f7.d000 25 15 vcp-3/0/4.32768 0021.59f7.d000 0026.888d.6800 25 0 Dev 0026.888d.6800 mcast routing table Current version: 25 ---------------System ID Version Metric Interface Via 0000.4a75.9b7c 25 0000.73e9.9a57 25 vcp-3/0/4.32768 0021.59f7.d000 25 vcp-0/1.32768 0026.888d.6800 25 vcp-3/0/4.32768 vcp-0/0.32768 vcp-0/1.32768 member8: -------------------------------------------------------------------------Dev 0000.4a75.9b7c ucast routing table


Current version: 39

1635

®


---------------System ID 0000.4a75.9b7c 0000.73e9.9a57 0021.59f7.d000 0026.888d.6800

Version 39 39 39 39

Metric 0 150 150 150

Interface

Via

vcp-1/0.32768 0000.73e9.9a57 vcp-2/0.32768 0021.59f7.d000 vcp-1/2.32768 0026.888d.6800

Dev 0000.4a75.9b7c mcast routing table Current version: 39 ---------------System ID Version Metric Interface Via 0000.4a75.9b7c 39 vcp-1/0.32768 vcp-2/0.32768 vcp-1/2.32768 0000.73e9.9a57 39 0021.59f7.d000 39 0026.888d.6800 39 member9: -------------------------------------------------------------------------Dev 0000.73e9.9a57 ucast routing table ---------------System ID Version Metric Interface 0000.4a75.9b7c 31 150 vcp-1/0.32768 0000.73e9.9a57 31 0 0021.59f7.d000 31 165 vcp-1/1.32768 0026.888d.6800 31 150 vcp-1/1.32768

Current version: 31 Via 0000.4a75.9b7c 0026.888d.6800 0026.888d.6800

Dev 0000.73e9.9a57 mcast routing table Current version: 31 ---------------System ID Version Metric Interface Via 0000.4a75.9b7c 31 0000.73e9.9a57 31 vcp-1/0.32768 vcp-1/1.32768 0021.59f7.d000 31 0026.888d.6800 31

1636



show virtual-chassis protocol statistics Syntax


Options

show virtual-chassis protocol statistics

Command introduced in Junos OS Release 10.4 for EX Series switches. Display the Virtual Chassis Control Protocol (VCCP) statistics for all hardware devices within the Virtual Chassis. none—Display VCCP statistics for all members of the Virtual Chassis. all-members—(Optional) Display VCCP statistics for all members of the Virtual Chassis. interface-name—(Optional) Display VCCP statistics for the specified interface. local—(Optional) Display VCCP statistics for the switch or external Routing Engine on

which this command is entered. member member-id—(Optional) Display VCCP statistics for the specified member of the

Virtual Chassis. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•


show virtual-chassis protocol statistics on page 1638 Table 186 on page 1637 lists the output fields for the show virtual-chassis protocol interface command. Output fields are listed in the approximate order in which they appear.

Table 186: show virtual-chassis protocol statistics Output Fields Field Name

Field Description

PDU type

Protocol data unit type.

Received

Number of PDUs received since VCCP started or since the statistics were set to zero.

Processed

Number of PDUs received minus the number of PDUs dropped.

Drops

Number of PDUs dropped.

Sent

Number of PDUs transmitted since VCCP started or since the statistics were set to zero.

Rexmit

Number of PDUs retransmitted since VCCP started or since the statistics were set to zero.


1637

®


Table 186: show virtual-chassis protocol statistics Output Fields (continued) Field Name

Field Description

Total Packets Received

Number of PDUs received since VCCP started or since the statistics were set to zero.

Total Packets Sent

Number of PDUs sent since VCCP started or since the statistics were set to zero.

LSP queue length

Number of link-state PDUs waiting in the queue for processing. This value is almost always 0.

SPF runs

Number of shortest-path-first (SPF) calculations that have been performed.

Fragments Rebuilt

Number of link-state PDU fragments that the local system has computed.

LSP Regenerations

Number of link-state PDUs that have been regenerated. A link-state PDU is regenerated when it is nearing the end of its lifetime and it has not changed.

Purges initiated

Number of purges that the system initiated. A purge is initiated if the software determines that a link-state PDU must be removed from the network.

Sample Output show virtual-chassis protocol statistics

user@switch> show virtual-chassis protocol statistics member0: -------------------------------------------------------------------------IS-IS statistics for 0021.59f7.d000: PDU type Received Processed LSP 8166 8166 HELLO 1659 1659 CSNP 2 2 PSNP 1909 1909 Unknown 0 0 Totals 11736 11736

Drops 0 0 0 0 0 0

Sent 4551 1693 3 2293 0 8540

Rexmit 0 0 0 0 0 0

Total packets received: 11736 Sent: 8540 LSP queue length: 0 Drops: 0 SPF runs: 9 Fragments rebuilt: 1640 LSP regenerations: 1 Purges initiated: 0 member1: -------------------------------------------------------------------------IS-IS statistics for 0026.888d.6800: PDU type Received Processed LSP 10909 10909 HELLO 1877 1877 CSNP 3 3 PSNP 3846 3846 Unknown 0 0 Totals 16635 16635

Drops 0 0 0 0 0 0

Sent 12088 2251 3 3732 0 18074

Rexmit 0 0 0 0 0 0

Total packets received: 16635 Sent: 18074

1638



LSP queue length: 0 Drops: 0 SPF runs: 13 Fragments rebuilt: 1871 LSP regenerations: 2 Purges initiated: 0 member8: -------------------------------------------------------------------------IS-IS statistics for 0000.4a75.9b7c: PDU type Received Processed LSP 7935 7935 HELLO 2695 2695 CSNP 4 4 PSNP 4398 4398 Unknown 0 0 Totals 15032 15032

Drops 0 0 0 0 0 0

Sent 14865 7124 4 3666 0 25659

Rexmit 0 0 0 0 0 0

Total packets received: 15032 Sent: 25659 LSP queue length: 0 Drops: 0 SPF runs: 26 Fragments rebuilt: 2666 LSP regenerations: 4 Purges initiated: 0 member9: -------------------------------------------------------------------------IS-IS statistics for 0000.73e9.9a57: PDU type Received Processed LSP 10800 10800 HELLO 1492 1492 CSNP 2 2 PSNP 2683 2683 Unknown 0 0 Totals 14977 14977

Drops 0 0 0 0 0 0

Sent 6327 2356 2 3149 0 11834

Rexmit 0 0 0 0 0 0

Total packets received: 14977 Sent: 11834 LSP queue length: 0 Drops: 0 SPF runs: 19 Fragments rebuilt: 1510 LSP regenerations: 6 Purges initiated: 0


1639

®


show virtual-chassis status Syntax

show virtual-chassis status

Release Information

Command introduced in Junos OS Release 9.0 for EX Series switches. Location field introduced in Junos OS Release 11.1 for EX Series switches. Mixed Mode field introduced in Junos OS Release 11.2 for EX Series switches.

Description

Display information about all members of the Virtual Chassis configuration.



Output Fields

view

•


•


show virtual-chassis status (EX4200 Virtual Chassis) on page 1641 show virtual-chassis status (EX8200 Virtual Chassis) on page 1642 Table 169 on page 1519 lists the output fields for the show virtual-chassis status command. Output fields are listed in the approximate order in which they appear.

Table 187: show virtual-chassis status Output Fields Field Name

Field Description

Virtual Chassis ID

Assigned ID that applies to the entire Virtual Chassis configuration.

Member ID

Assigned member ID and FPC slot (from 0 through 9).

Status

For a nonprovisioned configuration: •

Prsnt for a member that is currently connected to the Virtual Chassis configuration

•

NotPrsnt for a member ID that has been assigned but is not currently connected

For a preprovisioned configuration: •

Prsnt for a member that is specified in the preprovisioned configuration file and is

currently connected to the Virtual Chassis configuration •

Unprvsnd for a member that is interconnected with the Virtual Chassis configuration,

but is not specified in the preprovisioned configuration file

1640

Serial No

Serial number of the member switch or external Routing Engine

Model

Model number of the member switch

Mastership Priority

Mastership priority value of the member switch

Role

Role of the member switch



Table 187: show virtual-chassis status Output Fields (continued) Field Name

Field Description

Mixed Mode

Mixed mode configuration status •

Y for a member switch configured in mixed mode.

•

N for a member switch not configured in mixed mode.

•

NA for a member switch that cannot be configured in mixed mode.

Location of the member device

Location

If this field is empty, the location field was not set for the device. Neighbor List

Member ID of the neighbor member to which this member’s VCP is connected.


user@switch> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Mastership List Member ID Interface 0 (FPC 0)

1 (FPC 1)

2 (FPC 2)

3 (FPC 3)

4 (FPC 4)

5 (FPC 5)

6 (FPC 6)

7 (FPC 7)

8 (FPC 8)


Status Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Prsnt

Serial No

Model

AK0207360276 ex4200-24t

AK0207360281 ex4200-24t

AJ0207391130 ex4200-48p

AK0207360280 ex4200-24t

AJ0207391113 ex4200-48p

BP0207452204 ex4200-48t

BP0207452222 ex4200-48t

BR0207432028 ex4200-24f

BR0207431996 ex4200-24f

priority 249

248

247

246

245

244

243

242

241

Mixed Role

Mode

Master*

N

Backup

Linecard

Linecard

Linecard

Linecard

Linecard

Linecard

Linecard

N

N

N

N

N

N

N

N

Neighbor ID 8

vcp-0

1

vcp-1

0

vcp-0

2

vcp-1

1

vcp-0

3

vcp-1

2

vcp-0

4

vcp-1

3

vcp-0

5

vcp-1

4

vcp-0

6

vcp-1

5

vcp-0

7

vcp-1

6

vcp-0

8

vcp-1

7

vcp-0

1641

®


0

vcp-1



user@external-routing-engine> show virtual-chassis status Virtual Chassis ID: c806.0842.de51 Mastership List Member ID 0 (FPC 0-15)

Status Prsnt

Serial No Model BA0908380001 ex8216

priority 0

Neighbor Role ID Interface Linecard 8 vcp-0/0 8

1 (FPC 16-31)

Prsnt

BT0909411634 ex8208

0

8 (FPC 128-143) Prsnt

062009000021 ex-xre

128

9 (FPC 144-159) Prsnt

1642

062009000022 ex-xre

128

1

vcp-4/0/4 8 vcp-0/0

0

vcp-3/0/4 9 vcp-1/0

Linecard

Master

Backup*

vcp-0/1

1

vcp-1/2

9

vcp-1/3

0

vcp-2/0

9

vcp-2/1

0 8

vcp-1/1 vcp-1/0

8

vcp-1/2

8

vcp-1/3



show virtual-chassis vc-path Syntax


Options

show virtual-chassis vc-path source-interface interface-name destination-interface interface-name

Command introduced in Junos OS Release 9.6 for EX Series switches. Show the path a packet takes when going from a source interface to a destination interface in a Virtual Chassis configuration. source-interface interface-name—Name of the interface from which the packet originates destination-interface interface-name—Name of the interface to which the packet is

delivered Required Privilege Level Related Documentation


view

•


•


•


show virtual-chassis vc-path source-interface destination-interface on page 1644 Table 170 on page 1522 lists the output fields for the show virtual-chassis vc-path command. Output fields are listed in the approximate order in which they appear.

Table 188: show virtual-chassis vc-path Output Fields Field Name

Field Description

Hop

The number of hops between the source and destination interfaces.

Member

The Virtual Chassis ID of the member switch that contains the Packet Forwarding Engine for each intermediate hop.

PFE-Device

The number of the Packet Forwarding Engine in each Virtual Chassis member through which a packet passes. Each Packet Forwarding Engine is the next hop of the preceding Packet Forwarding Engine.

Interface

The name of the interface through which the Packet Forwarding Engines are connected. The interface for the first hop is always the source interface and the interface for the last hop is always the destination interface. For intermediate hops, the Interface field denotes the Packet Forwarding Engines through which the packet passes on its way to the next hop.


1643

®


Sample Output show virtual-chassis vc-path source-interface destination-interface

1644

user@switch> show virtual-chassis vc-path source-interface ge-0/0/0 destination-interface ge-1/0/1 vc-path from ge-0/0/0 to ge-1/0/1 Hop Member PFE-Device Interface 0 0 1 ge-0/0/0 1 0 0 internal-1/24 2 1 3 vcp-0 3 1 4 ge-1/0/1



show virtual-chassis vc-port Syntax


Options

show virtual-chassis vc-port

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the status of the Virtual Chassis ports (VCPs), including both the dedicated VCPs and the uplink ports configured as VCPs. none—Display the operational status of all VCPs of the member switch where the

command is issued. all-members—(Optional) Display the operational status of all VCPs on all members of

the Virtual Chassis configuration. local—(Optional) Display the operational status of the switch or external Routing Engine

on which this command is entered. member member-id—(Optional) Display the operational status of all VCPs for the specified



Output Fields

view

•


•


•


show virtual-chassis vc-port (EX4200 Virtual Chassis) on page 1646 show virtual-chassis vc-port (EX8200 Virtual Chassis) on page 1647 show virtual-chassis vc-port all-members on page 1648 Table 171 on page 1524 lists the output fields for the show virtual-chassis vc-port command. Output fields are listed in the approximate order in which they appear.

Table 189: show virtual-chassis vc-port Output Fields Field Name

Field Description

fpcnumber

The FPC number is the same as the member ID.


1645

®


Table 189: show virtual-chassis vc-port Output Fields (continued) Field Name

Field Description

Interface or PIC/Port

VCP name.

Type

•

The dedicated VCPs in an EX4200 or EX4500 Virtual Chassis are vcp-0 and vcp-1.

•

The uplink module ports set as VCPs in an EX4200 Virtual Chassis are named 1/0 and 1/1, representing the PIC number and the port number.

•

The native VCP (port 0) on an XRE200 External Routing Engine in an EX8200 Virtual Chassis is named vcp-0.

•

The VCPs on each Virtual Chassis Control Interface (VCCI) module in an XRE200 External Routing Engine are named using the vcp-slot-number/port-number convention; for instance, vcp-1/0.

•

The VCPs on EX8200 member switches are named using the vcp-slot-number/pic-number/interface-number convention; for instance, vcp-3/0/2.

Type of VCP: •

Dedicated—The rear panel VCP on an EX4200 or EX4500 switch. or any VCP link connected to an

XRE200 External Routing Engine in an EX8200 Virtual Chassis. •

Configured—Uplink port configured as a VCP in an EX4200 or EX4500 Virtual Chassis or an SFP+

link between two EX8200 switches configured as a VCP in an EX8200 Virtual Chassis. •

Auto-Configured—Uplink port autoconfigured as a VCP in an EX4200 or EX4500 Virtual Chassis.

See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434 or “Setting a 10-Gigabit Ethernet Port as a Virtual Chassis Port in an EX8200 Virtual Chassis (CLI Procedure)” on page 1567 for information about configuring VCPs. Trunk ID

A positive-number ID assigned to a link aggregation group (LAG) formed by the Virtual Chassis. The trunk ID value is –1 if no trunk is formed. A LAG between uplink VCPs requires that the link speed be the same on connected interfaces and that at least two VCPs on one member be connected to at least two VCPs on the other member in an EX4200 or EX4500 Virtual Chassis. Dedicated VCP LAGs are assigned trunk IDs 1 and 2. Trunk IDs for LAGs formed with uplink VCPs therefore have values of 3 or greater. The trunk ID value changes if the link-adjacency state between LAG members changes; trunk membership is then allocated or deallocated.

Status

Interface status: •

absent—Interface is not a VCP link.

•

down—VCP link is down.

•

up—VCP link is up.

Speed (mbps)

Speed of the interface in megabits per second.

Neighbor ID/Interface

The Virtual Chassis member ID and interface of a VCP on a member that is connected to the interface or PIC/Port field in the same row as this interface.

Sample Output show virtual-chassis vc-port (EX4200 Virtual Chassis)

1646

user@switch> show virtual-chassis vc-port fpc0: -------------------------------------------------------------------------–



Interface or PIC / Port vcp-0 vcp-1 1/0 1/0

show virtual-chassis vc-port (EX8200 Virtual Chassis)

Type

Dedicated Dedicated Auto-Configured Auto-Configured

Trunk ID 1 2 3 3

Status

Speed (mbps)


Up Up Up Up

32000 32000 1000 1000

1 0 2 2

vcp-1 vcp-0 vcp-255/1/0 vcp-255/1/1

user@external-routing-engine> show virtual-chassis vc-port member0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Up 1000 8 vcp-1/1 vcp-0/1 Dedicated -1 Up 1000 8 vcp-2/0 4/0/4 Configured -1 Up 10000 1 vcp-3/0/4 4/0/7 Configured -1 Down 10000 4/0/3 Configured Absent 4/0/2 Configured Absent 4/0/5 Configured Absent 4/0/6 Configured Absent 4/0/1 Configured Absent 4/0/0 Configured Absent member1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Up 1000 8 vcp-1/2 3/0/0 Configured -1 Down 10000 3/0/1 Configured -1 Down 10000 3/0/4 Configured -1 Up 10000 0 vcp-4/0/4 3/0/5 Configured Absent 4/0/5 Configured Absent 4/0/4 Configured Absent member8: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Down 1000 vcp-1/0 Dedicated -1 Up 1000 9 vcp-1/0 vcp-1/1 Dedicated -1 Up 1000 0 vcp-0/0 vcp-1/2 Dedicated -1 Up 1000 1 vcp-0/0 vcp-1/3 Dedicated -1 Up 1000 9 vcp-1/3 vcp-2/0 Dedicated -1 Up 1000 0 vcp-0/1 vcp-2/1 Dedicated -1 Up 1000 9 vcp-1/2 vcp-2/2 Dedicated -1 Down 1000 vcp-2/3 Dedicated -1 Down 1000 member9: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface Slot/PIC/Port vcp-0/0 Dedicated -1 Disabled 1000 vcp-1/0 Dedicated -1 Up 1000 8 vcp-1/0 vcp-1/1 Dedicated -1 Down 1000


1647

®


vcp-1/2 vcp-1/3

show virtual-chassis vc-port all-members

Dedicated Dedicated

-1 -1

Up Up

1000 1000

8 8

vcp-2/1 vcp-1/3

user@switch> show virtual-chassis vc-port all-members

fpc0: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 1 vcp-1 vcp-1 Dedicated 2 Up 32000 0 vcp-0 1/0 Auto-Configured 3 Up 1000 2 vcp-255/1/0 1/1 Auto-Configured 3 Up 1000 2 vcp-255/1/1 fpc1: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 0 vcp-1 vcp-1 Dedicated 2 Up 32000 0 vcp-0 1/0 Auto-Configured —1 Up 1000 3 vcp-255/1/0 fpc2: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 3 vcp-1 vcp-1 Dedicated 2 Up 32000 3 vcp-0 1/0 Auto-Configured 3 Up 1000 0 vcp-255/1/0 1/1 Auto-Configured 3 Up 1000 0 vcp-255/1/1 fpc3: -------------------------------------------------------------------------Interface Type Trunk Status Speed Neighbor or ID (mbps) ID Interface PIC / Port vcp-0 Dedicated 1 Up 32000 2 vcp-0 vcp-1 Dedicated 2 Up 32000 2 vcp-1 1/0 Auto-Configured —1 Up 1000 1 vcp-255/1/0

1648



show virtual-chassis vc-port statistics Syntax

Release Information

Description Options

show virtual-chassis vc-port statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. The options all-members, brief, detail, extensive, and local were added in Junos OS Release 9.3 for EX Series switches. Display the traffic statistics collected on Virtual Chassis ports (VCPs). none—Display traffic statistics for VCPs of all members of a Virtual Chassis configuration. brief | detail | extensive—(Optional) Display the specified level of output. Using the brief

option is equivalent to entering the command with no options (the default). The detail and extensive options provide identical displays. all-members—(Optional) Display traffic statistics for VCPs of all members of a Virtual

Chassis configuration. interface-name—(Optional) Display traffic statistics for the specified VCP. local—(Optional) Display traffic statistics for VCPs on the switch or external Routing

Engine on which this command is entered. member member-id—(Optional) Display traffic statistics for VCPs on the specified member



Output Fields

view

•


•


•


•


show virtual-chassis vc-port statistics on page 1652 show virtual-chassis vc-port statistics (EX8200 Virtual Chassis) on page 1652 show virtual-chassis vc-port statistics brief on page 1653 show virtual-chassis vc-port statistics extensive on page 1653 show virtual-chassis vc-port statistics member 0 on page 1654 Table 172 on page 1529 lists the output fields for the show virtual-chassis vc-port statistics command. Output fields are listed in the approximate order in which they appear.


1649

®


Table 190: show virtual-chassis vc-port statistics Output Fields Field Name

Field Description

Level of Output

fpcnumber

(EX4200, EX4500, and mixed EX4200 and EX4500 Virtual Chassis only) ID of the Virtual Chassis member. The FPC number is the same as the member ID.

All levels

member number

(EX8200 Virtual Chassis only) Member ID of the Virtual Chassis member.

All levels

Interface

VCP name.

brief

Input Octets/Packets

Number of octets and packets received on the VCP.

brief, member, none

Output Octets/Packets

Number of octets and packets transmitted on the VCP.

brief, member, none

master: number

Member ID of the Virtual Chassis master.

All levels

Port

VCP for which RX (Receive) statistics,TX (Transmit) statistics, or both are reported by the VCP subsystem during a sampling interval—since the statistics counter was last cleared.

detail, extensive

Total octets

Total number of octets received and transmitted on the VCP.

detail, extensive

Total packets

Total number of packets received and transmitted on the VCP.

detail, extensive

Unicast packets

Number of unicast packets received and transmitted on the VCP.

detail, extensive

Broadcast packets

Number of broadcast packets received and transmitted on the VCP.

detail, extensive

Multicast packets

Number of multicast packets received and transmitted on the VCP.

detail, extensive

MAC control frames

Number of media access control (MAC) control frames received and transmitted on the VCP.

detail, extensive

CRC alignment errors

Number of packets received on the VCP that had a length—excluding framing bits, but including frame check sequence (FCS) octets—of between 64 and 1518 octets, inclusive, and had one of the following errors:

detail, extensive

1650

•

Invalid FCS with an integral number of octets (FCS error)

•

Invalid FCS with a nonintegral number of octets (alignment error)




Field Description

Level of Output

Oversize packets

Number of packets received on the VCP that were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed.

detail, extensive

Undersize packets

Number of packets received on the VCP that were shorter than 64 octets (excluding framing bits but including FCS octets) and were otherwise well formed..

detail, extensive

Jabber packets

Number of packets received on the VCP that were longer than 1518 octets—excluding framing bits, but including FCS octets—and that had either an FCS error or an alignment error.

detail, extensive

NOTE: This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10Base5) and section 10.3.1.4 (10Base2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is between 20 ms and 150 ms. Fragments received

Number of packets received on the VCP that were shorter than 64 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error.

detail, extensive

Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted. Ifout errors

Number of outbound packets received on the VCP that could not be transmitted because of errors.

detail, extensive

Packet drop events

Number of outbound packets received on the VCP that were dropped, rather than being encapsulated and sent out of the switch as fragments. The packet drop counter is incremented if a temporary shortage of packet memory causes packet fragmentation to fail.

detail, extensive

64 octets frames

Number of packets received on the VCP (including invalid packets) that were 64 octets in length (excluding framing bits, but including FCS octets).

detail, extensive



detail, extensive



detail, extensive


1651

®



Field Description

Level of Output



detail, extensive



detail, extensive



detail, extensive

Rate packets per second

Number of packets per second received and transmitted on the VCP.

detail, extensive

Rate bytes per second

Number of bytes per second received and transmitted on the VCP.

detail, extensive

Sample Output show virtual-chassis vc-port statistics

user@switch> show virtual-chassis vc-port statistics fpc0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets internal-0/24 0 / 0 0 / 0 internal-0/25 0 / 0 0 / 0 internal-1/26 0 / 0 0 / 0 internal-1/27 0 / 0 0 / 0 vcp-0 0 / 0 0 / 0 vcp-1 0 / 0 0 / 0 internal-0/26 0 / 0 0 / 0 internal-0/27 0 / 0 0 / 0 internal-1/24 0 / 0 0 / 0 internal-1/25 0 / 0 0 / 0 {master:0}

show virtual-chassis vc-port statistics (EX8200 Virtual Chassis)

user@external-routing-engine> show virtual-chassis vc-port statistics member0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets vcp-4/0/4 43171238 / 48152 47687133 / 51891 vcp-4/0/7 0 / 0 0 / 0 member1: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets vcp-3/0/0 0 / 0 0 / 0 vcp-3/0/1 0 / 0 0 / 0 vcp-3/0/4 47695376 / 51899 43180556 / 48160

1652



member8: -------------------------------------------------------------------------member9: --------------------------------------------------------------------------

show virtual-chassis vc-port statistics brief

user@switch> show virtual-chassis vc-port statistics brief fpc0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets internal-0/24 0 / 0 0 / 0 internal-0/25 0 / 0 0 / 0 internal-1/26 0 / 0 0 / 0 internal-1/27 0 / 0 0 / 0 vcp-0 0 / 0 0 / 0 vcp-1 0 / 0 0 / 0 internal-0/26 0 / 0 0 / 0 internal-0/27 0 / 0 0 / 0 internal-1/24 0 / 0 0 / 0 internal-1/25 0 / 0 0 / 0 {master:0}

show virtual-chassis vc-port statistics extensive

user@switch> show virtual-chassis vc-port statistics extensive fpc0: --------------------------------------------------------------------------

Port: internal-0/24 Total octets: Total packets: Unicast packets: Broadcast packets: Multicast packets: MAC control frames: CRC alignment errors: Oversize packets: Undersize packets: Jabber packets: Fragments received: Ifout errors: Packet drop events: 64 octets frames: 65-127 octets frames: 128-255 octets frames: 256-511 octets frames: 512-1023 octets frames: 1024-1518 octets frames: Rate packets per second: Rate bytes per second:

RX

TX

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0

0 0 0 0 0

0 0

... Port: vcp-0 Total octets: Total packets: Unicast packets: Broadcast packets: Multicast packets:


1653

®


MAC control frames: CRC alignment errors: Oversize packets: Undersize packets: Jabber packets: Fragments received: Ifout errors: Packet drop events: 64 octets frames: 65-127 octets frames: 128-255 octets frames: 256-511 octets frames: 512-1023 octets frames: 1024-1518 octets frames: Rate packets per second: Rate bytes per second:

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0

Port: vcp-1 Total octets: Total packets: Unicast packets: Broadcast packets: Multicast packets: MAC control frames: CRC alignment errors: Oversize packets: Undersize packets: Jabber packets: Fragments received: Ifout errors: Packet drop events: 64 octets frames: 65-127 octets frames: 128-255 octets frames: 256-511 octets frames: 512-1023 octets frames: 1024-1518 octets frames: Rate packets per second: Rate bytes per second:

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0

0 0

0 0

... {master:0}

show virtual-chassis vc-port statistics member 0

1654

user@switch>show virtual-chassis vc-port statistics member 0 fpc0: -------------------------------------------------------------------------Interface Input Octets/Packets Output Octets/Packets internal-0/24 0 / 0 0 / 0 internal-0/25 0 / 0 0 / 0 internal-1/26 0 / 0 0 / 0 internal-1/27 0 / 0 0 / 0 vcp-0 0 / 0 0 / 0 vcp-1 0 / 0 0 / 0 internal-0/26 0 / 0 0 / 0 internal-0/27 0 / 0 0 / 0 internal-1/24 0 / 0 0 / 0 internal-1/25 0 / 0 0 / 0



{master:0}


1655

®


1656


PART 12

High Availability •

High Availability—Overview on page 1659

•

Examples of High Availability Configuration on page 1681

•

Configuring High Availability on page 1687

•

Administering High Availability on page 1697

•

Configuration Statements for High Availability on page 1717

•

Operational Commands for High Availability on page 1743


1657

®


1658


CHAPTER 50

High Availability—Overview •


•


•


•


•


•

Understanding Power Management on EX Series Switches on page 1673

High Availability Features for EX Series Switches Overview High availability refers to the hardware and software components that provide redundancy and reliability for packet-based communications. This topic covers the following high availability features of Juniper Networks EX Series Ethernet Switches: •

VRRP on page 1659

•

Graceful Protocol Restart on page 1660

•

Redundant Routing Engines on page 1660

•

Virtual Chassis on page 1661

•

Graceful Routing Engine Switchover on page 1661

•

Link Aggregation on page 1661

•

Nonstop Active Routing on page 1662

•

Nonstop Software Upgrade on page 1662

•

Redundant Power System on page 1662

VRRP You can configure Virtual Router Redundancy Protocol (VRRP) for IP and IPv6 on Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces on the switches. When VRRP is configured, the switches act as virtual routing platforms. VRRP enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. The VRRP routing platforms share the IP address corresponding to the default route configured on the hosts. At any time, one of the VRRP routing platforms is the master (active) and the others are backups. If the master routing platform fails, one of the backup routing


1659

®


platforms becomes the new master, providing a virtual default routing platform and enabling traffic on the LAN to be routed without relying on a single routing platform. Using VRRP, a backup switch can take over a failed default switch within a few seconds. This is done with minimum loss of VRRP traffic and without any interaction with the hosts.

Graceful Protocol Restart With standard implementations of routing protocols, any service interruption requires an affected switch to recalculate adjacencies with neighboring switches, restore routing table entries, and update other protocol-specific information. An unprotected restart of a switch can result in forwarding delays, route flapping, wait times stemming from protocol reconvergence, and even dropped packets. Graceful protocol restart allows a restarting switch and its neighbors to continue forwarding packets without disrupting network performance. Because neighboring switches assist in the restart (these neighbors are called helper switches), the restarting switch can quickly resume full operation without recalculating algorithms from scratch. On the switches, graceful protocol restart can be applied to aggregate and static routes and for routing protocols (BGP, IS-IS, OSPF, and RIP). Graceful protocol restart works similarly for the different routing protocols. The main benefits of graceful protocol restart are uninterrupted packet forwarding and temporary suppression of all routing protocol updates. Graceful protocol restart thus allows a switch to pass through intermediate convergence states that are hidden from the rest of the network. Most graceful restart implementations define two types of switches—the restarting switch and the helper switch. The restarting switch requires rapid restoration of forwarding state information so that it can resume the forwarding of network traffic. The helper switch assists the restarting switch in this process. Individual graceful restart configuration statements typically apply to either the restarting switch or the helper switch.

Redundant Routing Engines Redundant Routing Engines are two Routing Engines that are installed in a switch or a Virtual Chassis. When a switch has two Routing Engines, one functions as the master, while the other stands by as a backup should the master Routing Engine fail. When a Virtual Chassis has two Routing Engines, the switch in the master role functions as the master Routing Engine and the switch in the backup role functions as the backup Routing Engine. Redundant Routing Engines are supported on Juniper Networks EX6200 Ethernet Switches, Juniper Networks EX8200 Ethernet Switches, and on all EX Series Virtual Chassis configurations. The master Routing Engine receives and transmits routing information, builds and maintains routing tables, communicates with interfaces and Packet Forwarding Engine components of the switch, and has full control over the control plane of the switch. The backup Routing Engine stays in sync with the master Routing Engine in terms of protocol states, forwarding tables, and so forth. If the master becomes unavailable, the backup Routing Engine takes over the functions that the master Routing Engine performs.

1660


Chapter 50: High Availability—Overview

Network reconvergence takes place more quickly on switches and on Virtual Chassis with redundant Routing Engines than on switches and on Virtual Chassis with a single Routing Engine.

Virtual Chassis A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop prevention protocols such as Spanning Tree Protocol (STP). A Virtual Chassis improves high availability by introducing a variety of failover mechanisms; if a member switch, a line card, or an interface fails on a switch that is a member of a Virtual Chassis, for instance, traffic to that switch, line card, or interface can be rerouted within the Virtual Chassis. Juniper Networks EX3300 Ethernet Switches, Juniper Networks EX4200 Ethernet Switches, Juniper Networks EX4500 Ethernet Switches, or EX8200 switches can form a Virtual Chassis. An EX4200 switch and an EX4500 switch can be connected together to form a mixed EX4200 and EX4500 Virtual Chassis.

Graceful Routing Engine Switchover You can configure graceful Routing Engine switchover (GRES) on a switch with redundant Routing Engines or on a Virtual Chassis, allowing control to switch from the master Routing Engine to the backup Routing Engine with minimal interruption to network communications. When you configure graceful Routing Engine switchover, the backup Routing Engine automatically synchronizes with the master Routing Engine to preserve kernel state information and forwarding state. Any updates to the master Routing Engine are replicated to the backup Routing Engine as soon as they occur. If the kernel on the master Routing Engine stops operating, the master Routing Engine experiences a hardware failure, or the administrator initiates a manual switchover, mastership switches to the backup Routing Engine. When the backup Routing Engine assumes mastership in a redundant failover configuration (that is, when graceful Routing Engine switchover is not enabled), the Packet Forwarding Engines initialize their state to the boot state before they connect to the new master Routing Engine. In contrast, in a graceful switchover configuration, the Packet Forwarding Engines do not reinitialize their state, but resynchronize their state to that of the new master Routing Engine. The interruption to traffic is minimal.

Link Aggregation You can combine multiple physical Ethernet ports to form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one of the links should fail, the system automatically load-balances traffic across all remaining links. In a Virtual Chassis, LAGs can be used to load-balance network traffic between member switches.


1661

®


The number of Ethernet interfaces you can include in a LAG and the number of LAGs you can configure on a switch depend on the switch model. For information on LAGs, see “Understanding Aggregated Ethernet Interfaces and LACP” on page 1774.

Nonstop Active Routing Nonstop active routing (NSR) provides high availability in a switch with redundant Routing Engines by enabling transparent switchover of the Routing Engines without requiring restart of supported routing protocols. Both Routing Engines are fully active in processing protocol sessions, and so each can take over for the other. The switchover is transparent to neighbor routing devices, which do not detect that a change has occurred. To use nonstop active routing, you must also configure graceful Routing Engine switchover.

Nonstop Software Upgrade Nonstop software upgrade (NSSU) allows you to upgrade the software on a switch with dual Routing Engines or on a Virtual Chassis in an automated manner with minimal traffic disruption. NSSU takes advantage of graceful Routing Engine switchover and nonstop active routing to enable upgrading the Junos OS version with no disruption to the control plane. In addition, NSSU minimizes traffic disruption by: •


•


By configuring LAGs such that the member links reside on different line cards or Virtual Chassis members, you can achieve minimal traffic disruption when performing an NSSU.

Redundant Power System Most Juniper Networks Ethernet Switches have a built-in capability for redundant power supplies—therefore if one power supply fails on those switches, the other power supply takes over. However, EX2200 switches and EX3300 switches have only one internal fixed power supply. If an EX2200 switch or EX3300 switch is deployed in a critical situation, we recommend that you connect a Redundant Power System (RPS) to that switch to supply backup power if the internal power supply fails. RPS is not a primary power supply—it only provides backup power to switches when the single dedicated power supply fails. An RPS operates in parallel with the single dedicated power supplies of the switches connected to it and provides all connected switches enough power to support either power over Ethernet (PoE) or non-PoE devices. For more information on RPS, see EX Series Redundant Power System Hardware Overview. Related Documentation

1662

•

For more information on high availability features, see the Junos OS High Availability Configuration Guide.

•


•


•




•


•


•


•


Understanding VRRP on EX Series Switches Juniper Networks EX Series Ethernet Switches support the Virtual Router Redundancy Protocol (VRRP) and VRRP for IPv6. This topic covers: •

Overview of VRRP on EX Series Switches on page 1663

•

Examples of VRRP Topologies on page 1664

Overview of VRRP on EX Series Switches You can configure the Virtual Router Redundancy Protocol (VRRP) or VRRP for IPv6 on Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces on EX Series switches. When VRRP is configured, the switches act as virtual routing platforms. VRRP enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. The VRRP routing platforms share the IP address corresponding to the default route configured on the hosts. At any time, one of the VRRP routing platforms is the master (active) and the others are backups. If the master routing platform fails, one of the backup routing platforms becomes the new master, providing a virtual default routing platform and enabling traffic on the LAN to be routed without relying on a single routing platform. Using VRRP, a backup EX Series switch can take over a failed default switch within a few seconds. This is done with minimum loss of VRRP traffic and without any interaction with the hosts. Virtual Router Redundancy Protocol is not supported on management interfaces. VRRP for IPv6 provides a much faster switchover to an alternate default routing platform than IPv6 Neighbor Discovery (ND) procedures. VRRP for IPv6 does not support the authentication-type or authentication-key statements.

NOTE: Do not confuse the VRRP master and backup routing platforms with the master and backup member switches of a Virtual Chassis configuration. The master and backup members of a Virtual Chassis configuration compose a single host. In a VRRP topology, one host operates as the master routing platform and another operates as the backup routing platform, as shown in Figure 47 on page 1665.

Switches running VRRP dynamically elect master and backup routing platforms. You can also force assignment of master and backup routing platforms using priorities from 1 through 255, with 255 being the highest priority. In VRRP operation, the default master routing platform sends advertisements to backup routing platforms at regular intervals. The default interval is 1 second. If the backup routing platforms do not receive an


1663

®


advertisement for a set period, the backup routing platform with the highest priority takes over as master and begins forwarding packets.

NOTE: Priority 255 cannot be set for routed VLAN interfaces (RVIs).

VRRP is defined in RFC 3768, Virtual Router Redundancy Protocol.

Examples of VRRP Topologies Figure 46 on page 1664 illustrates a basic VRRP topology with EX Series switches. In this example, Switches A, B, and C are running VRRP and together they make up a virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1 (the same address as the physical interface of Switch A).

Figure 46: Basic VRRP on EX Series Switches

Figure 47 on page 1665 illustrates a basic VRRP topology using Virtual Chassis configurations. Switch A, Switch B, and Switch C are each composed of multiple interconnected Juniper Networks EX4200 Ethernet Switches. Each Virtual Chassis configuration operates as a single switch, which is running VRRP, and together they make up a virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1 (the same address as the physical interface of Switch A).

1664



Figure 47: VRRP on Virtual Chassis Switches

Because the virtual routing platform uses the IP address of the physical interface of Switch A, Switch A is the master VRRP routing platform, while Switch B and Switch C function as backup VRRP routing platforms. Clients 1 through 3 are configured with the default gateway IP address of 10.10.0.1 as the master router, Switch A, forwards packets sent to its IP address. If the master routing platform fails, the switch configured with the higher priority becomes the master virtual routing platform and provides uninterrupted service for the LAN hosts. When Switch A recovers, it becomes the master virtual routing platform again. Related Documentation

•

For more information on VRRP or VRRP for IPv6, see the Junos OS High Availability Configuration Guide.

•


•

Configuring VRRP for IPv6 (CLI Procedure) on page 1687


1665

®


Understanding Nonstop Active Routing on EX Series Switches You can configure nonstop active routing (NSR) on an EX Series switch with redundant Routing Engines to enable the transparent switchover of the Routing Engines in the event that one of the Routing Engines goes down. Nonstop active routing provides high availability for Routing Engines by enabling transparent switchover of the Routing Engines without requiring restart of supported routing protocols. Both Routing Engines are fully active in processing protocol sessions, and so each can take over for the other. The switchover is transparent to neighbor routing devices, which do not detect that a change has occurred. Enable nonstop active routing when neighbor routing devices are not configured to support graceful restart of protocols or when you want to ensure graceful restart of protocols for which graceful restart is not supported (such as PIM). You do not need to start the two Routing Engines simultaneously to synchronize them for nonstop active routing. If both Routing Engines are not present or not up when you issue a commit synchronize statement, the candidate configuration is committed in the master Routing Engine and when the backup Routing Engine is inserted or comes online, its configuration is automatically synchronized with that of the master. Nonstop active routing uses the same infrastructure as graceful Routing Engine switchover (GRES) to preserve interface and kernel information. However, nonstop active routing also saves routing protocol information by running the routing protocol process (rpd) on the backup Routing Engine. By saving this additional information, nonstop active routing does not rely on other routing devices to assist in restoring routing protocol information.

NOTE: After a graceful Routing Engine switchover, we recommend that you issue the clear interface statistics (interface-name | all) command to reset the cumulative values for local statistics on the new master Routing Engine.

If you suspect a problem with the synchronization of Routing Engines when nonstop active routing is enabled, you can gather troubleshooting information using trace options. For example, if certain protocols lose connectivity with neighbors after a graceful Routing Engine switchover with NSR enabled, you can use trace options to help isolate the problem. See “Tracing Nonstop Active Routing Synchronization Events” on page 1690.

NOTE: Graceful restart and nonstop active routing are mutually exclusive. You will receive an error message upon commit if both are configured.

NOTE: Nonstop active routing provides a transparent switchover mechanism only for Layer 3 protocol sessions. Nonstop bridging (NSB) provides a similar mechanism for Layer 2 protocol sessions. See “Understanding Nonstop Bridging on EX Series Switches” on page 1667.

1666




•


•


Understanding Nonstop Bridging on EX Series Switches You can configure nonstop bridging (NSB) to provide resilience for Layer 2 protocol sessions on a Juniper Networks EX Series Ethernet Switch with redundant Routing Engines. Nonstop bridging operates by synchronizing all protocol information for NSB-supported Layer 2 protocols between the master and backup Routing Engines. If the switch has a Routing Engine switchover, the NSB-supported Layer 2 protocol sessions remain active because all session information is already synchronized to the backup Routing Engine. Traffic disruption for the NSB-supported Layer 2 protocol is minimal or nonexistent as a result of the switchover. The Routing Engine switchover is transparent to neighbor devices, which do not detect any changes related to the NSB-supported Layer 2 protocol sessions on the switch. For a list of the EX Series switches and Layer 2 protocols that support nonstop bridging, see “EX Series Switch Software Features Overview” on page 3.

NOTE: Nonstop bridging provides a transparent switchover mechanism only for Layer 2 protocol sessions. Nonstop active routing (NSR) provides a similar mechanism for Layer 3 protocol sessions. See “Understanding Nonstop Active Routing on EX Series Switches” on page 1666.


•

Configuring Nonstop Bridging on EX Series Switches (CLI Procedure) on page 1689


1667

®


Understanding Nonstop Software Upgrade on EX Series Switches Nonstop software upgrade (NSSU) enables you to upgrade the software running on a Juniper Networks EX Series Virtual Chassis or a Juniper Networks EX Series Ethernet Switch with redundant Routing Engines with a single command and minimal disruption to network traffic. NSSU is supported on EX8200 switches and the following Virtual Chassis: EX4200, EX4500, mixed EX4200 and EX4500, and EX8200 Virtual Chassis. Performing an NSSU provides these benefits: •

No disruption to the control plane—An NSSU takes advantage of graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) to ensure no disruption to the control plane. During the upgrade process, interface, kernel, and routing protocol information is preserved.

•

Minimal disruption to traffic—An NSSU minimizes traffic disruption by: •


•


To achieve minimal disruption to traffic, you must configure link aggregation groups (LAGs) such that the member links of each LAG reside on different line cards or Virtual Chassis members. When one member link of a LAG is down, the remaining links are up, and traffic continues to flow through the LAG.

NOTE: Because NSSU upgrades the software on each line card or on each Virtual Chassis member one at a time, an upgrade using NSSU can take longer than an upgrade using the request system software add command. For EX8200 switches and EX8200 Virtual Chassis, you can reduce the amount of time an upgrade takes by configuring line-card upgrade groups. The line cards in an upgrade group are upgraded simultaneously, reducing the amount of time it takes to complete an upgrade. See “Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade (CLI Procedure)” on page 1692.

This topic covers:

1668

•

Requirements for Performing an NSSU on page 1669

•

How an NSSU Works on page 1669

•

NSSU Limitations on page 1672

•

NSSU and Junos OS Release Support on page 1672

•

Overview of NSSU Configuration and Operation on page 1673



Requirements for Performing an NSSU The following requirements apply to all switches and Virtual Chassis: •

All Virtual Chassis members and all Routing Engines must be running the same Junos OS release.

•

Graceful Routing Engine switchover (GRES) must be enabled.

•

Nonstop active routing (NSR) must be enabled.

•

For minimal traffic disruption, you must define link aggregation groups (LAGs) such that the member links reside on different Virtual Chassis members or on different line cards.

The following are requirements for EX4200, EX4500, and mixed EX4200 and EX4500 Virtual Chassis: •

The Virtual Chassis members must be connected in a ring topology so that no member is isolated as a result of another member being rebooted. This topology prevents the Virtual Chassis from splitting during an NSSU.

•

The Virtual Chassis master and backup must be adjacent to each other in the ring topology. Adjacency permits the master and backup to always be in sync, even when the switches in linecard roles are rebooting.

•

The Virtual Chassis must be preprovisioned so that the linecard role has been explicitly assigned to member switches acting in a linecard role. During an NSSU, the Virtual Chassis members must maintain their roles—the master and backup must maintain their master and backup roles (although mastership will change), and the remaining switches must maintain their linecard roles.

•

A two-member Virtual Chassis must have no-split-detection configured so that the Virtual Chassis does not split when an NSSU upgrades a member.

How an NSSU Works This section describes what happens when you request an NSSU on these switches and Virtual Chassis: •

EX4200, EX4500, and Mixed EX4200 and EX4500 Virtual Chassis on page 1670

•

EX8200 Switch on page 1670

•

EX8200 Virtual Chassis on page 1671


1669

®


EX4200, EX4500, and Mixed EX4200 and EX4500 Virtual Chassis When you request an NSSU on an EX4200, EX4500, or mixed EX4200 and EX4500 Virtual Chassis: 1.

The Virtual Chassis master verifies that: •

The backup is online and running the same software version.

•

Graceful Routing Engine switchover and nonstop active routing are enabled.

•

The Virtual Chassis has a preprovisioned configuration.

2. The master installs the new software image on the backup and reboots it. 3. The master resynchronizes the backup. 4. The master installs the new software image on member switches that are in the

linecard role and reboots them, one at a time. The master waits for each member to become online and active before starting the software upgrade on the next member. 5. When all members that are in the linecard role have been upgraded, the master

performs a graceful Routing Engine switchover, and the upgraded backup becomes the master. 6. The software on the original master is upgraded and the original master is

automatically rebooted. After the original master has rejoined the Virtual Chassis, you can optionally return control to it by requesting a graceful Routing Engine switchover.

EX8200 Switch When you request an NSSU on a standalone switch with redundant Routing Engines: 1.

The switch verifies that: •

Both Routing Engines are online and running the same software version.

•

Both Routing Engines have sufficient storage space for the new software image.

•


2. The switch installs the new software image on the backup Routing Engine and reboots

it. 3. The switch resynchronizes the backup Routing Engine to the master Routing Engine. 4. The line cards in the first upgrade group (or the line card in slot 0, if no upgrade groups

are defined) download the new image and then restart. Traffic continues to flow through the line cards in the other upgrade groups during this process. 5. When line cards restarted in Step 4 are online again, the line cards in the next upgrade

group download the new image and restart. This process continues until all online line cards have restarted with the new software.

1670



NOTE: If you have taken a line card offline with the CLI before you start the NSSU, the line card is not restarted and remains offline.

6. The switch performs a graceful Routing Engine switchover, so that the upgraded

backup Routing Engine becomes the master. 7. The switch installs the new software on the original master Routing Engine.

To complete the upgrade process, the original master Routing Engine must be rebooted. You can do so manually or have the switch perform an automatic reboot by including the reboot option when you request the NSSU. After the original master has been rebooted, you can optionally return control to it by requesting a graceful Routing Engine switchover.

EX8200 Virtual Chassis When you request an NSSU on a Virtual Chassis: 1.

The master external Routing Engine verifies that: •

It has a backup external Routing Engine that is online.

•

All Virtual Chassis members have redundant Routing Engines and the Routing Engines are online.

•

All Routing Engines are running the same software version.

•

All Routing Engines have sufficient storage space for the new software image.

•


2. The master external Routing Engine installs the new software image on the backup

external Routing Engine and reboots it. 3. The backup external Routing Engine resynchronizes with the master external Routing

Engine. 4. The master external Routing Engine installs the new software on the backup Routing

Engines in the member switches and reboots the backup Routing Engines. 5. When the reboot of the backup Routing Engines complete, the line cards in the first

upgrade group download the new image and then restart. (If no upgrade groups are defined, the line card in slot 0 of member 0 downloads the new image and restarts.) Traffic continues to flow through the line cards in the other upgrade groups during this process. 6. When line cards restarted in Step 5 are online again, the line cards in the next upgrade

group (or the next sequential line card) download the new image and restart. This process continues until all online line cards have restarted with the new software.

NOTE: If you have taken a line card offline with the CLI before you start the NSSU, the line card is not restarted and remains offline.


1671

®


7. The new software image is installed on the master Routing Engines, both external

and internal. 8. The member switches perform a graceful Routing Engine switchover, so that the

upgraded backup Routing Engines become masters. 9. The master external Routing Engine performs a graceful Routing Engine switchover

so that the backup external Routing Engine is now the master. To complete the upgrade process, the original master Routing Engines, both external and internal, must be rebooted. You can do so manually by establishing a console connection to each Routing Engine or have the reboot performed automatically by including the reboot option when you request the NSSU. After the original master external Routing Engine has been rebooted, you can optionally return control to it by requesting a graceful Routing Engine switchover.

NSSU Limitations You cannot use an NSSU to downgrade the software—that is, to install an earlier version of the software than is currently running on the switch. To install an earlier software version, use the request system software add command. You cannot roll back to the previous software version after you perform an upgrade using NSSU. If you need to rollback to the previous software version, you can do so by rebooting from the alternate root partition if you have not already copied the new software version into the alternate root partition.

NSSU and Junos OS Release Support A Virtual Chassis must be running a Junos OS release that supports NSSU before you can perform an NSSU. If a Virtual Chassis is running a software version that does not support NSSU, use the request system software add command. Table 191 on page 1672 lists the EX Series switches and Virtual Chassis that support NSSU and the Junos OS release at which they began supporting it.

Table 191: Platform and Release Support for NSSU

1672

Platform

Junos OS Release


12.1 or later


12.1 or later


12.1 or later

EX8200 switch

10.4 or later


11.1 or later



Overview of NSSU Configuration and Operation You must ensure that the configuration of the switch or Virtual Chassis meets the requirements described in “Requirements for Performing an NSSU” on page 1669. NSSU requires no additional configuration. For EX8200 switches and EX8200 Virtual Chassis, you can optionally configure line-card upgrade groups using the CLI. See “Example: Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade on EX Series Switches” on page 1684. You perform an NSSU by executing the request system software nonstop-upgrade command. For detailed instructions on how to perform an NSSU, see the topics in Related Documentation. Related Documentation

•


•


•


•

Example: Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade on EX Series Switches on page 1684

Understanding Power Management on EX Series Switches The power management feature for Juniper Networks EX6200 Ethernet Switches and Juniper Networks EX8200 Ethernet Switches helps ensure that normal operation of the system is not disrupted because of insufficient power to the switch. For example: •

Power management ensures that operating line cards continue to receive power if a user installs a new line card in an operating switch when power is insufficient for both the new and existing line cards.

•

Power management reserves a certain amount of power to power supply redundancy, so that if a power supply fails, the switch can continue to operate normally. If power management must use some of this reserved power to provide power to switch components, it raises an alarm to indicate that power supply redundancy no longer exists and that normal operations might be disrupted if a power supply fails.

•

If power supply failure requires power management to power down some components, it does so gracefully by powering down line cards and PoE ports in the order specified by the user.

Power management manages power to switch components by employing a power budget policy. In its power budget policy, power management: •

Budgets power for each installed switch component that requires power. With the exception of PoE power for line cards that support PoE, the amount that power


1673

®


management budgets for each component is the maximum power that component might consume under worst case operating conditions. For example, for the fan tray, power management budgets the amount of power required to run the fans at their maximum speed setting, even if the current fan speed is much lower. •

Reserves a set amount of power for power supply redundancy. In its default configuration, power management manages the switch for N+1 power redundancy, which ensures uninterrupted system operation if one power supply fails. For example, if a switch has four online 3000 W power supplies, power management reserves 3000 W in its power budget policy for redundancy. It allocates the remaining 9000 W to normal operating power.

•

Specifies the rules under which components receive power. These rules are designed to ensure the least disruption to switch operation under conditions of insufficient power. For example, power management provides power to core system components, such as the Routing Engines, before it provides power to line cards.

You can configure certain aspects of power management’s budget policy, specifically: •

The power priority of individual line cards. By assigning different power priorities to the line cards, you can determine which line cards are more likely to receive power in the event of insufficient power.

•

The power redundancy configuration. The default power redundancy configuration is N+1; you can optionally configure N+N. For example, if you have deployed two independent AC power feeds to the switch, configure N+N redundancy. When you configure power management for N+N redundancy, it reserves the appropriate amount of power in its power budget and reports insufficient power conditions accordingly.

These configurable items are discussed further in: •

Power Priority of Line Cards on page 1674

•

Power Supply Redundancy on page 1677

Power Priority of Line Cards The power priority of line cards determines: •

The order in which line cards are allocated power

•

The order in which line cards that support PoE are allocated power for PoE

•

How power is reallocated in cases of changes in power availability or demand in an operating switch

NOTE: On EX6200 switches, the four 10-Gigabit Ethernet SFP+ uplink ports on a Switch Fabric and Routing Engine (SRE) module are treated like a line card in the power budget.

1674



This section covers: •

How a Line Card’s Power Priority Is Determined on page 1675

•

Line Card Priority and Line Card Power on page 1675

•

Line Card Priority and PoE Power on page 1676

•

Line Card Priority and Changes in the Power Budget on page 1676

How a Line Card’s Power Priority Is Determined Using the CLI, you can assign a explicit power priority to a line-card slot. If more than one slot has the same assigned priority, the power priority is determined by slot number, with the lowest-numbered slots receiving power first. By default, all slots in an EX8200 switch are assigned the lowest priority. Thus if you do not explicitly assign priorities to slots, power priority is determined by slot number, with slot 0 having the highest priority. In an EX6200 switch, all slots are assigned the lowest priority, except for the slots containing an SRE module. Slots containing an SRE module are automatically assigned the highest priority. This means that the line cards that represent the 10-Gigabit Ethernet SFP+ ports on SRE modules have the highest priority among the line cards.

Line Card Priority and Line Card Power When an EX6200 or EX8200 switch is powered on, power management allocates power to components according to its power budget policy. After power management has allocated power to the base chassis components, it allocates the remaining available power to the line cards. It powers on the line cards in priority order until all line cards are powered on or the available power (including reserved power, if necessary) is exhausted. Thus if available power is exhausted before all line cards receive power, higher-priority cards are powered on while lower-priority cards remain powered off. A lower-priority card might receive power while a higher-priority card does not if the remaining available power is sufficient to power on the lower-priority card but not the higher-priority card. For example, if a line card requiring 450 W is in a higher-priority slot than line card requiring 330 W, the line card requiring 330 W receives the power if there is less than 450 W but more than 330 W remaining in the power budget. Line cards that have been administratively taken offline are not allocated power.

NOTE: Because power management does not allocate power to a line card that has been administratively taken offline, a line card that has been taken offline in an EX6200 or EX8200 switch is not automatically brought online when you commit a configuration. You must explicitly use the request chassis fpc slot slot-number online command to bring a line card online that was taken offline previously. This behavior differs from other platforms running Juniper Networks Junos operating system (Junos OS), which automatically bring an offline FPC online when you commit a configuration.


1675

®


If power management cannot power on a line card because of insufficient power, it raises a major (red) alarm.

Line Card Priority and PoE Power After all line cards have been powered on, power management allocates any remaining available power, including reserved power, to the PoE power budgets of line cards that have PoE ports. Power management allocates PoE power to line cards in the order of power priority. If enough power is available, a line card receives its full PoE power budget before power management allocates PoE power to the next highest-priority line card. If not enough power is available, a line card receives partial PoE power and lower-priority line cards receive no PoE power. If power management is unable to allocate enough power to meet the PoE power budget for a line card, it logs a message to the system log. The default PoE power budget for a line card is the amount of power needed to supply the maximum supported power to all PoE ports. In cases where powered devices do not require the maximum power or in which some PoE ports are not used for powered devices, you can configure a smaller PoE power budget for a line card. By configuring a smaller PoE power budget, you make more power available for the PoE power budgets of lower-priority line cards. You can also configure the power priority of the PoE ports on a line card. If power management is unable to allocate enough power to a line card to meet its PoE power budget, the line card PoE controller will turn off power to PoE ports in reverse priority order as required to meet the reduced power allocation. See “Configuring PoE (CLI Procedure)” on page 4635 for more information on how to configure the PoE power budget for a line card and how to configure PoE port priorities.

Line Card Priority and Changes in the Power Budget In an operating switch, power management dynamically reallocates power in response to changes in power availability or demand or changes in line card priority. Power management uses line card priority to determine how to reallocate power in response to the following events: •

•

A power supply fails, is removed, or is taken offline: •

If power is insufficient to meet the PoE power allocations of all PoE line cards, power management deallocates PoE power from the line cards in reverse priority order until power is sufficient to meet the remaining PoE power allocations.

•

If power is insufficient to meet the base (non-PoE) power requirements of all the line cards, all PoE power is deallocated. If, after the deallocation of PoE power, power is still not sufficient, power management turns off line cards in reverse priority order until power is sufficient for the remaining line cards.

A new line card is inserted or a line card is brought online: •

1676

If the line card supports PoE and there is insufficient power to meet its PoE power budget, PoE power is reallocated from lower-priority line cards. If not enough PoE



power can be reallocated from lower-priority line cards, the new line card receives a partial PoE power allocation.

•

•

•

•

If there is insufficient power to power on the new line card, PoE power is removed from PoE line cards in reverse priority order until the new line card can be powered on.

•

If the removal of all PoE power is insufficient to free up enough power to power on the line card, the line card remains powered off and the PoE line cards continue to receive their PoE power allocations. To minimize disruption on an operating switch, lower-priority line cards are not turned off to provide power to the new line card. However, if you restart the switch, power management reruns the current power budget policy and powers line cards on or off based on their priority. As a result, line cards receive power strictly by priority order and previously operating line cards might no longer receive power.

A new power supply is brought online: •

Any line cards that were powered off because of insufficient power are powered on in priority order.

•

After all line cards are powered on, remaining power is allocated to the PoE power budgets of line cards in priority order.

A line card is removed or taken offline, freeing up power: •

Any line cards that were powered down because of insufficient power are powered on in priority order.

•

After all line cards are powered on, any remaining power is allocated to the PoE power budgets of line cards in priority order.

A user changes the assigned power priority of one or more line cards when power is insufficient to meet the power budget: •

PoE power to the line cards is reallocated based on the new power priorities.

•

Base power allocation to the line cards is not changed—in other words, power management does not power down line cards that had been receiving power because they are now a lower priority. However, if you restart the switch, power management reruns the current power budget policy and powers line cards on or off based on their priority. As a result, line cards receive power strictly by priority order and previously operating line cards might no longer receive power.

If, because of insufficient power, power management reduces or eliminates the PoE power budget for a line card, it logs a message to the system log. If power management must power down a line card because of insufficient power, it raises a major (red) alarm.

Power Supply Redundancy By default, power management in EX6200 and EX8200 switches is configured to manage the power supplies for N+1 redundancy, in which one power supply is held in reserve for backup if one of the other power supplies is removed or fails.


1677

®


You can configure power management to manage the power supplies for N+N redundancy. In N+N redundancy, power management holds N power supplies in reserve for backup. For example, if your switch has six power supplies and you configure N+N redundancy, power management makes three power supplies available for normal operating power and reserves three power supplies for redundancy (3+3). If you have an odd number of power supplies, power management allocates one more power supply to normal operating power than to redundant power. For example, if you have five power supplies, the N+N configuration is 3+2. Given the same number of power supplies, an N+N configuration usually provides less normal operating power than an N+1 configuration because the N+N configuration holds more power in reserve for backup. Table 192 on page 1678 shows the effect on normal operating power in N+1 and N+N configurations.

Table 192: Available Operating Power in N+1 and N+N Redundancy Configurations Number of Power Supplies at n W Each

Normal Operating Power in N+1 Configuration

Normal Operating Power in N+N Configuration

2

1 x (n W)

1 x (n W)

3

2 x (n W)

2 x (n W)

4

3 x (n W)

2 x (n W)

5 (EX8200 switches only)

4 x (n W)

3 x (n W)

6 (EX8200 switches only)

5 x (n W)

3 x (n W)

To compensate for the reduced normal operating power, power management on EX8200 switches allocates less power to the chassis in an N+N configuration than in an N+1 configuration. This reduction in allocated chassis power allows a switch in an N+N configuration to power more line cards than it could without the reduction. For the EX8208 switch, the power allocated for the chassis is reduced to 1200 W from 1600 W; for the EX8216 switch, it is reduced to 1800 W from 2400 W.

NOTE: To achieve the reduction in allocated chassis power in an EX8200 switch, power management reduces the maximum fan speed to 60 percent in an N+N configuration from 80 percent in an N+1 configuration. Because the maximum fan speed is reduced, it is possible that a line card that overheats would be shut down sooner in an N+N configuration than in an N+1 configuration.

On EX6200 switches, the same amount of power is allocated for the chassis in N+N configurations as in N+1 configurations. Power management automatically recalculates the reserved power and normal operating power as power supplies go online or offline. For example, if you have an N+N configuration

1678



with three online 2000 W power supplies, power management allocates 2000 W to reserved power. If you bring a fourth 2000 W power supply online, power management then allocates 4000 W to reserved power. If a power supply goes offline again, power management once again allocates 2000 W to reserved power. When power is insufficient to meet the budgeted power requirements, power management raises alarms as follows: •

A minor (yellow) alarm is raised when insufficient power exists to maintain the configured N+1 or N+N power reserves, but all line cards are still receiving their base and PoE power allocations. If this condition persists for 5 minutes, the alarm becomes a major (red) alarm. Even though operation of the switch is unaffected in this condition, you should remedy it as quickly as possible because a power supply failure might cause a disruption in switch operation.

•

A major (red) alarm is raised when insufficient power exists to provide all the line cards with their base and PoE power allocations. One or more PoE ports might be down or one or more line cards might be down.

Power management clears all alarms when sufficient power is available to meet normal operating and reserved power requirements. Related Documentation

•


•


•


•

Verifying Power Configuration and Use on page 1713


1679

®


1680


CHAPTER 51

Examples of High Availability Configuration •


•


Example: Configuring Nonstop Active Routing on EX Series Switches Nonstop active routing (NSR) provides high availability for Routing Engines by enabling transparent switchover of the Routing Engines without necessitating restart of supported routing protocols. Both Routing Engines are fully active in processing protocol sessions, and so each can take over for the other. The switchover is transparent to neighbors. This example describes how to configure nonstop active routing on switches with multiple Routing Engines: •


•


•


•


•



An EX Series switch with multiple Routing Engines

•


Overview and Topology Configure nonstop active routing on any EX Series switch with multiple Routing Engines or EX Series switch in a Virtual Chassis configuration. Nonstop active routing is advantageous in networks where neighbor routing devices do not support graceful restart protocol extensions.


1681

®


The topology used in this example consists of an EX8200 switch with redundant Routing Engines connected to neighbor routing devices that are not configured to support graceful restart of protocols.

Configuration CLI Quick Configuration

To quickly configure nonstop active routing, copy the following commands and paste them into the switch terminal window: [edit] set chassis redundancy graceful-switchover set routing-options nonstop-routing set system commit synchronize


To configure nonstop active routing on a switch: 1.

Enable graceful Routing Engine switchover (GRES): [edit chassis redundancy] user@switch# set graceful-switchover

2.

Enable nonstop active routing (by default, nonstop active routing is disabled): [edit routing-options] user@switch# set nonstop-routing

3.

Synchronize configuration changes between the Routing Engines: [edit system] user@switch# set commit synchronize

If you try to commit the nonstop active routing configuration without including the commit synchronize statement, the commit fails.

NOTE: If the backup Routing Engine is down when you issue the commit, a warning is displayed and the candidate configuration is committed in the master Routing Engine. When the backup Routing Engine comes up, its configuration is automatically synchronized with that of the master. If you subsequently insert or bring up a backup Routing Engine, it automatically synchronizes its configuration with the master Routing Engine configuration.

Check the results of the configuration: [edit] user@switch# show chassis { redundancy { graceful-switchover; } routing-options { nonstop-routing; } system { commit synchronize; }

1682


Chapter 51: Examples of High Availability Configuration


Verifying That Nonstop Active Routing Is Working Correctly on the Switch on page 1683

Verifying That Nonstop Active Routing Is Working Correctly on the Switch Purpose Action

Verify that nonstop active routing is enabled. Issue the show task replication command: user@switch# show task replication Stateful Replication: Enabled RE mode: Master Protocol OSPF RIP PIM RSVP

Meaning

Synchronization Status Complete Complete Complete Complete

This output shows that nonstop active routing (Stateful Replication) is enabled on master routing engine. If nonstop routing is not enabled, instead of the output shown above: •

On the backup routing engine the following error message is displayed: “error: the routing subsystem is not running.”

•

On the master routing engine, the following output is displayed if nonstop routing is not enabled: Stateful Replication: Disabled RE mode: Master

Troubleshooting To troubleshoot nonstop active routing, perform these tasks: •

Investigating Problems with Synchronization of Routing Engines When NSR Is Enabled on page 1683

Investigating Problems with Synchronization of Routing Engines When NSR Is Enabled Problem

A protocol loses connectivity with neighbors after a graceful Routing Engine switchover (GRES) occurs with nonstop active routing (NSR) enabled.

Solution

Use trace options to help isolate the problem and gather troubleshooting information. Using the information gathered from trace options, you can confirm or eliminate the synchronization of the Routing Engines as the cause of the loss of connectivity for the protocol. See “Tracing Nonstop Active Routing Synchronization Events” on page 1690.


1683

®



•


•

Tracing Nonstop Active Routing Synchronization Events on page 1690

•


Example: Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade on EX Series Switches Nonstop software upgrade (NSSU) enables you to upgrade the software running on an EX8200 switch with redundant Routing Engines or on an EX8200 Virtual Chassis with redundant XRE200 External Routing Engines using a single command and with minimal disruption to network traffic. By default, NSSU upgrades the software running on the line cards one line card at a time. To reduce the time an NSSU takes, you can configure line-card upgrade groups. This example shows how to configure NSSU to use line-card upgrade groups: •


•


•



An EX8200 switch with redundant Routing Engines

•


Before you begin to configure line-card upgrade groups, ensure that you have configured the link aggregation groups (LAGs) as described in “Configuring Aggregated Ethernet Links (CLI Procedure)” on page 1867. See “Overview and Topology” on page 1684 for details about the LAG configurations for this example.

Overview and Topology In its default configuration, NSSU upgrades each line card in a switch or Virtual Chassis one at a time. Traffic continues to flow through the other line cards while a line card is being restarted as part of the upgrade. This behavior allows you minimize disruption to traffic by configuring link aggregation groups (LAGs) such that the member links of each LAG reside on different line cards. When one member link of a LAG is down, the remaining links are up, and traffic continues to flow through the LAG. Because the default configuration upgrades each line card one at a time, the upgrade can take some time to complete. You can reduce the time it takes to perform an NSSU by configuring line-card upgrade groups. Instead of being upgraded sequentially, the line cards in an upgrade group are upgraded simultaneously. To achieve minimal traffic disruption, you must define the line-card upgrade groups such that the member links of the LAGs reside on line cards that are in different upgrade groups.

1684


Chapter 51: Examples of High Availability Configuration

This example uses an EX8200 switch that has five line cards installed in slots 0 through 4. Two LAGs have been configured: •

ae0—Has two member links, one on the line card in slot 0 and one on the line card in

slot 1. •

ae1—Has two member links, one on the line card in slot 2 and one on the line card in

slot 3. The interfaces on the line card in slot 4 are not part of either LAG. To minimize the time an upgrade takes and to ensure that the member links of each LAG are in different upgrade groups, this example configures the following two line-card upgrade groups: •

group1—Contains the line cards in slots 0, 2, and 4.

•

group2—Contains the line cards in slots 1 and 3.

The line card in slot 4 could be put in either group. It could also be left out of an upgrade group entirely, and it would be upgraded separately after the line cards in the upgrade groups have been upgraded. However, it is more efficient to include it in an upgrade group. Figure 48 on page 1685 illustrates the topology.

Figure 48: Example Line-Card Upgrade Group Topology

Configuration To create line-card upgrade groups, perform these tasks: CLI Quick Configuration

To quickly create the line-card upgrade groups, copy the following commands and paste them into the switch terminal window: [edit] set chassis nssu upgrade-group group1 fpcs [0 2 4] set chassis nssu upgrade-group group2 fpcs [1 3]


To create the line-card upgrade groups for an NSSU: 1.

Create the first line-card upgrade group: [edit chassis] user@switch# set nssu upgrade-group group1 fpcs [0 2 4]

2.

Create the second line-card upgrade group:


1685

®


[edit chassis] user@switch# set nssu upgrade-group group2 fpcs (NSSU Upgrade Groups) [1 3]

Results

Display the results of the configuration: [edit chassis] user@switch# show nssu { upgrade-group group1 { fpcs [ 0 2 4 ]; } upgrade-group group2 { fpcs [ 1 3 ]; } }


1686

•


•


•



CHAPTER 52

Configuring High Availability •


•


•


•


•


•


•


Configuring VRRP for IPv6 (CLI Procedure) By configuring the Virtual Router Redundancy Protocol (VRRP) on EX Series switches, you can enable hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. You can configure VRRP for IPv6 on Gigabit Ethernet, 10-Gigabit Ethernet, and logical interfaces. To configure VRRP for IPv6: 1.

Configure VRRP group support on interfaces: [edit interfaces interface-name unit logical-unit-number family inet6 address address] user@switch# set vrrp-inet6-group group-id priority number virtual-inet6-address address virtual-link-local-address ipv6-address

You must explicitly define a virtual link local address for each VRRP for IPv6 group. Otherwise, when you attempt to commit the configuration, the commit request fails. The virtual link local address must be on the same subnet as the physical interface address. 2. If you want to configure the priority order in which this switch functioning as a backup

router becomes the master router if the master router becomes nonoperational, configure a priority for this switch: [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id] user@switch# set priority number


1687

®


3. Specify the interval in milliseconds in which the master router sends advertisement

packets to the members of the VRRP group: [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id] user@switch# set inet6-advertise-interval milliseconds 4. By default, a higher-priority backup router preempts a lower-priority master router. •

To explicitly enable the master router to be preempted: [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id] user@switch# set preempt

•

To prohibit a higher-priority backup router from preempting a lower priority master router: [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id] user@switch# set no-preempt


•

show vrrp on page 1758

•


Configuring Nonstop Active Routing on EX Series Switches (CLI Procedure) Nonstop active routing (NSR) provides a mechanism for transparent switchover of the Routing Engines without necessitating restart of supported routing protocols. Both Routing Engines are fully active in processing protocol sessions, and so each can take over for the other. The switchover is transparent to neighbors. You can configure nonstop active routing on an EX Series switch with redundant Routing Engines to enable the transparent switchover of the Routing Engines in the event that the Routing Engines switch over. You can also disable nonstop active routing after you have enabled it. To configure nonstop active routing: 1.


2. Enable nonstop active routing (by default, nonstop active routing is disabled): [edit routing-options] user@switch# set nonstop-routing 3. Synchronize configuration changes between the Routing Engines: [edit system] user@switch# set commit synchronize

If you try to commit the nonstop active routing configuration without including the commit synchronize statement, the commit fails.

1688


Chapter 52: Configuring High Availability

NOTE: There is no requirement to start the two Routing Engines simultaneously. If the backup Routing Engine is not up when you commit synchronize, the candidate configuration is committed in the master Routing Engine and when the backup Routing Engine is inserted or comes online, its configuration is automatically synchronized with that of the master.

BEST PRACTICE: After a graceful Routing Engine switchover, we recommend that you issue the clear interface statistics (interface-name | all) command to reset the cumulative values for local statistics on the new master Routing Engine.

To disable nonstop active routing: [edit routing-options] user@switch# delete nonstop-routing


•


•


•


Configuring Nonstop Bridging on EX Series Switches (CLI Procedure) You can configure nonstop bridging (NSB) to provide resilience for Layer 2 protocol sessions on an EX Series switch with redundant Routing Engines. Nonstop bridging operates by synchronizing all protocol information for NSB-supported Layer 2 protocols between the master and backup Routing Engines. If the switch has a Routing Engine switchover, the NSB-supported Layer 2 protocol sessions remain active because they are already synchronized on the backup Routing Engine. The Routing Engine switchover is transparent to neighbor devices, which do not detect any changes related to the Layer 2 protocol sessions on the switch. To configure nonstop bridging: 1.


2. Configure the switch to always synchronize configuration changes between the Routing

Engines: [edit system] user@switch# set commit synchronize

If you try to commit a configuration in which nonstop bridging is configured but synchronization of configuration changes is not configured, the configuration is not committed. 3. Enable nonstop bridging:


1689

®


[edit ethernet-switching-options] user@switch# set nonstop-bridging

NOTE: There is no requirement to start both Routing Engines simultaneously. If the backup Routing Engine is not up when you commit the configuration, the candidate configuration is committed in the master Routing Engine. When the backup Routing Engine comes online, the configuration is automatically synchronized.


•

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches on page 2427

•


Tracing Nonstop Active Routing Synchronization Events To track the progress of nonstop active routing synchronization between Routing Engines, you can configure nonstop active routing trace options flags for each supported protocol and for BFD sessions and record these operations to a log file. To configure nonstop active routing trace options for supported routing protocols, include the nsr-synchronization statement at the [edit protocols protocol-name traceoptions flag] hierarchy level and optionally specify one or more of the detail, disable, receive, and send options: [edit protocols] bgp { traceoptions { flag nsr-synchronization ; } } isis { traceoptions { flag nsr-synchronization ; } } ldp { traceoptions { flag nsr-synchronization ; } } mpls { traceoptions { flag nsr-synchronization; flag nsr-synchronization-detail; } } msdp { traceoptions { flag nsr-synchronization ; }

1690



} (ospf | ospf3) { traceoptions { flag nsr-synchronization ; } } (rip | ripng) { traceoptions { flag nsr-synchronization ; } } pim { traceoptions { flag nsr-synchronization ; } }

To configure nonstop active routing trace options for BFD sessions, include the nsr-synchronization and nsr-packet statements at the [edit protocols bfd traceoptions flag] hierarchy level. [edit protocols] bfd { traceoptions { flag nsr-synchronization; flag nsr-packet; } }

To trace the Layer 2 VPN signaling state replicated from routes advertised by BGP, include the nsr-synchronization statement at the [edit routing-options traceoptions flag] hierarchy level. This flag also traces the label and logical interface association that VPLS receives from the kernel replication state. [edit routing-options] traceoptions { flag nsr-synchronization; }


•

Configuring Nonstop Active Routing

•


•

OBSOLETE - traceoptions on page 1736

•

Example: Configuring Nonstop Active Routing

•



1691

®


Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade (CLI Procedure) Nonstop software upgrade (NSSU) enables you to upgrade the software running on an EX8200 switch with redundant Routing Engines or on an EX8200 Virtual Chassis with redundant XRE200 External Routing Engines using a single command and with minimal disruption to network traffic. In its default configuration, NSSU upgrades each line card in a switch or Virtual Chassis one at a time. Traffic continues to flow through the other line cards while a line card is being restarted as part of the upgrade. This behavior allows you to minimize disruption to traffic by configuring link aggregation groups (LAGs) such that the member links of each LAG reside on different line cards. When one member link of a LAG is down, the remaining links are up, and traffic continues to flow through the LAG. You can reduce the time it takes to perform an NSSU by configuring NSSU to use line-card upgrade groups. When you define an upgrade group, NSSU upgrades the line cards in the upgrade group at the same time instead of sequentially. To achieve minimal traffic disruption, you must define the line-card upgrade groups such that the member links of the LAGs reside on line cards that are in different upgrade groups. For information on how to configure LAGs, see “Configuring Aggregated Ethernet Links (CLI Procedure)” on page 1867. To configure line-card upgrade groups on a standalone EX8200 switch: •

To create an upgrade group and add a line card to it: [edit chassis] user@switch# set nssu upgrade-group group-name fpcs slot-number

For example, to create an upgrade group called group3 and add the line card in slot 5 to it: [edit chassis] user@switch# set nssu upgrade-group group3 fpcs 5

If group3 already exists, this command adds line card 5 to group3. •

To create an upgrade group and add multiple line cards to it: [edit chassis] user@switch# set nssu upgrade-group group-name fpcs (NSSU Upgrade Groups) [list-of-slot-numbers]

For example, to create an upgrade group called primary and add line cards in slots 1, 4, and 7 to it: [edit chassis] user@switch# set nssu upgrade-group primary fpcs [1 4 7]

If primary already exists, this command adds line cards in slots 1, 4, and 7 to primary. To configure line-card upgrade groups on an EX8200 Virtual Chassis: •

1692

To create an upgrade group and add a line card on a Virtual Chassis member to it:



[edit chassis] user@switch# set nssu upgrade-group group-name member (NSSU Upgrade Groups) member-id fpcs slot-number

For example, to create an upgrade group called primary-ny and add the line card on member 1 in slot 5 to it: [edit chassis] user@switch# set nssu upgrade-group primary-ny member 1 fpcs 5

If primary-ny already exists, this command adds line card 5 on member 1 to primary-ny. •

To create an upgrade group that contains multiple line cards on a Virtual Chassis member: [edit chassis] user@switch# set nssu upgrade-group group-name member member-id fpcs [list-of-slot-numbers]

For example, to create an upgrade group called primary-ny that contains the line cards in slots 1 and 2 on member 0 and in slots 3 and 4 on member 1: [edit chassis] user@switch# set nssu upgrade-group primary-ny member 0 fpcs [1 2] [edit chassis] user@switch# set nssu upgrade-group primary-ny member 1 fpcs [3 4]


•


•


•


•



1693

®


Configuring Power Supply Redundancy (CLI Procedure) By default, the power management feature in EX6200 and EX8200 switches is configured to manage the power supplies for N+1 redundancy, in which one power supply is held in reserve for backup if any one of the other power supplies is removed or fails. You can configure power management to manage the power supplies for N+N redundancy. For example, to set up your AC power supplies for dual power feed, N+N redundancy is required. In N+N redundancy, power management allocates half of the online power supplies to normal operating power and half to redundant power. If you have an odd number of online power supplies, power management allocates one more power supply to normal operating power than to redundant power. This topic describes how to configure power management for N+N redundancy and how to revert back to N+1 redundancy if your deployment needs change. Before you configure power management for N+N redundancy, ensure that you have sufficient power supplies to meet the power requirements of an N+N configuration. Use the show chassis power-budget-statistics command to display your current power budget.

NOTE: To allow more power to be available to line cards in an EX8200 switch, power management compensates for the reduced normal operating power in an N+N configuration by allocating less power to the chassis than it does in an N+1 configuration. For the EX8208 switch, the power allocated to the chassis is reduced to 1200 W from 1600 W. For the EX8216 switch, it is reduced to 1800 W from 2400 W. In determining whether you have enough power for an N+N configuration, take this reduction of allocated chassis power into account. The reduction in allocated chassis power is achieved by reducing the maximum fan speed to 60 percent in an N+N configuration from 80 percent in an N+1 configuration. Because the maximum fan speed is reduced, it is possible that a line card that overheats would be shut down sooner in an N+N configuration than in an N+1 configuration. On EX6200 switches, the same amount of power is allocated for the chassis in N+N configurations as in N+1 configurations.

To configure N+N redundancy: [edit chassis] user@switch# set psu redundancy n-plus-n

To revert back to N+1 redundancy: [edit chassis] user@switch# delete chassis psu redundancy n-plus-n


1694

•




•


•


Configuring the Power Priority of Line Cards (CLI Procedure) The power management facility on EX6200 and EX8200 switches allows you to assign power priorities to the slots occupied by line cards. Power management provides power to the slots in priority order, which means that line cards in higher priority slots are more likely to receive power than line cards in lower priority slots if power to the switch is insufficient to power all the line cards. The power priority you assign to a PoE line card affects both the order in which it receives base power and the order in which it receives PoE power. Base power is allocated first to all line cards in priority order. PoE power is then allocated to the PoE line cards in priority order. When assigning power priority to slots, keep these points in mind: •

0 is the highest priority. The number of priority levels depends on the number of slots in a switch—for example, for an EX8208 switch, which has eight slots, you can assign a priority of 0 through 7 to a slot.

•

All slots are assigned the lowest priority by default.

•

If a group of slots shares the same assigned priority, each slot’s power priority within the group is based on its slot number, with the lowest-numbered slots receiving power first. For example, if slot 3 and slot 7 each have an assigned power priority of 2, slot 3 has the higher power priority.

•

On EX6200 switches, slots containing a Switch Fabric and Routing Engine (SRE) module are automatically assigned the highest priority. If you assign a priority of 0 to a slot that has a lower number than a slot an SRE module is in, the slot with an SRE module still receives power first. You cannot change the power priority of slot containing an SRE module.

To assign or change the power priority for a slot: [edit chassis] user@switch# set fpc slot power-budget-priority priority

For example, to set slot 6 to priority 0, enter: [edit chassis] user@switch# set fpc 6 power-budget-priority 0


•


•


•



1695

®


1696


CHAPTER 53

Administering High Availability •


•


•


•


Upgrading Software on an EX8200 Standalone Switch Using Nonstop Software Upgrade (CLI Procedure) You can use nonstop software upgrade (NSSU) to upgrade the software on standalone EX8200 switches with redundant Routing Engines. NSSU upgrades the software running on the Routing Engines and line cards with minimal traffic disruption during the upgrade. NSSU is supported on switches running Junos OS Release 10.4 or later. With NSSU, you can upgrade both Routing Engines at the same time with a single command. You also have the option of upgrading just one Routing Engine, the backup Routing Engine, which becomes the master Routing Engine after the upgrade is done. You then use the standard software installation process to upgrade the original master Routing Engine. This topic covers: •

Preparing the Switch for Software Installation on page 1697

•

Upgrading Both Routing Engines Using NSSU on page 1699

•

Upgrading One Routing Engine Using NSSU on page 1702

•

Upgrading the Original Master Routing Engine on page 1704

Preparing the Switch for Software Installation Before you begin software installation using NSSU:


1697

®


•

(Optional) Configure line-card upgrade groups as described in “Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade (CLI Procedure)” on page 1692. By default, an NSSU upgrades line cards one at a time to allow aggregated Ethernet links that have members on different line cards to remain up through the upgrade process. Configuring line-card upgrade groups reduces the time an upgrade takes because the line cards in each upgrade group are upgraded at the same time rather than sequentially.

•

Verify that the Routing Engines are running the same version of the software. Enter the following command: {master} user@switch> show version invoke-on all-routing-engines re0: -------------------------------------------------------------------------Hostname: switch Model: ex8208 JUNOS Base OS boot [11.3-20110429.1] JUNOS Base OS Software Suite [11.3-20110429.1] JUNOS Kernel Software Suite [11.3-20110429.1] JUNOS Crypto Software Suite [11.3-20110429.1] JUNOS Online Documentation [11.3-20110429.1] JUNOS Enterprise Software Suite [11.3-20110429.1] LC JUNOS Installation Software [11.3-20110429.1] JUNOS Routing Software Suite [11.3-20110429.1] JUNOS Web Management [11.3-20110429.1] re1: -------------------------------------------------------------------------Hostname: switch Model: ex8208 JUNOS Base OS boot [11.3-20110429.1] JUNOS Base OS Software Suite [11.3-20110429.1] JUNOS Kernel Software Suite [11.3-20110429.1] JUNOS Crypto Software Suite [11.3-20110429.1] JUNOS Online Documentation [11.3-20110429.1] JUNOS Enterprise Software Suite [11.3-20110429.1] LC JUNOS Installation Software [11.3-20110429.1] JUNOS Routing Software Suite [11.3-20110429.1] JUNOS Web Management [11.3-20110429.1]

If the Routing Engines are not running the same version of the software, use the request system software add command to upgrade the Routing Engine that is running the earlier software version. For instructions on upgrading a single Routing Engine, see “Installing Software on an EX Series Switch with Redundant Routing Engines (CLI Procedure)” on page 126. •

Ensure that nonstop active routing (NSR) and graceful Routing Engine switchover (GRES) are enabled. To verify that they are enabled, you need to check only the state of nonstop active routing—if nonstop active routing is enabled, then graceful Routing Engine switchover is enabled. To verify that nonstop active routing is enabled, execute the following command: {master} user@switch> show task replication Stateful Replication: Enabled RE mode: Master

1698


Chapter 53: Administering High Availability

Protocol OSPF RIP PIM RSVP

Synchronization Status Complete Complete Complete Complete

If nonstop active routing is not enabled (Stateful Replication is Disabled), see “Configuring Nonstop Active Routing on EX Series Switches (CLI Procedure)” on page 1688 for information on how to enable it. •

(Optional) Back up the system software on each Routing Engine to an external storage device with the request system snapshot command.

Upgrading Both Routing Engines Using NSSU This procedure describes how to upgrade both Routing Engines using NSSU. When the upgrade completes, both Routing Engines are running the new version of the software, and the backup Routing Engine is the new master Routing Engine. To upgrade both Routing Engines using NSSU: 1.

Download the software package by following the procedure in “Downloading Software Packages from Juniper Networks” on page 123.


the file to the /var/tmp directory. 3. Log in to the master Routing Engine using the console connection. You can perform

an NSSU from the management interface, but a console connection allows you to monitor the progress of the master Routing Engine reboot. 4. Install the new software package:

{master} user@switch> request system software nonstop-upgrade reboot /var/tmp/package-name-m.nZx-distribution.tgz

where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-8200-10.4R1.5-domestic-signed.tgz. The switch displays the following status messages as the upgrade executes: Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing Backup RE Pushing bundle to re1 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Backup upgrade done Rebooting Backup RE Rebooting re1 ISSU: Backup RE Prepare Done Waiting for Backup RE reboot GRES operational Initiating Chassis In-Service-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU


1699

®


ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking In-Service-Upgrade status Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 3 Offline Offlined by CLI command FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 6 Online (ISSU) FPC 7 Online (ISSU) Resolving mastership... Complete. The other routing engine becomes the master. ISSU: RE switchover Done ISSU: Upgrading Old Master RE WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately ISSU: Old Master Upgrade Done ISSU: IDLE

*** FINAL System shutdown message from user@switch *** System going down IMMEDIATELY Shutdown NOW! [pid 2635]

NOTE: If you omit the reboot option in this step, you must manually reboot the original master Routing Engine with the request system reboot command for the upgrade to complete.

5. Log in after the reboot completes. To verify that both Routing Engines have been

upgraded, enter the following command: {backup} user@switch> show version invoke-on all-routing-engines re0: -----------------------------------------------------------------Hostname: switch Model: ex8208 JUNOS Base OS boot [12.1-20111229.0] JUNOS Base OS Software Suite [12.1-20111229.0] JUNOS Kernel Software Suite [12.1-20111229.0] JUNOS Crypto Software Suite [12.1-20111229.0] JUNOS Online Documentation [12.1-20111229.0] JUNOS Enterprise Software Suite [12.1-20111229.0] LC JUNOS Installation Software [12.1-20111229.0] JUNOS Routing Software Suite [12.1-20111229.0] JUNOS Web Management [12.1-20111229.0] re1: -----------------------------------------------------------------Hostname: switch Model: ex8208 JUNOS Base OS boot [12.1-20111229.0] JUNOS Base OS Software Suite [12.1-20111229.0]

1700



JUNOS Kernel Software Suite [12.1-20111229.0] JUNOS Crypto Software Suite [12.1-20111229.0] JUNOS Online Documentation [12.1-20111229.0] JUNOS Enterprise Software Suite [12.1-20111229.0] LC JUNOS Installation Software [12.1-20111229.0] JUNOS Routing Software Suite [12.1-20111229.0] JUNOS Web Management [12.1-20111229.0] 6. To verify that the line cards that were online before the upgrade are online after the

upgrade, log in to the master Routing Engine and enter the show chassis nonstop-upgrade command: {backup} user@switch> request routing-engine login master {master} user@switch> show chassis nonstop-upgrade Item Status FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 3 Offline FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 6 Online (ISSU) FPC 7 Online (ISSU)

Reason

Offlined by CLI command

7. If you want to make re0 the master Routing Engine again, enter the following

command: {master} user@switch> request chassis routing-engine master switch Toggle mastership between routing engines ? [yes,no] (no) yes

You can verify that re0 is the master Routing Engine by executing the show chassis routing-engine command. 8. To ensure that the resilient dual-root partitions feature operates correctly, execute

the following command to copy the new Junos OS image into the alternate root partition on each Routing Engine: user@switch> request system snapshot slice alternate routing-engine both

Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition.


1701

®


Upgrading One Routing Engine Using NSSU This procedure describes how to upgrade one of the Routing Engines using NSSU. When the upgrade completes, the backup Routing Engine is running the new software version and is the new master. The original master Routing Engine, now the backup Routing Engine, continues to run the previous software version. To upgrade one Routing Engine using NSSU: 1.

Download the software package by following the procedure in “Downloading Software Packages from Juniper Networks” on page 123.


the file to the /var/tmp directory. 3. Log in to the master Routing Engine. 4. Request an NSSU and specify the no-old-master-upgrade option:

{master} user@switch> request system software nonstop-upgrade no-old-master-upgrade /var/tmp/package-name-m.nZx-distribution.tgz

where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-8200-10.4R2.5-domestic-signed.tgz. The switch displays the following status messages as the upgrade executes: Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing Backup RE Pushing bundle to re1 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Backup upgrade done Rebooting Backup RE Rebooting re1 ISSU: Backup RE Prepare Done Waiting for Backup RE reboot GRES operational Initiating Chassis In-Service-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking In-Service-Upgrade status Item Status FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 3 Offline FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 6 Online (ISSU) FPC 7 Online (ISSU) Resolving mastership...

1702

Reason




Complete. The other routing engine becomes the master. ISSU: RE switchover Done Skipping Old Master Upgrade ISSU: IDLE

When the upgrade is complete, the original master Routing Engine (re0) becomes the backup Routing Engine. 5. To verify that the original backup Routing Engine (re1) has been upgraded, enter the

following command: {backup} user@switch> show version invoke-on all-routing-engines re0: ---------------------------------------------------------------------Hostname: switch Model: ex8208 JUNOS Base OS boot [11.3-20110429.1] JUNOS Base OS Software Suite [11.3-20110429.1] JUNOS Kernel Software Suite [11.3-20110429.1] JUNOS Crypto Software Suite [11.3-20110429.1] JUNOS Online Documentation [11.3-20110429.1] JUNOS Enterprise Software Suite [11.3-20110429.1] LC JUNOS Installation Software [11.3-20110429.1] JUNOS Routing Software Suite [11.3-20110429.1] JUNOS Web Management [11.3-20110429.1] re1: ---------------------------------------------------------------------Hostname: switch Model: ex8208 JUNOS Base OS boot [12.1-20111229.0] JUNOS Base OS Software Suite [12.1-20111229.0] JUNOS Kernel Software Suite [12.1-20111229.0] JUNOS Crypto Software Suite [12.1-20111229.0] JUNOS Online Documentation [12.1-20111229.0] JUNOS Enterprise Software Suite [12.1-20111229.0] LC JUNOS Installation Software [12.1-20111229.0] JUNOS Routing Software Suite [12.1-20111229.0] JUNOS Web Management [12.1-20111229.0] 6. To verify that the line cards that were online before the upgrade are online after the

upgrade, log in to the new master Routing Engine and enter the show chassis nonstop-upgrade command: {backup} user@switch> request routing-engine login master --- JUNOS 12.1-20111229.0 built 2011-12-29 04:12:22 UTC {master} user@switch> show chassis nonstop-upgrade Item Status Reason FPC 0 Online FPC 1 Online FPC 2 Online FPC 3 Offline Offlined by CLI command FPC 4 Online FPC 5 Online FPC 6 Online FPC 7 Online


1703

®


7. To ensure that the resilient dual-root partitions feature operates correctly, copy the

new Junos OS image into the alternate root partition of the Routing Engine: user@switch> request system snapshot slice alternate

Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition.

Upgrading the Original Master Routing Engine This procedure describes how to upgrade the original master Routing Engine after you have upgraded the original backup Routing Engine as described in “Upgrading One Routing Engine Using NSSU” on page 1702. 1.

Log in to the current master Routing Engine (re1):

2. Enter configuration mode and disable nonstop active routing: {master}[edit] user@switch# delete routing-options nonstop-routing 3. Deactivate graceful Routing Engine switchover and commit the configuration: {master}[edit] user@switch# deactivate chassis redundancy graceful-switchover {master}[edit] user@switch# commit 4. Log in to the current backup Routing Engine (re0) using a console connection. 5. Request a software installation:

user@switch> request system software add reboot /var/tmp/package-name-m.nZx-distribution.tgz

NOTE: When you use NSSU to upgrade only one Routing Engine, the installation package is not automatically deleted from /var/tmp, leaving the package available to be used to upgrade the original master Routing Engine.

6. After the upgrade completes, log in to the current master Routing Engine (re1) and

enter CLI configuration mode. 7. Re-enable nonstop active routing and graceful Routing Engine switchover: [edit] user@switch# activate chassis redundancy graceful-switchover [edit] user@switch# set routing-options nonstop-routing [edit] user@switch# commit

1704



8. To ensure that the resilient dual-root partitions feature operates correctly, exit the

CLI configuration mode and copy the new Junos OS image into the alternate root partition of the Routing Engine: user@switch> request system snapshot slice alternate

Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition. 9. (Optional) To return control to the original master Routing Engine (re0), enter the

following command: {master} user@switch> request chassis routing-engine master switch Toggle mastership between routing engines ? [yes,no] (no) yes

You can verify that re0 is the master Routing Engine by executing the show chassis routing-engine command. Related Documentation

•


•


•


•


•


•


Upgrading Software on an EX8200 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure) You can use nonstop software upgrade (NSSU) to upgrade the software on an EX8200 Virtual Chassis. NSSU upgrades the software running on all Routing Engines with minimal traffic disruption during the upgrade. NSSU is supported on EX8200 Virtual Chassis with redundant XRE200 External Routing Engines running Junos OS Release 11.1 or later.

NOTE: NSSU upgrades all Routing Engines on all members of the Virtual Chassis and on the XRE200 External Routing Engines. Using NSSU, you cannot choose to upgrade the backup Routing Engines only, nor can you choose to upgrade a specific member of the Virtual Chassis. If you need to upgrade a specific member of the Virtual Chassis, see “Installing Software for a Single Device in an EX8200 Virtual Chassis” on page 1573.



•

Upgrading the Software Using NSSU on page 1707


1705

®


Preparing the Switch for Software Installation Before you begin software installation using NSSU: •

(Optional) Configure line-card upgrade groups as described in “Configuring Line-Card Upgrade Groups for Nonstop Software Upgrade (CLI Procedure)” on page 1692. By default, NSSU upgrades line cards one at a time, starting with the line card in slot 0 of member 0. This permits aggregated Ethernet links that have members on different line cards remain up through the upgrade process. Configuring line-card upgrade groups reduces the time an upgrade takes because the line cards in each upgrade group are upgraded at the same time rather than sequentially.

•

Verify that the members are running the same version of the software: {master:8} user@external-routing-engine> show version all-members

If the Virtual Chassis members are not running the same version of the software, use the request system software add command to upgrade the software on the inconsistent members. For instructions, see “Installing Software for a Single Device in an EX8200 Virtual Chassis” on page 1573. •

Ensure that nonstop active routing (NSR) and graceful Routing Engine switchover (GRES) are enabled. To verify that they are enabled, you need to check only the state of nonstop active routing—if nonstop active routing is enabled, then graceful Routing Engine switchover is enabled. To verify that nonstop active routing is enabled: {master:8} user@switch> show task replication Stateful Replication: Enabled RE mode: Master Protocol PIM

Synchronization Status Complete

If nonstop active routing is not enabled (Stateful Replication is Disabled), see “Configuring Nonstop Active Routing on EX Series Switches (CLI Procedure)” on page 1688 for information on how to enable it.

1706



Upgrading the Software Using NSSU This procedure describes how to upgrade the software running on all Routing Engines using NSSU. When the upgrade completes, all Routing Engines are running the new version of the software. The backup external Routing Engine is now the master external Routing Engine, and the internal backup Routing Engines in the member switches are now the internal master Routing Engines in those member switches. To upgrade all Routing Engines using NSSU: 1.

Download the software package for the XRE200 External Routing Engine by following the procedure in “Downloading Software Packages from Juniper Networks” on page 123. The name of the software package for the XRE200 External Routing Engine contains the term xre200.


the file to the /var/tmp directory. 3. Log in to the master external Routing Engine using the console connection. You can

perform an NSSU from the management interface, but a console connection allows you to monitor the progress of the master Routing Engine reboot. 4. Install the new software package:

{master:8} user@external-routing-engine> request system software nonstop-upgrade reboot /var/tmp/package-name-m.nZx-distribution.tgz

where package-name-m.nZx-distribution.tgz is, for example, jinstall-ex-xre200-11.1R2.5-domestic-signed.tgz.

NOTE: You can omit reboot option. When you include the reboot option, NSSU automatically reboots the original master Routing Engines after the new image has been installed on them. If you omit the reboot option, you must manually reboot the original master Routing Engines (now the backup Routing Engines) to complete the upgrade. To perform the reboot, you must establish a connection to the console port on the Switch Fabric and Routing Engine (SRE) module or Routing Engine (RE) module.

The switch displays status messages similar to the following messages as the upgrade executes: Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing LCC Backup REs ISSU: Preparing Backup RE Pushing bundle /var/tmp/jinstall-ex-xre200-11.1-20110208.0-domestic-signed.tgz to member9 member9: -------------------------------------------------------------------------WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately VC Backup upgrade done Rebooting VC Backup RE


1707

®


Rebooting member9 ISSU: Backup RE Prepare Done Waiting for VC Backup RE reboot Pushing bundle to member0-backup Pushing bundle to member1-backup WARNING: A reboot is required to install the WARNING: Use the 'request system reboot' WARNING: A reboot is required to install the WARNING: Use the 'request system reboot'

software command immediately software command immediately

Rebooting member0-backup Rebooting LCC [member0-backup] Rebooting member1-backup Rebooting LCC [member1-backup] ISSU: LCC Backup REs Prepare Done GRES operational Initiating Chassis Nonstop-Software-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking Nonstop-Upgrade status member0: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 5 Online (ISSU) member1: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 5 Online (ISSU) member0: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 5 Online (ISSU) member1: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 5 Online (ISSU) ISSU: Upgrading Old Master RE Pushing bundle /var/tmp/incoming-package-8200.tgz to member0-master Pushing bundle /var/tmp/incoming-package-8200.tgz to member1-master ISSU: RE switchover Done

1708



WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately ISSU: Old Master Upgrade Done ISSU: IDLE *** FINAL System shutdown message from root@ *** System going down IMMEDIATELY

Shutdown NOW!

NOTE: If you omit the reboot option in this step, you must complete the upgrade by separately rebooting the original master Routing Engine on each Virtual Chassis member and the original master external Routing Engine. To reboot the original master Routing Engine on a Virtual Chassis member, you must establish a connection to the console port on the Switch Fabric and Routing Engine (SRE) module or Routing Engine (RE) module.

5. Log in after the reboot completes. To verify that the software on all Routing Engines

in the Virtual Chassis members has been upgraded, enter the following command: {backup:8} user@external-routing-engine> show version all-members 6. Verify that the line cards that were online before the upgrade are online after the

upgrade by entering the show chassis nonstop-upgrade command: {backup:8} user@external-routing-engine> show chassis nonstop-upgrade member0: -------------------------------------------------------------------------Item Status Reason FPC 0 Online FPC 1 Online FPC 2 Online FPC 5 Online member1: -------------------------------------------------------------------------Item Status Reason FPC 0 Online FPC 1 Online FPC 2 Online FPC 5 Online


•


•


•


•


•



1709

®


•


Upgrading Software on an EX4200 Virtual Chassis, EX4500 Virtual Chassis, or Mixed EX4200 and EX4500 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure) You can use nonstop software upgrade (NSSU) to upgrade the software running on all member switches in a Virtual Chassis with minimal traffic disruption during the upgrade. NSSU is supported on EX4200 Virtual Chassis, EX4500 Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis running Junos OS Release 12.1 or later. NSSU is also supported on EX8200 Virtual Chassis—see “Upgrading Software on an EX8200 Virtual Chassis Using Nonstop Software Upgrade (CLI Procedure)” on page 1705. This topic covers: •


•

Upgrading the Software Using NSSU on page 1711

Preparing the Switch for Software Installation Before you begin software installation using NSSU: •

•

Ensure that the Virtual Chassis is configured correctly to support NSSU. Verify that: •

The Virtual Chassis members are connected in a ring topology. A ring topology prevents the Virtual Chassis from splitting during an NSSU.

•

The Virtual Chassis master and backup are adjacent to each other in the ring topology. Adjacency permits the master and backup to always be in sync, even when the switches in linecard roles are rebooting.

•

The Virtual Chassis is preprovisioned so that the linecard role has been explicitly assigned to member switches acting in the linecard role. During an NSSU, the Virtual Chassis members must maintain their roles—the master and backup must maintain their master and backup roles (although mastership will change), and the other member switches must maintain their linecard roles.

•

A two-member Virtual Chassis has no-split-detection configured so that the Virtual Chassis does not split when an NSSU upgrades a member.

Verify that the members are running the same version of the software: user@switch> show version

If the Virtual Chassis members are not running the same version of the software, use the request system software add command to upgrade the software on the inconsistent members. •

1710

Ensure that nonstop active routing (NSR) and graceful Routing Engine switchover (GRES) are enabled. To verify that they are enabled, you need to check only the state of nonstop active routing—if nonstop active routing is enabled, then graceful Routing Engine switchover is enabled.



To verify that nonstop active routing is enabled: user@switch> show task replication Stateful Replication: Enabled RE mode: Master Protocol OSPF BGP PIM

Synchronization Status Complete Complete Complete

If nonstop active routing is not enabled (Stateful Replication is Disabled), see “Configuring Nonstop Active Routing on EX Series Switches (CLI Procedure)” on page 1688 for information on how to enable it. •

(Optional) Back up the system software—Junos OS, the active configuration, and log files—on each member to an external storage device with the request system snapshot command.

Upgrading the Software Using NSSU This procedure describes how to upgrade the software running on all Virtual Chassis members using NSSU. When the upgrade completes, all members are running the new version of the software. Because a graceful Routing Engine switchover occurs during the upgrade, the original Virtual Chassis backup is the new master. To upgrade all members using NSSU: 1.

Download the software package by following the procedure in “Downloading Software Packages from Juniper Networks” on page 123. If you are upgrading the software running on a mixed EX4200 and EX4500 Virtual Chassis, download the software packages for both switch types.

2. Copy the software package or packages to the Virtual Chassis. We recommend that

you copy the file to the /var/tmp directory on the master. 3. Log in to the Virtual Chassis using the console connection or the virtual management

Ethernet (VME) interface. Using a console connection allows you to monitor the progress of the master switch reboot. 4. Start the NSSU: •

On a EX4200 Virtual Chassis or EX4500 Virtual Chassis, enter: user@switch> request system software nonstop-upgrade /var/tmp/package-name.tgz

where package-name.tgz is, for example, jinstall-ex4200-12.1R2.5-domestic-signed.tgz. •

On a mixed EX4200 and EX4500 Virtual Chassis, enter: user@switch> request system software nonstop-upgrade set [/var/tmp/package-name.tgz /var/tmp/package-name.tgz]

where [/var/tmp/package-name.tgz /var/tmp/package-name.tgz] specifies the EX4200 and EX4500 software packages.


1711

®


The switch displays status messages similar to the following messages as the upgrade executes: Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing Backup RE Installing image on other FPC's along with the backup Checking pending install on fpc1 Pushing bundle to fpc1 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc1 Checking pending install on fpc2 Pushing bundle to fpc2 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc2 Rebooting fpc1 ISSU: Backup RE Prepare Done Waiting for Backup RE reboot GRES operational Initiating Chassis In-Service-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking In-Service-Upgrade status Item Status Reason FPC 0 Online FPC 1 Online FPC 2 Online (ISSU) Going to install image on master WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately relinquish mastership ISSU: IDLE *** FINAL System shutdown message from user@switch *** System going down IMMEDIATELY

Shutdown NOW! [pid 9336] 5. Log in after the reboot of the original master switch completes. To verify that the

software on all Routing Engines in the Virtual Chassis members has been upgraded, enter the following command: user@switch> show version 6. To ensure that the resilient dual-root partitions feature operates correctly, copy the

new Junos OS image into the alternate root partitions of all members: user@switch> request system snapshot slice alternate all-members

1712



Resilient dual-root partitions allow the switch to boot transparently from the alternate root partition if the system fails to boot from the primary root partition. Related Documentation

•


•


•


•


•


Verifying Power Configuration and Use Purpose

Action

Verify on an EX6200 or EX8200 switch: •

The power redundancy and line card priority settings

•

The PoE power budgets for line cards that support PoE

•

Whether the N+1 or N+N power requirements are being met

•

Whether the switch has sufficient power for a new line card or an N+N configuration

Enter the following command: user@switch> show chassis power-budget-statistics

Example output for an EX6200 switch:

PSU 0 (EX6200-PWR-AC2500) : 2500 W Online PSU 1 (EX6200-PWR-AC2500) : 2500 W Online PSU 2 (EX6200-PWR-AC2500) : 2500 W Online PSU 3 (EX6200-PWR-AC2500) : 2500 W Online Total Power supplied by all Online PSUs : 10000 W Power Redundancy Configuration : N+1 Power Reserved for the Chassis : 500 W Fan Tray Statistics Base power Power Used FTC 0 : 300 W 43.04 W FPC Statistics Base power Power Used PoE power Priority FPC FPC FPC FPC FPC FPC FPC FPC

1 2 3 4 5 6 8 9

(EX6200-48P) (EX6200-48P) (EX6200-48P) (EX6200-SRE64-4XS) (EX6200-SRE64-4XS) (EX6200-48P) (EX6200-48P) (EX6200-48T) Total Total Power Total

: : : : : : : :

220 220 220 100 100 220 220 150

(non-PoE) Power allocated Power allocated for PoE Available (Redundant case) Power Available

W W W W W W W W

49.47 47.20 1493.57 51.38 50.28 49.38 61.41 12.49 : : : :

W W W W W W W W

1750 5920 5750 2515

1440 800 1440 0 0 800 1440 0

W W W W W W W W

1 2 0 0 0 6 9 9

W W W W

Example output for an EX8200 switch:


1713

®


FPC FPC FPC FPC FPC FPC FPC

PSU 0 (EX8200-AC2K) PSU 1 (EX8200-AC2K) PSU 2 (EX8200-AC2K) PSU 3 (EX8200-AC2K) Total Power supplied by all Online PSUs Power Redundancy Configuration Power Reserved for the Chassis Statistics Base 0 (EX8200-48T) : 1 (EX8200-2XS-40P) : 2 (EX8200-48PL) : 4 (EX8200-2XS-40P) : 5 (EX8200-48TL) : 6 (EX8200-48TL) : Total Total Power Total

Meaning

•


: : : :

: 1200 W : 1200 W : 1200 W : 1200 W : 4800 W : N+1 : 1600 W power PoE 350 W 387 W 267 W 387 W 230 W 230 W 3451 950 149 510

Online Online Online Online

power 0 W 300 W 350 W 300 W 0 W 0 W

Priority 2 0 15 1 15 15

W W W W

Example output for an EX6200 switch —The online power supplies can supply a total of 10,000 W to the switch. The switch is configured for N+1 redundancy, which means 7500 W of redundant power can be supplied. The Power Available (Redundant case) field shows that the switch is meeting the N+1 power requirements, with an additional 5750 W available. This value is calculated by subtracting all power allocations except PoE power allocations from redundant power (7500 W). The total amount of power available on the switch is 2515 W. This value is calculated by subtracting all power allocations, including PoE power allocations, from the total power (10,000 W). On a switch with PoE line cards, if Total Power Available is 0, some or all of the PoE line cards might not be allocated their configured PoE power budgets, which means power to some or all PoE ports might be disabled. The power priority order of the line cards, from highest priority line card to the lowest priority line card, is 4, 5, 3, 1, 2, 6, 8, 9. Slots 4 and 5, which contain the Switch Fabric and Routing Engine (SRE) modules, always have highest priority, even if a lower-numbered slot, such as slot 3 in this example, has a priority of 0. Should two or more 2500 W power supplies fail, power management will remove or reduce the PoE power allocations from the PoE line cards in the following order to balance the power budget: 8, 6, 2, 1, and 3. The Power Used values for the fan tray and line cards shows the actual power being consumed for these components at the time the command was executed. These values are for your information only; power management uses allocated power, which is based on the maximum power the component might consume, and not actual power consumed, in determining its power budget.

•

1714

Example output for an EX8200 switch—The online power supplies can supply a total of 4800 W to the switch. The switch is configured for N+1 redundancy, which means 3600 W of redundant power can be supplied. The Power Available (Redundant case) field shows that the switch is meeting the N+1 power requirements, with an additional 149 W available. This value is calculated by subtracting all power allocations except PoE power allocations from redundant power (3600 W). Because 149 W is insufficient



power for a line card, another line card cannot be added to the switch while maintaining N+1 redundancy. The total amount of power available on the switch is 510 W. This value is calculated by subtracting all power allocations, including PoE power allocations, from the total power (4800 W). On a switch with PoE line cards, if Total Power Available is 0, some or all of the PoE line cards might not be allocated their configured PoE power budgets, which means power to some or all PoE ports might be disabled. The power priority order of the line cards, from highest priority line card to the lowest priority line card, is 1, 4, 0, 2, 5, 6. Should one or more 1200 W power supplies fail, power management will remove or reduce the PoE power allocations from the PoE line cards in the following order to balance the power budget: 2, 4, and 1.


•


•



1715

®


1716


CHAPTER 54

Configuration Statements for High Availability •

[edit redundant-power-system] Configuration Statement Hierarchy on page 1717

[edit redundant-power-system] Configuration Statement Hierarchy redundant-power-system { member member-number { priority (0|1|2|3|4|5|6); } }


•


•

Setting Priority for Switches Connected to the Redundant Power System (CLI Procedure)

•

Determining and Setting Priority for Switches Connected to an EX Series RPS

•

EX Series Redundant Power System Hardware Overview


1717

®


commit synchronize Syntax Hierarchy Level Release Information

Description

commit synchronize; [edit system]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For devices with multiple Routing Engines only. Configure a commit command to automatically result in a commit synchronize command. The Routing Engine on which you execute the commit command (the requesting Routing Engine) copies and loads its candidate configuration to the other (the responding) Routing Engines. All Routing Engines then perform a syntax check on the candidate configuration file being committed. If no errors are found, the configuration is activated and becomes the current operational configuration on all Routing Engines. Starting with Junos OS Release 9.3, accounting of events and operations on a backup Routing Engine is not supported on accounting servers such as TACACS+ or RADIUS. Logging of accounting events is supported only for events and operations on a master Routing Engine.


1718


Configuring Multiple Routing Engines to Synchronize Committed Configurations Automatically


Chapter 54: Configuration Statements for High Availability

disk-failure-action Syntax Hierarchy Level


disk-failure-action (halt | reboot); [edit chassis redundancy on-disk-failure] [edit chassis routing-engine on-disk-failure]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure the Routing Engine to halt or reboot when the Routing Engine hard disk fails. halt—Specify the Routing Engine to halt. reboot—Specify the Routing Engine to reboot.




•

Configuring the Junos OS to Enable a Routing Engine to Reboot on Hard Disk Errors

•


•



1719

®


failover (Chassis) Syntax


failover { on-disk-failure; on-loss-of-keepalives; } [edit chassis redundancy]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Specify conditions on the master Routing Engine that cause the backup router to take mastership. The remaining statements are explained separately.


1720



•

On Detection of a Hard Disk Error on the Master Routing Engine

•


•




fpc Syntax


fpc slot { pic pic-number { sfpplus { pic-modemode; } tunnel-port port-number tunnel-services; } power (off | on); power-budget-priority priority; } [edit chassis]

Statement introduced in Junos OS Release 9.4 for EX Series switches. On an EX3200 or an EX4200 switch, specify the port of the SFP+ uplink module for which you want to configure the operating mode. On an EX6200 or an EX8200 switch, specify the line card slot for which you want to assign a power priority.

NOTE: On an EX6200 switch, you cannot change the power priority of a slot containing a Switch Fabric and Routing Engine (SRE) module. Although the CLI allows you to set a different power priority for the slot, your change does not go into effect, and the power priority remains 0. A message is sent to the system log to inform you that changing the power priority of the slot is unsupported.

For generic routing encapsulation (GRE) tunneling, use the fpc statement with the tunnel-port statement to specify the port on the switch that you want to convert to a GRE tunnel port. Options

slot—Number of the slot: •

0—EX3200 and standalone EX4200 switches. The FPC value refers to the switch itself.

•

0–9—EX4200 switch in a Virtual Chassis configuration. The value corresponds to the switch’s member ID.

•

0–3 and 6–9—EX6210 switch. The slot is a line card slot. 4–5—The slot is a line card slot or an SRE module slot.

•

0–7—EX8208 switch. The slot is a line card slot.

•

0–15—EX8216 switch. The slot is a line card slot.

The remaining statements are explained separately.


1721

®




Setting the Mode on an SFP+ Uplink Module (CLI Procedure) on page 1880

•


•

Configuring Generic Routing Encapsulation Tunneling (CLI Procedure) on page 1882

fpcs Syntax Hierarchy Level


Options

fpcs (slot-number | [list-of-slot-numbers]); [edit chassis nssu upgrade-group group-name], [edit chassis nssu upgrade-group group-name member (NSSU Upgrade Groups) member-id]

Statement introduced in Junos OS Release 10.4 for EX Series switches. (EX8200 switches and EX8200 Virtual Chassis only) Assign one or more line cards to a line-card upgrade group by specifying their slot numbers. list-of-slot-numbers—A list of slot numbers of multiple line cards to be included in the

upgrade group. Separate the slot numbers with spaces and enclose the list in square brackets—for example: [3 4 7]. slot-number—The slot number of a single line card to be included in the upgrade group.


1722



•




graceful-switchover Syntax Hierarchy Level Release Information Description


graceful-switchover; [edit chassis redundancy]

Statement introduced in Junos OS Release 9.2 for EX Series switches. For switches with more than one Routing Engine, including those in a Virtual Chassis, configure the master Routing Engine to switch over gracefully to a backup Routing Engine without interruption to packet forwarding. Graceful Routing Engine switchover (GRES) is disabled. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•


inet6-advertise-interval Syntax Hierarchy Level


Options

inet6-advertise-interval milliseconds; [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure the interval between Virtual Router Redundancy Protocol (VRRP) IPv6 advertisement packets. milliseconds—Interval, in milliseconds, between advertisement packets.

Range: 100 to 40,000 ms Default: 1 second Required Privilege Level Related Documentation




1723

®


keepalive-time Syntax Hierarchy Level Release Information

keepalive-time seconds; [edit chassis redundancy]


Description

Configure the time period that must elapse before the backup router takes mastership when it detects loss of the keepalive signal.

Default

The on-loss-of-keepalives statement at the [edit chassis redundancy failover] hierarchy level must be included for failover to occur. When the on-loss-of-keepalives statement is included and graceful Routing Engine switchover is not configured, failover occurs after 300 seconds (5 minutes). When the on-loss-of-keepalives statement is included and graceful Routing Engine switchover is configured, the keepalive signal is automatically enabled and the failover time is set to 2 seconds.

Options

seconds—Time before the backup router takes mastership when it detects loss of the

keepalive signal. The range of values is 2 through 10,000. Required Privilege Level Related Documentation

1724


failover (Chassis) on page 1720

•


•

on-loss-of-keepalives on page 1729

•




member Syntax


member member-id { fpcs (slot-number | [list-of-slot-numbers]); } [edit chassis nssu upgrade-group group-name]

Statement introduced in Junos OS Release 11.1 for EX Series switches. (EX8200 Virtual Chassis only) Specify the Virtual Chassis member whose line cards you are assigning to the upgrade group. To create an upgrade group that includes line cards from different Virtual Chassis members, separately configure each Virtual Chassis member as part of the upgrade group.

Options

member-id—The ID of the Virtual Chassis member.




•


n-plus-n Syntax Hierarchy Level Release Information Description


n-plus-n; [edit chassis psu redundancy]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure N+N power supply redundancy for power management on an EX6200 or EX8200 switch. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •



1725

®


nonstop-bridging Syntax Hierarchy Level Release Information Description


nonstop-bridging; [edit ethernet-switching-options]

Statement introduced in Junos OS Release 11.3 for EX Series switches. For switches with two Routing Engines or for Virtual Chassis, configure a master Routing Engine to switch over gracefully to a backup Routing Engine and preserve Layer 2 protocol information for the Layer 2 protocols that support nonstop bridging (NSB). For a list of the EX Series switches and Layer 2 protocols that support nonstop bridging, see “EX Series Switch Software Features Overview” on page 3. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


nonstop-routing Syntax Hierarchy Level Release Information

Description


1726

nonstop-routing; [edit routing-options]

Statement introduced in Junos OS Release 8.4. Statement introduced in Junos OS Release 10.4 for EX Series switches. For routing platforms with two Routing Engines, configure a master Routing Engine to switch over gracefully to a backup Routing Engine and preserve routing protocol information. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Configuring Nonstop Active Routing

•




nssu Syntax


nssu { upgrade-group group-name { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); member (NSSU Upgrade Groups) member-id { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); } } } [edit chassis]

Statement introduced in Junos OS Release 10.4 for EX Series switches. (EX8200 switches and EX8200 Virtual Chassis only) Define a line-card upgrade group for nonstop software upgrade (NSSU). All line cards in an upgrade group are upgraded to the new software version at the same time. The remaining statements are explained separately.

Default


If no line-card upgrade groups are defined, NSSU upgrades line cards one at a time in ascending order by slot number. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•



1727

®


on-disk-failure Syntax

Hierarchy Level

Release Information Description Options Required Privilege Level Related Documentation

1728

on-disk-failure { disk-failure-action (halt | reboot); } [edit chassis redundancy] [edit chassis routing-engine]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Instruct the router to halt or reboot if it detects hard disk errors on the Routing Engine. The remaining statement is explained separately. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•




on-loss-of-keepalives Syntax Hierarchy Level Release Information Description

Default

on-loss-of-keepalives; [edit chassis redundancy failover]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Instruct the backup router to take mastership if it detects a loss of keepalive signal from the master Routing Engine. The on-loss-of-keepalives statement must be included at the [edit chassis redundancy failover] hierarchy level for failover to occur. When the on-loss-of-keepalives statement is included but graceful Routing Engine switchover is not configured, failover occurs after 300 seconds (5 minutes). When the on-loss-of-keepalives statement is included and graceful Routing Engine switchover is configured, the keepalive signal is automatically enabled and the failover time is set to 2 seconds.




•

keepalive-time on page 1724

•


•



1729

®


power-budget-priority Syntax Hierarchy Level Release Information Description

power-budget-priority priority; [edit chassis fpc slot]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Assign a power priority to the specified line card slot on an EX6200 or EX8200 switch.

NOTE: On an EX6200 switch, you cannot change the power priority of a slot containing a Switch Fabric and Routing Engine (SRE) module. Although the CLI allows you to set a different power priority for the slot, your change does not go into effect, and the power priority remains 0. A message is sent to the system log to inform you that changing the power priority of the slot is unsupported.

Default

Options


1730

All line card slots are initially assigned the lowest priority, with the exception of slot 4 and slot 5 on the EX6200 switch, which always are assigned a priority of 0. priority—Assigned power priority for the slot, with 0 being the highest priority: •

0 through 9 for an EX6200 switch

•


•






preempt Syntax

Hierarchy Level


(preempt | no-preempt) { hold-time seconds; } [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure whether a backup router can preempt a master router: •

preempt—Allow the master router to be preempted.

•

no-preempt—Prohibit the preemption of the master router.





1731

®


priority Syntax Hierarchy Level

Release Information

priority number; [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id], [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id]


Description

Configure a switch’s priority for becoming the master default routing platform. The routing platform with the highest priority within the group becomes the master.

Options

number—Routing platform’s priority for being elected to be the master router in the VRRP

group. A larger value indicates a higher priority for being elected. Range: 1 through 255 Default: 100 (for backup routers)

NOTE: Priority 255 cannot be assigned to routed VLAN interfaces (RVIs).


1732





psu Syntax


psu { redundancy { n-plus-n (Power Management); } } [edit chassis]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure N+N power supply redundancy for power management on an EX6200 or EX8200 switch. The remaining statements are explained separately.





1733

®


redundancy (Graceful Switchover) Syntax


redundancy { failover { on-disk-failure; on-loss-of-keepalives; } graceful-switchover; } [edit chassis]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Enable redundant Routing Engines on a Virtual Chassis with two or more member switches or on a standalone EX6200 or EX8200 switch with more than one Routing Engine. The remaining statements are explained separately.


1734

Redundancy is enabled for the Routing Engines. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•




redundancy (Power Management) Syntax


redundancy { n-plus-n (Power Management); } [edit chassis psu]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure N+N power supply redundancy for power management on an EX6200 or EX8200 switch. The remaining statement is explained separately.


N+1 power supply redundancy is configured by default. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


routing-engine Syntax



routing-engine { on-disk-failure { disk-failure-action (halt | reboot); } } [edit chassis]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure a Routing Engine to halt or reboot automatically when a hard disk error occurs. A hard disk error may cause a Routing Engine to enter a state in which it responds to local pings and interfaces remain up, but no other processes are responding. Rebooting or halting prevents this. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•

Junos High Availability Configuration Guide


1735

®


traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file name > ; flag flag ; } [edit protocols bfd], [edit protocols bgp], [edit protocols isis], [edit protocols ldp], [edit protocols mpls], [edit protocols msdp] [edit protocols ospf], [edit protocols ospf3], [edit protocols pim], [edit protocols rip], [edit protocols ripng], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 10.4 for EX Series switches. nsr-synchronization flag for BGP, IS-IS, LDP, and OSPF added in Junos OS Release 8.4. nsr-synchronization and nsr-packet flags for BFD sessions added in Junos OS Release 8.5. nsr-synchronization flag for RIP and RIPng added in Junos OS Release 9.0. nsr-synchronization flag for Layer 2 VPNs and VPLS added in Junos OS Release 9.1. nsr-synchronization flag for PIM added in Junos OS Release 9.3. nsr-synchronization flag for MPLS added in Junos OS Release 10.1. nsr-synchronization flag for MSDP added in Junos OS Release 12.1. Define tracing operations that track nonstop active routing (NSR) functionality in the router. To specify more than one tracing operation, include multiple flag statements.

Default Options

If you do not include this statement, no global tracing operations are performed. disable—(Optional) Disable the tracing operation. You can use this option to disable a

single operation when you have defined a broad group of tracing operations, such as all. file name—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. We recommend that you place global routing protocol tracing output in the file routing-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

1736



Range: 2 through 1000 files Default: 2 files If you specify a maximum number of files, you also must specify a maximum file size with the size option. flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements. The nonstop active routing tracing options are: •

nsr-packet—Detailed trace information for BFD nonstop active routing only

•

nsr-synchronization—Tracing operations for nonstop active routing

•

nsr-synchronization-detail—(MPLS only) Tracing operations for nonstop active routing

in detail flag-modifier—(Optional) Modifier for the tracing flag. Except for BFD sessions, you can

specify one or more of these modifiers: •

detail—Detailed trace information

•

receive—Packets being received

•

send—Packets being transmitted

no-world-readable—Restrict users from reading the log file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB If you specify a maximum file size, you also must specify a maximum number of trace files with the files option. world-readable—Allow users to read the log file.


routing and trace—To view this statement in the configuration. routing-control and trace-control—To add this statement to the configuration. •



1737

®


upgrade-group Syntax


Options

upgrade-group group-name { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); member (NSSU Upgrade Groups) member-id { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); } } [edit chassis nssu]

Statement introduced in Junos OS Release 10.4 for EX Series switches. (EX8200 switches and EX8200 Virtual Chassis only) Assign a name to the line-card upgrade group being created for nonstop software upgrade (NSSU). group-name—Name of the upgrade group.


1738



•




virtual-inet6-address Syntax Hierarchy Level


virtual-inet6-address [addresses]; [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure the addresses of the virtual routers in a Virtual Router Redundancy Protocol (VRRP) IPv6 group. You can configure up to eight addresses.

NOTE: The address of an aggregated Ethernet interface (a LAG) or a routed VLAN interface (RVI) cannot be assigned as the virtual router address in a VRRP IPv6 group.

Options

addresses—Addresses of one or more virtual routers. Do not include a prefix length. If the

address is the same as the interface’s physical address, the interface becomes the master virtual router for the group. Required Privilege Level Related Documentation




1739

®


virtual-link-local-address Syntax Hierarchy Level



1740

virtual-link-local-address ipv6-address; [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-inet6-group group-id] [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure a virtual link local address for a Virtual Router Redundancy Protocol (VRRP) IPv6 group. You must explicitly define a virtual link local address for each VRRP IPv6 group. The virtual link local address must be in the same subnet as the physical interface address. ipv6-address—Virtual link local IPv6 address for VRRP for an IPv6 group.





vrrp-inet6-group Syntax


vrrp-inet6-group group-id { inet6-advertise-interval milliseconds; preempt{ hold-time seconds; } priority number; virtual-inet6-address; virtual-link-local-address } [edit interfaces interface-name unit logical-unit-number family inet6 address address]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure a Virtual Router Redundancy Protocol (VRRP) IPv6 group. group-id—VRRP group identifier. If you enable MAC source address filtering on the

interface, you must include the virtual MAC address in the list of source MAC addresses that you specify in the source-address-filter statement. MAC addresses ranging from 00:00:5e:00:01:00 through 00:00:5e:00:01:ff are reserved for VRRP, as defined in RFC 3768. The VRRP group number must be the decimal equivalent of the last hexadecimal byte of the virtual MAC address. Range: 0 through 255 The remaining statements are explained separately. Required Privilege Level Related Documentation




1741

®


1742


CHAPTER 55

Operational Commands for High Availability


1743

®


request system software nonstop-upgrade Syntax

Release Information

Description

request system software nonstop-upgrade (package-name | set [package-name package-name])

Command introduced in Junos OS Release 10.4 for EX Series switches. Option set [package-name package-name] added in Junos OS Release 12.1 for EX Series switches. Perform a nonstop software upgrade (NSSU) on a switch with redundant Routing Engines or on a Virtual Chassis. The behavior of this command depends on which switch or Virtual Chassis it is executed on: •

When you execute this command on an EX4200, EX4500, or mixed EX4200 and EX4500 Virtual Chassis, all Virtual Chassis members are upgraded. The original Virtual Chassis backup becomes the master. The original master is automatically upgraded and rebooted and rejoins the Virtual Chassis after the upgrade completes.

•

When you execute this command on an EX8200 switch, both the backup and master Routing Engines are upgraded, with the original backup Routing Engine becoming the new master at the end of the upgrade. The original master Routing Engine is not automatically rebooted, unless you specify the reboot option.

•

When you execute this command on an EX8200 Virtual Chassis, all master and backup Routing Engines are upgraded in the Virtual Chassis, including the external Routing Engines. The original backup Routing Engines become the new master Routing Engines. The original master Routing Engines are not automatically rebooted, unless you specify the reboot option.

This command has the following requirements:

1744

•

All Virtual Chassis members and all Routing Engines must be running the same Junos OS release.

•

Graceful Routing Engine switchover (GRES) must be enabled.

•

Nonstop active routing (NSR) must be enabled.

•

The command must be executed from the master Routing Engine on a standalone switch or from the master on a Virtual Chassis.

•

For minimal traffic disruption, you must define link aggregation groups (LAGs) such that the member links reside on different Virtual Chassis members (for EX4200 , EX4500, and mixed EX4200 and EX4500 Virtual Chassis) or on different line cards (for EX8200 switches and EX8200 Virtual Chassis).

•

For EX4200, EX4500, and mixed EX4200 and EX4500 Virtual Chassis:


Chapter 55: Operational Commands for High Availability

Options

•

The Virtual Chassis members must be connected in a ring topology. A ring topology prevents the Virtual Chassis from splitting during an NSSU.

•

The Virtual Chassis master and backup must be adjacent to each other in the ring topology. Adjacency permits the master and backup to always be in sync, even when the switches in linecard roles are rebooting.

•

The Virtual Chassis must be preprovisioned so that the linecard role has been explicitly assigned to member switches acting in a linecard role. During an NSSU, the Virtual Chassis members must maintain their roles—the master and backup must maintain their Routing Engine roles (although mastership will change), and the remaining switches must maintain their linecard roles.

•

A two-member Virtual Chassis must have no-split-detection configured so that the Virtual Chassis does not split when an NSSU upgrades a member.

package-name—Location from which the software package or bundle is to be installed.

For example: •

/var/tmp/package-name—For a software package or bundle that is being installed

from a local directory on the switch. •

protocol://hostname/pathname/package-name—For a software package or bundle

that is to be downloaded and installed from a remote location. Replace protocol with one of the following: •

ftp—File Transfer Protocol.

Use ftp://hostname/pathname/package-name. To specify authentication credentials, use ftp://:@hostname/pathname/package-name. To have the system prompt you for the password, specify prompt in place of the password. If a password is required, and you do not specify the password or prompt, an error message is displayed. •

http—Hypertext Transfer Protocol.

Use http://hostname/pathname/package-name. To specify authentication credentials, use http://:@hostname/pathname/package-name. If a password is required and you omit it, you are prompted for it. •

scp—Secure copy (available only for Canada and U.S. version).

Use scp://hostname/pathname/package-name. To specify authentication credentials, use scp://:@hostname/pathname/package-name.

NOTE: The pathname in the protocol is the relative path to the user home directory on the remote system and not the root directory.


1745

®


set [package-name package-name]—(Mixed EX4200 and EX4500 Virtual Chassis only)

Locations of the EX4200 and the EX4500 installation packages. These packages must be for the same Junos OS release. See the description of the package-name option for information about how to specify the location of the installation packages. no-copy—(Optional) Install a software package or bundle, but do not save copies of

package or bundle files. no-old-master-upgrade—(Optional) (Standalone EX8200 switches only) Upgrade the

backup Routing Engine only. After the upgrade completes, the original master Routing Engine becomes the backup Routing Engine and continues running the previous software version. reboot—(Optional) (EX8200 switch and EX8200 Virtual Chassis only) When the reboot

option is included, the original master (new backup) Routing Engines are automatically rebooted after being upgraded to the new software. When the reboot option is not included, you must manually reboot the original master (new backup) Routing Engines using the request system reboot command.

NOTE: If you do not use the reboot option on an EX8200 Virtual Chassis, you must establish a connection to the console port on the Switch Fabric and Routing Engine (SRE) module or Routing Engine (RE) module to perform the manual reboot of the backup Routing Engines.

unlink—(Optional) Remove the software package after a successful upgrade is completed.


maintenance

•

show chassis nonstop-upgrade on page 1752

•


•


•



request system software nonstop-upgrade (EX4200 Virtual Chassis) on page 1747 request system software nonstop-upgrade reboot (EX8200 Switch) on page 1748 request system software nonstop-upgrade no-old-master-upgrade (EX8200 Switch) on page 1749 request system software nonstop-upgrade reboot (EX8200 Virtual Chassis) on page 1749

Output Fields


1746



Sample Output request system software nonstop-upgrade (EX4200 Virtual Chassis)

user@switch> request system software nonstop-upgrade /var/tmp/jinstall-ex-4200–12.1R5.5–domestic-signed.tgz Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing Backup RE Installing image on other FPC's along with the backup Checking pending install on fpc1 Pushing bundle to fpc1 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc1 Checking pending install on fpc2 Pushing bundle to fpc2 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc2 Checking pending install on fpc3 Pushing bundle to fpc3 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc3 Checking pending install on fpc4 Pushing bundle to fpc4 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc4 Checking pending install on fpc5 Pushing bundle to fpc5 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc5 Checking pending install on fpc6 Pushing bundle to fpc6 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc6 Checking pending install on fpc7 Pushing bundle to fpc7 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Completed install on fpc7 Backup upgrade done Rebooting Backup RE Rebooting fpc1 ISSU: Backup RE Prepare Done Waiting for Backup RE reboot GRES operational Initiating Chassis In-Service-Upgrade Chassis ISSU Started ISSU: Preparing Daemons


1747

®


ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking In-Service-Upgrade status Item Status Reason FPC 0 Online FPC 1 Online FPC 2 Online (ISSU) FPC 3 Online (ISSU) FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 6 Online (ISSU) FPC 7 Online (ISSU) Going to install image on master WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately relinquish mastership ISSU: IDLE *** FINAL System shutdown message from root@switch *** System going down IMMEDIATELY

Shutdown NOW! [pid 9336]

request system software nonstop-upgrade reboot (EX8200 Switch)

{master} user@switch> request system software nonstop-upgrade reboot /var/tmp/jinstall-ex-8200–10.4R1.5–domestic-signed.tgz Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing Backup RE Pushing bundle to re1 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Backup upgrade done Rebooting Backup RE Rebooting re1 ISSU: Backup RE Prepare Done Waiting for Backup RE reboot GRES operational Initiating Chassis In-Service-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking In-Service-Upgrade status Item Status Reason FPC 0 Online (ISSU) FPC 2 Offline Offlined by CLI command FPC 3 Online (ISSU) Resolving mastership... Complete. The other routing engine becomes the master. ISSU: RE switchover Done ISSU: Upgrading Old Master RE WARNING: A reboot is required to install the software

1748



WARNING: Use the 'request system reboot' command immediately ISSU: Old Master Upgrade Done ISSU: IDLE Shutdown NOW! [pid 2635]

*** FINAL System shutdown message from user@switch *** System going down IMMEDIATELY

request system software nonstop-upgrade no-old-master-upgrade (EX8200 Switch)

{master} user@switch> request system software nonstop-upgrade no-old-master-upgrade /var/tmp/jinstall-ex-8200–10.4R1.5–domestic-signed.tgz Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing Backup RE Pushing bundle to re1 WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Backup upgrade done Rebooting Backup RE Rebooting re1 ISSU: Backup RE Prepare Done Waiting for Backup RE reboot GRES operational Initiating Chassis In-Service-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking In-Service-Upgrade status Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 3 Offline Offlined by CLI command FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 6 Online (ISSU) FPC 7 Online (ISSU) Resolving mastership... Complete. The other routing engine becomes the master. ISSU: RE switchover Done Skipping Old Master Upgrade ISSU: IDLE

request system software nonstop-upgrade reboot (EX8200 Virtual Chassis)

{master:9} user@external-routing-engine> request system software nonstop-upgrade reboot /var/tmp/jinstall-ex-xre200-11.1-20101130.0-domestic-signed.tgz Chassis ISSU Check Done ISSU: Validating Image ISSU: Preparing LCC Backup REs ISSU: Preparing Backup RE Pushing bundle /var/tmp/jinstall-ex-xre200-11.1-20101130.0-domestic-signed.tgz to member8 -------------------------------------------------------------------------WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately


1749

®


VC Backup upgrade done Rebooting VC Backup RE Rebooting member8 ISSU: Backup RE Prepare Done Waiting for VC Backup RE reboot Pushing bundle to member0-backup Pushing bundle to member1-backup WARNING: A reboot is required to install the WARNING: Use the 'request system reboot' WARNING: A reboot is required to install the WARNING: Use the 'request system reboot'

software command immediately software command immediately

Rebooting member0-backup Rebooting LCC [member0-backup] Rebooting member1-backup Rebooting LCC [member1-backup] ISSU: LCC Backup REs Prepare Done GRES operational Initiating Chassis Nonstop-Software-Upgrade Chassis ISSU Started ISSU: Preparing Daemons ISSU: Daemons Ready for ISSU ISSU: Starting Upgrade for FRUs ISSU: Preparing for Switchover ISSU: Ready for Switchover Checking Nonstop-Upgrade status member0: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 5 Online (ISSU) member1: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Offline Offlined due to config FPC 2 Online (ISSU) FPC 3 Online (ISSU) FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 7 Online (ISSU) member0: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Online (ISSU) FPC 2 Online (ISSU) FPC 5 Online (ISSU) member1: -------------------------------------------------------------------------Item Status Reason FPC 0 Online (ISSU) FPC 1 Offline Offlined due to config FPC 2 Online (ISSU)

1750



FPC 3 Online (ISSU) FPC 4 Online (ISSU) FPC 5 Online (ISSU) FPC 7 Online (ISSU) ISSU: Upgrading Old Master RE Pushing bundle /var/tmp/incoming-package-8200.tgz to member0-master Pushing bundle /var/tmp/incoming-package-8200.tgz to member1-master ISSU: RE switchover Done WARNING: A reboot is required to install the software WARNING: Use the 'request system reboot' command immediately Rebooting ... shutdown: [pid 2188] Shutdown NOW! ISSU: Old Master Upgrade Done ISSU: IDLE Shutdown NOW! *** FINAL System shutdown message from root@ *** System going down IMMEDIATELY


1751

®


show chassis nonstop-upgrade Syntax Release Information Description



Output Fields

show chassis nonstop-upgrade

Command introduced in Junos OS Release 10.4 for EX Series switches. (EX8200 switches and EX8200 Virtual Chassis only) Display the status of the line cards or Virtual Chassis members in the linecard role after the most recent nonstop software upgrade (NSSU). This command must be issued on the master Routing Engine. view

•

request system software nonstop-upgrade on page 1744

•


•


show chassis nonstop-upgrade (EX8200 Switch) on page 1752 show chassis nonstop-upgrade (EX8200 Virtual Chassis) on page 1753 Table 193 on page 1752 lists the output fields for the show chassis nonstop-upgrade command. Output fields are listed in the approximate order in which they appear.

Table 193: show chassis nonstop-upgrade Output Fields Field Name

Field Description

Item

Line card slot number.

Status

State of line card:

Reason

•

Error—Line card is in an error state.

•

Offline—Line card is powered down.

•

Online—Line card is online and running.

Reason for the state (if the line card is offline).

Sample Output show chassis nonstop-upgrade (EX8200 Switch)

1752

user@switch> show chassis nonstop-upgrade Item Status FPC 0 Online FPC 1 Online FPC 2 Online FPC 3 Offline FPC 4 Online FPC 5 Online

Reason




FPC 6 FPC 7

show chassis nonstop-upgrade (EX8200 Virtual Chassis)

Online Online

user@external-routing-engine> show chassis nonstop-upgrade member0: -------------------------------------------------------------------------Item Status Reason FPC 0 Online FPC 1 Online FPC 2 Online FPC 5 Online member1: -------------------------------------------------------------------------Item Status Reason FPC 0 Online FPC 1 Offline Offlined due to config FPC 2 Online FPC 3 Online FPC 4 Online FPC 5 Online FPC 7 Online


1753

®


show chassis power-budget-statistics Syntax Release Information Description Required Privilege Level Related Documentation


Output Fields

show chassis power-budget-statistics

Command introduced in Junos OS Release 10.2 for EX Series switches. Display the power budget of an EX6200 or EX8200 switch. view

•


•


•


show chassis power-budget-statistics (EX6200 Switch) on page 1756 show chassis power-budget-statistics (EX8200 Switch) on page 1756 Table 194 on page 1754 lists the output fields for the show chassis power-budget-statistics command. Output fields are listed in the approximate order in which they appear.

Table 194: show chassis power-budget-statistics Output Fields Field Name

Field Description

PSU n (supply type)

Capacity rating of the power supply and whether the power supply is currently operating (Online) or not (Offline). If a power supply is offline, the capacity is shown as 0 W.

Total Power supplied by all Online PSUs

Total number of watts supplied by all currently operating power supplies.

Power Redundancy Configuration

Configured power redundancy setting, either N+1 or N+N.

Power Reserved for the Chassis

Power reserved for the chassis: •

For an EX6200 switch, 500 W.

•

For an EX8208 switch: 1600 W in an N+1 configuration; 1200 W in an N+N configuration

•

For an EX8216 switch: 2400 W in an N+1 configuration; 1800 W in an N+N configuration

The power reserved for the chassis includes the maximum power requirements for the fan tray and Switch Fabric and Routing Engine (SRE), Routing Engine (RE), and Switch Fabric (SF) modules in both base and redundant configurations.

1754



Table 194: show chassis power-budget-statistics Output Fields (continued) Field Name

Field Description

Fan Tray Statistics

(EX6200 switch only) Information about the fan tray: •

Base power—Power allocated to the fan tray in the power budget. This allocation is included in Power Reserved for the Chassis.

•

Power Used—Actual power being used by the fan tray. This

value is for informational purposes only: the power budget for the switch is based on allocated power (the theoretical maximum the fan tray might use) rather than used power. FPC n (card type)

Information about the line card installed in slot n. For EX6200 switches, information about the SRE modules in slot 4 and slot 5 is also shown. •

Base power—For line cards without PoE ports, the total

power allocated to the line card. For line cards with PoE ports, the power allocated to the line card before the PoE power budget is allocated. The base power includes 37 W of PoE power that is always allocated to line cards that support PoE. •

Power Used—(EX6200 switch only) The actual power being

consumed by the line card or SRE module, including PoE power. This value is for informational purposes only: the power budget for the switch is based on allocated power (the theoretical maximum the line card might use) rather than used power. •

PoE power—For line cards with PoE ports, the PoE power

budget allocated to the line card. This value includes the 37 W of PoE power that is always part of the base power allocation for line cards that support PoE. For line cards without PoE ports, the value is always 0 W. •

The power priority assigned to the line card slot.

Total (non-PoE) Power allocated

Power budgeted for all the components in the switch, excluding the PoE power budget allocated to line cards. This value is equal to the power reserved for the chassis plus the base power allocations of all online line cards.

Total Power allocated for PoE

The total of the PoE power budgets allocated to the line cards in the switch. This figure includes the 37 W of PoE power always included in the base allocation for each line card that supports PoE.

Power Available (Redundant case)

Unused power available to the switch in the power budget, not including the power reserved for redundancy. If power is insufficient to meet the N+1 or N+N redundancy requirements, this value is 0. PoE power allocations are not included in the calculation of this value.


1755

®


Table 194: show chassis power-budget-statistics Output Fields (continued) Field Name

Field Description

Total Power Available

Unused power available to the switch in the power budget. This value is derived by subtracting all power allocations, including PoE power allocations, from the total power available on the switch (the Total Power supplied by all Online PSUs value).

Sample Output show chassis power-budget-statistics (EX6200 Switch)

user@switch> show chassis power-budget-statistics PSU 0 (EX6200-PWR-AC2500) : 2500 W Online PSU 1 (EX6200-PWR-AC2500) : 2500 W Online PSU 2 (EX6200-PWR-AC2500) : 2500 W Online PSU 3 (EX6200-PWR-AC2500) : 2500 W Online Total Power supplied by all Online PSUs : 10000 W Power Redundancy Configuration : N+1 Power Reserved for the Chassis : 500 W Fan Tray Statistics Base power Power Used FTC 0 : 300 W 43.04 W FPC Statistics Base power Power Used PoE power Priority FPC FPC FPC FPC FPC FPC FPC FPC

1 2 3 4 5 6 8 9

(EX6200-48P) (EX6200-48P) (EX6200-48P) (EX6200-SRE64-4XS) (EX6200-SRE64-4XS) (EX6200-48P) (EX6200-48P) (EX6200-48T) Total Total Power Total

show chassis power-budget-statistics (EX8200 Switch)

: : : : : : : :

W W W W W W W W

49.47 47.20 1493.57 51.38 50.28 49.38 61.41 12.49


: : : :

W W W W W W W W

1 5 9 10 12

(EX8200-48T) (EX8200-2XS-40P) (EX8200-48PL) (EX8200-2XS-40T) (EX8200-48T)

Total (non-PoE) Power allocated Total Power allocated for PoE

: : : : : : :

1440 800 1440 0 0 800 1440 0

1750 5920 5750 2515

user@switch> show chassis power-budget-statistics PSU 0 (EX8200-AC2K) : 2000 W PSU 1 (EX8200-AC2K) : 2000 W PSU 2 (EX8200-AC2K) : 2000 W PSU 3 (EX8200-AC2K) : 2000 W PSU 4 (EX8200-AC2K) : 2000 W Total Power supplied by all Online PSUs : 10000 W Power Redundancy Configuration : N+1 Power Reserved for the Chassis : 2400 W FPC Statistics Base power FPC FPC FPC FPC FPC

1756

220 220 220 100 100 220 220 150

350 387 267 350 350

W W W W W

W W W W W W W W

1 2 0 0 0 6 9 9

W W W W

Online Online Online online Online

PoE power 0 792 915 0 0

W W W W W

Priority 15 0 15 1 15

4104 W 1707 W



Power Available (Redundant case) Total Power Available


: :

3896 W 4263 W

1757

®


show vrrp Syntax

Release Information

Description Options

show vrrp

Statement introduced in Junos OS Release 10.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Display information and status about VRRP groups. none—(Same as brief) Display brief status information about all VRRP interfaces. brief | detail | extensive | summary—(Optional) Display the specified level of output. interface interface-name —(Optional) Display information and status about the specified

VRRP interface. track interfaces—(Optional) Display information and status about VRRP track interfaces.


Output Fields

view

•


show vrrp on page 1763 show vrrp brief on page 1763 show vrrp detail (IPv6) on page 1763 show vrrp detail (Route Track) on page 1764 show vrrp extensive on page 1764 show vrrp interface on page 1765 show vrrp summary on page 1766 show vrrp track detail on page 1766 show vrrp track summary on page 1766 Table 195 on page 1758 lists the output fields for the show vrrp command. Output fields are listed in the approximate order in which they appear.

Table 195: show vrrp Output Fields Field Name

Field Description

Level of Output

Interface


none, brief, extensive, summary

Interface index

Physical interface index number, which reflects its initialization sequence.

extensive

Groups

Total number of VRRP groups configured on the interface.

extensive

1758



Table 195: show vrrp Output Fields (continued) Field Name

Field Description

Level of Output

Active

Total number of VRRP groups that are active (that is, whose interface state is either up or down).

extensive

Interface VRRP PDU statistics

Nonerrored statistics for the logical interface:

extensive

•

Advertisement sent—Number of VRRP advertisement protocol data units

(PDUs) that the interface has transmitted. •

Advertisement received—Number of VRRP advertisement PDUs received by

the interface. •

Packets received—Number of VRRP packets received for VRRP groups on the

interface. •

No group match received—Number of VRRP packets received for VRRP groups

that do not exist on the interface. Interface VRRP PDU error statistics

Errored statistics for the logical interface: •

extensive

Invalid IPAH next type received—Number of packets received that use the IP

Authentication Header protocol (IPAH) and that do not encapsulate VRRP packets. •

Invalid VRRP ttl value received—Number of packets received whose IP time-

to-live (TTL) value is not 255. •

Invalid VRRP version received—Number of packets received whose VRRP

version is not 2. •

Invalid VRRP pdu type received—Number of packets received whose VRRP

PDU type is not 1. •

Invalid VRRP authentication type received—Number of packets received whose

VRRP authentication is not none, simple, or md5. •

Invalid VRRP IP count received—Number of packets received whose VRRP IP

count exceeds 8. •

Invalid VRRP checksum received—Number of packets received whose VRRP

checksum does not match the calculated value. Physical interface

Name of the physical interface.

detail, extensive

Unit

Logical unit number.

All levels

Address

Address of the physical interface.

none, brief, detail, extensive

Index

Physical interface index number, which reflects its initialization sequence.

detail, extensive

SNMP ifIndex

SNMP index number for the physical interface.

detail, extensive

VRRP-Traps

Status of VRRP traps: Enabled or Disabled.

detail, extensive


1759

®



Field Description

Level of Output

Type and Address

Identifier for the address and the address itself:

none, brief, summary

•

lcl—Configured local interface address.

•

mas—Address of the master virtual router. This address is displayed only

when the local interface is acting as a backup router. •

Interface state or Int state

vip—Configured virtual IP addresses.

State of the physical interface:


•

down—The device is present and the link is unavailable.

•

not present—The interface is configured, but no physical device is present.

•

unknown—The VRRP process has not had time to query the kernel about the

state of the interface. •

up—The device is present and the link is established.

Group

VRRP group number.


State

VRRP state:

extensive

•

backup—The interface is acting as the backup router interface.

•

bringup—VRRP is just starting, and the physical device is not yet present.

•

idle—VRRP is configured on the interface and is disabled. This can occur when

VRRP is first enabled on an interface whose link is established. •

initializing—VRRP is initializing.

•

master—The interface is acting as the master router interface.

•

transition—The interface is changing between being the backup and being

the master router. Priority

Configured VRRP priority for the interface.

detail, extensive

Advertisement interval

Configured VRRP advertisement interval.

detail, extensive

Authentication type

Configured VRRP authentication type: none, simple, or md5.

detail, extensive

Preempt

Whether preemption is allowed on the interface: yes or no.

detail, extensive

Accept-data mode

Whether the interface is configured to accept packets destined for the virtual IP address: yes or no.

detail, extensive

VIP count

Number of virtual IP addresses that have been configured on the interface.

detail, extensive

VIP

List of virtual IP addresses configured on the interface.

detail, extensive

Advertisement timer

Time until the advertisement timer expires.

detail, extensive

1760




Field Description

Level of Output

Master router

IP address of the interface that is acting as the master. If the VRRP interface is down, the output is N/A.

detail, extensive

Virtual router uptime

Time that the virtual router has been up.

detail, extensive

Master router uptime

Time that the master router has been up.

detail, extensive

Virtual MAC

MAC address associated with the virtual IP address.

detail, extensive

Tracking

Whether tracking is enabled or disabled.

detail, extensive

Current priority

Current operational priority for being the VRRP master.

detail, extensive

Configured priority

Configured base priority for being the VRRP master.

detail, extensive

Priority hold-time

Minimum time interval, in seconds, between successive changes to the current priority. Disabled indicates no minimum interval.

detail, extensive

Remaining-time

(track option only) Displays the time remaining in the priority hold-time interval.

detail

Interface tracking

Whether interface tracking is enabled or disabled. When enabled, the output also displays the number of tracked interfaces.

detail extensive

Interface/Tracked interface

Name of the tracked interface.

detail extensive

Int state/Interface state

Current operational state of the tracked interface: up or down.

detail, extensive

Int speed/Speed

Current operational speed, in bits per second, of the tracked interface.

detail, extensive

Incurred priority cost

Operational priority cost incurred due to the state and speed of this tracked interface. This cost is applied to the configured priority to obtain the current priority.

detail, extensive

Threshold

Speed below which the corresponding priority cost is incurred. In other words, when the speed of the interface drops below the threshold speed, the corresponding priority cost is incurred.

detail, extensive

An entry of down means that the corresponding priority cost is incurred when the interface is down. Route tracking

Whether route tracking is enabled or disabled. When enabled, the output also displays the number of tracked routes.

detail, extensive

Route count

The number of routes being tracked.

detail, extensive


1761

®



Field Description

Level of Output

Route

The IP address of the route being tracked.

detail, extensive

VRF name

The VPN routing and forwarding (VRF) routing instance that the tracked route is in.

detail, extensive

Route state

The state of the route being tracked: up, down, or unknown.

detail, extensive

Priority cost

Configured priority cost. This value is incurred when the interface speed drops below the corresponding threshold or when the tracked route goes down.

detail, extensive

Active

Whether the threshold is active (*). If the threshold is active, the corresponding priority cost is incurred.

detail, extensive

Group VRRP PDU statistics

Number of VRRP advertisements sent and received by the group.

extensive

Group VRRP PDU error statistics

Errored statistics for the VRRP group:

extensive

•

Bad authentication type received—Number of VRRP PDUs received with an invalid authentication type. The received authentication can be none, simple, or md5 and must be the same for all routers in the VRRP group.

•

Bad password received—Number of VRRP PDUs received with an invalid key

(password). The password for simple authentication must be the same for all routers in the VRRP group •

Bad MD5 digest received—Number of VRRP PDUs received for which the MD5

digest computed from the VRRP PDU differs from the digest expected by the VRRP instance configured on the router. •

Bad advertisement timer received—Number of VRRP PDUs received with an

advertisement time interval that is inconsistent with the one in use among the routers in the VRRP group. •

Bad VIP count received—Number of VRRP PDUs whose virtual IP address

counts differ from the count that has been configured on the VRRP instance. •

Bad VIPADDR received—Number of VRRP PDUs whose virtual IP addresses

differ from the list of virtual IP addresses configured on the VRRP instance. Group state transition statistics

State transition statistics for the VRRP group: •

extensive

Idle to master transitions—Number of times that the VRRP instance

transitioned from the idle state to the master state. •

Idle to backup transitions—Number of times that the VRRP instance

transitioned from the idle state to the backup state. •

Backup to master transitions—Number of times that the VRRP instance

transitioned from the backup state to the master state. •

Master to backup transitions—Number of times that the VRRP instance

transitioned from the master state to the backup state. Vlan-id

1762

ID of Vlan

detail




Field Description

Level of Output

VR state

VRRP information:

none, brief

•

backup—The interface is acting as the backup router interface.

•

bringup—VRRP is just starting, and the physical device is not yet present.

•

idle—VRRP is configured on the interface and is disabled. This can occur when

VRRP is first enabled on an interface whose link is established. •

initializing—VRRP is initializing.

•

master—The interface is acting as the master router interface.

•

transition—The interface is changing between being the backup and being

the master router. VRRP timer information:

Timer

none, brief

•

A—Time, in seconds, until the advertisement timer expires.

•

D—Time, in seconds, until the Master is Dead timer expires.

Sample Output show vrrp

user@host> show vrrp Interface State ge-0/0/0.121 up

ge-0/0/2.131

up

Group 1

1

VR state master

master

Timer A 1.052

A 0.364

Type lcl

Address gec0::12:1:1:1

vip

ge80::12:1:1:99

vip lcl

gec0::12:1:1:99 gec0::13:1:1:1

vip

ge80::13:1:1:99

vip

gec0::13:1:1:99

show vrrp brief

The output for the show vrrp brief command is identical to that for the show vrrp command. For sample output, see show vrrp on page 1763.

show vrrp detail (IPv6)

user@host> show vrrp detail Physical interface: ge-0/0/0, Unit: 121, Vlan-id: 212, Address: gec0::12:1:1:1/120 Index: 67, SNMP ifIndex: 45, VRRP-Traps: enabled Interface state: up, Group: 1, State: master Priority: 200, Advertisement interval: 1, Authentication type: none Preempt: yes, Accept-data mode: no, VIP count: 2, VIP: ge80::12:1:1:99, gec0::12:1:1:99 Advertisement timer: 1.121s, Master router: ge80::12:1:1:1 Virtual router uptime: 00:03:47, Master router uptime: 00:03:41 Virtual MAC: 00:00:5e:00:02:01 Tracking: disabled Physical interface: ge-0/0/2, Unit: 131, Vlan-id: 213, Address: gec0::13:1:1:1/120 Index: 69, SNMP ifIndex: 47, VRRP-Traps: enabled Interface state: up, Group: 1, State: master Priority: 200, Advertisement interval: 1, Authentication type: none


1763

®


Preempt: yes, Accept-data mode: no, VIP count: 2, VIP: ge80::13:1:1:99, gec0::13:1:1:99 Advertisement timer: 0.327s, Master router: ge80::13:1:1:1 Virtual router uptime: 00:03:47, Master router uptime: 00:03:41 Virtual MAC: 00:00:5e:00:02:01 Tracking: disabled

show vrrp detail (Route Track)

show vrrp extensive

user@host> show vrrp detail Physical interface: ge-1/1/0, Unit: 0, Address: 30.30.30.30/24 Index: 67, SNMP ifIndex: 379, VRRP-Traps: enabled Interface state: up, Group: 100, State: master Priority: 150, Advertisement interval: 1, Authentication type: none Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 30.30.30.100 Advertisement timer: 1.218s, Master router: 30.30.30.30 Virtual router uptime: 00:04:28, Master router uptime: 00:00:13 Virtual MAC: 00:00:5e:00:01:64 Tracking: enabled Current priority: 150, Configured priority: 150 Priority hold-time: disabled Interface tracking: disabled Route tracking: enabled, Route count: 1 Route VRF name Route state Priority cost 192.168.40.0/22 default up 30 user@host> show vrrp extensive Interface: ge-0/0/0.121, Interface index: 67, Groups: 1, Active : 1 Interface VRRP PDU statistics Advertisement sent : 188 Advertisement received : 0 Packets received : 0 No group match received : 0 Interface VRRP PDU error statistics Invalid IPAH next type received : 0 Invalid VRRP TTL value received : 0 Invalid VRRP version received : 0 Invalid VRRP PDU type received : 0 Invalid VRRP authentication type received: 0 Invalid VRRP IP count received : 0 Invalid VRRP checksum received : 0 Physical interface: ge-0/0/0, Unit: 121, Vlan-id: 212, Address: gec0::12:1:1:1/120 Index: 67, SNMP ifIndex: 45, VRRP-Traps: enabled Interface state: up, Group: 1, State: master Priority: 200, Advertisement interval: 1, Authentication type: none Preempt: yes, Accept-data mode: no, VIP count: 2, VIP: ge80::12:1:1:99, gec0::12:1:1:99 Advertisement timer: 1.034s, Master router: ge80::12:1:1:1 Virtual router uptime: 00:04:04, Master router uptime: 00:03:58 Virtual MAC: 00:00:5e:00:02:01 Tracking: disabled Group VRRP PDU statistics Advertisement sent : 188 Advertisement received : 0 Group VRRP PDU error statistics Bad authentication type received: 0 Bad password received : 0 Bad MD5 digest received : 0 Bad advertisement timer received: 0 Bad VIP count received : 0 Bad VIPADDR received : 0

1764



Group state transition statistics Idle to master transitions Idle to backup transitions Backup to master transitions Master to backup transitions

: : : :

0 1 1 0

Interface: ge-0/0/2.131, Interface index: 69, Groups: 1, Active : 1 Interface VRRP PDU statistics Advertisement sent : 186 Advertisement received : 0 Packets received : 0 No group match received : 0 Interface VRRP PDU error statistics Invalid IPAH next type received : 0 Invalid VRRP TTL value received : 0 Invalid VRRP version received : 0 Invalid VRRP PDU type received : 0 Invalid VRRP authentication type received: 0 Invalid VRRP IP count received : 0 Invalid VRRP checksum received : 0 Physical interface: ge-0/0/2, Unit: 131, Vlan-id: 213, Address: gec0::13:1:1:1/120 Index: 69, SNMP ifIndex: 47, VRRP-Traps: enabled Interface state: up, Group: 1, State: master Priority: 200, Advertisement interval: 1, Authentication type: none Preempt: yes, Accept-data mode: no, VIP count: 2, VIP: ge80::13:1:1:99, gec0::13:1:1:99 Advertisement timer: 0.396s, Master router: ge80::13:1:1:1 Virtual router uptime: 00:04:04, Master router uptime: 00:03:58 Virtual MAC: 00:00:5e:00:02:01 Tracking: disabled Group VRRP PDU statistics Advertisement sent : 186 Advertisement received : 0 Group VRRP PDU error statistics Bad authentication type received: 0 Bad password received : 0 Bad MD5 digest received : 0 Bad advertisement timer received: 0 Bad VIP count received : 0 Bad VIPADDR received : 0 Group state transition statistics Idle to master transitions : 0 Idle to backup transitions : 1 Backup to master transitions : 1 Master to backup transitions : 0

show vrrp interface

user@host> show vrrp interface Interface: ge-0/0/0.121, Interface index: 67, Groups: 1, Active : 1 Interface VRRP PDU statistics Advertisement sent : 205 Advertisement received : 0 Packets received : 0 No group match received : 0 Interface VRRP PDU error statistics Invalid IPAH next type received : 0 Invalid VRRP TTL value received : 0 Invalid VRRP version received : 0 Invalid VRRP PDU type received : 0 Invalid VRRP authentication type received: 0


1765

®


Invalid VRRP IP count received Invalid VRRP checksum received

: :

0 0

Physical interface: ge-0/0/0, Unit: 121, Vlan-id: 212, Address: gec0::12:1:1:1/120 Index: 67, SNMP ifIndex: 45, VRRP-Traps: enabled Interface state: up, Group: 1, State: master Priority: 200, Advertisement interval: 1, Authentication type: none Preempt: yes, Accept-data mode: no, VIP count: 2, VIP: ge80::12:1:1:99, gec0::12:1:1:99 Advertisement timer: 0.789s, Master router: ge80::12:1:1:1 Virtual router uptime: 00:04:26, Master router uptime: 00:04:20 Virtual MAC: 00:00:5e:00:02:01 Tracking: disabled Group VRRP PDU statistics Advertisement sent : 205 Advertisement received : 0 Group VRRP PDU error statistics Bad authentication type received: 0 Bad password received : 0 Bad MD5 digest received : 0 Bad advertisement timer received: 0 Bad VIP count received : 0 Bad VIPADDR received : 0 Group state transition statistics Idle to master transitions : 0 Idle to backup transitions : 1 Backup to master transitions : 1 Master to backup transitions : 0

show vrrp summary

show vrrp track detail

show vrrp track summary

1766

user@host> show vrrp summary Interface State Group ge-4/1/0.0 up 1

VR state backup

Type lcl vip

Address 10.57.0.2 10.57.0.100

user@host> show vrrp track detail Tracked interface: ae1.211 State: up, Speed: 400m Incurred priority cost: 0 Threshold Priority cost Active 400m 10 300m 60 200m 110 100m 160 down 190 Tracking VRRP interface: ae0.210, Group: 1 VR State: master Current priority: 200, Configured priority: 200 Priority hold-time: disabled, Remaining-time: 50.351 user@host> show vrrp track summary Track if State Speed ae1.211 up 400m

VRRP if ae0.210

Group 1

VR State master

Current priority 200


PART 13

Interfaces on EX Series Switches •

Interfaces—Overview on page 1769

•

Examples of Interfaces Configuration on page 1791

•

Configuring Interfaces on page 1817

•

Verifying Interfaces on page 1885

•

Troubleshooting Interfaces on page 1893

•

Configuration Statements for Interfaces on page 1901

•

Operational Commands for Interfaces on page 1977


1767

®


1768


CHAPTER 56

Interfaces—Overview •


•


•


•

Understanding Interface Ranges on EX Series Switches on page 1777

•

Understanding Layer 3 Subinterfaces on page 1778

•

Understanding Unicast RPF for EX Series Switches on page 1779

•

Understanding IP Directed Broadcast for EX Series Switches on page 1783

•

802.1Q VLANs Overview on page 1785

•

Understanding Generic Routing Encapsulation on page 1786

EX Series Switches Interfaces Overview Juniper Networks EX Series Ethernet Switches have two types of interfaces: network interfaces and special interfaces. This topic provides brief information on these interfaces. For additional information, see the Junos OS Interfaces Fundamentals Configuration Guide. For information on interface-naming conventions on EX Series switches, see “Understanding Interface Naming Conventions on EX Series Switches” on page 1772. This topic describes: •

Network Interfaces on page 1769

•

Special Interfaces on page 1770

Network Interfaces Network interfaces connect to the network and carry network traffic. Table 196 on page 1769 lists the types of network interfaces supported on EX Series switches.

Table 196: Network Interface Types and Purposes Type

Purpose

Aggregated Ethernet interfaces

All EX Series switches allow you to group Ethernet interfaces at the physical layer to form a single link layer interface, also known as a link aggregation group (LAG) or bundle. These aggregated Ethernet interfaces help to balance traffic and increase the uplink bandwidth.


1769

®


Table 196: Network Interface Types and Purposes (continued) Type

Purpose

LAN access interfaces

Use these EX Series switch interfaces to connect a personal computer, laptop, file server, or printer to the network. When you power on an EX Series switch and use the factory-default configuration, the software automatically configures interfaces in access mode for each of the network ports. The default configuration also enables autonegotiation for both speed and link mode.

Power over Ethernet (PoE) interfaces

EX Series switches provide PoE network ports with various switch models. These ports can be used to connect voice over IP (VoIP) telephones, wireless access points, video cameras, and point-of-sale devices to safely receive power from the same access ports that are used to connect personal computers to the network. PoE interfaces are enabled by default in the factory configuration.

Trunk interfaces

EX Series access switches can be connected to a distribution switch or customer-edge (CE) switches or routers. To use a port for this type of connection, you must explicitly configure the port interface for trunk mode. The interfaces from the distribution switch or CE switch to the access switches must also be configured for trunk mode.

Special Interfaces Table 197 on page 1770 lists the types of special interfaces supported on EX Series switches.

Table 197: Special Interface Types and Purposes Type

Purpose

Console port

Each EX Series switch has a serial port, labeled CON or CONSOLE, for connecting tty-type terminals to the switch using standard PC-type tty cables. The console port does not have a physical address or IP address associated with it. However, it is an interface in the sense that it provides access to the switch. On an EX3300 Virtual Chassis, an EX4200 Virtual Chassis, or an EX4500 Virtual Chassis, you can access the master and configure all members of the Virtual Chassis through any member's console port. For more information on the console port in a Virtual Chassis, see “Understanding Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis” on page 1291.

Loopback

All EX Series switches have this software-only virtual interface that is always up. The loopback interface provides a stable and consistent interface and IP address on the switch.

Management interface

The Juniper Networks Junos operating system (Junos OS) for EX Series switches automatically creates the switch's management Ethernet interface, me0. The management Ethernet interface provides an out-of-band method for connecting to the switch. To use me0 as a management port, you must configure its logical port, me0.0, with a valid IP address. You can connect to the management interface over the network using utilities such as SSH or Telnet. SNMP can use the management interface to gather statistics from the switch. (The management interface me0 is analogous to the fxp0 interfaces on routers running Junos OS.)

Routed VLAN Interface (RVI)

EX Series switches use a Layer 3 routed VLAN interface (RVI) named vlan to route traffic from one broadcast domain to another and to perform other Layer 3 functions such as traffic engineering. These functions are typically performed by a router interface in a traditional network. The RVI functions as a logical router, eliminating the need for having both a switch and a router. The RVI (the vlan interface) must be configured as part of a broadcast domain or virtual private LAN service (VPLS) routing instance for Layer 3 traffic to be routed out of it.

1770


Chapter 56: Interfaces—Overview

Table 197: Special Interface Types and Purposes (continued) Type

Purpose

Virtual Chassis port (VCP) interfaces

Virtual Chassis ports (VCPs) are used to interconnect switches in a Virtual Chassis: •

EX3300 switches—Port 2 and port 3 of the SFP+ uplink ports are preconfigured as VCPs and can be used to interconnect up to six EX3300 switches in an EX3300 Virtual Chassis. See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434.

•

EX4200 and EX4500 switches—Each EX4200 switch or each EX4500 switch with a Virtual Chassis module installed has two dedicated VCPs on its rear panel. These ports can be used to interconnect up to ten EX4200 switches in an EX4200 Virtual Chassis, up to ten EX4500 switches in an EX4500 Virtual Chassis, and up to ten switches in a mixed EX4200 and EX4500 Virtual Chassis. When you power on switches that are interconnected in this manner, the software automatically configures the VCP interfaces for the dedicated ports that have been interconnected. These VCP interfaces are not configurable or modifiable. See “Understanding the High-Speed Interconnection of the EX4200 and EX4500 Virtual Chassis Members” on page 1294. You can also interconnect EX4200 and EX4500 switches by using uplink module ports. Using uplink ports allows you to connect switches over longer distances than you can by using the dedicated VCPs. To use the uplink ports as VCPs, you must explicitly configure the uplink module ports on the members you want to connect as VCPs. See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434 or “Setting an SFP+ Port as a Virtual Chassis Port on an EX4500 Switch (CLI Procedure)” on page 1438.

•

EX8200 switches—EX8200 switches can be connected to an XRE200 External Routing Engine to create an EX8200 Virtual Chassis. The XRE200 External Routing Engine has dedicated VCPs that connect to ports on the internal Routing Engines of the EX8200 switches and can connect to another XRE200 External Routing Engine for redundancy. These ports require no configuration. You can also connect two members of an EX8200 Virtual Chassis so that they can exchange Virtual Chassis Control Protocol (VCCP) traffic. To do so, you explicitly configure network ports on the EX8200 switches as VCPs. See “Understanding Virtual Chassis Ports in an EX8200 Virtual Chassis” on page 1547.

Virtual management Ethernet (VME) interface

EX3300, EX4200, and EX4500 switches have a VME interface. This is a logical interface that is used for Virtual Chassis configurations and allows you to manage all the members of the Virtual Chassis through the master. For more information on the VME interface, see “Understanding Global Management of an EX3300, EX4200, or EX4500 Virtual Chassis” on page 1291. EX8200 switches do not use a VME interface. An EX8200 Virtual Chassis is managed through the management Ethernet (me0) interface on the XRE200 External Routing Engine.


•


•


•


•


•


•


•


•



1771

®


•


•


•


•


Understanding Interface Naming Conventions on EX Series Switches Juniper Networks EX Series Ethernet Switches use a naming convention for defining the interfaces that is similar to that of other platforms running under Juniper Networks Junos operating system (Junos OS). This topic provides brief information on the naming conventions used for interfaces on EX Series switches. For additional information, see the Junos OS Network Interfaces Configuration Guide. This topic describes: •

Physical Part of an Interface Name on page 1772

•

Logical Part of an Interface Name on page 1773

•

Wildcard Characters in Interface Names on page 1774

Physical Part of an Interface Name Network interfaces in Junos OS are specified as follows: type-fpc / pic / port EX Series switches apply this convention as follows: •

•

1772

type—EX Series interfaces use the following media types: •

ge—Gigabit Ethernet interface

•

xe—10 Gigabit Ethernet interface

fpc—Flexible PIC Concentrator. EX Series interfaces use the following convention for the FPC number in interface names: •

On an EX2200 switch, an EX3200 switch, a standalone EX3300 switch, a standalone EX4200 switch, and a standalone EX4500 switch, FPC refers to the switch itself. The FPC number is always 0 on these switches.

•

On an EX3300 Virtual Chassis, an EX4200 Virtual Chassis, an EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis, the FPC number indicates the member ID of the switch in the Virtual Chassis.

•

On an EX6200 and a standalone EX8200 switch, the FPC number indicates the slot number of the line card that contains the physical interface. On an EX6200 switch,



the FPC number also indicates the slot number of the Switch Fabric and Routing Engine (SRE) module that contains the uplink port. •

•

•

On an EX8200 Virtual Chassis, the FPC number indicates the slot number of the line card on the Virtual Chassis. The line card slots on Virtual Chassis member 0 are numbered 0 through 15; on member 1, they are numbered 16 through 31, and so on.

pic—EX Series interfaces use the following convention for the PIC (Physical Interface Card) number in interface names: •

On EX2200, EX3200, EX3300, EX4200, and EX4500 switches, the PIC number is 0 for all built-in interfaces (interfaces that are not an uplink port).

•

On EX2200, EX3200, EX3300, and EX4200 switches, the PIC number is 1 for uplink ports.

•

On EX4500 switches, the PIC number is 1 for uplink ports on the left-hand uplink module and 2 for uplink ports on right-hand uplink module.

•

On EX6200 and EX8200 switches, the PIC number is always 0.

port—EX Series interfaces use the following convention for port numbers: •

On EX2200, EX3200, EX3300, EX4200, and EX4500 switches, built-in network ports are numbered from left to right. On models that have two rows of ports, the ports on the top row start with 0 followed by the remaining even-numbered ports, and the ports on the bottom row start with 1 followed by the remaining odd-numbered ports.

•

Uplink ports in EX2200, EX3200, EX3300, EX4200, and EX4500 switches are labeled from left to right, starting with 0.

•

On EX6200 and EX8200 switches, the network ports are numbered from left to right on each line card. On line cards that have two rows of ports, the ports on the top row start with 0 followed by the remaining even-numbered ports, and the ports on the bottom row start with 1 followed by the remaining odd-numbered ports.

•

Uplink ports on an SRE module in an EX6200 switch are labeled from left to right, starting with 0.

Logical Part of an Interface Name The logical unit part of the interface name corresponds to the logical unit number, which can be a number from 0 through 16384. In the virtual part of the name, a period (.) separates the port and logical unit numbers: type-fpc/pic/port.logical-unit-number. For example, if you issue the show ethernet-switching interfaces command on a system with a default VLAN, the resulting display shows the logical interfaces associated with the VLAN: Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/10.0


State down down down

VLAN members remote-analyzer default default

Blocking unblocked unblocked unblocked

1773

®


Wildcard Characters in Interface Names In the show interfaces and clear interfaces commands, you can use wildcard characters in the interface-name option to specify groups of interface names without having to type each name individually. You must enclose all wildcard characters except the asterisk (*) in quotation marks (" "). Related Documentation

•


•


•


•


•


•


•


•


•


Understanding Aggregated Ethernet Interfaces and LACP IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form a single link layer interface, also known as a link aggregation group (LAG) or bundle. Aggregating multiple links between physical interfaces creates a single logical point-to-point trunk link or a LAG. The LAG balances traffic across the member links within an aggregated Ethernet bundle and effectively increases the uplink bandwidth. Another advantage of link aggregation is increased availability, because the LAG is composed of multiple member links. If one member link fails, the LAG continues to carry traffic over the remaining links. Link Aggregation Control Protocol (LACP), a component of IEEE 802.3ad, provides additional functionality for LAGs. This topic describes: •

Link Aggregation Group (LAG) on page 1774

•

Link Aggregation Control Protocol (LACP) on page 1776

Link Aggregation Group (LAG) You configure a LAG by specifying the link number as a physical device and then associating a set of interfaces (ports) with the link. All the interfaces must have the same speed and be in full-duplex mode. Juniper Networks Junos operating system (Junos OS) for EX Series Ethernet Switches assigns a unique ID and port priority to each interface. The ID and priority are not configurable.

1774



The number of interfaces that can be grouped into a LAG and the total number of LAGs supported on a switch varies according to switch model. Table 198 on page 1775 lists the EX Series switches and the maximum number of interfaces per LAG and maximum number of LAGs they support.

Table 198: Maximum Interfaces per LAG and Maximum LAGs per Switch Switch

Maximum Interfaces per LAG

Maximum LAGs

EX2200

8

32

EX3200

8

32

EX3300 and EX3300 Virtual Chassis

8

32


8

64


8

64

EX6200

8

64

EX8200

12

255


12

239

When configuring LAGs, consider the following guidelines: •

The LAG must be configured on both sides of the link.

•

The interfaces on either side of the link must be set to the same speed.

•

You can configure and apply firewall filters on a LAG.

•

LACP can optionally be configured for link negotiation.

You can combine physical Ethernet ports belonging to different member switches of a Virtual Chassis configuration to form a LAG. See “Understanding EX3300, EX4200, and EX4500 Virtual Chassis Link Aggregation” on page 1294 and “Understanding Link Aggregation into an EX8200 Virtual Chassis” on page 1549.

NOTE: The interfaces that are included within a bundle or LAG are sometimes referred to as member interfaces. Do not confuse this term with member switches, which refers to switches that are interconnected as a Virtual Chassis. It is possible to create a LAG that is composed of member interfaces that are located in different member switches of a Virtual Chassis.

A LAG creates a single logical point-to-point connection. A typical deployment for a LAG would be to aggregate trunk links between an access switch and a distribution switch or customer edge (CE) router.


1775

®


Link Aggregation Control Protocol (LACP) When LACP is configured, it detects misconfigurations on the local end or the remote end of the link. About enabling LACP: •

When LACP is not enabled, a local LAG might attempt to transmit packets to a remote single interface, which causes the communication to fail.

•

When LACP is enabled, a local LAG cannot transmit packets unless a LAG with LACP is also configured on the remote end of the link.

By default, Ethernet links do not exchange protocol data units (PDUs), which contain information about the state of the link. You can configure Ethernet links to actively transmit PDUs, or you can configure the links to passively transmit them, sending out LACP PDUs only when they receive them from another link. The transmitting link is known as the actor and the receiving link is known as the partner. In a scenario where a dual-homed server is deployed with a switch, the network interface cards form a LAG with the switch. During a server upgrade, the server may not be able to exchange LACP PDUs. In such a situation you can configure an interface to be in the UP state even if no PDUs are exchanged. Use the force-up statement to configure an interface when the peer has limited LACP capability. The interface selects the associated LAG by default, whether the switch and peer are both in active or passive mode. When there are no received PDUs, the partner is considered to be working in the passive mode. Therefore, LACP PDU transmissions are controlled by the transmitting link. If the remote end of the LAG link is a security device, LACP might not be supported because security devices require a deterministic configuration. In this case, do not configure LACP. All links in the LAG are permanently operational unless the switch detects a link failure within the Ethernet physical layer or data link layers. Related Documentation

1776

•


•


•


•


•


•




Understanding Interface Ranges on EX Series Switches You can use the interface ranges to group interfaces of the same type that share a common configuration profile. This helps reduce the time and effort in configuring interfaces on Juniper Networks EX Series Ethernet switches. The configurations common to all the interfaces can be included in the interface range definition. The interface range definition contains the name of the interface range defined, the names of the individual member interfaces that do not fall in a series of interfaces, a range of interfaces defined in the member range, and the configuration statements common to all the interfaces. An interface range defined with member ranges and individual members but without any common configurations, is also a valid definition.

NOTE: The interface range definition is supported only for Gigabit, 10-Gigabit, and Fast Ethernet interfaces.

The common configurations defined in the interface range will be overridden by the local configuration. The defined interface ranges can be used at places where the interface node is used in the following configuration hierarchies: •

ethernet-switching-options analyzer name input egress interface

•

ethernet-switching-options analyzer name input ingress interface

•

ethernet-switching-options analyzer output interface

•

ethernet-switching-options bpdu-block interface

•

ethernet-switching-options interfaces

•

ethernet-switching-options redundant-trunk-group group-name interface

•

ethernet-switching-options secure-access-port interface

•

ethernet-switching-options voip interface

•

poe interface

•

protocols dot1x authentication interface

•

protocols gvrp interface

•

protocols igmp interface

•

protocols igmp-snooping vlan vlan-name interface

•

protocols isis interface

•

protocols link-management peer lmp-control-channel interface

•

protocols link-management te-link name interface

•

protocols lldp interface


1777

®



•

protocols lldp-med interface

•

protocols mpls interface

•

protocols mstp interface

•

protocols mstp msti-id interface

•

protocols mstp msti-id vlan vlan-id interface

•

protocols oam ethernet link-fault-management interface

•

protocols ospf area

•

protocols pim interface

•

protocols rip group group-name neighbor

•

protocols ripng group group-name neighbor

•

protocols router-advertisement interface

•

protocols router-discovery interface

•

protocols rsvp interface

•

protocols sflow interfaces

•

protocols stp interface

•

protocols vstp vlan vlan-id interface

•

vlans vlan-name interface

•

Interface Ranges on page 1850

•


•


•


•


•

interface-range on page 1934

Understanding Layer 3 Subinterfaces A Layer 3 subinterface is a logical division of a physical interface that operates at the network level and therefore can receive and forward 802.1Q VLAN tags. You can use Layer 3 subinterfaces to route traffic among multiple VLANs along a single trunk line that connects a Juniper Networks EX Series Ethernet Switch to a Layer 2 switch. Only one physical connection is required between the switches. This topology is often called a “router on a stick” or a “one-armed router” when the Layer 3 device is a router. To create Layer 3 subinterfaces on an EX Series switch, you enable VLAN tagging, partition the physical interface into logical partitions, and bind the VLAN ID to the logical interface.

1778



You can partition one physical interface into up to 4094 different subinterfaces, one for each VLAN. We recommend that you use the VLAN ID as the subinterface number when you configure the subinterface. Juniper Networks Junos operating system (Junos OS) reserves VLAN IDs 0 and 4095. VLAN tagging places the VLAN ID in the frame header, allowing each physical interface to handle multiple VLANs. When you configure multiple VLANs on an interface, you must also enable tagging on that interface. Junos OS on EX Series switches supports a subset of the 802.1Q standard for receiving and forwarding routed or bridged Ethernet frames with single VLAN tags and running Virtual Router Redundancy Protocol (VRRP) over 802.1Q-tagged interfaces. Double-tagging is not supported. Related Documentation

•


•

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 1802

•


Understanding Unicast RPF for EX Series Switches Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source address of each packet that arrives on an ingress interface where unicast RPF is enabled. It also helps ensure that traffic arriving on ingress interfaces comes from a network source that the receiving interface can reach. When you enable unicast RPF, the switch forwards a packet only if the receiving interface is the best return path to the packet's unicast source address. This is known as strict mode unicast RPF.

NOTE: On Juniper Networks EX3200 and EX4200 Ethernet Switches, the switch applies unicast RPF globally to all interfaces when unicast RPF is configured on any interface. For additional information, see “Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches” on page 1782.


Unicast RPF for EX Series Switches Overview on page 1780

•

Unicast RPF Implementation for EX Series Switches on page 1780

•

When to Enable Unicast RPF on page 1781

•

When Not to Enable Unicast RPF on page 1782

•

Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches on page 1782


1779

®


Unicast RPF for EX Series Switches Overview Unicast RPF functions as an ingress filter that reduces the forwarding of IP packets that might be spoofing an address. By default, unicast RPF is disabled on the switch interfaces. The type of unicast RPF provided on the switches—that is, strict mode unicast RPF is especially useful on untrusted interfaces. An untrusted interface is an interface where untrusted users or processes can place packets on the network segment. The switch supports only the active paths method of determining the best return path back to a unicast source address. The active paths method looks up the best reverse path entry in the forwarding table. It does not consider alternate routes specified using routing-protocol-specific methods when determining the best return path. If the forwarding table lists the receiving interface as the interface to use to forward the packet back to its unicast source, it is the best return path interface. Strict mode unicast RPF recognizes only one best return path to a unicast source address. Use strict mode unicast RPF only on symmetrically routed interfaces. (For information about symmetrically routed interfaces, see “When to Enable Unicast RPF” on page 1781.) For more information about strict unicast RPF, see RFC 3704, Ingress Filtering for Multihomed Networks at http://www.ietf.org/rfc/rfc3704.txt.

Unicast RPF Implementation for EX Series Switches This section includes: •

Unicast RPF Packet Filtering on page 1780

•

Bootstrap Protocol (BOOTP) and DHCP Requests on page 1780

•

Default Route Handling on page 1781

Unicast RPF Packet Filtering When you enable unicast RPF on the switch, the switch handles traffic in the following manner: •

If the switch receives a packet on the interface that is the best return path to the unicast source address of that packet, the switch forwards the packet.

•

If the best return path from the switch to the packet's unicast source address is not the receiving interface, the switch discards the packet.

•

If the switch receives a packet that has a source IP address that does not have a routing entry in the forwarding table, the switch discards the packet.

Bootstrap Protocol (BOOTP) and DHCP Requests Bootstrap protocol (BOOTP) and DHCP request packets are sent with a broadcast MAC address and therefore the switch does not perform unicast RPF checks on them. The switch forwards all BOOTP packets and DHCP request packets without performing unicast RPF checks.

1780



Default Route Handling If the best return path to the source is the default route (0.0.0.0) and the default route points to reject, the switch discards all unicast RPF packets. If the default route points to a valid network interface, the switch performs a normal unicast RPF check on the packets.

When to Enable Unicast RPF Enable unicast RPF when you want to ensure that traffic arriving on a network interface comes from a source that resides on a network that that interface can reach. You can enable unicast RPF on untrusted interfaces to filter spoofed packets. For example, a common application for unicast RPF is to help defend an enterprise network from DoS/DDoS attacks coming from the Internet. Enable unicast RPF only on symmetrically routed interfaces. A symmetrically routed interface uses the same route in both directions between the source and the destination, as shown in Figure 49 on page 1781. Symmetrical routing means that if an interface receives a packet, the switch uses the same interface to send a reply to the packet source (the receiving interface matches the forwarding-table entry for the best return path to the source).

Figure 49: Symmetrically Routed Interfaces

Enabling unicast RPF on asymmetrically routed interfaces (where different interfaces receive a packet and reply to its source) results in packets from legitimate sources being filtered (discarded) because the best return path is not the same interface that received the packet. The following switch interfaces are most likely to be symmetrically routed and thus are candidates for unicast RPF enabling: •

The service provider edge to a customer

•

The customer edge to a service provider

•

A single access point out of the network (usually on the network perimeter)

•

A terminal network that has only one link

NOTE: Because unicast RPF is enabled globally on EX3200 and EX4200 switches, ensure that all interfaces are symmetrically routed before you enable unicast RPF on those switches. Enabling unicast RPF on asymmetrically routed interfaces results in packets from legitimate sources being filtered.


1781

®


TIP: Enabling unicast RPF as close as possible to the traffic source stops spoofed traffic before it can proliferate or reach interfaces that do not have unicast RPF enabled.

When Not to Enable Unicast RPF Typically, you will not enable unicast RPF if: •

Switch interfaces are multihomed.

•

Switch interfaces are trusted interfaces.

•

BGP is carrying prefixes and some of those prefixes are not advertised or are not accepted by the ISP under its policy. (The effect in this case is the same as filtering an interface by using an incomplete access list.)

•

Switch interfaces face the network core. Core-facing interfaces are usually asymmetrically routed.

An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, as shown in Figure 50 on page 1782. This means that if an interface receives a packet, that interface does not match the forwarding table entry as the best return path back to the source. If the receiving interface is not the best return path to the source of a packet, unicast RPF causes the switch to discard the packet even though it comes from a valid source.

Figure 50: Asymmetrically Routed Interfaces

NOTE: Do not enable unicast RPF on EX3200 and EX4200 switches if any switch interfaces are asymmetrically routed, because unicast RPF is enabled globally on all interfaces of those switches. All switch interfaces must be symmetrically routed for you to enable unicast RPF without the risk of the switch discarding traffic that you want to forward.

Limitations of the Unicast RPF Implementation on EX3200 and EX4200 Switches On EX3200 and EX4200 switches, the switch implements unicast RPF on a global basis. You cannot enable unicast RPF on a per-interface basis. Unicast RPF is globally disabled by default. •

1782

When you enable unicast RPF on any interface, it is automatically enabled on all switch interfaces, including link aggregation groups (LAGs) and routed VLAN interfaces (RVIs).



•

When you disable unicast RPF on the interface (or interfaces) on which you enabled unicast RPF, it is automatically disabled on all switch interfaces.

NOTE: You must explicitly disable unicast RPF on every interface on which it was explicitly enabled or unicast RPF remains enabled on all switch interfaces.

The EX3200 and EX4200 switches do not perform unicast RPF filtering on equal-cost multipath (ECMP) traffic. The unicast RPF check examines only one best return path to the packet source, but ECMP traffic employs an address block consisting of multiple paths. Using unicast RPF to filter ECMP traffic on EX3200 and EX4200 switches can result in the switch discarding packets that you want to forward because the unicast RPF filter does not examine the entire ECMP address block. Related Documentation

•

Example: Configuring Unicast RPF on an EX Series Switch on page 1809

•

Configuring Unicast RPF (CLI Procedure) on page 1876

•

Disabling Unicast RPF (CLI Procedure) on page 1877

Understanding IP Directed Broadcast for EX Series Switches IP directed broadcast helps you implement remote administration tasks such as backups and wake-on-LAN (WOL) application tasks by sending broadcast packets targeted at the hosts in a specified destination subnet. IP directed broadcast packets traverse the network in the same way as unicast IP packets until they reach the destination subnet. When they reach the destination subnet and IP directed broadcast is enabled on the receiving switch, the switch translates (“explodes”) the IP directed broadcast packet into a broadcast that floods the packet on the target subnet. All hosts on the target subnet receive the IP directed broadcast packet. This topic covers: •

IP Directed Broadcast for EX Series Switches Overview on page 1783

•

IP Directed Broadcast Implementation for EX Series Switches on page 1784

•

When to Enable IP Directed Broadcast on page 1784

•

When Not to Enable IP Directed Broadcast on page 1784

IP Directed Broadcast for EX Series Switches Overview IP directed broadcast packets have a destination IP address that is a valid broadcast address for the subnet that is the target of the directed broadcast (the target subnet). The intent of an IP directed broadcast is to flood the target subnet with the broadcast packets without broadcasting to the entire network. IP directed broadcast packets cannot originate from the target subnet.


1783

®


When you send an IP directed broadcast packet, as it travels to the target subnet, the network forwards it in the same way as it forwards a unicast packet. When the packet reaches a switch that is directly connected to the target subnet, the switch checks to see whether IP directed broadcast is enabled on the interface that is directly connected to the target subnet: •

If IP directed broadcast is enabled on that interface, the switch broadcasts the packet on that subnet by rewriting the destination IP address as the configured broadcast IP address for the subnet. The switch converts the packet to a link-layer broadcast packet that every host on the network processes.

•

If IP directed broadcast is disabled on the interface that is directly connected to the target subnet, the switch drops the packet.

IP Directed Broadcast Implementation for EX Series Switches You configure IP directed broadcast on a per-subnet basis by enabling IP directed broadcast on the Layer 3 interface of the subnet’s VLAN. When the switch that is connected to that subnet receives a packet that has the subnet’s broadcast IP address as the destination address, the switch broadcasts the packet to all hosts on the subnet. By default, IP directed broadcast is disabled.

When to Enable IP Directed Broadcast IP directed broadcast is disabled by default. Enable IP directed broadcast when you want to perform remote management or administration services such as backups or WOL tasks on hosts in a subnet that does not have a direct connection to the Internet. Enabling IP directed broadcast on a subnet affects only the hosts within that subnet. Only packets received on the subnet’s Layer 3 interface that have the subnet’s broadcast IP address as the destination address are flooded on the subnet.

When Not to Enable IP Directed Broadcast Typically, you do not enable IP directed broadcast on subnets that have direct connections to the Internet. Disabling IP directed broadcast on a subnet’s Layer 3 interface affects only that subnet. If you disable IP directed broadcast on a subnet and a packet that has the broadcast IP address of that subnet arrives at the switch, the switch drops the broadcast packet. If a subnet has a direct connection to the Internet, enabling IP directed broadcast on it increases the network’s susceptibility to denial-of-service (DoS) attacks. For example, a malicious attacker can spoof a source IP address (use a source IP address that is not the actual source of the transmission to deceive a network into identifying the attacker as a legitimate source) and send IP directed broadcasts containing Internet Control Message Protocol (ICMP) echo (ping) packets. When the hosts on the network with IP directed broadcast enabled receive the ICMP echo packets, they all send replies to the victim that has the spoofed source IP address. This creates a flood of ping replies in a DoS attack that can overwhelm the spoofed source address; this is known as a “smurf” attack. Another common DoS attack on exposed networks with IP directed

1784



broadcast enabled is a “fraggle” attack, which is similar to a smurf attack except that the malicious packet is a User Datagram Protocol (UDP) echo packet instead of an ICMP echo packet. Related Documentation

•

Example: Configuring IP Directed Broadcast on an EX Series Switch on page 1813

•

Configuring IP Directed Broadcast (CLI Procedure) on page 1878

802.1Q VLANs Overview For Ethernet, Fast Ethernet, Tri-Rate Ethernet copper, Gigabit Ethernet, 10-Gigabit Ethernet, and aggregated Ethernet interfaces supporting VPLS, the Junos OS supports a subset of the IEEE 802.1Q standard for channelizing an Ethernet interface into multiple logical interfaces, allowing many hosts to be connected to the same Gigabit Ethernet switch, but preventing them from being in the same routing or bridging domain. Related Documentation

•

Configuring Dynamic 802.1Q VLANs

•

802.1Q VLAN IDs and Ethernet Interface Types

•

Enabling VLAN Tagging

•

Binding VLAN IDs to Logical Interfaces

•

Configuring VLAN Encapsulation

•

Configuring Extended VLAN Encapsulation

•

Guidelines for Configuring VLAN ID List-Bundled Logical Interfaces That Connect CCCs

•

Configuring a Layer 2 VPN Routing Instance on a VLAN-Bundled Logical Interface

•

Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance

•

Specifying the Interface Over Which VPN Traffic Travels to the CE Router

•

Specifying the Interface to Handle Traffic for a CCC

•

Configuring a Layer 2 Circuit on a VLAN-Bundled Logical Interface

•

Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance

•

Specifying the Interface to Handle Traffic for a CCC Connected to the Layer 2 Circuit

•

Example: Configuring a Layer 2 VPN Routing Instance on a VLAN-Bundled Logical Interface

•

Example: Configuring a Layer 2 Circuit on a VLAN-Bundled Logical Interface

•

Configuring a Logical Interface for Access Mode

•

Configuring a Logical Interface for Trunk Mode

•

Configuring the VLAN ID List for a Trunk Interface

•

Configuring a Trunk Interface on a Bridge Network


1785

®


•


Understanding Generic Routing Encapsulation Tunneling provides a private, secure path for transporting packets through an otherwise public network by encapsulating packets inside a transport protocol known as an IP encapsulation protocol. Generic routing encapsulation (GRE) is an IP encapsulation protocol that is used to transport packets over a network. Information is sent from one network to the other through a GRE tunnel. This topic describes: •

Overview of GRE on page 1786

•

GRE Tunneling on page 1786

•

Configuration Limitations for GRE on EX Series Switches on page 1788

Overview of GRE GRE encapsulates packets into IP packets and redirects them to an intermediate host, where they are de-encapsulated and routed to their final destination. Because the route to the intermediate host appears to the inner datagrams as one hop, Juniper Networks EX Series Ethernet switches can operate as if they have a virtual point-to-point connection with each other. GRE tunnels allow routing protocols like RIP and OSPF to forward data packets from one switch to another switch across the Internet. In addition, GRE tunnels can encapsulate multicast data streams for transmission over the Internet. GRE is described in RFC 2784 (obsoletes earlier RFCs 1701 and 1702). The switches support RFC 2784, but not completely. (For a list of limitations, see “Configuration Limitations for GRE on EX Series Switches” on page 1788.) As a tunnel source router, the switch encapsulates a payload packet for transport through the tunnel to a destination network. The payload packet is first encapsulated in a GRE packet, and the resulting GRE packet is encapsulated in a delivery protocol. The switch performing the role of a tunnel remote router extracts the tunneled packet and forwards the packet to the destination network.

GRE Tunneling Data is routed by the system to the GRE endpoint over routes established in the route table. (These routes can be statically configured or dynamically learned by routing protocols such as RIP or OSPF.) When a data packet is received by the GRE endpoint, it is de-encapsulated and routed again by means of the endpoint configuration to the destination address of the tunnel. In this way, each data packet traveling over the GRE tunnel gets routed through the system twice. Because GRE tunnels are stateless, the endpoint of the tunnel contains no information about the state or availability of the remote tunnel endpoint. Therefore, the switch operating as a tunnel source router cannot change the state of the GRE tunnel interface to down if the remote endpoint is unreachable.

1786



For details of GRE tunneling, see: •

Encapsulation and De-Encapsulation on the Switch on page 1787

•

Number of Source and Destination Tunnels Allowed on a Switch on page 1787

•

Class of Service on GRE Tunnels on page 1787

•

Firewall Filters on GRE Tunnels on page 1788

Encapsulation and De-Encapsulation on the Switch Encapsulation—A switch operating as a tunnel source router encapsulates and forwards GRE packets as follows: 1.

When a switch receives a data packet (payload) to be tunneled, it sends the packet to the tunnel interface.

2. The tunnel interface encapsulates the data in a GRE packet. 3. The system encapsulates the GRE packet in an IP packet. 4. The IP packet is forwarded based on its destination address and routing table.

De-encapsulation—A switch operating as a tunnel remote router handles GRE packets as follows: 1.

When the destination switch receives the IP packet from the tunnel interface, the switch checks the destination address.

2. The IP header is removed, and the packet is submitted to the GRE protocol. 3. The GRE protocol strips off the GRE header and submits the payload packet for

forwarding.

Number of Source and Destination Tunnels Allowed on a Switch Depending on your network, you can configure up to approximately 500 GRE tunnels to operate between switches transmitting IPv4 or IPv6 payload packets over GRE. If a passenger protocol in addition to IPv4 and IPv6 is used, you can configure up to approximately 333 GRE tunnels between the switches. A switch can have a maximum of 20 tunnel source IP addresses configured, and each tunnel source IP can be configured with up to 20 destination IP addresses on a second switch. As a result, the two connected switches can have a maximum of 400 GRE tunnels. If the first switch is also connected to a third switch, the possible maximum number of tunnels can reach 500.

Class of Service on GRE Tunnels When a network experiences congestion and delay, some packets might be dropped. Junos OS class of service (CoS) divides traffic into classes to which you can apply different levels of throughput and packet loss when congestion occurs and thereby set rules for packet loss. For CoS details, see Junos OS CoS for EX Series Switches Overview.


1787

®


The following CoS components are available on a switch operating as a GRE tunnel source router or GRE tunnel remote router: •

•

At the GRE tunnel source—On a switch operating as a tunnel source router, you can apply CoS classifiers on an ingress port or on a GRE port, with the following results on CoS component support on tunneled packets: •

Schedulers only—Based on the CoS classification on the ingress port, you can apply CoS schedulers on a GRE port of the switch to define output queues and control the transmission of packets through the tunnel after GRE encapsulation. However, you cannot apply CoS rewrite rules to these packets.

•

Schedulers and rewrite rules—Based on the CoS classification on the GRE port, you can apply both schedulers and rewrite rules to the encapsulated packets transmitted through the tunnel.

At the GRE tunnel endpoint—When the switch is a tunnel remote router, you can apply CoS classifiers on the GRE port and schedulers and rewrite rules on the egress port to control the transmission of a de-encapsulated GRE packet out the egress port.

Firewall Filters on GRE Tunnels Firewall filters provide rules that define whether to permit, deny, or forward packets that are transiting an interface on a switch from a source address to a destination address. For details, see Firewall Filters for EX Series Switches Overview. The effectiveness of a firewall filter on a packet sent through a GRE tunnel depends on whether a switch is at the source or endpoint of the tunnel: •

GRE tunnel source—On a switch operating as a tunnel source router, you can configure a firewall filter on a egress port to control tunnel payload packets and GRE-encapsulated IP packets at the tunnel source.

•

GRE tunnel endpoint—When the switch is a tunnel remote router, a firewall filter can control a GRE packet only after the packet has been de-encapsulated.

Configuration Limitations for GRE on EX Series Switches Some GRE tunneling features are not currently available on EX Series switches. Be aware of the following limitations when you are configuring GRE on a switch: •

1788

Unsupported features—GRE on the switches does not support the following features: •

Virtual routing over GRE

•

Bidirectional Forwarding Detection (BFD) protocol over GRE distributed mode

•

MPLS over GRE tunnels

•

GRE keepalives




•

GRE keys, payload packet fragmentation, and sequence numbers for fragmented packets

•

BGP dynamic tunnels

•

Platform limitation—Encapsulation over GRE tunnels is supported on EX3200, EX4200, and EX8200 switches. However, de-encapsulation is supported only on EX3200 and EX4200 switches.

•

IPv6 limitation—Both IPv4 and IPv6 packets are accepted as payload packets for GRE encapsulation, but only IPv4 is supported as the GRE delivery protocol (the protocol through the tunnel).

•

OSPF limitation—Enabling OSPF on a GRE interface creates two equal-cost routes to the destination: one through the Ethernet network or uplink interface (for example, ge-fpc/pic/port) and the other through the tunnel interface (gr-fpc/pic/port). If data is routed through the tunnel interface, the interface might go down. To keep the interface operational, we recommend that you use a static route, disable OSPF on the tunnel interface, or configure the peer not to advertise the tunnel destination over the tunnel interface.

•



1789

®


1790


CHAPTER 57

Examples of Interfaces Configuration •


•


•


•


•


Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch EX Series switches allow you to combine multiple Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. The number of Ethernet links you can combine into a LAG depends on your EX Series switch model. See “Understanding Aggregated Ethernet Interfaces and LACP” on page 1774 for more information. This example describes how to configure uplink LAGs to connect a Virtual Chassis access switch to a Virtual Chassis distribution switch: •


•


•


•


•




•



1791

®


•


•


Before you configure the LAGs, be sure you have: •

Configured the Virtual Chassis switches. See “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408.

•


Overview and Topology For maximum speed and resiliency, you can combine uplinks between an access switch and a distribution switch into LAGs. Using LAGs can be particularly effective when connecting a multimember Virtual Chassis access switch to a multimember Virtual Chassis distribution switch. The Virtual Chassis access switch in this example is composed of two member switches. Each member switch has an uplink module with two 10-Gigabit Ethernet ports. These ports are configured as trunk ports, connecting the access switch with the distribution switch. Configuring the uplinks as LAGs has the following advantages: •

Link Aggregation Control Protocol (LACP) can optionally be configured for link negotiation.

•

It doubles the speed of each uplink from 10 Gbps to 20 Gbps.

•

If one physical port is lost for any reason (a cable is unplugged or a switch port fails, or one member switch is unavailable), the logical port transparently continues to function over the remaining physical port.

The topology used in this example consists of one Virtual Chassis access switch and one Virtual Chassis distribution switch. The access switch is composed of two EX4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their Virtual Chassis ports (VCPs) as member switches of Host-A. The distribution switch is composed of two EX4200-24F switches (SWD-0 and SWD-1), interconnected with their VCPs as member switches of Host-D. Each member of the access switch has an uplink module installed. Each uplink module has two ports. The uplinks are configured to act as trunk ports, connecting the access switch with the distribution switch. One uplink port from SWA-0 and one uplink port from SWA-1 are combined as LAG ae0 to SWD-0. This link is used for one VLAN. The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second LAG connection (ae1) to SWD-1. LAG ae1 is used for another VLAN.

1792


Chapter 57: Examples of Interfaces Configuration

NOTE: If the remote end of the LAG link is a security device, LACP might not be supported because security devices require a deterministic configuration. In this case, do not configure LACP. All links in the LAG are permanently operational unless the switch detects a link failure within the Ethernet physical layer or data link layers.

Figure 51: Topology for LAGs Connecting an EX4200 Virtual Chassis Access Switch to an EX4200 Virtual Chassis Distribution Switch

Table 157 on page 1357 details the topology used in this configuration example.

Table 199: Components of the Topology for Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch Switch SWA-0

Hostname and VCID

Base Hardware

Uplink Module

Member ID

Trunk Port


EX4200-48P switch


0


VCID 1 SWA-1


EX4200-48P switch


1


VCID 1


1793

®


Table 199: Components of the Topology for Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch (continued) Switch SWD-0

Hostname and VCID

Base Hardware

Uplink Module

Member ID

Trunk Port


EX4200 L-24F switch


0


VCID 4 SWD-1


EX4200 L-24F switch


1


VCID 4

Configuration To configure two uplink LAGs from the Virtual Chassis access switch to the Virtual Chassis distribution switch: CLI Quick Configuration

To quickly configure aggregated Ethernet high-speed uplinks between a Virtual Chassis access switch and a Virtual Chassis distribution switch, copy the following commands and paste them into the switch terminal window: [edit] set chassis aggregated-devices ethernet device-count 2 set interfaces ae0 aggregated-ether-options minimum-links 1 set interfaces ae0 aggregated-ether-options link-speed 10g set interfaces ae1 aggregated-ether-options minimum-links 1 set interfaces ae1 aggregated-ether-options link-speed 10g set interfaces ae0 unit 0 family inet address 192.0.2.0/25 set interfaces ae1 unit 0 family inet address 192.0.2.128/25 set interfaces xe-0/1/0 ether-options 802.3ad ae0 set interfaces xe-1/1/0 ether-options 802.3ad ae0 set interfaces xe-0/1/1 ether-options 802.3ad ae1 set interfaces xe-1/1/1 ether-options 802.3ad ae1


To configure aggregated Ethernet high-speed uplinks between a Virtual Chassis access switch and a Virtual Chassis distribution switch: 1.

Specify the number of LAGs to be created on the chassis: [edit chassis] user@Host-A# set aggregated-devices ethernet device-count 2

2.


3.


4.


1794



5.


6.


7.


8.

Specify that LAG ae0 belongs to the subnet for the employee broadcast domain: [edit interfaces] user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25

9.

Specify that LAG ae1 belongs to the subnet for the guest broadcast domain: [edit interfaces] user@Host-A# set ae1 unit 0 family inet address 192.0.2.128/25

Display the results of the configuration: [edit] chassis { aggregated-devices { ethernet { device-count 2; } } } interfaces { ae0 { aggregated-ether-options { link-speed 10g; minimum-links 1; } unit 0 { family inet { address 192.0.2.0/25; } } } ae1 { aggregated-ether-options { link-speed 10g; minimum-links 1; } unit 0 { family inet { address 192.0.2.128/25; } } xe–0/1/0 { ether-options { 802.3ad ae0;


1795

®


} } xe–1/1/0 { ether-options { 802.3ad ae0; } } xe–0/1/1 { ether-options { 802.3ad ae1; } } xe–1/1/1 { ether-options { 802.3ad ae1; } } }

Verification To verify that switching is operational and two LAGs have been created, perform these tasks: •


•



Verify that LAG ae0 has been created on the switch. show interfaces ae0 terse Interface ae0 ae0.0

Meaning

Admin up up

Link Proto up up inet

Local

Remote

192.0.2.0/25



Verify that LAG ae1 has been created on the switch show interfaces ae1 terse Interface ae1 ae1.0

Meaning

1796

Admin Link Proto up down up down inet

Local

Remote

192.0.2.128/25

The output shows that the ae1 link is down.



Troubleshooting Troubleshooting a LAG That Is Down Problem


Solution



•


•


•

Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet (Layer 3 LAG).

•


•


•


•


•

Example: Connecting an Access Switch to a Distribution Switch on page 2131.

•


•


•


Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch EX Series switches allow you to combine multiple Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. EX Series switches allow you to further enhance these links by configuring Link Aggregation Control Protocol (LACP). This example describes how to overlay LACP on the LAG configurations that were created in “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354: •


•


•

Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 1798

•

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on page 1799


1797

®


•


•




•


•


•

Four EX Series XFP uplink modules

Before you configure LACP, be sure you have: •

Set up the Virtual Chassis switches. See “Configuring an EX4200 or EX4500 Virtual Chassis (CLI Procedure)” on page 1408.

•


•

Configured the LAGs. See “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354.

Overview and Topology This example assumes that you are familiar with “Example: Configuring Aggregated Ethernet High-Speed Uplinks Between an EX4200 Virtual Chassis Access Switch and an EX4200 Virtual Chassis Distribution Switch” on page 1354. The topology in this example is exactly the same as the topology in that other example. This example shows how to use LACP to enhance the LAG functionality. LACP exchanges are made between actors (the transmitting link) and partners (the receiving link). The LACP mode can be either active or passive.

NOTE: If the actor and partner are both in passive mode, they do not exchange LACP packets, which results in the aggregated Ethernet links not coming up. By default, LACP is in passive mode. To initiate transmission of LACP packets and responses to LACP packets, you must enable LACP in active mode.

By default, the actor and partner send LACP packets every second. The interval can be fast (every second) or slow (every 30 seconds).

Configuring LACP for the LAGs on the Virtual Chassis Access Switch To configure LACP for the access switch LAGs, perform these tasks: CLI Quick Configuration

1798

To quickly configure LACP for the access switch LAGs, copy the following commands and paste them into the switch terminal window:



[edit] set interfaces ae0 aggregated-ether-options lacp active periodic fast set interfaces ae1 aggregated-ether-options lacp active periodic fast


To configure LACP for Host-A LAGs ae0 and ae1: 1.

Specify the aggregated Ethernet options for both bundles: [edit interfaces] user@Host-A#set ae0 aggregated-ether-options lacp active periodic fast user@Host-A#set ae1 aggregated-ether-options lacp active periodic fast

Results

Display the results of the configuration: [edit interfaces] user@Host-A# show ae0 { aggregated-ether-options { lacp { active; periodic fast; } } } ae1 { aggregated-ether-options { lacp { active; periodic fast; } } }

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch To configure LACP for the two uplink LAGs from the Virtual Chassis access switch to the Virtual Chassis distribution switch, perform these tasks: CLI Quick Configuration

To quickly configure LACP for the distribution switch LAGs, copy the following commands and paste them into the switch terminal window: [edit interfaces] set ae0 aggregated-ether-options lacp passive periodic fast set ae1 aggregated-ether-options lacp passive periodic fast


To configure LACP for Host D LAGs ae0 and ae1: 1.

Specify the aggregated Ethernet options for both bundles: [edit interfaces] user@Host-D#set ae0 aggregated-ether-options lacp passive periodic fast user@Host-D#set ae1 aggregated-ether-options lacp passive periodic fast

Results

Display the results of the configuration: [edit interfaces] user@Host-D# show ae0 {


1799

®


aggregated-ether-options { lacp { passive; periodic fast; } } } ae1 { aggregated-ether-options { lacp { passive periodic fast; } } }

Verification To verify that LACP packets are being exchanged, perform these tasks: •

Verifying the LACP Settings on page 1800

•

Verifying That the LACP Packets Are Being Exchanged on page 1800

Verifying the LACP Settings Purpose Action

Verify that LACP has been set up correctly. Use the show lacp interfaces interface-name command to check that LACP has been enabled as active on one end. user@Host-A> show lacp interfaces xe-0/1/0 Aggregated interface: ae0 LACP state:

Role

Def

Dist

Col

Syn

Aggr

Timeout

Activity

xe-0/1/0

Actor

No

Yes

No

No

No

Yes

Fast

Active

xe-0/1/0

Partner

No

Yes

No

No

No

Yes

Fast

Passive


Meaning

Exp


Transmit State

Mux State

Fast periodic

Detached

The output indicates that LACP has been set up correctly and is active at one end.

Verifying That the LACP Packets Are Being Exchanged Purpose Action

Verify that LACP packets are being exchanged. Use the show interfaces aex statistics command to display LACP information. user@Host-A> show interfaces ae0 statistics

1800



Physical interface: ae0, Enabled, Physical link is Down Interface index: 153, SNMP ifIndex: 30 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0 Last flapped : Never Statistics last cleared: Never Input packets : 0 Output packets: 0 Input errors: 0, Output errors: 0 Logical interface ae0.0 (Index 71) (SNMP ifIndex 34) Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 0 0 0 0 Protocol inet Flags: None Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning

The output here shows that the link is down and that no protocol data units (PDUs) are being exchanged.

Troubleshooting To troubleshoot a nonworking LACP link, perform these tasks: •

Troubleshooting a Nonworking LACP Link on page 1801

Troubleshooting a Nonworking LACP Link Problem

The LACP link is not working.

Solution



•

Remove the LACP configuration and verify whether the static LAG is up.

•

Verify that LACP is configured at both ends.

•

Verify that LACP is not passive at both ends.

•

Verify whether LACP protocol data units (PDUs) are being exchanged by running the monitor traffic-interface lag-member detail command.

•


•


•


•



1801

®


Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch In a large LAN, you commonly need to partition the network into multiple VLANs. You can configure Layer 3 subinterfaces to route traffic between the VLANs. In one common topology, known as a “router on a stick” or a “one-armed router,” you connect a router to an access switch with connections to multiple VLANs. This example describes how to create Layer 3 subinterfaces on trunk interfaces of a distribution switch and access switch so that you can route traffic among multiple VLANs: •


•


•

Configuring the Access Switch Subinterfaces on page 1803

•

Configuring the Distribution Switch Subinterfaces on page 1805

•



For the distribution switch, one EX4200-24F switch. This model is designed to be used as a distribution switch for aggregation or collapsed core network topologies and in space-constrained data centers. It has twenty-four 1-Gigabit Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit Ethernet XFP ports.

•

For the access switch, any Layer 2 switch that supports 802.1Q VLAN tags.

•

Junos OS Release 9.2 or later for EX Series switches.

Before you connect the switches, make sure you have: •

Connected the two switches.

•

Configured the necessary VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217.

Overview and Topology In a large office with multiple buildings and VLANs, you commonly aggregate traffic from a number of access switches into a distribution switch. This configuration example shows a simple topology to illustrate how to connect a single Layer 2 access switch connected to multiple VLANs to a distribution switch, enabling traffic to pass between those VLANs. In the example topology, the LAN is segmented into five VLANs, all associated with interfaces on the access switch. One 1-Gigabit Ethernet port on the access switch's uplink module connects to one 1-Gigabit Ethernet port on the distribution switch. Table 200 on page 1803 lists the settings for the example topology.

1802



Table 200: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch Property

Settings

Access switch hardware

Any Layer 2 switch with multiple 1-Gigabit Ethernet ports and at least one 1-Gigabit Ethernet uplink module

Distribution switch hardware

EX4200-24F, 24 1-Gigabit Ethernet fiber SPF ports (ge-0/0/0 through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-4SFP)

VLAN names and tag IDs

vlan1, tag 101 vlan2, tag 102 vlan3, tag 103 vlan4, tag 104 vlan5, tag 105

VLAN subnets

vlan1: 1.1.1.0/24 (addresses 1.1.1.1 through 1.1.1.254) vlan2: 2.1.1.0/24 (addresses 2.1.1.1 through 2.1.1.254) vlan3: 3.1.1.0/24 (addresses 3.1.1.1 through 3.1.1.254) vlan4: 4.1.1.0/24 (addresses 4.1.1.1 through 4.1.1.254) vlan5: 5.1.1.0/24 (addresses 5.1.1.1 through 5.1.1.254)

Port interfaces

On the access switch: ge-0/1/0 On the distribution switch: ge-0/0/0

Configuring the Access Switch Subinterfaces CLI Quick Configuration

To quickly create and configure subinterfaces on the access switch, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/1/0 vlan-tagging set interfaces ge-0/1/0 unit 0 vlan-id 101 family inet address 1.1.1.1/24 set interfaces ge-0/1/0 unit 1 vlan-id 102 family inet address 2.1.1.1/24 set interfaces ge-0/1/0 unit 2 vlan-id 103 family inet address 3.1.1.1/24 set interfaces ge-0/1/0 unit 3 vlan-id 104 family inet address 4.1.1.1/24 set interfaces ge-0/1/0 unit 4 vlan-id 105 family inet address 5.1.1.1/24


To configure the subinterfaces on the access switch: 1.

On the trunk interface of the access switch, enable VLAN tagging: [edit interfaces ge-0/1/0] user@access-switch# set vlan-tagging

2.

Bind vlan1's VLAN ID to the logical interface: [edit interfaces ge-0/1/0] user@access-switch# set unit 0 vlan-id 101

3.

Set vlan1's subinterface IP address:


1803

®


[edit interfaces ge-0/1/0] user@access-switch# set unit 0 family inet address 1.1.1.1/24

Bind vlan2's VLAN ID to the logical interface:

4.

[edit interfaces ge-0/1/0] user@access-switch# set unit 1 vlan-id 102


5.



6.

[edit interfaces ge-0/1/0] user@access-switch# set unit 2 vlan–id 103


7.



8.

[edit interfaces ge-0/1/0] user@access-switch# set unit 3 vlan-id 104


9.

[edit interfaces ge-0/1/0] user@access-switch# set unit 3 family inet address 4.1.1.1/24 10.

Bind vlan5's VLAN ID to the logical interface: [edit interfaces ge-0/1/0] user@access-switch# set unit 4 vlan-id 105

11.

Set vlan5's subinterface IP address: [edit interfaces ge-0/1/0] user@access-switch# set unit 4 family inet address 5.1.1.1/24

Check the results of the configuration: user@access-switch> show configuration interfaces { ge-0/1/0 { vlan-tagging; unit 0 { vlan-id 101; family inet { address 1.1.1.1/24; } } unit 1 { vlan-id 102; family inet { address 2.1.1.1/24; } } unit 2 { vlan-id 103; family inet { address 3.1.1.1/24; } } unit 3 {

1804



vlan-id 104; family inet { address 4.1.1.1/24; } } unit 4 { vlan-id 105; family inet { address 5.1.1.1/24; } } }

Configuring the Distribution Switch Subinterfaces CLI Quick Configuration

To quickly create and configure subinterfaces on the distribution switch, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/0 vlan-tagging set interfaces ge-0/0/0 unit 0 vlan-id 101 family inet address 1.1.1.2/24 set interfaces ge-0/0/0 unit 1 vlan-id 102 family inet address 2.1.1.2/24 set interfaces ge-0/0/0 unit 2 vlan-id 103 family inet address 3.1.1.2/24 set interfaces ge-0/0/0 unit 3 vlan-id 104 family inet address 4.1.1.2/24 set interfaces ge-0/0/0 unit 4 vlan-id 105 family inet address 5.1.1.2/24


To configure subinterfaces on the distribution switch: 1.

On the trunk interface of the distribution switch, enable VLAN tagging: [edit interfaces ge-0/0/0] user@distribution-switch# set vlan-tagging

2.

Bind vlan1's VLAN ID to the logical interface: [edit interfaces ge-0/0/0] user@distribution-switch# set unit 0 vlan-id 101

3.

Set vlan1's subinterface IP address: [edit interfaces ge-0/0/0] user@distribution-switch# set unit 0 family inet address 1.1.1.2/24

4.


5.


6.


7.


8.



1805

®



9.

[edit interfaces ge-0/0/0] user@distribution-switch# set unit 3 family inet address 4.1.1.2/24 10.


11.


user@distribution-switch> show configuration interfaces { ge-0/0/0 { vlan-tagging; unit 0 { vlan-id 101; family inet { address 1.1.1.2/24; } } unit 1 { vlan-id 102; family inet { address 2.1.1.2/24; } } unit 2 { vlan-id 103; family inet { address 3.1.1.2/24; } } unit 3 { vlan-id 104; family inet { address 4.1.1.2/24; } } unit 4 { vlan-id 105; family inet { address 5.1.1.2/24; } } }

Verification To confirm that the configuration is working properly, perform these tasks:

1806

•

Verifying That Subinterfaces Were Created on page 1807

•

Verifying That Traffic Passes Between VLANs on page 1807



Verifying That Subinterfaces Were Created Purpose

Action

Verify that the subinterfaces were properly created on the access switch and distribution switch. 1.

Use the show interfaces command on the access switch: user@access-switch> show interfaces ge-0/1/0 terse Interface Admin Link Proto Local ge-0/1/0 up up ge-0/1/0.0 up up inet 1.1.1.1/24 ge-0/1/0.1 up up inet 2.1.1.1/24 ge-0/1/0.2 up up inet 3.1.1.1/24 ge-0/1/0.3 up up inet 4.1.1.1/24 ge-0/1/0.4 up up inet 5.1.1.1/24 ge-0/1/0.32767 up up

Remote

2. Use the show interfaces command on the distribution switch: user@distribution-switch> show interfaces ge-0/0/0 terse Interface Admin Link Proto Local ge-0/0/0 up up ge-0/0/0.0 up up inet 1.1.1.2/24 ge-0/0/0.1 up up inet 2.1.1.2/24 ge-0/0/0.2 up up inet 3.1.1.2/24 ge-0/0/0.3 up up inet 4.1.1.2/24 ge-0/0/0.4 up up inet 5.1.1.2/24 ge-0/0/0.32767 up up

Meaning

Remote

Each subinterface created is displayed as a ge-fpc/pic/port.x logical interface, where x is the unit number in the configuration. The status is listed as up, indicating the link is working.

Verifying That Traffic Passes Between VLANs Purpose Action

Verify that the distribution switch is correctly routing traffic from one VLAN to another. Ping from the access switch to the distribution switch on each subinterface. 1.

From the access switch, ping the address of the vlan1 subinterface on the distribution switch: user@access-switch> ping 1.1.1.2 count 4 PING 1.1.1.2 (1.1.1.2): 56 data bytes 64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 64 bytes from 1.1.1.2: icmp_seq=3 ttl=64

time=0.333 time=0.113 time=0.112 time=0.158

ms ms ms ms

--- 1.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.112/0.179/0.333/0.091 ms 2. From the access switch, ping the address of the vlan2 subinterface on the distribution

switch: user@access-switch> ping 2.1.1.2 count 4


1807

®


PING 2.1.1.2 (2.1.1.2): 56 data bytes 64 bytes from 2.1.1.2: icmp_seq=0 ttl=64 64 bytes from 2.1.1.2: icmp_seq=1 ttl=64 64 bytes from 2.1.1.2: icmp_seq=2 ttl=64 64 bytes from 2.1.1.2: icmp_seq=3 ttl=64


ms ms ms ms


switch: user@access-switch> ping 3.1.1.2 count 4 PING 3.1.1.2 (3.1.1.2): 56 data bytes 64 bytes from 3.1.1.2: icmp_seq=0 ttl=64 64 bytes from 3.1.1.2: icmp_seq=1 ttl=64 64 bytes from 3.1.1.2: icmp_seq=2 ttl=64 64 bytes from 3.1.1.2: icmp_seq=3 ttl=64


ms ms ms ms




ms ms ms ms




ms ms ms ms

--- 5.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.102/0.150/0.224/0.051 ms

Meaning


1808

If all the ping packets are transmitted and are received by the destination address, the subinterfaces are up and working.

•

Understanding Layer 3 Logical Interfaces

•


•

Configuring a Layer 3 Logical Interface



•


Example: Configuring Unicast RPF on an EX Series Switch Unicast reverse-path forwarding (RPF) helps protect the switch against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by verifying the unicast source address of each packet that arrives on an ingress interface where unicast RPF is enabled. This example shows how to help defend the switch ingress interfaces against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by configuring unicast reverse-path forwarding (RPF) on a customer-edge interface to filter incoming traffic: •


•


•


•




•

Two EX8200 switches

Before you begin, be sure you have: •

Connected the two switches by symmetrically routed interfaces.

•

Ensured that the interface on which you will configure unicast RPF is symmetrically routed.

Overview and Topology Large amounts of unauthorized traffic such as attempts to flood a network with fake (bogus) service requests in a denial-of-service (DoS) attack can consume network resources and deny service to legitimate users. One way to help prevent DoS and distributed denial-of-service (DDoS) attacks is to verify that incoming traffic originates from legitimate network sources. Unicast RPF helps ensure that a traffic source is legitimate (authorized) by comparing the source address of each packet that arrives on an interface to the forwarding-table entry for its source address. If the switch uses the same interface that the packet arrived on to reply to the packet's source, this verifies that the packet originated from an authorized source, and the switch forwards the packet. If the switch does not use the same interface that the packet arrived on to reply to the packet's source, the packet might have originated from an unauthorized source, and the switch discards the packet.


1809

®


This example uses two EX8200 switches. On EX3200 and EX4200 switches, you cannot configure individual interfaces for unicast RPF. On EX3200 and EX4200 switches, the switch applies unicast RPF globally to all interfaces on the switch. See “Understanding Unicast RPF for EX Series Switches” on page 1779 for more information on limitations regarding the configuration of unicast RPF on EX3200 and EX4200 switches. In this example, an enterprise network's system administrator wants to protect Switch A against potential DoS and DDoS attacks from the Internet. The administrator configures unicast RPF on interface ge-1/0/10 on Switch A. Packets arriving on interface ge-1/0/10 on Switch A from the Switch B source also use incoming interface ge-1/0/10 as the best return path to send packets back to the source. The topology of this configuration example uses two EX8200 switches, Switch A and Switch B, connected by symmetrically routed interfaces: •

Switch A is on the edge of an enterprise network. The interface ge-1/0/10 on Switch A connects to the interface ge-1/0/5 on Switch B.

•

Switch B is on the edge of the service provider network that connects the enterprise network to the Internet.

Configuration To enable unicast RPF, perform these tasks: CLI Quick Configuration

To quickly configure unicast RPF on Switch A, copy the following command and paste it into the switch terminal window: [edit interfaces] set ge-1/0/10 unit 0 family inet rpf-check


To configure unicast RPF on Switch A: 1.

Enable unicast RPF on interface ge-1/0/10: [edit interfaces] user@switch# set ge-1/0/10 unit 0 family inet rpf-check

Results

Check the results: [edit interfaces] user@switch# show ge-1/0/10 { unit 0 { family inet { rpf-check; } } }

Verification To confirm that the configuration is correct, perform these tasks: •

1810

Verifying That Unicast RPF Is Enabled on the Switch on page 1811



Verifying That Unicast RPF Is Enabled on the Switch Purpose Action

Verify that unicast RPF is enabled. Verify that unicast RPF is enabled on interface ge-1/0/10 by using the show interfaces ge-1/0/10 extensive or show interfaces ge-1/0/10 detail command. user@switch> show interfaces ge-1/0/10 extensive Physical interface: ge-1/0/10, Enabled, Physical link is Down Interface index: 139, SNMP ifIndex: 58, Generation: 140 Link-level type: Ethernet, MTU: 1514, Speed: Auto, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:95:ab, Hardware address: 00:19:e2:50:95:ab Last flapped : Never Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort

0

0

0

1 assured-forw

0

0

0

5 expedited-fo

0

0

0

7 network-cont

0

0

0

Active alarms : LINK Active defects : LINK MAC statistics: Total octets Total packets Unicast packets Broadcast packets Multicast packets CRC/Align errors


Receive 0 0 0 0 0 0

Transmit 0 0 0 0 0 0

1811

®


FIFO errors 0 MAC control frames 0 MAC pause frames 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count Output packet pad count Output packet error count CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Incomplete Packet Forwarding Engine configuration: Destination slot: 1 Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol inet, Generation: 144, Route table: 0 Flags: uRPF Addresses, Flags: Is-Preferred Is-Primary

Meaning


1812

0 0 0

0 0 0

(Generation 135)

0 0 0 0

bps bps pps pps

The second-to-last line of the display shows the unicast RPF flag enabled, confirming that unicast RPF is enabled on interface ge-1/0/10.

•


•




Example: Configuring IP Directed Broadcast on an EX Series Switch IP directed broadcast provides a method of sending broadcast packets to hosts on a specified subnet without broadcasting those packets to hosts on the entire network. This example shows how to enable a subnet to receive IP directed broadcast packets so you can perform backups and other network management tasks remotely: •


•


•




•

One PC

•

One EX Series switch

Before you configure IP directed broadcast for a subnet: •

Ensure that the subnet does not have a direct connection to the Internet.

•

Configure routed VLAN interfaces (RVIs) for the ingress and egress VLANs on the switch. See “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217.

Overview and Topology You might want to perform remote administration tasks such as backups and wake-on-LAN (WOL) application tasks to manage groups of clients on a subnet. One way to do this is to send IP directed broadcast packets targeted at the hosts in a particular target subnet. The network forwards IP directed broadcast packets as if they were unicast packets. When the IP directed broadcast packet is received by a VLAN that is enabled for targeted-broadcast, the switch broadcasts the packet to all the hosts in its subnet. In this topology (see Figure 52 on page 1814), a host is connected to an interface on an EX Series switch to manage the clients in subnet 10.1.2.1/24. When the switch receives a packet with the broadcast IP address of the target subnet as its destination address, it forwards the packet to the subnet’s Layer 3 interface and broadcasts it to all the hosts within the subnet.


1813

®


Figure 52: Topology for IP Directed Broadcast

Table 201 on page 1814 shows the settings of the components in this example.

Table 201: Components of the IP Directed Broadcast Topology Property

Settings

Switch hardware

EX Series switch

Ingress VLAN name

v0

Ingress VLAN IP address

10.1.1.1/24

Egress VLAN name

v1

Egress VLAN IP address

10.1.2.1/24

Interfaces in VLAN v0

ge-0/0/3.0

Interfaces in VLAN v1

ge-0/0/0.0 and ge-0/0/1.0

Configuration To configure IP directed broadcast on a subnet to enable remote management of its hosts: CLI Quick Configuration

To quickly configure the switch to accept IP directed broadcasts targeted at subnet 10.1.2.1/24, copy the following commands and paste them into the switch’s terminal window: [edit] set interfaces ge-0/0/0.0 family ethernet-switching vlan members v1 set interfaces ge-0/0/1.0 family ethernet-switching vlan members v1 set interfaces vlan.1 family inet address 10.1.2.1/24 set interfaces ge-0/0/3.0 family ethernet-switching vlan members v0 set interfaces vlan.0 family inet address 10.1.1.1/24 set vlans v1 l3-interface vlan.1 set vlans v0 l3-interface vlan.0 set interfaces vlan.1 family inet targeted-broadcast


To configure the switch to accept IP directed broadcasts targeted at subnet 10.1.2.1/24: 1.

Add logical interface ge-0/0/0.0 to VLAN v1: [edit interfaces] user@switch# set ge-0/0/0.0 family ethernet-switching vlan members v1

2.

Add logical interface ge-0/0/1.0 to VLAN v1: [edit interfaces]

1814



user@switch# set ge-0/0/1.0 family ethernet-switching vlan members v1 3.

Configure the IP address for the egress VLAN, v1: [edit interfaces] user@switch# set vlan.1 family inet address 10.1.2.1/24

4.

Add logical interface ge-0/0/3.0 to VLAN v0: [edit interfaces] user@switch# set ge-0/0/3.0 family ethernet-switching vlan members v0

5.

Configure the IP address for the ingress VLAN: [edit interfaces] user@switch# set vlan.0 family inet address 10.1.1.1/24

6.

To route traffic between the ingress and egress VLANs, associate a Layer 3 interface with each VLAN: [edit vlans] user@switch# set v1 l3-interface (VLANs)vlan.1 user@switch# set v0 l3–interface vlan.0

7.

Enable the Layer 3 interface for the egress VLAN to receive IP directed broadcasts: [edit interfaces] user@switch# set vlan.1 family inet targeted-broadcast

Results

Check the results: user@switch# show interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { vlan { members v1; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members v1; } } } } ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members v0; } } } } vlan { unit 0 { family inet {


1815

®


targeted-broadcast; address 10.1.1.1/24; } } unit 1 { family inet { targeted-broadcast; address 10.1.2.1/24; } } } vlans { default; v0 { l3-interface vlan.0; } v1 { l3-interface vlan.1; } }


1816

•



CHAPTER 58

Configuring Interfaces •


•

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 1821

•

Port Role Configuration with the J-Web Interface (with CLI References) on page 1828

•

Adding an Interface Description to the Configuration on page 1832

•

Adding a Logical Unit Description to the Configuration on page 1833

•

Disabling a Physical Interface on page 1834

•

Disabling a Logical Interface on page 1835

•

Configuring Flow Control on page 1835

•

Configuring the Interface Address on page 1836

•

Configuring the Interface Bandwidth on page 1839

•

Configuring the Media MTU on page 1839

•

Setting the Protocol MTU on page 1850

•

Interface Ranges on page 1850

•

Configuring Accounting for the Physical Interface on page 1860

•

Configuring Accounting for the Logical Interface on page 1861

•

Configuring Ethernet Loopback Capability on page 1862

•

Configuring Gratuitous ARP on page 1863

•

Configuring Static ARP Table Entries on page 1864

•

Disabling the Transmission of Redirect Messages on an Interface on page 1865

•

Configuring Restricted and Unrestricted Proxy ARP on page 1865

•

Enabling or Disabling SNMP Notifications on Logical Interfaces on page 1866

•

Enabling or Disabling SNMP Notifications on Physical Interfaces on page 1867

•

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 1867

•

Configuring Aggregated Ethernet Interfaces (J-Web Procedure) on page 1868

•

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 1871

•

Configuring Aggregated Ethernet Link Protection on page 1872

•

Configuring Aggregated Ethernet Link Speed on page 1873

•

Configuring Aggregated Ethernet Minimum Links on page 1874


1817

®


•

Configuring Tagged Aggregated Ethernet Interfaces on page 1875

•


•


•


•


•

Tracing Operations of an Individual Router or Switch Interface on page 1879

•

Tracing Operations of the Interface Process on page 1879

•


•

Configuring the Media Type on Dual-Purpose Uplink Ports (CLI Procedure) on page 1881

•


•

Damping Interface Transitions on page 1883

Configuring Gigabit Ethernet Interfaces (CLI Procedure) An Ethernet interface must be configured for optimal performance in a high-traffic network. EX Series switches include a factory default configuration that: •

Enables all the network interfaces on the switch

•

Sets a default port mode (access)

•

Sets default link settings

•

Specifies a logical unit (unit 0) and assigns it to family ethernet-switching (except on EX8200 switches and Virtual Chassis)

•

Specifies Rapid Spanning Tree Protocol (RSTP) and Link Layer Discovery Protocol (LLDP)


Configuring VLAN Options and Port Mode on page 1818

•

Configuring the Link Settings on page 1819

•

Configuring the IP Options on page 1821

Configuring VLAN Options and Port Mode By default, when you boot a switch and use the factory default configuration, or when you boot the switch and do not explicitly configure a port mode, all interfaces on the switch are in access mode and accept only untagged packets from the VLAN named default. You can optionally configure another VLAN and use that instead of default. You can also configure a port to accept untagged packets from the user-configured VLAN. For details on this concept (native VLAN), see “Understanding Bridging and VLANs on EX Series Switches” on page 2073 If you are connecting either a desktop phone, wireless access point or a security camera to a Power over Ethernet (PoE) port, you can configure some parameters for the PoE interface. PoE interfaces are enabled by default. For detailed information on PoE settings, see “Configuring PoE (CLI Procedure)” on page 4635.

1818


Chapter 58: Configuring Interfaces

If you are connecting a device to other switches and to routers on the LAN, you need to assign the interface to a logical port and configure the logical port as a trunk port. See “Port Role Configuration with the J-Web Interface (with CLI References)” on page 1828 for more information about port configuration. If you are connecting to a server that contains virtual machines and a VEPA for packet aggregation from those virtual machines, configure the port as a tagged-access port. See “Understanding Bridging and VLANs on EX Series Switches” on page 2073 for more information about tagged access. To configure a Gigabit Ethernet interface or 10-Gigabit Ethernet interface for trunk port mode: [edit] user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching port-mode trunk

To configure a Gigabit Ethernet interface or 10-Gigabit Ethernet interface for tagged-access port mode: [edit] user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching port-mode tagged-access

Configuring the Link Settings EX Series switches include a factory default configuration that enables interfaces with the following link settings: •

All Gigabit Ethernet interfaces are set to auto-negotiation.

•

The speed for Gigabit Ethernet interfaces is set to auto, allowing the interface to operate at 10m, 100m, or 1g. The link operates at the highest possible speed, depending on the capabilities of the remote end.

•

The flow control for Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces is set to enabled.

•

The link mode is set to auto, allowing the interface to operate as either full duplex or half duplex. The link operates as full duplex unless this mode is not supported at the remote end.

•

The 10-Gigabit Ethernet interfaces default to no auto-negotiation. The default speed is 10g and the default link mode is full duplex.


1819

®


To configure the link settings: •

Set link settings for a Gigabit Ethernet interface: [edit] user@switch# set interfaces ge-fpc/pic/port ether-options

•

Set link settings for a 10-Gigabit Ethernet interface: [edit] user@switch# set interfaces xe-fpc/pic/port ether-options

NOTE: On EX Series switches, fpc can have the following values: •

On an EX2200 switch, an EX3200 switch, a standalone EX3300 switch, a standalone EX4200 switch, and a standalone EX4500 switch, FPC refers to the switch itself. The FPC number is always 0 on these switches.

•

On an EX3300 Virtual Chassis, an EX4200 Virtual Chassis, an EX4500 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis, the FPC number indicates the member ID of the switch within the Virtual Chassis.

•

On an EX6200 switch and a standalone EX8200 switch, the FPC number indicates the slot number of the line card that contains the physical interface. On an EX6200 switch, the FPC number also indicates the slot number of the Switch Fabric and Routing Engine (SRE) module that contains the uplink port.

•

On an EX8200 Virtual Chassis, the FPC number indicates the slot number of the line card on the Virtual Chassis. The line card slots on Virtual Chassis member 0 are numbered 0 through 15; on member 1, they are numbered 16 through 31, and so on.

pic can have the following values: •

On EX2200, EX3200, EX3300, EX4200, and EX4500 switches, the PIC number is 0 for all built-in interfaces (interfaces that are not an uplink port).

•

On EX2200, EX3200, and EX4200 switches, the PIC number is 1 for uplink ports.

•

On EX4500 switches, the PIC number is 1 for uplink ports on the left-hand uplink module and 2 for uplink ports on the right-hand uplink module.

•

On EX6200 and EX8200 switches, the PIC number is always 0.

The ether-options statement allows you to modify the configuration: •

802.3ad—Specify an aggregated Ethernet bundle. See “Configuring Aggregated Ethernet

Links (CLI Procedure)” on page 1867. •

auto-negotiation—Enable or disable autonegotation of flow control, link mode, and

speed. •

1820

flow-control—Enable or disable flow control.



•

link-mode—Specify full-duplex, half-duplex, or automatic.

•

loopback—Enable or disable loopback mode.

•

speed—Specify 10m, 100m, 1g, or autonegotiation.

Configuring the IP Options To specify an IP address for the logical unit using IPv4: [edit] user@switch# set interfaces interface-name unit logical-unit-number family inet address ip-address

To specify an IP address for the logical unit using IPv6: [edit] user@switch# set interfaces interface-name unit logical-unit-number family inet6 address ip-address

NOTE: Access interfaces on EX2200, EX3200, EX3300, EX4200, and EX4500 switches are set to family ethernet-switching by default. You might have to delete this or another user-configured family setting before changing the setting to family inet or family inet6.


•


•

Monitoring Interface Status and Traffic on page 1885

•

show interfaces ge- on page 2014

•

show interfaces xeon page 2050

•


Configuring Gigabit Ethernet Interfaces (J-Web Procedure) An Ethernet interface must be configured for optimal performance in a high-traffic network.


1821

®


To configure properties on a Gigabit Ethernet interface or a 10-Gigabit Ethernet interface on an EX Series switch: 1.

Select Interfaces > Ports. The page lists Gigabit Ethernet and 10-Gigabit Ethernet interfaces and their link status.

NOTE: After you make changes to the configuration in this page, you must commit the changes immediately for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes for details about all commit options.

2. Select the interface you want to configure. If the interface you want to configure is

not listed under Ports in the top table on the page, select the FPC (the FPC is the line card on an EX8200 switch or the member switch in a Virtual Chassis configuration) that includes that interface from the List Ports for FPC list. Details for the selected interface such as administrative status, link status, speed, duplex, and flow control are displayed in the bottom table on the page.

NOTE: You can select multiple interfaces and modify their settings at the same time. When you do this, you cannot modify the IP address or enable or disable the administrative status of the selected interface.

NOTE: In the J-Web interface, you cannot configure interface ranges and interface groups.

3. Click Edit and select the set of options you want to configure first:

1822



•

Port Role—Enables you to assign a profile for the selected interface.

NOTE: When you select a particular port role, pre-configured port security parameters are set for the VLAN that the interface belongs to. For example, if you select the port role Desktop, the port security options examine-dhcp and arp-inspection are enabled on the VLAN that the interface belongs to. If there are interfaces in the VLAN that have static IP addresses, those interfaces might lose connectivity because those static IP addresses might not be present in the DHCP pool. Therefore, when you are selecting a port role, ensure that the corresponding port security settings for the VLAN are applicable to the interface. For basic information on port security features such as DHCP snooping (CLI option examine-dhcp) or dynamic ARP inspection (DAI) (CLI option arp-inspection), see “Configuring Port Security (J-Web Procedure)” on page 4136. For detailed descriptions of port security features, see the Port Security topics in the EX Series documentation at http://www.juniper.net/techpubs/.

Click Details to view the configuration parameters for the selected port role. •

VLAN Options—Enables you to configure VLAN options for the selected interface.

•

Link Options—Enables you to modify the following link options for the selected interface:

•

•

Speed

•

MTU

•

Autonegotiation

•

Flow Control

•

Duplex

IP Options—Enables you to configure an IP address for the interface.

4. Configure the interface by configuring options in the selected option set. See Table

202 on page 1824 for details on options. 5. Repeat steps 3 and 4 for the remaining option sets that you want to configure for the

interface.

NOTE: To enable or disable the administrative status for a selected interface, click Enable Port or Disable Port.


1823

®


Table 202: Port Edit Options Field

Function

Port Role

Specifies a profile (role) to assign to the interface.

Your Action

NOTE: Once a port role is configured on the interface, you cannot specify VLAN options or IP options. NOTE: Only the following port roles can be applied on EX8200 switch interfaces:

Default

Desktop

Desktop and Phone

•

Default

•

Layer 2 uplink

•

Routed uplink

Applies the default role.

1.

The interface family is set to ethernet-switching, port mode is set to access, and RSTP is enabled.

2. Click OK.

Applies the desktop role.

1.

The interface family is set to ethernet-switching, port mode is set to access, RSTP is enabled with the edge and point-to-point options, and port security parameters (MAC limit =1; dynamic ARP inspection and DHCP snooping enabled) are set.

2. Click Details to view CLI commands for this role.

Applies the desktop and phone role.

1.

The interface family is set to ethernet-switching, port mode is set to access, port security parameters (MAC limit =1; dynamic ARP Inspection and DHCP snooping enabled) are set, and recommended CoS parameters are specified for forwarding classes, schedulers, and classifiers. See Table 203 on page 1827 for more CoS information.

Click Details to view CLI commands for this role.

Select an existing VLAN configuration or type the name of a new VLAN configuration to be associated with the interface.

3. Click OK.

Select an existing VLAN configuration or type the name of a new VLAN configuration to be associated with the interface. You can also select an existing VoIP VLAN configuration or a new VoIP VLAN configuration to be associated with the interface.

NOTE: VoIP is not supported on EX8200 switches. 2. Click Details to view CLI commands for this role. 3. Click OK.

Wireless Access Point

Applies the wireless access point role.

1.

Select an existing VLAN configuration or type the name of a new VLAN configuration to be associated with the interface. Type the VLAN ID for a new VLAN.

The interface family is set to ethernet-switching, port mode is set to access, and RSTP is enabled with the edge and point-to-point options.

2. Click Details to view CLI commands for this role. 3. Click OK.

1824



Table 202: Port Edit Options (continued) Field

Function

Your Action

Routed Uplink

Applies the routed uplink role.

To specify an IPv4 address:

The interface family is set to inet, and recommended CoS parameters are set for schedulers and classifiers. See Table 203 on page 1827 for more CoS information.

1.


2. Type an IP address—for example: 10.10.10.10. 3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. 4. Click OK. To specify an IPv6 address: 1.


2. Type an IP address—for example: 2001:ab8:85a3::8a2e:370:7334. 3. Enter the subnet mask or address prefix. 4. Click OK. NOTE: Ipv6 is not supported on EX2200 and EX4500 switches.

Layer 2 Uplink

Applies the Layer 2 uplink role. The interface family is set to ethernet-switching, port mode is set to trunk, RSTP is enabled with the point-to-point option, and port security is set to dhcp-trusted.

None

1.

For this port role you can select a VLAN member and associate a native VLAN with the interface.

2. Click Details to view CLI commands for this role. 3. Click OK.

Specifies that no port role is configured for the selected interface.

NOTE: See “Port Role Configuration with the J-Web Interface (with CLI References)” on page 1828 for details on the CLI commands that are associated with each port role. NOTE: For an EX8200 switch, dynamic ARP inspection and DHCP snooping parameters are not configured. VLAN Options


1825

®



Function

Your Action

Port Mode

Specifies the mode of operation for the interface: trunk or access.

If you select Trunk, you can: 1.

Click Add to add a VLAN member.

2. Select the VLAN and click OK. 3. (Optional) Associate a native VLAN with the interface. 4. Click OK. If you select Access, you can: 1.

Select the VLAN member to be associated with the interface.

2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a VLAN ID can be associated as a VoIP VLAN. NOTE: VoIP is not supported on EX8200 switches. 3. Click OK. Link Options MTU (bytes)

Specifies the maximum transmission unit size for the interface.

Type a value from 256 through 9216. The default MTU for Gigabit Ethernet interfaces is 1514.

Speed

Specifies the speed for the mode.

Select one of the following values: 10 Mbps, 100 Mbps, 1000 Mbps, or Auto-Negotiation.

Duplex

Specifies the link mode.

Select one: automatic, half, or full.

Description

Describes the link.

Enter a brief description for the link.

NOTE: If the interface is part of a link aggregation group (LAG), only the option Description is enabled. Enable Auto Negotiation

Enables or disables autonegotiation.

Select the check box to enable autonegotiation, or clear the check box to disable it. By default, autonegotiation is enabled.

Enable Flow Control

Enables or disables flow control.

Select the check box to enable flow control to regulate the amount of traffic sent out of the interface, or clear the check box to disable flow control and permit unrestricted traffic. Flow control is enabled by default.

IP Options

1826




Function

Your Action

IPv4 Address

Specifies an IPv4 address for the interface.

1.

NOTE: If the IP address is cleared, the interface still belongs to the inet family.

2. Type an IP address—for example: 10.10.10.10.

To specify an IPv4 address, select the check box IPv4 address.

3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. 4. Click OK. IPv6 Address

Specifies an IPv6 address for the interface. NOTE: If the IP address is cleared, the interface still belongs to the inet family.

1.

To specify an IPv6 address, select the check box IPv6 address.

2. Type an IP address—for example: 2001:ab8:85a3::8a2e:370:7334. 3. Enter the subnet mask or address prefix. 4. Click OK. NOTE: Ipv6 is not supported on EX2200 and EX4500 switches.

Table 203: Recommended CoS Settings for Port Roles CoS Parameter

Recommended Settings

Forwarding Classes

There are four forwarding classes:

Schedulers

•

voice—Queue number is set to 7.

•

expedited-forwarding—Queue number is set to 5.

•

assured-forwarding—Queue number is set to 1.

•

best-effort—Queue number is set to 0.

The schedulers and their settings are: •

Strict-priority—Transmission rate is set to 10 percent and buffer size to 5 percent.

•

Expedited-scheduler—Transmission rate is set to 30 percent, buffer size to 30 percent, and priority to low.

•

Assured-scheduler—Transmission rate is set to 25 percent, buffer size to 25 percent, and priority to low.

•

Best-effort scheduler—Transmission rate is set to 35 percent, buffer size to 40 percent, and priority to low.

Scheduler maps

When a desktop and phone, routed uplink, or layer 2 uplink role is applied on an interface, the forwarding classes and schedulers are mapped using the scheduler map.

ieee-802.1 classifier

Imports the default ieee-802.1 classifier configuration and sets the loss priority to low for the code point 101 for the voice forwarding class.

dscp classifier

Imports the default dscp classifier configuration and sets the loss priority to low for the code point 101110 for the voice forwarding class.


1827

®



•


•


•


•

Junos OS CoS for EX Series Switches Overview on page 4420

•


Port Role Configuration with the J-Web Interface (with CLI References) When you configure Gigabit Ethernet interface properties with the J-Web interface (Configure > Interfaces) you can optionally select pre-configured port roles for those interfaces. When you select a role from the Port Role field and apply it to a port, the J-Web interface modifies the switch configuration using CLI commands. Table 204 on page 1828 lists the CLI commands applied for each port role.

NOTE: If there is an existing port role configuration, it is cleared before the new port role configuration is applied.

Table 204: Port Role Configuration Summary Configuration Description

CLI Commands

Default Port Role Set the port role to Default.

set interfaces interfaceapply-macro juniper-port-profile Default

Set port family to ethernet-switching.

set interfaces interface unit 0 family ethernet-switching port-mode access

Set port mode to access. Enable RSTP if redundant trunk groups are not configured.

delete protocols rstp interface interface disable

Disable RSTP if redundant trunk groups are configured.

set protocols rstp interface interface disable

Desktop Port Role Set the port role to desktop.

set interfaces interface apply-macro juniper-port-profile Desktop

Set VLAN if new VLAN is specified.

set vlans vlan-id

Set port family to ethernet-switching.


Set Port Mode to Access. Set VLAN if new VLAN is specified.

1828

set interfaces interface unit 0 family ethernet-switching vlan members vlan-members



Table 204: Port Role Configuration Summary (continued) Configuration Description

CLI Commands

Set port security parameters.

set ethernet-switching-options secure-access-port vlan MacTest arp-inspection

Set RSTP protocol with edge option.

set protocols rstp interface interface edge

RSTP protocol is disabled if redundant trunk groups are configured.


Desktop and Phone Port Role Set the port role to desktop and phone.

set interfaces interfaceapply-macro juniper-port-profile Desktop and Phone

Set data VLAN if new VLAN is specified.

set vlans vlan-namevlan-id vlan id

Set voice VLAN if new voice VLAN is specified. Set port family to ethernet-switching.

set interfaces interfaceunit 0 family ethernet-switching port-mode access

Set Port Mode to access. Set data VLAN on port stanza.


Set port security parameters.

set ethernet-switching-options secure-access-port vlan MacTest arp-inspection

Set VOIP VLAN.

set ethernet-switching-options voip interface interface.0 vlan vlan vlan name

Set class of service parameters

set class-of-service interfaces interfacescheduler-map juniper-port-profile-map set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier set class-of-service interfaces interfaceunit 0 classifiers dscp juniper-dscp-classifier

SCHEDULER_MAP=juniper-port-profile-map IEEE_CLASSIFIER=juniper-ieee-classifier DSCP_CLASSIFIER=juniper-dscp-classifier

Set CoS Configuration

Refer Table 205 on page 1831 for details.

Wireless Access Point Port Role Set the port role to wireless access point.

set interfaces interface apply-macro juniper-port-profile Wireless Access Point

Set VLAN on VLANs stanza.

set vlans vlan namevlan-id vlan-id

Set port family to ethernet-ewitching


Set port mode to Access. Set VLAN on port stanza.


Set RSTP protocol with edge option.

set protocols rstp interface interface edge


1829

®


Table 204: Port Role Configuration Summary (continued) Configuration Description

CLI Commands

RSTP protocol is disabled if redundant trunk groups are configured.


Routed Uplink Port Role Set the port role to Routed Uplink.

set interfaces interface apply-macro juniper-port-profile Routed Uplink

Set port family to inet.

set interfaces interfaceunit 0 family inet address ipaddress

Set IP address on the port. Set class-of-service parameters SCHEDULER_MAP=juniper-port-profile-map IEEE_CLASSIFIER=juniper-ieee-classifier DSCP_CLASSIFIER=juniper-dscp-classifier

Set CoS configuration


Refer Table 205 on page 1831 for details.

Layer 2 Uplink Port Role Set the port role to Layer 2 Uplink.

set interfaces interface apply-macro juniper-port-profile Layer2 Uplink

Set port family to ethernet-switching

set interfaces interface unit 0 family ethernet-switching port-mode trunk

Set port mode to trunk. Set Native VLAN name.

set interfaces interface unit 0 family ethernet-switching native-vlan-id vlan-name

Set the port as part of all valid VLANs; ”valid" refers to all VLANs except native VLAN and voice VLANs.


Set port security parameter.

set ethernet-switching-options secure-access-port dhcp-trusted

Set RSTP protocol with point-to-point option.

set protocols rstp interface interface mode point-to-point

Disable RSTP if redundant trunk groups are configured.


Set class-of-service parameters.


SCHEDULER_MAP=juniper-port-profile-map IEEE_CLASSIFIER=juniper_ieee_classifier DSCP_CLASSIFIER=juniper_dscp_classifier

Set CoS configuration

1830

Refer to Table 205 on page 1831 for details.



Table 205 on page 1831 lists the CLI commands for the recommended CoS settings that are committed when the CoS configuration is set.

Table 205: Recommended CoS Settings for Port Roles CoS Parameter

CLI Command

Forwarding Classes voice

set class-of-service forwarding-classes class voice queue-num 7

expedited-forwarding

set class-of-service forwarding-classes class expedited-forwarding queue-num 5

assured-forwarding

set class-of-service forwarding-classes class assured-forwarding queue-num 1

best-effort

set class-of-service forwarding-classes class best-effort queue-num 0

Schedulers strict-priority-scheduler

The CLI commands are: •

expedited-scheduler

set class-of-service schedulers strict-priority-scheduler transmit-rate percent 10 set class-of-service schedulers strict-priority-scheduler buffer-size percent 5 set class-of-service schedulers strict-priority-scheduler priority strict-high

The CLI commands are: •

assured-scheduler

set class-of-service schedulers expedited-scheduler transmit-rate percent 30 set class-of-service schedulers expedited-scheduler buffer-size percent 30 set class-of-service schedulers expedited-scheduler priority low

The CLI commands are: set class-of-service schedulers assured-scheduler transmit-rate percent 25 set class-of-service schedulers strict-priority-scheduler buffer-size percent 25 set class-of-service schedulers strict-priority-scheduler priority low

best-effort-scheduler

The CLI commands are: set class-of-service schedulers best-effort-scheduler transmit-rate percent 35 set class-of-service schedulers best-effort-scheduler buffer-size percent 40 set class-of-service schedulers best-effort-scheduler priority low

Classifiers

The classifiers are: set class-of-service classifiers ieee-802.1 juniper_ieee_classifier import default forwarding-class voice loss-priority low code-points 101 set class-of-service classifiers dscp juniper_dscp_classifier import default forwarding-class voice loss-priority low code-points 101110


•


•



1831

®


Adding an Interface Description to the Configuration You can include a text description of each physical interface in the configuration file. Any descriptive text you include is displayed in the output of the show interfaces commands, and is also exposed in the ifAlias Management Information Base (MIB) object. It has no impact on the interface’s configuration. To add a text description, include the description statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] description text;

The description can be a single line of text. If the text contains spaces, enclose it in quotation marks.

NOTE: You can configure the extended DHCP relay to include the interface description in the option 82 Agent Circuit ID suboption. See Enabling and Disabling Insertion of Option 82 Information in the Junos OS Subscriber Access Configuration Guide.

For information about describing logical units, see “Adding a Logical Unit Description to the Configuration” on page 1833.

Example: Adding an Interface Description to the Configuration Add a description to a Fast Ethernet interface: [edit interfaces] user@host# set fe-0/0/1 description "Backbone connection to PHL01" [edit interfaces] user@host# show fe-0/0/1 { description "Backbone connection to PHL01"; unit 0 { family inet { address 192.168.0.1/30; } } }

To display the description from the router or switch CLI, use the show interfaces command: user@host> show interfaces fe-0/0/1 Physical interface: fe-0/0/1, Enabled, Physical link is Up Interface index: 129, SNMP ifIndex: 23 Description: Backbone connection to PHL01 ...

To display the interface description from the interfaces MIB, use the snmpwalk command from a server. To isolate information for a specific interface, search for the interface index

1832



shown in the SNMP ifIndex field of the show interfaces command output. The ifAlias object is in ifXTable. user-server>snmpwalk host-fxp0.mylab public ifXTable | grep -e '\.23' snmpwalk host-fxp0.mylab public ifXTable | grep -e '\.23' ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.23 = fe-0/0/1 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifInMulticastPkts.23 = Counter32: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifInBroadcastPkts.23 = Counter32: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifOutMulticastPkts.23 = Counter32: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifOutBroadcastPkts.23 = Counter32: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInUcastPkts.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInMulticastPkts.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInBroadcastPkts.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets.23 = Counter64: 42 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutUcastPkts.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutMulticastPkts.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutBroadcastPkts.23 = Counter64: 0 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifLinkUpDownTrapEnable.23 = enabled(1) ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHighSpeed.23 = Gauge32: 100 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifPromiscuousMode.23 = false(2) ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifConnectorPresent.23 = true(1) ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifAlias.23 = Backbone connection to PHL01 ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifCounterDiscontinuityTime.23 = Timeticks: (0) 0:00:00.00

Adding a Logical Unit Description to the Configuration You can include a text description of each logical unit in the configuration file. Any descriptive text you include is displayed in the output of the show interfaces commands, and is also exposed in the ifAlias Management Information Base (MIB) object. It has no impact on the interface’s configuration. To add a text description, include the description statement: description text;

You can include this statement at the following hierarchy levels: •

[edit interfaces interface-name unit logical-unit-number]

•

[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The description can be a single line of text. If the text contains spaces, enclose it in quotation marks.

NOTE: You can configure the extended DHCP relay to include the interface description in the option 82 Agent Circuit ID suboption. See “Enabling and Disabling Insertion of Option 82 Information” in the Junos OS Subscriber Access Configuration Guide.

For information about describing physical interfaces, see “Adding an Interface Description to the Configuration” on page 1832.


1833

®


Disabling a Physical Interface You can disable a physical interface, marking it as being down, without removing the interface configuration statements from the configuration. To do this, include the disable statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] disable;

CAUTION: Dynamic subscribers and logical interfaces use physical interfaces for connection to the network. The Junos OS allows you to set the interface to disable and commit the change while dynamic subscribers and logical interfaces are still active. This action results in the loss of all subscriber connections on the interface. Use care when disabling interfaces.

NOTE: On the router, when you use the disable statement at the edit interfaces hierarchy level, depending on the PIC type, the interface might or might not turn off the laser. Older PIC transceivers do not support turning off the laser, but newer Gigabit Ethernet PICs with SFP and XFP transceivers do support it and the laser will be turned off when the interface is disabled.

WARNING: Do not stare into the laser beam or view it directly with optical instruments even if the interface has been disabled.

Example: Disabling a Physical Interface Disable a physical interface: [edit interfaces] so-1/1/0 { mtu 8000; clocking internal; encapsulation ppp; sonet-options { fcs 16; } unit 0 { family inet { address 172.16.0.0/12 { destination 172.16.0.4; } } } } [edit interfaces] user@host# set so-1/1/0 disable [edit interfaces]

1834



user@host# show so-1/1/0 so-1/1/0 { disable;# Interface is marked as disabled mtu 8000; clocking internal; encapsulation ppp; sonet-options { fcs 16; } unit 0 { family inet { address 172.16.0.0 { destination 172.16.0.3; } } } }

Disabling a Logical Interface You can unconfigure a logical interface, effectively disabling that interface, without removing the logical interface configuration statements from the configuration. To do this, include the disable statement: disable;



•


When an interface is disabled, a route (pointing to the reserved target “REJECT”) with the IP address of the interface and a 32–bit subnet mask is installed in the routing table. See Routing Protocols.

Configuring Flow Control By default, the router or switch imposes flow control to regulate the amount of traffic sent out on a Fast Ethernet, Tri-Rate Ethernet copper, Gigabit Ethernet, and 10-Gigabit Ethernet interface. Flow control is not supported on the 4-port Fast Ethernet PIC. This is useful if the remote side of the connection is a Fast Ethernet or Gigabit Ethernet switch. You can disable flow control if you want the router or switch to permit unrestricted traffic. To disable flow control, include the no-flow-control statement: no-flow-control;

To explicitly reinstate flow control, include the flow-control statement: flow-control;

You can include these statements at the following hierarchy levels:


1835

®



•

[edit interfaces interface-name aggregated-ether-options]

•

[edit interfaces interface-name ether-options]

•

[edit interfaces interface-name fastether-options]

•

[edit interfaces interface-name gigether-options]

•

flow-control on page 1931

•

Ethernet Interfaces Overview

•


Configuring the Interface Address You assign an address to an interface by specifying the address when configuring the protocol family. For the inet or inet6 family, configure the interface IP address. For the iso family, configure one or more addresses for the loopback interface. For the ccc, ethernet-switching, tcc, mpls, tnp, and vpls families, you never configure an address.

NOTE: The point-to-point (PPP) address is taken from the loopback interface address that has the primary attribute. When the loopback interface is configured as an unnumbered interface, it takes the primary address from the donor interface.

To assign an address to an interface, include the address statement: address address { broadcast address; destination address; destination-profile name; eui-64; preferred; primary; }

You can include these statements at the following hierarchy levels: •

[edit interfaces interface-name unit logical-unit-number family family]

•

[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]

In the address statement, specify the network address of the interface.

1836



For each address, you can optionally configure one or more of the following: •

Broadcast address for the interface subnet—Specify this in the broadcast statement; this applies only to Ethernet interfaces, such as the management interface fxp0, em0, or me0 the Fast Ethernet interface, and the Gigabit Ethernet interface.

•

Address of the remote side of the connection (for point-to-point interfaces only)—Specify this in the destination statement.

•

PPP properties to the remote end—Specify this in the destination-profile statement. You define the profile at the [edit access group-profile name ppp] hierarchy level (for point-to-point interfaces only).

•

Whether the router or switch automatically generates the host number portion of interface addresses—The eui-64 statement applies only to interfaces that carry IPv6 traffic, in which the prefix length of the address is 64 bits or less, and the low-order 64 bits of the address are zero. This option does not apply to the loopback interface (lo0) because IPv6 addresses configured on the loopback interface must have a 128-bit prefix length.

NOTE: IPv6 is not currently supported for the QFX Series.

•

Whether this address is the preferred address—Each subnet on an interface has a preferred local address. If you configure more than one address on the same subnet, the preferred local address is chosen by default as the source address when you originate packets to destinations on the subnet. By default, the preferred address is the lowest-numbered address on the subnet. To override the default and explicitly configure the preferred address, include the preferred statement when configuring the address.

•

Whether this address is the primary address—Each interface has a primary local address. If an interface has more than one address, the primary local address is used by default as the source address when you send packets from an interface where the destination provides no information about the subnet (for example, some ping commands).

By default, the primary address on an interface is the lowest-numbered non-127 (in other words, non-loopback) preferred address on the interface. To override the default and explicitly configure the preferred address, include the primary statement when configuring the address. •

Configuring Interface IPv4 Addresses on page 1837

•

Configuring Interface IPv6 Addresses on page 1838

Configuring Interface IPv4 Addresses You can configure router or switch interfaces with a 32-bit IP version 4 (IPv4) address and optionally with a destination prefix, sometimes called a subnet mask. An IPv4 address utilizes a 4-octet dotted decimal address syntax (for example, 192.16.1.1). An IPv4 address with destination prefix utilizes a 4-octet dotted decimal address syntax with a destination prefix appended (for example, 192.16.1.1/30).


1837

®


To configure an IPv4 address on routers and switches running Junos OS, use the edit interface interface-name unit number family inet address a.b.c.d/nn statement at the [edit interfaces] hierarchy level.

NOTE: Juniper Networks routers and switches support /31 destination prefixes when used in point-to-point Ethernet configurations; however, they are not supported by many other devices, such as hosts, hubs, routers, or switches. You must determine if the peer system also supports /31 destination prefixes before configuration.

Configuring Interface IPv6 Addresses NOTE: IPv6 is not currently supported for the QFX Series.

You represent IP version 6 (IPv6) addresses in hexadecimal notation using a colon-separated list of 16-bit values. You assign a 128-bit IPv6 address to an interface by including the address statement: address aaaa:bbbb:...:zzzz/nn;

NOTE: You cannot configure a subnet zero IPv6 address because RFC 2461 reserves the subnet-zero address for anycast addresses, and Junos OS complies with the RFC.


[edit interfaces interface-name unit logical-unit-number family inet6]

•

[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet6]

The double colon (::) represents all bits set to 0, as shown in the following example: interfaces fe-0/0/1 { unit 0 { family inet6 { address fec0:1:1:1::2/64; } } }

NOTE: You must manually configure the router or switch advertisement and advertise the default prefix for autoconfiguration to work on a specific interface.

1838




•

Configuring IPCP Options

•

Configuring Default, Primary, and Preferred Addresses and Interfaces

Configuring the Interface Bandwidth By default, the Junos OS uses the physical interface’s speed for the MIB-II object, ifSpeed. You can configure the logical unit to populate the ifSpeed variable by configuring a bandwidth value for the logical interface. The bandwidth statement sets an informational-only parameter; you cannot adjust the actual bandwidth of an interface with this statement.

NOTE: We recommend that you be careful when setting this value. Any interface bandwidth value that you configure using the bandwidth statement affects how the interface cost is calculated for a dynamic routing protocol, such as OSPF. By default, the interface cost for a dynamic routing protocol is calculated using the following formula: cost = reference-bandwidth/bandwidth,

where bandwidth is the physical interface speed. However, if you specify a value for bandwidth using the bandwidth statement, that value is used to calculate the interface cost, rather than the actual physical interface bandwidth.

To configure the bandwidth value for a logical interface, include the bandwidth statement: bandwidth rate;



•


rate is the peak rate, in bps or cps. You can specify a value in bits per second either as a

complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). You can also specify a value in cells per second by entering a decimal number followed by the abbreviation c; values expressed in cells per second are converted to bits per second using the formula 1 cps = 384 bps. The value can be any positive integer. The bandwidth statement is valid for all logical interfaces, except multilink interfaces.

Configuring the Media MTU The default media MTU size used on a physical interface depends on the encapsulation used on that interface. In some cases, the default IP Protocol MTU depends on whether the protocol used is IP version 4 (IPv4) or International Organization for Standardization (ISO). Table 206 on page 1840 through Table 216 on page 1847 list the media and protocol


1839

®


MTU sizes by interface type, and Table 217 on page 1847 lists the encapsulation overhead by encapsulation type.

Table 206: Media MTU Sizes by Interface Type for M5, M7i with CFEB, M10, M10i with CFEB, M20, and M40 Routers Default Media MTU (Bytes)

Maximum MTU (Bytes)

Default IP Protocol MTU (Bytes)

Adaptive Services (MTU size not configurable)

9192

N/A

N/A

ATM

4482

9192

4470

E1/T1

1504

9192

1500

E3/T3

4474

9192

4470

Fast Ethernet

1514

9192 (4-port)

1500 (IPv4), 1497 (ISO)

Interface Type

1532 (8-port) 1532 (12-port) Gigabit Ethernet

1514

9192

1500 (IPv4), 1497 (ISO)

Serial

1504

9192

1500 (IPv4), 1497 (ISO)

SONET/SDH

4474

9192

4470

Table 207: Media MTU Sizes by Interface Type for M40e Routers Default Media MTU (Bytes)

Maximum MTU (Bytes)



9192

N/A

N/A

ATM

4482

9192

4470

E1/T1

1504

4500

1500

E3/T3

4474

4500

4470

Interface Type

9192 (4-port)

1840

E3/DS3 IQ

4474

9192

4470

Fast Ethernet

1514

4500

1500 (IPv4), 1497 (ISO)



Table 207: Media MTU Sizes by Interface Type for M40e Routers (continued) Interface Type

Default Media MTU (Bytes)

Maximum MTU (Bytes)

Gigabit Ethernet

1514

9192 (1- or 2-port)

Default IP Protocol MTU (Bytes) 1500 (IPv4), 1497 (ISO)

9192 (4-port) Serial

1504

9192

1500 (IPv4), 1497 (ISO)

SONET/SDH

4474

4500 (1-port nonconcatenated)

4470

9192 (4-port OC3) 9192 (4-port OC3c) 4500 (1-port OC12) 4500 (4-port OC12) 4500 (4-port OC12c) 4500 (1-port OC48) 9192 (2-port OC3) 9192 (2-port OC3c) 9192 (1-port OC12c) 9192 (1-port OC48c) 4500 (1-port OC192) 9192 (1-port OC192c)

Table 208: Media MTU Sizes by Interface Type for M160 Routers Default Media MTU (Bytes)

Maximum MTU (Bytes)



9192

N/A

N/A

ATM

4482

9192

4470

E1/T1

1504

4500

1500

E3/T3

4474

4500

4470

E3/DS3 IQ

4474

9192

4470

Interface Type


1841

®


Table 208: Media MTU Sizes by Interface Type for M160 Routers (continued) Interface Type


Maximum MTU (Bytes)


Fast Ethernet

1514

4500

1500 (IPv4), 1497 (ISO)

Gigabit Ethernet

1514

9192 (1- or 2-port)

1500 (IPv4), 1497 (ISO)

4500 (4-port) Serial

1504

9192

1500 (IPv4), 1497 (ISO)

SONET/SDH

4474

4500 (1-port nonconcatenated)

4470

9192 (1- or 2-port) 4500 (4-port)

Table 209: Media MTU Sizes by Interface Type for M7i with CFEB-E, M10i with CFEB-E, M320 and M120 Routers Interface Type


Maximum MTU (Bytes)


ATM2 IQ

4482

9192

4470

Channelized DS3 IQ

4471

4500

4470

Channelized E1 IQ

1504

4500

1500

Channelized OC12 IQ

4474

9192

4470

Channelized STM1 IQ

4474

9192

4470

DS3

4471

4500

4470

E1

1504

4500

1500

E3 IQ

4471

4500

4470

Fast Ethernet

1514

9192 (4-port)

1500 (IPv4), 1497 (ISO)

1532 (8-, 12- and 48-port)

1842

Gigabit Ethernet

1514

9192

1500 (IPv4), 1497 (ISO)

SONET/SDH

4474

9192

4470



Table 209: Media MTU Sizes by Interface Type for M7i with CFEB-E, M10i with CFEB-E, M320 and M120 Routers (continued) Interface Type


Maximum MTU (Bytes)


T1

1504

4500

1500

CT3 IQ

4474

9192

4470

(excluding M120)

Table 210: Media MTU Sizes by Interface Type for MX Series Routers Interface Type


Maximum MTU (Bytes)


Gigabit Ethernet

1514

9192

1500 (IPv4) 1488 (MPLS) 1497 (ISO)

10-Gigabit Ethernet

1514

9192

1500 (IPv4) 1488 (MPLS) 1497 (ISO)

Multi-Rate Ethernet

1514

9192

1500 (IPv4) 1488 (MPLS) 1497 (ISO)

Tri-Rate Ethernet

1514

9192

1500 (IPv4) 1488 (MPLS) 1497 (ISO)

Channelized SONET/SDH OC3/STM1 (Multi-Rate)

1514

9192

1500 (IPv4) 1488 (MPLS) 1497 (ISO)

DS3/E3 (Multi-Rate)

1514

9192

1500 (IPv4) 1488 (MPLS) 1497 (ISO)

Table 211: Media MTU Sizes by Interface Type for T320 Routers Interface Type


Maximum MTU (Bytes)


ATM

4482

9192

4470

ATM2 IQ

4482

9192

4470

Channelized OC12 IQ

4474

9192

4470

Channelized STM1 IQ

4474

9192

4470


1843

®


Table 211: Media MTU Sizes by Interface Type for T320 Routers (continued) Interface Type


Maximum MTU (Bytes)


DS3

4471

4500

4470

Fast Ethernet

1514

4500 (4-port)

1500 (IPv4), 1497 (ISO)

1532 (12- and 48-port) Gigabit Ethernet

1514

9192

1500 (IPv4), 1497 (ISO)

SONET/SDH

4474

9192

4470

CT3 IQ

4474

9192

4470

Table 212: Media MTU Sizes by Interface Type for T640 Platforms Interface Type


Maximum MTU (Bytes)


ATM2 IQ

4482

9192

4470

48-port Fast Ethernet

1514

1532

1500 (IPv4), 1497 (ISO)

Gigabit Ethernet

1514

9192

1500 (IPv4), 1497 (ISO)

SONET/SDH

4474

9192

4470

CT3 IQ

4474

9192

4470

Table 213: Media MTU Sizes by Interface Type for J2300 Platforms Default Media MTU (Bytes)

Maximum MTU (Bytes)


Fast Ethernet (10/100)

1514

9192

1500

G.SHDSL

4482

9150

4470

ISDN BRI

1504

4092

1500

Serial

1504

9150

1500

T1 or E1

1504

9150

1500

Interface Type

1844



Table 214: Media MTU Sizes by Interface Type for J4300 and J6300 Platforms Interface Type


Maximum MTU (Bytes)


ADSL2+ PIM

4482

9150

4470

Dual-port Fast Ethernet (10/100) PIM

1514

9192

1500

Dual-port Serial PIM

1504

9150

1500

Dual-port T1 or E1 PIM

1504

9150

1500

Dual-port Channelized T1/E1 PIM (channelized to DS0s)

1504

4500

1500

Dual-port Channelized T1/E1 PIM (clear channel T1 or E1)

1504

9150

1500

Fast Ethernet (10/100) built-in interface

1514

9192

1500

G.SHDSL PIM

4482

9150

4470

4-port ISDN BRI PIM

1504

4092

1500

T3 (DS3) or E3 PIM

4474

9192

4470

Table 215: Media MTU Sizes by Interface Type for J4350 and J6350 Platforms Interface Type


Maximum MTU (Bytes)


4-port ISDN BRI PIM

1504

4092

1500

ADSL2+ PIM

4482

9150

4470

Dual-port Fast Ethernet (10/100) PIM

1514

9192

1500

Dual-port Serial PIM

1504

9150

1500

Dual-port T1 or E1 PIM

1504

9150

1500


1845

®


Table 215: Media MTU Sizes by Interface Type for J4350 and J6350 Platforms (continued) Default Media MTU (Bytes)

Maximum MTU (Bytes)


Dual-port Channelized T1/E1 PIM (channelized to DS0s)

1504

4500

1500

Dual-port Channelized T1/E1 PIM (clear channel T1 or E1)

1504

9150

1500

4-port Fast Ethernet (10/100) ePIM

1518

1518

1500

Gigabit Ethernet (10/100/1000) built-in interface

1514

9018

1500

Gigabit Ethernet (10/100/1000) Enhanced Physical Interface Module (ePIM)

1514

9018

1500

Gigabit Ethernet (10/100/1000) SFP ePIM

1514

9018

1500

G.SHDSL PIM

4482

9150

4470

T3 (DS3) or E3 PIM

4474

9192

4470

Interface Type

1846



NOTE: On Gigabit Ethernet ePIMs in J4350 and J6350 Services Routers, you can configure a maximum transmission unit (MTU) size of only 9018 bytes even though the CLI indicates that you can configure an MTU of up to 9192 bytes. If you configure an MTU greater than 9018 bytes, the router does not accept the configuration and generates a system log error message similar to the following: /kernel: ge-0/0/0: Illegal media change. MTU invalid: 9192. Max MTU supported on this PIC: 9018

On 4-port Fast Ethernet ePIMs in J4350 and J6350 Services Routers, you can configure a maximum transmission unit (MTU) size of only 1518 bytes even though the CLI indicates that you can configure an MTU of up to 9192 bytes. If you configure an MTU greater than 1518 bytes, the router does not accept the configuration and generates a system log error message similar to the following: /kernel: fe-3/0/1: Illegal media change. MTU invalid: 9192. Max MTU supported on this PIC: 1518

Table 216: Media MTU Sizes by Interface Type for EX Series Switches Interface Type


Maximum MTU (Bytes)


Gigabit Ethernet

1514

9192

1500 (IPv4), 1497 (ISO)

10-Gigabit Ethernet

1514

9192

1500 (IPv4), 1497 (ISO)

Table 217: Encapsulation Overhead by Encapsulation Type Interface Encapsulation

Encapsulation Overhead (Bytes)

802.1Q/Ethernet 802.3

21

802.1Q/Ethernet Subnetwork Access Protocol (SNAP)

26

802.1Q/Ethernet version 2

18

ATM Cell Relay

4

ATM permanent virtual connection (PVC)

12

Cisco HDLC

4

Ethernet 802.3

17

Ethernet circuit cross-connect (CCC) and virtual private LAN service (VPLS)

4


1847

®


Table 217: Encapsulation Overhead by Encapsulation Type (continued) Interface Encapsulation

Encapsulation Overhead (Bytes)

Ethernet over ATM

32

Ethernet SNAP

22

Ethernet translational cross-connect (TCC)

18

Ethernet version 2

14

Extended virtual local area network (VLAN) CCC and VPLS

4

Extended VLAN TCC

22

Frame Relay

4

PPP

4

VLAN CCC

4

VLAN VPLS

4

VLAN TCC

22

The default media MTU is calculated as follows: Default media MTU = Default IP MTU + encapsulation overhead

When you are configuring point-to-point connections, the MTU sizes on both sides of the connections must be the same. Also, when you are configuring point-to-multipoint connections, all interfaces in the subnet must use the same MTU size.

1848



NOTE: The actual frames transmitted also contain cyclic redundancy check (CRC) bits, which are not part of the media MTU. For example, the media MTU for a Gigabit Ethernet Version 2 interface is specified as 1514 bytes, but the largest possible frame size is actually 1518 bytes; you need to consider the extra bits in calculations of MTUs for interoperability. The physical MTU for Ethernet interfaces does not include the 4-byte frame check sequence (FCS) field of the Ethernet frame. A SONET/SDH interface operating in concatenated mode has a “c” added to the rate descriptor. For example, a concatenated OC48 interface is referred to as OC48c. If you do not configure an MPLS MTU, the Junos OS derives the MPLS MTU from the physical interface MTU. From this value, the software subtracts the encapsulation-specific overhead and space for the maximum number of labels that might be pushed in the Packet Forwarding Engine. Currently, the software provides for three labels of four bytes each, for a total of 12 bytes. In other words, the formula used to determine the MPLS MTU is the following: MPLS MTU = physical interface MTU – encapsulation overhead – 12

If you configure an MTU value by including the mtu statement at the [edit interfaces interface-name unit logical-unit-number family mpls] hierarchy level, the configured value is used.

For information about configuring the encapsulation on an interface, see Configuring Interface Encapsulation on Physical Interfaces. To modify the default media MTU size for a physical interface, include the mtu statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] mtu bytes;

If you change the size of the media MTU, you must ensure that the size is equal to or greater than the sum of the protocol MTU and the encapsulation overhead.

NOTE: Changing the media MTU or protocol MTU causes an interface to be deleted and added again.

You configure the protocol MTU by including the mtu statement at the following hierarchy levels: •


•



1849

®


Because tunnel services interfaces are considered logical interfaces, you cannot configure the MTU setting for the physical interface. This means you cannot include the mtu statement at the [edit interfaces interface-name] hierarchy level for the following interface types: generic routing encapsulation (gr-), IP-IP (ip-), loopback (lo-), link services (ls-), multilink services (ml-), and multicast (pe-, pd-). You can, however, configure the protocol MTU on tunnel interfaces, as described in “Setting the Protocol MTU” on page 1850.

Setting the Protocol MTU When you initially configure an interface, the protocol maximum transmission unit (MTU) is calculated automatically. If you subsequently change the media MTU, the protocol MTU on existing address families automatically changes. For a list of default protocol MTU values, see “Configuring the Media MTU” on page 1839. To modify the MTU for a particular protocol family, include the mtu statement: mtu bytes;



•


If you increase the size of the protocol MTU, you must ensure that the size of the media MTU is equal to or greater than the sum of the protocol MTU and the encapsulation overhead. For a list of encapsulation overhead values, see Table 217 on page 1847. If you reduce the media MTU size, but there are already one or more address families configured and active on the interface, you must also reduce the protocol MTU size. (You configure the media MTU by including the mtu statement at the [edit interfaces interface-name] hierarchy level, as discussed in “Configuring the Media MTU” on page 1839.)

NOTE: Changing the media MTU or protocol MTU causes an interface to be deleted and added again.

The maximum number of data-link connection identifiers (DLCIs) is determined by the MTU on the interface. If you have keepalives enabled, the maximum number of DLCIs is 1000, with the MTU set to 5012. The actual frames transmitted also contain cyclic redundancy check (CRC) bits, which are not part of the MTU. For example, the default protocol MTU for a Gigabit Ethernet interface is 1500 bytes, but the largest possible frame size is actually 1504 bytes; you need to consider the extra bits in calculations of MTUs for interoperability.

Interface Ranges The Junos OS allows you to group a range of identical interfaces into an interface range. You first specify the group of identical interfaces in the interface range. Then you can

1850



apply a common configuration to the specified interface range, reducing the number of configuration statements required and saving time while producing a compact configuration. •

Configuring Interface Ranges on page 1851

•

Expanding Interface Range Member and Member Range Statements on page 1854

•

Configuration Inheritance for Member Interfaces on page 1856

•

Member Interfaces Inheriting Configuration from Configuration Groups on page 1857

•

Interfaces Inheriting Common Configuration on page 1858

•

Configuring Inheritance Range Priorities on page 1858

•

Configuration Expansion Where Interface Range Is Used on page 1859

Configuring Interface Ranges To configure an interface range, include the interface-range statement at the [edit interfaces] hierarchy level. The interface-range statement accepts only physical networking interface names in its definition. The following interface types are supported and example CLI descriptors are shown: •

ATM—at-fpc/pic/port

•

Channelized—(coc | cstm)n-fpc/pic/port

•

DPC—xe-fpc/pic/port

•

E1/E3—(e1 | e3)-fpc/pic/port

•

Ethernet—(xe | ge | fe)-fpc/pic/port

•

ISDN—isdn-fpc/pic/port

•

Serial—se-fpc/pic/port

•

SONET/SDH—so-fpc/pic/port

•

T1/T3—(t1 | t3)-fpc/pic/port

Interfaces can be grouped either as a range of interfaces or using a number range under the interface-range statement definition. Interfaces in an interface-range definition can be added as part of a member range or as individual members or multiple members using a number range. To specify a member range, use the member-range statement at the [edit interfaces interface-range name] hierarchy level. To specify interfaces in lexical order, use the member-range start-range to end-range statement.


1851

®


A range for a member statement should contain the following: •

*—All, specifies all available interfaces.

•

num—Number, specifies one specific interface by its number.

•

[low-high]—Numbers between low to high, specifies a range of sequential interfaces.

•

[num1, num2, num3]—Numbers num1, num2, and num3 specify multiple specific

interfaces. Example: Specifying an Interface Range Member Range

member-range ge-0/0/0 to ge-4/0/40;

To specify one or multiple members, use the member statement at the [edit interfaces interface-range name] hierarchy level. To specify the list of interface range members individually or for multiple interfaces using regex, use the member list of interface names statement. Example: Specifying an Interface Range Member

member ge-0/0/0; member ge-0/*/* member ge-0/[1-10]/0; member ge-0/[1,2,3]/3;

Regex or wildcards are not supported for interface-type prefixes. For example, prefixes ge, fe, and xe must be mentioned explicitly. An interface-range definition can contain both member and member-range statements within it. There is no maximum limit on the number of member or member-range statements within an interface-range. However, at least one member or member-range statement must exist within an interface-range definition. Example: Interface Range Common Configuration

1852

Configuration common to an interface range can be added as a part of the interface-range definition, as follows: [edit] interfaces { + interface-range foo { + member-range ge-1/0/0 to ge-4/0/40; + member ge-0/1/1; + member ge-5/[1-10]/*; /*Common configuration is added as part of interface-range definition*/ mtu 256; hold-time up 10; ether-options { flow-control; speed { 100m; } 802.3ad primary; } } }



An interface-range definition having just member or member-range statements and no common configurations statements is valid. These defined interface ranges can be used in other configuration hierarchies, in places where an interface node exists. Example: Interface-Range foo Used Under the Protocols Hierarchy

protocols { dot1x { authenticator { interface foo{ retries 1; } } } } foo should be an interface-range defined at the [interfaces] hierarchy level. In the above

example, the interface node can accept both individual interfaces and interface ranges.

TIP: To view an interface range in expanded configuration, use the (show | display inheritance) command. For more information, see the Junos OS CLI User Guide.

By default, interface-range is not available to configure in the CLI where the interface statement is available. The following locations are supported; however, some of the hierarchies shown in this list are product specific: •

protocols dot1x authentication interface

•

protocols dvmrp interface

•

protocols oam ethernet lmi interface

•

protocols esis interface

•

protocols igmp interface

•

protocols igmp-host client num interface

•

protocols mld-host client num interface

•

protocols router-advertisement interface

•

protocols isis interface

•

protocols ldp interface

•

protocols oam ethernet link-fault-management interface

•


•

protocols link-management peer lmp-control-channel interface

•

protocols link-management peer control-channel

•

protocols link-management te-link name interface

•

protocols mld interface


1853

®


•

protocols ospf area id interface

•

protocols pim interface

•

protocols router-discovery interface

•

protocols rip group name neighbour

•

protocols ripng group name neighbour

•

protocols rsvp interface

•

protocols snmp interface

•

protocols layer2-control bpdu-block interface

•

protocols layer2-control mac-rewrite interface

•

protocols mpls interface

•

protocols stp interface

•

protocols rstp interface

•

protocols mstp interface

•

protocols vstp interface

•

protocols mstp msti id interface

•

protocols mstp msti vlan id interface

•

protocols vstp vlan name interface

•

protocols gvrp interface

•

protocols igmp-snooping vlan name interface

•


•

protocols lldp-med interface

•

protocols sflow interfaces

•

ethernet-switching-options analyzer name input [egress | ingress ] interface

•

ethernet-switching-options analyzer name output interface

•

ethernet-switching-options secure-access-port interface

•

ethernet-switching-options interfaces ethernet-switching-options voip interface

•

ethernet-switching-options redundant-trunk-group group g1 interface

•

ethernet-switching-options redundant-trunk-group group g1 interface

•

ethernet-switching-options bpdu-block interface

•

poe interface vlans pro-bng-mc1-bsd1 interface

Expanding Interface Range Member and Member Range Statements All member and member-range statements in an interface range definition are expanded to generate the final list of interface names for the specified interface range.

1854



Example: Expanding Interface Range Member and Member Range Statements

[edit] interfaces { interface-range range-1 { member-range ge-0/0/0 to ge-4/0/20; member ge-10/1/1; member ge-5/[0-5]/*; /*Common configuration is added part of the interface-range definition*/ mtu 256; hold-time up 10; ether-options { flow-control; speed { 100m; } 802.3ad primary; } } }

For the member-range statement, all possible interfaces between start-range and end-range are considered in expanding the members. For example, the following member-range statement: member-range ge-0/0/0 to ge-4/0/20

expands to: [ge-0/0/0, ge-0/0/1 ... ge-0/0/max_ports ge-0/1/0 ge-0/1/1 ... ge-0/1/max_ports ge-0/2/0 ge-0/2/1 ... ge-0/2/max_ports . . ge-0/MAX_PICS/0 ... ge-0/max_pics/max_ports ge-1/0/0 ge-1/0/1 ... ge-1/0/max_ports . ge-1/MAX_PICS/0 ... ge-1/max_pics/max_ports . . ge-4/0/0 ge-4/0/1 ... ge-4/0/max_ports]

The following member statement: ge-5/[0-5]/*

expands to: ge-5/0/0 ... ge-5/0/max_ports ge-5/1/0 ... ge-5/0/max_ports . . ge-5/5/0 ... ge-5/5/max_ports

The following member statement: ge-5/1/[2,3,6,10]

expands to: ge-5/1/2 ge-5/1/3


1855

®


ge-5/1/6 ge-5/1/10

Configuration Inheritance for Member Interfaces When the Junos OS expands the member and member-range statements present in an interface-range, it creates interface objects if they are not explicitly defined in the configuration. The common configuration is copied to all its member interfaces in the interface-range. Example: Configuration Priorities

Foreground interface configuration takes priority compared to configuration inherited by the interface through the interface-range. interfaces { interface-range range-1 { member-range ge-1/0/0/ to ge-10/0/47; mtu 256; } ge-1/0/1 { mtu 1024; } }

In the preceding example, interface ge-1/0/1 will have an MTU value of 1024. This can be verified with output of the show interfaces | display inheritance command, as follows: user@host: # show interfaces | display inheritance ## 'ge-1/0/0' was expanded from interface-range 'range-1' ## ge-1/0/0 { ## ## '256' was expanded from interface-range 'range-1' ## mtu 256; } ge-1/0/1 { mtu 1024; } ## ## 'ge-1/0/2' was expanded from interface-range 'range-1' ## ge-1/0/2 { ## ## '256' was expanded from interface-range 'range-1' ## mtu 256; } ......... ......... ## ## 'ge-10/0/47' was expanded from interface-range 'range-1' ## ge-10/0/47 { ## ## '256' was expanded from interface-range 'range-1' ##

1856



mtu 256; }

Member Interfaces Inheriting Configuration from Configuration Groups Interface range member interfaces inherit the config-groups configuration like any other foreground configuration. interface-range is similar to any other foreground configuration statement. The only difference is that the interface-range goes through a member interfaces expansion before the Junos OS reads this configuration. groups { global { interfaces { { hold-time up 10; } } } apply-groups [global]; interfaces { interface-range range-1 { member-range ge-1/0/0 to ge-10/0/47; mtu 256; } } }

The hold-time configuration is applied to all members of interface-range range-1. This can be verified with show interfaces | display inheritance as below: user@host# show interfaces | display inheritance ge-1/0/0 { ## ## '256' was expanded from interface-range 'range-1' ## mtu 256; ## ## 'hold-time' was inherited from group 'global' ## '10' was inherited from group 'global' ## hold-time up 10; } ge-1/0/1 { ## ## '256' was expanded from interface-range 'range-1' ## mtu 256; ## ## 'hold-time' was inherited from group 'global' ## '10' was inherited from group 'global' ## hold-time up 10; } ge-10/0/47 { ## ## '256' was expanded from interface-range 'range-1' ## mtu 256;


1857

®


## ## 'hold-time' was inherited from group 'global' ## '10' was inherited from group 'global' ## hold-time up 10; }

Interfaces Inheriting Common Configuration If an interface is a member of several interface ranges, that interface will inherit the common configuration from all of those interface ranges. [edit] interfaces { interface-range range-1 { member-range ge-1/0/0 to ge-10/0/47; mtu 256; } } interfaces { interface-range range-1 { member-range ge-10/0/0 to ge-10/0/47; hold-time up 10; } }

In this example, interfaces ge-10/0/0 through ge-10/0/47 will have both hold-time and mtu.

Configuring Inheritance Range Priorities The interface ranges are defined in the order of inheritance priority, with the first interface range configuration data taking priority over subsequent interface ranges. [edit] interfaces { interface-range int-grp-one { member-range ge-0/0/0 to ge-4/0/40; member ge-1/1/1; /*Common config is added part of the interface-range definition*/ mtu 256; hold-time up 10; } } interfaces { interface-range int-grp-two { member-range ge-5/0/0 to ge-10/0/40; member ge-1/1/1; mtu 1024; } }

Interface ge-1/1/1 exists in both interface-range int-grp-one and interface-range int-grp-two. This interface inherits mtu 256 from interface-range int-grp-one because it was defined first.

1858



Configuration Expansion Where Interface Range Is Used In this example, interface-range range-1 is used under the protocols hierarchy: [edit] interfaces { interface-range range-1 { member ge-10/1/1; member ge-5/5/1; mtu 256; hold-time up 10; ether-options { flow-control; speed { 100m; } 802.3ad primary; } } protocols { dot1x { authenticator { interface range-1 { retries 1; } } } } }

The interface node present under authenticator is expanded into member interfaces of the interface-range range-1 as follows: protocols { dot1x { authenticator { interface ge-10/1/1 { retries 1; } interface ge-5/5/1 { retries 1; } } } }

The interface range-1 statement is expanded into two interfaces, ge-10/1/1 and ge-5/5/1, and configuration retries 1 is copied under those two interfaces. This configuration can be verified using the show protocols dot1x | display inheritance command.


1859

®


Configuring Accounting for the Physical Interface Juniper Networks routers and switches can collect various kinds of data about traffic passing through the router and switch. You can set up one or more accounting profiles that specify some common characteristics of this data, including the following: •

The fields used in the accounting records

•

The number of files that the router or switch retains before discarding, and the number of bytes per file

•

The polling period that the system uses to record the data

You configure the profiles and define a unique name for each profile using statements at the [edit accounting-options] hierarchy level. There are two types of accounting profiles: interface profiles and filter profiles. You configure interface profiles by including the interface-profile statement at the [edit accounting-options] hierarchy level. You configure filter profiles by including the filter-profile statement at the [edit accounting-options] hierarchy level. For more information, see the Junos OS Network Management Configuration Guide. You apply filter profiles by including the accounting-profile statement at the [edit firewall filter filter-name] and [edit firewall family family filter filter-name] hierarchy levels. For more information, see the Junos OS Policy Framework Configuration Guide.

Applying an Accounting Profile to the Physical Interface To enable accounting on an interface, include the accounting-profile statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] accounting-profile name;

You can also reference profiles by logical unit; for more information, see “Configuring Accounting for the Logical Interface” on page 1861.

Example: Applying an Accounting Profile to the Physical Interface Configure an accounting profile for an interface and apply it to a physical interface: [edit] accounting-options { file if_stats { size 4m files 10 transfer-interval 15; archive-sites { "ftp://login:password@host/path"; } } interface-profile if_profile { interval 15; file if_stats { fields { input-bytes; output-bytes;

1860



input-packets; output-packets; input-errors; output-errors; } } } } [edit interfaces ge-1/0/1] accounting-profile if_profile;

Configuring Accounting for the Logical Interface Juniper Networks routers or switches can collect various kinds of data about traffic passing through the router or switch . You can set up one or more accounting profiles that specify some common characteristics of this data, including the following: •

The fields used in the accounting records

•

The number of files that the router or switch retains before discarding, and the number of bytes per file

•

The period that the system uses to record the data

You configure the profiles and define a unique name for each profile using statements at the [edit accounting-options] hierarchy level. There are two types of accounting profiles: interface profiles and filter profiles. You configure interface profiles by including the interface-profile statement at the [edit accounting-options] hierarchy level. You configure filter profiles by including the filter-profile statement at the [edit accounting-options] hierarchy level. For more information, see the Junos OS Network Management Configuration Guide. You apply filter profiles by including the accounting-profile statement at the [edit firewall filter filter-name] and [edit firewall family family filter filter-name] hierarchy levels. For more information, see the Junos OS Policy Framework Configuration Guide.

Applying an Accounting Profile to the Logical Interface To enable accounting on a logical interface, include the accounting-profile statement: accounting-profile name;

You can include this statement at the following hierarchy level: •


You can also reference profiles for the physical interface; for more information, see “Configuring Accounting for the Physical Interface” on page 1860.

Example: Applying an Accounting Profile to the Logical Interface Configure an accounting profile for an interface and apply it to a logical interface: [edit] accounting-options {


1861

®


file if_stats { size 4m files 10 transfer-interval 15; archive-sites { "ftp://login:password@host/path"; } } interface-profile if_profile { interval 15; file if_stats { fields { input-bytes; output-bytes; input-packets; output-packets; input-errors; output-errors; } } } } [edit interfaces ge-1/0/1 unit 1] accounting-profile if_profile;

To reference profiles by physical interface, see “Applying an Accounting Profile to the Physical Interface” on page 1860. For information about configuring a firewall filter accounting profile, see the Junos OS Policy Framework Configuration Guide.

Configuring Ethernet Loopback Capability By default, local aggregated Ethernet, Fast Ethernet, Tri-Rate Ethernet copper, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces connect to a remote system. To place an interface in loopback mode, include the loopback statement: loopback;

NOTE: If you configure a local loopback on a 1-port 10-Gigabit IQ2 and IQ2-E PIC using the loopback statement at the [edit interfaces interface-name gigether-options] hierarchy level, the transmit-path stops working, causing the remote end to detect a link down.

To return to the default—that is, to disable loopback mode—delete the loopback statement from the configuration: [edit] user@host# delete interfaces fe-fpc/pic/port fastether-options loopback

To explicitly disable loopback mode, include the no-loopback statement: no-loopback;

1862



You can include the loopback and no-loopback statements at the following hierarchy levels:


•

[edit interfaces interface-name aggregated-ether-options]

•

[edit interfaces interface-name ether-options]

•

[edit interfaces interface-name fastether-options]

•

[edit interfaces interface-name gigether-options]

•

loopback on page 1948

•


•


Configuring Gratuitous ARP Gratuitous Address Resolution Protocol (ARP) requests provide duplicate IP address detection. A gratuitous ARP request is a broadcast request for a router’s own IP address. If a router or switch sends an ARP request for its own IP address and no ARP replies are received, the router- or switch-assigned IP address is not being used by other nodes. If a router or switch sends an ARP request for its own IP address and an ARP reply is received, the router- or switch-assigned IP address is already being used by another node. By default, the router or switch responds to gratuitous ARP requests. On Ethernet interfaces, you can disable responses to gratuitous ARP requests. To disable responses to gratuitous ARP requests, include the no-gratuitous-arp-request statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] no-gratuitous-arp-request;

To return to the default—that is, to respond to gratuitous ARP requests—delete the no-gratuitous-arp-request statement from the configuration: [edit] user@host# delete interfaces interface-name no-gratuitous-arp-request

Gratuitous ARP replies are reply packets sent to the broadcast MAC address with the target IP address set to be the same as the sender’s IP address. When the router or switch receives a gratuitous ARP reply, the router or switch can insert an entry for that reply in the ARP cache. By default, updating the ARP cache on gratuitous ARP replies is disabled on the router or switch. On Ethernet interfaces, you can enable handling of gratuitous ARP replies on a specific interface by including the gratuitous-arp-reply statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] gratuitous-arp-reply;


1863

®


To restore the default behavior, include the no-gratuitous-arp-reply statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] no-gratuitous-arp-reply;


•

gratuitous-arp-reply on page 1932

•

no-gratuitous-arp-request

•


•


Configuring Static ARP Table Entries To configure static ARP table entries, include the arp statement: arp ip-address (mac | multicast-mac) mac-address ;


[edit interfaces interface-name unit logical-unit-number family inet address address]

•

[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address address]

The IP address that you specify must be part of the subnet defined in the enclosing address statement. To associate a multicast MAC address with a unicast IP address, include the multicast-mac statement. Specify the MAC address as six hexadecimal bytes in one of the following formats: nnnn.nnnn.nnnn or nn:nn:nn:nn:nn:nn; for example, 0011.2233.4455 or 00:11:22:33:44:55. For unicast MAC addresses only, if you include the publish option, the router or switch replies to proxy ARP requests.

NOTE: By default, an ARP policer is installed that is shared among all the Ethernet interfaces on which you have configured the family inet statement. By including the arp statement at the [edit interfaces interface-name unit logical-unit-number family inet policer] hierarchy level, you can apply a specific ARP-packet policer to an interface. This feature is not available on EX Series switches. When you need to conserve IP addresses, you can configure an Ethernet interface to be unnumbered by including the unnumbered-address statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level.

1864



NOTE: The Junos OS supports the IPv6 static neighbor discovery cache entries, similar to the static ARP entries in IPv4.

Example: Configuring Static ARP Table Entries Configure two static ARP table entries on the router or switch’s management interface: [edit interfaces] fxp0 { unit 0 { family inet { address 10.10.0.11/24 { arp 10.10.0.99 mac 0001.0002.0003; arp 10.10.0.101 mac 00:11:22:33:44:55 publish; } } } }


•

Management Ethernet Interface Overview

•

Applying Policers

•

Configuring an Unnumbered Interface

•


Disabling the Transmission of Redirect Messages on an Interface By default, the interface sends protocol redirect messages. To disable the sending of these messages on an interface, include the no-redirects statement: no-redirects;



•


To disable the sending of protocol redirect messages for the entire router or switch, include the no-redirects statement at the [edit system] hierarchy level.

Configuring Restricted and Unrestricted Proxy ARP To configure restricted or unrestricted proxy ARP, include the proxy-arp statement: proxy-arp (restricted |unrestricted);


[edit interfaces interface-name unit logical-unit-number ]


1865

®


•


To return to the default—that is, to disable restricted or unrestricted proxy ARP—delete the proxy-arp statement from the configuration: [edit] user@host# delete interfaces interface-name unit logical-unit-number proxy-arp

You can track the number of restricted or unrestricted proxy ARP requests processed by the router or switch by issuing the show system statistics arp operational mode command.

NOTE: When proxy ARP is enabled as default or unrestricted, the router responds to any ARP request as long as the router has an active route to the target address of the ARP request. This gratuitous ARP behavior can result in an error when the receiving interface and target response interface are the same and the end device (for example, a client) performs a duplicate address check. To prevent this error, configure the router interface with the no-gratuitous-arp-reply statement. See “Configuring Gratuitous ARP” on page 1863 for information about how to disable responses to gratuitous ARP requests.


•

proxy-arp on page 1962

•

Restricted and Unrestricted Proxy ARP Overview

•


•


Enabling or Disabling SNMP Notifications on Logical Interfaces By default, Simple Network Management Protocol (SNMP) notifications are sent when the state of an interface or a connection changes. To explicitly enable these notifications on the logical interface, include the traps statement; to disable these notifications on the logical interface, include the no-traps statement: (traps | no-traps);

You can include these statements at the following hierarchy levels: •


•


NOTE: Gigabit Ethernet interfaces on J Series routers do not support SNMP.

1866



Enabling or Disabling SNMP Notifications on Physical Interfaces By default, Simple Network Management Protocol (SNMP) notifications are sent when the state of an interface or a connection changes. To explicitly enable these notifications on the physical interface, include the traps statement at the [edit interfaces interface-name] hierarchy level. To disable these notifications on the physical interface, include the no-traps statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] (traps | no-traps);

NOTE: Gigabit Ethernet interfaces on J Series routers do not support SNMP.

Configuring Aggregated Ethernet Interfaces (CLI Procedure) Use the link aggregation feature to aggregate one or more links to form a virtual link or link aggregation group (LAG). The MAC client can treat this virtual link as if it were a single link. Link aggregation increases bandwidth, provides graceful degradation as failure occurs, and increases availability.

NOTE: An interface with an already configured IP address cannot form part of the aggregation group.

To configure aggregated Ethernet interfaces, using the CLI: 1.

Specify the number of aggregated Ethernet interfaces to be created: [edit chassis] user@switch# set aggregated-devices ethernet device-count 2

2. Specify the minimum number of links for the aggregated Ethernet interface (aex),

that is, the defined bundle, to be labeled “up”:

NOTE: By default only one link must be up for the bundle to be labeled “up”.

[edit interfaces] user@switch# set ae0 aggregated-ether-options minimum-links 2 3. Specify the link speed for the aggregated Ethernet bundle: [edit interfaces] user@switch# set ae0 aggregated-ether-options link-speed 10g 4. Specify the members to be included within the aggregated Ethernet bundle: [edit interfaces] user@switch# set xe-0/1/0 ether-options 802.3ad ae0 user@switch# set xe-1/1/0 ether-options 802.3ad ae0 5. Specify an interface family for the aggregated Ethernet bundle: [edit interfaces]


1867

®


user@switch# set ae0 unit 0 family inet address 192.0.2.0/25

For information about adding LACP to a LAG, see “Configuring Aggregated Ethernet LACP (CLI Procedure)” on page 1871. Related Documentation

•


•


•


•

Verifying the Status of a LAG Interface on page 1886

•


Configuring Aggregated Ethernet Interfaces (J-Web Procedure) Use the link aggregation feature to aggregate one or more Ethernet interfaces to form a virtual link or link aggregation group (LAG) on an EX Series switch. The MAC client can treat this virtual link as if it were a single link. Link aggregation increases bandwidth, provides graceful degradation as failure occurs, and increases availability. You can use the J-Web interface to configure aggregated Ethernet interfaces, or a LAG, on the switch.

NOTE: Interfaces that are already configured with MTU, duplex, flow control, or logical interfaces are listed but are not available for aggregation.

To configure an aggregated Ethernet interface (also referred to as a LAG): 1.

Select Configure > Interfaces > Link Aggregation. The list of aggregated interfaces is displayed.


2. Click one of the following: •

Add—Creates an aggregated Ethernet interface, or LAG. Enter information as specified in Table 218 on page 1869.

•

Edit—Modifies a selected LAG. •

1868

Aggregation—Modifies settings for the selected LAG. Enter information as specified in Table 218 on page 1869.



•

VLAN—Specifies VLAN options for the selected LAG. Enter information as specified in Table 219 on page 1870.

•

IP Option—Specifies IP options for the selected LAG. Enter information as specified in Table 220 on page 1870.

•

Delete—Deletes the selected LAG.

•

Disable Port or Enable Port—Disables or enables the administrative status on the selected interface.

•

Device Count—Configures the number of aggregated logical devices available to the switch. Select the number and click OK.

Table 218: Aggregated Ethernet Interface Options Field

Function

Your Action

Aggregated Interface

Specifies the name of the aggregated interface.

None. The name is supplied by the software.

LACP Mode

Specifies the mode in which LACP packets are exchanged between the interfaces. The modes are:

Select from the list.

•

None—Indicates that no mode is applicable.

•

Active—Indicates that the interface initiates transmission of LACP packets

•

Passive—Indicates that the interface responds only to LACP packets.

Description

Specifies a description for the LAG.

Enter a description.

Interface

Specifies the interfaces in the LAG.

To add interfaces to the LAG, select the interfaces and click Add. Click OK. To remove an interface from the LAG, select the interface and click Remove. NOTE: Only interfaces that are configured with the same speed can be selected together for a LAG.

Enable Log


Specifies whether to enable generation of log entries for the LAG.

Select the check box to enable log generation, or clear the check box to disable log generation.

1869

®


Table 219: VLAN Options Field

Function

Your Action

Port Mode

Specifies the mode of operation for the port: trunk or access.

If you select Trunk, you can: 1.

Click Add to add a VLAN member.

2. Select the VLAN and click OK. 3. (Optional) Associate a native VLAN ID with the port. If you select Access, you can: 1.

Select the VLAN member to be associated with the port.

2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a VLAN ID can be associated as a VoIP VLAN. Click OK.

Table 220: IP Options Field

Function

Your Action

IPv4 Address

Specifies an IPv4 address for the selected LAG.

1.


2. Type an IP address—for example, 10.10.10.10. 3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. 4. Click OK.

IPv6 Address

Specifies an IPv6 address for the selected LAG.

1.


2. Type an IP address—for example, 2001:ab8:85a3::8a2e:370:7334. 3. Enter the subnet mask or address prefix. 4. Click OK.


1870

•


•


•


•




•


•


Configuring Aggregated Ethernet LACP (CLI Procedure) For aggregated Ethernet interfaces on EX Series switches, you can configure the Link Aggregation Control Protocol (LACP). LACP is one method of bundling several physical interfaces to form one logical interface. You can configure aggregated Ethernet with or without LACP enabled. Before you configure LACP, be sure you have: •

Configured the aggregated Ethernet bundles—also known as link aggregation groups (LAGs). See “Configuring Aggregated Ethernet Links (CLI Procedure)” on page 1867

When LACP is enabled, the local and remote sides of the aggregated Ethernet links exchange protocol data units (PDUs), containing information about the state of the link. You can configure Ethernet links to actively transmit PDUs, or you can configure the links to passively transmit them, sending out LACP PDUs only when they receive them from another link. One side of the link must be configured as active for the link to be up.

NOTE: Do not add LACP to a LAG if the remote end of the LAG link is a security device, unless the security device supports LACP. Security devices often do not support LACP because they require a deterministic configuration.

To configure LACP: 1.

Enable one side of the aggregated Ethernet link as active: [edit interfaces] user@switch# set aex aggregated-ether-options lacp active

2. Specify the interval at which the interfaces send LACP packets: [edit interfaces] user@switch# set aex aggregated-ether-options lacp periodic fast

NOTE: The LACP process exists in the system only if you configure the system in either active or passive LACP mode.


•


•


•



1871

®


•


•


•


Configuring Aggregated Ethernet Link Protection You can configure link protection for aggregated Ethernet interfaces to provide QoS on the links during operation. On aggregated Ethernet interfaces, you designate a primary and backup link to support link protection. Egress traffic passes only through the designated primary link. This includes transit traffic and locally generated traffic on the router or switch. When the primary link fails, traffic is routed through the backup link. Because some traffic loss is unavoidable, egress traffic is not automatically routed back to the primary link when the primary link is reestablished. Instead, you manually control when traffic should be diverted back to the primary link from the designated backup link. •

Configuring Link Protection for Aggregated Ethernet Interfaces on page 1872

•

Configuring Primary and Backup Links for Link Aggregated Ethernet Interfaces on page 1872

•

Reverting Traffic to a Primary Link When Traffic is Passing Through a Backup Link on page 1873

•

Disabling Link Protection for Aggregated Ethernet Interfaces on page 1873

Configuring Link Protection for Aggregated Ethernet Interfaces Aggregated Ethernet interfaces support link protection to ensure QoS on the interface. To configure link protection: 1.

Specify that you want to configure the options for an aggregated Ethernet interface. user@host# edit interfaces aex aggregated-ether-options

2. Configure the link protection mode.

[edit interfaces aex aggregated-ether-options] user@host# set link-protection

Configuring Primary and Backup Links for Link Aggregated Ethernet Interfaces To configure link protection, you must specify a primary and a secondary, or backup, link. To configure a primary link and a backup link: 1.

Configure the primary logical interface. [edit interfaces interface-name] user@host# set (fastether-options | gigether-options) 802.3ad aex primary

1872



2. Configure the backup logical interface.

[edit interfaces interface-name] user@host# set (fastether-options | gigether-options) 802.3ad aex backup

Reverting Traffic to a Primary Link When Traffic is Passing Through a Backup Link On aggregated Ethernet interfaces, you designate a primary and backup link to support link protection. Egress traffic passes only through the designated primary link. This includes transit traffic and locally generated traffic on the router or switch. When the primary link fails, traffic is routed through the backup link. Because some traffic loss is unavoidable, egress traffic is not automatically routed back to the primary link when the primary link is reestablished. Instead, you manually control when traffic should be diverted back to the primary link from the designated backup link. To manually control when traffic should be diverted back to the primary link from the designated backup link, enter the following operational command: user@host> request interface revert aex

Disabling Link Protection for Aggregated Ethernet Interfaces To disable link protection, issue the delete interface revert aex configuration command. user@host# delete interfaces aex aggregated-ether-options link-protection

Configuring Aggregated Ethernet Link Speed On aggregated Ethernet interfaces, you can set the required link speed for all interfaces included in the bundle. All interfaces that make up a bundle must be the same speed. If you include in the aggregated Ethernet interface an individual link that has a speed different from the speed you specify in the link-speed parameter, an error message will be logged. To set the required link speed: 1.

Specify that you want to configure the aggregated Ethernet options. user@host# edit interfaces interface-name aggregated-ether-options

2. Configure the link speed.

[edit interfaces interface-name aggregated-ether-options ] user@host# set link-speed speed speed can be in bits per second either as a complete decimal number or as a decimal

number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Aggregated Ethernet interfaces on the M120 router can have one of the following speed values: •

100m—Links are 100 Mbps.

•

10g—Links are 10 Gbps.


1873

®


•


•

OC192—Links are OC192 or STM64c.

Aggregated Ethernet interfaces on EX Series switches can have one of the following speed values:


•

10m—Links are 10 Mbps

•

100m—Links are 100 Mbs

•

1g—Links are 1 Gbps

•

10g—Links are 10 Gbps

•

aggregated-ether-options

•


Configuring Aggregated Ethernet Minimum Links On aggregated Ethernet interfaces, you can configure the minimum number of links that must be up for the bundle as a whole to be labeled up. By default, only one link must be up for the bundle to be labeled up. To configure the minimum number of links: 1.

Specify that you want to configure the aggregated Ethernet options. user@host# edit interfaces interface-name aggregated-ether-options

2. Configure the minimum number of links.

[edit interfaces interface-name aggregated-ether-options] user@host# set minimum-links number

On M120, M320, MX Series, T Series, and TX Matrix routers with Ethernet interfaces, the valid range for minimum-links number is 1 through 16. When the maximum value (16) is specified, all configured links of a bundle must be up for the bundle to be labeled up. On all other routers and on EX Series switches, other than EX8200 switches, the range of valid values for minimum-links number is 1 through 8. When the maximum value (8) is specified, all configured links of a bundle must be up for the bundle to be labeled up. On EX8200 switches, the range of valid values for minimum-links number is 1 through 12. When the maximum value (12) is specified, all configured links of a bundle must be up for the bundle to be labeled up. If the number of links configured in an aggregated Ethernet interface is less than the minimum link value configured under the aggregated-ether-options statement, the configuration commit fails and an error message is displayed. Related Documentation

1874

•

aggregated-ether-options



•

minimum-links on page 1953

•


Configuring Tagged Aggregated Ethernet Interfaces To specify aggregated Ethernet interfaces, include the vlan-tagging statement at the [edit interfaces aex] hierarchy level: [edit interfaces aex] vlan-tagging;

You must also include the vlan-id statement: vlan-id number;



•


For more information about the vlan-tagging and vlan-id statements, see “802.1Q VLANs Overview” on page 1785. Related Documentation

•

vlan-id

•

vlan-tagging on page 1976

Configuring a Layer 3 Subinterface (CLI Procedure) EX Series switches use Layer 3 subinterfaces to divide a physical interface into multiple logical interfaces, each corresponding to a VLAN. The switch uses the Layer 3 subinterfaces to route traffic between subnets. To configure Layer 3 subinterfaces, you enable VLAN tagging and partition one or more physical ports into multiple logical interfaces, each corresponding to a VLAN ID. Before you begin, make sure you set up your VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217. To configure Layer 3 subinterfaces: 1.

Enable VLAN tagging: [edit interfaces interface-name] user@switch# set vlan-tagging

2. Bind each VLAN ID to a logical interface: [edit interfaces interface-name] user@switch# set unit logical-unit-number vlan-id (Layer 3 Subinterfaces) vlan-id-number


1875

®



•


•

Verifying That Layer 3 Subinterfaces Are Working on page 1888

•


Configuring Unicast RPF (CLI Procedure) Unicast reverse-path forwarding (RPF) can help protect your LAN from denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on untrusted interfaces. Enabling unicast RPF on the switch interfaces filters traffic with source addresses that do not use the incoming interface as the best return path back to the source. When a packet comes into an interface, if that interface is not the best return path to the source, the switch discards the packet. If the incoming interface is the best return path to the source, the switch forwards the packet.

NOTE: On EX3200 and EX4200 switches, you can only enable unicast RPF globally, on all switch interfaces. You cannot enable unicast RPF on a per-interface basis.

Before you begin: •

On an EX8200 and EX6200 switches, ensure that the selected switch interface is symmetrically routed before you enable unicast RPF. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.

•

On an EX3200 or EX4200 switch, ensure that all switch interfaces are symmetrically routed before you enable unicast RPF on an interface. When you enable unicast RPF on any interface, it is enabled globally on all switch interfaces. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.

To enable unicast RPF, configure it explicitly on a selected customer-edge interface: [edit interfaces] user@switch# set ge-1/0/10 unit 0 family inet rpf-check

BEST PRACTICE: On EX3200 and EX4200 switches, unicast RPF is enabled globally on all switch interfaces, regardless of whether you configure it explicitly on only one interface or only on some interfaces.

1876



On EX3200 and EX4200 switches, we recommend that you enable unicast RPF explicitly on either all interfaces or only one interface. To avoid possible confusion, do not enable it on only some interfaces:


•

Enabling unicast RPF explicitly on only one interface makes it easier if you choose to disable it in the future because you must explicitly disable unicast RPF on every interface on which you explicitly enabled it. If you explicitly enable unicast RPF on two interfaces and you disable it on only one interface, unicast RPF is still implicitly enabled globally on the switch. The drawback to this approach is that the switch displays the flag that indicates that unicast RPF is enabled only on interfaces on which unicast RPF is explicitly enabled, so even though unicast RPF is enabled on all interfaces, this status is not displayed.

•

Enabling unicast RPF explicitly on all interfaces makes it easier to know whether unicast RPF is enabled on the switch because every interface shows the correct status. (Only interfaces on which you explicitly enable unicast RPF display the flag that indicates that unicast RPF is enabled.) The drawback to this approach is that if you want to disable unicast RPF, you must explicitly disable it on every interface. If unicast RPF is enabled on any interface, it is implicitly enabled on all interfaces.

•


•

Verifying Unicast RPF Status on page 1889

•


•

Troubleshooting Unicast RPF on page 1897

•


Disabling Unicast RPF (CLI Procedure) Unicast reverse-path forwarding (RPF) can help protect your LAN from denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks on untrusted interfaces. Unicast RPF filters traffic with source addresses that do not use the incoming interface as the best return path back to the source. If the network configuration changes so that an interface that has unicast RPF enabled becomes a trusted interface or becomes asymmetrically routed (the interface that receives a packet is not the best return path to the packet’s source), disable unicast RPF. To disable unicast RPF on an EX3200 or EX4200 switch, you must delete it from every interface on which you explicitly configured it. If you do not disable unicast RPF on every interface on which you explicitly enabled it, it remains implicitly enabled on all interfaces. If you attempt to delete unicast RPF from an interface on which it was not explicitly enabled, the message warning: statement not found displays. If you do not disable unicast RPF on every interface on which you explicitly enabled it, unicast RPF remains implicitly enabled on all interfaces of the EX3200 or EX4200 switch.


1877

®


On EX8200 and EX6200 switches, the switch does not apply unicast RPF to an interface unless you explicitly enable that interface for unicast RPF. To disable unicast RPF, delete its configuration from the interface: [edit interfaces] user@switch# delete ge-1/0/10 unit 0 family inet rpf-check

NOTE: On EX3200 and EX4200 switches, if you do not disable unicast RPF on every interface on which you explicitly enabled it, unicast RPF remains implicitly enabled on all interfaces.


•


•


•


•


Configuring IP Directed Broadcast (CLI Procedure) You can use IP directed broadcast on an EX Series switch to facilitate remote network management by sending broadcast packets to hosts on a specified subnet without broadcasting to the entire network. IP directed broadcast packets are broadcast on only the target subnet. The rest of the network treats IP directed broadcast packets as unicast packets and forwards them accordingly. Before you begin to configure IP directed broadcast: •

Ensure that the subnet on which you want broadcast packets using IP direct broadcast is not directly connected to the Internet.

•

Configure a routed VLAN interface (RVI) for the subnet that will be enabled for IP direct broadcast. See “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217.

NOTE: We recommend that you do not enable IP directed broadcast on subnets that have a direct connection to the Internet because of increased exposure to denial-of-service (DoS) attacks.

1878



To enable IP directed broadcast for a specified subnet: 1.

Add the target subnet’s logical interfaces to the VLAN: [edit interfaces] user@switch# set ge-0/0/0.0 family ethernet-switching vlan members v1 user@switch# set ge-0/0/1.0 family ethernet-switching vlan members v1

2. Configure the Layer 3 interface on the VLAN that is the target of the IP directed

broadcast packets: [edit interfaces] user@switch# set vlan.1 family inet address 10.1.2.1/24 3. Associate a Layer 3 interface with the VLAN: [edit vlans] user@switch# set v1 l3-interface (VLANs) vlan.1 4. Enable the Layer 3 interface for the VLAN to receive IP directed broadcasts: [edit interfaces] user@switch# set vlan.1 family inet targeted-broadcast


•


•


Tracing Operations of an Individual Router or Switch Interface To trace the operations of individual router or switch interfaces, include the traceoptions statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] traceoptions { flag flag; }

You can specify the following interface tracing flags: •

all—Trace all interface operations.

•

event—Trace all interface events.

•

ipc—Trace all interface interprocess communication (IPC) messages.

•

media—Trace all interface media changes.

The interfaces traceoptions statement does not support a trace file. The logging is done by the kernel, so the tracing information is placed in the system syslog files. Related Documentation

•


•

Tracing Interface Operations Overview

Tracing Operations of the Interface Process To trace the operations of the router or switch interface process, dcd, include the traceoptions statement at the [edit interfaces] hierarchy level:


1879

®


[edit interfaces] traceoptions { file ; flag flag ; no-remote-trace; }

By default, interface process operations are placed in the file named dcd and three 1-MB files of tracing information are maintained. You can specify the following flags in the interfaces traceoptions statement: •

change-events—Log changes that produce configuration events.

•

config-states—Log the configuration state machine changes.

•

kernel—Log configuration IPC messages to kernel.

•

kernel-detail—Log details of configuration messages to kernel.

For general information about tracing, see the tracing and logging information in the Junos OS System Basics Configuration Guide. Related Documentation

•

Tracing Interface Operations Overview

•


Setting the Mode on an SFP+ Uplink Module (CLI Procedure) SFP+ uplink modules are supported on EX3200 and EX4200 switches. You can use these uplink modules either for two SFP+ transceivers or four SFP transceivers. You configure the operating mode on the module to match the type of transceiver you want to use—that is, for SFP+ transceivers, you configure the 10-gigabit operating mode, and for SFP transceivers, you configure the 1-gigabit operating mode. By default, the SFP+ uplink module operates in the 10-gigabit mode and supports only SFP+ transceivers. If you have not changed the module from the default setting and you want to use SFP+ transceivers, you do not need to configure the operating mode. To set the operating mode of an SFP+ uplink module: 1.

Change the operating mode to the appropriate mode for the transceiver type you want to use by using one of the following commands: [edit] user@switch# set chassis fpc 0 pic 1 sfpplus pic-mode 1g [edit] user@switch# set chassis fpc 0 pic 1 sfpplus pic-mode 10g

2. If the switch is running: •

1880

Junos OS Release 10.1 or later, the changed operating mode takes effect immediately unless a port on the SFP+ uplink module is a Virtual Chassis port (VCP). If any port on the SFP+ uplink module is a VCP, the changed operating mode does not take effect until the next reboot of the switch.



NOTE: During the operating mode change, the Packet Forwarding Engine is restarted. In a Virtual Chassis configuration, this means that the Flexible PIC Concentrator connection with the master is dropped and then reconnected.

•

Junos OS Release 10.0 or earlier, reboot the switch.

You can see whether the operating mode has been changed to the new mode you configured by issuing the show chassis pic fpc-slot slot-number pic-slot 1 command. Related Documentation

•


•


•

Optical Interface Support in EX3200 Switches

•

Optical Interface Support in EX4200 Switches

Configuring the Media Type on Dual-Purpose Uplink Ports (CLI Procedure) EX2200-C switches provide two dual-purpose uplink ports. Each dual uplink port is a single interface that offers a choice of two connections: an RJ-45 connection for a copper Ethernet cable and an SFP connection for a fiber-optic Ethernet cable. You can choose to use either connection, but only one connection can be active at a time. By default, if you plug a transceiver into the SFP connector, the port becomes a fiber-optic Gigabit Ethernet port, even if a copper Ethernet cable is plugged into the RJ-45 connection as well. If a transceiver is not plugged into the SFP connector, the port defaults to a copper 10/100/1000 Ethernet port. You can constrain the use of the port to one connection type by configuring the media type for the port to be either copper or fiber. When you configure a media type on the port, the port will no longer accept the alternate connection type. For example, if you configure the uplink port as a fiber port and then plug a copper Ethernet cable into the RJ-45 connector, the interface will not come up. To configure the media type for an uplink port: user@switch# set interfaces interface-name media-type (Dual-Purpose Uplink Ports) media-type

For example, to set the media type for uplink port ge-0/1/0 to copper: user@switch# set interfaces ge-0/1/0 media-type copper

NOTE: When you change the media type setting for a dual-purpose uplink port, it can take up to 6 seconds for the interface to appear in operational commands.


1881

®



•


Configuring Generic Routing Encapsulation Tunneling (CLI Procedure) GRE tunneling is accomplished through routable tunnel endpoints that operate on top of existing physical and other logical endpoints. GRE tunnels connect one endpoint to another and provide a clear data path between them. This topic describes: 1.

Configuring a GRE Tunnel Port on page 1882

2. Configuring Tunnels to Use Generic Routing Encapsulation on page 1882

Configuring a GRE Tunnel Port To configure GRE tunnels on a switch, you convert a network port or uplink port on the switch chassis to a GRE tunnel port for tunnel services. Each physical tunnel port, named gr-fpc/pic/port, can have one or more logical interfaces each of which is a GRE tunnel. After conversion to a GRE tunnel port, the physical port cannot be used for network traffic. To configure a tunnel port on a switch: 1.

Determine the network port or uplink port on your switch platform to convert to a GRE tunnel port.

2. Configure the port as a tunnel port for GRE tunnel services: [edit chassis] user@switch# set fpc slot pic pic-number tunnel-port port-number tunnel-services

NOTE: On EX3200 switches and standalone EX4200 switches, the FPC number is 0 because it refers to the switch itself. On EX4200 Virtual Chassis, the FPC number is the member ID of the Virtual Chassis member with the port you are configuring. On EX8200 switches, the FPC number is the number of the slot containing the line card with the port you are configuring. For built-in ports on EX3200 and EX4200 switches and on EX8200 switches, the PIC number is 0. For uplink ports on EX3200 and EX4200 switches, the PIC number is 1.

Configuring Tunnels to Use Generic Routing Encapsulation Normally, a GRE tunnel port comes up as soon as it is configured and stays up as long as a valid tunnel source address exists or an interface is operational. Each logical interface you configure on the port can be configured as the source or endpoint of a GRE tunnel. To configure a tunnel port to use GRE:

1882



1.

Configure a physical GRE port with a logical interface name and address: •

For IPv4 over GRE, specify the protocol family inet: [edit interfaces] user@switch# set gr-fpc/pic/port unit number family inet address

•

For IPv6 over GRE, specify the protocol family inet6: [edit interfaces] user@switch# set gr-fpc/pic/port unit number family inet6 address

2. Specify the tunnel source address for the logical interface:

[edit interfaces] user@switch# set gr-fpc/pic/port unit number tunnel source source-address 3. Specify the destination address:

[edit interfaces] user@switch# set gr-fpc/pic/port unit number tunnel destination address


•

Verifying That Generic Routing Encapsulation Tunneling Is Working Correctly on page 1891

•

Understanding Generic Routing Encapsulation on page 1786

Damping Interface Transitions By default, when an interface changes from being up to being down, or from down to up, this transition is advertised immediately to the hardware and Junos OS. In some situations—for example, when an interface is connected to an add-drop multiplexer (ADM) or wavelength-division multiplexer (WDM), or to protect against SONET/SDH framer holes—you might want to damp interface transitions. This means not advertising the interface’s transition until a certain period of time has passed, called the hold-time. When you have damped interface transitions and the interface goes from up to down, the interface is not advertised to the rest of the system as being down until it has remained down for the hold-time period. Similarly when an interface goes from down to up, it is not advertised as being up until it has remained up for the hold-time period. To damp interface transitions, include the hold-time statement at the [edit interfaces interface-name] hierarchy level: [edit interfaces interface-name] hold-time up milliseconds down milliseconds;

The time can be a value from 0 through 4,294,967,295 milliseconds. The default value is 0, which means that interface transitions are not damped. Junos OS advertises the transition within 100 milliseconds of the time value you specify. For most Ethernet interfaces, hold timers are implemented using a 1-second polling algorithm. For 1-port, 2-port, and 4-port Gigabit Ethernet interfaces with small form-factor pluggable transceivers (SFPs), hold timers are interrupt-driven.


1883

®


NOTE: The hold-time option is not available for controller interfaces.

1884


CHAPTER 59

Verifying Interfaces •


•


•

Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets on page 1887

•

Verifying That Layer 3 Subinterfaces Are Working on page 1888

•


•

Verifying IP Directed Broadcast Status on page 1891

•

Verifying That Generic Routing Encapsulation Tunneling Is Working Correctly on page 1891

Monitoring Interface Status and Traffic Purpose

Use the monitoring functionality to view interface status or to monitor interface bandwidth utilization and traffic statistics on the EX Series switches. The J-Web interface monitors interface bandwidth utilization and plots real-time charts to display input and output rates in bytes per second. In addition, the Interface monitoring page displays input and output packet counters and error counters in the form of charts. Alternatively, you can enter the show commands in the CLI to view interface status and traffic statistics.

NOTE: For logical interfaces on EX Series switches, the traffic statistics fields in show interfaces commands show only control traffic; the traffic statistics do not include data traffic.

Action

To view general interface information in the J-Web interface such as available interfaces, select Monitor > Interfaces. Click any interface to view details about its status. To set up interface monitoring for Virtual Chassis and EX8200 switches, select a member from the Port for FPC list. Details such as the admin status and link status are displayed in the table.


1885

®


NOTE: By default, the details of the first member in the Port for FPC drop-down list is displayed.

You have the following options: •

Start/Stop—Starts or stops monitoring the selected interface.

•

Show Graph—Displays input and output packet counters and error counters in the form of charts. Also, click on the pop-up icon to view the graph in a separate window.

•

Details—Displays interface information such as general details, traffic statistics, I/O errors, CoS counters, and Ethernet statistics.

•

Refresh Interval (sec)—Displays the time interval you have set for page refresh.

•

Clear Statistics—Clears the statistics for the interface selected from the table.

Using the CLI:

Meaning

•

To view interface status for all the interfaces, enter show interfaces xe-.

•

To view status and statistics for a specific interface, enter show interfaces xe-interface-name.

•

To view status and traffic statistics for all interfaces, enter either show interfaces xedetail or show interfaces xe- extensive.

In the J-Web interface the charts displayed are: •

Bar charts—Display the input and output error counters.

•

Pie charts—Display the number of broadcast, unicast, and multicast packet counters.

For details about output from the CLI commands, see show interfaces ge- (Gigabit Ethernet) or show interfaces xe- (10-Gigabit Ethernet).


•


•


Verifying the Status of a LAG Interface Purpose Action

Verify that a LAG (ae0) has been created on the switch. Enter the following command: user@switch> show interfaces ae0 terse Interface Admin Link Proto ae0 up up ae0.0 up up inet

1886

Local

Remote

10.10.10.2/24


Chapter 59: Verifying Interfaces

Meaning



•


•


•


Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets Verify that LACP has been set up correctly and that the bundle members are transmitting LACP protocol packets. 1.

Verifying the LACP Setup on page 1887

2. Verifying That LACP Packets Are Being Exchanged on page 1887

Verifying the LACP Setup Purpose Action

Verify that the LACP has been set up correctly. TO verify that LACP has been enabled as active on one end: user@switch>show lacp interfaces xe-0/1/0 Aggregated interface: ae0 LACP state:

Role

Def

Dist

Col

Syn

Aggr

Timeout

Activity

xe-0/1/0

Actor

No

Yes

No

No

No

Yes

Fast

Active

xe-0/1/0

Partner

No

Yes

No

No

No

Yes

Fast

Passive


Meaning

Exp


Transmit State

Mux State

Fast periodic

Detached

This example shows that LACP has been configured with one side as active and the other as passive. When LACP is enabled, one side must be set as active in order for the bundled link to be up.

Verifying That LACP Packets Are Being Exchanged Purpose Action

Verify that LACP packets are being exchanged between interfaces. Use the show interfaces aex statistics command to display LACP BPDU exchange information.


1887

®


show interfaces ae0 statistics Physical interface: ae0, Enabled, Physical link is Down Interface index: 153, SNMP ifIndex: 30 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0 Last flapped : Never Statistics last cleared: Never Input packets : 0 Output packets: 0 Input errors: 0, Output errors: 0 Logical interface ae0.0 (Index 71) (SNMP ifIndex 34) Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 0 0 0 0 Protocol inet, Flags: None Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning


The output here shows that the link is down and that no PDUs are being exchanged (when there is no other traffic flowing on the link).

•

Configuring Aggregated Ethernet LACP

•

Verifying the Status of a LAG Interface

Verifying That Layer 3 Subinterfaces Are Working Purpose

Action

After configuring Layer 3 subinterfaces, verify they are set up properly and transmitting data. 1.

Use the show interfaces command to determine if you successfully created the subinterfaces and the links are up: user@switch> show interfaces interface-name terse Interface Admin Link Proto Local ge-0/0/0 up up ge-0/0/0.0 up up inet 1.1.1.1/24 ge-0/0/0.1 up up inet 2.1.1.1/24 ge-0/0/0.2 up up inet 3.1.1.1/24 ge-0/0/0.3 up up inet 4.1.1.1/24 ge-0/0/0.4 up up inet 5.1.1.1/24 ge-0/0/0.32767 up up

Remote

2. Use the ping command from a device on one subnet to an address on another subnet

to determine if packets were transmitted correctly on the subinterface VLANs: user@switch> ping ip-address

1888



PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.157 ms 64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.238 ms 64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.255 ms 64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.128 ms --- 1.1.1.1 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss

Meaning


The output confirms that the subinterfaces are created and the links are up.

•


•


Verifying Unicast RPF Status Purpose

Action

Verify that unicast reverse-path forwarding (RPF) is enabled and is working on the interface. Use one of the show interfaces interface-name commands with either the extensive or detail options to verify that unicast RPF is enabled and working on the switch. The example below displays output from the show interfaces ge- extensive command. user@switch> show interfaces ge-1/0/10 extensive Physical interface: ge-1/0/10, Enabled, Physical link is Down Interface index: 139, SNMP ifIndex: 58, Generation: 140 Link-level type: Ethernet, MTU: 1514, Speed: Auto, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:95:ab, Hardware address: 00:19:e2:50:95:ab Last flapped : Never Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use


1889

®


Queue counters:

Queued packets

Transmitted packets

Dropped packets

0 best-effort

0

0

0

1 assured-forw

0

0

0

5 expedited-fo

0

0

0

7 network-cont

0

0

0

Active alarms : LINK Active defects : LINK MAC statistics: Receive Total octets 0 Total packets 0 Unicast packets 0 Broadcast packets 0 Multicast packets 0 CRC/Align errors 0 FIFO errors 0 MAC control frames 0 MAC pause frames 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count Output packet pad count Output packet error count CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Incomplete Packet Forwarding Engine configuration: Destination slot: 1

Transmit 0 0 0 0 0 0 0 0 0

0 0 0

Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135) Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps

1890



Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol inet, Generation: 144, Route table: 0 Flags: uRPF Addresses, Flags: Is-Preferred Is-Primary

Meaning

0 pps 0 pps

The show interfaces ge-1/0/10 extensive command (and the show interfaces ge-1/0/10 detail command) displays in-depth information about the interface. The Flags: output field near the bottom of the display reports the unicast RPF status. If unicast RPF has not been enabled, the uRPF flag is not displayed. On EX3200 and EX4200 switches, unicast RPF is implicitly enabled on all switch interfaces, including aggregated Ethernet interfaces (also referred to as link aggregation groups or LAGs) and routed VLAN interfaces (RVIs) when you enable unicast RPF on a single interface. However, the unicast RPF status is shown as enabled only on interfaces for which you have explicitly configured unicast RPF. Thus, the uRPF flag is not displayed on interfaces for which you have not explicitly configured unicast RPF even though unicast RPF is implicitly enabled on all interfaces on EX3200 and EX4200 switches.


•

show interfaces xeon page 2050

•


•


•


•


Verifying IP Directed Broadcast Status Purpose Action


Verify that IP directed broadcast is enabled and is working on the subnet. Use the show vlans extensive command to verify that IP directed broadcast is enabled and working on the subnet as shown in the following example.

•


•


Verifying That Generic Routing Encapsulation Tunneling Is Working Correctly Purpose Action

Verify that the generic routing encapsulation (GRE) interface is sending tunneled traffic. Display status information about the specified GRE interface with the command show interfaces (GRE).


1891

®


user@switch> show interfaces gr-0/0/0 Physical interface: gr-0/0/0, Enabled, Physical link is Up Interface index: 132, SNMP ifIndex: 26 Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Logical interface gr-0/0/0.0 (Index 68) (SNMP ifIndex 47) Flags: Point-To-Point SNMP-Traps 16384 IP-Header 1.1.1.2:1.1.1.1:47:df:64:0000000000000000 Encapsulation: GRE-NULL Input packets : 0 Output packets: 0 Protocol inet, MTU: 1476 Flags: None Addresses, Flags: Is-Primary Local: 1.10.1.1

Meaning


1892

The output indicates that the GRE interface gr-0/0/0 is up. The output displays the name of the physical interface, and the traffic statistics on the interface: the number and rate of bytes and packets received and transmitted on the physical interface.

•



CHAPTER 60

Troubleshooting Interfaces •

Troubleshooting Network Interfaces on EX3200 Switches on page 1893

•


•

Troubleshooting an Aggregated Ethernet Interface on page 1895

•

Troubleshooting Interface Configuration and Cable Faults on page 1896

•


•

Troubleshooting Virtual Chassis Port Connectivity on an EX4200 Switch on page 1897

•

Diagnosing a Faulty Twisted-Pair Cable (CLI Procedure) on page 1898

Troubleshooting Network Interfaces on EX3200 Switches This topic provides troubleshooting information for specific problems related to interfaces on EX3200 switches. •

The interface on one of the last four built-in network ports in an EX3200 switch (for example, interface ge-0/0/23) is down on page 1893

•

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module is down on page 1894

The interface on one of the last four built-in network ports in an EX3200 switch (for example, interface ge-0/0/23) is down Problem

The interface on one of the last four built-in ports (ge-0/0/20 through ge-0/0/23 on 24-port models or ge-0/0/44 through ge-0/0/47 on 48-port models) of an EX3200 switch is down. An SFP or SFP+ uplink module is installed in the switch and a transceiver is installed in one of the ports on the uplink module. When you check the status with the CLI command show interfaces ge- or with the J-Web user interface, the disabled port is not listed.

Cause

The last four built-in ports use the same ASIC as the SFP uplink module. Therefore, if you install a transceiver in an SFP or SFP+ uplink module installed in an EX3200 switch, a corresponding base port from the last four built-in ports is disabled.


1893

®


Solution

If you need to use the disabled built-in port, you must remove the transceiver from the SFP or SFP+ uplink module. Alternatively, you can install an XFP uplink module instead of an SFP or SFP+ uplink module. There is no conflict between the built-in network ports and the ports on the XFP uplink modules.

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module is down Problem

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module installed in an EX3200 switch is down. When you check the status with the CLI command show interfaces ge- or with the J-Web user interface, the disabled port is not listed.

Cause

Solution


By default, the SFP+ uplink module operates in the 10-gigabit mode and supports only SFP+ transceivers. The operating mode for the module is incorrectly set. Either SFP+ or SFP transceivers can be installed in SFP+ uplink modules. You must configure the operating mode of the SFP+ uplink module to match the type of transceiver you want to use. For SFP+ transceivers, configure the 10-gigabit operating mode and for SFP transceivers, configure the 1-gigabit operating mode. See “Setting the Mode on an SFP+ Uplink Module (CLI Procedure)” on page 1880.

•

Troubleshooting Uplink Module Installation or Replacement on EX3200 Switches

•


•


•


•

Removing a Transceiver from an EX Series Switch

•


•


Troubleshooting Network Interfaces on EX4200 Switches This topic provides troubleshooting information for specific problems related to interfaces on EX4200 switches. •

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module is down on page 1894

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module is down Problem

1894

The interface on the port in which an SFP or SFP+ transceiver is installed in an SFP+ uplink module installed in an EX4200 switch is down.


Chapter 60: Troubleshooting Interfaces

When you check the status with the CLI command show interfaces ge- or with the J-Web user interface, the disabled port is not listed. Cause

Solution


By default, the SFP+ uplink module operates in the 10-gigabit mode and supports only SFP+ transceivers. The operating mode for the module is incorrectly set. Either SFP+ or SFP transceivers can be installed in SFP+ uplink modules. You must configure the operating mode of the SFP+ uplink module to match the type of transceiver you want to use. For SFP+ transceivers, configure the 10-gigabit operating mode and for SFP transceivers, configure the 1-gigabit operating mode. See “Setting the Mode on an SFP+ Uplink Module (CLI Procedure)” on page 1880.

•

Troubleshooting Virtual Chassis Port Connectivity on an EX4200 Switch on page 1897

•


•


•


•


•


•


Troubleshooting an Aggregated Ethernet Interface Troubleshooting issues for aggregated Ethernet interfaces: •

Show Interfaces Command Shows the LAG is Down on page 1895

•

Logical Interface Statistics Do Not Reflect All Traffic on page 1895

Show Interfaces Command Shows the LAG is Down Problem


Solution

Check the following: •


•


•

Verify that a LAG is part of family ethernet—switching (Layer 2 LAG) or family inet (Layer 3 LAG).

•


•


Logical Interface Statistics Do Not Reflect All Traffic Problem

The traffic statistics for a logical interface do not include all of the traffic.


1895

®


Solution


Traffic statistics fields for logical interfaces in show interfaces commands show only control traffic; the traffic statistics do not include data traffic. You can view the statistics for all traffic only per physical interface.

•


•


•


Troubleshooting Interface Configuration and Cable Faults Troubleshooting interface configuration and connectivity on the EX Series switch: 1.

Interface Configuration or Connectivity Is Not Working on page 1896

Interface Configuration or Connectivity Is Not Working Problem

You encounter errors when you attempt to configure an interface on the switch, or the interface is exhibiting connectivity problems.

Solution

Use the port troubleshooter feature in the J-Web interface to identify and rectify port configuration and connectivity related problems. To use the J-Web interface port troubleshooter: 1.

Select the option Troubleshoot from the main menu.

2. Click Troubleshoot Port. The Port Troubleshooting wizard is displayed. Click Next. 3. Select the ports to troubleshoot. 4. Select the test cases to be executed on the selected port. Click Next.

When the selected test cases are executed, the final result and the recommended action is displayed. If there is a cable fault, the port troubleshooter displays details and the recommended action. For example, the cable must be replaced. If the port configuration needs to be modified, the port troubleshooter displays details and the recommended action.


1896

•


•


•


•




•


Troubleshooting Unicast RPF Troubleshooting issues for unicast reverse-path forwarding (RPF) on EX Series switches include: 1.

Legitimate Packets Are Discarded on page 1897

Legitimate Packets Are Discarded Problem

The switch filters valid packets from legitimate sources, which results in the switch's discarding packets that should be forwarded.

Solution

The interface or interfaces on which legitimate packets are discarded are asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, so the interface that receives a packet is not the same interface the switch uses to reply to the packet's source. Unicast RPF works properly only on symmetrically routed interfaces. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Unicast RPF filters packets by checking the forwarding table for the best return path to the source of an incoming packet. If the best return path uses the same interface as the interface that received the packet, the switch forwards the packet. If the best return path uses a different interface than the interface that received the packet, the switch discards the packet.

NOTE: On EX3200 and EX4200 switches, unicast RPF works properly only if all switch interfaces—including aggregated Ethernet interfaces (also referred to as link aggregation groups or LAGs) and routed VLAN interfaces (RVIs)—are symmetrically routed, because unicast RPF is enabled globally on all switch interfaces.


•


•


Troubleshooting Virtual Chassis Port Connectivity on an EX4200 Switch This topic provides troubleshooting information for specific problems related to uplink module ports on EX4200 switches. 1.

Virtual Chassis port (VCP) connection does not work on page 1898


1897

®


Virtual Chassis port (VCP) connection does not work Problem

The Virtual Chassis port (VCP) connection configured in an EX4200 switch does not work. A port of the uplink module is set as a VCP.

Cause Solution


The uplink module installed in the switch was replaced. Set a port in the uplink module as a VCP. See “Setting an Uplink Port on an EX3300 or EX4200 Switch as a Virtual Chassis Port (CLI Procedure)” on page 1434.

•


•


•


•


•


•


•

Understanding EX4200, EX4500, and EX4550 Virtual Chassis Hardware Configurations

Diagnosing a Faulty Twisted-Pair Cable (CLI Procedure) Problem

A 10/100/1000BASE-T Ethernet interface has connectivity problems that you suspect might be caused by a faulty cable.

Solution

Use the time domain reflectometry (TDR) test to determine whether a twisted-pair Ethernet cable is faulty. The TDR test: •

Detects and reports faults for each twisted pair in an Ethernet cable. Faults detected include open circuits, short circuits, and impedance mismatches.

•

Reports the distance to fault to within 1 meter.

•

Detects and reports pair swaps, pair polarity reversals, and excessive pair skew.

The TDR test is supported on the following switches and interfaces: •

EX2200, EX3200, EX3300, and EX4200 switches—RJ-45 network interfaces. The TDR test is not supported on management interfaces and SFP interfaces.

•

EX6200 and EX8200 switches—RJ-45 network interfaces on line cards.

NOTE: We recommend running the TDR test on an interface when there is no traffic on the interface.

1898



To diagnose a cable problem by running the TDR test: 1.

Run the request diagnostics tdr command. user@switch> request diagnostics tdr start interface ge-0/0/10 Interface TDR detail: Test status

: Test successfully executed

ge-0/0/10

2. View the results of the TDR test with the show diagnostics tdr command. user@switch> show diagnostics tdr interface ge-0/0/10 Interface TDR detail: Interface name Test status Link status MDI pair Cable status Distance fault Polartiy swap Skew time MDI pair Cable status Distance fault Polartiy swap Skew time MDI pair Cable status Distance fault Polartiy swap Skew time MDI pair Cable status Distance fault Polartiy swap Skew time Channel pair Pair swap Channel pair Pair swap Downshift

: : : : : : : : : : : : : : : : : : : : : : : : : : : :

ge-0/0/10 Passed Down 1-2 Normal 0 Meters N/A N/A 3-6 Normal 0 Meters N/A N/A 4-5 Open 1 Meters N/A N/A 7-8 Normal 0 Meters N/A N/A 1 N/A 2 N/A N/A

3. Examine the Cable status field for the four MDI pairs to determine if the cable has a

fault. In the preceding example, the twisted pair on pins 4 and 5 is broken or cut at approximately one meter from the ge-0/0/10 port connection.

NOTE: The Test Status field indicates the status of the TDR test, not the cable. The value Passed means the test completed—it does not mean that the cable has no faults.

The following is additional information about the TDR test: •

The TDR test can take some seconds to complete. If the test is still running when you execute the show diagnostics tdr command, the Test status field displays Started. For example:


1899

®


user@switch> show diagnostics tdr interface ge-0/0/22 Interface TDR detail: Interface name Test status

: ge-0/0/22 : Started

•

You can terminate a running TDR test before it completes by using the request diagnostics tdr abort interface interface-name command. The test terminates with no results, and the results from any previous test are cleared.

•

You can display summary information about the last TDR test results for all interfaces on the switch that support the TDR test by not specifying an interface name with the show diagnostics tdr command. For example: user@switch> show diagnostics tdr Interface Test status Link status ge-0/0/0 Passed UP ge-0/0/1 Not Started N/A ge-0/0/2 Passed UP ge-0/0/3 Not Started N/A ge-0/0/4 Passed UP ge-0/0/5 Passed UP ge-0/0/6 Passed UP ge-0/0/7 Not Started N/A ge-0/0/8 Passed Down ge-0/0/9 Not Started N/A ge-0/0/10 Passed Down ge-0/0/11 Passed UP ge-0/0/12 Not Started N/A ge-0/0/13 Not Started N/A ge-0/0/14 Not Started N/A ge-0/0/15 Not Started N/A ge-0/0/16 Not Started N/A ge-0/0/17 Not Started N/A ge-0/0/18 Not Started N/A ge-0/0/19 Passed Down ge-0/0/20 Not Started N/A ge-0/0/21 Not Started N/A ge-0/0/22 Passed UP ge-0/0/23 Not Started N/A


1900

Cable status OK N/A OK N/A OK OK OK N/A OK N/A Fault OK N/A N/A N/A N/A N/A N/A N/A OK N/A N/A OK N/A

Max distance fault 0 N/A 0 N/A 0 0 0 N/A 0 N/A 1 0 N/A N/A N/A N/A N/A N/A N/A 0 N/A N/A 0 N/A

•

Troubleshooting Interface Configuration and Cable Faults on page 1896

•

request diagnostics tdr on page 1989

•

show diagnostics tdr on page 1991


CHAPTER 61

Configuration Statements for Interfaces •


•


[edit chassis] Configuration Statement Hierarchy chassis { aggregated-devices { ethernet (Aggregated Devices) { device-count number; } } auto-image-upgrade; fpc slot { pic pic-number { sfpplus { pic-modemode; } } power (off | on); power-budget-priority priority; } lcd-menu { fpc slot-number { menu-item (menu-name | menu-option) { disable; } } } nssu { upgrade-group group-name { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); member (NSSU Upgrade Groups) member-id { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); } } } psu { redundancy { n-plus-n (Power Management); } }


1901

®


redundancy { graceful-switchover; } }


•


•


•


•


•


•


•


[edit interfaces] Configuration Statement Hierarchy interfaces { aex { accounting-profile name; aggregated-ether-options { (flow-control | no-flow-control); lacp { (active | passive); admin-key key; periodic interval; system-id mac-address; } (link-protection | no-link-protection); link-speed speed; (loopback | no-loopback); minimum-links number; } description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted);

1902


Chapter 61: Configuration Statements for Interfaces

(traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } ge-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; media-type (Dual-Purpose Uplink Ports); mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } interface-range name { accounting-profile name; description text;


1903

®


disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; member interface-name; member-range starting-interface name to ending-interface name; mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } lo0 { accounting-profile name; description text; disable; hold-time up milliseconds down milliseconds; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number {

1904



accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); } } me0 { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } vlan { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); } } traceoptions { file ; flag flag ;


1905

®


no-remote-trace; } vme { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } xe-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag;

1906



} (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } }


•


•


•


•


•


•


•


•



1907

®


802.3ad Syntax

Hierarchy Level


802.3ad { aex; (backup | primary); lacp { force-up; } } [edit interfaces interface-name ether-options], [edit interfaces interface-range name ether-options]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure membership in a link aggregration group (LAG). •

aex—Name of the LAG.

•

backup—Designate the interface as the backup interface for link-protection mode.

•

primary—Designate the interface as the primary interface for link-protection mode.

The remaining statements are described separately. Required Privilege Level Related Documentation

1908



•


•


•


•


•




accounting-profile Syntax Hierarchy Level

Release Information

Description


accounting-profile name; [edit interfaces interface-name], [edit interfaces interface-name unit logical-unit-number], [edit interfaces interface-range name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable collection of accounting data for the specified physical or logical interface or interface range. name—Name of the accounting profile.


Applying an Accounting Profile to the Physical Interface on page 1860

•

Applying an Accounting Profile to the Logical Interface on page 1861


1909

®


address

1910

Syntax

address address { arp ip-address (mac | multicast-mac) mac-address ; broadcast address; destination address; destination-profile name; eui-64; master-only; multipoint-destination address dlci dlci-identifier; multipoint-destination address { epd-threshold cells; inverse-arp; oam-liveness { up-count cells; down-count cells; } oam-period (disable | seconds); shaping { (cbr rate | rtvbr peak rate sustained rate burst length | vbr peak rate sustained rate burst length); queue-length number; } vci vpi-identifier.vci-identifier; } primary; preferred; (vrrp-group | vrrp-inet6-group) group-number { (accept-data | no-accept-data); advertise–interval seconds; authentication-type authentication; authentication-key key; fast-interval milliseconds; (preempt | no-preempt) { hold-time seconds; } priority-number number; track { priority-cost seconds; priority-hold-time interface-name { interface priority; bandwidth-threshold bits-per-second { priority; } } route ip-address/mask routing-instance instance-name priority-cost cost; } virtual-address [ addresses ]; } }

Hierarchy Level

[edit interfaces interface-name unit logical-unit-number family family], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]



Release Information

Description

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the interface address.

NOTE: The vrrp High Availability functionality is not available on the QFX Series.

Options

address—Address of the interface.


NOTE: The edit logical-systems hierarchy is not available on QFabric switches.



Configuring the Protocol Family

•

negotiate-address

•

unnumbered-address (Ethernet)

•



1911

®


aggregated-devices Syntax


aggregated-devices { ethernet (Aggregated Devices) { device-count number; } } [edit chassis]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure properties for aggregated devices on the switch. The remaining statements are explained separately.


1912

Aggregated devices are disabled. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•




aggregated-ether-options Syntax


aggregated-ether-options { (flow-control | no-flow-control); lacp { (active | passive); admin-key key; periodic interval; system-id mac-address; } (link-protection | no-link-protection); link-speed speed; (loopback | no-loopback); minimum-links number; } [edit interfaces aex]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the aggregated Ethernet properties of a specific aggregated Ethernet interface. The remaining statements are explained separately.




•


•


•


•


•



1913

®


arp Syntax Hierarchy Level

Release Information

Description

Options

arp ip-address (mac | multicast-mac) mac-address publish; [edit interfaces interface-name unit logical-unit-number family inet address address], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address ˇaddress]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. For Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces only, configure Address Resolution Protocol (ARP) table entries, mapping IP addresses to MAC addresses. ip-address—IP address to map to the MAC address. The IP address specified must be

part of the subnet defined in the enclosing address statement. mac mac-address—MAC address to map to the IP address. Specify the MAC address as

six hexadecimal bytes in one of the following formats: nnnn.nnnn.nnnn or nn:nn:nn:nn:nn:nn. For example, 0011.2233.4455 or 00:11:22:33:44:55. multicast-mac mac-address—Multicast MAC address to map to the IP address. Specify

the multicast MAC address as six hexadecimal bytes in one of the following formats: nnnn.nnnn.nnnn or nn:nn:nn:nn:nn:nn. For example, 0011.2233.4455 or 00:11:22:33:44:55. publish—(Optional) Have the router or switch reply to ARP requests for the specified IP

address. If you omit this option, the router or switch uses the entry to reach the destination but does not reply to ARP requests.



1914


Configuring Static ARP Table Entries on page 1864

•

Configuring Static ARP Entries



auto-negotiation Syntax

Hierarchy Level

Release Information

Description

(auto-negotiation | no-auto-negotiation) ; [edit interfaces interface-name ether-options], [edit interfaces interface-name gigether-options], [edit interfaces ge-pim/0/0 switch-options switch-port port-number]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 8.4 for J Series Services Routers. Statement introduced in Junos OS Release 9.0 for EX Series switches. For Gigabit Ethernet interfaces on M Series, MX Series, T Series, and TX Matrix routers, explicitly enable autonegotiation and remote fault. For EX Series switches and J Series Services Routers, explicitly enable autonegotiation only. •

auto-negotiation—Enables autonegotiation. This is the default.

•

no-auto-negotiation—Disable autonegotiation. When autonegotiation is disabled, you

must explicitly configure the link mode and speed. When you configure Tri-Rate Ethernet copper interfaces to operate at 1 Gbps, autonegotiation must be enabled.

NOTE: On EX Series switches, an interface configuration that disables autonegotiation and manually sets the link speed to 1 Gbps is accepted when you commit the configuration; however, if the interface you are configuring is a Tri-Rate Ethernet copper interface, the configuration is ignored as invalid and autonegotiation is enabled by default. To correct the invalid configuration and disable autonegotiation: 1.

Delete the no-auto-negotiation statement and commit the configuration.

2. Set the link speed to 10 or 100 Mbps, set no-auto-negotiation, and commit

the configuration.

On J Series Services Routers with universal Physical Interface Modules (uPIMs) and on EX Series switches, if the link speed and duplex mode are also configured, the interfaces use the values configured as the desired values in the negotiation. If autonegotiation is disabled, the link speed and link mode must be configured. Default

Autonegotiation is automatically enabled. No explicit action is taken after the autonegotiation is complete or if the negotiation fails.


1915

®


Options

remote-fault (local-interface-online | local-interface-offline)—(Optional) For M Series,

MX Series, T Series, and TX Matrix routers only, manually configure remote fault on an interface. Default: local-interface-online Required Privilege Level Related Documentation

1916


Gigabit Ethernet Autonegotiation Overview

•

Configuring J Series Services Router Switching Interfaces

•


•




bandwidth Syntax Hierarchy Level

Release Information

Description

bandwidth rate; [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an informational-only bandwidth value for an interface. This statement is valid for all logical interface types except multilink and aggregated interfaces.

NOTE: We recommend that you be careful when setting this value. Any interface bandwidth value that you configure using the bandwidth statement affects how the interface cost is calculated for a dynamic routing protocol, such as OSPF. By default, the interface cost for a dynamic routing protocol is calculated using the following formula: cost = reference-bandwidth/bandwidth,

where bandwidth is the physical interface speed. However, if you specify a value for bandwidth using the bandwidth statement, that value is used to calculate the interface cost, rather than the actual physical interface bandwidth.

Options

rate—Peak rate, in bits per second (bps) or cells per second (cps). You can specify a

value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). You can also specify a value in cells per second by entering a decimal number followed by the abbreviation c; values expressed in cells per second are converted to bits per second by means of the formula 1 cps = 384 bps. Range: Not limited. Required Privilege Level Related Documentation


Configuring the Interface Bandwidth on page 1839


1917

®


broadcast Syntax Hierarchy Level

Release Information

Description

Default Options

broadcast address; [edit interfaces interface-name unit logical-unit-number family family address address], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family address address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Set the broadcast address on the network or subnet. On a subnet you cannot specify a host address of 0, nor can you specify a broadcast address. The default broadcast address has a host portion of all ones. address—Broadcast address. The address must have a host portion of either all ones or

all zeros. You cannot specify the addresses 0.0.0.0 or 255.255.255.255.



1918





chassis Syntax


chassis { aggregated-devices { ethernet (Aggregated Devices) { device-count number; } } auto-image-upgrade; fpc slot { pic pic-number { sfpplus { pic-mode mode; } } power-budget-priority priority; } lcd-menu { fpc slot-number { menu-item (menu-name | menu-option) { disable; } } } nssu { upgrade-group group-name { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); member (NSSU Upgrade Groups) member-id { fpcs (NSSU Upgrade Groups) (slot-number | [list-of-slot-numbers]); } } } psu { redundancy { n-plus-n (Power Management); } } redundancy { graceful-switchover; } } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure chassis-specific properties for the switch. The remaining statements are explained separately.




1919

®



•


•


•


•


•


•


•



Release Information

Description

description text; [edit interfaces interface-name], [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Provide a textual description of the interface or the logical unit. Any descriptive text you include is displayed in the output of the show interfaces commands, and is also exposed in the ifAlias Management Information Base (MIB) object. It has no effect on the operation of the interface on the router or switch. The textual description can also be included in the extended DHCP relay option 82 Agent Circuit ID suboption.

Options

text—Text to describe the interface. If the text includes spaces, enclose the entire text

in quotation marks. Required Privilege Level Related Documentation

1920


Adding an Interface Description to the Configuration on page 1832

•

Adding a Logical Unit Description to the Configuration on page 1833

•


•

Enabling and Disabling Insertion of Option 82 Information



destination (Tunnels) Syntax Hierarchy Level

Release Information

Description


destination address; [edit interfaces interface-name unit logical-unit-number family inet address address], [edit interfaces interface-name unit logical-unit-number family inet unnumbered-address interface-name], [edit interfaces interface-name unit logical-unit-number tunnel], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address address], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet unnumbered-address interface-name], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. For encrypted, PPP-encapsulated, and tunnel interfaces, specify the remote address of the connection. address—Address of the remote side of the connection.



•


•

Junos OS Services Interfaces Configuration Guide

•

point-to-point


1921

®


device-count Syntax Hierarchy Level Release Information

Description Options

device-count number; [edit chassis aggregated-devices ethernet (Aggregated Devices)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Range updated in Junos OS Release 9.5 for EX Series switches. Configure the number of aggregated Ethernet logical devices available to the switch. number—Maximum number of aggregated Ethernet logical interfaces on the switch.

Range: 1 through 32 for EX2200, EX3200, and standalone EX3300 switches and for EX3300 Virtual Chassis Range: 1 through 64 for standalone EX4200, standalone EX4500, and EX6200 switches and for EX4200 and EX4500 Virtual Chassis Range: 1 through 239 for EX8200 Virtual Chassis Range: 1 through 255 for standalone EX8200 switches Required Privilege Level Related Documentation

1922



•


•




disable (Interface) Syntax Hierarchy Level

Release Information

Description

disable; [edit interfaces interface-name], [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable a physical or a logical interface, effectively unconfiguring it.

CAUTION: Dynamic subscribers and logical interfaces use physical interfaces for connection to the network. The Junos OS allows you to set the interface to disable and commit the change while dynamic subscribers and logical interfaces are still active. This action results in the loss of all subscriber connections on the interface. Use care when disabling interfaces.

NOTE: When you use the disable statement at the edit interfaces hierarchy level, depending on the PIC type, the interface might or might not turn off the laser. Older PIC transceivers do not support turning off the laser, but newer Gigabit Ethernet (GE) PICs with SFP and XFP transceivers do support it and the laser will be turned off when the interface is disabled.

NOTE: When you disable or deactivate an interface, then all the references made to the deactivated interface must be removed from the routing instance.

WARNING: Do not stare into the laser beam or view it directly with optical instruments even if the interface has been disabled.



Disabling a Physical Interface on page 1834

•

Disabling a Logical Interface on page 1835


1923

®


ether-options Syntax

Gigabit Ethernet interfaces: ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (speed | auto-negotiation); }

10-Gigabit Ethernet interfaces: ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (flow-control | no-flow-control); (loopback | no-loopback); }

Hierarchy Level


[edit interfaces interface-name], [edit interfaces interface-range name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Ethernet properties for a Gigabit Ethernet interface or a 10-Gigabit Ethernet interface on an EX Series switch. The remaining statements are explained separately.


1924



•


•


•


•




ethernet Syntax


ethernet { device-count number; } [edit chassis aggregated-devices]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure properties for Ethernet aggregated devices on the switch. The remaining statement is explained separately.




•


eui-64 Syntax Hierarchy Level Release Information

Description


eui-64; [edit interfaces interface-name unit number family inet6 address address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. For interfaces that carry IP version 6 (IPv6) traffic, automatically generate the host number portion of interface addresses. Not supported on QFX Series switches. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •



1925

®


family (for EX Series switches) Syntax

family ccc family ethernet-switching

family inet

1926

family ccc on page 712 family ethernet-switching on page 712 family inet on page 712 family inet6 on page 713 family iso on page 713 family mpls on page 713 family ccc; family ethernet-switching { filter [input | output] filter-name; native-vlan-id vlan-id; port-mode mode; vlan (802.1Q Tagging) { members [ (all | names | vlan-ids) ]; } } family inet { address address { arp ip-address (mac | multicast-mac) mac-address ; broadcast; preferred; primary; vrrp-group group-id { advertise-interval milliseconds; preempt | no-preempt { hold-time seconds; } priority number; virtual-address [addresses]; virtual-link-local-address ip-address; } } dhcp { client-identifier (ascii ascii | hexadecimal hexadecimal); lease-time (seconds | infinite); retransmission-attempt number; retransmission-interval seconds; server-address ip-address; update-server; vendor-id vendor-id; } filter { input filter-name; output filter-name; } mtu bytes; no-redirects; no-neighbor-learn; primary; rpf-check;



targeted-broadcast; }

family inet6

family iso

family mpls

Hierarchy Level

Release Information

Description

family inet6 { address address { eui-64; ndp ip-address (mac | multicast-mac) mac-address ; preferred; primary; vrrp-inet6-group group-id { inet6-advertise-interval milliseconds; preempt | preempt { hold-time seconds; } priority number; virtual-inet6-address [addresses]; virtual-link-local-address ipv6–address; } } (dad-disable | no-dad-disable); filter { input filter-name; output filter-name; } mtu bytes; no-neighbor-learn rpf-check; } family iso { address interface-address; mtu bytes; } family mpls { mtu bytes; } [edit interfaces interface-name unit logical-unit-number], [edit interfaces interface-range name unit logical-unit-number]

Statement introduced in Junos OS Release 9.0 for EX Series switches, including options ethernet-switching, inet, and iso. Option inet6 introduced in Junos OS Release 9.3 for EX Series switches. Options ccc and mpls introduced in Junos OS Release 9.5 for EX Series switches. Configure protocol family information for the logical interface on the switch.


1927

®


Default

Interfaces on EX2200, EX3200, EX3300, EX4200, and EX4500 switches are set to family ethernet-switching by the default factory configuration. If you are going to change the family setting for an interface, you might have to delete this default setting or any user-configured family setting before you change the setting to another family type. EX6200 and EX8200 switch interfaces do not have a default family setting. You must configure a logical interface to be able to use the physical device.

1928



Options

See Table 90 on page 715 for protocol families available on the switch interfaces. Different protocol families support different subsets of the interfaces types on the switch. Interface types on the switch are: •

Aggregated Ethernet (ae)

•

Gigabit Ethernet (ge)

•

Interface-range configuration (interface-range)

•

Loopback (lo0)

•

Management Ethernet (me0)

•

Routed VLAN interface (RVI) (vlan)

•

Virtual management Ethernet (vme)

•

10-Gigabit Ethernet (xe)

If you are using an interface range, the supported protocol families are the ones supported by the interface types that compose the range. Not all interface types support all family substatements. Check your switch CLI for supported substatements for a particular protocol family configuration.

Table 221: Protocol Families and Supported Interface Types Supported Interface Types Family

Description

ae

ge

lo0

me0

vlan

vme

xe

ccc

Circuit cross-connect protocol family

✓*

✓

ethernetswitching

Ethernet switching protocol family

✓

✓

inet


✓

✓

✓

✓

✓

✓

✓

inet6


✓

✓

✓

✓

✓

✓

✓

iso

Junos OS protocol family for IS-IS traffic

✓

✓

✓

✓

✓

✓

✓

mpls

MPLS protocol family

✓

✓

✓

✓

✓

✓

✓ ✓

✓





1929

®



•


•


•


•


•


filter Syntax

Hierarchy Level


Options

filter { group filter-group-number; input filter-name; input-list [ filter-names ]; output filter-name; output-list [ filter-names ]; } [edit interfaces interface-name unit logical-unit-number family family], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]

Statement introduced before Junos OS Release 7.4. Apply a filter to an interface. You can also use filters for encrypted traffic. When you configure filters, you can configure them under the family ethernet-switching, inet, inet6, mpls, or vpls only. group filter-group-number—Define an interface to be part of a filter group. The default

filter group number is 0. Range: 0 through 255 input filter-name—Name of one filter to evaluate when packets are received on the

interface. output filter-name—Name of one filter to evaluate when packets are transmitted on the

interface. The remaining statements are explained separately. Required Privilege Level Related Documentation

1930


Applying a Filter to an Interface

•


•

Junos OS Policy Framework Configuration Guide

•




flow-control Syntax Hierarchy Level

Release Information

Description


(flow-control | no-flow-control); [edit interfaces interface-name aggregated-ether-options], [edit interfaces interface-name ether-options], [edit interfaces interface-name fastether-options], [edit interfaces interface-name gigether-options], [edit interfaces interface-name multiservice-options], [edit interfaces interface-range name aggregated-ether-options], [edit interfaces interface-range name ether-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 in EX Series switches. For aggregated Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces only, explicitly enable flow control, which regulates the flow of packets from the router or switch to the remote side of the connection. Enabling flow control is useful when the remote device is a Gigabit Ethernet switch. Flow control is not supported on the 4-port Fast Ethernet PIC. Flow control is enabled. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Configuring Flow Control on page 1835

•


force-up Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

force-up; [edit interfaces interface-name ether-options 802.3ad lacp]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Set the state of the interface as UP when the peer has limited LACP capability. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•



1931

®


gratuitous-arp-reply Syntax Hierarchy Level Release Information

Description


1932

(gratuitous-arp-reply | no-gratuitous-arp-reply); [edit interfaces interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 in EX Series switches. For Ethernet interfaces, enable updating of the ARP cache for replies received in response to gratuitous ARP requests. Updating of the ARP cache is disabled on all Ethernet interfaces. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•

no-gratuitous-arp-request



hold-time (Physical Interface) Syntax Hierarchy Level

Release Information

Description

hold-time up milliseconds down milliseconds; [edit interfaces interface-name], [edit interfaces interface-range interface-range-name]

Statement introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 10.4R5 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Specify the hold-time value to use to damp interface transitions. When an interface goes from up to down, it is not advertised to the rest of the system as being down until it has remained down for the hold-time period. Similarly, an interface is not advertised as being up until it has remained up for the hold-time period.

NOTE: The hold-time option is not available for controller interfaces.

Default Options

Interface transitions are not damped. down milliseconds—Hold time to use when an interface transitions from up to down.

Junos OS advertises the transition within 100 milliseconds of the time value you specify. Range: 0 through 4,294,967,295 milliseconds Default: 0 milliseconds (interface transitions are not damped) up milliseconds—Hold time to use when an interface transitions from down to up. Junos

OS advertises the transition within 100 milliseconds of the time value you specify. Range: 0 through 4,294,967,295 milliseconds Default: 0 milliseconds (interface transitions are not damped) Required Privilege Level Related Documentation


Damping Interface Transitions on page 1883

•

advertise-interval

•

interfaces (for EX Series switches) on page 732


1933

®


interface-range Syntax


interface-range name { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; member interface-name; member-range starting-interface name to ending-interface name; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } [edit interfaces]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Group interfaces that share a common configuration profile.

NOTE: You can use interface ranges only for Gigabit and 10-Gigabit Ethernet interfaces.

1934



Options

name—Name of the interface range.

NOTE: You can use regular expressions and wildcards to specify the interfaces in the member configuration. Do not use wildcards for interface types.




•


•


•



1935

®


interfaces (for EX Series switches) Syntax

1936

interfaces ae on page 732 interfaces ge on page 732 interfaces interface-range on page 734 interfaces lo0 on page 734 interfaces me0 on page 735 interfaces traceoptions on page 735 interfaces vlan on page 735 interfaces vme on page 736 interfaces xe on page 737

interfaces ae

aex { accounting-profile name; aggregated-ether-options { (flow-control | no-flow-control); lacp { (active | passive); admin-key key; periodic interval; system-id mac-address; } (link-protection | no-link-protection); link-speed speed; (loopback | no-loopback); minimum-links number; } description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; }

interfaces ge

ge-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad {



aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; media-type (Dual-Purpose Uplink Ports); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; }


1937

®


interfaces interface-range

interfaces lo0

1938

interface-range name { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; member interface-name; member-range starting-interface name to ending-interface name; mtu bytes; unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } lo0 { accounting-profile name; description text; disable; hold-time up milliseconds down milliseconds; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); } }



interfaces me0

interfaces traceoptions

interfaces vlan

me0 { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } traceoptions { file ; flag flag ; no-remote-trace; } vlan { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); } }


1939

®


interfaces vme

1940

vme { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; }



interfaces xe


xe-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure interfaces on EX Series switches.


1941

®


Options

See Table 91 on page 738 for the interface types and protocol-family options supported on the switch. Different protocol families support different subsets of the interface types on the switch. See the family statement for syntax of the protocol families supported for switch interfaces. Not all interface types support all family substatements. Check your switch CLI for supported substatements for a particular protocol family configuration.

Table 222: Interface Types and Their Supported Protocol Families Supported Protocol Families Interface Type

Description

ccc

ethernetswitching

inet

inet6

iso

mpls

ae

Aggregated Ethernet interface (also referred to as a link aggregation group [LAG])

✓*

✓

✓

✓

✓

✓

ge

Gigabit Ethernet interface

✓

✓

✓

✓

✓

✓

interface-range

Interface-range configuration

Supported protocol families are the ones supported by the interface types that compose the range.

lo0

Loopback interface

me0

Management Ethernet interface

vlan

✓

✓

✓

✓

✓

✓

✓

✓


✓

✓

✓

vme

Virtual management Ethernet interface

✓

✓

✓

✓

xe

10-Gigabit Ethernet interface

✓

✓

✓

✓

✓

✓

✓



1942





•


•


•


•


•


•


•


•


lacp (802.3ad) Syntax

Hierarchy Level Release Information Description Required Privilege Level Related Documentation

lacp { force-up; } [edit interfaces interface-name ether-options 802.3ad]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure the Link Aggregation Control Protocol (LACP) parameters for interfaces. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•


•


•



1943

®


lacp (Aggregated Ethernet) Syntax


Description

Default Options

lacp { (active | passive); admin-key key; link-protection { disable; (revertive |non-revertive); } periodic interval; system-id mac-address; system-priority priority; } [edit interfaces aex aggregated-ether-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For aggregated Ethernet interfaces only, configure Link Aggregation Control Protocol (LACP). If you do not specify LACP as either active or passive, LACP remains passive. •

active—Initiate transmission of LACP packets.

•

passive—Respond to LACP packets.


1944



•


•




link-mode Syntax Hierarchy Level

Release Information

Description Options

link-mode mode (automatic | full-duplex | half-duplex); [edit interfaces interface-name], [edit interfaces interface-name ether-options], [edit interfaces ge-pim/0/0 switch-options switch-port port-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the device’s link connection characteristic. mode—Link characteristics: •

automatic—Link mode is negotiated. This is the default for EX Series switches.

•

full-duplex—Connection is full duplex.

•

half-duplex—Connection is half duplex.

Default: Fast Ethernet interfaces, except the J Series ePIM Fast Ethernet interfaces, can operate in either full-duplex or half-duplex mode. The router’s management Ethernet interface, fxp0 or em0, the built-in Fast Ethernet interfaces on the FIC (M7i router), and the Gigabit Ethernet ports on J Series Services Routers with uPIMs installed and configured for access switching mode autonegotiate whether to operate in full-duplex or half-duplex mode. Unless otherwise noted here, all other interfaces operate only in full-duplex mode.

NOTE: On J Series ePIM Fast Ethernet interfaces, if you specify half-duplex (or if full-duplex mode is not autonegotiated), the following message is written to the system log: "Half-duplex mode not supported on this PIC, forcing full-duplex mode."

NOTE: On EX Series switches, if no-auto-negotiation is specified in [edit interfaces interface-name ether-options], you can select only full-duplex or half-duplex. If auto-negotiation is specified, you can select any mode.



Configuring the Link Characteristics on Ethernet Interfaces

•

Understanding Management Ethernet Interfaces


1945

®


link-protection Syntax

Hierarchy Level

Release Information

Description

link–protection { disable; (revertive |non-revertive); } [edit interfaces aex aggregated-ether-options] [edit interfaces aex aggregated-ether-options lacp]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for disable, revertive, and non-revertive statements added in Junos OS Release 9.3. On the router, for aggregated Ethernet interfaces only, configure link protection. In addition to enabling link protection, a primary and a secondary (backup) link must be configured to specify what links egress traffic should traverse. To configure primary and secondary links on the router, include the primary and backup statements at the [edit interfaces ge-fpc/pic/port gigether-options 802.3ad aex] hierarchy level or the [edit interfaces fe-fpc/pic/port fastether-options 802.3ad aex] hierarchy level. To configure those links on the switch, configure those statements at the [edit interfaces ge-fpc/pic/port ether-options 802.3ad aex] hierarchy level or at the [edit interfaces xe-fpc/pic/port ether-options 802.3ad aex] hierarchy level.


1946

The statements are explained separately. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Configuring Aggregated Ethernet Link Protection on page 1872



link-speed (Aggregated Ethernet) Syntax Hierarchy Level

Release Information

Description Options

link-speed speed; [edit interfaces aex aggregated-ether-options], [edit interfaces interface-range name aggregated-ether-options], [edit interfaces interface-range name aggregated-sonet-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For aggregated Ethernet interfaces only, set the required link speed. speed—For aggregated Ethernet links, you can specify speed in bits per second either as

a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Aggregated Ethernet links on the M120 router can have one of the following speed values: •

100m—Links are 100 Mbps.

•


•


•

oc192—Links are OC192 or STM64c.

Aggregated Ethernet links on EX Series switches can be configured to operate at one of the following speed values:


•

10m

•

100m

•

1g

•

10g


Configuring Aggregated Ethernet Link Speed on page 1873

•


•



1947

®


loopback (Aggregated Ethernet, Fast Ethernet, and Gigabit Ethernet) Syntax Hierarchy Level

Release Information

Description

(loopback | no-loopback); [edit interfaces interface-name aggregated-ether-options], [edit interfaces interface-name ether-options], [edit interfaces interface-name fastether-options], [edit interfaces interface-name gigether-options], [edit interfaces interface-range name ether-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For aggregated Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces, enable or disable loopback mode.

NOTE: By default, local aggregated Ethernet, Fast Ethernet, Tri-Rate Ethernet copper, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces connect to a remote system.


1948


Configuring Ethernet Loopback Capability on page 1862



media-type Syntax Hierarchy Level Release Information Description

Default

Options

media-type (copper | fiber); [edit interfaces interface-name]

Statement introduced in Junos OS Release 11.3 for EX Series switches. (EX2200-C switch only) Configure the media type for a dual-purpose uplink port (one RJ-45 port and one SFP port) on an EX2200 switch. If you use the media-type for a dual-purpose uplink port, the alternate media type cannot be used with the port. When media-type is not set, the port accepts either type of connection. The media type is fiber if a transceiver is installed in the SFP connection. If no transceiver is installed, the media type is copper. copper—The dual-purpose uplink port accepts only a 10/100/1000BASE-T copper

connection. fiber—The dual-purpose uplink port accepts only an SFP fiber connection.



Configuring the Media Type on Dual-Purpose Uplink Ports (CLI Procedure) on page 1881

member Syntax Hierarchy Level Release Information Description


member interface-name; [edit interfaces interface-range interface-range-name]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specify the name of the member interface belonging to an interface range on the EX Series switch. interface-name—Name of the interface.



•


•


•



1949

®


members Syntax Hierarchy Level

Release Information

Description

members [ (all | names | vlan-ids) ]; [edit interfaces interface-name unit logical-unit-number family ethernet-switching vlan (802.1Q Tagging)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches. For trunk interfaces, configure the VLANs that can carry traffic.

TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN is displayed for a VLAN range.

NOTE: The number of VLANs supported per switch varies for each model. Use the configuration-mode command set vlans id vlan-id ? to determine the maximum number of VLANs allowed on a switch. You cannot exceed this VLAN limit because each VLAN is assigned an ID number when it is created. You can, however, exceed the recommended VLAN member maximum. To determine the maximum number of VLAN members allowed on a switch, multiply the VLAN maximum for the switch times 8 (vmember limit = vlan max * 8). If a switch configuration exceeds the recommended VLAN member maximum, you see a warning message when you commit the configuration. If you ignore the warning and commit such a configuration, the configuration succeeds but you run the risk of crashing the Ethernet switching process (eswd) due to memory allocation failure.

Options

all—Specifies that this trunk interface is a member of all the VLANs that are configured

on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.

NOTE: Since VLAN members are limited, specifying all could cause the number of VLAN members to exceed the limit at some point.

names—Name of one or more VLANs. VLAN IDs are applied automatically in this case.

1950



NOTE: all cannot be a VLAN name.

vlan-ids—Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify

a range; for example, 10-20 or 10-20 23 27-30.

NOTE: Each configured VLAN must have a specified VLAN ID to successfully commit the configuration; otherwise, the configuration commit fails.



show ethernet-switching interfaces on page 1996

•

show vlans on page 2399

•


•


•


•


•

Configuring VLANs for EX Series Switches (CLI Procedure) on page 2220

•

Creating a Series of Tagged VLANs (CLI Procedure) on page 2226

•

Understanding Bridging and VLANs on EX Series Switches on page 2073

•



1951

®


member-range Syntax Hierarchy Level Release Information Description

Options


1952

member-range starting-interface-name to ending-interface-name; [edit interfaces interface-range interface-range-name]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specify the names of the first and last members of a sequence of interfaces belonging to an interface range. Range: Starting interface-name to ending interface-name—The name of the first member and the name of the last member in the interface sequence. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•




minimum-links Syntax Hierarchy Level

Release Information

Description

Options

minimum-links number; [edit interfaces aex aggregated-ether-options], [edit interfaces aex aggregated-sonet-options], [edit interfaces interface-name mlfr-uni-nni-bundle-options], [edit interfaces interface-name unit logical-unit-number], [edit interfaces interface-range range aggregated-ether-options], [edit interfaces interface-range range aggregated-sonet-options], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For aggregated Ethernet, SONET/SDH, multilink, link services, and voice services interfaces only, set the minimum number of links that must be up for the bundle to be labeled up. number—Number of links.

Range: 1 through 8 (1 through 16 for Ethernet and SONET interfaces on the MX Series, M320, M120, T Series, or TX Matrix routers, and 1 through 12 for EX8200 switches) Default: 1 Required Privilege Level Related Documentation


Configuring Aggregated Ethernet Minimum Links on page 1874

•

Configuring Aggregated SONET/SDH Minimum Links

•


•


•



1953

®


mtu Syntax Hierarchy Level

Release Information

Description

mtu bytes; [edit interfaces interface-name], [edit interfaces interface-name unit logical-unit-number family family], [edit interfaces interface-range name], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the maximum transmission unit (MTU) size for the media or protocol. The default MTU size depends on the device type. Changing the media MTU or protocol MTU causes an interface to be deleted and added again.

NOTE: If a packet whose size is larger than the configured MTU size is received on the receiving interface, the packet is eventually dropped. The value considered for MRU (maximum receive unit) size is also the same as the MTU size configured on that interface.

NOTE: Not all devices allow you to set an MTU value, and some devices have restrictions on the range of allowable MTU values. You cannot configure an MTU for management Ethernet interfaces (fxp0, em0, or me0) or for loopback, multilink, and multicast tunnel devices.

For more information on configuring MTU for specific interfaces and router or switch combinations, see “Configuring the Media MTU” on page 1839. Options

bytes—MTU size.

Range: 256 through 9192 bytes Default: 1500 bytes (INET, INET6, and ISO families), 1448 bytes (MPLS) Required Privilege Level Related Documentation

1954


Configuring the Media MTU on page 1839

•

Setting the Protocol MTU on page 1850



native-vlan-id Syntax Hierarchy Level Release Information Description Options

native-vlan-id vlan-id; [edit interfaces interface-name unit 0 family ethernet-switching]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the VLAN identifier to associate with untagged packets received on the interface. vlan-id—Numeric identifier of the VLAN.


routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•


no-redirects Syntax Hierarchy Level Release Information

Description

no-redirects; [edit interfaces interface-name unit logical-unit-number family family]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Do not send protocol redirect messages on the interface. To disable the sending of protocol redirect messages for the entire router or switch, include the no-redirects statement at the [edit system] hierarchy level.


Interfaces send protocol redirect messages. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Disabling the Transmission of Redirect Messages on an Interface on page 1865

•



1955

®


periodic Syntax Hierarchy Level

Release Information

Description

Options

periodic interval; [edit interfaces aex aggregated-ether-options lacp], [edit interfaces interface-range name aggregated-ether-options lacp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For aggregated Ethernet interfaces only, configure the interval for periodic transmission of LACP packets. interval—Interval for periodic transmission of LACP packets. •

fast—Transmit packets every second.

•

slow—Transmit packets every 30 seconds.

Default: fast Required Privilege Level Related Documentation

1956



•


•




pic Syntax


pic pic-number { sfpplus { pic-modemode; } tunnel-port port-number tunnel-services; } [edit chassis fpc slot]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Enable the specified port of the SFP+ uplink module to perform in the operating mode specified by pic-mode. The port is indicated by a Physical Interface Card (PIC) number. For generic routing encapsulation (GRE) tunneling, use the pic statement with the tunnel-port statement to specify the number of the port on the switch that you want to convert to a GRE tunnel port.

Options

pic-number—Number of the PIC. For uplink ports in EX3200 and EX4200 switches, the

PIC number is always 1. Otherwise, the PIC number is 0 on all EX Series switches. The remaining statements are explained separately. Required Privilege Level Related Documentation



•



1957

®


pic-mode Syntax Hierarchy Level Release Information Description

Options


1958

pic-mode mode; [edit chassis fpc slot pic pic-number sfpplus ]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the operating mode for the specified port on the SFP+ uplink module on an EX3200 or EX4200 switch. mode—Operating mode of the SFP+ uplink module: •

1G—1-gigabit operating mode

•

10G—10-gigabit operating mode





port-mode Syntax Hierarchy Level Release Information Description

Default Options

port-mode mode; [edit interfaces interface-name unit logical-unit-number family ethernet-switching]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure whether an interface on the switch operates in access, tagged-access, or trunk mode. All switch interfaces are in access mode. mode—Operating mode for an interface can be one of the following: •

access—In this mode, the interface can be in a single VLAN only. Access interfaces

typically connect to single network devices such as PCs, printers, IP telephones, and IP cameras. •

tagged-access—In this mode, the interface can accept tagged packets from one access

device. Tagged-access interfaces typically connect to servers running Virtual machines using VEPA technology. •

trunk—In this mode, the interface can be in multiple VLANs and accept tagged packets

from multiple devices. Trunk interfaces typically connect to other switches and to routers on the LAN.





•



1959

®


•


•


preferred Syntax Hierarchy Level

Release Information

Description

preferred; [edit interfaces interface-name unit logical-unit-number family family address address], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family address address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure this address to be the preferred address on the interface. If you configure more than one address on the same subnet, the preferred source address is chosen by default as the source address when you initiate frame transfers to destinations on the subnet.



1960

The lowest-numbered address on the subnet is the preferred address. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •




primary (Address on Interface) Syntax Hierarchy Level

Release Information

Description

primary; [edit interfaces interface-name unit logical-unit-number family family address address], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family address address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure this address to be the primary address of the protocol on the interface. If the logical unit has more than one address, the primary address is used by default as the source address when packet transfer originates from the interface and the destination address does not indicate the subnet.


Default


For unicast traffic, the primary address is the lowest non-127 (in other words, non-loopback) preferred address on the unit. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •



1961

®


proxy-arp Syntax Hierarchy Level

Release Information

Description

Default

Options

proxy-arp (restricted | unrestricted); [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.6 for EX Series switches. restricted added in Junos OS Release 10.0 for EX Series switches. For Ethernet interfaces only, configure the router or switch to respond to any ARP request, as long as the router or switch has an active route to the ARP request’s target address. Proxy ARP is not enabled. The router or switch responds to an ARP request only if the destination IP address is its own. •

none—The router or switch responds to any ARP request for a local or remote address

if the router or switch has a route to the target IP address. •

restricted—(Optional) The router or switch responds to ARP requests in which the

physical networks of the source and target are different and does not respond if the source and target IP addresses are in the same subnet. The router or switch must also have a route to the target IP address. •

unrestricted—(Optional) The router or switch responds to any ARP request for a local

or remote address if the router or switch has a route to the target IP address. Default: unrestricted Required Privilege Level Related Documentation

1962



•

Configuring Proxy ARP (CLI Procedure) on page 2239

•

Example: Configuring Proxy ARP on an EX Series Switch on page 2193

•




rpf-check Syntax Hierarchy Level


rpf-check; [edit interfaces interface-name unit logical-unit-number family inet], [edit interfaces interface-name unit logical-unit-number family inet6]

Statement introduced in Junos OS Release 9.3 for EX Series switches. On EX3200 and EX4200 switches, enable a reverse-path forwarding (RPF) check on unicast traffic (except ECMP packets) on all ingress interfaces. On EX8200 switches, enable an RPF check on unicast traffic, including ECMP packets, on the selected ingress interface.


Unicast RPF is disabled on all interfaces. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•



1963

®


sfpplus Syntax


sfpplus { pic-modemode; } [edit chassis fpc slot pic pic-number]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the operating mode for the specified port on the SFP+ uplink module on the EX3200 or EX4200 switch. The remaining statement is explained separately.

Default

By default, the SFP+ uplink module operates in the 10-gigabit mode and supports SFP+ transceivers.

NOTE: The SFP+ uplink module provides two ports for 10-gigabit small form-factor pluggable (SFP+) transceivers when configured to operate in 10-gigabit mode or four ports for 1-gigabit small form-factor pluggable (SFP) transceivers when configured to operate in 1-gigabit mode.


1964





source Syntax Hierarchy Level Release Information

Description

source source-address; [edit interfaces interface-name unit logical-unit-number tunnel]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the source address of the tunnel.

Default

If you do not specify a source address, the tunnel uses the unit’s primary address as the source address of the tunnel.

Options

source-address—Address of the local side of the tunnel. This is the address that is placed

in the outer IP header’s source field. Required Privilege Level Related Documentation


Tunnel Properties

•



1965

®


speed Syntax Hierarchy Level Release Information Description Default

Options

speed (auto-negotiation | speed) ; [edit interfaces interface-name ether-options]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the interface’s speed. If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled, the auto-negotiation option is enabled by default. •

auto-negotiation—Automatically negotiate the speed based on the speed of the other

end of the link. This option is available only when the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled. •

speed—Specify the interface speed. If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is disabled, you must specify

a specific value. This value sets the speed that is used on the link. If the auto-negotiation statement is enabled, you might want to configure a specific speed value to advertise the desired speed to the remote end.


1966

•

10m—10 Mbps

•

100m—100 Mbps

•

1g—1 Gbps



•


•




targeted-broadcast Syntax

targeted-broadcast;

Hierarchy Level

[edit interfaces ge-chassis/slot/port unit logical-unit-number family inet]

Release Information



Enable IP directed broadcast on a specified subnet. IP directed broadcast is disabled. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•



1967

®


traceoptions (Individual Interfaces) Syntax


Description

traceoptions { file filename ; flag flag; match; } [edit interfaces interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define tracing operations for individual interfaces. To specify more than one tracing operation, include multiple flag statements. The interfaces traceoptions statement does not support a trace file. The logging is done by the kernel, so the tracing information is placed in the system syslog file in the directory /var/log.

Default Options

If you do not include this statement, no interface-specific tracing operations are performed. file name—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. By default, interface process tracing output is placed in the file files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten.dcd. match—(Optional) Regular expression for lines to be traced. no-world-readable—(Optional) Prevent any user from reading the log file. world-readable—(Optional) Allow any user to read the log file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. flag—Tracing operation to perform. To specify more than one tracing operation, include

multiple flag statements. The following are the interface-specific tracing options.

1968

•

all—All interface tracing operations

•

event—Interface events

•

ipc—Interface interprocess communication (IPC) messages




•

media—Interface media changes

•

q921—Trace ISDN Q.921 frames

•

q931—Trace ISDN Q.931 frames




1969

®


traceoptions (Interface Process) Syntax



traceoptions { file ; flag flag ; no-remote-trace; } [edit interfaces]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define tracing operations for the interface process (dcd). If you do not include this statement, no interface-specific tracing operations are performed. disable—(Optional) Disable the tracing operation. You can use this option to disable a

single operation when you have defined a broad group of tracing operations, such as all. filename—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. By default, interface process tracing output is placed in the file dcd. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files flag—Tracing operation to perform. To specify more than one tracing operation, include

multiple flag statements. You can include the following flags: •

all

•

change-events—Log changes that produce configuration events

•

config-states—Log the configuration state machine changes

•

kernel—Log configuration IPC messages to kernel

•

kernel-detail—Log details of configuration messages to kernel

no-world-readable—(Optional) Disallow any user to read the log file.

1970




or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option. Syntax: xk to specify kilobytes, xm to specify megabytes, or xg to specify gigabytes Range: 10 KB through the maximum file size supported on your router Default: 1 MB world-readable—(Optional) Allow any user to read the log file. match regex—(Optional) Refine the output to include only those lines that match the

given regular expression. Required Privilege Level Related Documentation



traps Syntax Hierarchy Level

Release Information

Description


(traps | no-traps); [edit interfaces interface-name], [edit interfaces interface-name unit logical-unit-number], [edit interfaces interface-range name], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable or disable the sending of Simple Network Management Protocol (SNMP) notifications when the state of the connection changes. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

Enabling or Disabling SNMP Notifications on Physical Interfaces on page 1867

•

Enabling or Disabling SNMP Notifications on Logical Interfaces on page 1866


1971

®


ttl Syntax Hierarchy Level Release Information

Description Options

ttl value; [edit interfaces interface-name unit number tunnel]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Set the time-to-live value bit in the header of the outer IP packet. value—Time-to-live value.



Tunnel Properties

•


tunnel Syntax


tunnel { destination destination-address; source source-address; ttl number; } [edit interfaces interface-name unit logical-unit-number]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure a tunnel. You can use the tunnel for unicast and multicast traffic or just for multicast traffic. You can also use tunnels for encrypted traffic. The remaining statements are explained separately.


1972





tunnel-port Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

tunnel-port port-number tunnel-services; [edit chassis fpc slot pic pic-number]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure the port number for generic routing encapsulation (GRE) tunneling. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


unit Syntax

Hierarchy Level


Options

unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } [edit interfaces interface-name], [edit interfaces interface-range name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device. logical-unit-number—Number of the logical unit.

Range: 0 through 16,384 The remaining statements are explained separately. Required Privilege Level Related Documentation



•


•


•



1973

®


vlan Syntax


vlan { members [ (all | names | vlan-ids) ]; } [edit interfaces interface-name unit logical-unit-number family ethernet-switching]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Bind an 802.1Q VLAN tag ID to a logical interface. The remaining statement is explained separately.


1974



•


•


•


•




vlan-id Syntax Hierarchy Level Release Information Description

vlan-id vlan-id-number; [edit interfaces interface-name unit logical-unit-number]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Bind an 802.1Q VLAN tag ID to a logical interface.

NOTE: The VLAN tag ID cannot be configured on logical interface unit 0. The logical unit number must be 1 or higher.

Options

vlan-id-number—A valid VLAN identifier.



vlan-tagging on page 1976

•


•


•


•


•



1975

®


vlan-tagging Syntax Hierarchy Level Release Information

Description


1976

vlan-tagging; [edit interfaces interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For Fast Ethernet and Gigabit Ethernet interfaces and aggregated Ethernet interfaces configured for VPLS, enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

802.1Q VLANs Overview on page 1785

•

vlan-id on page 1975

•


•

Configuring Tagged Aggregated Ethernet Interfaces on page 1875

•



CHAPTER 62

Operational Commands for Interfaces


1977

®


clear ipv6 neighbors Syntax

Release Information

Description Options

clear ipv6 neighbors

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.3 for EX Series switches. Clear IPv6 neighbor cache information. none—Clear all IPv6 neighbor cache information. all—(Optional) Clear all IPv6 neighbor cache information. host hostname—(Optional) Clear the information for the specified IPv6 neighbors.


view

•

show ipv6 neighbors on page 2063

clear ipv6 neighbors on page 1978 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ipv6 neighbors

1978

user@host> clear ipv6 neighbors


Chapter 62: Operational Commands for Interfaces

monitor interface Syntax

Release Information

Description

monitor interface

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display real-time statistics about interfaces, updating the statistics every second. Check for and display common interface failures, such as SONET/SDH and T3 alarms, loopbacks detected, and increases in framing errors.

NOTE: This command is not supported on the QFX3000 QFabric switch.

Options

none—Display real-time statistics for all interfaces. interface-name—(Optional) Display real-time statistics for the specified interface. In a

TX Matrix or TX Matrix Plus router, display real-time statistics for the physical interfaces on the specified line-card chassis (LCC) only. traffic—(Optional) Display traffic data for all active interfaces. In a TX Matrix or TX Matrix

Plus router, display real-time statistics for the physical interfaces on the specified LCC only. detail—(Optional) With traffic option only, display detailed output.


The output of this command shows how much each field has changed since you started the command or since you cleared the counters by using the c key. For a description of the statistical information provided in the output of this command, see the show interfaces extensive command for a particular interface type in the Junos OS Interfaces Command Reference. To control the output of the monitor interface interface-name command while it is running, use the keys listed in Table 223 on page 1979. The keys are not case-sensitive.

Table 223: Output Control Keys for the monitor interface interface-name Command Key

Action

c

Clears (returns to zero) the delta counters since monitor interface was started. This does not clear the accumulative counter. To clear the accumulative counter, use the clear interfaces interval command.

f

Freezes the display, halting the display of updated statistics and delta counters.

i

Displays information about a different interface. The command prompts you for the name of a specific interface.


1979

®


Table 223: Output Control Keys for the monitor interface interface-name Command (continued) Key

Action

n

Displays information about the next interface. The monitor interface command displays the physical or logical interfaces in the same order as the show interfaces terse command.

q or Esc

Quits the command and returns to the command prompt.

t

Thaws the display, resuming the update of the statistics and delta counters.

To control the output of the monitor interface traffic command while it is running, use the keys listed in Table 224 on page 1980. The keys are not case-sensitive.

Table 224: Output Control Keys for the monitor interface traffic Command


Output Fields

1980

Key

Action

b

Displays the statistics in units of bytes and bytes per second (bps).

c

Clears (return to 0) the delta counters in the Current Delta column. The statistics counters are not cleared.

d

Displays the Current Delta column (instead of the rate column) in bps or packets per second (pps).

p

Displays the statistics in units of packets and packets per second (pps).

q or Esc

Quits the command and returns to the command prompt.

r

Displays the rate column (instead of the Current Delta column) in bps and pps.

trace

monitor interface (Physical) on page 1982 monitor interface (OTN Interface) on page 1984 monitor interface (Logical) on page 1985 monitor interface traffic on page 1985 monitor interface (QFX3500 Switch) on page 1986 monitor interface traffic on page 1986 monitor interface traffic (QFX3500 Switch) on page 1986 monitor interface traffic detail (QFX3500 Switch) on page 1987 Table 225 on page 1981 describes the output fields for the monitor interface command. Output fields are listed in the approximate order in which they appear.



Table 225: monitor interface Output Fields Field Name

Field Description

Level of Output

router1

Hostname of the router.

All levels

Seconds

How long the monitor interface command has been running or how long since you last cleared the counters.

All levels

Time

Current time (UTC).

All levels

Delay x/y/z

Time difference between when the statistics were displayed and the actual clock time.

All levels

•

x—Time taken for the last polling (in milliseconds).

•

y—Minimum time taken across all pollings (in milliseconds).

•

z—Maximum time taken across all pollings (in milliseconds).

Interface

Short description of the interface, including its name, status, and encapsulation.

All levels

Link

State of the link: Up, Down, or Test.

All levels

Current delta

Cumulative number for the counter in question since the time shown in the Seconds field, which is the time since you started the command or last cleared the counters.

All levels

Local Statistics

(Logical interfaces only) Number and rate of bytes and packets destined to the router or switch through the specified interface. When a burst of traffic is received, the value in the output packet rate field might briefly exceed the peak cell rate. It takes awhile (generally, less than 1 second) for this counter to stabilize.:

All levels

Remote Statistics

•

Input bytes—Number of bytes received on the interface.

•

Output bytes—Number of bytes transmitted on the interface.

•

Input packets—Number of packets received on the interface.

•

Output packets—Number of packets transmitted on the interface.

(Logical interfaces only) Statistics for traffic transiting the router or switch. When a burst of traffic is received, the value in the output packet rate field might briefly exceed the peak cell rate. It takes awhile (generally, less than 1 second) for this counter to stabilize.: •


•


•


•



All levels

1981

®


Table 225: monitor interface Output Fields (continued) Field Name

Field Description

Level of Output

Traffic statistics

Total number of bytes and packets received and transmitted on the interface. These statistics are the sum of the local and remote statistics. When a burst of traffic is received, the value in the output packet rate field might briefly exceed the peak cell rate. It takes awhile (generally, less than 1 second) for this counter to stabilize.

All levels

Description

•


•


•


•


With the traffic option, displays the interface description configured at the [edit interfaces interface-name] hierarchy level.

detail

Sample Output monitor interface (Physical)

user@host> monitor interface so-0/0/0 router1 Seconds: 19 Interface: so-0/0/0, Enabled, Link is Up Encapsulation: PPP, Keepalives, Speed: OC48 Traffic statistics: Input packets: 6045 (0 Input bytes: 6290065 (0 Output packets: 10376 (0 Output bytes: 10365540 (0 Encapsulation statistics: Input keepalives: 1901 Output keepalives: 1901 NCP state: Opened LCP state: Opened Error statistics: Input errors: 0 Input drops: 0 Input framing errors: 0 Policed discards: 0 L3 incompletes: 0 L2 channel errors: 0 L2 mismatch timeouts: 0 Carrier transitions: 1 Output errors: 0 Output drops: 0 Aged packets: 0 Active alarms : None Active defects: None SONET error counts/seconds: LOS count 1 LOF count 1 SEF count 1 ES-S 0 SES-S 0 SONET statistics: BIP-B1 458871 BIP-B2 460072

1982

Time: 15:46:29

pps) bps) pps) bps)

Current Delta [11] [13882] [10] [9418] [2] [2]

[0] [0] [0] [0] [0] [0] [0] [0] [0] [0] [0]

[0] [0] [0] [0] [0] [0] [0]



REI-L BIP-B3 REI-P


465610 458978 458773

[0] [0] [0]

1983

®


Received SONET overhead: F1 : 0x00 J0 K2 : 0x00 S1 C2(cmp) : 0x00 F2 Z4 : 0x00 S1(cmp) Transmitted SONET overhead: F1 : 0x00 J0 K2 : 0x00 S1 F2 : 0x00 Z3

: : : :

0x00 0x00 0x00 0x00

K1 C2 Z3

: 0x00 : 0x00 : 0x00

: 0x01 : 0x00 : 0x00

K1 C2 Z4

: 0x00 : 0xcf : 0x00

Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'

monitor interface (OTN Interface)

user@host> monitor interface ge-7/0/0

Interface: ge-7/0/0, Enabled, Link is Up Encapsulation: Ethernet, Speed: 10000mbps Traffic statistics: Input bytes: 0 (0 bps) Output bytes: 0 (0 bps) Input packets: 0 (0 pps) Output packets: 0 (0 pps) Error statistics: Input errors: 0 Input drops: 0 Input framing errors: 0 Policed discards: 0 L3 incompletes: 0 L2 channel errors: 0 L2 mismatch timeouts: 0 Carrier transitions: 5 Output errors: 0 Output drops: 0 Aged packets: 0 Active alarms : None Active defects: None Input MAC/Filter statistics: Unicast packets 0 Broadcast packets 0 Multicast packets 0 Oversized frames 0 Packet reject count 0 DA rejects 0 SA rejects 0 Output MAC/Filter Statistics: Unicast packets 0 Broadcast packets 0 Multicast packets 0 Packet pad count 0 Packet error count 0 OTN Link 0 OTN Alarms: OTU_BDI, OTU_TTIM, ODU_BDI OTN Defects: OTU_BDI, OTU_TTIM, ODU_BDI, ODU_TTIM OTN OC - Seconds LOS 2 LOF 9 OTN OTU - FEC Statistics Corr err ratio N/A Corr bytes 0 Uncorr words 0 OTN OTU - Counters

1984



BIP BBE ES SES UAS OTN ODU - Counters BIP BBE ES SES UAS OTN ODU - Received Overhead

monitor interface (Logical)

0 0 0 0 422 0 0 0 0 422 APSPCC 0-3:

user@host> monitor interface so-1/0/0.0 host name Seconds: 16

0

Time: 15:33:39 Delay: 0/0/1

Interface: so-1/0/0.0, Enabled, Link is Down Flags: Hardware-Down Point-To-Point SNMP-Traps Encapsulation: PPP Local statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Remote statistics: Input bytes: 0 (0 bps) Output bytes: 0 (0 bps) Input packets: 0 (0 pps) Output packets: 0 (0 pps) Traffic statistics: Destination address: 192.168.8.193, Local: 192.168.8.21

Current delta [0] [0] [0] [0] [0] [0] [0] [0]

Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'

monitor interface traffic

user@host> monitor interface traffic host name Seconds: 15 Interface so-1/0/0 so-1/1/0 so-1/1/1 so-1/1/2 so-1/1/3 t3-1/2/0 t3-1/2/1 t3-1/2/2 t3-1/2/3 so-2/0/0 so-2/0/1 so-2/0/2 so-2/0/3 so-2/1/0 so-2/1/1 so-2/1/2 so-2/1/3 at-2/3/0 at-2/3/1

Link Down Down Down Down Down Down Down Down Down Up Up Up Up Up Down Down Up Up Down

Input packets 0 0 0 0 0 0 0 0 0 211035 192753 211020 211029 189378 0 0 0 0 0

Time: 12:31:09 (pps) (0) (0) (0) (0) (0) (0) (0) (0) (0) (1) (1) (1) (1) (1) (0) (0) (0) (0) (0)

Output packets 0 0 0 0 0 0 0 0 0 36778 36782 36779 36776 36349 18747 16078 80338 0 0

(pps) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0)

Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=Û, Down=^D


1985

®


monitor interface (QFX3500 Switch)

user@switch> monitor interface ge-0/0/0 Interface: ge-0/0/0, Enabled, Link is Down Encapsulation: Ethernet, Speed: Unspecified Traffic statistics: Input bytes: 0 (0 bps) Output bytes: 0 (0 bps) Input packets: 0 (0 pps) Output packets: 0 (0 pps) Error statistics: Input errors: 0 Input drops: 0 Input framing errors: 0 Policed discards: 0 L3 incompletes: 0 L2 channel errors: 0 L2 mismatch timeouts: 0 Carrier transitions: 0 Output errors: 0 Output drops: 0 Aged packets: 0 Active alarms : LINK Active defects: LINK Input MAC/Filter statistics: Unicast packets 0 Broadcast packets 0 Multicast packet

Current delta [0] [0] [0] [0] [0] [0] [0] [0] [0] [0] [0] [0] [0] [0] [0]

[0] [0]

Interface warnings: o Outstanding LINK alarm

monitor interface traffic

user@host> monitor interface traffic host name Seconds: 15 Interface so-1/0/0 so-1/1/0 so-1/1/1 so-1/1/2 so-1/1/3 t3-1/2/0 t3-1/2/1 t3-1/2/2 t3-1/2/3 so-2/0/0 so-2/0/1 so-2/0/2 so-2/0/3 so-2/1/0 so-2/1/1 so-2/1/2 so-2/1/3 at-2/3/0 at-2/3/1

Link Down Down Down Down Down Down Down Down Down Up Up Up Up Up Down Down Up Up Down

Input packets 0 0 0 0 0 0 0 0 0 211035 192753 211020 211029 189378 0 0 0 0 0

Time: 12:31:09 (pps) (0) (0) (0) (0) (0) (0) (0) (0) (0) (1) (1) (1) (1) (1) (0) (0) (0) (0) (0)

Output packets 0 0 0 0 0 0 0 0 0 36778 36782 36779 36776 36349 18747 16078 80338 0 0

(pps) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0)

Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=Û, Down=^D

monitor interface traffic (QFX3500 Switch)

1986

user@switch> monitor interface traffic switch Interface ge-0/0/0

Link Down

Input packets 0

Seconds: 7 (pps) (0)

Time: 16:04:37 Output packets 0

(pps) (0)



ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/11 ge-0/0/12 ge-0/0/13 ge-0/0/14 ge-0/0/15 ge-0/0/16 ge-0/0/17 ge-0/0/18 ge-0/0/19 ge-0/0/20 ge-0/0/21 ge-0/0/22 ge-0/0/23 vcp-0 vcp-1 ae0 bme0

monitor interface traffic detail (QFX3500 Switch)

Up Down Down Down Down Down Down Down Up Down Down Down Down Down Down Down Down Down Down Down Down Up Up Down Down Down Up

392187 0 0 0 0 0 0 0 392184 0 0 0 0 0 0 0 0 0 0 0 0 392172 392185 0 0 0 0

(0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0)

(0)

user@switch> monitor interface traffic detail switch Time: 16:03:02 Interface Description ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/11 ge-0/0/12 ge-0/0/13 ge-0/0/14 ge-0/0/15 ge-0/0/16 ge-0/0/17 ge-0/0/18 ge-0/0/19 ge-0/0/20 ge-0/0/21 ge-0/0/22 ge-0/0/23 vcp-0 vcp-1


392170 0 0 0 0 0 0 0 392171 0 0 0 0 0 0 0 0 0 0 0 0 392187 392173 0 0 0 1568706

(0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0)

(0)

Seconds: 74

Link

Input packets

(pps)

Output packets

(pps)

Down Up Down Down Down Down Down Down Down Up Down Down Down Down Down Down Down Down Down Down Down Down Up Up Down Down

0 392183 0 0 0 0 0 0 0 392181 0 0 0 0 0 0 0 0 0 0 0 0 392169 392182 0 0

(0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0)

0 392166 0 0 0 0 0 0 0 392168 0 0 0 0 0 0 0 0 0 0 0 0 392184 392170 0 0

(0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (1) (0)

1987

®


ae0 bme0

1988

Down Up

0 0

(0)

0 1568693

(0)



request diagnostics tdr Syntax Release Information Description

request diagnostics tdr (abort | start) interface interface-name

Command introduced in Junos OS Release 9.0 for EX Series switches. Start a time domain reflectometry (TDR) diagnostic test on the specified interface. This test characterizes and locates faults on twisted-pair Ethernet cables. For example, it can detect a broken twisted pair and provide the approximate distance to the break. It can also detect polarity swaps, pair swaps, and excessive skew. The TDR test is supported on the following switches and interfaces: •


•

EX6200 and EX8200 switches—RJ-45 interfaces on line cards.

NOTE: We recommend running the TDR test when there is no traffic on the interface under test.

You view the results of the TDR test with the show diagnostics tdr command. Options

abort—Stop the TDR test currently in progress on the specified interface. No results are

reported, and previous results, if any, are cleared. interface-name—The name of the interface. start—Start a TDR test on the specified interface.



maintenance

•

show diagnostics tdr on page 1991

•


request diagnostics tdr start interface ge-0/0/19 on page 1990 Table 226 on page 1990 lists the output fields for the request diagnostics tdr command. Output fields are listed in the approximate order in which they appear.


1989

®


Table 226: request diagnostics tdr Output Fields Field Name

Field Description

Test Status

Information about the status of the TDR test request: •

Admin Down interface-name—The interface is administratively down.

The TDR test cannot run on interfaces that are administratively down. •

Interface interface-name not found—The interface does not exist.

•

Test successfully executed interface-name—The test has successfully started on the interface. You can view the test results with the show diagnostics tdr command.

•

VCT not supported on interface-name—The TDR test is not supported

on the interface.

Sample Output request diagnostics tdr start interface ge-0/0/19

1990

user@switch> request diagnostics tdr start interface ge-0/0/19 Interface TDR detail: Test status

: Test successfully executed

ge-0/0/19



show diagnostics tdr Syntax


show diagnostics tdr

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the results of a time domain reflectometry (TDR) diagnostic test run on an interface. A TDR test characterizes and locates faults on twisted-pair Ethernet cables. For example, it can detect a broken twisted pair and provide the approximate distance to the break. It can also detect polarity swaps, pair swaps, and excessive skew. The TDR test is supported on the following switches and interfaces: •


•

EX6200 and EX8200 switches— RJ-45 interfaces on line cards.

Use the request diagnostics tdr command to request a TDR test on a specified interface. Use the show diagnostic tdr command to display the last TDR test results for a specified interface or the last TDR test results for all network interfaces on the switch that support the TDR test. Options

none—Show summarized last results for all interfaces on the switch that support the

TDR test. interface interface-name—(Optional) Show detailed last results for the specified interface

or a range of interfaces. Specify a range of interfaces by entering the beginning and ending interface in the range, separated by a dash—for example, ge-0/0/15-ge-0/0/20. Required Privilege Level Related Documentation


Output Fields

view

•

request diagnostics tdr on page 1989

•


show diagnostics tdr interface ge-0/0/19 (Normal Cable) on page 1993 show diagnostics tdr interface ge-2/0/2 (Faulty Cable) on page 1994 show diagnostics tdr (All Supported Interfaces) on page 1994 Table 227 on page 1992 lists the output fields for the show diagnostics tdr command. Output fields are listed in the approximate order in which they appear.


1991

®


Table 227: show diagnostics tdr Output Fields Field Name

Field Description

Interface name or

Name of interface for which TDR test results are being reported.

Interface Test status

Status of TDR test: •

Aborted—Test was terminated by operator before it was complete.

•

Failed—Test was not completed successfully.

•

Interface interface-name not found—Specified interface does not

exist. •

Not Started—No TDR test results are available for the interface.

•

Passed—Test completed successfully. The cable, however, might still have a fault—see the Cable status field for information on the

cable. •

Started—Test is currently running and not yet complete.

•

VCT not supported on interface-name—TDR test is not supported

on the interface. Link status

Operating status of link: UP or Down.

MDI pair

Twisted pair for which test results are being reported, identified by pin numbers. (Displayed only when the interface option is used.)

Cable status

When detailed information is displayed, status for a twisted pair: •

Failed—TDR test failed on the cable pair.

•

Impedance Mismatch—Impedance on the twisted pair is not correct.

Possible reasons for an impedance mismatch include: •

The twisted pair is not connected properly.

•

The twisted pair is damaged.

•

The connector is faulty.

•

Normal—No cable fault detected for the twisted pair.

•

Open—Lack of continuity between the pins at each end of the

twisted-pair. •

Short on Pair-n—A short-circuit was detected on the twisted pair.

When summary information for all interfaces is displayed, status for the cable as a whole:

Distance fault or

•

Fault—A fault was detected on one or more of the twisted-pairs.

•

OK—No fault was detected on any of the twisted pairs.

Distance to the fault in whole meters. If there is no fault, this value is 0.

Max distance fault

When summary information for all interfaces is displayed, this value is the distance to the most distant fault if there is more than one twisted pair with a fault.

1992



Table 227: show diagnostics tdr Output Fields (continued) Field Name

Field Description

Polarity swap

Indicates the polarity status of the twisted pair: •

Normal—Polarity is normal. Each conductor in the twisted pair has

been connected the same pins at the both ends of the connection. For example, a conductor connected to pin 1 at the near end of the connection is connected to pin 1 at the far end. •

Reversed—Polarity has been reversed. For the twisted pair, the

conductors have switched which pins they are connected to at the near and far ends of the connection. For example, the conductor connected to pin 1 at the near end is connected to pin 2 at the far end. (Not available on EX8200 switches.) (Displayed only when the interface option is used) Skew time

Difference in nanoseconds between the propagation delay on this twisted pair and the twisted pair with the shortest propagation delay. (Not available on EX8200 switches.) (Displayed only when the interface option is used.)

Channel Pair

Number of the 10/100BASE-T transmit/receive pair being reported on.

Pair Swap

Indicates whether or not the twisted pairs are swapped: •

MDI—The pairs are not swapped (straight-through cable).

•

MDIX—The pairs are swapped (cross-over cable).

(Displayed only when the interface option is used.) Downshift

Indicates whether the connection speed is being downshifted: •

No Downshift—No downshifting of connection speed.

•

Downshift occurs—Connection speed is downshifted to 10 or 100

Mbs. This occurs if the cable is a two-pair cable rather than the four-pair cable required by Gigabit Ethernet. (Displayed only when the interface option is used.)

Sample Output show diagnostics tdr interface ge-0/0/19 (Normal Cable)

user@switch> show diagnostics tdr interface ge-0/0/19 Interface TDR detail: Interface name : ge-0/0/19 Test status : Passed Link status : UP MDI pair : 1-2 Cable status : Normal Distance fault : 0 Meters Polartiy swap : Normal Skew time : 0 ns MDI pair : 3-6 Cable status : Normal Distance fault : 0 Meters


1993

®


Polartiy swap Skew time MDI pair Cable status Distance fault Polartiy swap Skew time MDI pair Cable status Distance fault Polartiy swap Skew time Channel pair Pair swap Channel pair Pair swap Downshift

: : : : : : : : : : : : : : : : :

Normal 8 ns 4-5 Normal 0 Meters Normal 8 ns 7-8 Normal 0 Meters Normal 8 ns 1 MDI 2 MDI No Downshift

show diagnostics tdr interface ge-2/0/2 (Faulty Cable)

user@switch> show diagnostics tdr interface ge-2/0/2 Interface TDR detail: Interface name : ge-2/0/2 Test status : Passed Link status : Down MDI Pair : 1-2 Cable status : 1-2 Distance fault : 2 Meters Polartiy swap : N/A Skew time : N/A MDI Pair : 3-6 Cable status : Impedance Mismatch Distance fault : 3 Meters Polartiy swap : N/A Skew time : N/A MDI Pair : 4-5 Cable status : Impedance Mismatch Distance fault : 3 Meters Polartiy swap : N/A Skew time : N/A MDI Pair : 7-8 Cable status : Short on Pair-2 Distance fault : 3 Meters Polartiy swap : N/A Skew time : N/A Channel pair : 1 Pair swap : N/A Channel pair : 2 Pair swap : N/A Downshift : N/A

show diagnostics tdr (All Supported Interfaces)

user@switch> show diagnostics tdr Interface Test status Link status ge-0/0/0 Not Started N/A ge-0/0/1 Not Started N/A ge-0/0/2 Started N/A ge-0/0/3 Started N/A ge-0/0/4 Passed UP ge-0/0/5 Passed UP ge-0/0/6 Passed UP ge-0/0/7 Passed UP ge-0/0/8 Passed UP ge-0/0/9 Passed UP

1994

Cable status N/A N/A N/A N/A OK Fault OK OK OK OK

Max distance fault N/A N/A N/A N/A 0 173 0 0 0 0



ge-0/0/10 ge-0/0/11 ge-0/0/12 ge-0/0/13 ge-0/0/14 ge-0/0/15 ge-0/0/16 ge-0/0/17 ge-0/0/18 ge-0/0/19 ge-0/0/20 ge-0/0/21 ge-0/0/22 ge-0/0/23


Passed Passed Passed Passed Passed Passed Passed Passed Passed Passed Passed Passed Passed Passed

UP UP UP UP UP UP UP UP UP UP Down Down UP UP

OK OK OK OK OK OK OK OK OK OK Fault Fault OK OK

0 0 0 0 0 0 0 0 0 0 0 5 0 0

1995

®


show ethernet-switching interfaces Syntax

Release Information

show ethernet-switching interfaces

Command introduced in Junos OS Release 9.0 for EX Series switches. In Junos OS Release 9.6 for EX Series switches, the following updates were made: •

Blocking field output was updated.

•

The default view was updated to include information about 802.1Q tags.

•

The detail view was updated to include information on VLAN mapping.

In Junos OS Release 11.1 for EX Series switches, the detail view was updated to include reflective relay information. Description Options

Display information about Ethernet switching interfaces. none—Display brief information for Ethernet switching interfaces. brief | detail | summary—(Optional) Display the specified level of output. interface interface-name—(Optional) Display Ethernet switching information for a specific

interface. Required Privilege Level Related Documentation

view

•

show ethernet-switching mac-learning-log on page 2366

•

show ethernet-switching table on page 2374

•

Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) on page 4014


show ethernet-switching interfaces on page 1998 show ethernet-switching interfaces ge-0/0/15 brief on page 1998 show ethernet-switching interfaces ge-0/0/2 detail (Blocked by RTG rtggroup) on page 1998 show ethernet-switching interfaces ge-0/0/15 detail (Blocked by STP) on page 1999 show ethernet-switching interfaces ge-0/0/17 detail (Disabled by bpdu-control) on page 1999 show ethernet-switching interfaces detail (C-VLAN to S-VLAN Mapping) on page 1999 show ethernet-switching interfaces detail (Reflective Relay Is Configured) on page 1999

Output Fields

Table 178 on page 1609 lists the output fields for the show ethernet-switching interfaces command. Output fields are listed in the approximate order in which they appear.

1996



Table 228: show ethernet-switching interfaces Output Fields Field Name

Field Description

Level of Output

Interface

Name of a switching interface.

none, brief, detail, summary

Index

VLAN index internal to Junos OS.

detail

State

Interface state. Values are up and down.

none, brief, detail

Port mode

The access mode is the port mode default and works with a single VLAN. Port mode can also be trunk, which accepts tagged packets from multiple VLANs on other switches. The third port mode value is tagged-access, which accepts tagged packets from access devices.

detail

Reflective Relay Status

Reflective relay allows packets to use the same interface for both upstream and downstream traffic. When reflective relay has been configured, the status displayed is always enabled . When reflective relay is not configured, this entry does not appear in the command output.

detail

Ether type for the interface

Ether type is a two-octet field in an Ethernet frame used to indicate which protocol is encapsulated in the payload of an incoming Ethernet packet. Both 802.1Q packets and Q-in-Q packets use this field. The output displayed for this particular field indicates the interface’s Ether type, which is used to match the Ether type of incoming 802.1Q packets and Q-in-Q packets. The indicated Ether type field is also added to the interface’s outgoing 802.1Q and Q-in-Q packets.

detail

VLAN membership

Names of VLANs that belong to this interface.

none, brief, detail,

Tag

Number of the 802.1Q tag.


Tagging

Specifies whether the interface forwards 802.1Q tagged or untagged traffic.


Blocking

The forwarding state of the interface:


•

unblocked—Traffic is forwarded on the interface.

•

blocked—Traffic is not being forwarded on the interface.

•

Disabled by bpdu control—The interface is disabled due to receiving BPDUs on a protected interface. If the disable-timeout statement has been included

in the BPDU configuration, the interface automatically returns to service after the timer expires. •

blocked by RTG—The specified redundant trunk group is disabled.

•

blocked by STP—The interface is disabled due to a spanning-tree protocol

error. •

MAC limit exceeded—The interface is temporarily disabled due to a MAC limit

error. The disabled interface is automatically restored to service when the disable timeout expires. •

MAC move limit exceeded—The interface is temporarily disabled due to a MAC

move limit error. The disabled interface is automatically restored to service when the disable timeout expires. •

Storm control in effect—The interface is temporarily disabled due to a storm

control error. The disabled interface is automatically restored to service when the disable timeout expires.


1997

®


Table 228: show ethernet-switching interfaces Output Fields (continued) Field Name

Field Description

Level of Output

Number of MACs learned on IFL

Number of MAC addresses learned by this interface.

detail

mapping

When mapping is configured, the status is one of the following C-VLAN to S-VLAN mapping types:

detail

•

dot1q-tunneled—The interface maps all traffic to the S-VLAN (all-in-one

bundling). •

native—The interface maps untagged and priority tagged packets to the

S-VLAN. •

push—The interface maps packets to a firewall filter to an S-VLAN.

•

policy-mapped—The interface maps packets to a specifically defined S-VLAN.

•

integer—The interface maps packets to the specified S-VLAN.

When mapping is not configured, this entry does not appear in the command output.

Sample Output show ethernet-switching interfaces

user@switch> show ethernet-switching interfaces Interface

State

ae0.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ge-0/0/13.0 ge-0/0/14.0

up up up down down down down up up

ge-0/0/15.0

up

ge-0/0/16.0 ge-0/0/17.0

down down

VLAN members

Tag

default vlan300 default default default default default default vlan100 vlan200 vlan100 vlan200 default vlan100

300

100 200 100 200 100

vlan200

show ethernet-switching interfaces ge-0/0/15 brief show ethernet-switching interfaces ge-0/0/2 detail (Blocked by RTG rtggroup)

1998

200

Tagging

Blocking

untagged unblocked untagged blocked by RTG (rtggroup) blocked by STP MAC limit exceeded MAC move limit exceeded Storm control in effect unblocked untagged unblocked tagged unblocked tagged unblocked tagged blocked by STP tagged blocked by STP untagged unblocked tagged Disabled by bpdu-control tagged

Disabled by bpdu-control

user@switch> show ethernet-switching interfaces ge-0/0/15 brief Interface State VLAN members Tag Tagging Blocking ge-0/0/15.0

up

vlan100 vlan200

100 200

tagged tagged

blocked by STP blocked by STP

user@switch> show ethernet-switching interfaces ge-0/0/2 detail Interface: ge-0/0/2.0, Index: 65, State: up, Port mode: Access Ether type for the interface: 0X8100 VLAN membership: vlan300, 802.1Q Tag: 300, untagged, msti-id: 0, blocked by RTG(rtggroup)



Number of MACs learned on IFL: 0

show ethernet-switching interfaces ge-0/0/15 detail (Blocked by STP)

user@switch> show ethernet-switching interfaces ge-0/0/15 detail Interface: ge-0/0/15.0, Index: 70, State: up, Port mode: Trunk Ether type for the interface: 0X8100 VLAN membership: vlan100, 802.1Q Tag: 100, tagged, msti-id: 0, blocked by STP vlan200, 802.1Q Tag: 200, tagged, msti-id: 0, blocked by STP Number of MACs learned on IFL: 0

show ethernet-switching interfaces ge-0/0/17 detail (Disabled by bpdu-control)

user@switch> show ethernet-switching interfaces ge-0/0/17 detail

show ethernet-switching interfaces detail (C-VLAN to S-VLAN Mapping)

user@switch>show ethernet-switching interfaces ge-0/0/6.0 detail Interface: ge-0/0/6.0, Index: 73, State: up, Port mode: Access Ether type for the interface: 0X8100 VLAN membership: map, 802.1Q Tag: 134, Mapped Tag: native, push, dot1q-tunneled, unblocked map, 802.1Q Tag: 134, Mapped Tag: 20, push, dot1q-tunneled, unblocked

show ethernet-switching interfaces detail (Reflective Relay Is Configured)

Interface: ge-0/0/17.0, Index: 71, State: down, Port mode: Trunk Ether type for the interface: 0X8100 VLAN membership: vlan100, 802.1Q Tag: 100, tagged, msti-id: 1, Disabled by bpdu-control vlan200, 802.1Q Tag: 200, tagged, msti-id: 2, Disabled by bpdu-control Number of MACs learned on IFL: 0

user@switch1> show ethernet-switching interfaces ge-7/0/2 detail Interface: ge-7/0/2, Index: 66, State: down, Port mode: Tagged-access Ether type for the interface: 0X8100 Reflective Relay Status: Enabled Ether type for the interface: 0x8100 VLAN membership: VLAN_Purple VLAN_Orange VLAN_Blue, 802.1Q Tag: 450, tagged, unblocked Number of MACs learned on IFL: 0


1999

®


show interfaces (GRE) Syntax

Release Information

Description

Options

show interfaces interface-type

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 12.1 for EX Series switches. Display status information about the specified generic routing encapsulation (GRE) interface. interface-type—On M Series and T Series routers and EX Series switches, the interface

type is gr-fpc/pic/port. On J Series routers, the interface type is gr-pim/0/port. brief | detail | extensive | terse—(Optional) Display the specified output level of interface

information. descriptions—(Optional) Display interface description strings. media—(Optional) Display media-specific information about network interfaces. snmp-index snmp-index—(Optional) Display information for the specified SNMP index

of the interface. statistics—(Optional) Display static interface statistics.


view


show interfaces (GRE) on page 2004 show interfaces brief (GRE) on page 2004 show interfaces detail (GRE) on page 2004 show interfaces detail (GRE) on an EX4200 Virtual Chassis Member Switch on page 2005 show interfaces extensive (GRE) on page 2006

Output Fields

Table 229 on page 2000 lists the output fields for the show interfaces (GRE) command. Output fields are listed in the approximate order in which they appear.

Table 229: GRE show interfaces Output Fields Field Name

Field Description

Level of Output

Physical interface


All levels

Enabled

State of the interface. Possible values are described in the “Enabled Field” section under Common Output Fields Description.

All levels

Physical Interface

2000



Table 229: GRE show interfaces Output Fields (continued) Field Name

Field Description

Level of Output

Interface index

Physical interface's index number, which reflects its initialization sequence.

detail extensive none

SNMP ifIndex



Generation

Unique number for use by Juniper Networks technical support only.

detail extensive

Type

Type of interface.

All levels

Link-level type

Encapsulation used on the physical interface.

All levels

MTU

MTU size on the physical interface.

All levels

Speed

Speed at which the interface is running.

All levels

Hold-times

Current interface hold-time up and hold-time down, in milliseconds.

detail extensive

Device Flags

Information about the physical device. Possible values are described in the “Device Flags” section under Common Output Fields Description.

All levels

Interface Flags

Information about the interface. Possible values are described in the “Interface Flags” section under Common Output Fields Description.

All levels

Input rate

Input rate in bits per second (bps) and packets per second (pps).

None specified

Output rate

Output rate in bps and pps.

None specified

Statistics last cleared

Time when the statistics for the interface were last set to zero.

detail extensive

Traffic statistics

Number and rate of bytes and packets received and transmitted on the physical interface.

detail extensive

•


•


•


•


Logical Interface Logical interface


All levels

Index

Logical interface index number, which reflects its initialization sequence.


SNMP ifIndex

Logical interface SNMP interface index number.


Generation

Unique number for use by Juniper Networks technical support.

detail extensive


2001

®



Field Description

Level of Output

Flags

Information about the logical interface. Possible values listed in the “Logical Interface Flags” section under Common Output Fields Description. describe general information about the logical interface.

All levels

GRE-specific information about the logical interface is indicated by the presence or absence of the following value in this field: •

Reassemble-Pkts—If the Flags field includes this string, the GRE tunnel is

configured to reassemble tunnel packets that were fragmented after tunnel encapsulation. IP-Header

IP header of the logical interface. If the tunnel key statement is configured, this information is included in the IP Header entry.

All levels

GRE-specific information about the logical interface is indicated by the presence or absence of the following value in this field: •

df—If the IP-Header field includes this string immediately following the 16 bits of identification information (that is, if :df: displays after the twelfth byte),

the GRE tunnel is configured to allow fragmentation of GRE packets after encapsulation. Encapsulation

Encapsulation on the logical interface.

All levels

Copy-tos-toouter-ip-header

Status of type of service (ToS) bits in the GRE packet header:

detail extensive

•

On—ToS bits were copied from the payload packet header into the header of the IP packet sent through the GRE tunnel.

•

Off—ToS bits were not copied from the payload packet header and are set to 0 in the GRE packet header.

NOTE: EX Series switches do not support copying ToS bits to the encapsulated packet, so the value of this field is always Off in switch output. Gre keepalives configured

Indicates whether a GRE keepalive time and hold time are configured for the GRE tunnel.

detail extensive

NOTE: EX Series switches do not support configuration of GRE tunnel keepalive times and hold times, so the value of this field is always Off in switch output. Gre keepalives adjacency state

Status of the other end of the GRE tunnel: Up or Down. If keepalive messages are not received by either end of the GRE tunnel within the hold-time period, the GRE keepalive adjacency state is down even when the GRE tunnel is up.

detail extensive

Input packets

Number of packets received on the logical interface.

None specified

Output packets

Number of packets transmitted on the logical interface.

None specified

2002




Field Description

Level of Output

Traffic statistics

Total number of bytes and packets received and transmitted on the logical interface. These statistics are the sum of the local and transit statistics. When a burst of traffic is received, the value in the output packet rate field might briefly exceed the peak cell rate. It takes awhile (generally, less than 1 second) for this counter to stabilize.

detail extensive

•

Input rate—Rate of bits and packets received on the interface.

•

Output rate—Rate of bits and packets transmitted on the interface.

Local statistics

Statistics for traffic received from and transmitted to the Routing Engine. When a burst of traffic is received, the value in the output packet rate field might briefly exceed the peak cell rate. It takes awhile (generally, less than 1 second) for this counter to stabilize.

detail extensive

Transit statistics

Statistics for traffic transiting the router. When a burst of traffic is received, the value in the output packet rate field might briefly exceed the peak cell rate. It takes awhile (generally, less than 1 second) for this counter to stabilize.


Protocol

Protocol family configured on the logical interface, such as iso, inet6, or mpls.


protocol-family

Protocol family configured on the logical interface. If the protocol is inet, the IP address of the interface is also displayed.

brief

MTU

MTU size on the logical interface.


Generation


detail extensive

Route table

Routing table in which the logical interface address is located. For example, 0 refers to the routing table inet.0.

detail extensive

Flags

Information about the protocol family flags. Possible values are described in the “Family Flags” section under Common Output Fields Description.


Addresses, Flags

Information about the address flags. Possible values are described in the “Addresses Flags” section under Common Output Fields Description.


Destination

IP address of the remote side of the connection.


Local

IP address of the logical interface.


Broadcast

Broadcast address of the logical interface.


Generation


detail extensive


2003

®


Sample Output show interfaces (GRE)

user@host> show interfaces gr-1/2/0 Physical interface: gr-0/0/0, Enabled, Physical link is Up Interface index: 132, SNMP ifIndex: 26 Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Logical interface gr-0/0/0.0 (Index 68) (SNMP ifIndex 47) Flags: Point-To-Point SNMP-Traps 16384 IP-Header 1.1.1.2:1.1.1.1:47:df:64:0000000000000000 Encapsulation: GRE-NULL Input packets : 0 Output packets: 0 Protocol inet, MTU: 1476 Flags: None Addresses, Flags: Is-Primary Local: 1.10.1.1

show interfaces brief (GRE)

user@host> show interfaces gr-1/2/0 brief Physical interface: gr-1/2/0, Enabled, Physical link is Up Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Logical interface gr-1/2/0.0 Flags: Hardware-Down Point-To-Point SNMP-Traps 0x4000 IP-Header 10.10.0.2:10.10.0.1:47:df:64:0000000000000000 Encapsulation: GRE-NULL inet 10.100.0.1/30 mpls

show interfaces detail (GRE)

user@host> show interfaces gr-1/2/0 detail Physical interface: gr-0/0/0, Enabled, Physical link is Up Interface index: 132, SNMP ifIndex: 26, Generation: 13 Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps Hold-times : Up 0 ms, Down 0 ms Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Logical interface gr-0/0/0.0 (Index 68) (SNMP ifIndex 47) (Generation 8) Flags: Point-To-Point SNMP-Traps 16384 IP-Header 1.1.1.2:1.1.1.1:47:df:64:0000000000000000 Encapsulation: GRE-NULL Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0

2004



Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, MTU: 1476, Generation: 12, Route table: 0 Flags: None Addresses, Flags: Is-Primary Destination: Unspecified, Local: 1.10.1.1, Broadcast: Unspecified, Generation: 15

show interfaces detail (GRE) on an EX4200 Virtual Chassis Member Switch

user@switch> show interfaces gr-2/0/15 detail Physical interface: gr-2/0/15, Enabled, Physical link is Up Interface index: 195, SNMP ifIndex: 846, Generation: 198 Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 1000mbps Hold-times : Up 0 ms, Down 0 ms Current address: 00:1f:12:38:0f:d2, Hardware address: 00:1f:12:38:0f:d2 Device flags : Present Running Interface flags: Point-To-Point SNMP-Traps Statistics last cleared: 2011-09-14 17:43:15 UTC (00:00:18 ago) Traffic statistics: Input bytes : 5600636 0 bps Output bytes : 5600636 0 bps Input packets: 20007 0 pps Output packets: 20007 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Logical interface gr-2/0/15.0 (Index 75) (SNMP ifIndex 847) (HW Token 4093) (Generation 140) Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 180.20.30.2:180.20.20.3:47:df:64:0000000000000000 Encapsulation: GRE-NULL Copy-tos-to-outer-ip-header: Off Gre keepalives configured: Off, Gre keepalives adjacency state: down Traffic statistics: Input bytes : 5600886 Output bytes : 2881784 Input packets: 20010 Output packets: 10018 Local statistics: Input bytes : 398 Output bytes : 264 Input packets: 5 Output packets: 3 Transit statistics: Input bytes : 5600488 0 bps Output bytes : 2881520 0 bps Input packets: 20005 0 pps Output packets: 10015 0 pps Protocol inet, Generation: 159, Route table: 0 Flags: None Addresses, Flags: Is-Preferred Is-Primary Destination: 90.90.90/24, Local: 90.90.90.10, Broadcast: 90.90.90.255, Generation: 144 Logical interface gr-2/0/15.1 (Index 80) (SNMP ifIndex 848) (HW Token 4088)


2005

®


(Generation 150) Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 160.20.40.2:160.20.30.1:47:df:64:0000000000000000 Encapsulation: GRE-NULL Copy-tos-to-outer-ip-header: Off Gre keepalives configured: Off, Gre keepalives adjacency state: down Traffic statistics: Input bytes : 260 Output bytes : 2880148 Input packets: 4 Output packets: 10002 Local statistics: Input bytes : 112 Output bytes : 0 Input packets: 2 Output packets: 0 Transit statistics: Input bytes : 148 0 bps Output bytes : 2880148 0 bps Input packets: 2 0 pps Output packets: 10002 0 pps Protocol inet, Generation: 171, Route table: 0 Flags: None Addresses, Flags: Is-Preferred Is-Primary Destination: 70.70.70/24, Local: 70.70.70.10, Broadcast: 70.70.70.255, Generation: 160

show interfaces extensive (GRE)

2006

The output for the show interfaces extensive command is identical to that for the show interfaces detail command. For sample output, see show interfaces detail (GRE) on page 2004 and show interfaces detail (GRE) on an EX4200 Virtual Chassis Member Switch on page 2005.



show interfaces diagnostics optics Syntax Release Information Description

show interfaces diagnostics optics interface-name

Command introduced in Junos OS Release 10.0 for EX Series switches. Display diagnostics data and alarms for Gigabit Ethernet optical transceivers (SFP, SFP+, or XFP) installed in EX Series switches. The information provided by this command is known as digital optical monitoring (DOM) information. Thresholds that trigger a high alarm, low alarm, high warning, or low warning are set by the transponder vendors. Generally, a high alarm or low alarm indicates that the optics module is not operating properly. This information can be used to diagnose why a transceiver is not working.

Options

interface-name—Name of the interface associated with the port in which the transceiver

is installed: ge-fpc/pic/port or xe-fpc/pic/port. Required Privilege Level Related Documentation


Output Fields

view

•


•

Installing a Transceiver in an EX Series Switch

•


•


show interfaces diagnostics optics ge-0/1/0 (SFP Transceiver) on page 2011 show interfaces diagnostics optics xe-0/1/0 (SFP+ Transceiver) on page 2012 show interfaces diagnostics optics xe-0/1/0 (XFP Transceiver) on page 2012 Table 230 on page 2007 lists the output fields for the show interfaces diagnostics optics command. Output fields are listed in the approximate order in which they appear.

Table 230: show interfaces diagnostics optics Output Fields Field Name

Field Description

Physical interface

Displays the name of the physical interface.

Laser bias current

Displays the magnitude of the laser bias power setting current, in milliamperes. The laser bias provides direct modulation of laser diodes and modulates currents.

Laser output power

Displays the laser output power, in milliwatts (mW) and decibels referred to 1.0 mW (dBm).

Module temperature

Displays the temperature, in Celsius and Fahrenheit.


2007

®


Table 230: show interfaces diagnostics optics Output Fields (continued) Field Name

Field Description

Module voltage

Displays the voltage, in Volts.

(Not available for XFP transceivers) Laser rx power

Displays the laser received optical power, in milliwatts (mW) and decibels referred to 1.0 mW (dBm).

(Not available for SFP and SFP+ transceivers) Receiver signal average optical power

Displays the receiver signal average optical power, in milliwatts (mW) and decibels referred to 1.0 mW (dBm).

(Not available for XFP transceivers) Laser bias current high alarm

Displays whether the laser bias power setting high alarm is On or Off.

Laser bias current low alarm

Displays whether the laser bias power setting low alarm is On or Off.

Laser bias current high warning

Displays whether the laser bias power setting high warning is On or Off.

Laser bias current low warning

Displays whether the laser bias power setting low warning is On or Off.

Laser output power high alarm

Displays whether the laser output power high alarm is On or Off.

Laser output power low alarm

Displays whether the laser output power low alarm is On or Off.

Laser output power high warning

Displays whether the laser output power high warning is On or Off.

Laser output power low warning

Displays whether the laser output power low warning is On or Off.

Module temperature high alarm

Displays whether the module temperature high alarm is On or Off.

Module temperature low alarm

Displays whether the module temperature low alarm is On or Off.

Module temperature high warning

Displays whether the module temperature high warning is On or Off.

Module temperature low warning

Displays whether the module temperature low warning is On or Off.

Module voltage high alarm

Displays whether the module voltage high alarm is On or Off.

(Not available for XFP transceivers) Module voltage low alarm

Displays whether the module voltage low alarm is On or Off.

(Not available for XFP transceivers) Module voltage high warning

Displays whether the module voltage high warning is On or Off.

(Not available for XFP transceivers)

2008




Field Description

Module voltage low warning

Displays whether the module voltage low warning is On or Off.

(Not available for XFP transceivers) Laser rx power high alarm

Displays whether the receive laser power high alarm is On or Off.

Laser rx power low alarm

Displays whether the receive laser power low alarm is On or Off.

Laser rx power high warning

Displays whether the receive laser power high warning is On or Off.

Laser rx power low warning

Displays whether the receive laser power low warning is On or Off.

Laser bias current high alarm threshold

Displays the vendor-specified threshold for the laser bias current high alarm.

Module not ready alarm

Displays whether the module not ready alarm is On or Off. When the output is On, the module has an operational fault.

(Not available for SFP and SFP+ transceivers) Module power down alarm

Displays whether the module power down alarm is On or Off. When the output is On, module is in a limited power mode, low for normal operation.

(Not available for SFP and SFP+ transceivers) Tx data not ready alarm

Any condition leading to invalid data on the transmit path. Displays whether the Tx data not ready alarm is On or Off.

(Not available for SFP and SFP+ transceivers) Tx not ready alarm

Any condition leading to invalid data on the transmit path. Displays whether the Tx not ready alarm is On or Off.

(Not available for SFP and SFP+ transceivers) Tx laser fault alarm

Laser fault condition. Displays whether the Tx laser fault alarm is On or Off.

(Not available for SFP and SFP+ transceivers) Tx CDR loss of lock alarm

(Not available for SFP and SFP+ transceivers) Rx not ready alarm

Transmit clock and data recovery (CDR) loss of lock. Loss of lock on the transmit side of the CDR. Displays whether the Tx CDR loss of lock alarm is On or Off. Any condition leading to invalid data on the receive path. Displays whether the Rx not ready alarm is On or Off.

(Not available for SFP and SFP+ transceivers) Rx loss of signal alarm

(Not available for SFP and SFP+ transceivers) Rx CDR loss of lock alarm

Receive loss of signal alarm. When on, indicates insufficient optical input power to the module. Displays whether the Rx loss of signal alarm is On or Off. Receive CDR loss of lock. Loss of lock on the receive side of the CDR. Displays whether the Rx CDR loss of lock alarm is On or Off.

(Not available for SFP and SFP+ transceivers)


2009

®



Field Description

Laser bias current low alarm threshold

Displays the vendor-specified threshold for the laser bias current low alarm.

Laser bias current high warning threshold

Displays the vendor-specified threshold for the laser bias current high warning.

Laser bias current low warning threshold

Displays the vendor-specified threshold for the laser bias current low warning.

Laser output power high alarm threshold

Displays the vendor-specified threshold for the laser output power high alarm.

Laser output power low alarm threshold

Displays the vendor-specified threshold for the laser output power low alarm.

Laser output power high warning threshold

Displays the vendor-specified threshold for the laser output power high warning.

Laser output power low warning threshold

Displays the vendor-specified threshold for the laser output power low warning.

Module temperature high alarm threshold

Displays the vendor-specified threshold for the module temperature high alarm.

Module temperature low alarm threshold

Displays the vendor-specified threshold for the module temperature low alarm.

Module temperature high warning threshold

Displays the vendor-specified threshold for the module temperature high warning.

Module temperature low warning threshold

Displays the vendor-specified threshold for the module temperature low warning.

Module voltage high alarm threshold

Displays the vendor-specified threshold for the module voltage high alarm.

(Not available for XFP transceivers) Module voltage low alarm threshold

Displays the vendor-specified threshold for the module voltage low alarm.

(Not available for XFP transceivers) Module voltage high warning threshold

Displays the vendor-specified threshold for the module voltage high warning.

(Not available for XFP transceivers) Module voltage low warning threshold

Displays the vendor-specified threshold for the module voltage low warning.

(Not available for XFP transceivers) Laser rx power high alarm threshold

2010

Displays the vendor-specified threshold for the laser rx power high alarm.




Field Description

Laser rx power low alarm threshold

Displays the vendor-specified threshold for the laser rx power low alarm.

Laser rx power high warning threshold

Displays the vendor-specified threshold for the laser rx power high warning.

Laser rx power low warning threshold

Displays the vendor-specified threshold for the laser rx power low warning.

Sample Output show interfaces diagnostics optics ge-0/1/0 (SFP Transceiver)

user@host> show interfaces diagnostics optics ge-0/1/0 Physical interface: ge-0/1/0 Laser bias current : Laser output power : Module temperature : Module voltage : Receiver signal average optical power : Laser bias current high alarm : Laser bias current low alarm : Laser bias current high warning : Laser bias current low warning : Laser output power high alarm : Laser output power low alarm : Laser output power high warning : Laser output power low warning : Module temperature high alarm : Module temperature low alarm : Module temperature high warning : Module temperature low warning : Module voltage high alarm : Module voltage low alarm : Module voltage high warning : Module voltage low warning : Laser rx power high alarm : Laser rx power low alarm : Laser rx power high warning : Laser rx power low warning : Laser bias current high alarm threshold : Laser bias current low alarm threshold : Laser bias current high warning threshold : Laser bias current low warning threshold : Laser output power high alarm threshold : Laser output power low alarm threshold : Laser output power high warning threshold : Laser output power low warning threshold : Module temperature high alarm threshold : Module temperature low alarm threshold : Module temperature high warning threshold : Module temperature low warning threshold : Module voltage high alarm threshold : Module voltage low alarm threshold : Module voltage high warning threshold : Module voltage low warning threshold : Laser rx power high alarm threshold : Laser rx power low alarm threshold :


5.444 mA 0.3130 mW / -5.04 dBm 36 degrees C / 97 degrees F 3.2120 V 0.3840 mW / -4.16 dBm Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off 15.000 mA 1.000 mA 12.000 mA 2.000 mA 0.6300 mW / -2.01 dBm 0.0660 mW / -11.80 dBm 0.6300 mW / -2.01 dBm 0.0780 mW / -11.08 dBm 109 degrees C / 228 degrees F -29 degrees C / -20 degrees F 103 degrees C / 217 degrees F -13 degrees C / 9 degrees F 3.900 V 2.700 V 3.700 V 2.900 V 1.2589 mW / 1.00 dBm 0.0100 mW / -20.00 dBm

2011

®


Laser rx power high warning threshold Laser rx power low warning threshold

: :

0.7939 mW / -1.00 dBm 0.0157 mW / -18.04 dBm

Sample Output show interfaces diagnostics optics xe-0/1/0 (SFP+ Transceiver)

user@host> show interfaces diagnostics optics xe-0/1/0 Physical interface: xe-0/1/0 Laser bias current : Laser output power : Module temperature : Module voltage : Receiver signal average optical power : Laser bias current high alarm : Laser bias current low alarm : Laser bias current high warning : Laser bias current low warning : Laser output power high alarm : Laser output power low alarm : Laser output power high warning : Laser output power low warning : Module temperature high alarm : Module temperature low alarm : Module temperature high warning : Module temperature low warning : Module voltage high alarm : Module voltage low alarm : Module voltage high warning : Module voltage low warning : Laser rx power high alarm : Laser rx power low alarm : Laser rx power high warning : Laser rx power low warning : Laser bias current high alarm threshold : Laser bias current low alarm threshold : Laser bias current high warning threshold : Laser bias current low warning threshold : Laser output power high alarm threshold : Laser output power low alarm threshold : Laser output power high warning threshold : Laser output power low warning threshold : Module temperature high alarm threshold : Module temperature low alarm threshold : Module temperature high warning threshold : Module temperature low warning threshold : Module voltage high alarm threshold : Module voltage low alarm threshold : Module voltage high warning threshold : Module voltage low warning threshold : Laser rx power high alarm threshold : Laser rx power low alarm threshold : Laser rx power high warning threshold : Laser rx power low warning threshold :

4.968 mA 0.4940 mW / -3.06 dBm 27 degrees C / 81 degrees F 3.2310 V 0.0000 Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off On Off On 10.500 mA 2.000 mA 9.000 mA 2.500 mA 1.4120 mW / 1.50 dBm 0.0740 mW / -11.31 dBm 0.7070 mW / -1.51 dBm 0.1860 mW / -7.30 dBm 75 degrees C / 167 degrees F -5 degrees C / 23 degrees F 70 degrees C / 158 degrees F 0 degrees C / 32 degrees F 3.630 V 2.970 V 3.465 V 3.135 V 1.5849 mW / 2.00 dBm 0.0407 mW / -13.90 dBm 0.7943 mW / -1.00 dBm 0.1023 mW / -9.90 dBm

Sample Output show interfaces diagnostics optics xe-0/1/0 (XFP Transceiver)

2012

user@host> show interfaces diagnostics optics xe-0/1/0 Physical interface: xe-0/1/0 Laser bias current : 8.029 mA Laser output power : 0.6430 mW / -1.92 dBm Module temperature : 4 degrees C / 39 degrees F



Laser rx power Laser bias current high alarm Laser bias current low alarm Laser bias current high warning Laser bias current low warning Laser output power high alarm Laser output power low alarm Laser output power high warning Laser output power low warning Module temperature high alarm Module temperature low alarm Module temperature high warning Module temperature low warning Laser rx power high alarm Laser rx power low alarm Laser rx power high warning Laser rx power low warning Module not ready alarm Module power down alarm Tx data not ready alarm Tx not ready alarm Tx laser fault alarm Tx CDR loss of lock alarm Rx not ready alarm Rx loss of signal alarm Rx CDR loss of lock alarm Laser bias current high alarm threshold Laser bias current low alarm threshold Laser bias current high warning threshold Laser bias current low warning threshold Laser output power high alarm threshold Laser output power low alarm threshold Laser output power high warning threshold Laser output power low warning threshold Module temperature high alarm threshold Module temperature low alarm threshold Module temperature high warning threshold Module temperature low warning threshold Laser rx power high alarm threshold Laser rx power low alarm threshold Laser rx power high warning threshold Laser rx power low warning threshold


: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

0.0012 mW / -29.21 dBm Off Off Off Off Off Off Off Off Off Off Off Off Off On Off On On Off Off Off Off Off On On On 13.000 mA 2.000 mA 12.000 mA 3.000 mA 0.8310 mW / -0.80 dBm 0.1650 mW / -7.83 dBm 0.7410 mW / -1.30 dBm 0.1860 mW / -7.30 dBm 90 degrees C / 194 degrees F 0 degrees C / 32 degrees F 85 degrees C / 185 degrees F 0 degrees C / 32 degrees F 0.8912 mW / -0.50 dBm 0.0912 mW / -10.40 dBm 0.7943 mW / -1.00 dBm 0.1023 mW / -9.90 dBm

2013

®


show interfaces ge Syntax


show interfaces ge-fpc/pic/port

Command introduced in Junos OS Release 9.0 for EX Series switches. Display status information about the specified Gigabit Ethernet interface.

NOTE: You must have a transceiver plugged into an SFP or SFP+ port before information about the interface can be displayed.

Options

ge-fpc/pic/port—Display standard information about the specified Gigabit Ethernet

interface. brief | detail | extensive | terse—(Optional) Display the specified level of output. media—(Optional) Display media-specific information about network interfaces. statistics—(Optional) Display static interface statistics.



Output Fields

view

•


•


•


•


•


show interfaces ge-0/0/0 on page 2021 show interfaces ge-0/0/0 brief on page 2021 show interfaces ge-0/0/0 detail on page 2022 show interfaces ge-0/0/4 extensive on page 2023 Table 231 on page 2014 lists the output fields for the show interfaces ge- command. Output fields are listed in the approximate order in which they appear.

Table 231: show interfaces ge- Output Fields Field Name

Field Description

Level of Output


All levels

Physical Interface Physical interface

2014



Table 231: show interfaces ge- Output Fields (continued) Field Name

Field Description

Level of Output

Enabled

State of the interface: Enabled or Disabled.

All levels

Interface index

Index number of the physical interface, which reflects its initialization sequence.


SNMP ifIndex



Generation


detail extensive

Description

Optional user-specified description.

brief detail extensive

Link-level type

Encapsulation being used on the physical interface.

All levels

MTU

Maximum transmission unit size on the physical interface. Default is 1514.

All levels

Speed

Speed of the interface: Auto if autonegotiation of speed is enabled; speed in megabits per second if the interface speed is explicitly configured.

All levels

Duplex

Link mode of interface: Auto if autonegotiation of link mode is enabled; Full-Duplex or Half-Duplex if the link mode is explicitly configured.

All levels

Loopback

Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: Local or Remote.

All levels

Source filtering

Source filtering status: Enabled or Disabled.

All levels

Flow control

Flow control status: Enabled or Disabled.

All levels

Auto-negotiation

Autonegotiation status: Enabled or Disabled.

All levels

Remote-fault

Remote fault status:

All levels

•

Online—Autonegotiation is manually configured as online.

•

Offline—Autonegotiation is manually configured as offline.

Device flags

Information about the physical device.

All levels

Interface flags

Information about the interface.

All levels

Link flags

Information about the link.

All levels

CoS queues

Number of CoS queues configured.


Hold-times


detail extensive

Current address

Configured MAC address.


Hardware address

MAC address of the hardware.



2015

®



Field Description

Level of Output

Last flapped

Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago). For example, Last flapped: 2008–01–16 10:52:40 UTC (3d 22:58 ago).




detail extensive

Traffic statistics


detail extensive

•


•


•

Input packets—Number of packets received on the interface

•


NOTE: The bandwidth bps counter is not enabled on the switch. Input errors

Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: •

Errors—Sum of the incoming frame aborts and FCS errors.

•

Drops—Number of packets dropped by the input queue of the I/O Manager

extensive

ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism. •

Framing errors—Number of packets received with an invalid frame checksum

(FCS). •

Runts—Number of frames received that are smaller than the runt threshold.

•

Policed discards—Number of frames that the incoming packet match code

discarded because they were not recognized or not of interest. Usually, this field reports protocols that the Junos OS does not handle. •

L3 incompletes—Number of incoming packets discarded because they failed

Layer 3 sanity checks of the headers. For example, a frame with less than 20 bytes of available IP header is discarded. •

L2 channel errors—Number of times the software did not find a valid logical

interface for an incoming frame. •

L2 mismatch timeouts—Number of malformed or short packets that caused

the incoming packet handler to discard the frame as unreadable. •

FIFO errors—Number of FIFO errors in the receive direction that are reported

by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning. •

2016

Resource errors—Sum of transmit drops.




Field Description

Level of Output

Output errors

Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:

extensive

•

Carrier transitions—Number of times the interface has gone from down to up.

This number does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning. •

Errors—Sum of the outgoing frame aborts and FCS errors.

•

Drops—Number of packets dropped by the output queue of the I/O Manager


Collisions—Number of Ethernet collisions. The Gigabit Ethernet PIC supports

only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug. •

Aged packets—Number of packets that remained in shared packet SDRAM

so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware. •

FIFO errors—Number of FIFO errors in the send direction as reported by the

ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning. •

HS link CRC errors—Number of errors on the high-speed links between the

ASICs responsible for handling the switch interfaces. •

MTU errors—Number of packets whose size exceeded the MTU of the interface.

•


Egress queues

Total number of egress queues supported on the specified interface.

detail extensive

Queue counters (Egress )

CoS queue number and its associated user-configured forwarding class name.

detail extensive

Active alarms and Active defects

•

Queued packets—Number of queued packets.

•

Transmitted packets—Number of transmitted packets.

•

Dropped packets—Number of packets dropped by the ASIC's RED mechanism.

Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the switch configuration, an alarm can ring the red or yellow alarm bell on the switch or turn on the red or yellow alarm LED on the front of the switch. These fields can contain the value None or Link. •

None—There are no active defects or alarms.

•

Link—Interface has lost its link state, which usually means that the cable is


unplugged, the far-end system has been turned off, or the PIC is malfunctioning.


2017

®



Field Description

Level of Output

MAC statistics

Receive and Transmit statistics reported by the PIC's MAC subsystem.

extensive

•

Total octets and total packets—Total number of octets and packets. For

Gigabit Ethernet IQ PICs, the received octets count varies by interface type. •

Unicast packets, Broadcast packets, and Multicast packets—Number of unicast,

broadcast, and multicast packets. •

CRC/Align errors—Total number of packets received that had a length

(excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). •

FIFO error—Number of FIFO errors that are reported by the ASIC on the PIC.

If this value is ever nonzero, the PIC is probably malfunctioning. •

MAC control frames—Number of MAC control frames.

•

MAC pause frames—Number of MAC control frames with pause operational

code. •

Oversized frames—Number of frames that exceed 1518 octets.

•

Jabber frames—Number of frames that were longer than 1518 octets (excluding

framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms. •

Fragment frames—Total number of packets that were less than 64 octets in

length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted. •

Code violations—Number of times an event caused the PHY to indicate “Data

reception error” or “invalid data symbol error.” Filter Statistics

Receive and Transmit statistics reported by the PIC's MAC address filter

extensive

subsystem.

2018




Field Description

Level of Output

Autonegotiation information

Information about link autonegotiation:

extensive

•

Negotiation status: •

Complete—The autonegotiation process between the local and remote

Ethernet interfaces was successful. •

Incomplete—Remote Ethernet interface has the speed or link mode

configured or does not perform autonegotiation. •

No autonegotiation—Local Ethernet interface has autonegotiation disabled

and the link mode and speed are manually configured. •

Link partner—Information from the link partner: •

Link mode—Depending on the capability of the attached Ethernet device, either Full-duplex or Half-duplex. If the link mode of the remote device cannot be determined, value is Unknown.

•

Flow control—Types of flow control supported by the remote Ethernet device. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports PAUSE on both receive and transmit or PAUSE only on receive).

•

Remote fault—Remote fault information from the link partner—Failure indicates a receive link error. OK indicates that the link partner is receiving. Negotiation error indicates a negotiation error. Offline indicates that the

link partner is going offline. • •

Link partner speed—Speed of the link partner.

Local resolution—Resolution of the autonegotiation process on the local

interface: •

Flow control—Type of flow control that is used by local interface. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports PAUSE on both receive and transmit or PAUSE only on receive).

•

Link mode—Link mode of local interface: either Full-duplex or Half-duplex. Displayed when Negotiation status is Incomplete.

•

Local link speed—Speed of the local interface. Displayed when Negotiation status is Incomplete.

•

Remote fault—Remote fault information. Link OK (no error detected on receive), Offline (local interface is offline), and Link Failure (link error

detected on receive). Packet Forwarding Engine configuration

Information about the configuration of the Packet Forwarding Engine: •

extensive

Destination slot—FPC slot number: •

On standalone switches with built-in interfaces, the slot number refers to the switch itself and is always 0.

•

On Virtual Chassis composed of switches with built-in interfaces, the slot number refers to the member ID of the switch.

•

On switches with line cards or on Virtual Chassis composed of switches with line cards, the slot number refers to the line card slot number on the switch or Virtual Chassis.

Logical Interface


2019

®



Field Description

Level of Output

Logical interface


All levels

Index

Index number of the logical interface, which reflects its initialization sequence.


SNMP ifIndex

SNMP interface index number for the logical interface.


Generation


detail extensive

Flags

Information about the logical interface.

All levels

Encapsulation


All levels

Protocol

Protocol family.


Traffic statistics

Number and rate of bytes and packets received (input) and transmitted (output) on the specified interface.

detail extensive

NOTE: For logical interfaces on EX Series switches, the traffic statistics fields in show interfaces commands show only control traffic; the traffic statistics do not include data traffic. IPv6 transit statistics

If IPv6 statistics tracking is enabled, number of IPv6 bytes and packets received and transmitted on the logical interface.

extensive

Local statistics

Number and rate of bytes and packets destined to and from the switch.

extensive

Transit statistics

Number and rate of bytes and packets transiting the switch.

extensive

Generation


detail extensive

Route Table

Route table in which the logical interface address is located. For example, 0 refers to the routing table inet.0.


Input Filters

Names of any input filters applied to this interface.

detail extensive

Output Filters

Names of any output filters applied to this interface.

detail extensive

Flags

Information about protocol family flags.

detail extensive

If unicast reverse-path forwarding (RPF) is explicitly configured on the specified interface, the uRPF flag is displayed. If unicast RPF was configured on a different interface (and therefore is enabled on all switch interfaces) but was not explicitly configured on the specified interface, the uRPF flag is not displayed even though unicast RPF is enabled. protocol-family


brief

Flags

Information about the address flags.


2020




Field Description

Level of Output

Destination



Local



Broadcast

Broadcast address of the logical interlace.


Generation


detail extensive

Sample Output show interfaces ge-0/0/0

user@switch> show interfaces ge-0/0/0 Physical interface: ge-0/0/0, Enabled, Physical link is Down Interface index: 129, SNMP ifIndex: 21 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled Remote fault: Online Device flags : Present Running Down Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:3f:41, Hardware address: 00:19:e2:50:3f:41 Last flapped : 2008-01-16 11:40:53 UTC (4d 02:30 ago) Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Ingress rate at Packet Forwarding Engine : 0 bps (0 pps) Ingress drop rate at Packet Forwarding Engine : 0 bps (0 pps) Active alarms : None Active defects : None Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 22) Flags: SNMP-Traps Encapsulation: ENET2 Input packets : 0 Output packets: 0 Protocol eth-switch Flags: None

show interfaces ge-0/0/0 brief

user@switch> show interfaces ge-0/0/0 brief Physical interface: ge-0/0/0, Enabled, Physical link is Down Description: voice priority and tcp and icmp traffic rate-limiting filter at i ngress port Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Down Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Link flags : None Logical interface ge-0/0/0.0 Flags: Device-Down SNMP-Traps Encapsulation: ENET2 eth-switch


2021

®


show interfaces ge-0/0/0 detail

user@switch> show interfaces ge-0/0/0 detail Physical interface: ge-0/0/0, Enabled, Physical link is Up Interface index: 193, SNMP ifIndex: 206, Generation: 196 Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:1f:12:30:ff:40, Hardware address: 00:1f:12:30:ff:40 Last flapped : 2009-05-05 06:03:05 UTC (00:22:13 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort

0

0

0

1 assured-forw

0

0

0

5 expedited-fo

0

0

0

7 network-cont

0

0

0

Active alarms : None Active defects : None Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 235) Flags: SNMP-Traps Encapsulation: ENET2 Bandwidth: 0 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol eth-switch, Generation: 146, Route table: 0 Flags: Is-Primary Input Filters: f1, Output Filters: f2,,,,

2022

(Generation 130)

0 0 0 0

bps bps pps pps



show interfaces ge-0/0/4 extensive

user@switch> show interfaces ge-0/0/4 extensive Physical interface: ge-0/0/4, Enabled, Physical link is Up Interface index: 165, SNMP ifIndex: 152, Generation: 168 Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:1f:12:33:65:44, Hardware address: 00:1f:12:33:65:44 Last flapped : 2008-09-17 11:02:25 UTC (16:32:54 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 2989761 984 bps Input packets: 0 0 pps Output packets: 24307 1 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort

0

0

0

1 assured-forw

0

0

0

5 expedited-fo

0

0

0

7 network-cont

0

24307

0

Active alarms : None Active defects : None MAC statistics: Total octets Total packets Unicast packets Broadcast packets Multicast packets CRC/Align errors FIFO errors MAC control frames MAC pause frames Oversized frames Jabber frames Fragment frames Code violations Autonegotiation information: Negotiation status: Complete


Receive 0 0 0 0 0 0 0 0 0 0 0 0 0

Transmit 2989761 24307 0 0 24307 0 0 0 0

2023

®


Link partner: Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 1000 Mbps Local resolution: Flow control: None, Remote fault: Link OK Packet Forwarding Engine configuration: Destination slot: 0 Direction : Output CoS transmit queue Bandwidth Buffer Priority Limit % bps % usec 0 best-effort 95 950000000 95 NA low none 7 network-control 5 50000000 5 NA low none Logical interface ge-0/0/4.0 (Index 82) (SNMP ifIndex 184) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 4107883 Input packets: 0 Output packets: 24307 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 4107883 Input packets: 0 Output packets: 24307 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol eth-switch, Generation: 159, Route table: 0 Flags: None Input Filters: f2, Output Filters: f1,,,,

2024

(Generation 147)

0 0 0 0

bps bps pps pps



show interfaces me0 Syntax

show interfaces me0

Release Information


Description

Display status information about the management Ethernet interface.

Options

none—Display standard information about the management Ethernet interface. brief | detail | extensive | terse—(Optional) Display the specified level of output. descriptions—(Optional) Display interface description strings. media—(Optional) Display media-specific information about network interfaces. routing-instance—(Optional) Display the name of the routing instance. statistics—(Optional) Display static interface statistics.



Output Fields

view

•

Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch on page 4319

•


show interfaces me0 on page 2029 show interfaces me0 brief on page 2029 show interfaces me0 detail on page 2029 show interfaces me0 extensive on page 2030 Table 232 on page 2025 lists the output fields for the show interfaces me0 command. Output fields are listed in the approximate order in which they appear.

Table 232: show interfaces me0 Output Fields Field Name

Field Description

Level of Output

Physical interface


All levels

Enabled

State of the interface: Enabled or Disabled.

All levels

Interface index



Physical Interface


2025

®


Table 232: show interfaces me0 Output Fields (continued) Field Name

Field Description

Level of Output

SNMP ifIndex



Generation


detail extensive

Description

Optional user-specified description.


Type

Information about the type of functional interface.

All levels

Link-level type


All levels

MTU

Maximum transmission unit size on the physical interface. The default is 1514.

All levels

Clocking

Interface that acts as a clock source. This field is not supported on EX Series switches and the default value is always Unspecified.

detail extensive

Speed


All levels

Device flags


All levels

Interface flags


All levels

Link type

Information about whether the link is duplex and whether the negotiation is manual or automatic.


Physical info

Information about the device dependent physical interface selector. This field is applied only when a clocking option is specified. This field is not supported on EX Series switches and the default value is always Unspecified.

detail extensive

Hold-times


detail extensive

Current address



Hardware address



Alternate link address

Information about alternate hardware address.

detail extensive

Last flapped

Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second timezone (weeksw:daysdhour:minute:second ago). For example, Last flapped: 2008–01–16


10:52:40 UTC (3w:3d 22:58 ago). Statistics last cleared

2026

Time when the statistics for the interface was last set to zero. The format is

detail extensive

Last flapped: year-month-day hour:minute:second timezone (weeksw:daysdhour:minute:second ago). For example, Last flapped: 2008–01–16 10:52:40 UTC (3w:3d 22:58 ago).




Field Description

Level of Output

Traffic statistics


detail extensive

Following are fields in Traffic statistics:

IPv6 transit statistics

•


•


•


•


Number and rate of bytes and IPv6 packets received and transmitted on the physical interface.

detail extensive

Following are fields in IPv6 transit statistics:

Input errors

•


•


•


•


Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: •

Errors—Sum of the incoming frame aborts and frame checksum (FCS) errors.

•


extensive

ASIC. •

Framing errors—Number of packets received with an invalid FCS.

•


•

Giants— Number of packets that exceed the size for the medium. For example, if the medium is Ethernet, the Giant field shows the count of packets with

size greater than 1518 bytes. •



Output errors


Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: •

extensive


This number does not normally increment quickly. It increases only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increment quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning. •


•




•



2027

®



Field Description

Level of Output

Logical interface


All levels

Index



SNMP ifIndex



Generation


detail extensive

Flags


All levels

Encapsulation


All levels

Traffic statistics


detail extensive


If IPv6 statistics tracking is enabled, number of IPv6 bytes and packets received and transmitted on the logical interface.

detail extensive

Local statistics

Number and rate of bytes and packets destined to and exiting from the switch.

extensive

Protocol

Protocol family.


Generation


detail extensive

Route Table

Routing table in which the logical interface address is located. For example, 0 refers to the routing table inet.0.

detail extensive

Flags


detail extensive

Input Filter

Ingress filter name.

extensive

Output Filter

Egress filter name.

extensive

Addresses

Information about the management interface addresses.


Flags



Destination



Local



Broadcast



Generation


detail extensive

Logical Interface

2028



Sample Output show interfaces me0

user@switch> show interfaces me0 Physical interface: me0, Enabled, Physical link is Up Interface index: 1, SNMP ifIndex: 33 Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps Device flags : Present Running Interface flags: SNMP-Traps Link type : Full-Duplex Current address: 00:1f:12:35:3c:bf, Hardware address: 00:1f:12:35:3c:bf Last flapped : 2010-07-31 23:45:50 PDT (5d 00:32 ago) Input packets : 1661830 Output packets: 3200 Logical interface me0.0 (Index 3) (SNMP ifIndex 34) Flags: SNMP-Traps Encapsulation: ENET2 Input packets : 1661830 Output packets: 3200 Protocol inet Flags: Is-Primary Addresses, Flags: Is-Preferred Is-Primary Destination: 10.204.32/20, Local: 10.204.33.103, Broadcast: 10.204.47.255 Protocol inet6 Flags: Is-Primary Addresses, Flags: Is-Preferred Destination: fe80::/64, Local: fe80::21f:12ff:fe35:3cbf

show interfaces me0 brief

user@switch> show interfaces me0 brief Physical interface: me0, Enabled, Physical link is Up Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Clocking: Unspecified, Speed: 1000mbps Device flags : Present Running Interface flags: SNMP-Traps Logical interface me0.0 Flags: SNMP-Traps Encapsulation: ENET2 inet 10.204.33.103/20 inet6 fe80::21f:12ff:fe35:3cbf/64

show interfaces me0 detail

user@switch> show interfaces me0 detail Physical interface: me0, Enabled, Physical link is Up Interface index: 1, SNMP ifIndex: 33, Generation: 1 Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Clocking: Unspecified, Speed: 1000mbps Device flags : Present Running Interface flags: SNMP-Traps Link type : Full-Duplex Physical info : Unspecified Hold-times : Up 0 ms, Down 0 ms Current address: 00:1f:12:35:3c:bf, Hardware address: 00:1f:12:35:3c:bf Alternate link address: Unspecified Last flapped : 2010-07-31 23:45:50 PDT (5d 00:37 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 366663167 Output bytes : 498590 Input packets: 1664031 Output packets: 3259


2029

®


IPv6 transit statistics: Input bytes : Output bytes : Input packets: Output packets:

0 0 0 0

Logical interface me0.0 (Index 3) (SNMP ifIndex 34) (Generation 1) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 366665637 Output bytes : 500569 Input packets: 1664048 Output packets: 3275 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 366665637 Output bytes : 500569 Input packets: 1664048 Output packets: 3275 Protocol inet, Generation: 1, Route table: 0 Flags: Is-Primary Addresses, Flags: Is-Preferred Is-Primary Destination: 10.204.32/20, Local: 10.204.33.103, Broadcast: 10.204.47.255, Generation: 1 Protocol inet6, Generation: 2, Route table: 0 Flags: Is-Primary Addresses, Flags: Is-Preferred Destination: fe80::/64, Local: fe80::21f:12ff:fe35:3cbf Generation: 2

show interfaces me0 extensive

2030

user@switch> show interfaces me0 extensive Physical interface: me0, Enabled, Physical link is Up Interface index: 1, SNMP ifIndex: 33, Generation: 1 Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Clocking: Unspecified, Speed: 100mbps Device flags : Present Running Interface flags: SNMP-Traps Link type : Full-Duplex Physical info : Unspecified Hold-times : Up 0 ms, Down 0 ms Current address: 00:1f:12:38:58:bf, Hardware address: 00:1f:12:38:58:bf Alternate link address: Unspecified Last flapped : 2010-08-15 06:27:33 UTC (03:06:22 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 82310392 Output bytes : 1966952 Input packets: 110453 Output packets: 17747 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0, Resource errors: 0



Output errors: Carrier transitions: 1, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0 Logical interface me0.0 (Index 3) (SNMP ifIndex 34) (Generation 1) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 82310392 Output bytes : 1966952 Input packets: 110453 Output packets: 17747 Local statistics: Input bytes : 82310392 Output bytes : 1966952 Input packets: 110453 Output packets: 17747 Protocol inet, Generation: 1, Route table: 0 Flags: Is-Primary Input Filters: mgmt_filter, Addresses, Flags: Is-Default Is-Preferred Is-Primary Destination: 10.204.96/20, Local: 10.204.96.234, Broadcast: 10.204.111.255, Generation: 1


2031

®


show interfaces queue Syntax


show interfaces queue

Command introduced in Junos OS Release 9.0 for EX Series switches. Display class-of-service (CoS) queue information for physical interfaces. none—Show detailed CoS queue statistics for all physical interfaces. both-ingress-egress—(Optional) Show both ingress and egress queue statistics. (Ingress

statistics are not available for all interfaces.) egress—(Optional) Show egress queue statistics only. forwarding-class forwarding-class—(Optional) Show queue statistics only for the specified

forwarding class. ingress—(Optional) Show ingress queue statistics only. (Ingress statistics are not available

for all interfaces.) interface-name—(Optional) Show queue statistics for the specified interface.



Output Fields

view

•


•

Monitoring Interfaces That Have CoS Components on page 4515

•

Defining CoS Schedulers (CLI Procedure) on page 4493

•


show interfaces queue ge-0/0/0 (EX2200 Switch) on page 2034 show interfaces queue xe-6/0/39 (Line Card with Oversubscribed Ports in an EX8200 Switch) on page 2035 Table 233 on page 2032 lists the output fields for the show interfaces queue command. Output fields are listed in the approximate order in which they appear.

Table 233: show interfaces queue Output Fields Field Name

Field Description

Physical Interface and Forwarding Class Information Physical interface

2032




Table 233: show interfaces queue Output Fields (continued) Field Name

Field Description

Enabled

State of the interface. Possible values are: •

Administratively down, Physical link is Down—The interface is turned off, and

the physical link is inoperable. •

Administratively down, Physical link is Up—The interface is turned off, but the

physical link is operational and can pass packets when it is enabled. •

Enabled, Physical link is Down—The interface is turned on, but the physical

link is inoperable and cannot pass packets. •

Enabled, Physical link is Up—The interface is turned on, and the physical link

is operational and can pass packets. Interface index


SNMP ifIndex


Description

User-configured interface description.

Forwarding classes

Number of forwarding classes supported and in use for the interface.

Ingress Queues Information (not shown for all interfaces) Ingress queues

Number of input queues supported and in use on the specified interface. For an interface on a line card with oversubscribed ports, the ingress queue handles low priority traffic on the interface.

Transmitted

Transmission statistics for the queue: •

Packets—Number of packets transmitted by this queue.

•

Bytes—Number of bytes transmitted by this queue.

•

Tail-dropped packets—Number of packets dropped because the queue

buffers were full. PFE chassis queues

For an interface on a line card with oversubscribed ports, the number of Packet Forwarding Engine chassis queues supported and in use for the port group to which the interface belongs. The Packet Forwarding Engine chassis queue for a port group handles high priority traffic from all the interfaces in the port group.

Egress Queues Information Egress queues

Number of output queues supported and in use on the specified interface.

Queue

CoS queue number.

Queued

This counter is not supported on EX Series switches.


2033

®


Table 233: show interfaces queue Output Fields (continued) Field Name

Field Description

Transmitted

Number of packets and bytes transmitted by this queue. Information on transmitted packets and bytes can include: •

Packets—Number of packets transmitted.

•

Bytes—Number of bytes transmitted.

•

Tail-dropped packets—Number of arriving packets dropped because output

queue buffers were full. •

RED-dropped packets—Number of packets dropped because of random early

detection (RED).

•

•

Low—Number of low loss priority packets dropped because of RED.

•

High—Number of high loss priority packets dropped because of RED.

RED-dropped bytes—Number of bytes dropped because of random early

detection (RED).

Packet Forwarding Engine Chassis Queues

•

Low—Number of low loss priority bytes dropped because of RED.

•

High—Number of high loss priority bytes dropped because of RED.

For an interface on a line card with oversubscribed ports, the number of Packet Forwarding Engine chassis queues supported and in use for the port group to which the interface belongs. The queue statistics reflect the traffic flowing on all the interfaces in the port group.

Sample Output show interfaces queue ge-0/0/0 (EX2200 Switch)

2034

user@switch> show interfaces queue ge–0/0/0 Physical interface: ge-0/0/0, Enabled, Physical link is Down Interface index: 130, SNMP ifIndex: 501 Forwarding classes: 16 supported, 4 in use Egress queues: 8 supported, 4 in use Queue: 0, Forwarding classes: best-effort Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 1, Forwarding classes: assured-forwarding Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 5, Forwarding classes: expedited-forwarding Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 7, Forwarding classes: network-control Queued: Transmitted: Packets : 0



Bytes : Tail-dropped packets :

show interfaces queue xe-6/0/39 (Line Card with Oversubscribed Ports in an EX8200 Switch)

0 0

user@switch> show interfaces queue xe-6/0/39 Physical interface: xe-6/0/39, Enabled, Physical link is Up Interface index: 291, SNMP ifIndex: 1641 Forwarding classes: 16 supported, 7 in use Ingress queues: 1 supported, 1 in use Transmitted: Packets : 337069086018 Bytes : 43144843010304 Tail-dropped packets : 8003867575 PFE chassis queues: 1 supported, 1 in use Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Forwarding classes: 16 supported, 7 in use Egress queues: 8 supported, 7 in use Queue: 0, Forwarding classes: best-effort Queued: Transmitted: Packets : 334481399932 Bytes : 44151544791024 Tail-dropped packets : 0 Queue: 1, Forwarding classes: assured-forwarding Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 2, Forwarding classes: mcast-be Queued: Transmitted: Packets : 274948977 Bytes : 36293264964 Tail-dropped packets : 0 Queue: 4, Forwarding classes: mcast-ef Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 5, Forwarding classes: expedited-forwarding Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 6, Forwarding classes: mcast-af Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 Queue: 7, Forwarding classes: network-control Queued: Transmitted: Packets : 46714 Bytes : 6901326


2035

®


Tail-dropped packets :

0

Packet Forwarding Engine Chassis Queues: Queues: 8 supported, 7 in use Queue: 0, Forwarding classes: best-effort Queued: Transmitted: Packets : 739338141426 Bytes : 94635282101928 Tail-dropped packets : 0 RED-dropped packets : 5606426444 Low : 5606426444 High : 0 RED-dropped bytes : 683262846464 Low : 683262846464 High : 0 Queue: 1, Forwarding classes: assured-forwarding Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : 0 Low : 0 High : 0 RED-dropped bytes : 0 Low : 0 High : 0 Queue: 2, Forwarding classes: mcast-be Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : 0 Low : 0 High : 0 RED-dropped bytes : 0 Low : 0 High : 0 Queue: 4, Forwarding classes: mcast-ef Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : 0 Low : 0 High : 0 RED-dropped bytes : 0 Low : 0 High : 0 Queue: 5, Forwarding classes: expedited-forwarding Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : 0 Low : 0 High : 0

2036



RED-dropped bytes : 0 Low : 0 High : 0 Queue: 6, Forwarding classes: mcast-af Queued: Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : 0 Low : 0 High : 0 RED-dropped bytes : 0 Low : 0 High : 0 Queue: 7, Forwarding classes: network-control Queued: Transmitted: Packets : 97990 Bytes : 14987506 Tail-dropped packets : 0 RED-dropped packets : 0 Low : 0 High : 0 RED-dropped bytes : 0 Low : 0 High : 0


2037

®


show interfaces vlan Syntax


show interfaces (vlan | vlan.vlan-id)

Command introduced in Junos OS Release 9.0 for EX Series switches. Display status information about routed VLAN interfaces (RVIs). vlan | vlan.vlan-id—Display status information for the specified RVI. brief | detail | extensive | terse—(Optional) Display the specified level of output. descriptions—(Optional) Display interface description strings. media—(Optional) Display media-specific information about network interfaces. routing-instance (all | instance-name)—(Optional) Associate this RVI with the named

routing instance. snmp-index snmp-index—(Optional) Display information for the specified SNMP index

of the interface. statistics—(Optional) Display static interface statistics.



Output Fields

2038

view

•


•


•


•


•


•

Verifying Routed VLAN Interface Status and Statistics

show interfaces vlan on page 2046 show interfaces vlan terse on page 2046 show interfaces vlan extensive on page 2047 show interfaces vlan detail on page 2048 Table 234 on page 2039 lists the output fields for the show interfaces vlan command. Output fields are listed in the approximate order in which they appear. The level of output none means the basic command with no optional options—that is, either just show interfaces vlan or show interfaces vlan.vlan-id.



Table 234: show interfaces vlan Output Fields Field Name

Field Description

Level of Output

Physical interface

Name of the physical interface, which is always vlan.

All levels

Enabled

State of the interface: Enabled or Disabled, followed by the statement Physical

All levels

Physical Interface

link is Interface index


detail extensive

none SNMP ifIndex


detail extensive

none Generation


detail extensive

Type

Because this is routed VLAN interface information, this entry is always VLAN.

detail extensive

none Link-level type

Encapsulation (added control information) being used on the physical interface. Because this is routed VLAN interface information, this entry is always VLAN.

All levels

MTU

Maximum transmission unit (MTU) size on the physical interface. The default MTU size depends on the switch platform. Changing either the media MTU or protocol MTU causes an interface to be deleted and added again.

All levels

Clocking

Value is always Unspecified—not applicable on switches.

detail extensive

Speed

Speed of the interface, either Auto if autonegotiation of speed is enabled or a number representing the configured speed in megabits per second.

detail extensive

none


2039

®


Table 234: show interfaces vlan Output Fields (continued) Field Name

Field Description

Level of Output

Device flags

Information about the physical device such as: Dest-route-down—The routing process detected that the link was not operational and changed the interface routes to nonforwarding status. Down—Device has been administratively disabled. Hear-Own-Xmit—Device receives its own transmissions. Is-Default—This address is the default address of the switch. The default address is used as the source address by SNMP, ping, traceroute, and other network utilities. Is-Preferred—This address is the default local address for packets originating from the local switch and sent to destinations on the subnet. Is-Primary—This address is the default local address for broadcast and multicast packets originated locally and sent out the interface. Link-Layer-Down—The link-layer protocol has failed to connect with the remote endpoint. Loopback—Switch is in physical loopback. Loop-Detected—The link layer has received frames that it sent, thereby detecting a physical loopback. No-Carrier—On media that support carrier recognition, no carrier is currently detected. No-Multicast—Device does not support multicast traffic. Preferred—This address is a candidate to become the preferred address. Present—Device is physically present and recognized. Promiscuous—Device is in promiscuous mode and recognizes frames addressed to all physical addresses on the media. Primary—This address is a candidate to become the primary address. Quench—Transmission on the device is quenched, because the output buffer is overflowing Recv-All-Multicasts—Device is in multicast promiscuous mode and therefore provides no multicast filtering. Running—Device is active and enabled.

detail extensive

Link mode of the interface—Auto if autonegotiation is enabled, or the configured Full-Duplex or Half-Duplex.

detail extensive

Link type

none

none Link flags

Value is always None—not applicable on switches.

detail extensive

none Physical Info


detail extensive

Hold-times


detail extensive

Current address


detail extensive

none Hardware address

MAC address of the switch.

detail extensive

none

2040




Field Description

Level of Output

Alternate link address


detail extensive

Last flapped

Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago). For example, Last flapped: 2008–01–16 10:52:40 UTC (3d 22:58 ago). The entry can also be Never.

detail extensive


detail extensive


none

none Traffic statistics

Number and rate of bytes and packets transmitted or received on the physical interface for supported switches. •

detail extensive

Input bytes—Number of bytes received on the interface for this switch. This

value reflects the information gathered by the automatic ingress counter on EX3200 switches and EX4200 switches. EX8200 switches can also be configured to collect this information with the command l3-interface-ingress-counting. •

Output bytes—Number of bytes sent on the interface. This value reflects the

information gathered by the automatic egress counter for EX8200 switches. •

Input packets—Number of packets received on the interface for this switch.

This value reflects the information gathered by the automatic ingress counter for EX3200 and EX4200 switches. EX8200 switches can also be configured to collect this information with the command l3-interface-ingress-counting. •

Output packets—Number of packets sent on the interface. This value reflects

the information gathered by the automatic egress counter for EX8200 switches. IPv6 transit statistics

Number and rate of bytes and packets transmitted and/or received on the IPv6 interface for supported switches. •

detail extensive

Input bytes—Number of bytes received on the interface. This value reflects

the information gathered by the automatic ingress counter for EX3200 and EX4200 switches. EX8200 switches can also be configured to collect this information with the command l3-interface-ingress-counting. •

Output bytes—Number of bytes sent on the IPv6 interface. This value reflects

the information gathered by the automatic egress counter for EX8200 switches. •

Input packets—Number of packets received on the interface. This value reflects

the information gathered by the automatic ingress counter for EX3200 and EX4200 switches. EX8200 switches can also be configured to collect this information with the command l3-interface-ingress-counting. •

Output packets—Number of packets sent on the IPv6 interface. This value

reflects the information gathered by the automatic egress counter for and EX8200 switches.


2041

®



Field Description

Level of Output

Input Errors

Input errors on the interface. The following paragraphs explain some of the counters whose meaning may not be obvious.

extensive

•


•


ASIC. If the interface is saturated, this value increments once for every packet that is dropped by the ASIC's RED mechanism. •


(FCS). •


•


discarded because they were not recognized or not of interest. Usually, this field reports protocols that Junos OS does not handle. •


Layer 3 sanity checks of the headers. For example, a frame with less than 20 bytes of available IP header is discarded. •






by the ASIC. If this value is ever nonzero, the interface is probably malfunctioning. •

2042





Field Description

Level of Output

Output errors

Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:

extensive

•


This value does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the interface is malfunctioning. •


•



Collisions—Number of Ethernet collisions. Both Gigabit Ethernet interfaces

and 10 Gigabit Ethernet interfaces support only full-duplex operation, so for those two interfaces, this value should always be zero. If the value is nonzero for either Gigabit Ethernet or 10 Gigabit Ethernet, there is a software bug. •




ASIC on the interface. If this value is ever nonzero, the interface is probably malfunctioning. •




•


Logical Interface vlan.vlan-id, Index, SNMP ifIndex

VLAN ID, index, and SNMP index number for the logical interface. The logical interface index values reflect the item’s initialization sequence.

detail extensive

none Generation

Unique number for Juniper Networks Technical support use only.

detail extensive

none Flags

Errors that have occurred on this interface, such as Link Layer Down. Other possible flags include:

detail extensive

none •

Device-down—Device has been administratively disabled.

•

Disabled—Interface is administratively disabled.

•

Down—A hardware failure has occurred.

•

Hardware-Down—Interface protocol initialization failed to complete

successfully. •

SNMP-Traps—SNMP trap notifications are enabled.

•

Up—Interface is enabled and operational.


2043

®



Field Description

Level of Output

SNMP-Traps

Each configured SNMP trap has a number that appears here—0x0 is always displayed for logical interface SNMP traps.

detail extensive

none Encapsulation

Encapsulation method, which is the process of adding control information. The value is always Ethernet 2 (ENET2) for logical encapsulation.

detail extensive

none Traffic statistics

Number and rate of bytes and packets received and transmitted on the logical interface of supported switches. Traffic statistics represent the sum of the next two fields, Local statistics and Transit statistics. Note that these are not the values for the RVI ingress or egress counters—for that value, see Transit statistics below. •

detail extensive

Input bytes—Number of bytes received on the interface. Same value as the

physical interface. •

Output bytes—Number of bytes sent on the interface. Same value as the


Input packets—Number of packets received on the interface. Same value as

the physical interface. •

Output packets—Number of bytes sent on the interface. Same value as the

physical interface. NOTE: The bandwidth bps counter is not enabled on the switches. Local statistics

Number and rate of bytes and packets received and transmitted locally by the Routing Engine on the logical interface of supported switches. All packets for protocols and process statistics are counted here. •

detail extensive

none

Input bytes—Number of bytes received on the interface. Same value as for

the physical interface. •

Output bytes—Number of bytes sent on the interface. Same value as for the


Input packets—Number of packets received on the interface. Same value as

for the physical interface. •

Output packets—Number of bytes sent on the interface. Same value as for

the physical interface. Transit statistics

Number and rate of bytes and packets received and transmitted on the RVI logical interface of supported switches. Look at this value to see the RVI ingress and egress count. •

detail extensive

Input bytes—Number of bytes received on the interface. This ingress counter

is automatic for EX3200 and EX4200 switches and configurable for EX8200 switches. •

Output bytes—Number of bytes sent on the interface. This egress counter is

automatic for EX8200. •

Input packets—Number of packets received on the interface. This ingress

counter is automatic for EX3200 and EX4200 switches and configurable for EX8200 switches. •

Output packets—Number of packets sent on the interface. This egress counter

is automatic for EX8200 switches.

2044




Field Description

Level of Output


Number and rate of IPv6 bytes and packets received and transmitted on the RVI logical interface of supported switches. Transit values are unique to the logical interface and do not appear in physical interface output. Look at the values listed below to see the RVI ingress and egress count for IPv6 traffic.

detail extensive

•

Input bytes—Number of bytes received on the interface. This ingress counter

is automatic for EX3200 and EX4200 switches and configurable for EX8200 switches. •

Output bytes—Number of bytes sent by the interface. This egress counter is

automatic for EX8200 switches. •

Input packets—Number of packets received on the interface. This ingress

counter is automatic for EX3200 and EX4200 and configurable for EX8200 switches. •

Output packets—Number of packets sent by the interface. This egress counter

is automatic for EX8200 switches. NOTE: The bandwidth bps counter is not enabled on the switches. Protocol

Protocol used for the logical interface—this value is inet for IPv4 traffic and inet6 for IPv6 traffic.

All levels

Generation


detail extensive

Route table


detail extensive

none Protocol flags

Information about the protocol such as Targeted-broadcast.

detail extensive

none Protocol addresses and Address flags

Protocol address values here can be: Dest-route-down—The routing process detected that the link was not operational and changed the interface routes to nonforwarding status Device-down—Device has been administratively disabled. Disabled—Interface is administratively disabled. Down—A hardware failure has occurred. Hardware-Down—Interface protocol initialization failed to complete successfully. Is-Default—This address is the default address of the switch. The default address is used as the source address by SNMP, ping, traceroute, and other network utilities. Is-Preferred—This address is the default local address for packets originating from the local switch and sent to destinations on the subnet. Is-Primary—This address is the default local address for broadcast and multicast packets originated locally and sent out the interface. Preferred—This address is a candidate to become the preferred address. Primary—This address is a candidate to become the primary address.

detail extensive

none

SNMP-Traps—SNMP trap notifications are enabled. Up—Interface is enabled and operational.


2045

®



Field Description

Level of Output

Address destination

Logical destination’s network address.

detail extensive

none Local address


detail extensive

none Broadcast address


detail extensive

none Generation


detail extensive

Sample Output show interfaces vlan

user@switch> show interfaces vlan Physical interface: vlan, Enabled, Physical link is Up Interface index: 150, SNMP ifIndex: 556 Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 1000mbps Device flags : Present Running Link type : Full-Duplex Link flags : None Current address: 00:21:59:c5:f0:40, Hardware address: 00:21:59:c5:f0:40 Last flapped : Never Input packets : 0 Output packets: 0 Logical interface vlan.0 (Index 82) (SNMP ifIndex 557) Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2 Input packets : 0 Output packets: 1 Protocol inet Flags: Targeted-broadcast Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.1.1/24, Local: 10.1.1.1, Broadcast: 10.1.1.255 Logical interface vlan.1 (Index 83) (SNMP ifIndex 558) Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2 Input packets : 0 Output packets: 1 Protocol inet Flags: Targeted-broadcast Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.1.2/24, Local: 10.1.2.1, Broadcast: 10.1.2.255

show interfaces vlan terse

2046

user@switch> show interfaces vlan terse Interface Admin Link Proto vlan up up

Local

Remote



vlan.0 vlan.1

show interfaces vlan extensive

up up

down inet down inet

10.1.1.1/24 10.1.2.1/24

user@switch> show interfaces vlan extensive Physical interface: vlan, Enabled, Physical link is Up Interface index: 150, SNMP ifIndex: 556, Generation: 153 Type: VLAN, Link-level type: VLAN, MTU: 1518, Clocking: Unspecified, Speed: 1000mbps Device flags : Present Running Link type : Full-Duplex Link flags : None Physical info : Unspecified Hold-times : Up 0 ms, Down 0 ms Current address: 00:21:59:c5:f0:40, Hardware address: 00:21:59:c5:f0:40 Alternate link address: Unspecified Last flapped : Never Statistics last cleared: Never Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0 Logical interface vlan.0 (Index 82) (SNMP ifIndex 557) (Generation 147) Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, Generation: 159, Route table: 0 Flags: Targeted-broadcast Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.1.1/24, Local: 10.1.1.1, Broadcast: 10.1.1.255, Generation: 138 Logical interface vlan.1 (Index 83) (SNMP ifIndex 558) (Generation 148) Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0


2047

®


Output bytes : 42 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, Generation: 160, Route table: 0 Flags: Targeted-broadcast Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.1.2/24, Local: 10.1.2.1, Broadcast: 10.1.2.255, Generation: 140

show interfaces vlan detail

user@switch> show interfaces vlan detail Physical interface: vlan, Enabled, Physical link is Up Interface index: 150, SNMP ifIndex: 556, Generation: 153 Type: VLAN, Link-level type: VLAN, MTU: 1518, Clocking: Unspecified, Speed: 1000mbps Device flags : Present Running Link type : Full-Duplex Link flags : None Physical info : Unspecified Hold-times : Up 0 ms, Down 0 ms Current address: 00:21:59:c5:f0:40, Hardware address: 00:21:59:c5:f0:40 Alternate link address: Unspecified Last flapped : Never Statistics last cleared: Never Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Logical interface vlan.0 (Index 82) (SNMP ifIndex 557) (Generation 147) Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps

2048



Output packets: 0 0 pps Protocol inet, Generation: 159, Route table: 0 Flags: Targeted-broadcast Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.1.1/24, Local: 10.1.1.1, Broadcast: 10.1.1.255, Generation: 138 Logical interface vlan.1 (Index 83) (SNMP ifIndex 558) (Generation 148) Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 42 Input packets: 0 Output packets: 1 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, Generation: 160, Route table: 0 Flags: Targeted-broadcast Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.1.2/24, Local: 10.1.2.1, Broadcast: 10.1.2.255, Generation: 140


2049

®


show interfaces xeSyntax


show interfaces xe-fpc/pic/port

Command introduced in Junos OS Release 9.0 for EX Series switches. Display status information about the specified 10-Gigabit Ethernet interface.

NOTE: You must have a transceiver plugged into an SFP+ or XFP port before information about the interface can be displayed.

Options

xe-fpc/pic/port —Display standard information about the specified 10-Gigabit Ethernet

interface. brief | detail | extensive | terse—(Optional) Display the specified level of output. media—(Optional) Display media-specific information about network interfaces. For

10-Gigabit Ethernet interfaces, using the media option does not provide you with new or additional information. The output is the same as when the media option is not used. statistics—(Optional) Display static interface statistics. For 10-Gigabit Ethernet interfaces,

using the statistics option does not provide you with new or additional information. The output is the same as when the statistics option is not used. Required Privilege Level Related Documentation


Output Fields

2050

view

•


•


•


•


•


show interfaces xe-4/1/0 on page 2059 show interfaces xe-0/1/0 brief on page 2059 show interfaces xe-4/1/0 detail on page 2059 show interfaces xe-6/0/39 extensive on page 2060 Table 235 on page 2051 lists the output fields for the show interfaces xe- command. Output fields are listed in the approximate order in which they appear.



Table 235: show interfaces xe- Output Fields Field Name

Field Description

Level of Output

Fields for the Terse Output Level Only Interface

Name of the physical or logical interface.

terse

Admin

Administrative state of the interface.

terse

Link

State of the physical link.

terse

Proto

Protocol family configured on the logical interface.

terse

Local

Local IP address of the logical interface.

terse

Remote

Remote IP address of the logical interface.

terse

Fields for the Physical Interface Physical interface



none Enabled

State of the interface. Can be one of the following: •

Administratively down, Physical link is Down—The interface is turned off, and

the physical link is inoperable and cannot pass packets even when it is enabled. •


none

Administratively down, Physical link is Up—The interface is turned off, but the

physical link is operational and can pass packets when it is enabled. •

Enabled, Physical link is Down—The interface is turned on, but the physical

link is inoperable and cannot pass packets. •

Enabled, Physical link is Up—The interface is turned on, and the physical link

is operational and can pass packets. Interface index


detail extensive

none SNMP ifIndex


detail extensive

none Generation


detail extensive

Description

User-configured interface description.


none


2051

®


Table 235: show interfaces xe- Output Fields (continued) Field Name

Field Description

Level of Output

Link-level type



none MTU

Maximum transmission unit size on the physical interface.


none Speed



none Duplex

Duplex mode of the interface.


none BPDU Error

Not supported on EX Series switches.

detail extensive

none MAC-REWRITE Error

Not supported on EX Series switches.

detail extensive

none Loopback

Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: Local or Remote.


none Source filtering

Source filtering status: Enabled or Disabled.


none Flow control

Flow control status: Enabled or Disabled.


none Device flags



none Interface flags



none

2052




Field Description

Level of Output

Link flags

Information about the link.


none CoS queues


detail extensive

none Hold-times


detail extensive

Current address


detail extensive

none Hardware address

Hardware MAC address.

detail extensive

none Last flapped

Date, time, and how long ago the interface went from down to up. The format is year-month-day hour:minute:second timezone (weekswdaysd hours:minutes:seconds ago). For example, 2008–01–16 10:52:40 UTC (3d 22:58

detail extensive

none

ago). Input Rate

Input rate in bits per second (bps) and packets per second (pps).

none

Output Rate

Output rate in bps and pps.

none


Date, time, and how long ago the statistics for the interface were cleared. The format is year-month-day hour:minute:second timezone (weekswdaysd hours:minutes:seconds ago). For example, 2010-05-17 07:51:28 PDT (00:04:33 ago).

detail extensive

Traffic statistics


detail extensive

•

Input bytes—Number of bytes received on the interface and rate in bits per

second. •

Output bytes—Number of bytes transmitted on the interface and rate in bits

per second. •

Input packets—Number of packets received on the interface and rate in

packets per second. •

Output packets—Number of packets transmitted on the interface and rate in

packets per second.


2053

®



Field Description

Level of Output


If IPv6 statistics tracking is enabled, number of IPv6 bytes and packets received and transmitted on the logical interface:

detail extensive

Input errors

•


•


•


•


Input errors on the interface:

extensive

•


•




(FCS). •


•




Layer 3 sanity checks of the header. For example, a frame with less than 20 bytes of available IP header is discarded. L3 incomplete errors can be ignored if you configure the ignore-l3-incompletes statement. •






by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning. •

2054





Field Description

Level of Output

Output errors

Output errors on the interface:

extensive

•


This number does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning. •


•



Collisions—Number of Ethernet collisions. A 10-Gigabit Ethernet interface

supports only full-duplex operation, so for 10-Gigabit Ethernet interfaces, this number should always remain 0. If it is nonzero, there is a software bug. •




ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning. •




•


Ingress queues

Number of CoS ingress queues supported on the specified interface. Displayed only for an interface on a line card with oversubscribed ports.

detail extensive

Egress queues

Number of CoS egress queues supported on the specified interface.

detail extensive

PFE Egress queues

Number of Packet Forwarding Engine egress queues shared by the interfaces in a port group. Displayed only for an interface on a line card with oversubscribed ports.

detail extensive

Queue counters

Statistics for queues:

detail extensive

•

Queued packets—Number of queued packets. This counter is not supported

on EX switches and always contains 0. •


•



2055

®



Field Description

Level of Output

Active alarms and Active defects

Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the switch configuration, an alarm can ring the red or yellow alarm bell on the switch or turn on the red or yellow alarm LED on the front of the switch. These fields can contain the value None or Link.

detail extensive

•

None—There are no active defects or alarms.

•

Link—Interface has lost its link state, which usually means that the cable is

none

unplugged, the far-end system has been turned off, or the PIC is malfunctioning. MAC statistics

Receive and Transmit statistics reported by the PIC's MAC subsystem.

extensive

•

Total octets and total packets—Total number of octets and packets.

•

Unicast packets, Broadcast packets, and Multicast packets—Number of unicast,

broadcast, and multicast packets. •

CRC/Align errors—Total number of packets received that had a length

(excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). •

FIFO error—Number of FIFO errors that are reported by the ASIC on the PIC.

If this value is ever nonzero, the PIC is probably malfunctioning. •

MAC control frames—Number of MAC control frames.

•

MAC pause frames—Number of MAC control frames with pause operational

code. •

Oversized frames—Number of frames that exceed 1518 octets.

•

Jabber frames—Number of frames that were longer than 1518 octets (excluding


Fragment frames—Total number of packets that were less than 64 octets in

length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted. •

Code violations—Number of times an event caused the PHY to indicate “Data

reception error” or “invalid data symbol error.” Packet Forwarding Engine configuration

2056


extensive

Destination slot—FPC slot number: •

On standalone switches with built-in interfaces, the slot number refers to the switch itself and is always 0.

•

On Virtual Chassis composed of switches with built-in interfaces, the slot number refers to the member ID of the switch.

•

On switches with line cards or on Virtual Chassis composed of switches with line cards, the slot number refers to the line card slot number on the switch or Virtual Chassis.




Field Description

Level of Output

CoS Information

Scheduler information for the CoS egress queues on the physical interface:

extensive

•

Direction—Queue direction, always Output.

•

CoS transmit queue—Queue number and its associated user-configured

forwarding class name. •

•

Bandwidth—Information about bandwidth allocated to the queue: •

%—Bandwidth allocated to the queue as a percentage

•

bps—Bandwidth allocated to the queue in bps

Buffer—Information about buffer space allocated to the queue: •

%—Buffer space allocated to the queue as a percentage.

•

usec—Buffer space allocated to the queue in microseconds. This value is

nonzero only if the buffer size is configured in terms of time. •

Priority—Queue priority: low or high.

•

Limit—Displayed if rate limiting is configured for the queue. Possible values are none and exact. If exact is configured, the queue transmits only up to the configured bandwidth, even if excess bandwidth is available. If none is

configured, the queue transmits beyond the configured bandwidth if bandwidth is available.

Fields for Logical Interfaces Logical interface



none Index


detail extensive

none SNMP ifIndex


detail extensive

none Generation


detail extensive

Description

User-configured description of the interface.


none Flags



none Encapsulation



none


2057

®



Field Description

Level of Output

Traffic statistics


detail extensive

NOTE: For logical interfaces on EX Series switches, the traffic statistics fields in show interfaces commands show only control traffic; the traffic statistics do not include data traffic. Local statistics

Number and rate of bytes and packets destined to and from the switch.

extensive

Transit statistics

Number and rate of bytes and packets transiting the switch.

extensive

Protocol

Protocol family.

detail extensive

none Generation


detail extensive

Route Table


detail extensive

none Input Filters

Names of any input filters applied to this interface.

detail extensive

Output Filters

Names of any output filters applied to this interface.

detail extensive

Flags


detail extensive

If unicast reverse-path forwarding (RPF) is explicitly configured on the specified interface, the uRPF flag is displayed. If unicast RPF was configured on a different interface (and therefore is enabled on all switch interfaces) but was not explicitly configured on the specified interface, the uRPF flag is not displayed even though unicast RPF is enabled. Addresses, Flags


detail extensive

none protocol-family


brief

Flags


detail extensive

none Destination


detail extensive

none

2058




Field Description

Level of Output

Local


detail extensive

none Broadcast

Broadcast address of the logical interlace.

detail extensive

none Generation


detail extensive

Sample Output show interfaces xe-4/1/0

user@switch show interfaces xe-4/1/0 Physical interface: xe-4/1/0, Enabled, Physical link is Up Interface index: 387, SNMP ifIndex: 369 Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Current address: 00:23:9c:03:8e:70, Hardware address: 00:23:9c:03:8e:70 Last flapped : 2009-05-12 08:01:04 UTC (00:13:44 ago) Input rate : 36432 bps (3 pps) Output rate : 0 bps (0 pps) Active alarms : None Active defects : None Logical interface xe-4/1/0.0 (Index 66) (SNMP ifIndex 417) Flags: SNMP-Traps Encapsulation: ENET2 Input packets : 0 Output packets: 0 Protocol eth-switch Flags: None

show interfaces xe-0/1/0 brief

user@switch> show interfaces xe-0/1/0 brief Physical interface: xe-0/1/0, Enabled, Physical link is Up Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None Logical interface xe-0/1/0.0 Flags: SNMP-Traps Encapsulation: ENET2 eth-switch

show interfaces xe-4/1/0 detail

user@switch> show interfaces xe-4/1/0 detail Physical interface: xe-4/1/0, Enabled, Physical link is Up Interface index: 387, SNMP ifIndex: 369, Generation: 390 Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex,


2059

®


BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:23:9c:03:8e:70, Hardware address: 00:23:9c:03:8e:70 Last flapped : 2009-05-12 08:01:04 UTC (00:13:49 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 4945644 48576 bps Output bytes : 0 0 bps Input packets: 3258 4 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort

0

0

0

1 assured-forw

0

0

0

5 expedited-fo

0

0

0

7 network-cont

0

0

0

Active alarms : None Active defects : None Logical interface xe-4/1/0.0 (Index 66) (SNMP ifIndex 417) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol eth-switch, Generation: 174, Route table: 0 Flags: None Input Filters: f1, Output Filters: f2,,,,

show interfaces xe-6/0/39 extensive

2060

(Generation 158)

0 0 0 0

bps bps pps pps

user@switch> show interfaces xe-6/0/39 extensive Physical interface: xe-6/0/39, Enabled, Physical link is Up Interface index: 291, SNMP ifIndex: 1641, Generation: 316 Link-level type: Ethernet, MTU: 1514, Speed: 10Gbps, Duplex: Full-Duplex, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,



Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:72:f2:88, Hardware address: 00:19:e2:72:f2:88 Last flapped : 2010-05-13 14:49:43 PDT (1d 00:14 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 49625962140160 4391057408 bps Output bytes : 47686985710805 4258984960 bps Input packets: 387702829264 4288139 pps Output packets: 372554570944 4159166 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Ingress queues: 2 supported, 2 in use Queue counters: Queued packets Transmitted packets Dropped packets Low priority 0 336342805223 7986622358 High priorit 0 0 0 Egress queues: 8 supported, 8 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 0 333760130103 0 1 assured-forw 0 0 0 2 mcast-be 0 274948977 0 3 queue3 0 0 0 4 mcast-ef 0 0 0 5 expedited-fo 0 0 0 6 mcast-af 0 0 0 7 network-cont 0 46613 0 PFE Egress queues: 8 supported, 8 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 0 737867061290 5595302082 1 assured-forw 0 0 0 2 mcast-be 0 0 0 3 queue3 0 0 0 4 mcast-ef 0 0 0 5 expedited-fo 0 0 0 6 mcast-af 0 0 0 7 network-cont 0 97800 0 Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 49625962140160 47686985710805 Total packets 387702829264 372554570944 Unicast packets 387702829264 372554518472 Broadcast packets 0 2 Multicast packets 0 52470 CRC/Align errors 0 0 FIFO errors 0 0


2061

®


MAC control frames MAC pause frames Oversized frames Jabber frames Fragment frames Code violations Packet Forwarding Engine configuration: Destination slot: 6 CoS information: Direction : Output CoS transmit queue Bandwidth % bps 0 best-effort 75 7500000000 2 mcast-be 20 2000000000 7 network-cont 5 500000000

0 0 0 0 0 0

0 0

% 75 20 5

Buffer Priority usec 0 low 0 low 0 low

Limit none none none

Logical interface xe-6/0/39.0 (Index 1810) (SNMP ifIndex 2238) (Generation 1923) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 9375416 Input packets: 0 Output packets: 48901 Local statistics: Input bytes : 0 Output bytes : 9375416 Input packets: 0 Output packets: 48901 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol eth-switch, Generation: 1937, Route table: 0 Flags: Trunk-Mode

2062

0 0 0 0

bps bps pps pps



show ipv6 neighbors Syntax Release Information


Output Fields

show ipv6 neighbors

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.3 for EX Series switches. Display information about the IPv6 neighbor cache. This command has no options. view

•

clear ipv6 neighbors on page 1978

show ipv6 neighbors on page 2063 show ipv6 neighbors on page 2063 Table 236 on page 2063 describes the output fields for the show ipv6 neighbors command. Output fields are listed in the approximate order in which they appear.

Table 236: show ipv6 neighbors Output Fields Field Name

Field Description

IPv6 Address

Name of the IPv6 interface.

Linklayer Address

Link-layer address.

State

State of the link: up, down, incomplete, reachable, stale, or unreachable.

Exp

Number of seconds until the entry expires.

Rtr

Whether the neighbor is a routing device: yes or no.

Secure

Whether this entry was created using the Secure Neighbor Discovery (SEND) protocol: yes or no.

Interface

Name of the interface.

Sample Output show ipv6 neighbors

show ipv6 neighbors

user@host> show ipv6 neighbors IPv6 Address Linklayer Address fe80::2a0:c9ff:fe5b:4c1e 00:a0:c9:5b:4c:1e

State reachable

Exp 15

Rtr yes

Interface fxp0.0

user@host > show ipv6 neighbors


2063

®


IPv6 Address Interface fe80::14fb:5dcf:54bd:ff76 ge-3/2/0.0

2064

Linklayer Address

State

Exp Rtr Secure

00:90:69:a0:a8:bc

stale

1113 yes yes



show lacp interfaces Syntax Release Information

Description

Options

show lacp interfaces interface-name

Command introduced in Junos 10.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display Link Aggregation Control Protocol (LACP) information about the specified aggregated Ethernet or Gigabit Ethernet interface. none—Display LACP information for all interfaces. interface-name—(Optional) Display LACP information for the specified interface:



Output Fields

•

Aggregated Ethernet—aex

•

Gigabit Ethernet—ge-fpc/pic/port

•

10-Gigabit Ethernet—xe-fpc/pic/port

view

•


•


•

Example: Configuring Link Aggregation Between a QFX Series Product and an Aggregation Switch

•


•

Configuring Link Aggregation

•


•


•


•

Understanding Aggregated Ethernet Interfaces and LACP

•


show lacp interfaces (EX Series Switches) on page 2067 show lacp interfaces (QFabric Switches) on page 2068 Table 237 on page 2066 lists the output fields for the show lacp interfaces command. Output fields are listed in the approximate order in which they appear.


2065

®


Table 237: show lacp interfaces Output Fields Field Name

Field Description

Aggregated interface

Aggregated Ethernet interface name.

LACP State

LACP state information for each aggregated Ethernet interface: •

For a child interface configured with force-up, LACP state displays FUP along with the interface name.

•

Role—Role played by the interface. It can be one of the following:

•

•

Actor—Local device participating in LACP negotiation.

•

Partner—Remote device participating in LACP negotiation.

Exp—Expired state. Yes indicates the actor or partner is in an expired state. No indicates the actor

or partner is not in an expired state. •

Def—Default. Yes indicates that the actor’s receive machine is using the default operational partner information, administratively configured for the partner. No indicates the operational partner

information in use has been received in an LACP PDU. •

Dist—Distribution of outgoing frames. No indicates distribution of outgoing frames on the link is currently disabled and is not expected to be enabled. Otherwise, the value is Yes.

•

Col—Collection of incoming frames. Yes indicates collection of incoming frames on the link is currently enabled and is not expected to be disabled. Otherwise, the value is No.

•

Syn—Synchronization. If the value is Yes, the link is considered synchronized. It has been allocated

to the correct link aggregation group, the group has been associated with a compatible aggregator, and the identity of the link aggregation group is consistent with the system ID and operational key information transmitted. If the value is No, the link is not synchronized. It is currently not in the right aggregation. •

Aggr—Ability of aggregation port to aggregate (Yes) or to operate only as an individual link (No).

•

Timeout—LACP timeout preference. Periodic transmissions of LACP PDUs occur at either a slow or fast transmission rate, depending upon the expressed LACP timeout preference (Long Timeout or Short Timeout).

•

Activity—Actor or partner’s port activity. Passive indicates the port’s preference for not transmitting LAC PDUs unless its partner’s control value is Active. Active indicates the port’s preference to

participate in the protocol regardless of the partner’s control value.

2066



Table 237: show lacp interfaces Output Fields (continued) Field Name

Field Description

LACP Protocol

LACP protocol information for each aggregated interface: •

Link state (active or standby) indicated in parentheses next to the interface when link protection is configured.

•

Receive State—One of the following values: •

Current—The state machine receives an LACP PDU and enters the Current state.

•

Defaulted—If no LACP PDU is received before the timer for the Current state expires a second time, the state machine enters the Defaulted state.

•

Expired—If no LACP PDU is received before the timer for the Current state expires once, the state machine enters the Expired state.

•

Initialize—When the physical connectivity of a link changes or a Begin event occurs, the state machine enters the Initialize state.

•

LACP Disabled—If the port is operating in half duplex, the operation of LACP is disabled on the port, forcing the state to LACP Disabled. This state is similar to the Defaulted state, except that

the port is forced to operate as an individual port. •

•

•

Port Disabled—If the port becomes inoperable and a Begin event has not occurred, the state machine enters the Port Disabled state.

Transmit State—Transmit state of the state machine. One of the following values: •

Fast periodic—Periodic transmissions are enabled at a fast transmission rate.

•

No periodic—Periodic transmissions are disabled.

•

Periodic timer—Transitory state entered when the periodic timer expires.

•

Slow periodic—Periodic transmissions are enabled at a slow transmission rate.

Mux State—State of the multiplexer state machine for the aggregation port. The state is one of the

following values: •

Attached—Multiplexer state machine initiates the process of attaching the port to the selected

aggregator. •

Collecting—Yes indicates that the receive function of this link is enabled with respect to its

participation in an aggregation. Received frames are passed to the aggregator for collection. No indicates the receive function of this link is not enabled. •

Collecting distributing—Collecting and distributing states are merged together to form a combined

state (coupled control). Because independent control is not possible, the coupled control state machine does not wait for the partner to signal that collection has started before enabling both collection and distribution. •

Detached—Process of detaching the port from the aggregator is in progress.

•

Distributing—Yes indicates that the transmit function of this link is enabled with respect to its

participation in an aggregation. Frames may be passed down from the aggregator’s distribution function for transmission. No indicates the transmit function of this link is not enabled. •

Waiting—Multiplexer state machine is in a holding process, awaiting an outcome.

Sample Output show lacp interfaces (EX Series Switches)

user@switch> show lacp interfaces ae1 Aggregated interface: ae1 LACP state: Role Exp Def Dist Col Syn Aggr ge-0/0/22 Actor No No Yes Yes Yes Yes ge-0/0/22 Partner No No Yes Yes Yes Yes ge-0/0/23 Actor No No Yes Yes Yes Yes ge-0/0/23 Partner No No Yes Yes Yes Yes LACP protocol: Receive State Transmit State


Timeout Activity Fast Active Fast Passive Fast Active Fast Passive Mux State

2067

®


ge-0/0/22 ge-0/0/23

show lacp interfaces (QFabric Switches)

Current Current

Fast periodic Collecting distributing Fast periodic Collecting distributing

user@switch> show lacp interfaces nodegroup1:ae0 extensive Aggregated interface: nodegroup1:ae0 LACP state: Role Exp Def Dist Col Syn

Aggr

Timeout

Activity

node1:xe-0/0/1FUP Actor No Yes No No No Yes Fast Active node1xe-0/0/1FUP Partner No Yes No No No Yes Fast Passive node2:xe-0/0/2 Actor No Yes No No No Yes Fast Active node2:xe-0/0/2 Partner No Yes No No No Yes Fast Passive LACP protocol: Receive State Transmit State Mux State node1:xe-0/0/1FUP Current Fast periodic Collecting distributing node2:xe-0/0/2 Current Fast periodic Collecting distributing node1:xe-0/0/1 (active) Current Fast periodic Collecting distributing node2:xe-0/0/2 (standby) Current Fast periodic WAITING

2068



test interface restart-auto-negotiation Syntax Release Information


test interface restart-auto-negotiation interface-name

Command introduced in Junos OS Release 7.6. Command introduced in Junos OS Release 9.0 for EX Series switches. Restarts auto-negotiation on a Fast Ethernet or Gigabit Ethernet interface. interface-name—Interface name: fe-fpc/pic/port or ge-fpc/pic/port.

view

test interface restart-auto-negotiation on page 2069 Use the show interfaces extensive command to see the state for auto-negotiation.

Sample Output test interface restart-auto-negotiation

user@host> test interface restart-auto-negotiation fe-1/0/0


2069

®


2070


PART 14

Ethernet Switching •

Ethernet Switching—Overview on page 2073

•

Examples: Ethernet Switching Configuration on page 2117

•

Configuring Ethernet Switching on page 2217

•

Verifying Ethernet Switching Configuration on page 2247

•

Troubleshooting Ethernet Switching Configuration on page 2261

•

Configuration Statements for Ethernet Switching on page 2263

•

Operational Commands for Ethernet Switching on page 2345


2071

®


2072


CHAPTER 63

Ethernet Switching—Overview •


•

Understanding Private VLANs on EX Series Switches on page 2080

•

Understanding Virtual Routing Instances on EX Series Switches on page 2088

•


•


•


•

Understanding Layer 2 Protocol Tunneling on EX Series Switches on page 2096

•


•


•

Understanding MAC Address Aging on page 2102

•

Understanding Reflective Relay for Use with VEPA Technology on page 2103

•

Understanding Routed VLAN Interfaces on EX Series Switches on page 2105

•

Understanding Edge Virtual Bridging for Use with VEPA Technology on page 2108

•

Ethernet Ring Protection Switching Overview on page 2110

•

Understanding Ethernet Ring Protection Switching Functionality on page 2111

Understanding Bridging and VLANs on EX Series Switches Network switches use Layer 2 bridging protocols to discover the topology of their LAN and to forward traffic toward destinations on the LAN. This topic explains the following concepts regarding bridging and VLANs on Juniper Networks EX Series Ethernet Switches: •

History of VLANs on page 2074

•

How Bridging of VLAN Traffic Works on page 2074

•

Packets Are Either Tagged or Untagged on page 2075

•

Switch Interface Modes—Access, Trunk, or Tagged Access on page 2076

•

Additional Advantages of Using VLANs on page 2077

•

Maximum VLANs and VLAN Members Per Switch on page 2078

•

A Default VLAN Is Configured on Most Switches on page 2078


2073

®


•

Assigning Traffic to VLANs on page 2079

•

Forwarding VLAN Traffic on page 2079

•

VLANs Communicate with RVIs on page 2079

History of VLANs Ethernet LANs were originally designed for small, simple networks that primarily carried text. However, over time, the type of data carried by LANs grew to include voice, graphics, and video. This more complex data, when combined with the ever-increasing speed of transmission, eventually became too much of a load for the original Ethernet LAN design. Multiple packet collisions were significantly slowing down the larger LANs. The IEEE 802.1D-2004 standard helped evolve Ethernet LANs to cope with the higher data and transmission requirements by defining the concept of transparent bridging (generally called simply bridging). Bridging divides a single physical LAN (now called a single broadcast domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of some of the LAN nodes grouped together to form individual broadcast domains. When VLANs are grouped logically by function or organization, a significant percentage of data traffic stays within the VLAN. This relieves the load on the LAN because all traffic no longer has to be forwarded to all nodes on the LAN. A VLAN first transmits packets within the VLAN, thereby reducing the number of packets transmitted on the entire LAN. Because packets whose origin and destination are in the same VLAN are forwarded only within the local VLAN, packets that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. This way, bridging and VLANs limit the amount of traffic flowing across the entire LAN by reducing the possible number of collisions and packet retransmissions within VLANs and on the LAN as a whole.

How Bridging of VLAN Traffic Works Because the objective of the IEEE 802.1D-2004 standard was to reduce traffic and therefore reduce potential transmission collisions for Ethernet , a system was implemented to reuse information. Instead of having a switch go through a location process every time a frame is sent to a node, the transparent bridging protocol allows a switch to record the location of known nodes. When packets are sent to nodes, those destination node locations are stored in address-lookup tables called Ethernet switching tables. Before sending a packet, a switch using bridging first consults the switching tables to see if that node has already been located. If the location of a node is known, the frame is sent directly to that node. Transparent bridging uses five mechanisms to create and maintain Ethernet switching tables on the switch:

2074

•

Learning

•

Forwarding

•

Flooding

•

Filtering

•

Aging


Chapter 63: Ethernet Switching—Overview

The key bridging mechanism used by LANs and VLANs is learning. When a switch is first connected to an Ethernet LAN or VLAN, it has no information about other nodes on the network. As packets are sent, the switch learns the embedded MAC addresses of the sending nodes and stores them in the Ethernet switching table, along with two other pieces of information—the interface (or port) on which the traffic was received on the destination node and the time the address was learned. Learning allows switches to then do forwarding. By consulting the Ethernet switching table to see whether the table already contains the frame’s destination MAC address, switches save time and resources when forwarding packets to the known MAC addresses. If the Ethernet switching table does not contain an entry for an address, the switch uses flooding to learn that address. Flooding finds a particular destination MAC address without using the Ethernet switching table. When traffic originates on the switch and the Ethernet switching table does not yet contain the destination MAC address, the switch first floods the traffic to all other interfaces within the VLAN. When the destination node receives the flooded traffic, it can send an acknowledgment packet back to the switch, allowing it to learn the MAC address of the node and add the address to its Ethernet switching table. Filtering, the fourth bridging mechanism, is how broadcast traffic is limited to the local VLAN whenever possible. As the number of entries in the Ethernet switching table grows, the switch pieces together an increasingly complete picture of the VLAN and the larger LAN—it learns which nodes are in the local VLAN and which are on other network segments. The switch uses this information to filter traffic. Specifically, for traffic whose source and destination MAC addresses are in the local VLAN, filtering prevents the switch from forwarding this traffic to other network segments. To keep entries in the Ethernet switching table current, the switch uses a fifth bridging mechanism, aging. Aging is the reason that the Ethernet switching table entries include timestamps. Each time the switch detects traffic from a MAC address, it updates the timestamp. A timer on the switch periodically checks the timestamp, and if it is older than a user-configured value, the switch removes the node's MAC address from the Ethernet switching table. This aging process eventually flushes unavailable network nodes out of the Ethernet switching table.

Packets Are Either Tagged or Untagged To identify which VLAN a packet belongs to, all packets on an Ethernet VLAN are identified by a numeric tag, as defined in the IEEE 802.1Q standard. For a simple network that has only a single VLAN, all traffic has the same default 802.1Q tag, which is the only VLAN membership that does not mark the packet as tagged. These packets are untagged native packets. When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q ID. That unique VLAN 802.1Q ID is applied to all packets so that network nodes receiving the packets can detect which non-default VLAN the packets belong to. The presence of these unique IDs means the packets are now tagged. VLAN tags 0 and 4095 are reserved by the Juniper Networks Junos operating system (Junos OS), so you cannot assign those tags to a VLAN in your network. The VLAN tags 1 through 4094 can be assigned to VLANs.


2075

®


Switch Interface Modes—Access, Trunk, or Tagged Access Ports, or interfaces, on a switch operate in one of three modes: •

Access mode

•

Trunk mode

•

Tagged-access mode

Access Mode An interface in access mode connects a switch to a single network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. By default, when you boot a switch and use the factory default configuration, or when you boot the switch and do not explicitly configure a port mode, all interfaces on the switch are in access mode and accept only untagged packets from the VLAN named default. You can optionally configure another VLAN and use that instead of default. You can also configure a port to accept untagged packets from the user-configured VLAN. For details on this concept (native VLAN), see “Trunk Mode and Native VLAN” on page 2076.

Trunk Mode Trunk mode interfaces are generally used to connect switches to one another. Traffic sent between switches can then consist of packets from multiple VLANs, with those packets multiplexed so that they can be sent over the same physical connection. Trunk interfaces usually accept only tagged packets and use the VLAN ID tag to determine both the packets’ VLAN origin and VLAN destination. An untagged packet is not recognized on a trunk access port unless you configure additional settings on the port connected in access mode. In the rare case where you want untagged packets to be recognized on a trunk port, you must configure the single VLAN on the access port as native VLAN.

Trunk Mode and Native VLAN With native VLAN configured, frames that do not carry VLAN tags are sent over the trunk interface. If you have a situation where packets pass from a device to a switch in access mode, and you want to then send those packets from the switch over a trunk port, use native VLAN mode. Configure the single VLAN on the switch’s port (which is in access mode) as a native VLAN. The switch’s trunk port will then treat those frames differently than the other tagged packets. For example, if a trunk port has three VLANs, 10, 20, and 30, assigned to it with VLAN 10 being the native VLAN, frames on VLAN 10 that leave the trunk port on the other end have no 802.1Q header (tag). There is another native VLAN option. You can have the switch add and remove tags for untagged packets. To do this, you first configure the single VLAN as a native VLAN on a port attached to a device on the edge. Then, assign a VLAN ID tag to the single native VLAN on the port connected to a device. Last, add the VLAN ID to the trunk port. Now, when the switch receives the untagged packet, it adds the ID you specified and sends and receives the tagged packets on the trunk port configured to accept that VLAN.

2076



Tagged-Access Mode Tagged-access mode accommodates cloud computing, specifically scenarios including virtual machines or virtual computers. Because several virtual computers can be included on one physical server, the packets generated by one server can contain an aggregation of VLAN packets from different virtual machines on that server. To accommodate this situation, tagged-access mode reflects packets back to the physical server on the same downstream port when the destination address of the packet was learned on that downstream port. Packets are also reflected back to the physical server on the downstream port when the destination has not yet been learned. Therefore, the third interface mode, tagged access, has some characteristics of access mode and some characteristics of trunk mode: •

Like access mode, tagged-access mode connects the switch to an access layer device. Unlike access mode, tagged-access mode is capable of accepting VLAN tagged packets.

•

Like trunk mode, tagged-access mode accepts VLAN tagged packets from multiple VLANs. Unlike trunk port interfaces, which are connected at the core/distribution layer, tagged-access port interfaces connect devices at the access layer. Like trunk mode, tagged-access mode also supports native VLAN.

NOTE: Control packets are never reflected back on the downstream port.

Additional Advantages of Using VLANs In addition to reducing traffic and thereby speeding up the network, VLANs have the following advantages: •

VLANs provide segmentation services traditionally provided by routers in LAN configurations, thereby reducing hardware equipment costs.

•

Packets coupled to a VLAN can be reliably identified and sorted into different domains. You can contain broadcasts within parts of the network, thereby freeing up network resources. For example, when a DHCP server is plugged into a switch and starts broadcasting its presence, you can prevent some hosts from accessing it by using VLANs to split up the network.

•

For security issues, VLANs provide granular control of the network because each VLAN is identified by a single IP subnetwork. All packets passing in and out of a VLAN are consistently tagged with the VLAN ID of that VLAN, thereby providing easy identification, because a VLAN ID on a packet cannot be altered. (We recommend that you avoid using 1 as a VLAN ID, because that ID is a default.)

•

VLANs react quickly to host relocation—this is also due to the persistent VLAN tag on packets.

•

On an Ethernet LAN, all network nodes must be physically connected to the same network. In VLANs, the physical location of nodes is not important—you can group network devices in any way that makes sense for your organization, such as by department or business function, types of network nodes, or physical location.


2077

®


Maximum VLANs and VLAN Members Per Switch The number of VLANs supported per switch varies for each switch. Use the configuration-mode command set vlans id vlan-id ? to determine the maximum number of VLANs allowed on a switch. You cannot exceed this VLAN limit because you have to assign a specific ID number when you create a VLAN—you could overwrite one of the numbers, but you cannot exceed the limit. You can, however, exceed the recommended VLAN member maximum for a switch. To determine the maximum number of VLAN members allowed on a switch, multiply the VLAN maximum for the switch times 8 (vmember limit = vlan max * 8). If a switch configuration exceeds the recommended VLAN member maximum, you see a warning message when you commit the configuration. If you ignore the warning and commit such a configuration, the configuration succeeds, but you risk crashing the Ethernet switching process (eswd) due to memory allocation failure.

A Default VLAN Is Configured on Most Switches Some EX Series switches are pre-configured with a VLAN named default that does not tag packets and operates only with untagged packets. On those switches, each interface already belongs to the VLAN named default and all traffic uses this VLAN until you configure more VLANs and assign traffic to those VLANs. There are two situations where switches are not pre-configured to belong to default or any other VLAN—modular switches such as the EX8200 switches and EX6200 switches, and any switch that is part of a Virtual Chassis. The reason that these switches are not pre-configured is that the physical configuration in both situations is flexible. There is no way of knowing which line cards have been inserted in either the EX8200 switch or EX6200 switch. There is also no way of knowing which switches are included in the Virtual Chassis. Switch interfaces in these two cases must first be defined as Ethernet switching interfaces. Once an interface is defined as an Ethernet switching interface, the default VLAN appears in output from the ? help and other commands.

NOTE: When a Juniper Networks EX4500 Ethernet Switch, EX4200 Ethernet Switch, or EX3300 Ethernet Switch is interconnected with other switches in a Virtual Chassis configuration, each individual switch that is included as a member of the configuration is identified with a member ID. The member ID functions as an FPC slot number. When you are configuring interfaces for a Virtual Chassis configuration, you specify the appropriate member ID (0 through 9) as the slot element of the interface name. The default factory settings for a Virtual Chassis configuration include FPC 0 as a member of the default VLAN because FPC 0 is configured as part of the ethernet-switching family. In order to include FPC 1 through FPC 9 in the default VLAN, add the ethernet-switching family to the configurations for those interfaces.

2078



Assigning Traffic to VLANs You can assign traffic on any switch to a particular VLAN by referencing either the interface port of the traffic or the MAC addresses of devices sending traffic.

Assign VLAN Traffic According to the Interface Port Source This method is most commonly used to assign traffic to VLANs. In this case, you specify that all traffic received on a particular switch interface is assigned to a specific VLAN. You configure this VLAN assignment when you configure the switch, by using either the VLAN number (called a VLAN ID) or by using the VLAN name, which the switch then translates into a numeric VLAN ID. This method is referred to simply as creating a VLAN because it is the most commonly used method.

Assign VLAN Traffic According to the Source MAC Address In this case, all traffic received from a specific MAC address is forwarded to a specific egress interface (next hop) on the switch. MAC-based VLANs are either static (named MAC addresses configured one at a time) or dynamic (configured using a RADIUS server). To configure a static MAC-based VLAN, see “Configuring Static MAC Bypass of Authentication (CLI Procedure)” on page 3633. MAC-based VLANs can also be configured dynamically with multiple supplicant authentication. This VLAN traffic assignment can be cumbersome to configure manually, but it can be useful when automated databases manage the switches on your network. For details on setting this up to work dynamically, see “Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch” on page 3583.

Forwarding VLAN Traffic To pass traffic within a VLAN, the switch uses Layer 2 forwarding protocols, including IEEE 802.1Q spanning-tree protocols and Multiple VLAN Registration Protocol (MVRP). To pass traffic between two VLANs, the switch uses standard Layer 3 routing protocols, such as static routing, OSPF, and RIP. On EX Series switches, the same interfaces that support Layer 2 bridging protocols also support Layer 3 routing protocols, providing multilayer switching. To pass traffic from a single device on an access port to a switch and then pass those packets on a trunk port, use the native mode configuration previously discussed under “Trunk Mode” on page 2076.

VLANs Communicate with RVIs Traditionally, switches sent traffic to hosts that were part of the same broadcast domain but routers were needed to route traffic from one broadcast domain (VLAN) to another. Also, only routers performed other Layer 3 functions such as traffic engineering. EX Series switches perform inter-VLAN routing functions using a routed VLAN interface (RVI) named vlan. The RVI detects both MAC addresses and IP addresses and routes data to Layer 3 interfaces, thereby frequently eliminating the need to have both a switch


2079

®


and a router. For more RVI information, see “Understanding Routed VLAN Interfaces on EX Series Switches” on page 2105. Related Documentation

•


•


•


•


•


•


•


•


Understanding Private VLANs on EX Series Switches VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by limiting communication within the VLAN. PVLANs accomplish this limitation by restricting traffic flows through their member switch ports (which are called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port (or link aggregation group or LAG) is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other. PVLANs provide Layer 2 isolation between ports within the same VLAN, splitting a broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside another primary VLAN. Just like regular VLANs, PVLANs are isolated on Layer 2 and require that a Layer 3 device be used to route traffic among them. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from each other. Another typical use for a PVLAN is to provide per-room Internet access in a hotel.

NOTE: You can configure a PVLAN to span different supported switches. See the “EX Series Switch Software Features Overview” on page 3 for a list of switches that support this feature.

This topic explains the following concepts regarding PVLANs on EX Series switches:

2080

•

Typical Structure and Primary Application of PVLANs on page 2081

•

PVLANs Use 802.1Q Tags to Identify Packets on page 2082

•

PVLANs Use IP Addresses Efficiently on page 2083



•

PVLANs Use Four Different Ethernet Switch Port Types on page 2083

•

Creating a PVLAN on page 2085

Typical Structure and Primary Application of PVLANs The configured PVLAN becomes the primary domain, and secondary VLANs become subdomains that are nested inside the primary domain. A PVLAN can be created on a single switch or can be configured to span multiple switches. The PVLAN shown in Figure 53 on page 2081 includes two switches, with a primary PVLAN domain and various subdomains.

Figure 53: Subdomains in a PVLAN

As shown in Figure 53 on page 2081, a PVLAN has only one primary domain and multiple secondary domains. The types of domains are: •

Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs.

•

Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN.


2081

®


•

Secondary interswitch isolated VLAN—VLAN used to forward isolated VLAN traffic from one switch to another through PVLAN trunk ports.

•

Secondary community VLAN—VLAN used to transport frames among members of a community, which is a subset of users within the VLAN, and to forward frames upstream to the primary VLAN.

For example, Figure 54 on page 2082 shows a PVLAN spanning multiple switches, where the primary VLAN (100) contains two community domains (300 and 400) and one inter-switch isolated domain.

Figure 54: PVLAN Spanning Multiple Switches VLAN 100

VLAN 300

VLAN 300

VLAN 400

Finance Community

Finance Community

HR Community

VLAN 400

Router

PVLAN Trunk

VLAN 200

HR Community

Mail server

Backup server

Isolated Domain

Switch 2

VLAN 200

CVS server

Isolated Domain

g020909

Switch 1

Contains VLAN 100,VLAN 200, VLAN 300, and VLAN 400.

PVLANs Use 802.1Q Tags to Identify Packets When packets are marked with a customer-specific 802.1Q tag, that tag identifies ownership of the packets for any switch or router in the network. Sometimes, 802.1Q tags are needed within PVLANs to keep track of packets from different subdomains. Table 238 on page 2082 indicates when a VLAN 802.1Q tag is needed on the primary VLAN or on secondary VLANs.

Table 238: When VLANs in a PVLAN Need 802.1Q Tags

Primary VLAN

2082

On a Single Switch

On Multiple Switches

Specify an 802.1Q tag by setting a VLAN ID.

Specify an 802.1Q tag by setting a VLAN ID.



Table 238: When VLANs in a PVLAN Need 802.1Q Tags (continued)

Secondary VLAN

On a Single Switch

On Multiple Switches

No tag needed on VLANs.

VLANs need 802.1Q tags: •

Specify an 802.1Q tag for each community VLAN by setting a VLAN ID.

•

Specify the 802.1Q tag for an isolation VLAN ID by setting an isolation ID.

PVLANs Use IP Addresses Efficiently PVLANs provide IP address conservation and efficient allocation of IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In PVLANs, the hosts in all secondary VLANs belong to the same IP subnet because the subnet is allocated to the primary VLAN. Hosts within the secondary VLAN are assigned IP addresses based on IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet.

PVLANs Use Four Different Ethernet Switch Port Types PVLANs isolate ports within the same broadcast domain. To do this, four different kinds of PVLAN ports are used, with different restrictions for different situations. For example, the network in Figure 54 on page 2082 shows a PVLAN spanning multiple switches, where the primary VLAN (100) contains two community domains (300 and 400) and one interswitch isolated domain. This configuration requires one type of port to transport all information to the router, another type to connect the finance and HR communities to their respective switches, a third type of port to connect the servers, and a fourth type of port to connect the two switches.


2083

®


Figure 55: PVLAN Spanning Multiple Switches VLAN 100

VLAN 300

VLAN 300

VLAN 400

Finance Community

Finance Community

HR Community

VLAN 400

Router

PVLAN Trunk

VLAN 200

HR Community

Mail server

Backup server

Isolated Domain

Switch 2

VLAN 200

CVS server

Isolated Domain

g020909

Switch 1

Contains VLAN 100,VLAN 200, VLAN 300, and VLAN 400.

PVLANs use four different port configurations to meet these different needs. The network depicted above uses a promiscuous port to transport information to the router, community ports to connect the finance and HR communities to their respective switches, isolated ports to connect the servers, and a PVLAN trunk port to connect the two switches. These ports have different restrictions to fit different situations:

2084

•

Promiscuous port—A promiscuous port is an upstream trunk port connected to a router, firewall, server, or provider network. A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN. Each private VLAN typically contains a single promiscuous uplink port. Use a promiscuous port to move traffic between ports in community or isolated VLANs.

•

Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

•

Isolated port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports—an isolated port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN (or interswitch isolated VLAN) domain. Typically, a server, such as a mail server or a backup server, is connected on an isolated port. In a hotel, each room would typically be connected on an isolated port, meaning that room-to-room communication is not possible, but each room can access the Internet on the promiscuous port.

•

PVLAN trunk port—A PVLAN trunk port is a trunk port that connects two switches when a PVLAN spans those switches. The PVLAN trunk port is a member of all VLANs within



the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN). It can communicate with all ports other than the isolated ports. Communication between a PVLAN trunk port and an isolated port is unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that incoming traffic on the PVLAN trunk port is never assigned to the interswitch isolated VLAN. An isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port cannot forward packets to an isolated port. Table 239 on page 2085 summarizes whether Layer 2 connectivity exists between the different types of ports.

Table 239: PVLAN Ports and Layer 2 Connectivity Port Type

Promiscuous Port

Community Port

Isolated Port

PVLAN Trunk Port

Promiscuous

Yes

Yes

Yes

Yes

Community

Yes

Yes—same community only.

No

Yes

Isolated

Yes

No

No

Yes NOTE: This communication is unidirectional.

PVLAN trunk

Yes

Yes—same community only.

Yes

Yes

NOTE: If you enable no-mac-learning on a primary VLAN, all isolated VLANs (or the interswitch isolated VLAN) in the PVLAN inherit that setting. However, if you want to disable MAC address learning on any community VLANs, you must configure no-mac-learning on each of those VLANs.

Creating a PVLAN The flowcharts shown in Figure 3 and Figure 4 give you a general idea of the process for creating PVLANs. If you complete your configuration steps in the order shown, you will not violate these PVLAN rules: •

The primary VLAN must be a tagged VLAN.

•

If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

•

If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

•

Secondary VLANs and the PVLAN trunk port must be committed on a single commit if MVRP is configured on the PVLAN trunk port.

NOTE: Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.


2085

®


Configuring a PVLAN on a Single Switch Configuring a VLAN on a single switch is relatively simple, as shown in Figure 56 on page 2086.

Figure 56: Configuring a PVLAN on a Single Switch

Configuring a primary VLAN consists of these steps: 1.

Configure the primary VLAN name and 802.1Q tag.

2. Set no-local-switching on the primary VLAN. 3. Configure the promiscuous trunk port and access ports. 4. Make the promiscuous trunk and access ports members of the primary VLAN.

Within a primary VLAN, you can configure secondary community VLANs or secondary isolated VLANs or both. Configuring a secondary community VLAN consists of these steps: 1.

Configure a VLAN using the usual process.

2. Configure access interfaces for the VLAN. 3. Assign a primary VLAN to the community VLAN,

Isolated VLANs are created internally when the isolated VLAN has access interfaces as members and the option no-local-switching is enabled on the primary VLAN. For detailed instructions for creating a PVLAN on a single switch, see “Creating a Private VLAN on a Single EX Series Switch (CLI Procedure)” on page 2228 . Configuring a PVLAN on Multiple Switches The procedure for configuring a VLAN on a multiple switches is shown in Figure 57 on page 2087.

2086



Figure 57: Configuring a PVLAN on a Multiple Switches

Configuring a primary VLAN consists of these steps: 1.

Configure the primary VLAN name and 802.1Q tag.

2. Set no-local-switching on the primary VLAN. 3. Configure the promiscuous trunk port and access ports. 4. Make the promiscuous trunk and access ports members of the primary VLAN.

Within a primary VLAN, you can configure community VLANs or isolated VLANs or both. Configuring a secondary community VLAN consists of these steps: 1.

Configure a VLAN using the usual process.

2. Configure access interfaces for the VLAN. 3. Assign a primary VLAN to the community VLAN,

Isolated VLANs are created internally when two criteria have been met: the VLAN has access interfaces as members and the primary VLAN has the option no-local-switching enabled. If you configure an isolation ID across multiple switches, be sure that you first configure the primary VLAN and the PVLAN trunk port. 802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tab into the packet header.


2087

®


Trunk ports are only needed for multiswitch PVLAN configurations—the trunk port carries traffic from the primary VLAN and all secondary VLANs. For detailed instructions for creating a PVLAN on multiple switches, see “Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure)” on page 2230. Related Documentation

•


•

Example: Configuring a Private VLAN on a Single EX Series Switch on page 2149

•

Example: Configuring a Private VLAN Spanning Multiple EX Series Switches on page 2155

•


•

Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure) on page 2230

Understanding Virtual Routing Instances on EX Series Switches Virtual routing instances allow administrators to divide a Juniper Networks EX Series Ethernet Switch into multiple independent virtual routers, each with its own routing table. Splitting a device into many virtual routing instances isolates traffic traveling across the network without requiring multiple devices to segment the network. You can use virtual routing instances to isolate customer traffic on your network and to bind customer-specific instances to customer-owned interfaces. Virtual routing and forwarding (VRF) is often used in conjunction with Layer 3 subinterfaces, allowing traffic on a single physical interface to be differentiated and associated with multiple virtual routers. Each logical Layer 3 subinterface can belong to only one routing instance. EX Series switches support IPv4 and IPv6 unicast and multicast VRF traffic. Related Documentation

2088

•


•


•




Understanding Redundant Trunk Links on EX Series Switches In a typical enterprise network comprised of distribution and access layers, a redundant trunk link provides a simple solution for network recovery when a trunk port on a Juniper Networks EX Series Ethernet Switch goes down. In that case, traffic is routed to another trunk port, keeping network convergence time to a minimum. You can configure a maximum of 16 redundant trunk groups on a standalone switch or on most Virtual Chassis. The exception is the EX8200 Virtual Chassis, which can support up to 254 redundant trunk groups. To configure a redundant trunk link, create a redundant trunk group. The redundant trunk group is configured on the access switch, and contains two links: a primary or active link, and a secondary link. If the active link fails, the secondary link automatically starts forwarding data traffic without waiting for normal spanning-tree protocol convergence. Data traffic is forwarded only on the active link. Data traffic on the secondary link is dropped and shown as dropped packets when you issue the operational mode command show interfaces xe- xe-fpc/pic/port extensive. While data traffic is blocked on the secondary link, Layer 2 control traffic is still permitted. For example, an LLDP session can be run between two switches on the secondary link. Rapid Spanning Tree Protocol (RSTP) is enabled by default on EX Series switches to create a loop-free topology, but an interface is not allowed to be in both a redundant trunk group and in a spanning-tree protocol topology at the same time. You must disable RSTP on an interface if a redundant trunk group is configured on that interface. For example, in Figure 58 on page 2090, in addition to disabling RSTP on the Switch 3 interfaces, you must also disable RSTP on the Switch 1 and Switch 2 interfaces connected to Switch 3. Spanning-tree protocols can, however, continue operating on other interfaces on those switches, for example on the link between Switch 1 and Switch 2. Figure 58 on page 2090 shows three switches in a basic topology for redundant trunk links. Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the access layer. Switch 3 is connected to the distribution layer through trunk ports ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2). Link 1 and Link 2 are in a redundant trunk group called group1. Link 1 is designated as the primary link. Traffic flows between Switch 3 in the access layer and Switch 1 in the distribution layer through Link 1. While Link 1 is active, Link 2 blocks traffic.


2089

®


Figure 58: Redundant Trunk Group, Link 1 Active

Figure 59 on page 2090 illustrates how the redundant trunk link topology works when the primary link goes down.

Figure 59: Redundant Trunk Group, Link 2 Active

2090



When Link 1 goes down between Switch 3 and Switch 1, Link 2 takes over as the active link after one second. Traffic between the access layer and the distribution layer is then automatically switched to Link 2 between Switch 1 and Switch 2. Related Documentation

•

Example: Configuring Redundant Trunk Links for Faster Recovery on page 2141

Understanding Q-in-Q Tunneling on EX Series Switches Q-in-Q tunneling allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. Using Q-in-Q tunneling, providers can also segregate or bundle customer traffic into fewer VLANs or different VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when customers have overlapping VLAN IDs, because the customer’s 802.1Q (dot1Q) VLAN tags are prepended by the service VLAN (S-VLAN) tag. The Juniper Networks Junos operating system (Junos OS) implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard. This topic describes: •

How Q-in-Q Tunneling Works on page 2091

•

Disabling MAC Address Learning on page 2092

•

Mapping C-VLANs to S-VLANs on page 2092

•

Routed VLAN Interfaces on Q-in-Q VLANs on page 2093

•

Limitations for Q-in-Q Tunneling on page 2094

How Q-in-Q Tunneling Works In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a customer-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed. When Q-in-Q tunneling is enabled on Juniper Networks EX Series Ethernet Switches, trunk interfaces are assumed to be part of the service provider network and access interfaces are assumed to be customer facing. An access interface can receive both tagged and untagged frames in this case. An interface can be a member of multiple S-VLANs. You can map one C-VLAN to one S-VLAN (1:1) or multiple C-VLANs to one S-VLAN (N:1). Packets are double-tagged for an additional layer of segregating or bundling of C-VLANs. C-VLAN and S-VLAN tags are unique; so you can have both a C-VLAN 101 and an S-VLAN 101, for example. You can limit the set of accepted customer tags to a range of tags or to discrete values. Class-of-service (CoS) values of C-VLANs are unchanged in the downstream direction. You may, optionally, copy ingress priority and CoS settings to the S-VLAN. Using private VLANs, you can isolate users to prevent the forwarding of traffic between user interfaces even if the interfaces are on the same VLAN.


2091

®


You can use the native option to specify an S-VLAN for untagged and priority tagged packets when using many-to-one bundling and mapping a specific interface approaches to map C-VLANs to S-VLANs. Otherwise the packets are discarded. The native option is not available for all-in-one bundling because there is no need to specify untagged and priority tagged packets when all packets are mapped to the C-VLAN. See the Mapping C-VLANs to S-VLANs section of this document for information on the methods of mapping C-VLANs to S-VLANs. Firewall filters allow you to map an interface to a VLAN based on a policy. Using firewall filters to map an interface to a VLAN is useful when you want a subset of traffic from a port to be mapped to a selected VLAN instead of the designated VLAN. To configure a firewall filter to map an interface to a VLAN, the vlan option has to be configured as part of the firewall filter and the mapping policy option must be specified in the interface configuration for each logical interface using the filter.

Disabling MAC Address Learning In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to source and destination MAC addresses. You can disable MAC address learning at both the interface level and the VLAN level. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member. When you disable MAC address learning on a VLAN, MAC addresses that have already been learned are flushed. If you disable MAC address learning on an interface or a VLAN, you cannot include MAC move limiting or 802.1X authentication in that same VLAN configuration. When a routed VLAN interface (RVI) is associated with either an interface or a VLAN on which MAC address learning is disabled, the Layer 3 routes resolved on that VLAN or that interface are not resolved with the Layer 2 component. This results in routed packets flooding all the interfaces associated with the VLAN.

Mapping C-VLANs to S-VLANs There are three ways to map C-VLANs to an S-VLAN:

2092

•

All-in-one bundling—Use the dot1q-tunneling option to map without specifying customer VLANs. All packets from all access interfaces are mapped to the S-VLAN.

•

Many-to-one bundling—Use the customer-vlans option to specify which C-VLANs are mapped to the S-VLAN.

•

Mapping a specific interface—Use the mapping option to indicate a specific S-VLAN for a given C-VLAN. The specified C-VLAN applies to only one VLAN and not all access interfaces as in the cases of all-in-one and many-to-one bundling.



If you configure multiple methods, the switch gives priority to mapping a specific interface, then to many-to-one bundling, and last to all-in-one bundling. However, you cannot have overlapping rules for the same C-VLAN under a given approach. •

All-in-One Bundling on page 2093

•

Many-to-One Bundling on page 2093

•

Mapping a Specific Interface on page 2093

All-in-One Bundling All-in-one bundling maps all packets from all access interfaces to the S-VLAN. All-in-one bundling is configured using the dot1q-tunneling option without specifying customer VLANs. When all-in-one bundling is used, all packets leaving the C-VLAN, including untagged and priority tagged packets, enter the S-VLAN.

Many-to-One Bundling Many-to-one bundling is used to specify which C-VLANs are mapped to an S-VLAN. Many-to-one bundling is configured using the customer-vlans option. Many-to-one bundling is used when you want a subset of the C-VLANs on the access switch to be part of the S-VLAN. When using many-to-one bundling, untagged and priority tagged packets can be mapped to the S-VLAN when the native option is specified along with the customer-vlans option.

Mapping a Specific Interface Use the mapping a specific interface approach when you want to assign an S-VLAN to a specific C-VLAN on an interface. The mapping a specific interface configuration only applies to the configured interface, not to all access interfaces as in the cases of the all-in-one bundling and many-to-one bundling approaches. The mapping a specific interface approach is configured using the mapping option to indicate a specific S-VLAN for a given C-VLAN. The mapping a specific interface approach has two suboptions for treatment of traffic: swap and push. When traffic that is mapped to a specific interface is pushed, the packet retains its tag as it moves between the S-VLAN and C-VLAN and an additional VLAN tag is added to the packet. When traffic that is mapped to a specific interface is swapped, the incoming tag is replaced with a new VLAN tag. Using the swap option is also referred to as VLAN ID translation. It might be useful to have S-VLANs that provide service to multiple customers. Each customer will typically have its own S-VLAN plus access to one or more S-VLANs that are used by multiple customers. A specific tag on the customer side is mapped to an S-VLAN. Typically, this functionality is used to keep data from different customers separate or to provide individualized treatment of the packets on a certain interface.

Routed VLAN Interfaces on Q-in-Q VLANs Routed VLAN interfaces (RVIs) are supported on Q-in-Q VLANs.


2093

®


Packets arriving on an RVI that is using Q-in-Q VLANs will get routed regardless of whether the packet is single or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface.

Limitations for Q-in-Q Tunneling Q-in-Q tunneling does not support most access port security features. There is no per-VLAN (customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q tunneling unless you configure these security features using firewall filters. Related Documentation

•


•


•

Configuring Q-in-Q Tunneling (CLI Procedure) on page 2231

Understanding Multiple VLAN Registration Protocol (MVRP) on EX Series Switches Multiple VLAN Registration Protocol (MVRP) is a Layer 2 messaging protocol that manages the addition, deletion, and renaming of active virtual LANs, thereby reducing network administrators’ time spent on these tasks. Use MVRP on Juniper Networks EX Series Ethernet Switches to dynamically register and unregister active VLANs on trunk interfaces. Using MVRP means that you do not have to manually register VLANs on all connections—that is, you do not need to explicitly bind a VLAN to each trunk interface. With MVRP, you configure a VLAN on one switch interface and the VLAN configuration is distributed through all active switches in the domain. MVRP is an application protocol of the Multiple Registration Protocol (MRP) and is defined in the IEEE 802.1ak standard. MRP and MVRP replace Generic Attribute Registration Protocol (GARP) and GARP VLAN Registration Protocol (GVRP) and overcome GARP and GVRP limitations. This topic describes: •

How MVRP Updates, Creates, and Deletes VLANs on the Switches on page 2094

•

MVRP Is Disabled by Default on the Switches on page 2095

•

MRP Timers Control MVRP Updates on page 2095

•

MVRP Uses MRP Messages to Transmit Switch and VLAN States on page 2095

•

Compatibility Issues With Junos OS Release 11.3 and Later on page 2096

How MVRP Updates, Creates, and Deletes VLANs on the Switches When any MVRP-member VLAN is changed, that VLAN sends a protocol data unit (PDU) to all other MVRP-member active VLANs. The PDU informs the other VLANs which switches and interfaces currently belong to the sending VLAN. This way, all MVRP-member VLANs are always updated with the current VLAN state of all other MVRP-member VLANs. Timers dictate when PDUs can be sent and when switches receiving MVRP PDUs can update their MVRP VLAN information.

2094



In addition to sending PDU updates, MVRP dynamically creates VLANs on member interfaces when a new VLAN is added to any one interface. This way, VLANs created on one member switch are propagated to other member switches as part of the MVRP message exchange process. To keep VLAN membership information current, MVRP removes switches and interfaces when they become unavailable. Pruning VLAN information has these benefits: •

Limits the network VLAN configuration to active participants, thereby reducing network overhead.

•

Limits broadcast, unknown unicast, and multicast (BUM) traffic to interested devices.

MVRP Is Disabled by Default on the Switches MVRP is disabled by default on the switches and, when enabled, affects only trunk interfaces. Once you enable MVRP, all VLAN interfaces on the switch belong to MVRP (the default normal mode) and those interfaces accept PDU messages and send their own PDU messages. To prevent one or more interfaces from participating in MVRP, you can specifically configure an interface to forbidden mode instead of the default normal mode. VLAN updating, dynamic VLAN configuration through MVRP, and VLAN pruning are all active on trunk interfaces when MVRP is enabled.

MRP Timers Control MVRP Updates MVRP registration and updates are controlled by timers that are part of the MRP. These timers are set on a per-interface basis and define when MVRP PDUs can be sent and when MVRP information can be updated on a switch. The following MRP timers are used to control the operation of MVRP: •

Join timer—Controls the interval for the next MVRP PDU transmit opportunity.

•

Leave timer—Controls the period of time that an interface on the switch waits in the leave state before changing to the unregistered state.

•

LeaveAll timer—Controls the frequency with which the interface generates LeaveAll messages.

BEST PRACTICE: Unless there is a compelling reason to change the timer settings, leave the default settings in place. Modifying timers to inappropriate values can cause an imbalance in the operation of MVRP.

MVRP Uses MRP Messages to Transmit Switch and VLAN States MVRP uses MRP messages to register and declare MVRP states for a switch or VLAN and to inform the switching network that a switch or VLAN is leaving MVRP. These messages are communicated as part of the PDU sent by any switch interface to the other switches in the network.


2095

®


The following MRP messages are communicated for MVRP: •

Empty—MVRP information is not declared and no VLAN is registered.

•

In—MVRP information is not declared but a VLAN is registered.

•

JoinEmpty—MVRP information is declared but no VLAN is registered.

•

JoinIn—MVRP information is declared and a VLAN is registered.

•

Leave—MVRP information that was previously declared is withdrawn.

•

LeaveAll—Unregister all VLANs on the switch. VLANs must re-register to participate in MVRP.

•

New—The MVRP information is new and a VLAN might not be registered yet.

Compatibility Issues With Junos OS Release 11.3 and Later Prior to Junos OS Release 11.3, the protocol data units (PDUs) sent and received by MVRP contained an extra byte. This extra byte in the PDUs prevented MVRP from conforming to the IEEE standard 802.1ak and was removed in Release 11.3 to make MVRP running on Junos OS compatible with the standard. If all switches in your network are running Release 11.3, you will see no change in MVRP operation and there are no steps you need to take to continue using MVRP. If your network is running only Release 11.2 or earlier, you also do not need to do anything to continue using MVRP. If your network is running a mix of Release 11.3 and earlier releases, you need to take steps to make your switches compatible when using MVRP. Switches running a version of Junos OS earlier than Release 11.3 require the extra MVRP byte to be part of each PDU they receive—they will not recognize a PDU with this byte missing. You can determine whether the switches in your network are running incompatible versions of MVRP by issuing the show mvrp statistics command. For more information on diagnosing and correcting this MVRP compatibility situation, see “Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure)” on page 2233. Related Documentation

•


•

Example: Configuring Automatic VLAN Administration Using MVRP on EX Series Switches on page 2172

•

Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure) on page 2233

Understanding Layer 2 Protocol Tunneling on EX Series Switches Layer 2 protocol tunneling (L2PT) allows service providers to send Layer 2 protocol data units (PDUs) across the provider’s cloud and deliver them to Juniper Networks EX Series Ethernet Switches that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

2096




Layer 2 Protocols Supported by L2PT on EX Series Switches on page 2097

•

How L2PT Works on page 2098

•

L2PT Basics on EX Series Switches on page 2099

Layer 2 Protocols Supported by L2PT on EX Series Switches L2PT on EX Series switches supports the following Layer 2 protocols: •

802.1X authentication

•

802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)

NOTE: If you enable L2PT for untagged OAM LFM (Operation, Administration, and Maintenance of link fault management) packets, do not configure link fault management (LFM) on the corresponding access interface.

•

Cisco Discovery Protocol (CDP)

•

Ethernet local management interface (E-LMI)

•

MVRP VLAN Registration Protocol (MVRP)

•


NOTE: If you enable L2PT for untagged LACP packets, do not configure Link Aggregation Control Protocol (LACP) on the corresponding access interface.

•


•

Multiple MAC Registration Protocol (MMRP)

•

Multiple VLAN Registration Protocol (MVRP)

•

Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)

•

Unidirectional Link Detection (UDLD)

•


•

VLAN Trunking Protocol (VTP)

NOTE: CDP, UDLD, and VTP cannot be configured on EX Series switches. L2PT does, however, tunnel CDP, UDLD, and VTP PDUs.


2097

®


How L2PT Works L2PT works by encapsulating Layer 2 PDUs, tunneling them across a service provider network, and decapsulating them for delivery to their destination switches. L2PT encapsulates Layer 2 PDUs by enabling the ingress provider edge (PE) device to rewrite the PDUs’ destination media access control (MAC) addresses before forwarding them onto the service provider network. The devices in the service provider network treat these encapsulated PDUs as multicast Ethernet packets. Upon receipt of these PDUs, the egress PE devices decapsulate them by replacing the destination MAC addresses with the address of the Layer 2 protocol that is being tunneled before forwarding the PDUs to their destination switches. This process is illustrated in Figure 60 on page 2098.

Figure 60: L2PT Example

L2PT supports tunneling of STP, LLDP, CDP and VTP control PDUs across the service provider network. The PE device identifies the Layer 2 control protocols by their encapsulated MAC address. The destination MAC address used by different protocols is listed in Table 240 on page 2098:

Table 240: Protocol Destination MAC Addresses Protocol

Ethernet Encapsulation

MAC Address

802.1X

Ether-II

01:80:C2:00:00:03

802.3ah

Ether-II

01:80:C2:00:00:02

Cisco Discovery Protocol (CDP)

SNAP

01:00:0C:CC:CC:CC

Ethernet local management interface (E-LMI)

Ether-II

01:80:C2:00:00:07

MVRP VLAN Registration Protocol (MVRP)

Ether-II

01:80C2:00:00:21


Ether-II

01:80:C2:00:00:02

2098



Table 240: Protocol Destination MAC Addresses (continued) Protocol

Ethernet Encapsulation

MAC Address

Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)

SNAP

01:80:C2:00:00:21


Ether-II

01:80:0C:00:00:0E

Multiple MAC Registration Protocol (MMRP)

Ether-II

01:80:C2:00:00:OE

Unidirectional Link Detection (UDLD)

SNAP

01:00:0C:CC:CC:CC


SNAP

01:00:0C:CC:CC:CD

VLAN Trunking Protocol (VTP)

SNAP

01:00:0C:CC:CC:CC

When a PE device receives a Layer 2 control PDU from any of the customer PE devices, it changes the destination MAC address to 01:00:0C:CD:CD:D0. The modified packet is then sent to the provider network. All devices on the provider network treat these packets as multicast Ethernet packets and deliver them to all PE devices for the customer. The egress PE devices receive all the control PDUs with the same MAC address (01:00:0C:CD:CD:D0). Then they identify the packet type by doing deeper packet inspection and replace the destination MAC address 01:00:0C:CD:CD:D0 with the appropriate destination address. The modified PDUs are sent out to the customer PE devices, thus ensuring the Layer 2 control PDUs are delivered, in their original state, across the provider network. The L2PT protocol is valid for all types of packets (untagged, tagged, and Q-in-Q tagged).

L2PT Basics on EX Series Switches L2PT is enabled on a per-VLAN basis. When you enable L2PT on a VLAN, all access interfaces are considered to be customer-facing interfaces, all trunk interfaces are considered to be service provider network-facing interfaces, and the specified Layer 2 protocol is disabled on the access interfaces. L2PT only acts on logical interfaces of the family ethernet-switching. L2PT PDUs are flooded to all trunk and access ports within a given S-VLAN.

NOTE: Access interfaces in an L2PT-enabled VLAN should not receive L2PT-tunneled PDUs. If an access interface does receive L2PT-tunneled PDUs, it might mean that there is a loop in the network. As a result, the interface will be shut down.

L2PT is configured under the [edit vlans vlan-name dot1q-tunneling] hierarchy level, meaning Q-in-Q tunneling is (and must be) enabled. If L2PT is not enabled, Layer 2 PDUs are handled in the same way they were handled before L2PT was enabled.


2099

®


NOTE: If the switch receives untagged or priority-tagged Layer 2 control PDUs to be tunneled, then you must configure the switch to map untagged and priority-tagged packets to an L2PT-enabled VLAN. For more information on assigning untagged and priority-tagged packets to VLANs, see “Understanding Q-in-Q Tunneling on EX Series Switches” on page 2091 and “Configuring Q-in-Q Tunneling (CLI Procedure)” on page 2231.


•


•


Understanding Proxy ARP on EX Series Switches You can configure proxy Address Resolution Protocol (ARP) on your Juniper Networks EX Series Ethernet Switch to enable the switch to respond to ARP queries for network addresses by offering its own Ethernet media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination. Proxy ARP is useful in situations where hosts are on different physical networks and you do not want to use subnet masking. Because ARP broadcasts are not propagated between hosts on different physical networks, hosts will not receive a response to their ARP request if the destination is on a different subnet. Enabling the switch to act as an ARP proxy allows the hosts to transparently communicate with each other through the switch. Proxy ARP can help hosts on a subnet reach remote subnets without your having to configure routing or a default gateway. •

What Is ARP? on page 2100

•

Proxy ARP Overview on page 2100

•

Best Practices for Proxy ARP on EX Series Switches on page 2101

What Is ARP? Ethernet LANs use ARP to map Ethernet MAC addresses to IP addresses. Each device maintains a cache containing a mapping of MAC addresses to IP addresses. The switch maintains this mapping in a cache that it consults when forwarding packets to network devices. If the ARP cache does not contain an entry for the destination device, the host (the DHCP client) broadcasts an ARP request for that device's address and stores the response in the cache.

Proxy ARP Overview When proxy ARP is enabled, if the switch receives an ARP request for which it has a route to the target (destination) IP address, the switch responds by sending a proxy ARP reply packet containing its own MAC address. The host that sent the ARP request then sends its packets to the switch, which forwards them to the intended host.

2100



NOTE: For security reasons, the source address in an ARP request must be on the same subnet as the interface on which the ARP request is received.

You can configure proxy ARP for each interface. You can also configure proxy ARP for a VLAN by using a routed VLAN interface (RVI). EX Series switches support two modes of proxy ARP, restricted and unrestricted. Both modes require that the switch have an active route to the destination address of the ARP request. •

Restricted—The switch responds to ARP requests in which the physical networks of the source and target are different and does not respond if the source and target IP addresses are on the same subnet. In this mode, hosts on the same subnet communicate without proxy ARP. We recommend that you use this mode on the switch.

•

Unrestricted—The switch responds to all ARP requests for which it has a route to the destination. This is the default mode (because it is the default mode in Juniper Networks Junos operating system (Junos OS) configurations other than those on the switch). We recommend using restricted mode on the switch.

Best Practices for Proxy ARP on EX Series Switches We recommend these best practices for configuring proxy ARP on the switches:


•

Set proxy ARP to restricted mode.

•

Use restricted mode when configuring proxy ARP on RVIs.

•

If you set proxy ARP to unrestricted, disable gratuitous ARP requests on each interface enabled for proxy ARP.

•


•


Understanding MAC Notification on EX Series Switches Juniper Networks EX Series Switches track clients on a network by storing Media Access Control (MAC) addresses in the Ethernet switching table on the switch. When switches learn or unlearn a MAC address, SNMP notifications can be sent to the network management system at regular intervals to record the addition or removal of the MAC address. This process is known as MAC notification. The MAC Notification MIB controls MAC notification for the network management system. For general information on the MAC Notification MIB, see the Junos OS Network Management Configuration Guide. The MAC notification interval defines how often these SNMP notifications are sent to the network management system. The MAC notification interval works by tracking all of the MAC address additions or removals on the switch over a period of time and then


2101

®


sending all of the tracked MAC address additions or removals to the network management server at the end of the interval. For instance, if the MAC notification interval is set to 10, all of the MAC address addition and removal SNMP notifications are sent to the network management system every 10 seconds. Enabling MAC notification allows users to monitor the addition and removal of MAC addresses from the Ethernet switching table remotely using a network management system. The advantage of setting a high MAC notification interval is that the amount of network traffic is reduced because updates are sent less frequently. The advantage of setting a low MAC notification interval is that the network management system is better synchronized with the switch. MAC notification is disabled by default. When MAC notification is enabled, the default MAC notification interval is 30 seconds. Related Documentation

•

Configuring MAC Notification (CLI Procedure) on page 2238

•


Understanding MAC Address Aging Juniper Networks EX Series Ethernet Switches store MAC addresses in the Ethernet switching table, also called the MAC table. When the aging time for a MAC address in the table expires, the address is removed. You can configure the MAC table aging time on all VLANs on the switch or on a per-VLAN basis. You can also configure aging time to be unlimited, either on all VLANs or per-VLAN, so that MAC addresses never age out of the table. To learn MAC addresses, the switch reads all packets that it detects on the LAN or on the local VLAN, looking for MAC addresses of sending nodes. It places these addresses into its Ethernet switching table, along with two other pieces of information—the interface on which the traffic was received and the time when the address was learned. When the switch receives traffic on an interface, it searches the Ethernet switching table for the MAC address of the destination. If the MAC address is not found, the traffic is flooded out all of the other interfaces associated with the VLAN—if traffic is received on an interface that is associated with VLAN v-10 and there is no entry in the Ethernet switching table for VLAN v-10 (the Ethernet switching table is organized by VLAN), then the traffic is flooded to all access and trunk interfaces that are members of VLAN v-10. Flooding allows the switch to learn about destinations that are not yet in its Ethernet switching table. If a particular destination MAC address is not in the Ethernet switching table, the switch floods the traffic to all interfaces except the interface on which it was received. When the destination node receives the flooded traffic, it sends an acknowledgment packet back to the switch, allowing the switch to learn the MAC address of the node and to add the address to its Ethernet switching table. The switch uses a mechanism called aging to keep the Ethernet switching table current. For each MAC address in the Ethernet switching table, the switch records a timestamp of when the information about the network node was learned. Each time the switch

2102



detects traffic from a MAC address that is in its Ethernet switching table, it updates the timestamp of that MAC address. A timer on the switch periodically checks the timestamp, and if it is older than the value set for mac-table-aging-time, the switch removes the node's MAC address from the Ethernet switching table. This aging process ensures that the switch tracks only active MAC addresses on the network and that it is able to flush out from the Ethernet switching table MAC addresses that are no longer available. You configure how long MAC addresses remain in the Ethernet switching table using the mac-table-aging-time statement in either the edit ethernet-switching-options or the vlans hierarchy, depending on whether you want to configure it for the entire switch or only for specific VLANs. For example, if you have a printer VLAN, you might choose to configure the aging time for that VLAN to be considerably longer than for other VLANs so that MAC addresses of printers on this VLAN age out less frequently. Because the MAC addresses remain in the table, even if a printer has been idle for some time before traffic arrives for it, the switch still finds the MAC address and does not need to flood the traffic to all other interfaces. Similarly, in a data center environment where the list of servers connected to the switch is fairly stable, you might choose to increase MAC address aging time, or even set it to unlimited, to increase the efficiency of the utilization of network bandwidth by reducing flooding. Related Documentation

•

Configuring MAC Table Aging (CLI Procedure) on page 2224

•

Controlling Authentication Session Timeouts (CLI Procedure) on page 3652

Understanding Reflective Relay for Use with VEPA Technology Reflective relay returns packets to a device using the same downstream port that delivered the packets to the Juniper Networks EX Series Ethernet Switch. You use reflective relay in situations when one interface must both send and receive packets—for example, when a switch receives aggregated virtual machine packets from a technology such as virtual Ethernet packet aggregation (VEPA). •

What Is VEPA and Why Does It Require Reflective Relay? on page 2103

•

How Does Reflective Relay Work? on page 2104

What Is VEPA and Why Does It Require Reflective Relay? Even though virtual machines are capable of sending packets directly to one another with a technology called VEB (virtual Ethernet bridging), you typically want to use physical switches for switching because VEB uses expensive server hardware to accomplish the task. Instead of using VEB, you can install VEPA on a server to aggregate virtual machine packets and pass them to a physical switch. By passing aggregated packets to a physical switch, you both off-load switching activities from a server’s virtual switches and you take advantage of the physical switch’s security and tracking features. When aggregated packets such as VEPA packets are received on a switch, reflective relay must be configured on that switch because some packets may have to be sent back to the server, destined for another virtual machine on the same server. Reflective


2103

®


relay returns those packets to the original device using the same downstream port that delivered the packets to the switch.

How Does Reflective Relay Work? The switches execute reflective relay, also known as hairpin turns, by receiving and returning packets back to the physical server on the same downstream port. Reflective relay only does this in two situations: •

When the destination address of the packet was learned on that downstream port.

•

When the destination has not yet been learned.

NOTE: Control packets are never reflected back on the downstream port.

Other than this, reflective relay does not change the operation of the switch. If the source VLAN and MAC address of the virtual machine packet are not yet included in the Ethernet switching table, an entry is added. If the destination VLAN and MAC address of an incoming packet is not yet present in the Ethernet switching table, the switch floods the packet on all the other ports that are members of the same VLAN, including the port on which the packet arrived. Related Documentation

2104

•


•

Example: Configuring Edge Virtual Bridging for Use with VEPA Technology on page 2189



Understanding Routed VLAN Interfaces on EX Series Switches Virtual LANs (VLANs), by definition, divide a LAN’s broadcast environment into isolated virtual broadcast domains, thereby limiting the amount of traffic flowing across the entire LAN and reducing the possible number of collisions and packet retransmissions within the LAN. For example, you might want to create a VLAN that includes the employees in a department and the resources that they use often, such as printers, servers, and so on. Of course, you also want to allow these employees to communicate with people and resources in other VLANs. To forward packets between VLANs, you traditionally needed a router that connected the VLANs. However, you can also accomplish this forwarding with a switch by configuring a routed VLAN interface (RVI). Using this approach reduces complexity and avoids the costs associated with purchasing, installing, managing, powering, and cooling a router. RVIs route only VLAN traffic. An RVI works by logically dividing a switch into multiple virtual routing instances, thereby isolating VLAN traffic traveling across the network into virtual segments. Routed VLAN interfaces allow switches to recognize which packets are being sent to another VLAN’s MAC addresses—then, packets are bridged (switched) whenever the destination is within the same VLAN and are only routed through the RVI when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated. The switches rely on their Layer 3 capabilities to provide this basic RVI routing between VLANs: •

Two VLANs on the same switch

•

Two VLANs on different switches (Routing is provided by an intermediary third switch.)

Figure 61 on page 2105 illustrates a switch routing VLAN traffic between two access layer switches.

Figure 61: An RVI on a Switch Providing Routing Between Two Other Switches


When Should I Use an RVI? on page 2106


2105

®


•

How Does an RVI Work? on page 2106

•

Creating an RVI on page 2106

•

Viewing RVI Statistics on page 2107

•

RVI Functions and Other Technologies on page 2108

When Should I Use an RVI? In addition to providing communication between VLANs, an RVI binds specific VLANs to specific Layer 3 interfaces, allowing you to track RVI use for billing purposes. Configure an RVI for a VLAN if you need to: •

Allow traffic to be routed between VLANs.

•

Provide Layer 3 IP connectivity to the switch.

•

Monitor individual VLANs for billing purposes. Service providers often need to monitor traffic for this purpose, but this capability can be useful for enterprises where various groups share the cost of the network.

How Does an RVI Work? An RVI is a special type of Layer 3 virtual interface named vlan. Like all Layer 3 interfaces, the vlan interface requires a logical unit number with an IP address. In fact, to be useful, an RVI requires at least two logical units and two IP addresses—you must create units with addresses in each of the subnets associated with the VLANs between which you want traffic to be routed. That is, if you have two VLANs (for example, VLAN red and VLAN blue) with corresponding subnets, your RVI must have a logical unit with an address in the subnet for red and a logical unit with an address in the subnet for blue. The switch automatically creates direct routes to these subnets and uses these routes to forward traffic between VLANs. The RVI interface on the switch detects both MAC addresses and IP addresses and then routes data to other Layer 3 interfaces on routers or other switches. RVIs detect both IPv4 and IPv6 unicast and multicast virtual routing and forwarding (VRF) traffic. Each logical Layer 3 subinterface can belong to only one routing instance. An RVI is subdivided into logical interfaces, each with a logical interface number appended as a suffix to vlan —for example, vlan.10.

Creating an RVI There are four basic steps when creating an RVI, as shown in Figure 62 on page 2107.

2106



Figure 62: Creating an RVI

The following explanations correspond to the four steps for creating a VLAN, as depicted in Figure 62 on page 2107. •

Configure VLANs—Virtual LANs are groups of hosts that communicate as if they were attached to the same broadcast stream. VLANs are created with software and do not require a physical router to forward traffic. VLANs are Layer 2 constructs.

•

Create RVIs for the VLANs—The switch's RVI uses Layer 3 logical interfaces on the switch (unlike routers, which can use either physical or logical interfaces).

•

Assign an IP address to each VLAN—An RVI cannot be activated unless it is associated with a physical interface.

•

Bind the VLANs to the logical interfaces—There is a one-to-one mapping between a VLAN and an RVI, so only one RVI can be mapped to a VLAN.

For more specific instructions for creating an RVI, see “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223.

Viewing RVI Statistics Some switches automatically track RVI traffic statistics. Other switches allow you to turn that tracking on or off. Table 2 illustrates the RVI tracking capability on various switches.

Table 241: Tracking RVI Usage Switch

Input (ingress)

Output (Egress)

EX3200, EX4200

Automatic

–


2107

®


Table 241: Tracking RVI Usage (continued) Switch

Input (ingress)

Output (Egress)

EX8200

Configurable

Automatic

EX2200, EX3300, EX4500, EX6200

–

–

You can view RVI input (ingress) and output (egress) totals with the command show interfaces vlan extensive. Look at the input and output values in the field Logical Unit Transit Statistics for RVI activity values.

RVI Functions and Other Technologies RVIs are similar to IRBs, SVIs, and BVIs. They can also be combined with other functions:


•

RVIs are similar to integrated routing and bridging (IRB) interfaces supported on Juniper routers and switch virtual interfaces (SVIs) and bridge-group virtual interfaces (BVIs) supported on other vendors’ devices.

•

VRF is often used in conjunction with Layer 3 subinterfaces, allowing traffic on a single physical interface to be differentiated and associated with multiple virtual routers. For more information about VRF, see “Understanding Virtual Routing Instances on EX Series Switches” on page 2088.

•

For redundancy, you can combine an RVI with implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging and virtual private LAN service (VPLS) environments. For more information about VRRP, see “Understanding VRRP on EX Series Switches” on page 1663.

•


•


Understanding Edge Virtual Bridging for Use with VEPA Technology Servers using virtual Ethernet port aggregator (VEPA) do not send packets directly from one virtual machine (VM) to another. Instead, the packets are sent to virtual bridges on an adjacent switch for processing. EX Series switches use edge virtual bridging (EVB) as a virtual bridge to return the packets on the same interface that delivered the packets.

2108

•

What Is EVB? on page 2109

•

What Is VEPA? on page 2109

•

Why Use VEPA Instead of VEB? on page 2109

•

How Does EVB Work? on page 2109

•

How Do I Implement EVB? on page 2110



What Is EVB? EVB is a software capability on a switch running Junos OS that allows multiple virtual machines to communicate with each other and with external hosts in the Ethernet network environment.

What Is VEPA? VEPA is a software capability on a server that collaborates with an adjacent, external switch to provide bridging support between multiple virtual machines and external networks. The VEPA collaborates with the adjacent switch by forwarding all VM-originated frames to the adjacent switch for frame processing and frame relay (including hairpin forwarding) and by steering and replicating frames received from the VEPA uplink to the appropriate destinations.

Why Use VEPA Instead of VEB? Even though virtual machines are capable of sending packets directly to one another with a technology called virtual Ethernet bridging (VEB), you typically want to use physical switches for switching because VEB uses expensive server hardware to accomplish the task. Instead of using VEB, you can install VEPA on a server to offload switching functionality to an adjacent, less expensive physical switch. Additional advantages of using VEPA include: •

VEPA reduces complexity and allows higher performance at the server.

•

VEPA takes advantage of the physical switch’s security and tracking features.

•

VEPA provides visibility of inter-virtual-machine traffic to network management tools designed for an adjacent bridge.

•

VEPA reduces the amount of network configuration required by server administrators, and as a consequence, reduces work for the network administrator.

How Does EVB Work? EVB uses two protocols, Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP) and Edge Control Protocol (ECP), to program policies for each individual virtual switch instance—specifically, EVB maintains the following information for each VSI instance: •

VLAN ID

•

VSI type

•

VSI type version

•

MAC address of the server

VDP is used by the VEPA server to propagate VSI information to the switch. This allows the switch to program policies on individual VSIs and supports virtual machine migration by implementing logic to preassociate a VSI with a particular interface.


2109

®


ECP is a Link Layer Discovery Protocol (LLDP)-like transport layer that allows multiple upper layer protocols to send and receive protocol data units (PDUs). ECP improves upon LLDP by implementing sequencing, retransmission and an ack mechanism, while at the same time remaining lightweight enough to be implemented on a single-hop network. ECP is implemented in an EVB configuration when you configure LLDP on interfaces that you have configured for EVB. That is, you configure LLDP, not ECP.

How Do I Implement EVB? You can configure EVB on a switch when that switch is adjacent to a server that includes VEPA technology. In general, this is what you do to implement EVB:


•

The network manager creates a set of VSI types. Each VSI type is represented by a VSI type ID and a VSI version--the network manager can deploy one or more VSI versions at any given time.

•

The VM manager configures VSI (which is a virtual station interface for a VM that is represented by a MAC address and VLAN ID pair) . To accomplish this, the VM manager queries available VSI type IDs (VTIDs) and creates a VSI instance consisting of a VSI Instance ID and the chosen VTID. This instance is known as VTDB and contains a VSI manager ID, a VSI type ID, a VSI version, and a VSI instance ID.

•


•


Ethernet Ring Protection Switching Overview Ethernet ring protection switching (ERPS) helps achieve high reliability and network stability. Links in the ring will never form loops that fatally affect the network operation and services availability. The basic idea of an Ethernet ring is to use one specific link to protect the whole ring. This special link is called a ring protection link (RPL). If no failure happens in other links of the ring, the RPL blocks the traffic and is not used. The RPL is controlled by a special node called an RPL owner. There is only one RPL owner in a ring. The RPL owner is responsible for blocking traffic over the RPL. Under ring failure conditions, the RPL owner is responsible for unblocking traffic over the RPL. A ring failure results in protection switching of the RPL traffic. An automation protocol suite (APS) protocol is used to coordinate the protection actions over the ring. Protection switching blocks traffic on the failed link and unblocks the traffic on the RPL. When the failure clears, revertive protection switching blocks traffic over the RPL and unblocks traffic on the link on which the failure is cleared. The following standards provide detailed information on Ethernet ring protection switching:

2110

•

IEEE 802.1Q - 1998

•

IEEE 802.1D - 2004

•

IEEE 802.1Q - 2003



•

Draft ITU-T Recommendation G.8032/Y.1344, Ethernet Ring protection switching

•

ITU-T Y.1731, OAM functions and mechanisms for Ethernet-based networks

For additional information on configuring Ethernet ring protection switching on EX Series switches, see “Example: Configuring Ethernet Ring Protection Switching on EX Series Switches” on page 2202. For additional information on configuring Ethernet ring protection switching on MX Series routers, see the Layer 2 Configuration Guide for a complete example of Ethernet rings and information about STP loop avoidance and prevention. Related Documentation

•


•

Configuring Ethernet Ring Protection Switching

•

Example: Ethernet Ring Protection Switching Configuration on MX Routers

•

Example: Configuring Ethernet Ring Protection Switching on EX Series Switches on page 2202

•


Understanding Ethernet Ring Protection Switching Functionality •

Acronyms on page 2111

•

Ring Nodes on page 2112

•

Ring Node States on page 2112

•

Failure Detection on page 2112

•

Logical Ring on page 2112

•

FDB Flush on page 2113

•

Traffic Blocking and Forwarding on page 2113

•

RAPS Message Blocking and Forwarding on page 2113

•

Dedicated Signaling Control Channel on page 2114

•

RAPS Message Termination on page 2115

•

Multiple Rings on page 2115

•

Node ID on page 2115

•

Bridge Domains with the Ring Port (MX Series Routers Only) on page 2115

Acronyms The following acronyms are used in the discussion about Ethernet ring protection switching: •

MA—Maintenance association

•

MEP—Maintenance association end point

•

OAM—Connectivity fault management daemon


2111

®


•

FDB—MAC forwarding database

•

STP—Spanning Tree Protocol

•

RAPS—Ring automatic protection switching

•

WTR—Wait to restore

•

RPL—Ring protection link

Ring Nodes Multiple nodes are used to form a ring. For each ring node. There are two different node types: •

Normal node—The node has no special role on the ring.

•

RPL owner node—The node owns the RPL and blocks or unblocks traffic over the RPL. This node also initiates the RAPS message.

Ring Node States There are three different states for each node of a specific ring: •

init—Not a participant of a specific ring.

•

idle—No failure on the ring; the node is performing normally. For a normal node, traffic is unblocked on both ring ports. For the RPL owner, traffic is blocked on the ring port that connects to the RPL and unblocked on the other ring port.

•

protection—A failure occurred on the ring. For normal node, traffic is blocked on the ring port that connects to the failing link and unblocked on working ring ports. For the RPL owner, traffic is unblocked on both ring ports if they connect to non-failure links.

There can be only one RPL owner for each ring. The user configuration must guarantee this, because the APS protocol cannot check this.

Failure Detection Ethernet ring operation depends on quick and accurate failure detection. The failure condition signal failure (SF) is supported. For SF detection, an Ethernet continuity check MEP must be configured for each ring link. For fast protection switching, a 10-ms transmission period for this MEP group is supported. OAM monitors the MEP group's MA and reports SF or SF clear events to the Ethernet ring control module. For this MEP group, the action profile must be configured to update the interface device IFF_LINKDOWN flag. OAM updates the IFF_LINKDOWN flag to notify the Ethernet ring control module.

Logical Ring This feature currently supports only the physical ring, which means that two adjacent nodes of a ring must be physically connected and the ring must operate on the physical interface, not the VLAN.

2112



FDB Flush When ring protection switching occurs, normally an FDB flush should be executed. The Ethernet ring control module (or, on the switch, the ERPS configuration) should use the same mechanism as the STP to trigger the FDB flush. The Ethernet ring control module controls the ring port physical interface's default STP index to execute the FDB flush.

Traffic Blocking and Forwarding Ethernet ring control uses the same mechanism as the STP to control forwarding or discarding of user traffic. The Ethernet ring control module sets the ring port physical interface default STP index state to forwarding or discarding in order to control user traffic.

RAPS Message Blocking and Forwarding The router or switch treats the ring automatic protection switching (RAPS) message the same as it treats user traffic for forwarding RAPS messages between two ring ports. The ring port physical interface default STP index state also controls forwarding RAPS messages between the two ring ports. Other than forwarding RAPS messages between the two ring ports, as shown in Figure 63 on page 2113, the system also needs to forward the RAPS message between the CPU (Ethernet ring control module) and the ring port. This type of forwarding does not depend on the ring port physical interfaces’ STP index state. The RAPS message is always sent by the router or switch through the ring ports, as shown in Figure 64 on page 2113. A RAPS message received from a discarding ring port is sent to the Ethernet ring control module, but is not sent to the other ring port.

Figure 63: Protocol Packets from the Network to the Router other ring port (STP index state applies on this port and the incoming ring port) g017271

Incoming ring port, R_APS multicast MAC address (01-19-a7-00-00-01) CPU (Ethernet ring module) (STP index state does not apply on the incoming ring port)

Figure 64: Protocol Packets from the Router or Switch to the Network

CPU, R_APS multicast MAC address (01-19-a7-00-00-01) west ring port (STP index state does not apply)

g017270

east ring port (STP index state does not apply)

Juniper Networks EX Series switches and Juniper Networks MX Series routers use different methods to achieve these routes. The switches use forwarding database entries to direct the RAPS messages. The forwarding database entry (keyed by the RAPS multicast address and VLAN) has a composite next hop associated with it—the composite next hop associates the two ring interfaces with the forwarding database entry and uses the split horizon feature to prevent sending the packet out on the interface that it is received on. This is an example of the forwarding database entry relating to the RAPS multicast MAC (a result of the show ethernet-switching table detail command):


2113

®


VLAN: v1, Tag: 101, MAC: 01:19:a7:00:00:01, Interface: ERP Interfaces: ge-0/0/9.0, ge-0/0/3.0 Type: Static Action: Mirror Nexthop index: 1333

The routers use an implicit filter to achieve ERP routes. Each implicit filter binds to a bridge domain. Therefore, the east ring port control channel and the west ring port control channel of a particular ring instance must be configured to the same bridge domain. For each ring port control channel, a filter term is generated to control RAPS message forwarding. The filter number is the same as the number of bridge domains that contain the ring control channels. If a bridge domain contains control channels from multiple rings, the filter related to this bridge domain will have multiple terms and each term will relate to a control channel. The filter has command parts and control-channel related parts, as follows: •

•

Common terms: •

term 1: if [Ethernet type is not OAM Ethernet type (0x8902) ] { accept packet }

•

term 2: if [source MAC address belongs to this bridge] { drop packet, our packet loop through the ring and come back to home}

•

term 3: if [destination is the RAPS PDU multicast address(0x01,0x19,0xa7, 0x00,0x00,0x01] AND[ring port STP status is DISCARDING] { send to CPU }

Control channel related terms: •

if [destination is the RAPS PDU multicast address(0x01,0x19,0xa7,0x00,0x00, 0x01] AND[ring port STP status is FORWARDING] AND [Incoming interface IFL equal to control channel IFL] { send packet to CPU and send to the other ring port } default term: accept packet.

Dedicated Signaling Control Channel For each ring port, a dedicated signaling control channel with a dedicated VLAN ID must be configured. In Ethernet ring configuration, only this control logical interface is configured and the underlying physical interface is the physical ring port. Each ring requires that two control physical interfaces be configured. These two logical interfaces must be configured in a bridge domain for routers (or the same VLAN for switches) in order to forward RAPS protocol data units (PDUs) between the two ring control physical interfaces. If the router control channel logical interface is not a trunk port, only control logical interfaces will be configured in ring port configuration. If this router control channel logical interface is a trunk port, in addition to the control channel logical interfaces, a dedicated VLAN ID must be configured for routers. For EX Series switches, always specify either a VLAN name or VLAN ID for all links.

2114



RAPS Message Termination The RAPS message starts from the originating node, travels through the entire ring, and terminates in the originating node unless a failure is present in the ring. The originating node must drop the RAPS message if the source MAC address in the RAPS message belongs to itself. The source MAC address is the node's node ID.

Multiple Rings The Ethernet ring control module supports multiple rings in each node (two logical interfaces are part of each ring). However, interconnection of multiple rings is not supported in this release. The interconnection of two rings means that two rings may share the same link or share the same node.

Node ID For each node in the ring, a unique node ID identifies each node. The node ID is the node's MAC address. For routers only, you can configure this node ID when configuring the ring on the node or automatically select an ID such as STP. In most cases, you will not configure this and the router will select a node ID, like STP does. It should be the manufacturing MAC address. The ring node ID should not be changed, even if you change the manufacturing MAC address. Any MAC address can be used if you make sure each node in the ring has a different node ID. The node ID on EX Series switches is selected automatically and is not configurable.

Bridge Domains with the Ring Port (MX Series Routers Only) On the routers, the protection group is seen as an abstract logical port that can be configured to any bridge domain. Therefore, if you configure one ring port or its logical interface in a bridge domain, you must configure the other related ring port or its logical interface to the same bridge domain. The bridge domain that includes the ring port acts as any other bridge domain and supports the IRB Layer 3 interface. Related Documentation

•


•

Configuring Ethernet Ring Protection Switching

•

Example: Ethernet Ring Protection Switching Configuration on MX Routers

•


•


•

Configuring Ethernet Ring Protection Switching (CLI Procedure) on page 2244


2115

®


2116


CHAPTER 64

Examples: Ethernet Switching Configuration •


•


•


•


•


•


•


•


•


•


•

Example: Configuring Reflective Relay for Use with VEPA Technology on page 2189

•


•


•


Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch EX Series switches use bridging and virtual LANs (VLANs) to connect network devices in a LAN—desktop computers, IP telephones, printers, file servers, wireless access points, and others—and to segment the LAN into smaller bridging domains. The switch's default configuration provides a quick setup of bridging and a single VLAN. This example describes how to configure basic bridging and VLANs for an EX Series switch: •


•



2117

®


•


•




•

One EX4200 Virtual Chassis switch

Before you set up bridging and a VLAN, be sure you have: •

Installed your EX Series switch. See Installing and Connecting an EX3200 Switch.

•

Performed the initial switch configuration. See “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259.

Overview and Topology EX Series switches connect network devices in an office LAN or a data center LAN to provide sharing of common resources such as printers and file servers and to enable wireless devices to connect to the LAN through wireless access points. Without bridging and VLANs, all devices on the Ethernet LAN are in a single broadcast domain, and all the devices detect all the packets on the LAN. Bridging creates separate broadcast domains on the LAN, creating VLANs, which are independent logical networks that group together related devices into separate network segments. The grouping of devices on a VLAN is independent of where the devices are physically located in the LAN. To use an EX Series switch to connect network devices on a LAN, you must, at a minimum, configure bridging and VLANs. If you simply power on the switch and perform the initial switch configuration using the factory-default settings, bridging is enabled on all the switch's interfaces, all interfaces are in access mode, and all interfaces belong to a VLAN called default, which is automatically configured. When you plug access devices—such as desktop computers, Avaya IP telephones, file servers, printers, and wireless access points—into the switch, they are joined immediately into the default VLAN and the LAN is up and running. The topology used in this example consists of one EX4200-24T switch, which has a total of 24 ports. Eight of the ports support Power over Ethernet (PoE), which means they provide both network connectivity and electric power for the device connecting to the port. To these ports, you can plug in devices requiring PoE, such as Avaya VoIP telephones, wireless access points, and some IP cameras. (Avaya phones have a built-in hub that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one port on the switch.) The remaining 16 ports provide only network connectivity. You use them to connect devices that have their own power sources, such as desktop and laptop computers, printers, and servers. Table 242 on page 2119 details the topology used in this configuration example.

2118


Chapter 64: Examples: Ethernet Switching Configuration

Table 242: Components of the Basic Bridging Configuration Topology Property

Settings

Switch hardware

EX4200-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)

VLAN name

default

Connection to wireless access point (requires PoE)

ge-0/0/0

Connections to Avaya IP telephone—with integrated hub, to connect phone and desktop PC to a single port (requires PoE)

ge-0/0/1 through ge-0/0/7

Direct connections to desktop PCs (no PoE required)


Connections to file servers (no PoE required)

ge-0/0/17 and ge-0/0/18

Connections to integrated printer/fax/copier machines (no PoE required)


Unused ports (for future expansion)

ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through ge-0/0/23


By default, after you perform the initial configuration on the EX4200 switch, switching is enabled on all interfaces, a VLAN named default is created, and all interfaces are placed into this VLAN. You do not need to perform any other configuration on the switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs, file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20.


To configure bridging and VLANs:

Results

1.

Make sure the switch is powered on.

2.

Connect the wireless access point to switch port ge-0/0/0.

3.

Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.

4.

Connect the five PCs to ports ge-0/0/8 through ge-0/0/12.

5.

Connect the two file servers to ports ge-0/0/17 and ge-0/0/18.

6.

Connect the two printers to ports ge-0/0/19 and ge-0/0/20.

Check the results of the configuration: user@switch> show configuration ## Last commit: 2008-03-06 00:11:22 UTC by triumph version 9.0; system {


2119

®


root-authentication { encrypted-password "$1$urmA7AFM$x5SaGEUOdSI3u1K/iITGh1"; ## SECRET-DATA } syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 { unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching;

2120



} } ge-0/0/7 { unit 0 { family ethernet-switching; } } ge-0/0/8 { unit 0 { family ethernet-switching; } } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; } } ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 { family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; }


2121

®


} ge-0/0/18 { unit 0 { family ethernet-switching; } } ge-0/0/19 { unit 0 { family ethernet-switching; } } ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching; } } ge-0/0/23 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } }

2122



ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { lldp { interface all; } rstp; } poe { interface all; }

Verification To verify that switching is operational and that a VLAN has been created, perform these tasks: •

Verifying That the VLAN Has Been Created on page 2123

•

Verifying That Interfaces Are Associated with the Proper VLANs on page 2123

Verifying That the VLAN Has Been Created Purpose Action

Verify that the VLAN named default has been created on the switch. List all VLANs configured on the switch: user@switch> show vlans Name default

Tag

Interfaces ge-0/0/0.0*, ge-0/0/4.0, ge-0/0/8.0*, ge-0/0/12.0, ge-0/0/16.0, ge-0/0/20.0, ge-0/1/0.0*,

ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0*, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0*, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*

mgmt me0.0*

Meaning

The show vlans command lists the VLANs configured on the switch. This output shows that the VLAN default has been created.

Verifying That Interfaces Are Associated with the Proper VLANs Purpose

Action

Verify that Ethernet switching is enabled on switch interfaces and that all interfaces are included in the VLAN. List all interfaces on which switching is enabled:


2123

®


user@switch> show ethernet-switching interfaces Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ge-0/0/8.0 ge-0/0/9.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/12.0 ge-0/0/13.0 ge-0/0/14.0 ge-0/0/15.0 ge-0/0/16.0 ge-0/0/17.0 ge-0/0/18.0 ge-0/0/19.0 ge-0/0/20.0 ge-0/0/21.0 ge-0/0/22.0 ge-0/0/23.0 ge-0/1/0.0 ge-0/1/1.0 ge-0/1/2.0 ge-0/1/3.0 me0.0

Meaning


State up down down down down down down down up down down up down down down down down down down up down down down down up up up up up

VLAN members default default default default default default default default default default default default default default default default default default default default default default default default default default default default mgmt

Blocking unblocked blocked blocked blocked blocked blocked blocked blocked unblocked blocked blocked unblocked blocked blocked blocked blocked blocked blocked blocked unblocked blocked blocked blocked blocked unblocked unblocked unblocked unblocked unblocked

blocked blocked blocked blocked blocked blocked blocked

by by by by by by by

STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG

blocked by STP/RTG blocked by STP/RTG blocked blocked blocked blocked blocked blocked blocked

by by by by by by by

STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG

blocked blocked blocked blocked

by by by by

STP/RTG STP/RTG STP/RTG STP/RTG

The show ethernet-switching interfaces command lists all interfaces on which switching is enabled (in the Interfaces column), along with the VLANs that are active on the interfaces (in the VLAN members column). The output in this example shows all the connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20 and that they are all part of VLAN default. Notice that the interfaces listed are the logical interfaces, not the physical interfaces. For example, the output shows ge-0/0/0.0 instead of ge-0/0/0. This is because Junos OS creates VLANs on logical interfaces, not directly on physical interfaces.

•


•


•


Example: Setting Up Bridging with Multiple VLANs for EX Series Switches To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs) on an EX Series switch. Each VLAN is a collection of network nodes. When you use VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN, and only frames not destined for the local VLAN are forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the

2124



entire LAN, reducing the possible number of collisions and packet retransmissions within the LAN. This example describes how to configure bridging for an EX Series switch and how to create two VLANs to segment the LAN: •


•


•


•



One EX4200-48P Virtual Chassis switch

•


Before you set up bridging and VLANs, be sure you have: •

Installed the EX Series switch. See Installing and Connecting an EX3200 Switch.

•


Overview and Topology EX Series switches connect all devices in an office or data center into a single LAN to provide sharing of common resources such as printers and file servers and to enable wireless devices to connect to the LAN through wireless access points. The default configuration creates a single VLAN, and all traffic on the switch is part of that broadcast domain. Creating separate network segments reduces the span of the broadcast domain and allows you to group related users and network resources without being limited by physical cabling or by the location of a network device in the building or on the LAN. This example shows a simple configuration to illustrate the basic steps for creating two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing group, and a second, called support, is for the customer support team. The sales and support groups each have their own dedicated file servers, printers, and wireless access points. For the switch ports to be segmented across the two VLANs, each VLAN must have its own broadcast domain, identified by a unique name and tag (VLAN ID). In addition, each VLAN must be on its own distinct IP subnet. The topology for this example consists of one EX4200-48P switch, which has a total of 48 Gigabit Ethernet ports, all of which support Power over Ethernet (PoE). Most of the switch ports connect to Avaya IP telephones. The remainder of the ports connect to wireless access points, file servers, and printers. Table 243 on page 2126 explains the components of the example topology.


2125

®


Table 243: Components of the Multiple VLAN Topology Property

Settings

Switch hardware

EX4200-48P, 48 Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through ge-0/0/47)


sales, tag 100 support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126) support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Interfaces in VLAN sales

Avaya IP telephones: ge-0/0/3 through ge-0/0/19 Wireless access points: ge-0/0/0 and ge-0/0/1 Printers: ge-0/0/22 and ge-0/0/23 File servers: ge-0/0/20 and ge-0/0/21

Interfaces in VLAN support

Avaya IP telephones: ge-0/0/25 through ge-0/0/43 Wireless access points: ge-0/0/24 Printers: ge-0/0/44 and ge-0/0/45 File servers: ge-0/0/46 and ge-0/0/47

Unused interfaces

ge-0/0/2 and ge-0/0/25

This configuration example creates two IP subnets, one for the sales VLAN and the second for the support VLAN. The switch bridges traffic within a VLAN. For traffic passing between two VLANs, the switch routes the traffic using a Layer 3 routing interface on which you have configured the address of the IP subnet. To keep the example simple, the configuration steps show only a few devices in each of the VLANs. Use the same configuration procedure to add more LAN devices.

Configuration Configure Layer 2 switching for two VLANs: CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (sales and support) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/0 unit 0 description “Sales wireless access point port” set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/3 unit 0 description “Sales phone port” set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/22 unit 0 description “Sales printer port” set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/20 unit 0 description “Sales file server port” set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/24 unit 0 description “Support wireless access point port” set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/26 unit 0 description “Support phone port” set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/44 unit 0 description “Support printer port”

2126



set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/46 unit 0 description “Support file server port” set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support set interfaces vlan unit 0 family inet address 192.0.2.0/25 set interfaces vlan unit 1 family inet address 192.0.2.128/25 set vlans sales l3–interface vlan.0 set vlans sales vlan-id 100 set vlans support vlan-id 200 set vlans support l3-interface vlan.1


Configure the switch interfaces and the VLANs to which they belong. By default, all interfaces are in access mode, so you do not have to configure the port mode. 1.

Configure the interface for the wireless access point in the sales VLAN: [edit interfaces ge-0/0/0 unit 0] user@switch# set description “Sales wireless access point port” user@switch# set family ethernet-switching vlan members sales

2.

Configure the interface for the Avaya IP phone in the sales VLAN: [edit interfaces ge-0/0/3 unit 0] user@switch# set description “Sales phone port” user@switch# set family ethernet-switching vlan members sales

3.

Configure the interface for the printer in the sales VLAN: [edit interfaces ge-0/0/22 unit 0] user@switch# set description “Sales printer port” user@switch# set family ethernet-switching vlan members sales

4.

Configure the interface for the file server in the sales VLAN: [edit interfaces ge-0/0/20 unit 0] user@switch# set description “Sales file server port” user@switch# set family ethernet-switching vlan members sales

5.

Configure the interface for the wireless access point in the support VLAN: [edit interfaces ge-0/0/24 unit 0] user@switch# set description “Support wireless access point port” user@switch# set family ethernet-switching vlan members support

6.

Configure the interface for the Avaya IP phone in the support VLAN: [edit interfaces ge-0/0/26 unit 0] user@switch# set description “Support phone port” user@switch# set family ethernet-switching vlan members support

7.

Configure the interface for the printer in the support VLAN: [edit interfaces ge-0/0/44 unit 0] user@switch# set description “Support printer port” user@switch# set family ethernet-switching vlan members support

8.

Configure the interface for the file server in the support VLAN: [edit interfaces ge-0/0/46 unit 0] user@switch# set description “Support file server port” user@switch# set family ethernet-switching vlan members support

9.

Create the subnet for the sales broadcast domain: [edit interfaces] user@switch# set vlan unit 0 family inet address 192.0.2.1/25

10.

Create the subnet for the support broadcast domain: [edit interfaces] user@switch# set vlan unit 1 family inet address 192.0.2.129/25

11.

Configure the VLAN tag IDs for the sales and support VLANs:


2127

®


[edit vlans] user@switch# set sales vlan-id 100 user@switch# set support vlan-id 200 12.

To route traffic between the sales and support VLANs, define the interfaces that are members of each VLAN and associate a Layer 3 interface: [edit vlans] user@switch# set sales l3-interface user@switch# set support l3-interface vlan.1

Display the results of the configuration: user@switch> show configuration interfaces { ge-0/0/0 { unit 0 { description “Sales wireless access point port”; family ethernet-switching { vlan members sales; } } } ge-0/0/3 { unit 0 { description “Sales phone port”; family ethernet-switching { vlan members sales; } } } ge-0/0/22 { unit 0 { description “Sales printer port”; family ethernet-switching { vlan members sales; } } } ge-0/0/20 { unit 0 { description “Sales file server port”; family ethernet-switching { vlan members sales; } } } ge-0/0/24 { unit 0 { description “Support wireless access point port”; family ethernet-switching { vlan members support; } } } ge-0/0/26 { unit 0 {

2128



description “Support phone port”; family ethernet-switching { vlan members support; } } } ge-0/0/44 { unit 0 { description “Support printer port”; family ethernet-switching { vlan members support; } } } ge-0/0/46 { unit 0 { description “Support file server port”; family ethernet-switching { vlan members support; } } vlans { unit 0 { family inet address 192.0.2.0/25; } unit 1 { family inet address 192.0.2.128/25; } } } } vlans { sales { vlan-id 100; interface ge-0/0/0.0: interface ge-0/0/3/0; interface ge-0/0/20.0; interface ge-0/0/22.0; l3-interface vlan 0; } support { vlan-id 200; interface ge-0/0/24.0: interface ge-0/0/26.0; interface ge-0/0/44.0; interface ge-0/0/46.0; l3-interface vlan 1; } }

TIP: To quickly configure the sales and support VLAN interfaces, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.


2129

®


Verification To verify that the “sales” and “support” VLANs have been created and are operating properly, perform these tasks: •

Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces on page 2130

•

Verifying That Traffic Is Being Routed Between the Two VLANs on page 2130

•

Verifying That Traffic Is Being Switched Between the Two VLANs on page 2131

Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces Purpose

Action

Verify that the VLANs sales and support have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN. List all VLANs configured on the switch: Use the operational mode commands: user@switch> show vlans Name Tag Interfaces default ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0*, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/21.0, ge-0/0/23.0*, ge-0/0/25.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0, ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0, ge-0/0/47.0, ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0* sales

100 ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0

support

200 ge-0/0/0.24, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*

mgmt me0.0*

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the sales and support VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with interfaces ge-0/0/0.0, ge-0/0/3.0, ge-0/0/20.0, and ge-0/0/22.0. VLAN support has a tag ID of 200 and is associated with interfaces ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, and ge-0/0/46.0.

Verifying That Traffic Is Being Routed Between the Two VLANs Purpose

2130

Verify routing between the two VLANs.



Action

List the Layer 3 routes in the switch's Address Resolution Protocol (ARP) table: user@switch> show arp MAC Address Address 00:00:0c:06:2c:0d 00:13:e2:50:62:e0

Meaning

Name 192.0.2.3 192.0.2.11

Flags vlan.0 vlan.1

None None

Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address). The ARP table displays the mapping between the IP address and MAC address for both vlan.0 (associated with sales) and vlan.1 (associated with support). These VLANs can route traffic to each other.

Verifying That Traffic Is Being Switched Between the Two VLANs Purpose Action

Verify that learned entries are being added to the Ethernet switching table. List the contents of the Ethernet switching table: user@switch> show ethernet-switching table Ethernet-switching table: 8 entries, 5 learned VLAN MAC address Type default * Flood default 00:00:05:00:00:01 Learn default 00:00:5e:00:01:09 Learn default 00:19:e2:50:63:e0 Learn sales * Flood sales 00:00:5e:00:07:09 Learn support * Flood support 00:00:5e:00:01:01 Learn

Meaning


Age – –

Interfaces All-members ge-0/0/10.0 ge-0/0/13.0 ge-0/0/23.0 All-members ge-0/0/0.0 All–members ge-0/0/46.0

The output shows that learned entries for the sales and support VLANs have been added to the Ethernet switching table, and are associated with interfaces ge-0/0/0.0 and ge-0/0/46.0. Even though the VLANs were associated with more than one interface in the configuration, these interfaces are the only ones that are currently operating.

•


•


•


Example: Connecting an Access Switch to a Distribution Switch In large local area networks (LANs), you commonly need to aggregate traffic from a number of access switches into a distribution switch. This example describes how to connect an access switch to a distribution switch: •


•



2131

®


•

Configuring the Access Switch on page 2134

•

Configuring the Distribution Switch on page 2138

•



For the distribution switch, one EX4200-24F switch. This model is designed to be used as a distribution switch for aggregation or collapsed core network topologies and in space-constrained data centers. It has twenty-four 1-Gigabit Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit Ethernet XFP ports.

•

For the access switch, one EX3200-24P, which has twenty-four 1-Gigabit Ethernet ports, all of which support Power over Ethernet (PoE), and an uplink module with four 1-Gigabit Ethernet ports.

•


Before you connect an access switch to a distribution switch, be sure you have: •

Installed the two switches. See the installation instructions for your switch.

•

Performed the initial software configuration on both switches. See “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259.

Overview and Topology In a large office that is spread across several floors or buildings, or in a data center, you commonly aggregate traffic from a number of access switches into a distribution switch. This configuration example shows a simple topology to illustrate how to connect a single access switch to a distribution switch. In the topology, the LAN is segmented into two VLANs, one for the sales department and the second for the support team. One 1-Gigabit Ethernet port on the access switch's uplink module connects to the distribution switch, to one 1-Gigabit Ethernet port on the distribution switch. Figure 65 on page 2133 shows one EX4200 switch that is connected to the three access switches.

2132



Figure 65: Topology for Configuration

Table 244 on page 2133 explains the components of the example topology. The example shows how to configure one of the three access switches. The other access switches could be configured in the same manner.

Table 244: Components of the Topology for Connecting an Access Switch to a Distribution Switch Property

Settings

Access switch hardware

EX3200-24P, 24 1-Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through ge-0/0/23); one 4-port 1–Gigabit Ethernet uplink module (EX-UM-4SFP)

Distribution switch hardware

EX4200-24F, 24 1-Gigabit Ethernet fiber SPF ports (ge-0/0/0 through ge-0/0/23); one 2–port 10–Gigabit Ethernet XFP uplink module (EX-UM-4SFP)


sales, tag 100 support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126) support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Trunk port interfaces

On the access switch: ge-0/1/0 On the distribution switch: ge-0/0/0

Access port interfaces in VLAN sales (on access switch)

Avaya IP telephones: ge-0/0/3 through ge-0/0/19 Wireless access points: ge-0/0/0 and ge-0/0/1 Printers: ge-0/0/22 and ge-0/0/23 File servers: ge-0/0/20 and ge-0/0/21

Access port interfaces in VLAN support (on access switch)

Avaya IP telephones: ge-0/0/25 through ge-0/0/43 Wireless access points: ge-0/0/24 Printers: ge-0/0/44 and ge-0/0/45 File servers: ge-0/0/46 and ge-0/0/47


2133

®


Table 244: Components of the Topology for Connecting an Access Switch to a Distribution Switch (continued) Property

Settings

Unused interfaces on access switch

ge-0/0/2 and ge-0/0/25

Configuring the Access Switch To configure the access switch: CLI Quick Configuration

To quickly configure the access switch, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/0 unit 0 description "Sales Wireless access point port" set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/3 unit 0 description "Sales phone port" set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/22 unit 0 description "Sales printer port" set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/20 unit 0 description "Sales file server port" set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/24 unit 0 description "Support wireless access point port" set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/26 unit 0 description "Support phone port" set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/44 unit 0 description "Support printer port" set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/46 unit 0 description "Support file server port" set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support set interfaces ge-0/1/0 unit 0 description "Uplink module port connection to distribution switch" set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id 1 set interfaces ge-0/1/0 unit 0 family ethernet switching vlan members [sales support] set interfaces vlan unit 0 family inet address 192.0.2.1/25 set interfaces vlan unit 1 family inet address 192.0.2.129/25 set vlans sales interface ge-0/0/0.0 set vlans sales interface ge-0/0/3.0 set vlans sales interface ge-0/0/22.0 set vlans sales interface ge-0/0/20.0 set vlans sales l3-interface vlan.0 set vlans sales vlan-id 100 set vlans support interface ge-0/0/24.0 set vlans support interface ge-0/0/26.0 set vlans support interface ge-0/0/44.0 set vlans support interface ge-0/0/46.0 set vlans support vlan-id 200 set vlans support l3–interface vlan.1

2134




To configure the access switch: 1.

Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk port that connects to the distribution switch: [edit interfaces ge-0/1/0 unit 0] user@access-switch# set description "Uplink module port connection to distribution switch" user@access-switch# set ethernet-switching port-mode trunk

2.

Specify the VLANs to be aggregated on the trunk port: [edit interfaces ge-0/1/0 unit 0] user@access-switch# set ethernet-switching vlan members [ sales support ]

3.

Configure the VLAN ID to use for packets that are received with no dot1q tag (untagged packets): [edit interfaces ge-0/1/0 unit 0] user@access-switch# set ethernet-switching native-vlan-id 1

4.

Configure the sales VLAN: [edit vlans sales] user@access-switch# set vlan-id (802.1Q Tagging) 100 user@access-switch# set l3-interface (VLANs) vlan.0

5.

Configure the support VLAN: [edit vlans support] user@access-switch# set vlan-id (802.1Q Tagging) 200 user@access-switch# set l3-interface (VLANs) vlan.1

6.

Create the subnet for the sales broadcast domain: [edit interfaces] user@access-switch# set vlan unit 0 family inet address 192.0.2.1/25

7.

Create the subnet for the support broadcast domain: [edit interfaces] user@access-switch# set vlan unit 1 family inet address 192.0.2.129/25

8.

Configure the interfaces in the sales VLAN: [edit interfaces] user@access-switch# user@access-switch# user@access-switch# user@access-switch# user@access-switch# user@access—switch# user@access-switch# user@access-switch#

9.

set ge-0/0/0 unit 0 description "Sales wireless access point port" set ge-0/0/0 unit 0 family ethernet-switching vlan members sales set ge-0/0/3 unit 0 description "Sales phone port" set ge-0/0/3 unit 0 family ethernet-switching vlan members sales set ge-0/0/20 unit 0 description "Sales file server port" set ge-0/0/20 unit 0 family ethernet-switching vlan members sales set ge-0/0/22 unit 0 description "Sales printer port" set ge-0/0/22 unit 0 family ethernet-switching vlan members sales

Configure the interfaces in the support VLAN: [edit interfaces] user@access-switch# port" user@access-switch# support user@access-switch# user@access-switch# support user@access-switch# user@access-switch# support user@access-switch#


set ge-0/0/24 unit 0 description "Support wireless access point set ge-0/0/24 unit 0 family ethernet-switching vlan members set ge-0/0/26 unit 0 description "Support phone port" set ge-0/0/26 unit 0 family ethernet-switching vlan members set ge-0/0/44 unit 0 description "Support printer port" set ge-0/0/44 unit 0 family ethernet-switching vlan members set ge-0/0/46 unit 0 description "Support file server port"

2135

®


user@access-switch# set ge-0/0/46 unit 0 family ethernet-switching vlan members support 10.

Configure descriptions and VLAN tag IDs for the sales and support VLANs: [edit vlans] user@access-switch# user@access-switch# user@access-switch# user@access-switch#

11.

set sales vlan-description "Sales VLAN" set sales vlan-id 100 set support vlan-description "Support VLAN" set support vlan-id 200

To route traffic between the sales and support VLANs and associate a Layer 3 interface with each VLAN: [edit vlans] user@access-switch# set sales l3-interface vlan.0 user@access-switch# set support l3-interface vlan.1

Results

Display the results of the configuration: user@access-switch> show interfaces { ge-0/0/0 { unit 0 { description "Sales wireless access point port"; family ethernet-switching { vlan members sales; } } } ge-0/0/3 { unit 0 { description "Sales phone port"; family ethernet-switching { vlan members sales; } } } ge-0/0/20 { unit 0 { description "Sales file server port"; family ethernet-switching { vlan members sales; } } } ge-0/0/22 { unit 0 { description "Sales printer port"; family ethernet-switching { vlan members sales; } } } ge-0/0/24 { unit 0 { description "Support wireless access point port"; family ethernet-switching { vlan members support;

2136



} } } ge-0/0/26 { unit 0 { description "Support phone port"; family ethernet-switching { vlan members support; } } } ge-0/0/44 { unit 0 { description "Support printer port"; family ethernet-switching { vlan members sales; } } } ge-0/0/46 { unit 0 { description "Support file server port"; family ethernet-switching { vlan members support; } } } ge-0/1/0 { unit 0 { description "Uplink module port connection to distribution switch"; family ethernet-switching { port-mode trunk; vlan members [ sales support ]; native-vlan-id 1; } } } vlan { unit 0 { family inet address 192.0.2.1/25; } unit 1 { family inet address 192.0.2.129/25; } } } vlans { sales { vlan-id 100; vlan-description "Sales VLAN"; l3-interface vlan.0; } support { vlan-id 200; vlan-description "Support VLAN"; l3-interface vlan.1;


2137

®


} }

TIP: To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.

Configuring the Distribution Switch To configure the distribution switch: CLI Quick Configuration

To quickly configure the distribution switch, copy the following commands and paste them into the switch terminal window: set interfaces ge-0/0/0 description "Connection to access switch" set interfaces ge-0/0/0 ethernet-switching port-mode trunk set interfaces ge-0/0/0 ethernet-switching vlan members [ sales support ] set interfaces ge-0/0/0 ethernet-switching native-vlan-id 1 set interfaces vlan unit 0 family inet address 192.0.2.2/25 set interfaces vlan unit 1 family inet address 192.0.2.130/25 set vlans sales vlan-description "Sales VLAN" set vlans sales vlan-id 100 set vlans sales l3-interface vlan.0 set vlans support vlan-description "Support VLAN" set vlans support vlan-id 200 set vlans support l3-interface vlan.1


To configure the distribution switch: 1.

Configure the interface on the switch to be the trunk port that connects to the access switch: [edit interfaces ge-0/0/0 unit 0] user@distribution-switch# set description "Connection to access switch" user@distribution-switch# set ethernet-switching port-mode trunk

2.

Specify the VLANs to be aggregated on the trunk port: [edit interfaces ge-0/0/0 unit 0] user@distribution-switch# set ethernet-switching vlan members [ sales support ]

3.

Configure the VLAN ID to use for packets that are received with no dot1q tag (untagged packets): [edit interfaces] user@distribution-switch# set ge-0/0/0 ethernet-switching native-vlan-id 1

4.

Configure the sales VLAN: [edit vlans sales] user@distribution-switch# set vlan-description "Sales VLAN" user@distribution-switch# set vlan-id (802.1Q Tagging) 100 user@distribution-switch# set l3-interface (VLANs) vlan.0

The reason that the VLAN configuration for this distribution switch includes the statement set l3-interface vlan.0 is that the VLAN is being configured for an attached router. The access switch VLAN configuration did not include this statement because the access switch is not monitoring IP addresses, but is instead passing them to the distribution switch for interpretation.

2138



5.

Configure the support VLAN: [edit vlans support] user@distribution-switch# set vlan-description "Support VLAN" user@distribution-switch# set vlan-id (802.1Q Tagging) 200 user@distribution-switch# set l3-interface (VLANs) vlan.1

The reason that the VLAN configuration for this distribution switch includes the statement set l3-interface vlan.1 is that the VLAN is being configured for an attached router. The access switch VLAN configuration did not include this statement because the access switch is not monitoring IP addresses, but is instead passing them to the distribution switch for interpretation. 6.

Create the subnet for the sales broadcast domain: [edit interfaces] user@distribution-switch# set vlan unit 0 family inet address 192.0.2.2/25

7.

Create the subnet for the support broadcast domain: [edit interfaces] user@distribution-switch# set vlan unit 1 family inet address 192.0.2.130/25

Results

Display the results of the configuration: user@distribution-switch> show interfaces { ge-0/0/0 { description "Connection to access switch"; unit 0 { family ethernet-switching { port-mode trunk; vlan members [ sales support ]; native-vlan-id 1; } } } vlan { unit 0 { family inet address 192.0.2.2/25; } unit 1 { family inet address 192.0.2.130/25; } } } vlans { sales { vlan-id 100; vlan-description "Sales VLAN"; l3-interface vlan.0; } support { vlan-id 200; vlan-description "Support VLAN"; l3-interface vlan.1; } }


2139

®


TIP: To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.


Verifying the VLAN Members and Interfaces on the Access Switch on page 2140

•

Verifying the VLAN Members and Interfaces on the Distribution Switch on page 2140

Verifying the VLAN Members and Interfaces on the Access Switch Purpose Action

Verify that the sales and support have been created on the switch. List all VLANs configured on the switch: user@switch> show vlans Name default

Tag

Interfaces ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0*, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/14.0, ge-0/0/18.0, ge-0/0/25.0, ge-0/0/30.0, ge-0/0/34.0, ge-0/0/38.0, ge-0/0/42.0, ge-0/1/1.0*,

sales

ge-0/0/11.0*, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/19.0*,ge-0/0/21.0, ge-0/0/23.0, ge-0/0/27.0*,ge-0/0/28.0, ge-0/0/29.0, ge-0/0/31.0*,ge-0/0/32.0, ge-0/0/33.0, ge-0/0/35.0*,ge-0/0/36.0, ge-0/0/37.0, ge-0/0/39.0*,ge-0/0/40.0, ge-0/0/41.0, ge-0/0/43.0*,ge-0/0/45.0, ge-0/0/47.0, ge-0/1/2.0*, ge-0/1/3.0*

100 ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0, ge-0/1/0.0*,

support

200 ge-0/0/24.0*, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0,

mgmt me0.0*

Meaning

The output shows the sales and support VLANs and the interfaces associated with them.

Verifying the VLAN Members and Interfaces on the Distribution Switch Purpose Action

2140

Verify that the sales and support have been created on the switch. List all VLANs configured on the switch:



user@switch> show vlans Name default

Tag

Interfaces ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0*, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0*, ge-0/0/23.0, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*

sales

100 ge-0/0/0.0*

support

200 ge-0/0/0.0*

mgmt me0.0*

Meaning


The output shows the sales and support VLANs associated to interface ge-0/0/0.0. Interface ge-0/0/0.0 is the trunk interface connected to the access switch.

•


•


•


Example: Configuring Redundant Trunk Links for Faster Recovery You can manage network convergence by configuring both a primary link and a secondary link on a switch; this is called a redundant trunk group (RTG). If the primary link in a redundant trunk group fails, it passes its known MAC address locations to the secondary link, which automatically takes over after one minute. This example describes how to create a redundant trunk group with a primary and a secondary link: •


•


•

Disabling RSTP on Switches 1 and 2 on page 2144

•

Configuring Redundant Trunk Links on Switch 3 on page 2145

•



Two EX Series distribution switches

•

One EX Series access switch


2141

®


•


Before you configure the redundant trunk links network on the access and distribution switches, be sure you have: •

Configured interfaces ge-0/0/9 and ge-0/0/10 on the access switch, Switch 3, as trunk interfaces. See “Configuring Gigabit Ethernet Interfaces (CLI Procedure)” on page 1818.

•

Configured one trunk interface on each distribution switch, Switch 1 and Switch 2.

•

Connected the three switches as shown in the topology for this example (see Figure 66 on page 2144).

Overview and Topology In a typical enterprise network comprised of distribution and access layers, a redundant trunk link provides a simple solution for trunk interface network recovery. When a trunk interface fails, data traffic is routed to another trunk interface after one minute, thereby keeping network convergence time to a minimum. This example shows the configuration of a redundant trunk group, which includes one primary link (and its interface) and one unspecified link (and its interface) that serves as the secondary link. A second type of redundant trunk group, not illustrated in the example, consists of two unspecified links (and their interfaces); in this case, neither of the links is primary. In this second case, the software selects an active link by comparing the port numbers of the two links and activating the link with the higher port number. For example, if the two link interfaces use interfaces ge-0/1/0 and ge-0/1/1, the software activates ge-0/1/1. (In the interface names, the final number is the port number.) The two links in a redundant trunk group generally operate the same way, whether they are configured as primary/unspecified or unspecified/unspecified. Data traffic initially passes through the active link but is blocked on the inactive link. While data traffic is blocked on the secondary link, note that Layer 2 control traffic is still permitted if the link is active. For example, an LLDP session can be run between two switches on the secondary link. If the active link either goes down or is disabled administratively, it broadcasts a list of its known MAC addresses for data traffic; the other link immediately picks up and adds the MAC addresses to its address table, becomes active, and begins forwarding traffic. The one difference in operation between the two types of redundant trunk groups occurs when a primary link is active, goes down, is replaced by the secondary link, and then reactivates. When a primary link is re-enabled like this while the secondary link is active, the primary link waits 2 minutes (you can change the length of time to accommodate your network) and then takes over as the active link. In other words, the primary link has priority and is always activated if it is available. This differs from the behavior of two unspecified links, which act as equals. Because the unspecified links are equal, the active link remains active until it either goes down or is disabled administratively; this is the only time that the other unspecified link learns the MAC addresses and immediately becomes active.

2142



The example given here illustrates a primary/unspecified configuration for a redundant trunk group because that configuration gives you more control and is more commonly used.

NOTE: Rapid Spanning Tree Protocol (RSTP) is enabled by default on EX Series switches to create a loop-free topology, but an interface is not allowed to be in both a redundant trunk group and in a spanning-tree protocol topology at the same time. You will need to disable RSTP on the two distribution switches in the example, Switch 1 and Switch 2. Spanning-tree protocols can, however, continue operating in other parts of the network—for example, between the distribution switches and also in links between distribution switches and the enterprise core.

Figure 66 on page 2144 displays an example topology containing three switches. Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the access layer. Switch 3 is connected to the distribution layer through trunk interfaces ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2). Table 245 on page 2144 lists the components used in this redundant trunk group. Because RSTP and RTG cannot operate simultaneously on a switch, you disable RSTP on Switch 1 and Switch 2 in the first configuration task, and you disable RSTP on Switch 3 in the second task. The second configuration task also creates a redundant group called example 1 on Switch 3. The trunk interfaces ge-0/0/9.0 and ge-0/0/10.0 are the two links configured in the second configuration task. You configure the trunk interface ge-0/0/9.0 as the primary link. You configure the trunk interface ge-0/0/10.0 as an unspecified link, which becomes the secondary link by default.


2143

®


Figure 66: Topology for Configuring the Redundant Trunk Links

Table 245: Components of the Redundant Trunk Link Topology Property

Settings

Switch hardware

•

Switch 1–1 EX Series distribution switch

•

Switch 2–1 EX Series distribution switch

•

Switch 3–1 EX Series access switch

Trunk interfaces

On Switch 3 (access switch): ge-0/0/9.0 and ge-0/0/10.0

Redundant trunk group

example1

Disabling RSTP on Switches 1 and 2 To disable RSTP on Switch 1 and Switch 2, perform this task on each switch: CLI Quick Configuration

To quickly disable RSTP on Switch 1 and Switch 2, copy the following command and paste it into each switch terminal window: [edit] set protocols rstp disable


To disable RSTP on Switch 1 and Switch 2: 1.

Disable RSTP on Switch 1 and Switch 2: [edit] user@switch# set protocols rstp disable

Results

2144

Check the results of the configuration:



[edit] user@switch# show protocols { rstp { disable; } }

Configuring Redundant Trunk Links on Switch 3 To configure redundant trunk links on Switch 3, perform this task: CLI Quick Configuration

To quickly configure the redundant trunk group example1 on Switch 3, copy the following commands and paste them into the switch terminal window: [edit] set protocols rstp disable set ethernet-switching-options redundant-trunk-group group example1 interface ge-0/0/9.0 primary set ethernet-switching-options redundant-trunk-group group example1 interface ge-0/0/10.0 set redundant-trunk-group group example1 preempt-cutover-timer 60


Configure the redundant trunk group example1 on Switch 3. 1.

Turn off RSTP: [edit] user@switch# set protocols rstp disable

2.

Name the redundant trunk group example1 while configuring trunk interface ge-0/0/9.0 as the primary link and ge-0/0/10 as an unspecified link to serve as the secondary link: [edit ethernet-switching-options] user@switch# set redundant-trunk-group group example1 interface (Redundant Trunk Groups) ge-0/0/9.0 primary user@switch# set redundant-trunk-group group example1 interface ge-0/0/10.0

3.

(Optional) Change the length of time (from the default 120 seconds) that a re-enabled primary link waits to take over for an active secondary link: [edit ethernet-switching-options] user@switch# set redundant-trunk-group group example1 preempt-cutover-timer 60

Results

Check the results of the configuration: [edit] user@switch# show ethernet-switching-options redundant-trunk-group { group example1 { preempt-cutover-timer 60; interface ge-0/0/9.0 primary; interface ge-0/0/10.0; } } protocols rstp {


2145

®


disable; }

Verification To confirm that the configuration is working properly, perform this task: •

Verifying That a Redundant Trunk Group Was Created on page 2146

Verifying That a Redundant Trunk Group Was Created Purpose

Action

Verify that the redundant trunk group example1 has been created on Switch 1 and that trunk interfaces are members of the redundant trunk group. List all redundant trunk groups configured on the switch: user@switch> show redundant-trunk-group Group Interface State Time of last flap name example1

Meaning


ge-0/0/9.0 Up/Pri ge-0/0/10.0 Up

Never Never

Flap count 0 0

The show redundant-trunk-group command lists all redundant trunk groups configured on the switch, both links’ interface addresses, and the links’ current states (up or down for an unspecified link, and up or down and primary for a primary link). For this configuration example, the output shows that the redundant trunk group example1 is configured on the switch. The (Up) beside the interfaces indicates that both link cables are physically connected. The (Pri) beside trunk interface ge-0/0/9.0 indicates that it is configured as the primary link.

•

Configuring Redundant Trunk Links for Faster Recovery (CLI Procedure) on page 2241

Example: Setting Up Q-in-Q Tunneling on EX Series Switches Service providers can use Q-in-Q tunneling to transparently pass Layer 2 VLAN traffic from a customer site, through the service provider network, to another customer site without removing or changing the customer VLAN tags or class-of-service (CoS) settings. You can configure Q-in-Q tunneling on EX Series switches. This example describes how to set up Q-in-Q:

2146

•


•


•


•




Requirements This example requires one EX Series switch with Junos OS Release 9.3 or later for EX Series switches. Before you begin setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217.

Overview and Topology In this service provider network, there are multiple customer VLANs mapped to one service VLAN. Table 246 on page 2147 lists the settings for the example topology.

Table 246: Components of the Topology for Setting Up Q-in-Q Tunneling Interface

Description

ge-0/0/11.0

Tagged S-VLAN trunk port

ge-0/0/12.0

Untagged customer-facing access port

ge-0/0/13.0

Untagged customer-facing access port

ge-0/0/14.0

Tagged S-VLAN trunk port


To quickly create and configure Q-in-Q tunneling, copy the following commands and paste them into the switch terminal window: [edit] set vlans qinqvlan vlan-id 4001 set vlans qinqvlan dot1q-tunneling customer-vlans 1-100 set vlans qinqvlan dot1q-tunneling customer-vlans 201-300 set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 4001 set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members 4001 set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members 4001 set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members 4001 set ethernet-switching-options dot1q-tunneling ether-type 0x9100


To configure Q-in-Q tunneling: 1.

Set the VLAN ID for the S-VLAN: [edit vlans] user@switch# set qinqvlan vlan-id (Layer 3 Subinterfaces) 4001

2.

Enable Q-in-Q tuennling and specify the customer VLAN ranges: [edit vlans]


2147

®


user@switch# set qinqvlan dot1q-tunneling customer-vlans 1-100 user@switch# set qinqvlan dot1q-tunneling customer-vlans 201-300 3.

Set the port mode and VLAN information for the interfaces: [edit interfaces] user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/11 unit 0 family ethernet-switching vlan members 4001 user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/12 unit 0 family ethernet-switching vlan members 4001 user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/13 unit 0 family ethernet-switching vlan members 4001 user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/14 unit 0 family ethernet-switching vlan members 4001

4.

Set the Q-in-Q Ethertype value: [edit] user@switch# set ethernet-switching-options dot1q-tunneling ether-type 0x9100

Check the results of the configuration: user@switch> show configuration vlans qinqvlan vlan-id 4001 { dot1q-tunneling { customer-vlans [ 1-100 201-300 ]; } user@switch> show configuration interfaces ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan members 4001; } } } ge-0/0/12 { unit 0 { family ethernet-switching { port-mode access; vlan members 4001; } } } ge-0/0/13 { unit 0 { family ethernet-switching { port-mode access; vlan members 4001; } } } ge-0/0/14 { unit 0 { family ethernet-switching { port-mode trunk; vlan members 4001; } }

2148



} user@switch> show ethernet-switching-options dot1q-tunneling { ether-type 0x9100; }


Verifying That Q-in-Q Tunneling Was Enabled on page 2149

Verifying That Q-in-Q Tunneling Was Enabled Purpose Action

Verify that Q-in-Q tunneling was properly enabled on the switch. Use the show vlans command: user@switch> show vlans qinqvlan extensive VLAN: qinqvlan, Created at: Thu Sep 18 07:17:53 2008 802.1Q Tag: 4001, Internal index: 18, Admin State: Enabled, Origin: Static Dot1q Tunneling Status: Enabled Customer VLAN ranges: 1-100 201-300 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 4 (Active = 0) ge-0/0/11.0, tagged, trunk ge-0/0/14.0, tagged, trunk ge-0/0/12.0, untagged, access ge-0/0/13.0, untagged, access

Meaning


The output indicates that Q-in-Q tunneling is enabled and that the VLAN is tagged and shows the associated customer VLANs.

•


Example: Configuring a Private VLAN on a Single EX Series Switch For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. This example describes how to create a PVLAN on a single EX Series switch:


2149

®



•


•


•


•




•


Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

Overview and Topology In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and two community VLANs, one for HR and one for finance, as well as two isolated ports—one for the mail server and the other for the backup server. Table 247 on page 2150 lists the settings for the example topology.

Table 247: Components of the Topology for Configuring a PVLAN Interface

Description

ge-0/0/0.0

Primary VLAN (pvlan) trunk interface

ge-0/0/11.0

User 1, HR Community (hr-comm)

ge-0/0/12.0

User 2, HR Community (hr-comm)

ge-0/0/13.0

User 3, Finance Community (finance-comm)

ge-0/0/14.0

User 4, Finance Community (finance-comm)

ge-0/0/15.0

Mail server, Isolated (isolated)

ge-0/0/16.0

Backup server, Isolated (isolated)

ge-1/0/0.0

Primary VLAN ( pvlan) trunk interface

2150



Figure 67 on page 2151 shows the topology for this example.

Figure 67: Topology of a Private VLAN on a Single EX Series Switch

Configuration To configure a PVLAN, perform these tasks: CLI Quick Configuration

To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window: [edit] set vlans pvlan vlan-id 1000 set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access set vlans pvlan no-local-switching set vlans pvlan interface ge-0/0/0.0 set vlans pvlan interface ge-1/0/0.0 set vlans hr-comm interface ge-0/0/11.0 set vlans hr-comm interface ge-0/0/12.0 set vlans finance-comm interface ge-0/0/13.0


2151

®


set vlans finance-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan set vlans finance-comm primary-vlan pvlan


To configure the PVLAN: 1.

Set the VLAN ID for the primary VLAN: [edit vlans] user@switch# set pvlan vlan-id (802.1Q Tagging) 1000

2.

Set the interfaces and port modes: [edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan user@switch# set ge-1/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/15 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/16 unit 0 family ethernet-switching port-mode access

3.

Set the primary VLAN to have no local switching:

NOTE: The primary VLAN must be a tagged VLAN.

[edit vlans] user@switch# set pvlan no-local-switching 4.

Add the trunk interfaces to the primary VLAN: [edit vlans] user@switch# set pvlan interface ge-0/0/0.0 user@switch# set pvlan interface ge-1/0/0.0

5.

For each secondary VLAN, configure access interfaces:

NOTE: We recommend that the secondary VLANs be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch.

[edit vlans] user@switch# user@switch# user@switch# user@switch# 6.

set hr-comm interface ge-0/0/11.0 set hr-comm interface ge-0/0/12.0 set finance-comm interface ge-0/0/13.0 set finance-comm interface ge-0/0/14.0

For each community VLAN, set the primary VLAN: [edit vlans] user@switch# set hr-comm primary-vlan pvlan user@switch# set finance-comm primary-vlan pvlan

7.

Add each isolated interface to the primary VLAN: [edit vlans]

2152



user@switch# set pvlan interface ge-0/0/15.0 user@switch# set pvlan interface ge-0/0/16.0

Check the results of the configuration: [edit] user@switch# show interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members pvlan; } } } } ge-1/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/12 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/13 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/14 { unit 0 { family ethernet-switching { port-mode access; } } } vlans { finance-comm { interface { ge-0/0/13.0; ge-0/0/14.0;


2153

®


} primary-vlan pvlan; } hr-comm { interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan; } pvlan { vlan-id 1000; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0; ge-1/0/0.0; } no-local-switching; } }


Verifying That the Private VLAN and Secondary VLANs Were Created on page 2154

Verifying That the Private VLAN and Secondary VLANs Were Created Purpose Action

Verify that the primary VLAN and secondary VLANs were properly created on the switch. Use the show vlans command: user@switch> show vlans pvlan extensive VLAN: pvlan, Created at: Tue Sep 16 17:59:47 2008 802.1Q Tag: 1000, Internal index: 18, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-0/0/15.0, untagged, access ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk Secondary VLANs: Isolated 2, Community 2 Isolated VLANs : __pvlan_pvlan_ge-0/0/15.0__ __pvlan_pvlan_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm user@switch> show vlans hr-comm extensive

2154



VLAN: hr-comm, Created at: Tue Sep 16 17:59:47 2008 Internal index: 22, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans finance-comm extensive VLAN: finance-comm, Created at: Tue Sep 16 17:59:47 2008 Internal index: 21, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __pvlan_pvlan_ge-0/0/15.0__ extensive VLAN: __pvlan_pvlan_ge-0/0/15.0__, Created at: Tue Sep 16 17:59:47 2008 Internal index: 19, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/15.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __pvlan_pvlan_ge-0/0/16.0__ extensive VLAN: __pvlan_pvlan_ge-0/0/16.0__, Created at: Tue Sep 16 17:59:47 2008 Internal index: 20, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk

Meaning


The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.

•


•


Example: Configuring a Private VLAN Spanning Multiple EX Series Switches For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches.


2155

®


This example describes how to create a PVLAN spanning multiple EX Series switches. The example creates one primary PVLAN, containing multiple secondary VLANs:


•


•


•

Configuring a PVLAN on Switch 1 on page 2159

•


•


•



Three EX Series switches

•


Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

Overview and Topology In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple EX Series switches, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an Interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches, two access switches and one distribution switch. The PVLAN is connected to a router through a promiscuous port, which is configured on the distribution switch.

NOTE: The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with each other even though they are included within the same domain. See “Understanding Private VLANs on EX Series Switches” on page 2080.

Figure 68 on page 2157 shows the topology for this example—two access switches connecting to a distribution switch, which has a connection (through a promiscuous port) to the router.

2156



Figure 68: PVLAN Topology Spanning Multiple Switches

Table 248 on page 2158, Table 249 on page 2158, and Table 250 on page 2159 list the settings for the example topology.


2157

®


Table 248: Components of Switch 1 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches Property

Settings


primary-vlan, tag 100 isolation-id, tag 50 finance-comm, tag 300 hr-comm, tag 400

PVLAN trunk interfaces

ge-0/0/0.0, Connects Switch 1 to Switch 3 ge-0/0/5.0, Connects Switch 1 to Switch 2

Interfaces in VLAN isolation

ge-0/0/15.0, Mail server ge-0/0/16.0, Backup server

Interfaces in VLAN finance-com

ge-0/0/11.0 ge-0/0/12.0

Interfaces in VLAN hr-comm

ge-0/0/13.0 ge-0/0/14.0


Settings





Interfaces in VLAN isolation

ge-0/0/17.0,CVS server

Interfaces in VLAN finance-com

ge-0/0/11.0 ge-0/0/12.0

Interfaces in VLAN hr-comm

ge-0/0/13.0 ge-0/0/14.0

2158




Settings





Promiscuous port

ge-0/0/2, Connects the PVLAN to the router

NOTE: You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port.

Configuring a PVLAN on Switch 1 CLI Quick Configuration

When configuring a PVLAN on multiple switches, these rules apply: •

The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.

•

Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.

•


•


•


To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1: [edit] set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/11.0 set vlans finance-comm interface ge-0/0/12.0 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/13.0 set vlans hr-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/15.0 set vlans pvlan100 interface ge-0/0/16.0 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/5.0 pvlan-trunk set vlans pvlan100 no-local-switching set vlans pvlan100 isolation-id 50


2159

®



Complete the configuration steps below in the order shown—also, complete all steps before committing the configuration in a single commit. This is the easiest way to avoid error messages triggered by violating any of these three rules: •


•


•

Secondary vlans and a PVLAN trunk must be committed on a single commit.

To configure a PVLAN on Switch 1 that will span multiple switches: 1.

Set the VLAN ID for the primary VLAN: [edit vlans] user@switch# set pvlan100 vlan–id 100

2.

Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches: [edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk

3.

Set the primary VLAN to have no local switching: [edit vlans] user@switch# set pvlan100 no-local-switching

4.

Set the VLAN ID for the finance-comm community VLAN that spans the switches: [edit vlans] user@switch# finance-comm vlan-id (802.1Q Tagging) 300 user@switch# set pvlan100 vlan–id 100

5.

Configure access interfaces for the finance-comm VLAN: [edit vlans] user@switch# set finance-comm interface (VLANs) ge-0/0/11.0 user@switch# set finance-comm interface ge-0/0/12.0

6.

Set the primary VLAN of this secondary community VLAN, finance-comm : [edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100

7.

Set the VLAN ID for the HR community VLAN that spans the switches. [edit vlans] user@switch# hr-comm vlan-id 400

8.

Configure access interfaces for the hr-comm VLAN: [edit vlans] user@switch# set hr-comm interface ge-0/0/13.0 user@switch# set hr-comm interface ge-0/0/14.0

9.

Set the primary VLAN of this secondary community VLAN, hr-comm : [edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100

10.

Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches: [edit vlans] user@switch# set pvlan100 isolation-id 50

2160



NOTE: To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.

Check the results of the configuration: [edit] user@switch# show vlans { finance-comm { vlan-id 300; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } hr-comm { vlan-id 400; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0 { pvlan-trunk; } ge-0/0/5.0 { pvlan-trunk; } } no-local-switching; isolation-id 50; } }


To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:


2161

®


NOTE: The configuration of Switch 2 is the same as the configuration of Switch 1 except for the interface in the inter-switch isolated domain. For Switch 2, the interface is ge-0/0/17.0.

[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/11.0 set vlans finance-comm interface ge-0/0/12.0 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/13.0 set vlans hr-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/17.0 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/5.0 pvlan-trunk set vlans pvlan100 no-local-switching set vlans pvlan100 isolation-id 50


To configure a PVLAN on Switch 2 that will span multiple switches: 1.

Set the VLAN ID for the finance-comm community VLAN that spans the switches: [edit vlans] user@switch# finance-comm vlan-id (802.1Q Tagging) 300 user@switch# set pvlan100 vlan–id 100

2.

Configure access interfaces for the finance-comm VLAN: [edit vlans] user@switch# set finance-comm interface (VLANs) ge-0/0/11.0 user@switch# set finance-comm interface ge-0/0/12.0

3.

Set the primary VLAN of this secondary community VLAN, finance-comm : [edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100

4.

Set the VLAN ID for the HR community VLAN that spans the switches. [edit vlans] user@switch# hr-comm vlan-id 400

5.

Configure access interfaces for the hr-comm VLAN: [edit vlans] user@switch# set hr-comm interface ge-0/0/13.0 user@switch# set hr-comm interface ge-0/0/14.0

6.

Set the primary VLAN of this secondary community VLAN, hr-comm : [edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100

7.


8.

Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches: [edit vlans]

2162



user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk

Set the primary VLAN to have no local switching:

9.

[edit vlans] user@switch# set pvlan100 no-local-switching 10.



Check the results of the configuration: [edit] user@switch# show vlans { finance-comm { vlan-id 300; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } hr-comm { vlan-id 400; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0 { pvlan-trunk; } ge-0/0/5.0 { pvlan-trunk; } ge-0/0/17.0; } no-local-switching; isolation-id 50; }


2163

®


}


To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:

NOTE: Interface ge-0/0/2.0 is a trunk port connecting the PVLAN to a router.

[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/1.0 pvlan-trunk set vlans pvlan100 no-local-switching set vlans pvlan100 isolation-id 50


To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure: 1.

Set the VLAN ID for the finance-comm community VLAN that spans the switches: [edit vlans] user@switch# finance-comm vlan-id (802.1Q Tagging) 300 [edit vlans] user@switch# set pvlan100 vlan–id 100

2.

Set the primary VLAN of this secondary community VLAN, finance-comm: [edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100

3.

Set the VLAN ID for the HR community VLAN that spans the switches: [edit vlans] user@switch# hr-comm vlan-id 400

4.

Set the primary VLAN of this secondary community VLAN, hr-comm: [edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100

5.


6.

Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches: [edit vlans] user@switch# set pvlan100 interface (VLANs) ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk

7.

Set the primary VLAN to have no local switching: [edit vlans]

2164



user@switch# set pvlan100 no-local-switching 8.



Check the results of the configuration: [edit] user@switch# show vlans { finance-comm { vlan-id 300; primary-vlan pvlan100; } hr-comm { vlan-id 400; primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/0.0 { pvlan-trunk; } ge-0/0/1.0 { pvlan-trunk; } ge-0/0/2.0; } no-local-switching; isolation-id 50; } }


Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1 on page 2166

•


•



2165

®


Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1 Purpose

Action

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1: Use the show vlans extensive command: user@switch> show vlans extensive VLAN: __pvlan_pvlan100_ge-0/0/15.0__, Created at: Thu Sep 16 23:15:27 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/15.0*, untagged, access VLAN: __pvlan_pvlan100_ge-0/0/16.0__, Created at: Thu Sep 16 23:15:27 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/16.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 300, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 400, Internal index: 9, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access

2166



VLAN: pvlan100, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 6 (Active = 6) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access ge-0/0/15.0*, untagged, access ge-0/0/16.0*, untagged, access Secondary VLANs: Isolated 2, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_ge-0/0/15.0__ __pvlan_pvlan100_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__

Meaning

The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.


Action

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2: Use the show vlans extensive command: user@switch> show vlans extensive VLAN: __pvlan_pvlan100_ge-0/0/17.0__, Created at: Thu Sep 16 23:19:22 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/17.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 50, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds


2167

®


Number of interfaces: Tagged 0 (Active = 0), Untagged

0 (Active = 0)

VLAN: finance-comm, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 300, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 400, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 5 (Active = 5) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access ge-0/0/17.0*, untagged, access Secondary VLANs: Isolated 1, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_ge-0/0/17.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__

Meaning

The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this is PVLAN spanning more than one switch. When you compare this output to the output of Switch 1, you can see that both switches belong to the same PVLAN (pvlan100).


Action

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3: Use the show vlans extensive command: user@switch> show vlans extensive

2168



VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 50, Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 300, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: hr-comm, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 400, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: pvlan100, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 1 Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__

Meaning


The output shows that the PVLAN (pvlan100) is configured on Switch 3 and that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. But Switch 3 is functioning as a distribution switch, so the output does not include access interfaces within the PVLAN. It shows only the pvlan-trunk interfaces that connect pvlan100 from Switch 3 to the other switches (Switch 1 and Switch 2) in the same PVLAN.

•


•


•


•

Understanding PVLAN Traffic Flows Across Multiple Switches


2169

®


Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches Virtual routing instances allow each EX Series switch to have multiple routing tables on a device. With virtual routing instances, you can segment your network to isolate traffic without setting up additional devices. This example describes how to create virtual routing instances: •


•


•


•




•


Before you create the virtual routing instances, make sure you have: •

Configured the necessary VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217.

Overview and Topology In a large office, you may need multiple VLANs to properly manage your traffic. This configuration example shows a simple topology to illustrate how to connect a single EX Series switch with a virtual routing instance for each of two VLANs, enabling traffic to pass between those VLANs. In the example topology, the LAN is segmented into two VLANs, each associated with an interface and a routing instance on the EX Series switch.


To quickly create and configure virtual routing instances, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/3 vlan-tagging set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24 set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24 set routing-instances r1 instance-type virtual-router set routing-instances r1 interface ge-0/0/1.0 set routing-instances r1 interface ge-0/0/3.0 set routing-instances r2 instance-type virtual-router set routing-instances r2 interface ge-0/0/2.0 set routing-instances r2 interface ge-0/0/3.1

2170




To configure virtual routing instances: 1.

Create a VLAN-tagged interface: [edit] user@switch# set interfaces ge-0/0/3 vlan-tagging

2.

Create two subinterfaces, on the interface, one for each routing instance: [edit] user@switch# set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24 user@switch# set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24

3.

Create two virtual routers: [edit] user@switch# set routing-instances r1 instance-type virtual-router user@switch# set routing-instances r2 instance-type virtual-router

4.

Set the interfaces for the virtual routers: [edit] user@switch# user@switch# user@switch# user@switch#

Results

set routing-instances r1 interface ge-0/0/1.0 set routing-instances r1 interface ge-0/0/3.0 set routing-instances r2 interface ge-0/0/2.0 set routing-instances r2 interface ge-0/0/3.1

Check the results of the configuration: user@switch> show configuration interfaces { ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { vlan-tagging; unit 0 { vlan-id 1030; family inet { address 103.1.1.1/24; } } unit 1 { vlan-id 1031; family inet { address 103.1.1.1/24; } } } routing-instances { r1 { instance-type virtual-router; interface ge-0/0/1.0; interface ge-0/0/3.0;


2171

®


} r2 { instance-type virtual-router; interface ge-0/0/2.0; interface ge-0/0/3.1; } }


Verifying That the Routing Instances Were Created on page 2172

Verifying That the Routing Instances Were Created Purpose Action

Verify that the virtual routing instances were properly created on the switch. Use the show route instance command: user@switch> show route instance Instance Type Primary RIB master forwarding inet.0 r1

r2

1/0/0 virtual-router

r2.inet.0


3/0/0

virtual-router r1.inet.0

Meaning

Active/holddown/hidden

1/0/0

Each routing instance created is displayed, along with its type, information about whether it is active or not, and its primary routing table.

•


Example: Configuring Automatic VLAN Administration Using MVRP on EX Series Switches As a network expands and the number of clients and VLANs increases, VLAN administration becomes complex and the task of efficiently configuring VLANs on multiple EX Series switches becomes increasingly difficult. To automate VLAN administration, you can enable Multiple VLAN Registration Protocol (MVRP) on the network. MVRP also dynamically creates VLANs, further simplifying the network overhead required to statically configure VLANs.

NOTE: Only trunk interfaces can be enabled for MVRP.

2172



This example describes how to use MVRP to automate administration of VLAN membership changes within your network and how to use MVRP to dynamically create VLANs: •


•


•

Configuring VLANs and MVRP on Access Switch A on page 2176

•

Configuring VLANs and MVRP on Access Switch B on page 2178

•

Configuring VLANS and MVRP on Distribution Switch C on page 2180

•



Two EX Series access switches

•

One EX Series distribution switch

•


Overview and Topology MVRP is used to manage dynamic VLAN registration in a LAN. It can also be used to dynamically create VLANs. This example uses MVRP to dynamically create VLANs on the switching network. You can disable dynamic VLAN creation and create VLANs statically, if desired. Enabling MVRP on the trunk interface of each switch in your switching network ensures that the active VLAN information for the switches in the network is propagated to each switch through the trunk interfaces, assuming dynamic VLAN creation is enabled for MVRP. MVRP ensures that the VLAN membership information on the trunk interface is updated as the switch’s access interfaces become active or inactive in the configured VLANs in a static or dynamic VLAN creation setup. You do not need to explicitly bind a VLAN to the trunk interface. When MVRP is enabled, the trunk interface advertises all the VLANs that are active (bound to access interfaces) on that switch. An MVRP-enabled trunk interface does not advertise VLANs that have been configured on the switch but that are not currently bound to an access interface. Thus, MVRP provides the benefit of reducing network overhead—by limiting the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested devices only. When VLAN access interfaces become active or inactive, MVRP ensures that the updated information is advertised on the trunk interface. Thus, in this example, distribution Switch C does not forward traffic to inactive VLANs.


2173

®


NOTE: This example shows a network with three VLANs: finance, sales, and lab. All three VLANs are running the same version of Junos OS. If switches in this network were running a mix of Junos OS releases that included Release 11.3, additional configuration would be necessary—see “Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure)” on page 2233 for details.

Access Switch A has been configured to support all three VLANS and all three VLANS are active, bound to interfaces that are connected to personal computers: •

ge-0/0/1—Connects PC1 as a member of finance, VLAN ID 100

•

ge-0/0/2—Connects PC2 as a member of lab, VLAN ID 200

•

ge-0/0/3—Connects PC3 as a member of sales, VLAN ID 300

Access Switch B has also been configured to support three VLANS. However, currently only two VLANs are active, bound to interfaces that are connected to personal computers: •

ge-0/0/0—Connects PC4 as a member of finance, VLAN ID 100

•

ge-0/0/1—Connects PC5 as a member of lab, VLAN ID 200

Distribution Switch C learns the VLANs dynamically using MVRP through the connection to the access switches. Distribution Switch C has two trunk interfaces: •

xe-0/1/1—Connects the switch to access Switch A.

•

xe-0/1/0—Connects the switch to access Switch B.

Figure 69 on page 2175 shows MVRP configured on two access switches and one distribution switch.

2174



Figure 69: MVRP Configured on Two Access Switches and One Distribution Switch for Automatic VLAN Administration

Table 251 on page 2175 explains the components of the example topology.

Table 251: Components of the Network Topology Settings

Settings

Switch hardware

•

Access Switch A

•

Access Switch B

•

Distribution Switch C



finance, tag 100 lab, tag 200 sales, tag 300

2175

®


Table 251: Components of the Network Topology (continued) Settings

Settings

Interfaces

Access Switch A interfaces: •

ge-0/0/1—Connects PC1 to access Switch A.

•


•


•

xe-0/1/1—Connects access Switch A to distribution Switch

C (trunk). Access Switch B interfaces: •

ge-0/0/0—Connects PC4 to access Switch B.

•

ge-0/0/1—Connects PC5 to access Switch B.

•

xe-0/1/0—Connects access Switch B to distribution Switch

C. (trunk) Distribution Switch C interfaces: •

xe-0/1/1—Connects distribution Switch C to access Switch

A. (trunk) •

xe-0/1/0—Connects distribution Switch C to access Switch

B. (trunk)

Configuring VLANs and MVRP on Access Switch A To configure VLANs on the switch, bind access interfaces to the VLANs, and enable MVRP on the trunk interface of access Switch A, perform these tasks: CLI Quick Configuration

To quickly configure access Switch A for MVRP, copy the following commands and paste them into the switch terminal window of Switch A: [edit] set vlans finance vlan-id 100 set vlans lab vlan-id 200 set vlans sales vlan-id 300 set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members finance set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members lab set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk set protocols mvrp interface xe-0/1/1.0

NOTE: As recommended as a best practice, default MVRP timers are used in this example. The default values associated with each MVRP timer are: 200 ms for the join timer, 1000 ms for the leave timer, and 10000 ms for the leaveall timer. Modifying timers to inappropriate values might cause an imbalance in the operation of MVRP.

2176




To configure access Switch A for MVRP: 1.

Configure the finance VLAN: [edit] user@Access-Switch-A# set vlans finance vlan-id (802.1Q Tagging) 100

2.

Configure the lab VLAN: [edit] user@Access-Switch-A# set vlans lab vlan–id 200

3.

Configure the sales VLAN: [edit] user@Access-Switch-A# set vlans sales vlan–id 300

4.

Configure an Ethernet interface as a member of the finance VLAN: [edit] user@Access-Switch-A# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members finance

5.

Configure an Ethernet interface as a member of the lab VLAN: [edit] user@Access-Switch-A# set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members lab

6.

Configure an Ethernet interface as a member of the sales VLAN: [edit] user@Access-Switch-A# set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales

7.

Configure a trunk interface: [edit] user@Access-Switch-A# set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk

8.

Enable MVRP on the trunk interface: [edit] user@Access-Switch-A# set protocols mvrp interface xe-0/1/1.0

Results

Check the results of the configuration on Switch A: [edit] user@Access-Switch-B# show interfaces { ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members finance; } } } } ge-0/0/2 { unit 0 { family ethernet-switching { vlan { members lab; } }


2177

®


} } ge-0/0/3 { unit 0 { family ethernet-switching { members sales; } } } } xe-0/1/1 { unit 0 { family ethernet-switching { port-mode trunk; } } } } protocols { mvrp { interface xe-0/1/1.0; } } vlans { finance { vlan-id 100; } lab { vlan-id 200; } sales { vlan-id 300; } }

Configuring VLANs and MVRP on Access Switch B To configure three VLANs on the switch, bind access interfaces for PC4 and PC5 to the VLANs, and enable MVRP on the trunk interface of access Switch B, perform these tasks: CLI Quick Configuration

To quickly configure Access Switch B for MVRP, copy the following commands and paste them into the switch terminal window of Switch B: [edit] set vlans finance vlan-id 100 set vlans lab vlan-id 200 set vlans sales vlan-id 300 set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members finance set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lab set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk set protocols mvrp interface xe-0/1/0.0

2178




To configure access Switch B for MVRP: 1.

Configure the finance VLAN: [edit] user@Access-Switch-B# set vlans finance vlan-id (802.1Q Tagging) 100

2.

Configure the lab VLAN: [edit] user@Access-Switch-B# set vlans lab vlan–id 200

3.

Configure the sales VLAN: [edit] user@Access-Switch-B# set vlans sales vlan–id 300

4.

Configure an Ethernet interface as a member of the finance VLAN: [edit] user@Access-Switch-B# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members finance

5.

Configure an Ethernet interface as a member of the lab VLAN: [edit] user@Access-Switch-B# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lab

6.

Configure a trunk interface: user@Access-Switch-B# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

7.

Enable MVRP on the trunk interface: [edit] user@Access-Switch-B# set protocols mvrp xe-0/1/0.0

NOTE: As we recommend as a best practice, default MVRP timers are used in this example. The default values associated with each MVRP timer are: 200 ms for the join timer, 1000 ms for the leave timer, and 10000 ms for the leaveall timer. Modifying timers to inappropriate values might cause an imbalance in the operation of MVRP.

Results

Check the results of the configuration for Switch B: [edit] user@Access-Switch-B# show interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { vlan { members finance; } } } } ge-0/0/1 { unit 0 {


2179

®


family ethernet-switching { vlan { members lab; } } } } xe-0/1/0 { unit 0 { family ethernet-switching { port-mode trunk; } } } } protocols { mvrp { interface xe-0/1/0.0; } } vlans { finance { vlan-id 100; } lab { vlan-id 200; } sales { vlan-id 300; } }

Configuring VLANS and MVRP on Distribution Switch C CLI Quick Configuration

To quickly configure distribution Switch C for MVRP, copy the following commands and paste them into the switch terminal window of distribution Switch C: [edit] set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk set protocols mvrp interface xe-0/1/1.0 set protocols mvrp interface xe-0/1/0.0


To configure distribution Switch C for MVRP: 1.

Configure the trunk interface to access Switch A: [edit] user@Distribution-Switch-C# set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk

2.

Configure the trunk interface to access Switch B: [edit] user@Distribution-Switch-C# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

3.

2180

Enable MVRP on the trunk interface for xe-0/1/1 :



[edit] user@Distribution-Switch-C# set protocols mvrp interface xe-0/1/1.0 4.

Enable MVRP on the trunk interface for xe-0/1/0 : [edit] user@Distribution-Switch-C# set protocols mvrp interface xe-0/1/0.0

Results

Check the results of the configuration for Switch C: [edit] user@Distribution Switch-D# show interfaces { xe-0/1/0 { unit 0 { family ethernet-switching { port-mode trunk; } } } xe-0/1/1 { unit 0 { family ethernet-switching { port-mode trunk; } } } } protocols { mvrp { interface xe-0/1/0.0; interface xe-0/1/1.0; }

Verification To confirm that the configuration is updating VLAN membership, perform these tasks: •

Verifying That MVRP Is Enabled on Access Switch A on page 2181

•

Verifying That MVRP Is Updating VLAN Membership on Access Switch A on page 2182

•

Verifying That MVRP Is Enabled on Access Switch B on page 2182

•

Verifying That MVRP Is Updating VLAN Membership on Access Switch B on page 2183

•

Verifying That MVRP Is Enabled on Distribution Switch C on page 2183

•

Verifying That MVRP Is Updating VLAN Membership on Distribution Switch C on page 2183

Verifying That MVRP Is Enabled on Access Switch A Purpose Action

Verify that MVRP is enabled on the switch. Show the MVRP configuration: user@Access-Switch-A> show mvrp MVRP configuration MVRP status : Enabled MVRP dynamic VLAN creation : Enabled


2181

®


MVRP timers (ms): Interface -------------all xe-0/1/1.0 Interface -------------all xe-0/1/1.0

Meaning

Join ----200 200

Leave -------1000 1000

Status -------Disabled Enabled

LeaveAll ----------10000 10000

Registration Mode ----------------Normal Normal

The results show that MVRP is enabled on the trunk interface of Switch A and that the default timers are used.

Verifying That MVRP Is Updating VLAN Membership on Access Switch A Purpose

Action

Verify that MVRP is updating VLAN membership by displaying the Ethernet switching interfaces and associated VLANs that are active on Switch A. List Ethernet switching interfaces on the switch: user@Access-Switch-A> show ethernet-switching interfaces Interface State VLAN members Tag Tagging ge-0/0/1.0 up finance 100 untagged ge-0/0/2.0 up lab 200 untagged ge-0/0/3.0 up sales 300 untagged xe-0/1/1.0 up finance 100 untagged lab 200 untagged

Meaning

Blocking unblocked unblocked unblocked unblocked unblocked

MVRP has automatically added finance and lab as VLAN members on the trunk interface because they are being advertised by access Switch B.

Verifying That MVRP Is Enabled on Access Switch B Purpose Action

Verify that MVRP is enabled on the switch. Show the MVRP configuration: user@Access-Switch-B> show mvrp MVRP configuration MVRP status MVRP dynamic VLAN creation MVRP timers (ms): Interface Join -----------------all 200 xe-0/1/0.0 200 Interface -------------all xe-0/1/0.0

2182

Status -------Disabled Enabled

: Enabled : Enabled

Leave -------1000 1000

LeaveAll ----------10000 10000

Registration Mode ----------------Normal Normal



Meaning

The results show that MVRP is enabled on the trunk interface of Switch B and that the default timers are used.

Verifying That MVRP Is Updating VLAN Membership on Access Switch B Purpose

Action

Verify that MVRP is updating VLAN membership by displaying the Ethernet switching interfaces and associated VLANs that are active on Switch B. List Ethernet switching interfaces on the switch: user@Access-Switch-B> show ethernet-switching interfaces Interface State VLAN members Tag Tagging ge-0/0/0.0 up finance 100 untagged ge-0/0/1.0 up lab 200 untagged xe-0/1/1.0 up finance 100 untagged lab 200 untagged sales 300 untagged

Meaning

Blocking unblocked unblocked unblocked unblocked unblocked

MVRP has automatically added finance, lab, and sales as VLAN members on the trunk interface because they are being advertised by access Switch A.

Verifying That MVRP Is Enabled on Distribution Switch C Purpose Action

Verify that MVRP is enabled on the switch. Show the MVRP configuration: user@Distribution-Switch-C> show mvrp MVRP configuration MVRP status MVRP dynamic VLAN creation

: Enabled : Enabled

MVRP timers (ms): Interface -------------all xe-0/0/1.0 xe-0/1/1.0

Leave -------1000 1000 1000

Interface -------------all xe-0/0/1.0 xe-0/1/1.0

Join ----200 200 200

Status -------Disabled Enabled Enabled

LeaveAll ----------10000 10000 10000

Registration Mode ----------------Normal Normal Normal

Verifying That MVRP Is Updating VLAN Membership on Distribution Switch C Purpose

Action

Verify that MVRP is updating VLAN membership on distribution Switch C by displaying the Ethernet switching interfaces and associated VLANs on distribution Switch C. List the Ethernet switching interfaces on the switch: user@Distribution-Switch-C> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking xe-0/1/1.0 up __mvrp_100__ unblocked


2183

®


xe-0/1/0.0

up

__mvrp_200__ __mvrp_300__ __mvrp_100__ __mvrp_200__

unblocked unblocked unblocked unblocked

List the VLANs that were created dynamically using MVRP on the switch: user@Distribution-Switch-C> show mvrp dynamic-vlan-memberships MVRP dynamic vlans for routing instance 'default-switch' (s) static vlan, (f) fixed registration VLAN ID 100 200 300

Interfaces xe-0/1/1.0 xe-0/1/0.0 xe-0/1/1.0 xe-0/1/0.0 xe-0/1/1.0

Note that this scenario does not have any fixed registration, which is typical when MVRP is enabled. Meaning

Distribution Switch C has two trunk interfaces. Interface xe-0/1/1.0 connects distribution Switch C to Access Switch A and is therefore updated to show that it is a member of all the VLANs that are active on Switch A. Any traffic for those VLANs will be passed on from distribution Switch C to Switch A, through interface xe-0/1/1.0. Interface xe-0/1/0.0 connects distribution Switch C to Switch B and is updated to show that it is a member of the two VLANs that are active on Switch B. Thus, distribution Switch C sends traffic for finance and lab to both Switch A and Switch B. But distribution Switch C sends traffic for sales only to Switch A. Distribution Switch C also has three dynamic VLANs created using MVRP: mvrp_100, mvrp_200, and mvrp_300. The dynamically created VLANs mvrp_100 and mvrp_200 are active on interfaces xe-0/1/1.0 and xe-0/1/1.0, and dynamically created VLAN mvrp_300 is active on interface xe-0/1/1.0.


•


•


Example: Configuring Layer 2 Protocol Tunneling on EX Series Switches Layer 2 protocol tunneling (L2PT) allows service providers to send Layer 2 protocol data units (PDUs) across the provider’s cloud and deliver them to EX Series switches that are not part of the local broadcast domain. This feature is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

2184



NOTE: L2PT and VLAN translation configured with the mapping statement cannot both be configured on the same VLAN. However, L2PT can be configured on one VLAN on a switch while VLAN translation can be configured on a different VLAN that has no L2PT.

This example describes how to configure L2PT: •


•


•


•



Six EX Series switches, with three each at two customer sites, with one of the switches at each site designated as the provider edge (PE) device

•


Overview and Topology L2PT allows you to send Layer 2 PDUs across a service provider network and deliver them to EX Series switches that are not part of the local broadcast domain. Figure 70 on page 2186 shows a customer network that includes two sites that are connected across a service provider network. Site 1 contains three switches connected in a Layer 2 network, with Switch A designated as a provider edge (PE) device in the service provider network. Site 2 contains a Layer 2 network with a similar topology to that of Site 1, with Switch D designated as a PE device.


2185

®


Figure 70: L2PT Topology

When you enable L2PT on a VLAN, Q-in-Q tunneling is also (and must be) enabled. Q-in-Q tunneling ensures that Switches A, B, C, D, E, and F are part of the same broadcast domain. This example uses STP as the Layer 2 protocol being tunneled, but you could substitute any of the supported protocols for STP. You can also use the all keyword to enable L2PT for all supported Layer 2 protocols. Tunneled Layer 2 PDUs do not normally arrive at a high rate. If the tunneled Layer 2 PDUs do arrive at a high rate, there might be a problem in the network. Typically, you would want to shut down the interface that is receiving a high rate of tunneled Layer 2 PDUs so that the problem can be isolated. Alternately, if you do not want to completely shut down the interface, you can configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.

2186



The drop-theshold configuration statement allows you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the switch begins dropping the Layer 2 PDUs. The drop threshold must be less than or equal to the shutdown threshold. If the drop threshold is greater than the shutdown threshold and you try to commit the configuration, the commit will fail. The shutdown-threshold configuration statement allows you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the specified interface is disabled. The shutdown threshold must be greater than or equal to the drop threshold. You can specify a drop threshold without specifying a shutdown threshold, and you can specify a shutdown threshold without specifying a drop threshold. If you do not specify these thresholds, then no thresholds are enforced. As a result, the switch tunnels all Layer 2 PDUs regardless of the speed at which they are received, although the number of packets tunneled per second might be limited by other factors. In this example, we will configure both a drop threshold and a shutdown threshold to show how this is done. If L2PT-encapsulated packets are received on an access interface, the switch reacts as it does when there is a loop between the service provider network and the customer network and shuts down (disables) the access interface. Once an interface is disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command or else the interface will remain disabled.

Configuration To configure L2PT, perform these tasks: CLI Quick Configuration

To quickly configure L2PT, copy the following commands and paste them into the switch terminal window of each PE device (in Figure 70 on page 2186, Switch A and Switch D are the PE devices): [edit] set vlans customer-1 dot1q-tunneling set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp drop-threshold 50 set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp shutdown-threshold 100


To configure L2PT, perform these tasks on each PE device (in Figure 70 on page 2186, Switch A and Switch D are the PE devices): 1.

Enable Q-in-Q tunneling on VLAN customer-1: [edit] user@switch# set vlans customer-1 dot1q-tunneling

2.

Enable L2PT for STP on VLAN customer-1: [edit] user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp

3.

Configure the drop threshold as 50: [edit]


2187

®


user@switch# set vlans customer-1 dot1q-tunneling layer2–protocol-tunneling stp drop-threshold 50 4.

Configure the shutdown threshold as 100: [edit] user@switch# set vlans customer-1 dot1q-tunneling layer2–protocol-tunneling stp shutdown-threshold 100

Results

Check the results of the configuration: [edit] user@switch# show vlans customer-1 dot1q-tunneling layer2-protocol-tunneling { stp { drop-threshold 50; shutdown-threshold 100; } }

Verification To verify that L2PT is working correctly, perform this task: •

Verify That L2PT Is Working Correctly on page 2188

Verify That L2PT Is Working Correctly Purpose Action

Verify that Q-in-Q tunneling and L2PT are enabled. Check to see that Q-in-Q tunneling and L2PT are enabled on each PE device (Switch A and Switch D are the PE devices): user@switchA> show vlans extensive customer-1 VLAN: customer–1, Created at: Thu Jun 25 05:07:38 2009 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Dot1q Tunneling status: Enabled Layer2 Protocol Tunneling status: Enabled Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 3 (Active = 0) ge-0/0/7.0, untagged, access ge-0/0/8.0, untagged, access ge-0/0/9.0, untagged, access

Check to see that L2PT is tunneling STP on VLAN customer-1 and that drop-threshold and shutdown-threshold have been configured: user@switchA> show ethernet-switching layer2-protocol-tunneling vlan customer-1 Layer2 Protocol Tunneling VLAN information: VLAN Protocol Drop Shutdown Threshold Threshold customer–1 stp 50 100

Check the state of the interfaces on which L2PT has been enabled, including what kind of operation (encapsulation or decapsulation) they are performing: user@switchA> show ethernet-switching layer2-protocol-tunneling interface

2188



Layer2 Protocol Tunneling information: Interface Operation State ge-0/0/0.0 Encapsulation Shutdown ge-0/0/1.0 Decapsulation Shutdown ge-0/0/2.0 Decapsulation Active

Meaning


Description Shutdown threshold exceeded Loop detected

The show vlans extensive customer-1 command shows that Q-in-Q tunneling and L2PT have been enabled. The show ethernet-switching layer2-protocol-tunneling vlan customer-1 command shows that L2PT is tunneling STP on VLAN customer-1,the drop threshold is set to 50, and the shutdown threshold is set to 100. The show ethernet-switching layer2-protocol-tunneling interface command shows the type of operation being performed on each interface, the state of each interface and, if the state is Shutdown, the reason why the interface is shut down.

•

Configuring Layer 2 Protocol Tunneling on EX Series Switches (CLI Procedure) on page 2236

•


Example: Configuring Reflective Relay for Use with VEPA Technology Reflective relay returns packets to a device using the same downstream port that delivered the packets to the switch. You need to use reflective relay, for example, when a switch receives aggregated virtual machine packets from a technology such as virtual Ethernet packet aggregation (VEPA). This example shows how to configure a switch port interface to return packets sent by VEPA on the downstream interface back to the server using the same downstream interface: •


•


•


•



2189

®




•


Before you configure reflective relay on a switch port, be sure you have: •

Configured a server with six virtual machines, VM 1 through VM 6. See your server documentation.

•

Configured the server with three VLANS named VLAN_Purple, VLAN_Orange, and VLAN_Blue and added two virtual machines to each VLAN. See your server documentation.

•

Configured the same three VLANS named VLAN_Purple, VLAN_Orange, and VLAN_Blue on one interface. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

•

Installed and configured a VEPA to aggregate the virtual machine packets.

Overview and Topology In this example, illustrated in Figure 71 on page 2191, a switch is connected to one server that is hosting six virtual machines and is configured with a VEPA for aggregating packets. The server’s six virtual machines are VM 1 through VM 6 and each virtual machine belongs to one of the three server VLANs, VLAN_Purple, VLAN_Orange, or VLAN_Blue. Instead of the server directly passing packets between virtual machines, packets from any of the three VLANS that are destined for another one of the three VLANs are aggregated with VEPA technology and passed to the switch for processing. You must configure the switch port to accept these aggregated packets on the downstream interface and to return appropriate packets to the server on the same downstream interface after they are processed. Figure 71 on page 2191 shows the topology for this example.

2190



Figure 71: Reflective Relay Topology

In this example, you configure the physical Ethernet switch port interface for tagged-access port mode and reflective relay. Configuring tagged-access port mode allows the interface to accept VLAN tagged packets. Configuring reflective relay allows the downstream port to return those packets on the same interface. Table 252 on page 2191 shows the components used in this example.

Table 252: Components of the Topology for Configuring Reflective Relay Component

Description

EX Series switch

For a list of switches that support this feature, see EX Series Switch Software Features Overview.

ge-7/0/2

Switch interface to the server.

Server

Server with virtual machines and VEPA technology.

Virtual machines

The six virtual machines located on the server are named V1, V2, V3, V4, V5, and V6.

VLANs

The three VLANs are named VLAN_Purple, VLAN_Orange, and VLAN_Blue. Each VLAN has two virtual machine members.

VEPA

Virtual Ethernet port aggregator that aggregates virtual machine packets on the server before the resulting single stream is transmitted to the switch.


2191

®


Configuration To configure reflective relay, perform these tasks: •

Configuring Reflective Relay on the Port on page 2192

Configuring Reflective Relay on the Port CLI Quick Configuration

To quickly configure reflective relay, copy the following commands and paste them into the switch window: [edit] set interfaces ge-7/0/2 unit 0 family ethernet-switching port-mode tagged-access set interfaces ge-7/0/2 unit 0 family ethernet-switching reflective-relay set interfaces ge-7/0/2 unit 0 family ethernet-switching vlan members [VLAN_Blue VLAN_Orange VLAN_Purple]


To configure reflective relay: 1.

Configure the tagged-access port mode on the interface: [edit] user@switch# set interfaces ge-7/0/2 unit 0 family ethernet-switching port-mode tagged-access

2.

Configure reflective relay on the interface to allow it to both accept and send packets: [edit] user@switch# set interfaces ge-7/0/2 unit 0 family ethernet-switching reflective-relay

3.

Configure the interface for the three VLANs on the server: [edit] user@switch# set interfaces ge-7/0/2 unit 0 family ethernet-switching vlan members [VLAN_Purple VLAN_Orange VLAN_Blue]

Results

Check the results of the configuration: [edit interfaces ge-7/0/2] user@switch# show unit 0 { family ethernet-switching { port-mode tagged-access; reflective-relay; vlan { members [ VLAN_Purple VLAN_Orange VLAN_Blue ]; } } }

Verification To confirm that reflective relay is enabled and working correctly, perform these tasks: •

Verifying That Reflective Relay Is Enabled and Working Correctly on page 2192

Verifying That Reflective Relay Is Enabled and Working Correctly Purpose

2192

Verify that reflective relay is enabled and working correctly.



Action

Use the show ethernet-switching interfaces detail command to display the reflective relay status: user@switch> show ethernet-switching interfaces ge-7/0/2 detail Interface: ge-7/0/2, Index: 66, State: down, Port mode: Tagged-access Reflective Relay Status: Enabled Ether type for the interface: 0x8100 VLAN membership: VLAN_Purple, 802.1Q Tag: 450, tagged, unblocked VLAN_Orange, 802.1Q Tag: 460, tagged, unblocked VLAN_Blue, 802.1Q Tag: 470, tagged, unblocked Number of MACs learned on IFL: 0

Next, confirm that reflective relay is working by sending a Layer 2 broadcast message from a virtual machine located in one VLAN to a virtual machine located in a different VLAN. Check the switch to verify that the switch sends the packets back on the same interface on which they were received. One way to check this is to set up port mirroring on the switch interface, connect a traffic generator to the mirrored interface, and use the traffic generator to examine packets. See “Configuring Port Mirroring to Analyze Traffic (CLI Procedure)” on page 5104 for details on setting up port mirroring. Alternatively, if you don’t have a traffic generator available, you can send traffic between two virtual machines with FTP, Telnet, or SSH, while running tcpdump on the receiver virtual machine port to capture reflected packets. Meaning

The reflective relay status is Enabled, meaning that interface ge-7/0/2 is configured for the tagged-access port mode, which accepts VLAN-tagged packets, and for reflective relay, which accepts and returns packets on the same interface. When the traffic generator shows packets arriving at the switch and returning to the server on the same interface, reflective relay is working.


•

Configuring Edge Virtual Bridging (CLI Procedure) on page 2240

Example: Configuring Proxy ARP on an EX Series Switch You can configure proxy Address Resolution Protocol (ARP) on your EX Series switch to enable the switch to respond to ARP queries for network addresses by offering its own MAC address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination. This example shows how to configure proxy ARP on an access switch: •


•


•


•



2193

®




•


Overview and Topology This example shows the configuration of proxy ARP on an interface of an EX Series switch using restricted mode. In restricted mode, the switch does not proxy for hosts on the same subnet. The topology for this example consists of one EX Series switch. When a host wants to communicate with a host that is not already in its ARP table, it broadcasts an ARP request for the MAC address of the destination host: •

When proxy ARP is not enabled, a host that shares the same IP address replies directly to the ARP request, providing its MAC address, and future transmissions are sent directly to the destination host MAC address.

•

When proxy ARP is enabled, the switch responds to ARP requests, providing the switch’s MAC address—even when the destination IP address is the same as the source IP address. Thus, communications must be sent through the switch and then routed through the switch to the appropriate destination.

Configuration To configure proxy ARP, perform the following tasks: CLI Quick Configuration

To quickly configure proxy ARP on an interface, copy the following command and paste it into the switch terminal window: [edit] set interfaces ge-0/0/3 unit 0 proxy-arp restricted

2194




You configure proxy ARP on individual interfaces. 1.

To configure proxy ARP on an interface: [edit interfaces] user@switch# set ge-0/0/3 unit 0 proxy-arp restricted

BEST PRACTICE: We recommend that you configure proxy ARP in restricted mode. In restricted mode, the switch does not act as proxy if the source and target IP addresses are on the same subnet. If you use unrestricted mode, disable gratuitous ARP requests on the interface to avoid the situation of the switch’s response to a gratuitous ARP request appearing to the host to be an indication of an IP conflict: [edit interfaces] user@switch# set ge-0/0/3 no-gratuitous-arp-request

Results

Display the results of the configuration: user@switch> show configuration interfaces { ge-0/0/3 { unit 0 { proxy-arp restricted; family ethernet-switching; } }

Verification To verify that the switch is sending proxy ARP messages, perform these tasks: •

Verifying That the Switch Is Sending Proxy ARP Messages on page 2195

Verifying That the Switch Is Sending Proxy ARP Messages Purpose Action

Verify that the switch is sending proxy ARP messages. List the system statistics for ARP messages: user@switch> show system statistics arp arp: 198319 datagrams received 45 ARP requests received 12 ARP replies received 2 resolution requests received 2 unrestricted proxy requests 0 restricted proxy requests 0 received proxy requests 0 proxy requests not proxied 0 restricted-proxy requests not proxied 0 with bogus interface 0 with incorrect length 0 for non-IP protocol


2195

®


0 with unsupported op code 0 with bad protocol address length 0 with bad hardware address length 0 with multicast source address 0 with multicast target address 0 with my own hardware address 168705 for an address not on the interface 0 with a broadcast source address 0 with source address duplicate to mine 29555 which were not for me 0 packets discarded waiting for resolution 4 packets sent after waiting for resolution 27 ARP requests sent 47 ARP replies sent 0 requests for memory denied 0 requests dropped on entry 0 requests dropped during retry 0 requests dropped due to interface deletion 0 requests on unnumbered interfaces 0 new requests on unnumbered interfaces 0 replies for from unnumbered interfaces 0 requests on unnumbered interface with non-subnetted donor 0 replies from unnumbered interface with non-subnetted donor

Meaning


The statistics show that two proxy ARP requests were received, and the proxy requests not proxied field indicates that all the unproxied ARP requests received have been proxied by the switch.

•


•


Example: Configuring Edge Virtual Bridging for Use with VEPA Technology Virtual machines (VMs) can use a physical switch that is adjacent to the VMs’ server to send packets both to other VMs and to the rest of the network when two conditions have been met: •

Virtual Ethernet packet aggregator (VEPA) is configured on the VM server.

•

Edge virtual bridging (EVB) is configured on the switch.

This example shows how to configure EVB on the switch so that packets can flow to and from the virtual machines.

2196

•


•


•


•





One EX4500 or EX8200 switch

•


Before you configure EVB on a switch, be sure you have configured the server with virtual machines, the VLANs, and VEPA:

NOTE: The following are the numbers of components used in this example, but you can use fewer or more to configure the feature.

•

On the server, configure six virtual machines, VM 1 through VM 6 as shown in Figure 71 on page 2191. See your server documentation.

•

On the server, configure three VLANs named VLAN_Purple, VLAN_Orange, and VLAN_Blue, and add two virtual machines to each VLAN. See your server documentation.

•

On the server, install and configure VEPA to aggregate the virtual machine packets.

•

On the switch, configure one interface with the same three VLANs as the server (VLAN_Purple, VLAN_Orange, and VLAN_Blue). See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

Overview and Topology EVB is a Junos OS software capability that provides multiple virtual end stations that communicate with each other and with external switches in the Ethernet network environment. This example demonstrates the configuration that takes place on a switch when that switch is connected to a server with VEPA configured. In this example, a switch is already connected to a server hosting six virtual machines (VMs) and configured with VEPA for aggregating packets. The server’s six virtual machines are VM 1 through VM 6, and each virtual machine belongs to one of the three server VLANs—VLAN_Purple, VLAN_Orange, or VLAN_Blue. Because VEPA is configured on the server, no two VMs can communicate directly—all communication between VMs must happen via the adjacent switch. Figure 71 on page 2191 shows the topology for this example.


2197

®


Edge Virtual Bridging Example Topology

Figure 72: Edge Virtual Bridging Example Topology VLAN_Purple VM 1

VM 2

VLAN_Orange VM 3

VM 4

Virtual Ethernet Port Aggregator

VLAN_Blue VM 5

VM 6

VEPA aggregates packets for relay to the switch.

Server

Switch

EVB forwards the packets to the correct destinations, even if the destination is back on the VM server.

g020996

Edge Virtual Bridge

The VEPA component of the server pushes all packets from any VM, regardless of whether the packets are destined to other VMs on the same server or to any external host, to the adjacent switch. The adjacent switch applies policies to incoming packets based on the interface configuration and then forwards the packets to appropriate interfaces based on the MAC learning table. If the switch has not yet learned a destination MAC, it floods the packet to all interfaces, including the source port on which the packet arrived. Table 252 on page 2191 shows the components used in this example.

Table 253: Components of the Topology for Configuring EVB Component

Description

EX Series switch

For a list of switches that support this feature, see EX Series Switch Software Features Overview.

ge-0/0/20

Switch interface to the server.

Server

Server with virtual machines and VEPA technology.

Virtual machines

Six virtual machines located on the server, named VM 1, VM 2, VM 3, VM 4, VM 5, and VM 6.

VLANs

Three VLANs, named VLAN_Purple, VLAN_Orange, and VLAN_Blue. Each VLAN has two virtual machine members.

2198



Table 253: Components of the Topology for Configuring EVB (continued) Component

Description

VEPA

A virtual Ethernet port aggregator (VEPA) is a software capability on a server that collaborates with an adjacent, external switch to provide bridging support between multiple virtual machines and with external networks. The VEPA collaborates with the switch by forwarding all VM-originated frames to the adjacent bridge for frame processing and frame relay (including hairpin forwarding) and by steering and replicating frames received from the VEPA uplink to the appropriate destinations.

NOTE: Configuring EVB also enables Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP).


To quickly configure EVB, copy the following commands and paste them into the switch’s CLI at the [edit] hierarchy level. set interfaces ge-0/0/20 unit 0 family ethernet-switching port-mode tagged-access set protocols lldp interface ge-0/0/20.0 set vlans vlan_purple interface ge-0/0/20.0 set vlans vlan_purple interface ge-0/0/20.0 set vlans vlan_purple interface ge-0/0/20.0set protocols edge-virtual-bridging vsi-discovery interface ge-0/0/20.0 set policy-options vsi-policy P1 from vsi-manager 98 vsi-type 998 vsi-version 4 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb998 set policy-options vsi-policy P1 then filter f2 set policy-options vsi-policy P3 from vsi-manager 97 vsi-type 997 vsi-version 3 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997 set policy-options vsi-policy P3 then filter f3 set firewall family ethernet-switching filter f2 term t1 then accept set firewall family ethernet-switching filter f2 term t1 then count f2_accept set firewall family ethernet-switching filter f3 term t1 then accept set firewall family ethernet-switching filter f3 term t1 then count f3_accept set protocols edge-virtual-bridging vsi-discovery vsi-policy P1 set protocols edge-virtual-bridging vsi-discovery vsi-policy P3


To configure EVB on the switch: 1.

Configure tagged-access mode for the interfaces on which you will enable EVB: [edit interfaces ge-0/0/20] user@switch# set unit 0 family ethernet-switching port-mode tagged-access

2.

Enable the Link Layer Discovery Protocol (LLDP) on the ports interfaces on which you will enable EVB: [edit protocols] user@switch# set lldp interface ge-0/0/20.0

3.

Configure the interface as a member of all VLANs located on the virtual machines. [edit] user@switch# set vlans vlan_purple interface ge-0/0/20.0 user@switch# set vlans vlan_orange interface ge-0/0/20.0 user@switch# set vlans vlan_blue interface ge-0/0/20.0

4.

Enable the VSI Discovery and Control Protocol (VDP) on the interface: [edit protocols]


2199

®


user@switch# set edge-virtual-bridging vsi-discovery interface ge-0/0/20.0 5.

Define policies for VSI information. VSI information is based on a VSI manager ID, VSI type, VSI version, and VSI instance ID: [edit policy-options] user@switch# set vsi-policy P1 from vsi-manager 98 vsi-type 998 vsi-version 4 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb998 user@switch# set vsi-policy P1 then filter f2 user@switch# set vsi-policy P3 from vsi-manager 97 vsi-type 997 vsi-version 3 vsi-instance 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997 user@switch# set vsi-policy P3 then filter f3

6.

Two VSI policies were defined in the previous step, each of them mapping to different firewall filters. Define the firewall filters: [edit firewall family ethernet-switching] user@switch# set filter f2 term t1 then accept user@switch# set filter f2 term t1 then count f2_accept user@switch# set filter f3 term t1 then accept user@switch# set filter f3 term t1 then count f3_accept

7.

Associate VSI policies with VSI-discovery protocol [edit] user@switch# set protocols edge-virtual-bridging vsi-discovery vsi-policy P1 user@switch# set protocols edge-virtual-bridging vsi-discovery vsi-policy P3

8.

Check the statistics of ECP packet exchanges between the switch and server: [edit] user@switch# run show edge-virtual-bridging ecp statistics Interface: ge-0/0/0.0 Input ECP packets : 0 Output ECP packets: 0 Interface: ge-0/0/1.0 Input ECP packets : 3 Output ECP packets: 3

Results

Check the results of the configuration: admin@host# show edge-virtual-bridging Interface Forwarding Mode RTE ge-0/0/20.0 Reflective-relay 25

Number of VSIs 400

Protocols ECP, VDP, RTE

admin@host# show edge-virtual-bridging interface Interface: ge-0/0/20.0, Forwarding mode: Reflective-relay RTE: 25, Number of VSIs: 400, Protocols: ECP, VDP, RTE VSI profiles: Manager: 97, Type: 997, Version: 3, VSI State: Associate Instance: 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997 MAC VLAN 00:10:94:00:00:04 3 admin@host# show edge-virtual-bridging vsi-profiles Interface: ge-0/0/20.0 Manager: 97, Type: 997, Version: 3, VSI State: Associate Instance: 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997 MAC VLAN 00:10:94:00:00:04 3 admin@host# show edge-virtual-bridging firewall Filter name: evb_filter_ge-0/0/20 Counters:

2200



Name: evb_filter_term_3_00:10:94:00:00:04_default Bytes: 0, Packets: 0 Name: f3_accept__evb_filter_term_3_00:10:94:00:00:04-f3-t1 Bytes: 1028, Packets: 14

Verification To confirm that EVB is enabled and working correctly, perform these tasks: •

Verifying That EVB is Correctly Configured on page 2201

•

Verifying That the Virtual Machine Successfully Associated With the Switch on page 2201

•

Verifying That VSI Profiles Are Being Learned at the Switch on page 2201

Verifying That EVB is Correctly Configured Purpose Action

Meaning

Verify that EVB is correctly configured user@switch# show edge-virtual-bridging Interface Forwarding Mode RTE ge-0/0/20.0 Reflective-relay 25

Number of VSIs 400

Protocols ECP, VDP, RTE

When LLDP is first enabled, an EVB LLDP exchange takes place between switch and server using LLDP. As part of this exchange the following parameters are negotiated: Number of VSIs supported, Forwarding mode, ECP support, VDP support, and Retransmission Timer Exponent (RTE). If the output has values for the negotiated parameters, EVB is correctly configured.

Verifying That the Virtual Machine Successfully Associated With the Switch Purpose

Action

Verify that the virtual machine successfully associated with the switch. After successful association of VSI Profile with Switch interface, verify the learning of the VM’s MAC address on MAC-Table or Forwarding database Table. The learn type of the VM’s MAC addresses will be VDP, and upon successful shutdown of VM the corresponding MAC-VLAN entry will get flushed out from FDB table otherwise it will never shutdown. admin@host# run show ethernet-switching table Ethernet-switching table: 10 entries, 4 learned VLAN MAC address Type Age Interfaces v3 * Flood All-members v3 00:02:a6:11:bb:1a VDP ge-1/0/10.0 v3 00:02:a6:11:cc:1a VDP ge-1/0/10.0 v3 00:23:9c:4f:70:01 Static Router v4 * Flood All-members v4 00:02:a6:11:bb:bb VDP ge-1/0/10.0 v4 00:23:9c:4f:70:01 Static Router v5 * Flood All-members v5 00:23:9c:4f:70:01 Static Router v5 52:54:00:d5:49:11 VDP ge-1/0/20.0

Verifying That VSI Profiles Are Being Learned at the Switch Purpose

Verify that VSI profiles are being learned at the switch.


2201

®


Action

Meaning

user@switch# show edge-virtual-bridging vsi-profiles Interface: ge-0/0/20.0 Manager: 97, Type: 997, Version: 3, VSI State: Associate Instance: 09b11c53-8b5c-4eeb-8f00-c84ebb0bb997 MAC VLAN 00:10:94:00:00:04 3

Whenever VMs configured for VEPA are started at the server, the VMs start sending VDP messages. As part of this protocol VSI profiles are learned at the switch. If the output has values for Manager, Type, Version, VSI State, and Instance, VSI profiles are being learned at the switch.


•


•


Example: Configuring Ethernet Ring Protection Switching on EX Series Switches You can configure Ethernet ring protection switching (ERPS) on connected switches to prevent fatal loops from disrupting a network. ERPS is similar to spanning-tree protocols, but ERPS is more efficient than spanning-tree protocols because it is customized for ring topologies. You must configure at least three switches to form a ring. This example shows how to configure Ethernet ring protection switching on four EX Series switches that are connected to one another on a dedicated link in a ring topology: •


•


•


•



Four connected EX Series switches that will function as nodes in the ring topology. These switches can be either EX2200, EX3200, or EX4200 switches.

•


Before you begin, be sure you have:

2202

•

Configured two trunk interfaces on each of the four switches. See Table 254 on page 2204 for a list of the interface names used in this example.

•

Configured the same VLAN (erp-control-vlan-1) with ID 100 on all four switches and associated two network interfaces from each of the four switches with the VLAN. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220. See Table 254 on page 2204 for a list of the interface names used in this example.



•

Configured two VLANs (erp-data-1 and erp-data-2) with ID 101 and 102 respectively on all four switches and associated both the east and west interfaces on each switch with erp-data-1 and erp-data-2. See Table 254 on page 2204 for a list of the interface names used in this example.

Overview and Topology ERPS uses a dedicated physical link, including a control VLAN for trunk ports, between all of the switches to protect the active links. ERPS VLANs are all located on this link and are also blocked by default. When traffic between the switches is flowing with no problems, the other data links take care of all traffic. Only if an error occurs on one of the data links would the ERPS control channel take over and start passing traffic.

NOTE: Trunk ports on switches use a VLAN to create individual control channels for ERPS. When ERPS multiple instances are configured for a ring, there are multiple sets of ring protection links (RPLs) and RPL owners on the ERPS link, and a different channel is blocked for each instance. Non-trunk ports use the physical link as the control channel and protocol data units (PDUs) are untagged, with no VLAN information in the packet.

This example creates one protection ring (called a node ring) named erp1 on four switches connected in a ring by trunk ports as shown in Figure 73 on page 2203. Because the links are trunk ports, the VLAN named erp-control-vlan-1 is used for erp1 traffic. The east interface of each switch is connected with the west interface of an adjacent switch. Cobia is the RPL owner, with interface ge-0/0/0 configured as an RPL end interface. The interface ge-0/0/0 of Jas5-esc is configured as the RPL neighbor interface. In the idle state, the RPL end blocks the control VLAN and data channel VLAN for this particular ERP instance—the blocked port on Cobia is marked with a star in Figure 73 on page 2203.

Figure 73: Ethernet Ring Protection Switching Example Jas5-esc

ge -0/0/10

East ge -0/0/0

West ge -0/0/0

ge -0/0/20

West ge -0/0/20

East ge -0/0/10

East ge -0/0/30

West ge -0/0/10

West ge -0/0/20

ge -0/0/0 Jas6-esc

East ge -0/0/20

ge -0/0/0 Hairtail

g041190

Cobia

Configure the four switches with the interfaces indicated in both Figure 73 on page 2203 and Table 254 on page 2204.


2203

®


Table 254: Components to Configure for This Example Interfaces

Cobia

Jas5-esc

Jas6-esc

Hairtail

East

ge-0/0/0

ge-0/0/10

ge-0/0/30

ge-0/0/20

West

ge-0/0/20

ge-0/0/0

ge-0/0/20

ge-0/0/10

Third

ge-0/0/10

ge-0/0/20

ge-0/0/0

ge-0/0/0

Configuration •

Configure ERPS on Cobia, the RPL Owner Node on page 2204

•

Configure ERPS on Jas5-esc on page 2207

•

Configure ERPS on Hairtail on page 2210

•

Configure ERPS on Jas6-esc on page 2213

Configure ERPS on Cobia, the RPL Owner Node CLI Quick Configuration

To quickly configure Cobia, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

NOTE: RSTP and EPRS cannot both be configured on a ring port, and RSTP is configured by default . Therefore, in this example RSTP is disabled on each ring port before configuring ERPS.

set protocols rstp interface ge-0/0/0 disable set protocols rstp interface ge-0/0/20 disable set protocols protection-group ethernet-ring erp1 set protocols protection-group ethernet-ring erp1 ring-protection-link-owner set protocols protection-group ethernet-ring erp1 data-channel erp-data-1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-2 set protocols protection-group ethernet-ring erp1 control-vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/0.0 set protocols protection-group ethernet-ring erp1 east-interface ring-protection-link-end set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/20.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/20.0 vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/20.0 vlan erp-control-vlan-1


To configure ERPS on Cobia: 1.

Disable RSTP on the two ports that will use ERPS: [edit protocols] user@switch#set rstp interface ge-0/0/0 disable

2204



user@switch#set rstp interface ge-0/0/20 disable 2.

Create a node ring named erp1: [edit protocols] user@switch# set protection-group ethernet-ring erp1

3.

Designate Cobia as the RPL owner node: [edit protocols protection-group ethernet-ring erp1] user@switch# set ring-protection-link-owner

4.

Configure the VLANs erp-data-1 and erp-data-2 as data channels: [edit protocols protection-group ethernet-ring erp1] user@switch# set data-channel erp-data-1 user@switch# set data-channel erp-data-2

5.

Configure the control VLAN erp-control-vlan-1 for this ERP instance on the trunk interface: user@switch# set protocols protection-group ethernet-ring erp1 control-vlan erp-control-vlan-1

6.

Configure the east interface of the node ring erp1 with the control-channel ge-0/0/0.0 and indicate that this particular ring protection link ends here: [edit protocols protection-group ethernet-ring erp1] user@switch# set east-interface control-channel ge-0/0/0.0 user@switch# set east-interface ring-protection-link-end

7.

Configure the west interface of the node ring erp1 with the control-channel ge-0/0/20.0: [edit protocols protection-group ethernet-ring erp1] user@switch# set west-interface control-channel ge-0/0/20.0

8.

Every ring instance on a trunk port has one control VLAN in which ERP packets traverse. The control VLAN also controls data VLANs, if any are configured. Assign erp-control-vlan-1 as the control VLAN on both interfaces: [edit protocols protection-group ethernet-ring erp1] user@switch# set west-interface control-channel ge-0/0/20.0 vlan erp-control-vlan-1 user@switch# set east-interface control-channel ge-0/0/20.0 vlan erp-control-vlan-1

Results

From configuration mode, confirm your ERPS configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show protocols rstp { interface ge-0/0/20.0 { disable; } interface ge-0/0/0.0 { disable; }


2205

®


} protection-group { ethernet-ring erp1 { ring-protection-link-owner; east-interface { control-channel { ge-0/0/0.0; } ring-protection-link-end; } west-interface { control-channel { ge-0/0/20.0; } } control-vlan erp-control-vlan-1; data-channel { vlan 101-102; } }

From configuration mode, confirm your VLAN configuration by entering the show vlans command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show vlans erp-control-vlan-1 { vlan-id 100; interface { ge-0/0/0.0; ge-0/0/20.0; } } erp-data-1 { vlan-id 101; interface { ge-0/0/10.0; ge-0/0/0.0; ge-0/0/20.0; } } erp-data-2 { vlan-id 102; interface { ge-0/0/10.0; ge-0/0/0.0; ge-0/0/20.0; } }

From configuration mode, confirm your interface configurations by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. user@switch# show interfaces

2206



ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/20 { unit 0 { family ethernet-switching { port-mode trunk; } } }

If you are finished configuring the device, enter commit from configuration mode.

Configure ERPS on Jas5-esc CLI Quick Configuration

To quickly configure Jas5-esc, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. set protocols rstp interface ge-0/0/10 disable set protocols rstp interface ge-0/0/0 disable set protocols protection-group ethernet-ring erp1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-2 set protocols protection-group ethernet-ring erp1 control-vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/10.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/0.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/10.0 vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/0.0 vlan erp-control-vlan-1


To configure ERPS on Jas5-esc: 1.

Disable RSTP on the two ports: [edit protocols] user@switch#set rstp interface ge-0/0/10 disable user@switch#set rstp interface ge-0/0/0 disable

2.

Create a node ring named erp1: [edit protocols]


2207

®


user@switch# set protection-group ethernet-ring erp1 3.

Configure a control VLAN named erp-control-vlan-1 for the node ring erp1: [edit protocols protection-group ethernet-ring erp1] user@switch# set control-vlan erp-control-vlan-1

4.

Configure two data channels named erp-data-1 and erp-data-2 to define a set of VLAN IDs that belong to a ring instance. [edit protocols protection-group ethernet-ring erp1] user@switch# set data-channel erp-data-1 user@switch# set data-channel erp-data-2

5.

Configure the east interface of the node ring erp1 with the control-channel ge-0/0/10.0: [edit protocols protection-group ethernet-ring erp1] user@switch# set east-interface control-channel ge-0/0/10.0

6.


7.

Every ring instance on a trunk port has one control VLAN in which ERP packets traverse. The control VLAN also controls data VLANs, if any are configured. Assign erp-control-vlan-1 as the control VLAN: [edit protocols protection-group ethernet-ring erp1] user@switch# set west-interface control-channel ge-0/0/0.0 vlan erp-control-vlan-1 user@switch# set east-interface control-channel ge-0/0/10.0 vlan erp-control-vlan-1

Results

From configuration mode, confirm your ERPS configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. user@switch# show protocols rstp { interface ge-0/0/10.0 { disable; } interface ge-0/0/0.0 { disable; } } protection-group { east-interface { control-channel { ge-0/0/10.0; } } west-interface { control-channel { ge-0/0/0.0; } }

2208



control-vlan erp-control-vlan-1; data-channel vlan 101-102 } }

From configuration mode, confirm your VLAN configuration by entering the show vlans command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show vlans erp-control-vlan-1 { vlan-id 100; interface { ge-0/0/10.0; ge-0/0/0.0; } } erp-data-1 { vlan-id 101; interface { ge-0/0/20.0; ge-0/0/10.0; ge-0/0/0.0; } } erp-data-2 { vlan-id 102; interface { ge-0/0/20.0; ge-0/0/10.0; ge-0/0/0.0; } }

From configuration mode, confirm your interface configurations by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show interfaces ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; } } }


2209

®


ge-0/0/20 { unit 0 { family ethernet-switching { port-mode trunk; } } }


Configure ERPS on Hairtail CLI Quick Configuration

To quickly configure Hairtail, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. set protocols rstp interface ge-0/0/10 disable set protocols rstp interface ge-0/0/20 disable set protocols protection-group ethernet-ring erp1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-2 set protocols protection-group ethernet-ring erp1 control-vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/20.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/10.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/20.0 vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/10.0 vlan erp-control-vlan-1


To configure ERPS on Hairtail: 1.

Disable RSTP on the two ports: [edit protocols] user@switch# set rstp interface ge-0/0/10 disable user@switch# set rstp interface ge-0/0/20 disable

2.


3.

Configure the control VLAN erp-control-vlan-1 for the node ring erp1: [edit protocols protection-group ethernet-ring erp1] user@switch# set control-vlan erp-control-vlan-1

4.

Configure two data channels named erp-data-1 and erp-data-1 to define a set of VLAN IDs that belong to a ring instance: [edit protocols protection-group ethernet-ring erp1] user@switch# set data-channel erp-data-1 user@switch# set data-channel erp-data-2

5.

2210

Configure the east interface of the node ring erp1 with the control-channel ge-0/0/20.0 and indicate that it connects to a ring protection link:



[edit protocols protection-group ethernet-ring erp1] user@switch# set east-interface control-channel ge-0/0/20.0 6.

Configure the west interface of the node ring erp1 with the control-channel ge-0/0/10.0 and indicate that it connects to a ring protection link: [edit protocols protection-group ethernet-ring erp1] user@switch# set west-interface control-channel ge-0/0/10.0

7.


Results

From configuration mode, confirm your ERPS configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show protocols rstp { interface ge-0/0/10.0 { disable; } interface ge-0/0/20.0 { disable; } } protection-group { ethernet-ring erp1 { east-interface { control-channel { ge-0/0/20.0; } } west-interface { control-channel { ge-0/0/10.0; } } control-vlan erp-control-vlan-1; data-channel { vlan 101-102; } } }

From configuration mode, confirm your VLAN configuration by entering the show vlans command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


2211

®


[edit] user@switch# show vlans erp-control-vlan-1 { vlan-id 100; interface { ge-0/0/20.0; ge-0/0/10.0; } } erp-data-1 { vlan-id 101; interface { ge-0/0/0.0; ge-0/0/20.0; ge-0/0/10.0; } } erp-data-2 { vlan-id 102; interface { ge-0/0/0.0; ge-0/0/20.0; ge-0/0/10.0; } }

From configuration mode, confirm your interface configurations by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show interfaces ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; } ge-0/0/20 { unit 0 { family ethernet-switching { port-mode trunk; } }


2212



Configure ERPS on Jas6-esc CLI Quick Configuration

To quickly configure Jas6-esc, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. set protocols rstp interface ge-0/0/30 disable set protocols rstp interface ge-0/0/20 disable set protocols protection-group ethernet-ring erp1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-1 set protocols protection-group ethernet-ring erp1 data-channel erp-data-2 set protocols protection-group ethernet-ring erp1 control-vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/30.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/20.0 set protocols protection-group ethernet-ring erp1 west-interface control-channel ge-0/0/20.0 vlan erp-control-vlan-1 set protocols protection-group ethernet-ring erp1 east-interface control-channel ge-0/0/30.0 vlan erp-control-vlan-1


To configure ERPS on Jas6-esc: 1.

Disable RSTP on the two ports: [edit protocols] user@switch# set rstp interface ge-0/0/30 disable user@switch# set rstp interface ge-0/0/20 disable

2.


3.

Configure the control VLAN erp-control-vlan-1 for the node ring erp1: [edit protocols protection-group ethernet-ring erp1] user@switch# set control-vlan erp-control-vlan-1

4.

Configure two data channels named erp-data-1 and erp-data-2 to define a set of VLAN IDs that belong to a ring instance. [edit protocols protection-group ethernet-ring erp1] user@switch# set data-channel erp-data-1 user@switch# set data-channel erp-data-2

5.

Configure the east interface of the node ring erp1 with the control-channel ge-0/0/30.0 : [edit protocols protection-group ethernet-ring erp1] user@switch# set east-interface control-channel ge-0/0/30.0

6.



2213

®


7.


Results

From configuration mode, confirm your ERPS configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show protocols rstp { interface ge-0/0/20.0 { disable; } interface ge-0/0/30.0 { disable; } } protection-group { ethernet-ring erp1 { east-interface { control-channel { ge-0/0/30.0; } } west-interface { control-channel { ge-0/0/20.0; } } control-vlan erp-control-vlan-1; data-channel { vlan 101-102; } } }

From configuration mode, confirm your VLAN configuration by entering the show vlans command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show vlans erp-control-vlan-1 { vlan-id 100; interface { ge-0/0/30.0; ge-0/0/20.0; }

2214



} erp-data-1 { vlan-id 101; interface { ge-0/0/0.0; ge-0/0/30.0; ge-0/0/20.0; } } erp-data-2 { vlan-id 102; interface { ge-0/0/0.0; ge-0/0/30.0; ge-0/0/20.0; } }

From configuration mode, confirm your interfaces configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. [edit] user@switch# show interfaces ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/20 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/30 { unit 0 { family ethernet-switching { port-mode trunk; } } }

Verification Verify that ERPS is working correctly.

Verifying That EPRS Is Working Correctly Purpose

To establish that ERPS is working, look at all the nodes in the ring with the show protection-group ethernet-ring interface command.


2215

®


Action

Check the state of the ring links. When the ring is configured but not being used (no error exists on the data links) one ERP interface is forwarding and one is discarding. Discarding blocks the ring. user@switch> show protection-group ethernet-ring interface Ethernet ring port parameters for protection group erp1 Interface Forward State RPL End Signal Failure Admin State ge-0/0/2.0 discarding yes clear ready ge-0/0/0.0 forwarding no clear ready

To find out what has occurred since the last restart, check the RPS statistics for ring-blocked events. NR is a No Request ring block, which means that the switch is not blocking either of the two ERP interfaces. NR-RB is a No Request Ring Blocked event, which means that the switch is blocking one of its ERP interfaces and sending a packet out to notify the other switches. user@switch> show protection-group ethernet-ring statistics Ring Name Local SF Remote SF NR Event NR-RB Event erp1 2 1 2 3

Meaning

The show protection-group ethernet-ring interface command output from the RPL owner node indicates that one interface is forwarding and one is discarding, meaning that the ERP is ready but not active. If at least one interface in the ring is not forwarding, the ring is blocked and therefore ERP is working. The show protection-group ethernet-ring statistics command output indicates that, since the last reboot, both local and remote signal failures have occurred (Local SF and Remote SF). The NR event count is 2, indicating that the state machine entered into an NR state twice. NR stands for No Request. This means that the switch either originated NR PDUs, or received an NR PDU from another switch and stopped blocking the interface to allow ERP to function. The three NR-RB events indicate that on three occasions, this switch either sent out NR-RB PDUs or received NR-RB PDUs from another switch. This occurs when a network problem is resolved and the switch once again blocks the ERP link at one end.


2216

•


•


•



CHAPTER 65

Configuring Ethernet Switching •

Configuring VLANs for EX Series Switches (J-Web Procedure) on page 2217

•


•


•


•

Configuring the Native VLAN Identifier (CLI Procedure) on page 2225

•


•


•


•


•


•

Configuring Redundant Trunk Groups (J-Web Procedure) on page 2232

•


•


•


•


•

Configuring Reflective Relay (CLI Procedure) on page 2240

•

Adding a Static MAC Address Entry to the Ethernet Switching Table (CLI Procedure) on page 2240

•


•


•


Configuring VLANs for EX Series Switches (J-Web Procedure) You can use the VLAN Configuration page to add a new VLAN or to edit or delete an existing VLAN on an EX Series switch.


2217

®


To access the VLAN Configuration page: 1.

Select Configure > Switching > VLAN. The VLAN Configuration page displays a list of existing VLANs. If you select a specific VLAN, the specific VLAN details are displayed in the Details section.


2. Click one: •

Add—creates a VLAN.

•

Edit—edits an existing VLAN configuration.

•

Delete—deletes an existing VLAN.

NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces is also deleted.

When you are adding or editing a VLAN, enter information as described in Table 255 on page 2218.

Table 255: VLAN Configuration Details Field

Function

Your Action

VLAN Name

Specifies a unique name for the VLAN.

Enter a name.

VLAN Id/Range

Specifies the identifier or range for the VLAN.

Select one:

General tab

•

VLAN ID—Type a unique identification number from 1 through 4094. If no value is specified, it defaults to 0.

•

VLAN Range—Type a number range to create VLANs with IDs corresponding to the range. For example, the range 2–3 will create two VLANs with the IDs 2 and 3.

Description

Describes the VLAN.

Enter a brief description for the VLAN.

MAC-Table-Aging-Time

Specifies the maximum time that an entry can remain in the forwarding table before it 'ages out'.

Type the number of seconds from 60 through 1000000.

Input filter

Specifies the VLAN firewall filter that is applied to incoming packets.

To apply an input firewall filter, select the firewall filter from the list.

2218


Chapter 65: Configuring Ethernet Switching

Table 255: VLAN Configuration Details (continued) Field

Function

Your Action

Output filter

Specifies the VLAN firewall filter that is applied to outgoing packets.

To apply an output firewall filter, select the firewall filter from the list.

Specifies the ports (interfaces) to be associated with this VLAN for data traffic. You can also remove the port association.

Click one:

Specifies IPv4 address options for the VLAN.

Select IPv4 address to enable the IPv4 address options.

Ports tab Ports

•

Add—Select the ports from the available list.

•

Remove—Select the port that you do not want associated with the VLAN.

IP address tab IPv4 address

To configure IPv4: 1.

Enter the IP address.

2. Enter the subnet mask—for example, 255.255.255.0. You can also specify the address prefix. 3. To apply an input firewall filter to an interface, select the firewall filter from the list. 4. To apply an output firewall filter to an interface, select the firewall filter from the list. 5. Click the ARP/MAC Details button. Enter the static IP address and MAC address in the window that is displayed. IPv6 address

Specifies IPv6 address options for the VLAN.

Select IPv6 address to enable the IPv6 address options. To configure IPv6: 1.

Enter the IP address—for example: 2001:ab8:85a3::8a2e:370:7334.

2. Specify the subnet mask. Voip tab Ports

Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association.


Click one: •

Add—Select the ports from the available list.

•

Remove—Select the port that you do not want associated with the VLAN.

•


•


•



2219

®


•


Configuring VLANs for EX Series Switches (CLI Procedure) EX Series switches use VLANs to make logical groupings of network nodes with their own broadcast domains. VLANs limit the traffic flowing across the entire LAN and reduce collisions and packet retransmissions. •

Why Create a VLAN? on page 2220

•

Create a VLAN Using the Minimum Procedure on page 2220

•

Create a VLAN Using All of the Options on page 2221

•

Configuration Guidelines for VLANs on page 2222

Why Create a VLAN? Some reasons to create VLANs are: •

A LAN has more than 200 devices.

•

A LAN has a lot of broadcast traffic.

•

A group of clients requires that a higher-than-average level of security be applied to traffic entering or exiting the group's devices.

•

A group of clients requires that the group's devices receive less broadcast traffic than they are currently receiving, so that data speed across the group is increased.

Create a VLAN Using the Minimum Procedure Two steps are required to create a VLAN: •

Uniquely identify the VLAN. You do this by assigning either a name or an ID (or both) to the VLAN. When you assign just a VLAN name, an ID is generated by Junos OS.

•

Assign at least one switch port interface to the VLAN for communication. All interfaces in a single VLAN are in a single broadcast domain, even if the interfaces are on different switches. You can assign traffic on any switch to a particular VLAN by referencing either the interface sending traffic or the MAC addresses of devices sending traffic.

The following example creates a VLAN using only the two required steps. The VLAN is created with the name employee-vlan. Then, three interfaces are assigned to that VLAN so that the traffic is transmitted among these interfaces.

NOTE: In this example, you could alternatively assign an ID number to the VLAN. The requirement is that the VLAN have a unique ID.

[edit] set vlans employee-vlan set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employee-vlan

2220



set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members employee-vlan set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members employee-vlan

In the example, all users connected to the interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3 can communicate with each other, but not with users on other interfaces in this network. To configure communication between VLANs, you must configure a routed VLAN interface (RVI). See “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223.

Create a VLAN Using All of the Options To configure a VLAN, follow these steps: 1.

In configuration mode, create the VLAN by setting the unique VLAN name: [edit] user@switch# set vlans vlan-name

2. Configure the VLAN tag ID or VLAN ID range for the VLAN. (If you assigned a VLAN

name, you do not have to do this, because a VLAN ID is assigned automatically, thereby associating the name of the VLAN to an ID number. However, if you want to control the ID numbers, you can assign both a name and an ID.) [edit] user@switch# set vlans vlan-name vlan-id (802.1Q Tagging) vlan-id-number

or [edit] user@switch# set vlans vlan-name vlan-range (vlan-id-low) - (vlan-id-high) 3. Assign at least one interface to the VLAN: [edit] user@switch# set vlans vlan-name interface interface-name

NOTE: You can also specify that a trunk interface is a member of all the VLANs that are configured on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.

4. (Optional) Create a subnet for the VLAN because all computers that belong to a

subnet are addressed with a common, identical, most-significant-bit group in their IP address. This makes it easy to identify VLAN members by their IP addresses. To create the subnet for the VLAN: [edit interfaces] user@switch# set vlan unit logical-unit-number family inet (CoS) address ip-address 5. (Optional) Specify the description of the VLAN: [edit] user@switch# set vlans vlan-name description (VLANs) text-description 6. (Optional) To avoid exceeding the maximum number of members allowed in a VLAN,

specify the maximum time that an entry can remain in the forwarding table before it ages out: [edit] user@switch# set vlans vlan-name mac-table-aging-time time


2221

®


7. (Optional) For security purposes, specify a VLAN firewall filter to be applied to incoming

or outgoing packets: [edit] user@switch# set vlans vlan-name filter (VLANs) input-or-output filter-name 8. (Optional) For accounting purposes, enable a counter to track the number of times

this VLAN is accessed: [edit] user@switch# set vlans vlan-name l3-interface ingress-counting l3-interface-name

Configuration Guidelines for VLANs Two steps are required to create a VLAN. You must uniquely identify the VLAN and you must assign at least one switch port interface to the VLAN for communication. After creating a VLAN, all users all users connected to the interfaces assigned to the VLAN can communicate with each other but not with users on other interfaces in the network. To configure communication between VLANs, you must configure a routed VLAN interface (RVI). See “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223 to create an RVI. The number of VLANs supported per switch varies for each switch type. Use the command set vlans id vlan-id ? to discover the maximum number of VLANs allowed on a switch. You cannot exceed this VLAN limit because each VLAN is assigned an ID number when it is created. You can, however, exceed the recommended VLAN member maximum . To determine the maximum number of VLAN members allowed on a switch, multiply the VLAN maximum obtained using set vlans id vlan-id ? times 8. If a switch configuration exceeds the recommended VLAN member maximum, you see a warning message when you commit the configuration. If you ignore the warning and commit such a configuration, the configuration succeeds but you run the risk of crashing the Ethernet switching process (eswd) due to memory allocation failure. Related Documentation

2222

•


•


•


•


•




Configuring Routed VLAN Interfaces (CLI Procedure) Routed VLAN interfaces (RVIs) allow the EX Series switch to recognize packets that are being sent to local addresses so that they are bridged (switched) whenever possible and are routed only when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated. An interface named vlan functions as a logical router on which you can configure a Layer 3 logical interface for each VLAN. For redundancy, you can combine an RVI with implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging and virtual private LAN service (VPLS) environments. Jumbo frames of up to 9216 bytes are supported on an RVI. To route jumbo data packets on the RVI, you must configure the jumbo MTU size on the member physical interfaces of the RVI and not on the RVI itself (the vlan interface). However, for jumbo control packets—for example, to ping the RVI with a packet size of 6000 bytes or more—you must explicitly configure the jumbo MTU size on the interface named vlan (the RVI).

CAUTION: Setting or deleting the jumbo MTU size on the RVI (the vlan interface) while the switch is transmitting packets might result in dropped packets.

To configure the routed VLAN interface (RVI): 1.

Create a Layer 2 VLAN by assigning it a name and a VLAN ID: [edit] user@switch# set vlans vlan-name vlan-id vlan-id

2. Assign an interface to the VLAN by naming the VLAN as a trunk member on the logical

interface, thereby making the interface part of the VLAN’s broadcast domain: [edit] user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name 3. Create a logical Layer 3 RVI (its name will be vlan.logical-interface-number, where the

value for logical-interface-number is the value you supplied for vlan-id in Step 1; in the following command, it is the logical-unit-number) on a subnet for the VLAN’s broadcast domain: [edit] user@switch# set interfaces vlan unit logical-unit-number family inet address inet-address 4. Link the Layer 2 VLAN to the logical Layer 3 interface: [edit] user@switch# set vlans vlan-name l3-interface vlan.logical-interface-number


2223

®


NOTE: Layer 3 interfaces on trunk ports allow the interface to transfer traffic between multiple Layer 2 VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed.

5. (Optional) On an EX8200 switch, enable an input counter for tracking or billing

purposes: [edit] user@switch# set vlans vlan-name l3-interface vlan logical-interface-number l3-interface-ingress-counting

NOTE: The input counter is maintained by a firewall filter—these counters are allocated on a first-come, first-served basis.


•

Verifying Routed VLAN Interface Status and Statistics

•


Configuring MAC Table Aging (CLI Procedure) The Ethernet switching table (or MAC table) aging process ensures that the EX Series switch tracks only active MAC addresses on the network and is able to flush out MAC addresses that are no longer used. You can configure the MAC table aging time, the maximum time that an entry can remain in the Ethernet Switching table before it “ages out,” either on all VLANs on the switch or on particular VLANs. This setting can influence efficiency of network resource use by affecting the amount of traffic that is flooded to all interfaces because when traffic is received for MAC addresses no longer in the Ethernet switching table, the switch floods the traffic to all interfaces. To configure the MAC table aging time on all VLANs on the switch: [edit] user@switch# set ethernet-switching-options mac-table-aging-time seconds

To configure the MAC table aging time on a VLAN: [edit] user@switch# set vlans vlan-name mac-table-aging-time seconds

NOTE: You can set the MAC table aging time to unlimited. If you specify the value as unlimited, entries are never removed from the table. Generally, use this setting only if the switch or the VLAN has a fairly static number of end devices; otherwise the table will eventually fill up. You can use this setting to minimize traffic loss and flooding that might occur when traffic arrives for MAC addresses that have been removed from the table.

2224




•


•


•


•


•


Configuring the Native VLAN Identifier (CLI Procedure) EX Series switches support receiving and forwarding routed or bridged Ethernet frames with 802.1Q VLAN tags. The logical interface on which untagged packets are to be received must be configured with the same native VLAN ID as that configured on the physical interface. To configure the native VLAN ID using the CLI: 1.

Configure the port mode so that the interface is in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN. Configure the port mode as trunk: [edit interfaces ge-0/0/3 unit 0 family ethernet-switching] user@switch# set port-mode trunk

2. Configure the native VLAN ID: [edit interfaces ge-0/0/3 unit 0 family ethernet-switching] user@switch# set native-vlan-id 3


•


•


•


•



2225

®


Creating a Series of Tagged VLANs (CLI Procedure) To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged and are encapsulated with 802.1Q tags. For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag. Instead of configuring VLANS and 802.1Q tags one at a time for a trunk interface, you can configure a VLAN range to create a series of tagged VLANs. When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them. For example, you could configure the VLAN employee and specify a tag range of 10-12. This creates the following VLANs and tags: •

VLAN employee-10, tag 10

•


•


Creating tagged VLANs in a series has the following limitations: •

Layer 3 interfaces do not support this feature.

•

Because an access interface can only support one VLAN member, access interfaces also do not support this feature.

•

Voice over IP (VoIP) configurations do not support a range of tagged VLANs.

To configure a series of tagged VLANs using the CLI (here, the VLAN is employee): 1.

Configure the series (here, a VLAN series from 120 through 130): [edit] user@switch# set vlans employee vlan-range 120-130

2. Associate a series of tagged VLANs when you configure an interface in one of two

ways: •

Include the name of the series: [edit interfaces] user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members employee

•

Include the VLAN range: [edit interfaces] user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members 120–130

Associating a series of tagged VLANS to an interface by name or by VLAN range have the same result: VLANs __employee_120__ through __employee_130__ are created.

2226



NOTE: When a series of VLANs are created using the vlan-range command, the VLAN names are prefixed and suffixed with a double underscore.


•

Verifying That a Series of Tagged VLANs Has Been Created on page 2247

•


•


•


•


Configuring Virtual Routing Instances (CLI Procedure) Use virtual routing and forwarding (VRF) to divide an EX Series switch into multiple virtual routing instances. VRF allows you to isolate traffic traversing the network without using multiple devices to segment your network. VRF is supported on all Layer 3 interfaces. Before you begin, make sure to set up your VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217. To configure virtual routing instances: 1.

Create a routing instance: [edit routing-instances] user@switch# set routing-instance-name instance-type virtual-router

NOTE: EX Series switches only support the virtual-router instance type.

2. Bind each routing instance to the corresponding physical interfaces: [edit routing-instances] user@switch# set routing-instance-name interface interface-name.logical-unit-number 3. Create the logical interfaces that are bound to the routing instance. •

To create a logical interface with an IPv4 address: [edit interfaces] user@switch# set interface-name unit logical-unit-number family inet address ip-address

•

To create a logical interface with an IPv6 address: [edit interfaces] user@switch# set interface-name unit logical-unit-number family inet6 address ipv6–address


2227

®


NOTE: Do not create a logical interface using the family ethernet-switching option in this step. Binding an interface using the family ethernet-switching option to a routing instance can cause the interface to shutdown.

4. Enable VLAN tagging on each physical interface that was bound to the routing instance: [edit interfaces] user@switch# set interface-name vlan-tagging


•


•

Verifying That Virtual Routing Instances Are Working on page 2249

•


Creating a Private VLAN on a Single EX Series Switch (CLI Procedure) For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. This topic describes how to configure a PVLAN on a single switch. Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—the PVLAN is configured as part of this procedure.) The secondary VLANs should be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch. For directions for configuring the secondary VLANs, see “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220. Keep these rules in mind when configuring a PVLAN on a single switch: •

The primary VLAN must be a tagged VLAN.

•


To configure a private VLAN on a single switch: 1.

Set the VLAN ID for the primary VLAN: [edit vlans] user@switch# set pvlan vlan-id (802.1Q Tagging) vlan-id-number

2. Set the interfaces and port modes: [edit interfaces] user@switch# set interface-name unit 0 family ethernet-switching port-mode mode user@switch# set interface-name unit 0 family ethernet-switching vlan members all-or-vlan-id-or-number 3. Configure the primary VLAN to have no-local-switching: [edit vlans]

2228



user@switch# set vlan-id (802.1Q Tagging) .vlan-id-number no-local-switching 4. For each community VLAN, configure access interfaces: [edit vlans] user@switch# set community-vlan-name interface (VLANs) interface-name 5. For each community VLAN, set the primary VLAN: [edit vlans] user@switch# set community-vlan-name primary-vlan primary-vlan-name

Isolated VLANs are not configured as part of this process, but instead are created internally if no-local-switching is enabled on the primary VLAN and the isolated VLAN has access interfaces as members. Related Documentation

•


•


•

Verifying That a Private VLAN Is Working on page 2250

•



2229

®


Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure) For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. This topic describes how to configure a PVLAN to span multiple switches. Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—the PVLAN is configured as part of this procedure.) The secondary VLANs should be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch. For directions for configuring the secondary VLANs, see “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220. The following rules apply to creating PVLANs: •

The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.

•


•


•


•


To configure a private VLAN to span multiple switches: 1.

Configure the name and 802.1Q tag for a community VLAN that spans the switches: [edit vlans] user@switch# set community-vlan-name vlan-id (802.1Q Tagging) number

2. Add the access interfaces to the specified community VLAN: [edit vlans] user@switch# set community-vlan-name interface interface-name 3. Set the primary VLAN of the specified community VLAN: [edit vlans] user@switch# set community-vlan-name primary-vlan primary-vlan-name 4. Configure the name and the 802.1Q tag for the primary VLAN:. [edit vlans] user@switch# set primary-vlan-name vlan-id number 5. Add the isolated port to the specified primary VLAN: [edit vlans] user@switch# set primary-vlan-name interface interface-name

2230



NOTE: To configure an isolated port, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.

6. Set the PVLAN trunk interface that will connect the specified VLAN to the neighboring

switch: [edit vlans] user@switch# set primary-vlan-name interface interface-name pvlan-trunk 7. Set the primary VLAN to have no local switching: [edit vlans] user@switch# set primary-vlan-name no-local-switching 8. Set the 802.1Q tag of the interswitch isolated VLAN: [edit vlans] user@switch# set primary-vlan-name isolation-id number


•


•


•


•


•

Understanding PVLAN Traffic Flows Across Multiple Switches

Configuring Q-in-Q Tunneling (CLI Procedure) Q-in-Q tunneling allows service providers on Ethernet access networks to segregate or bundle customer traffic into different VLANs by adding another layer of 802.1Q tags. You can configure Q-in-Q tunneling on EX Series switches.

NOTE: You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.

Before you begin configuring Q-in-Q tunneling, make sure you set up your VLANs. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220 or “Configuring VLANs for EX Series Switches (J-Web Procedure)” on page 2217. To configure Q-in-Q tunneling: 1.

Enable Q-in-Q tunneling on the S-VLAN: [edit vlans] user@switch# set s-vlan-name dot1q-tunneling (VLANs)

2. Set the allowed C-VLANs on the S-VLAN (optional). Here, the C-VLANs are identified

by VLAN range: [edit vlans] user@switch# set s-vlan-name dot1q-tunneling customer-vlans range


2231

®


3. Change the global Ethertype value (optional): [edit] user@switch# set ethernet-switching-options dot1q-tunneling ether-type ether-type-value 4. Disable MAC address learning on the S-VLAN (optional): [edit vlans] user@switch# set s-vlan-name no-mac-learning (Q-in-Q VLANs)


•


•

Verifying That Q-in-Q Tunneling Is Working on page 2250

•


Configuring Redundant Trunk Groups (J-Web Procedure) A redundant trunk link provides a simple solution for network recovery when a trunk interface goes down. Traffic is routed to another trunk interface, keeping network convergence time to a minimum. You can configure redundant trunk groups (RTGs) with a primary link and a secondary link on trunk interfaces, or configure dynamic selection of the active interface. If the primary link fails, the secondary link automatically takes over without waiting for normal STP convergence. An RTG can be created only if the following conditions are satisfied: •

A minimum of two trunk interfaces that are not part of any RTG are available.

•

All the selected trunk interfaces to be added to the RTG have the same VLAN configuration.

•

The selected trunk interfaces are not part of a spanning-tree configuration.

To configure an RTG using the J-Web interface: 1.

Select Configure > Switching > RTG. The RTG Configuration page displays a list of existing RTGs. If you select a specific RTG, the details of the selected RTG are displayed in the Details of group section.


2. Click one:

2232

•

Add—Creates an RTG.

•

Edit—Modifies an RTG.

•

Delete—Deletes an RTG.



When you are adding or editing an RTG, enter information as described in Table 256 on page 2233. 3. Click OK to apply changes to the configuration or click Cancel to cancel without saving

changes.

Table 256: RTG Configuration Fields Field

Function

Your Action

Group Name

Specifies a unique name for the RTG.

Enter a name.

Member Interface 1

Specifies a logical interface containing multiple trunk interfaces.

Select a trunk interface from the list.

Member Interface 2

Specifies a trunk interface containing multiple VLANs.

Select a trunk interface from the list.

Select Primary Interface

Enables you to specify one of the interfaces in the RTG as the primary link. The interface without this option is the secondary link in the RTG.

1.

Specifies that the system dynamically selects the active interface.

Select the option button.

Dynamically select my active interface


Select the option button.

2. Select the primary interface.

•


•


Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure) Multiple VLAN Registration Protocol (MVRP) is used to manage dynamic VLAN registration in a LAN. You can use MVRP on EX Series switches. MVRP is disabled by default on EX Series switches. To enable MVRP or set MVRP options, follow these instructions: •

Enabling MVRP on page 2233

•

Disabling MVRP on page 2234

•

Disabling Dynamic VLANs on page 2234

•

Configuring Timer Values on page 2234

•

Configuring MVRP Registration Mode on page 2235

•

Using MVRP in a Mixed-Release Network on page 2236

Enabling MVRP MVRP can only be enabled on trunk interfaces. To enable MVRP on all trunk interfaces on the switch:


2233

®


[edit protocols mvrp] user@switch# set interface all

To enable MVRP on a specific trunk interface: [edit protocols mvrp] user@switch# set interface xe-0/0/1.0

Disabling MVRP MVRP is disabled by default. You only need to perform this procedure if you have previously enabled MVRP. To disable MVRP on all trunk interfaces on the switch: [edit protocols mvrp] user@switch# set disable

To disable MVRP on a specific trunk interface: [edit protocols mvrp] user@switch# set disable interface xe-0/0/1.0

Disabling Dynamic VLANs Dynamic VLANs can be created on interfaces participating in MVRP by default. Dynamic VLANs are VLANs created on one switch that are propagated to other switches dynamically; in this case, using MVRP. Dynamic VLAN creation through MVRP cannot be disabled per switch interface. To disable dynamic VLAN creation for interfaces participating in MVRP, you must disable it for all interfaces on the switch. To disable dynamic VLAN creation: [edit protocols mvrp] user@switch# set no-dynamic-vlan

Configuring Timer Values The timers in MVRP define the amount of time an interface waits to join or leave MVRP or to send or process the MVRP information for the switch after receiving an MVRP PDU. The join timer controls the amount of time the switch waits to accept a registration request, the leave timer controls the period of time that the switch waits in the Leave state before changing to the unregistered state, and the leaveall timer controls the frequency with which the LeaveAll messages are communicated. The default MVRP timer values are 200 ms for the join timer, 1000 ms for the leave timer, and 10000 ms for the leaveall timer.

BEST PRACTICE: Maintain default timer settings unless there is a compelling reason to change the settings. Modifying timers to inappropriate values might cause an imbalance in the operation of MVRP.

2234



To set the join timer for all interfaces on the switch: [edit protocols mvrp] user@switch# set interface all join-timer 300

To set the join timer for a specific interface: [edit protocols mvrp] user@switch# set interface xe-0/0/1.0 300

To set the leave timer for all interfaces on the switch: [edit protocols mvrp] user@switch# set interface all leave-timer 1200

To set the leave timer for a specific interface: [edit protocols mvrp] user@switch# set interface xe-0/0/1.0 leave-timer 1200

To set the leaveall timer for all interfaces on the switch: [edit protocols mvrp] user@switch# set interface all leaveall-timer 12000

To set the leaveall timer for a specific interface: [edit protocols mvrp] user@switch# set interface xe-0/0/1.0 leaveall-timer 12000

Configuring MVRP Registration Mode The default MVRP registration mode for any interface participating in MVRP is normal. An interface in normal registration mode participates in MVRP when MVRP is enabled on the switch. An interface in forbidden registration mode does not participate in MVRP even if MVRP is enabled on the switch. To set all interfaces to forbidden registration mode: [edit protocols mvrp] user@switch# set interface all registration forbidden

To set one interface to forbidden registration mode: [edit protocols mvrp] user@switch# set interface xe-0/0/1.0 registration forbidden

To set all interfaces to normal registration mode: [edit protocols mvrp] user@switch# set interface all registration normal

To set one interface to normal registration mode: [edit protocols mvrp] user@switch# set interface xe-0/0/1.0 registration normal


2235

®


Using MVRP in a Mixed-Release Network MVRP was updated in Junos OS Release 11.3 to be compatible with the IEEE standard 802.1ak. Because of this, earlier OS versions of MVRP do not recognize the PDUs sent by MVRP on Release 11.3 or later. If your network has a mix of Release 11.3 and earlier releases, you must alter MVRP on the switches running Release 11.3 so they are compatible with the old protocol data units (PDUs). You can recognize an MVRP version problem by looking at the switch running the earlier Junos OS version. Because a switch running an earlier Junos OS version cannot interpret an unmodified PDU from Junos OS Release 11.3, the switch will not add VLANs from the later Junos OS version. When you execute the command show mvrp statistics on the earlier version, the values for Join Empty received and Join In received will incorrectly display zero, even though the value for MRPDU received has been increased. Another indication that MVRP is having a version problem is that unexpected VLAN activity, such as multiple VLAN creation, takes place on the switch running the earlier Junos OS version. To make MVRP on Release 11.3 or later compatible with earlier releases: [edit protocols mvrp] user@switch# set add-attribute-length-in-pdu


•


•

Verifying That MVRP Is Working Correctly on page 2257

•


Configuring Layer 2 Protocol Tunneling on EX Series Switches (CLI Procedure) Layer 2 protocol tunneling (L2PT) allows you to send Layer 2 protocol data units (PDUs) across a service provider network and deliver them to EX Series switches at a remote location. This feature is useful when you have a network that includes remote sites that are connected across a service provider network and you want to run Layer 2 protocols on switches connected across the service provider network. Tunneled Layer 2 PDUs do not normally arrive at high rate. If the tunneled Layer 2 PDUs do arrive at high rate, there might be a problem in the network. Typically, you would want to shut down the interface that is receiving a high rate of tunneled Layer 2 PDUs so that the problem can be isolated. You do so using the shutdown-threshold statement. However, if you do not want to completely shut down the interface, you can configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold using the drop-threshold statement. There are no default settings for drop-threshold and shutdown-threshold. If you do not specify these thresholds, then no thresholds are enforced. As a result, the switch tunnels all Layer 2 PDUs regardless of the speed at which they are received, although the number of packets tunneled per second might be limited by other factors.

2236



You can specify a drop threshold value without specifying a shutdown threshold value, and you can specify a shutdown threshold value without specifying a drop threshold value. If you specify both threshold values, then the drop threshold value must be less than or equal to the shutdown threshold value. If the drop threshold value is greater than the shutdown threshold value and you try to commit the configuration, the commit will fail.

NOTE: L2PT and VLAN translation configured with the mapping statement cannot both be configured on the same switch.

NOTE: If the switch receives untagged Layer 2 control PDUs to be tunnelled, then you must configure the switch to map untagged (native) packets to an L2PT-enabled VLAN. Otherwise, the untagged Layer 2 control PDU packets are discarded. For more information, see “Understanding Q-in-Q Tunneling on EX Series Switches” on page 2091 and “Configuring Q-in-Q Tunneling (CLI Procedure)” on page 2231.

To configure L2PT on an EX Series switch: 1.

Because L2PT operates under the Q-in-Q tunneling configuration, you must enable Q-in-Q tunneling before you can configure L2PT. Enable Q-in-Q tunneling on VLAN customer-1: [edit] user@switch# set vlans customer-1 dot1q-tunneling

2. Enable L2PT for the Layer 2 protocol you want to tunnel, on the VLAN: •

To enable L2PT for a specific protocol (here, STP): [edit] user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling stp

•

To enable L2PT for all supported protocols: [edit] user@switch# set vlans customer-1 dot1q-tunneling layer2-protocol-tunneling all

3. (Optional) Configure the drop threshold:

NOTE: If you also configure the shutdown threshold, ensure that you configure the drop threshold value to be less than or equal to the shutdown threshold value. If the drop threshold value is greater than the shutdown threshold value and you to try to commit the configuration changes, the commit will fail.

[edit] user@switch# set vlans customer-1 dot1q-tunneling layer2–protocol-tunneling stp drop-threshold 50 4. (Optional) Configure the shutdown threshold:


2237

®


NOTE: If you also configure the drop threshold, ensure that you configure the shutdown threshold value to be greater than or equal to the drop threshold value. If the shutdown threshold value is less than the drop threshold value and you to try to commit the configuration changes, the commit will fail.

[edit] user@switch# set vlans customer-1 dot1q-tunneling layer2–protocol-tunneling stp shutdown-threshold 100

NOTE: Once an interface is disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command. Otherwise, the interface remains disabled.


•


•


Configuring MAC Notification (CLI Procedure) When a switch learns or unlearns a MAC address, SNMP notifications can be sent to the network management system at regular intervals to record the addition or removal of the MAC address. This process is known as MAC notification. The MAC notification interval defines how often Simple Network Management Protocol (SNMP) notifications logging the addition or removal of MAC addresses on the switch are sent to the network management system. MAC notification is disabled by default. When MAC notification is enabled, the default MAC notification interval is 30 seconds. To enable or disable MAC notification, or to set the MAC notification interval, perform these tasks: •

Enabling MAC Notification on page 2238

•

Disabling MAC Notification on page 2239

•

Setting the MAC Notification Interval on page 2239

Enabling MAC Notification MAC notification is disabled by default. You need to perform this procedure to enable MAC notification. To enable MAC notification on the switch with the default MAC notification interval of 30 seconds: [edit ethernet-switching-options] user@switch# set mac-notification

2238



To enable MAC notification on the switch with any other MAC notification interval (here, the MAC notification interval is set to 60 seconds): [edit ethernet-switching-options] user@switch# set mac-notification notification-interval 60

Disabling MAC Notification MAC Notification is disabled by default. Perform this procedure only if MAC notification was previously enabled on your switch. To disable MAC notification on the switch: [edit ethernet-switching-options] user@switch# delete mac-notification

Setting the MAC Notification Interval The default MAC notification interval is 30 seconds. The procedure to change the MAC notification interval to a different interval is identical to the procedure to enable MAC notification on the switch with a nondefault value for the MAC notification interval. To set the MAC notification interval on the switch (here, the MAC notification interval is set to 5 seconds): [edit ethernet-switching-options] user@switch# set mac-notification notification-interval 5


•

Verifying That MAC Notification Is Working Properly on page 2258

Configuring Proxy ARP (CLI Procedure) You can configure proxy Address Resolution Protocol (ARP) on your EX Series switch to enable the switch to respond to ARP queries for network addresses by offering its own media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination. To configure proxy ARP on a single interface: [edit interfaces] user@switch# set ge-0/0/3 unit 0 proxy-arp restricted

BEST PRACTICE: We recommend that you configure proxy ARP in restricted mode. In restricted mode, the switch is not a proxy if the source and target IP addresses are on the same subnet. If you use unrestricted mode, disable gratuitous ARP requests on the interface to avoid the situation of the switch’s response to a gratuitous ARP request appearing to the host to be an indication of an IP conflict:

To configure proxy ARP on a routed VLAN interface (RVI): [edit interfaces]


2239

®


user@switch# set vlan unit 100 proxy-arp restricted


•


•

Verifying That Proxy ARP Is Working Correctly on page 2258

•


Configuring Reflective Relay (CLI Procedure) Configure edge virtual bridging (EVB) when a switch is connected to a Virtual Machine server using VEPA technology. Before you begin configuring EVB, ensure that you have: •

Configured packet aggregation on the server connected to the port. See your server documentation.

•

Configured the port for all VLANs that could be included in aggregated packets. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

To configure EVB on a port interface: 1.

Create VSI types on the server and store them in the VSI Type database. [edit] user@switch# ???????????????

2. Configure the interface for reflective relay: [edit] user@switch# set interfaces interface-name unit 0 family ethernet-switching reflective-relay 3. Configure the interface for the VLANs that exist on the VM server: [edit] user@switch# set interfaces interface-name unit 0 family ethernet-switching vlan vlan-names


•


•


Adding a Static MAC Address Entry to the Ethernet Switching Table (CLI Procedure) The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses. The second way to populate the Ethernet switching table is to manually insert a VLAN node location into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process. To further optimize the switching process, indicate the next hop (next interface) packets will use after leaving the node. Before configuring a static MAC address, be sure that you have:

2240



•

Set up the VLAN. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

To add a MAC address to the Ethernet switching table: 1.

Specify the MAC address to add to the table: [edit ethernet-switching-options] set static vlan vlan-name mac mac-address

2. Indicate the next hop MAC address for packets sent to the indicated MAC address: [edit ethernet-switching-options] set static vlan vlan-name mac mac-address next-hop interface


•


Configuring Redundant Trunk Links for Faster Recovery (CLI Procedure) You can manage network convergence by configuring both a primary link and a secondary link on an EX Series switch; this is called a redundant trunk group (RTG). If the primary link in a redundant trunk group fails, it passes its known MAC address locations to the secondary link, which automatically takes over. Generally, you configure a redundant trunk group by configuring one primary link (and its interface) and one unspecified link (and its interface) to serve as the secondary link. A second type of redundant trunk group, not shown in the procedure in this topic, consists of two unspecified links (and their interfaces); in this case, neither of the links is primary. In this second case, the software selects an active link by comparing the port numbers of the two links and activating the link with the higher port number. The procedure given here describes configuring a primary/unspecified configuration for a redundant trunk group because that configuration gives you more control and is more commonly used. Rapid Spanning Tree Protocol (RSTP) is enabled by default on EX Series switches to create a loop-free topology, but an interface is not allowed to be in both a redundant trunk group and in a spanning-tree protocol topology at the same time. A primary link takes over whenever it is able. You can, however, alter the number of seconds that the primary link waits before reestablishing control by configuring the primary link’s preempt cutover timer. Before you configure the redundant trunk group on the switch, be sure you have: •

Disabled RSTP on all switches that will be linked to your redundant trunk group.

•

Configured at least two interfaces with mode set to trunk; be sure that these two interfaces are not part of any existing RTG. See “Configuring Gigabit Ethernet Interfaces (CLI Procedure)” on page 1818 .

To configure a redundant trunk group on a switch: 1.

Turn off RSTP: [edit]


2241

®


user@switch# set protocols rstp disable 2. Name the redundant trunk group while configuring one primary and one unspecified

trunk interface: [edit ethernet-switching-options] user@switch# set redundant-trunk-group group name interface (Redundant Trunk Groups) interface-name primary user@switch# set redundant-trunk-group group name interface interface-name 3. (Optional) Change the length of time (from the default 120 seconds) that a re-enabled

primary link waits to take over from an active secondary link: [edit ethernet-switching-options] set redundant-trunk-group group name preempt-cutover-timer seconds


•


•


Configuring Edge Virtual Bridging (CLI Procedure) Configure edge virtual bridging (EVB) when a switch is connected to a virtual machine (VM) server using virtual Ethernet port aggregator (VEPA) technology. EVB does not convert packets; rather, it ensures that packets from oneVM destined for another VM on the same VM server is switched. In other words, when the source and destination of a packet are the same port, EVB delivers the packet properly, which otherwise would not happen.

NOTE: Configuring EVB also enables Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP).

Before you begin configuring EVB, ensure that you have: •

Configured packet aggregation on the server connected to the port that you will use on the switch for EVB. See your server documentation.

•

Configured the EVB interface for all VLANs located on the virtual machines. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

NOTE: The port security features MAC move limiting and MAC limiting are supported on interfaces that are configured for EVB; however, the port security features IP source guard, dynamic ARP inspection (DAI), and DHCP snooping are not supported by EVB. For more information about these features, see “Port Security Overview” on page 4047.

2242



To configure EVB on the switch: 1.

Configure tagged-access mode for the interfaces on which you will enable EVB: [edit interfaces interface-name] user@switch# set unit 0 family ethernet-switching port-mode tagged-access

2. Enable the Link Layer Discovery Protocol (LLDP) on the interfaces on which you will

enable EVB:. [edit protocols] user@switch# set lldp interface interface-name 3. Configure the interfaces for EVB as members of all VLANs located on the virtual

machines. [edit protocols] user@switch# set vlans vlan-name vlan-id vlan-number 4. Enable VDP on the interfaces: [edit protocols] user@switch# set edge-virtual-bridging vsi-discovery interface interface-name 5. Define policies for VSI information, including a VSI manager ID, VSI type, VSI version,

and VSI instance ID: [edit policy-options] user@switch# set vsi-policy policy-name from vsi-manager manager-number vsi-type type-number vsi-version version-number vsi-instance instance-number user@switch# set vsi-policy policy-name then filter filter-name 6. Define the firewall filters you mapped to in the previous step. When each incoming

packet matches the filter, the count is incremented by 1. Other possible actions are accept and drop. [edit firewall family ethernet-switching] user@switch# set filter filter-name term term-name then action 7. Associate VSI policies with VDP: [edit protocols] user@switch# set edge-virtual-bridging vsi-discovery vsi-policy policy-name 8. Verify that the virtual machine successfully associated with the switch. After successful

association of the VSI Profile with the switch interface, verify the learning of the VM’s MAC address on MAC-Table or Forwarding database Table. The learn type of the VM’s MAC addresses will be VDP, and upon successful shutdown of VM the corresponding MAC-VLAN entry will get flushed out from FDB table otherwise it will never shutdown. admin@host# run show ethernet-switching table 9. Verify that VSI profiles are being learned at the switch: user@switch# show edge-virtual-bridging vsi-profiles 10. Check the statistics of ECP packet exchanges between the switch and server: user@switch# show edge-virtual-bridging ecp statistics


•


•



2243

®


Configuring Ethernet Ring Protection Switching (CLI Procedure) You can configure Ethernet ring protection switching (ERPS) on connected switches to prevent fatal loops from disrupting a network. ERPS is similar to spanning-tree protocols, but ERPS is more efficient than spanning-tree protocols because it is customized for ring topologies. You must configure at least three switches to form a ring. One of the links, called the ring protection link (RPL) end interface, is blocked until another link fails—at this time the RPL link is unblocked, ensuring connectivity.

NOTE: Ethernet OAM connectivity fault management (CFM) can be used with ERPS to detect link faults faster in some cases. See “Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure)” on page 5354. The time needed for switchover to the ERPS link is affected by three settings—link failure detection time, the number of nodes in the ring, and the time it takes to unblock the RPL after a failure is detected.

NOTE: Do not configure redundant trunk groups on ERPS interfaces. You can configure VSTP on ERPS interfaces if the VSTP uses a VLAN that is not part of the ERPS control VLAN or data channel VLANs. The total number of ERPS and VSTP or MSTP instances is limited to 253.

Before you begin: •

Optionally, configure two interfaces on each switch as trunk ports. See “Configuring Gigabit Ethernet Interfaces (CLI Procedure)” on page 1818.

•

Configure a VLAN to act as a control VLAN for ERPS if your interfaces are trunk ports. Configure the same VLAN on all switches and associate the two network interfaces from each of the switches with the VLAN. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220. If you have multiple ERPS instances, the control VLANs and data channel VLANs must not overlap.

•

Data channels are optional on the ERPS link. If you plan to use them, configure a VLAN for each data channel.

To configure ERPS:

NOTE: You must configure at least three switches, with only one switch designated as the RPL owner node.

1.

RSTP and EPRS cannot both be configured on a ring port, and RSTP is configured by default. Disable RSTP on each switch interface: user@switch#setrstpinterface interface-name disable

2. Create a node ring on each switch:

2244



[edit protocols] user@switch# set protection-group ethernet-ring ring-name 3. Configure a control VLAN for the node ring if the links are trunk ports:

[edit protocols protection-group ethernet-ring ring name] user@switch# set control-vlan vlan-name-or-vlan-id 4. Configure the east interface of the node ring with the control-channel interface. In

addition, configure either the east interface or the west interface (but not both) as a link end. [edit protocols protection-group ethernet-ring ring-name] user@switch# set east-interface control-channelchannel-name user@switch# set east-interface ring-protection-link-end 5. Configure the west interface of the node ring with the control-channel interface. In

addition, configure either the east interface or the west interface (but not both) as a link end. [edit protocols protection-group ethernet-ring ring-name] user@switch# set west-interface control-channel control-channel-interface-address user@switch# set west-interface ring protection link end 6. Configure only one switch as the RPL owner node:

[edit protocols protection-group ethernet-ring ring-name] user@switch# set ring-protection-link-owner 7. The restore interval configures the number of minutes that the node does not process

any Ethernet ring protection (ERP) protocol data units (PDUs). When a link goes down, the ring protection link (RPL) activates. When the downed link comes back up, the RPL receives notification, restores the link, and waits the length of time indicated by the restore interval before issuing another block on the same link. Optionally, configure the restore interval on each switch: [edit protocols protection-group ethernet-ring ring-name] user@switch# set restore-interval restore-interval-value 8. The guard interval prevents ring nodes from receiving outdated messages (called

RAPs). Optionally, configure the guard interval on each switch: [edit protocols protection-group ethernet-ring ring name] user@switch# set guard-interval guard-interval-value

NOTE: Local settings take priority over global settings.

Global settings are used when no local settings are present. Optionally, you can also configure these global settings on the switch: •

restore interval

•

guard interval

•

ERP traceoptions: file, page size, file size, flag name

9. Optionally, reconfigure the global guard interval on each switch:


2245

®


[edit protocols protection-group ethernet-ring ring name] user@switch# set guard-interval guard-interval-value 10. Optionally, reconfigure the global restore interval on each switch:

[edit protocols protection-group ethernet-ring ring name] user@switch# set restore-interval restore-interval-value 11. After detection of a link failure, switching takes place after the hold interval has expired.

Optionally, reconfigure the global hold interval on each switch: [edit protocols protection-group ethernet-ring ring name] user@switch# set hold-interval hold-interval-value 12. Optionally, configure VLANs for data channels on the ERPS link:

[edit protocols protection-group ethernet-ring ring name] user@switch# set data-channel vlan-name


2246

•


•


•



CHAPTER 66

Verifying Ethernet Switching Configuration •

Verifying That a Series of Tagged VLANs Has Been Created on page 2247

•

Verifying That Virtual Routing Instances Are Working on page 2249

•

Verifying That Q-in-Q Tunneling Is Working on page 2250

•


•

Monitoring Ethernet Switching on page 2255

•


•


•


Verifying That a Series of Tagged VLANs Has Been Created Purpose Action

Verify that a series of tagged VLANs is created on the switch. Display the VLANs in the ascending order of their VLAN ID: user@switch> show vlans sort-by tag Name Tag __employee_120__ 120

Interfaces ge-0/0/22.0*

__employee_121__

121

__employee_122__

122

__employee_123__

123

__employee_124__

124

__employee_125__

125

__employee_126__

126

__employee_127__

127

__employee_128__

128

__employee_129__

129

ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0* ge-0/0/22.0*


2247

®


__employee_130__

130 ge-0/0/22.0*

Display the VLANs by the alphabetical order of the VLAN name: user@switch> show vlans sort-by name Name

Tag

Interfaces

__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*

Display the VLANs by specifying the VLAN-range name (here, the VLAN-range name is employee): user@switch> show vlans employee Name

Tag

Interfaces

__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0*

2248


Chapter 66: Verifying Ethernet Switching Configuration

__employee_130__ 130 ge-0/0/22.0*

Meaning

The sample output shows the VLANs configured on the switch. The series of tagged VLANs is displayed: __employee__120__ through __employee_130__. Each of the tagged VLANs is configured on the trunk interface ge-0/0/22.0. The asterisk (*) beside the interface name indicates that the interface is UP. When a series of VLANs is created using the vlan-range statement, the VLAN names are prefixed and suffixed with a double underscore.


•


Verifying That Virtual Routing Instances Are Working Purpose Action

After creating a virtual routing instance, make sure it is set up properly. 1.

Use the show route instance command to list all of the routing instances and their properties: user@switch> show route instance Instance Type Primary RIB master forwarding inet.0 __juniper_private1__ forwarding __juniper_private1__.inet.0

Active/holddown/hidden 3/0/0

1/0/3

__juniper_private2__ forwarding instance1

forwarding

r1

virtual-router r1.inet.0

r2

1/0/0 virtual-router

r2.inet.0

1/0/0

2. Use the show route forwarding-table command to view the forwarding table information

for each routing instance: user@switch> show route forwarding-table Routing table: r1.inet Internet: Destination Type RtRef Next hop default perm 0 0.0.0.0/32 perm 0 103.1.1.0/24 ifdn 0 103.1.1.0/32 iddn 0 103.1.1.0 103.1.1.1/32 user 0 103.1.1.1/32 intf 0 103.1.1.1 103.1.1.1/32 iddn 0 103.1.1.1 103.1.1.255/32 iddn 0 103.1.1.255 224.0.0.0/4 perm 0 224.0.0.1/32 perm 0 224.0.0.1 255.255.255.255/32 perm 0


Type Index NhRef Netif rjct 539 2 dscd 537 1 rslv 579 1 ge-0/0/3.0 recv 577 1 ge-0/0/3.0 rjct 539 2 locl 578 2 locl 578 2 bcst 576 1 ge-0/0/3.0 mdsc 538 1 mcst 534 1 bcst 535 1

2249

®


Meaning


The output confirms that the virtual routing instances are created and the links are up and displays the routing table information.

•


•


Verifying That Q-in-Q Tunneling Is Working Purpose Action

After creating a Q-in-Q VLAN, verify that it is set up properly. 1.

Use the show configuration vlans command to determine if you successfully created the primary and secondary VLAN configurations: user@switch> show configuration vlans svlan { vlan-id 300; dot1q-tunneling { customer-vlans [ 101–200 ]; } }

2. Use the show vlans command to view VLAN information and link status: user@switch> show vlans s-vlan-name extensive VLAN: svlan, Created at: Thu Oct 23 16:53:20 2008 802.1Q Tag: 300, Internal index: 2, Admin State: Enabled, Origin: Static Dot1q Tunneling Status: Enabled Customer VLAN ranges: 101–200 Protocol: Port Mode Number of interfaces: Tagged 1 (Active = 0), Untagged 1 (Active = 0) xe-0/0/1, tagged, trunk xe-0/0/2, untagged, access

Meaning


The output confirms that Q-in-Q tunnling is enabled and that the VLAN is tagged, and lists the customer VLANs that are associated with the tagged VLAN.

•


•


Verifying That a Private VLAN Is Working Purpose Action

After creating and configuring private VLANs (PVLANs), verify that they are set up properly. 1.

To determine whether you successfully created the primary and secondary VLAN configurations: •

For a PVLAN on a single switch, use the show configuration vlans command: user@switch> show configuration vlans

2250



community1 { interface { interface a; interface b; } primary-vlan pvlan; } community2 { interface { interface d; interface e; } primary-vlan pvlan; } pvlan { vlan-id 1000; interface { isolated1; isolated2; trunk1; trunk2; } no-local-switching; } •

For a PVLAN spanning multiple switches, use the show vlans extensive command: user@switch> show vlans extensive VLAN: COM1, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 100, Internal index: 3, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/7.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/0.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access

VLAN: __pvlan_primary_ge-0/0/2.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/2.0, untagged, access

VLAN: __pvlan_primary_isiv__, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static


2251

®


Private VLAN Mode: Inter-switch-isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 0 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk

VLAN: community2, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 20, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 2 (Active = 2) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, untagged, access ge-1/0/6.0*, untagged, access

VLAN: primary, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 10, Internal index: 2, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 5 (Active = 4) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access ge-0/0/1.0*, untagged, access ge-0/0/2.0, untagged, access ge-0/0/7.0*, untagged, access ge-1/0/6.0*, untagged, access Secondary VLANs: Isolated 2, Community Isolated VLANs : __pvlan_primary_ge-0/0/0.0__ __pvlan_primary_ge-0/0/2.0__ Community VLANs : COM1 community2 Inter-switch-isolated VLAN : __pvlan_primary_isiv__

2, Inter-switch-isolated

1

2. Use the show vlans extensive command to view VLAN information and link status for

a PVLAN on a single switch or for a PVLAN spanning multiple switches. •

For a PVLAN on a single switch: user@switch> show vlans pvlan extensive VLAN: pvlan, Created at: time 802.1Q Tag: vlan-id, Internal index: index-number, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) trunk1, tagged, trunk interface a, untagged, access interface b, untagged, access interface c, untagged, access

2252



interface d, untagged, access interface e, untagged, access interface f, untagged, access trunk2, tagged, trunk Secondary VLANs: Isolated 2, Community Isolated VLANs : __pvlan_pvlan_isolated1__ __pvlan_pvlan_isolated2__ Community VLANs : community1 community2 •

2

For a PVLAN spanning multiple switches: user@switch> show vlans extensive VLAN: COM1, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 100, Internal index: 3, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/7.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/0.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access

VLAN: __pvlan_primary_ge-0/0/2.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/2.0, untagged, access

VLAN: __pvlan_primary_isiv__, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 0 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk

VLAN: community2, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 20, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 2 (Active = 2)


2253

®


ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, untagged, access ge-1/0/6.0*, untagged, access



1

3. Use the show ethernet-switching table command to view logs for MAC learning on the

VLANs: user@switch> show ethernet-switching table Ethernet-switching table: 8 entries, 1 learned

2254

VLAN

MAC address

Type

Age Interfaces

default

*

Flood

- All-members

pvlan

*

Flood

- All-members

pvlan

MAC1

Replicated

- interface a

pvlan

MAC2

Replicated

- interface c

pvlan

MAC3

Replicated

- isolated2

pvlan

MAC4

Learn

0 trunk1

__pvlan_pvlan_isolated1__ *

Flood

- All-members

__pvlan_pvlan_isolated1__ MAC4

Replicated

- trunk1

__pvlan_pvlan_isolated2__ *

Flood

- All-members


Learn

0 isolated2


Replicated

- trunk1



community1

*

Flood

- All-members

community1

MAC1

Learn

0 interface a

community1

MAC4

Replicated

- trunk1

community2

*

Flood

- All-members

community2

MAC2

Learn

0 interface c

community2

MAC4

Replicated

- trunk1

NOTE: If you have configured a PVLAN spanning multiple switches, you can use the same command on all the switches to check the logs for MAC learning on those switches.

Meaning

In the output displays for a PVLAN on a single switch, you can see that the primary VLAN contains two community domains (community1 and community2), two isolated ports, and two trunk ports. The PVLAN on a single switch has only one tag (1000), which is for the primary VLAN. The PVLAN that spans multiple switches contains multiple tags: •

The community domain COM1 is identified with tag 100.

•

The community domain community2 is identified with tag 20.

•

The interswitch isolated domain is identified with tag 50.

•

The primary VLAN primary is identified with tag 10.

Also, for the PVLAN that spans multiple switches, the trunk interfaces are identified as pvlan-trunk.


•


•


•

Creating a Private VLAN on a Single Switch

•

Creating a Private VLAN Spanning Multiple Switches

Monitoring Ethernet Switching Purpose

Use the monitoring feature to view details that the EX Series switch maintains in its Ethernet switching table. These are details about the nodes on the LAN such as VLAN name, VLAN ID, member interfaces, MAC addresses, and so on.


2255

®


Action

To display Ethernet switching details in the J-Web interface, select Monitor > Switching > Ethernet Switching. To view Ethernet switching details in the CLI, enter the following commands:

Meaning

•

show ethernet-switching table

•

show vlans

•


Table 257 on page 2256 summarizes the Ethernet switching output fields.

Table 257: Ethernet Switching Output Fields Field

Value

Ethernet Switching Table Information MAC Table Count

The number of entries added to the Ethernet switching table.

MAC Table Learned

The number of dynamically learned MAC addresses in the Ethernet switching table.

Ethernet Switching Table Information VLAN

The VLAN name.

MAC Address

The MAC address associated with the VLAN. If a VLAN range has been configured for a VLAN, the output displays the MAC addresses for the entire series of VLANs that were created with that name.

Type

The type of MAC address. Values are: •

static—The MAC address is manually created.

•

learn—The MAC address is learned dynamically from a packet's source MAC address.

•

flood—The MAC address is unknown and flooded to all members.

Age

The time remaining before the entry ages out and is removed from the Ethernet switching table.

Interfaces

The associated interfaces.

MAC Learning Log VLAN-Name

The VLAN name.

MAC Address

The learned MAC address associated with the VLAN ID.

Time

Timestamp for the time at which when the MAC address was added or deleted from the MAC learning log.

State

Operating state of the interface. Values are Up and Down.

2256




•


•


Verifying That MVRP Is Working Correctly Purpose

Action

After configuring your EX Series switch to participate in MVRP, verify that the configuration is properly set and that MVRP messages are being sent and received on your switch. 1.

Confirm that MVRP is enabled on your switch. user@switch> show mvrp Global MVRP configuration MVRP status : Enabled MVRP dynamic vlan creation: Enabled MVRP Timers (ms): Interface Join Leave LeaveAll ---------------------------all 200 600 10000 xe-0/1/1.0 200 600 10000 Interface based configuration: Interface Status Registration Dynamic VLAN Creation ---------------------------------------------------all Disabled Fixed Enabled xe-0/1/1.0 Enabled Normal Enabled

2. Confirm that MVRP messages are being sent and received on your switch. user@switch> show mvrp statistics interface xe-0/1/1.0 MVRP statistics MRPDU received : 3342 Invalid PDU received : 0 New received : 2 Join Empty received : 1116 Join In received : 2219 Empty received : 2 In received : 2 Leave received : 1 LeaveAll received : 1117 MRPDU transmitted : 3280 MRPDU transmit failures : 0 New transmitted : 0 Join Empty transmitted : 1114 Join In transmitted : 2163 Empty transmitted : 1 In transmitted : 1 Leave transmitted : 1 LeaveAll transmitted : 1111

Meaning

The output of show mvrp shows that interface xe-0/1/1.0 is enabled for MVRP participation as shown in the status in the Interface based configuration field. The output for show mvrp statistics interface xe-0/1/1.0 confirms that MVRP messages are being transmitted and received on the interface.


2257

®


NOTE: You can identify an MVRP compatibility issue by looking at the output from this command. If Join Empty received and Join In received incorrectly display zero, even though the value for MRPDU received has been increased, you are probably running different versions of Junos OS, including Release 11.3, on the switches in this network. Another indication that MVRP is having a version problem is that unexpected VLAN activity, such as multiple VLAN creation, takes place on the switch running the earlier release version. To remedy these problems, see “Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure)” on page 2233.


•


•


Verifying That MAC Notification Is Working Properly Purpose

Verify that MAC notification is enabled or disabled, and that the MAC notification interval is set to the specified value.

Action

Verify that MAC notification is enabled while also verifying the MAC notification interval setting. user@switch> show ethernet-switching mac-notification Notification Status: Enabled Notification Interval: 30

Meaning

The output in the Notification Status field shows that MAC notification is enabled. The output in the Notification Status field would display Disabled if MAC notification was disabled. The Notification Interval field output shows that the MAC notification interval is set to 30 seconds.


•


Verifying That Proxy ARP Is Working Correctly Purpose Action

Verify that the switch is sending proxy ARP messages. List the system statistics for ARP: user@switch> show system statistics arp arp: 198319 datagrams received 45 ARP requests received 12 ARP replies received 2 resolution requests received

2258



2 unrestricted proxy requests 0 restricted proxy requests 0 received proxy requests 0 proxy requests not proxied 0 restricted-proxy requests not proxied 0 with bogus interface 0 with incorrect length 0 for non-IP protocol 0 with unsupported op code 0 with bad protocol address length 0 with bad hardware address length 0 with multicast source address 0 with multicast target address 0 with my own hardware address 168705 for an address not on the interface 0 with a broadcast source address 0 with source address duplicate to mine 29555 which were not for me 0 packets discarded waiting for resolution 4 packets sent after waiting for resolution 27 ARP requests sent 47 ARP replies sent 0 requests for memory denied 0 requests dropped on entry 0 requests dropped during retry 0 requests dropped due to interface deletion 0 requests on unnumbered interfaces 0 new requests on unnumbered interfaces 0 replies for from unnumbered interfaces 0 requests on unnumbered interface with non-subnetted donor 0 replies from unnumbered interface with non-subnetted donor

Meaning


The statistics show that two proxy ARP requests were received, and the proxy requests not proxied field indicates that all the unproxied ARP requests received have been proxied by the switch.

•



2259

®


2260


CHAPTER 67

Troubleshooting Ethernet Switching Configuration •

Troubleshooting Ethernet Switching on page 2261

Troubleshooting Ethernet Switching Troubleshooting issues for Ethernet switching on EX Series switches: •

MAC Address in the Switch’s Ethernet Switching Table Is Not Updated After a MAC Address Move on page 2261

MAC Address in the Switch’s Ethernet Switching Table Is Not Updated After a MAC Address Move Problem

Sometimes a MAC address entry in the switch’s Ethernet switching table is not updated after the device with that MAC address has been moved from one interface to another on the switch. Typically, the switch does not wait for a MAC address expiration when a MAC move operation occurs. As soon as the switch detects the MAC address on the new interface, it immediately updates the table. Many network devices send a gratuitous ARP packet when switching an IP address from one device to another. The switch updates its ARP cache table after receipt of such gratuitous ARP messages, and then it also updates its Ethernet switching table. However, sometimes silent devices, such as SYSLOG servers or SNMP Trap receivers that receive UDP traffic but do not return acknowledgement (ACK ) messages to the traffic source, do not send gratuitous ARP packets when a device moves. If such a move occurs when the system administrator is not available to explicitly clear the affected interfaces by issuing the clear ethernet-switching table command, the entry for the moved device in the Ethernet switching table is not updated.

Solution

Set up the switch to handle unattended MAC address switchovers. 1.

Reduce the system-wide ARP aging timer. (By default, the ARP aging timer is set at 20 minutes. In Junos OS Release 9.4 and later, the range of the ARP aging timer is from 1 through 240 minutes.) [edit system arp] user@switch# set aging-timer 3

2. Set the MAC aging timer to the same value as the ARP timer. (By default, the MAC

aging timer is set to 300 seconds. The range is 15 to 1,000,000 seconds.)


2261

®


[edit vlans] user@switch# set vlans sales mac-table-aging-time 180

The ARP entry and the MAC address entry for the moved device expire within the times specified by the aging timer values. After the entries expire, the switch sends a new ARP message to the IP address of the device. The device responds to the ARP, thereby refreshing the entries in the switch’s ARP cache table and Ethernet switching table


2262

•

arp (System) on page 270

•

mac-table-aging-time on page 2313


CHAPTER 68

Configuration Statements for Ethernet Switching •


•


•


•

[edit routing-instances] Configuration Hierarchy on page 2280

•

[edit vlans] Configuration Statement Hierarchy on page 2280

[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100);


2263

®


} interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); } mac-notification { notification-interval seconds; } mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary; } interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; }

2264


Chapter 68: Configuration Statements for Ethernet Switching

vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


•


•


•



2265

®


•


•


•


•


•


•


•


•


•


[edit interfaces] Configuration Statement Hierarchy interfaces { aex { accounting-profile name; aggregated-ether-options { (flow-control | no-flow-control); lacp { (active | passive); admin-key key; periodic interval; system-id mac-address; } (link-protection | no-link-protection); link-speed speed; (loopback | no-loopback); minimum-links number; } description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging;

2266



} ge-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; media-type (Dual-Purpose Uplink Ports); mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } interface-range name { accounting-profile name; description text; disable; ether-options { 802.3ad { aex;


2267

®


(backup | primary); lacp { force-up; } } (auto-negotiation | no-auto-negotiation); (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); speed (auto-negotiation | speed); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; member interface-name; member-range starting-interface name to ending-interface name; mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } lo0 { accounting-profile name; description text; disable; hold-time up milliseconds down milliseconds; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable;

2268



family family-name {...} (traps | no-traps); } } me0 { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } vlan { accounting-profile name; description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); } } traceoptions { file ; flag flag ; no-remote-trace; } vme { accounting-profile name;


2269

®


description text; disable; (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name; bandwidth rate; description text; disable; family family-name {...} (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } xe-fpc/pic/port { accounting-profile name; description text; disable; ether-options { 802.3ad { aex; (backup | primary); lacp { force-up; } } (flow-control | no-flow-control); link-mode mode; (loopback | no-loopback); } (gratuitous-arp-reply | no-gratuitous-arp-reply); hold-time up milliseconds down milliseconds; mtu bytes; no-gratuitous-arp-request; optics-options { alarm low–light–alarm { (link-down | syslog); } warning low–light–warning { (link-down | syslog); } wavelength nm; } traceoptions { flag flag; } (traps | no-traps); unit logical-unit-number { accounting-profile name;

2270



bandwidth rate; description text; disable; family family-name {...} proxy-arp (restricted | unrestricted); (traps | no-traps); vlan-id (Layer 3 Subinterfaces) vlan-id-number; } vlan-tagging; } }


•


•


•


•


•


•


•


•


[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; } } dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) {


2271

®


data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send); } } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } }

2272



} } } } mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf;


2273

®


no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority;

2274



configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; disable; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management {


2275

®


action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable; calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count;

2276



symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name {


2277

®


disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number; ingress number; } source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name; } } } traceoptions (Uplink Failure Detection) { file filename ;

2278



flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }


•


•


•


•


•


•


•


•


•


•



2279

®


•


•


•


•


•


•


•


[edit routing-instances] Configuration Hierarchy routing-instances routing-instance-name { instance-type virtual-router interface (Routing Instances) interface-name }


•


•


[edit vlans] Configuration Statement Hierarchy vlans { vlan-name { description (VLANs) text-description; dot1q-tunneling (VLANs) { customer-vlans (id | native | range); layer2-protocol-tunneling all | protocol-name { drop-threshold number; shutdown-threshold number; } } filter (VLANs); input filter-name output filter-name } interface (VLANs) interface-name { egress; ingress (vlans); mapping (native (push | swap) | policy | tag (push | swap)); pvlan-trunk; } isolation-id id-number; l3-interface (VLANs) vlan.logical-interface-number; l3-interface-ingress-counting layer-3-interface-name; mac-limit (VLANs) limit action action;

2280



mac-table-aging-time seconds; no-local-switching; no-mac-learning (Q-in-Q VLANs); primary-vlan vlan-name; vlan-id (802.1Q Tagging) number; vlan-range vlan-id-low-vlan-id-high; } }


•


•


•


•


•


•


•


arp Syntax


arp { aging-timer minutes; } [edit system]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the time interval between ARP updates. aging-timer minutes—Time interval in minutes between ARP updates. In environments

where the number of ARP entries to update is high, increasing the time between updates can improve system performance. Range: 5 to 240 minutes Default: 20 minutes Required Privilege Level Related Documentation


For more information about ARP updates, see the Junos OS System Basics Configuration Guide .


2281

®


control-channel Syntax


control-channel channel-name { vlan vlan-id; } [edit protocols protection-group ethernet-ring name (east-interface | west-interface)]


Description

Configure the Ethernet RPS control channel logical interface to carry the RAPS PDU. The related physical interface is the physical ring port.

Options

vlan vlan-id—If the control channel logical interface is a trunk port, then a dedicated vlan vlan-id defines the dedicated VLAN channel to carry the RAPS traffic. Only configure

the vlan-id when the control channel logical interface is the trunk port. Required Privilege Level Related Documentation

2282



•


•




control-vlan Syntax Hierarchy Level

control-vlan (vlan-id | vlan-name) [edit protocols protection-group ethernet-ring] [edit protocols protection-group ethernet-ring name (east-interface |west-interface)]

Release Information

Description


Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the VLAN that carries the protocol data units (PDUs) between the nodes in the protected Ethernet ring. This is a control VLAN, meaning that it carries data for one instance of an Ethernet ring protection switching (ERPS) in the control channel. Use a control VLAN on trunk port interfaces. One control channel can contain multiple control VLANs. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•



2283

®


customer-vlans Syntax Hierarchy Level Release Information

Description Options

customer-vlans (id | native | range); [edit vlans vlan-name dot1q-tunneling]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Option native introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Limit the set of accepted C-VLAN tags to a range or to discrete values. id—Numeric identifier for a VLAN. native—Accepts untagged and priority-tagged packets from access interfaces and assigns

the configured S-VLAN to the packet. range—Range of numeric identifiers for VLANs.


2284


dot1q-tunneling (Ethernet Switching) on page 2287

•

ether-type on page 2292

•


•


•


•

Configuring Q-in-Q Tunneling

•

Example: Setting Up Q-in-Q Tunneling

•


•

ether-type



data-channel Syntax


Description

data-channel { vlan number; } [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 10.2. Statement introduced in Junos OS Release 12.1 for EX Series switches. For Ethernet ring protection, configure a data channel to define a set of VLAN IDs that belong to a ring instance. VLANs specified in the data channel use the same topology used by the ERPS PDU in the control channel. Therefore, if a ring interface is blocked in the control channel, all traffic in the data channel is also blocked on that interface.


vlan number—Specify (by VLAN ID) one or more VLANs that belong to a ring instance.


Ethernet Ring Protection Using Ring Instances for Load Balancing

•

Example: Configuring Load Balancing Within Ethernet Ring Protection for MX Series Routers

•



2285

®



description text-description; [edit vlans vlan-name]

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches. Option text-description enhanced from supporting up to 128 characters to supporting up to 256 characters in Junos OS Release 10.2 for EX Series switches.

Description

Provide a textual description of the VLAN. The text has no effect on the operation of the VLAN or switch.

Options

text-description—Text to describe the interface. It can contain letters, numbers, and

hyphens (-) and can be up to 256 characters long. If the text includes spaces, enclose the entire text in quotation marks. Required Privilege Level Related Documentation



•


•


disable (MVRP) Syntax Hierarchy Level

Release Information Description Default Required Privilege Level Related Documentation

2286

disable; [edit protocols mvrp], [edit protocols mvrp interface(all | interface-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Disable the MVRP configuration on the interface. MVRP is disabled by default. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •




dot1q-tunneling (Ethernet Switching) Syntax


Description

dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100); } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Set a global value for the EtherType for Q-in-Q tunneling. The remaining statement is explained separately.



dot1q-tunneling on page 2288

•


•


•


•


•

dot1q-tunneling on page 2288


2287

®


dot1q-tunneling (VLANs) Syntax


Description

dot1q-tunneling { customer-vlans (id | native | range); layer2-protocol-tunneling all | protocol-name { drop-threshold number; shutdown-threshold number; } } [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Option native introduced in Junos OS Release 9.6 for EX Series switches. Options layer2-protocol-tunneling, drop-threshold, and shutdown-threshold introduced in Junos OS Release 10.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable Q-in-Q tunneling on the specified VLAN.

NOTE: •

The VLAN on which you enable Q-in-Q tunneling must be a tagged VLAN.

•

You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.


2288



•


•


•


•

Configuring Layer 2 Protocol Tunneling

•




drop-threshold Syntax Hierarchy Level Release Information

Description

drop-threshold number; [edit vlans vlan-name dot1q-tunneling layer2-protocol-tunneling (all | protocol-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the switch begins dropping the Layer 2 PDUs. The drop threshold value must be less than or equal to the shutdown threshold value. L2PT processing is done by the CPU, and L2PT traffic to the CPU is rate-limited to a maximum of 1000 pps. If traffic is received at a rate faster than this limit, the rate limit causes the traffic to be dropped before it hits the threshold and the dropped packets are not reported in L2PT statistics. This can also occur if you configure a drop threshold that is less than 1000 pps but traffic is received at a faster rate. For example, if you configure a drop threshold of 900 pps and the VLAN receives traffic at rate of 1100 pps, L2PT statistics will show that 100 packets were dropped. The 100 packets dropped because of the rate limit will not be reported. Similarly, if you do not configure a drop threshold and the VLAN receives traffic at rate of 1100 pps, the 100 packets dropped because of the rate limit are not reported.

NOTE: If the drop threshold value is greater than the shutdown threshold value and you try to commit the configuration, the commit operation fails.

You can specify a drop threshold value without specifying a shutdown threshold value. Default Options

No drop threshold is specified. number—Maximum number of Layer 2 PDUs of the specified protocol that can be received

per second on the interfaces in a specified VLAN before the switch begins dropping the Layer 2 PDUs. Range: 1 through 1000 Required Privilege Level Related Documentation



•


•


•

shutdown-threshold on page 2332


2289

®


east-interface Syntax


Description

east-interface { node-id mac-address; control-channel channel-name { interface-none ring-protection-link-end; } [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Define one of the two interface ports for Ethernet ring protection, the other being defined by the west-interface statement at the same hierarchy level. The interface must use the control channel's logical interface name. The control channel is a dedicated VLAN channel for the ring port. EX Series switches do not use the node-id statement--the node ID is automatically configured on the switches using the MAC address.

NOTE: Always configure this port first, before configuring the west-interface statement.

NOTE: The Node ID is not configurable on EX Series switches. The node ID is automatically configured using the MAC address.

The statements are explained separately. Required Privilege Level Related Documentation

2290



•


•

west-interface on page 2344

•

ethernet-ring on page 2293

•


•




edge-virtual-bridging Syntax


edge-virtual-bridging { traceoptions { file filename ; flag flag ; } vsi-discovery { interface interface-name vsi-policy vsi-policy-name } } [edit protocols]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure edge virtual bridging (EVB). EVB enables a virtualized station (a physical end station, a server, connected to virtual machines (VMs)) to network with an adjacent switch so that applications residing on the virtual machines can interact with each other and external networks through a technology called virtual Ethernet packet aggregator (VEPA). The remaining statements are explained separately.


EVB is disabled by default. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•



2291

®


ether-type Syntax Hierarchy Level Release Information Description


2292

ether-type (0x8100 | 0x88a8 | 0x9100) [edit ethernet-switching-options dot1q-tunneling]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure a global value for the Ethertype. Only one Ethertype value is supported at a time. The Ethertype value appears in the Ethernet type field of the packet. It specifies the protocol being transported in the Ethernet frame. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

dot1q-tunneling (VLANs) on page 2288

•


•




ethernet-ring Syntax


Description

Options

ethernet-ring ring-name { control-vlan (vlan-id | vlan-name); data-channel { vlan number } east-interface { control-channel channel-name { vlan number; } } guard-interval number; node-id mac-address; restore-interval number; ring-protection-link-owner; west-interface { control-channel channel-name { vlan number; } } } [edit protocols protection-group]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. For Ethernet PICs on MX Series routers or for EX Series switches, , specify the Ethernet ring in an Ethernet ring protection switching configuration. ring-name—Name of the Ethernet protection ring. The remaining statements are explained separately.




•


•



2293

®


ethernet-switching-options Syntax

2294

ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); } mac-notification { notification-interval seconds; } mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group (Redundant Trunk Groups) name { interface (Redundant Trunk Groups) interface-name ; interface (Redundant Trunk Groups) interface-name; } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; }



interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast;


2295

®


} } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


[edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Ethernet switching options. The remaining statements are explained separately.


2296



•


•


•


•


•


•


•


•


•


•




filter Syntax Hierarchy Level Release Information Description Default

Options


filter (input | output) filter-name; [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply a firewall filter to traffic coming into or exiting from the VLAN. All incoming traffic is accepted unmodified to the VLAN, and all outgoing traffic is sent unmodified from the VLAN. filter-name —Name of a firewall filter defined in a filter statement. •

input—Apply a firewall filter to VLAN ingress traffic.

•

output—Apply a firewall filter to VLAN egress traffic.



•


•

Configuring Firewall Filters (J-Web Procedure) on page 4331

•



2297

®


group Syntax


group name { interface (Redundant Trunk Groups) interface-name ; interface (Redundant Trunk Groups) interface-name; } [edit ethernet-switching-options redundant-trunk-group]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a redundant trunk group. name—The name of the redundant trunk group. The group name must start with a letter

and can consist of letters, numbers, dashes, and underscores. The remaining options are explained separately. Required Privilege Level Related Documentation

2298

system—To view this statement in the configuration. system–control—To add this statement to the configuration. •


•




guard-interval Syntax Hierarchy Level Release Information

Description

Options

guard-interval number; [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. When a link goes down, the ring protection link (RPL) activates. When the downed link comes back up, the RPL link receives notification, restores the link, and waits for the restore interval before issuing another block on the same link. This configuration is a global configuration and applies to all Ethernet rings if the Ethernet ring does not have a more specific configuration for this value. If no parameter is configured at the protection group level, the global configuration of this parameter uses the default value. number—Guard timer interval, in milliseconds.

Range: 10 through 2000 ms Default: 500 ms Required Privilege Level Related Documentation



•


•



2299

®


instance-type Syntax Hierarchy Level

Release Information

Description Options

instance-type type; [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit routing-instances routing-instance-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.2 for EX Series switches. Define the type of routing instance. type—Can be one of the following: •

l2vpn—Enable a Layer 2 VPN on the routing instance. You must configure the interface, route-distinguisher, vrf-import, and vrf-export statements for this type of routing

instance. •

virtual-router—Enable a virtual router routing instance. You must configure the interface

statement for this type of routing instance. You do not need to configure the route-distinguisher, vrf-import, and vrf-export statements. •

vpls—Enable VPLS on the routing instance. You must configure the interface, route-distinguisher, vrf-import, and vrf-export statements for this type of routing

instance. •

vrf—VPN routing and forwarding (VRF) instance. Required to create a Layer 3 VPN.

Create a VRF table (instance-name.inet.0) that contains the routes originating from and destined for a particular Layer 3 VPN. You must configure the interface, route-distinguisher, vrf-import, and vrf-export statements for this type of routing instance. Required Privilege Level Related Documentation

2300



•

Configuring Routing Instances on PE Routers in VPNs

•




interface (MVRP) Syntax

Hierarchy Level Release Information Description Default Options

interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } [edit protocols mvrp]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specify interfaces on which to configure Multiple VLAN Registration Protocol (MVRP). By default, MVRP is disabled. all—All interfaces on the switch. interface-name—Names of interface to be configured for MVRP.




•



2301

®


interface Syntax


Options

interface interface-name ; interface interface-name; [edit ethernet-switching-options redundant-trunk-group group name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over as the primary link without waiting for normal STP convergence. interface interface-name—A logical interface or an aggregated interface containing multiple

ports. primary—(Optional) Specify one of the interfaces in the redundant group as the primary

link. The interface without this option is the secondary link in the redundant group. If a link is not specified as primary, the software compares the two links and selects the link with the highest port number as the active link. For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link. Required Privilege Level Related Documentation

2302



•




interface Syntax Hierarchy Level

Release Information

Description


interface interface-name; [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit routing-instances routing-instance-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.2 for EX Series switches. Interface over which the VPN traffic travels between the PE router or switch and customer edge (CE) router or switch. You configure the interface on the PE router or switch. If the value vrf is specified for the instance-type statement included in the routing instance configuration, this statement is required. interface-name—Name of the interface.


instance-type on page 2300

•



2303

®


interface Syntax


interface interface-name { egress; ingress (vlans); mapping (native (push | swap) | policy | tag (push | swap)); pvlan-trunk; } [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. For a specific VLAN, configure an interface. interface-name—Name of a Gigabit Ethernet interface.




•


•


•


interfaces Syntax


interfaces interface-name { no-mac-learning (Q-in-Q Interfaces); } [edit ethernet-switching-options]


Description

Configure settings for interfaces that have been assigned to family ethernet-switching.

Options

interface-name --Name of an interface that is configured for family ethernet-switching.


2304





join-timer (MVRP) Syntax Hierarchy Level Release Information Description

join-timer milliseconds; [edit protocols mvrp interface (all | interface-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure the maximum number of milliseconds interfaces must wait before sending Multiple VLAN Registration Protocol (MVRP) protocol data units (PDUs). Maintain default timer settings unless there is a compelling reason to change the settings. Modifying timers to inappropriate values might cause an imbalance in the operation of MVRP.

Default Options

200 milliseconds milliseconds—Number of milliseconds that the interface must wait before sending MVRP

PDUs. Required Privilege Level Related Documentation


leave-timer on page 2309

•

leaveall-timer on page 2310

•


•



2305

®


l3-interface Syntax


Default Options

l3-interface vlan.logical-interface-number { l3-interface-ingress-counting; } [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk ports to allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed. No Layer 3 (routing) interface is associated with the VLAN. vlan.logical-interface-number—Number of the logical interface defined with a set interfaces vlan unit command. For the logical interface number, use the same number you

configure in the unit statement. The remaining statement is explained separately. Required Privilege Level Related Documentation

2306



•


•




layer2-protocol-tunneling Syntax


Description

layer2-protocol-tunneling all | protocol-name { drop-threshold number; shutdown-threshold number; } [edit vlans vlan-name dot1q-tunneling]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable Layer 2 protocol tunneling (L2PT) on the VLAN. The remaining statements are explained separately.

Default Options

L2PT is not enabled. all—Enable all supported Layer 2 protocols. protocol-name—Name of the Layer 2 protocol. Values are: •

802.1x—IEEE 802.1X authentication

•

802.3ah—IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault

management (LFM)

NOTE: If you enable L2PT for untagged OAM LFM packets, do not configure LFM on the corresponding access interface.

•

cdp—Cisco Discovery Protocol

•

e-lmi—Ethernet local management interface

•

gvrp—GARP VLAN Registration Protocol

•

lacp—Link Aggregation Control Protocol

NOTE: If you enable L2PT for untagged LACP packets, do not configure LACP on the corresponding access interface.

•

lldp—Link Layer Discovery Protocol

•

mmrp—Multiple MAC Registration Protocol

•

mvrp—Multiple VLAN Registration Protocol

•

stp—Spanning Tree Protocol, Rapid Spanning Tree Protocol, and Multiple Spanning

Tree Protocol


2307

®



2308

•

udld—Unidirectional Link Detection (UDLD)

•

vstp—VLAN Spanning Tree Protocol

•

vtp—VLAN Trunking Protocol


show ethernet-switching layer2-protocol-tunneling interface on page 2359

•

show ethernet-switching layer2-protocol-tunneling statistics on page 2361

•

show ethernet-switching layer2-protocol-tunneling vlan on page 2364

•


•


•




leave-timer (MVRP) Syntax Hierarchy Level Release Information Description

leave-timer milliseconds; [edit protocols mvrp interface (all | interface-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. For Multiple VLAN Registration Protocol (MVRP), configure the number of milliseconds the switch retains a VLAN in the Leave state before the VLAN is unregistered. If the interface receives a join message before this timer expires, the VLAN remains registered. Maintain default timer settings unless there is a compelling reason to change the settings. Modifying timers to inappropriate values might cause an imbalance in the operation of MVRP.

Default Options

1000 milliseconds milliseconds—Number of milliseconds that the switch retains a VLAN in the Leave state

before the VLAN is unregistered. At a minimum, set the leave-timer interval at twice the join-timer interval. Required Privilege Level Related Documentation


join-timer on page 2305

•

leaveall-timer on page 2310

•


•



2309

®


leaveall-timer (MVRP) Syntax Hierarchy Level Release Information Description

leaveall-timer milliseconds; [edit protocols mvrp interface (all | interface-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. For Multiple VLAN Registration Protocol (MVRP), configure the interval at which the LeaveAll state operates on the interface. Maintain default timer settings unless there is a compelling reason to change the settings. Modifying timers to inappropriate values might cause an imbalance in the operation of MVRP.


10000 milliseconds milliseconds—Number of milliseconds between the sending of Leave All messages.


join-timer on page 2305

•

leave-timer on page 2309

•


•


mac Syntax

Hierarchy Level Description

mac mac-address { next-hop interface-name; } [edit ethernet-switching-options static vlan vlan-name]

Specify the MAC address to add to the Ethernet switching table. The remaining statement is explained separately.


2310

mac-address—MAC address


Adding a Static MAC Address Entry to the Ethernet Switching Table on page 2240



mac-limit Syntax Hierarchy Level Release Information Description

mac-limit limit action action; [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the number of MAC addresses to be associated with a VLAN—the default is unlimited, which can leave the network vulnerable to flooding. Change unlimited to any number from 2 to the switch’s maximum VLAN MAC limit. The maximum number of MAC addresses allowed in a switching table per VLAN varies depending on the EX Series switch. To see the maximum number of MAC addresses per VLAN allowed on your switch, issue the set vlans vlan-name mac-limit ? configuration-mode command.

NOTE: Do not set the mac-limit value to 1. The first learned MAC address is often inserted into the forwarding database automatically—for instance, for a routed VLAN interface (RVI), the first MAC address inserted into the forwarding database is the MAC address of the RVI. For aggregated Ethernet bundles (LAGs) using LACP, the first MAC address inserted into the forwarding database in the Ethernet switching table is the source address of the protocol packet. In these cases, the switch does not learn MAC addresses other than the automatic address when mac-limit is set to 1, and this causes problems with MAC learning and forwarding.

When the MAC limit set by this statement is reached, no more MAC addresses are added to the Ethernet switching table. You can also, optionally, have a system log entry generated when the limit is exceeded by adding the option action log.

NOTE: When you reconfigure the number of MAC addresses, the Ethernet switching table is not automatically cleared. Therefore, if you reduce the number of addresses from the default (unlimited) or a previously set limit, you could already have more entries in the table than the new limit allows. Previous entries remain in the table after you reduce the number of addresses, so you should clear the Ethernet switching table for a specified interface, MAC address, or VLAN when you reduce the MAC limit. Use the command clear ethernet-switching table to clear existing MAC addresses from the table before using the mac-limit configuration statement.

Default

The MAC limit is disabled, so entries are unlimited.

Options

limit—Maximum number of MAC addresses. Range: 1 through switch maximum


2311

®


action—Log is the only action available. Configure action log to add a message to the system log when the mac-limit value is exceeded. A typical logged message looks like this: May 5 06:18:31 bmp-199p1-dev edwd[5665]: ESWD_VLAN_MAC_LIMIT_EXCEEDED: vlan default mac 00:1f:12:37:af:5b (tag 40). vlan limit exceeded




•


mac-notification Syntax


mac-notification { notification-interval seconds; } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Enable MAC notification for a switch. If you configure this statement without setting a notification interval, MAC notification is enabled with the default MAC notification interval of 30 seconds. The remaining statement is explained separately.


2312

MAC notification is disabled by default. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •




mac-table-aging-time Syntax Hierarchy Level

Release Information

Description

mac-table-aging-time (seconds | unlimited); [edit ethernet-switching-options], [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to include [edit ethernet-switching-options] hierarchy level. You configure how long MAC addresses remain in the Ethernet switching table using the mac-table-aging-time statement in either the [edit ethernet-switching-options] or the vlans hierarchy, depending on whether you want to configure it for the entire switch or only for specific VLANs. If you specify the time as unlimited, entries are never removed from the table. Generally, use this setting only if the switch or the VLAN has a fairly static number of end devices; otherwise the table will eventually fill up. You can use this setting to minimize traffic loss and flooding that might occur when traffic arrives for MAC addresses that have been removed from the table.

Default Options

Entries remain in the Ethernet switching table for 300 seconds seconds—Time that entries remain in the Ethernet switching table before being removed.

Range: 60 through 1,000,000 seconds Default: 300 seconds unlimited—Entries remain in the Ethernet switching table.



show ethernet-switching statistics aging on page 2369

•


•


•


•



2313

®


mapping Syntax Hierarchy Level

Release Information

Description

mapping (native (push | swap) | policy | tag (push | swap)); [edit vlans vlan-name interface (VLANs) interface-name egress], [edit vlans vlan-name interface (VLANs) interface-name ingress], [edit vlans vlan-name interface (VLANs) interface-name]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Option swap introduced in Junos OS Release 10.0 for EX Series switches. Map a specific C-VLAN to an S-VLAN. By default, the received incoming or outgoing tag is replaced with the new tag. This statement is also required if you are configuring firewall filters to map traffic from an interface to a VLAN. If you are configuring firewall filters to map traffic from an interface to a VLAN, the mapping policy option must be configured using this command. The firewall filter also has to be configured using the vlan action for a match condition in the firewall filter stanza for firewall filters to map traffic from an interface for a VLAN.

Options

native—Maps untagged and priority-tagged packets to an S-VLAN. policy—Maps the interface to a firewall filter policy to an S-VLAN. push—Retains the incoming tag and add an additional VLAN tag instead of replacing the

original tag. swap—Swaps the incoming VLAN tag with the VLAN ID tag of the S-VLAN. Use of this

option is also referred to as VLAN ID translation. tag—Retains the incoming 802.1Q tag on the interface.


2314



•


•




members Syntax Hierarchy Level

Release Information

Description

members [ (all | names | vlan-ids) ]; [edit interfaces interface-name unit logical-unit-number family ethernet-switching vlan (802.1Q Tagging)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches. For trunk interfaces, configure the VLANs that can carry traffic.



Options

all—Specifies that this trunk interface is a member of all the VLANs that are configured

on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.

NOTE: Since VLAN members are limited, specifying all could cause the number of VLAN members to exceed the limit at some point.

names—Name of one or more VLANs. VLAN IDs are applied automatically in this case.


2315

®


NOTE: all cannot be a VLAN name.

vlan-ids—Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify

a range; for example, 10-20 or 10-20 23 27-30.

NOTE: Each configured VLAN must have a specified VLAN ID to successfully commit the configuration; otherwise, the configuration commit fails.


2316



•


•


•


•


•


•


•


•


•




mvrp Syntax


mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } [edit protocols]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure Multiple VLAN Registration Protocol (MVRP) on a trunk interface to ensure that the VLAN membership information on the trunk interface is updated as the switch’s access interfaces become active or inactive in the configured VLANs.

NOTE: At Junos OS Release 11.3, MVRP was updated to conform to the IEEE standard 802.1ak. This update might result in compatibility issues in mixed release networks. For details, see “Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure)” on page 2233.

The remaining statements are explained separately. Default Required Privilege Level Related Documentation

MVRP is disabled by default. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



2317

®


native-vlan-id Syntax Hierarchy Level Release Information Description Options

native-vlan-id vlan-id; [edit interfaces interface-name unit 0 family ethernet-switching]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the VLAN identifier to associate with untagged packets received on the interface. vlan-id—Numeric identifier of the VLAN.




•


•


•


•


•


next-hop Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Documentation

2318

next-hop interface-name; [edit ethernet-switching-options static vlan vlan-name mac mac-address]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify the next hop for the indicated Ethernet node. interface-name—Name of the next-hop interface.





no-dynamic-vlan Syntax Hierarchy Level Release Information Description

no-dynamic-vlan; [edit protocols mvrp]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Disable the dynamic creation of VLANs using Multiple VLAN Registration Protocol (MVRP) for interfaces participating in MVRP. Dynamic VLAN configuration can be enabled on an interface independent of MVRP. The MVRP dynamic VLAN configuration setting does not override the interface configuration dynamic VLAN configuration setting. If dynamic VLAN creation is disabled on the interface in the interface configuration, no dynamic VLANs are created on the interface, including dynamic VLANs created using MVRP. This option can only be applied globally; it cannot be applied per interface.

Default


If MVRP is enabled, the dynamic creation of VLANs as a result of MVRP protocol exchange messages is enabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


no-local-switching Syntax Hierarchy Level Release Information Description


no-local-switching [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify that access ports in this VLAN domain do not forward packets to each other. You use this statement with primary VLANs and isolated secondary VLANs. system—To view this statement in the configuration. system–control—To add this statement to the configuration. •


•



2319

®


no-mac-learning Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Documentation

no-mac-learning; [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Disables MAC address learning for the specified VLAN. There are no options to this statement. system—To view this statement in the configuration. system–control—To add this statement to the configuration. •


•


no-mac-learning Syntax Hierarchy Level Release Information Description


2320

no-mac-learning; [edit ethernet-switching-options interfaces (Q-in-Q Tunneling) interface-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Disable MAC address learning for the specified interface. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member. There are no options to this statement. routing—To view this statement in the configuration. routing–control—To add this statement to the configuration. •




node-id Syntax Hierarchy Level Release Information Description

node-id mac-address; [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 9.4. For EX Series switches, node-id is not configurable. For MX Series routers, optionally specify the MAC address of a node in the protection group. If this statement is not included, the router assigns the node’s MAC address.




notification-interval Syntax Hierarchy Level Release Information Description

notification-interval seconds; [edit ethernet-switching-options mac-notification]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Configure the MAC notification interval for a switch. The MAC notification interval is the amount of time the switch waits before sending learned or unlearned MAC address SNMP notifications to the network management server. For instance, if the MAC notification interval is set to 10, all of the MAC address addition and removal SNMP notifications will be sent to the network management system every 10 seconds.

Options

seconds—The MAC notification interval, in seconds.





2321

®


port-mode Syntax Hierarchy Level Release Information Description

Default Options

port-mode mode; [edit interfaces interface-name unit logical-unit-number family ethernet-switching]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure whether an interface on the switch operates in access, tagged-access, or trunk mode. All switch interfaces are in access mode. mode—Operating mode for an interface can be one of the following: •

access—In this mode, the interface can be in a single VLAN only. Access interfaces

typically connect to single network devices such as PCs, printers, IP telephones, and IP cameras. •

tagged-access—In this mode, the interface can accept tagged packets from one access

device. Tagged-access interfaces typically connect to servers running Virtual machines using VEPA technology. •

trunk—In this mode, the interface can be in multiple VLANs and accept tagged packets

from multiple devices. Trunk interfaces typically connect to other switches and to routers on the LAN.



2322



•




•


•


preempt-cutover-timer Syntax Hierarchy Level Release Information

preempt-cutover-timer seconds; [edit ethernet-switching-options redundant-trunk-group name name]


Description

Change the length of time that a re-enabled primary link waits to take over from an active secondary link in a redundant trunk group.

Default

If you do not change the time with the preempt-cutover-timer statement, a re-enabled primary link takes over from the active secondary link after 120 seconds.

Options

seconds—Number of seconds that the primary link waits to take over from the active

secondary link. Required Privilege Level Related Documentation



•



2323

®


primary-vlan Syntax Hierarchy Level

primary-vlan vlan-name; [edit vlans vlan-name]

Release Information

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches.

Description

Configure the primary VLAN for this private VLAN (PVLAN). The primary VLAN is always tagged. •

If the PVLAN is configured on a single switch, do not assign a tag to the community VLANs.

•

If the PVLAN is configured to span multiple switches, you must assign tags to the community VLANs also.

TIP: To display a list of all configured VLANs on the system, including VLANs that are configured but not committed, type ? after vlan or vlans in your configuration mode command line. Note that only one VLAN name is displayed for a VLAN range.


2324



•


•


•




protection-group Syntax

protection-group { ethernet-ringring-name { control-vlan (vlan-id | vlan-name); data-channel { vlan number } east-interface { control-channel channel-name { vlan number; } } guard-interval number; node-id mac-address; restore-interval number; ring-protection-link-owner; west-interface { control-channel channel-name { vlan number; } } } control-vlan (vlan-id | vlan-name); east-interface { node-id mac-address; control-channel channel-name { interface-none ring-protection-link-end; } } control-channel channel-name { vlan number; } } data-channel { vlan number } guard-interval number; node-id mac-address; restore-interval number; ring-protection-link-owner; west-interface { node-id mac-address; control-channel channel-name { interface-none ring-protection-link-end; } control-channel channel-name { vlan number; } } } guard-interval number;


2325

®


restore-interval number; traceoptions { file flag } }


Description

[edit protocols]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure Ethernet ring protection switching. The statements are explained separately. All statements apply to MX Series routers. EX Series switches do not assign node-id and use control-vlan instead of control-channel.


2326



•


•

Example: Configuring Load Balancing Within Ethernet Ring Protection for MX Series Routers

•


•




proxy-arp Syntax Hierarchy Level

Release Information

Description

Default

Options

proxy-arp (restricted | unrestricted); [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.6 for EX Series switches. restricted added in Junos OS Release 10.0 for EX Series switches. For Ethernet interfaces only, configure the router or switch to respond to any ARP request, as long as the router or switch has an active route to the ARP request’s target address. Proxy ARP is not enabled. The router or switch responds to an ARP request only if the destination IP address is its own. •

none—The router or switch responds to any ARP request for a local or remote address

if the router or switch has a route to the target IP address. •

restricted—(Optional) The router or switch responds to ARP requests in which the

physical networks of the source and target are different and does not respond if the source and target IP addresses are in the same subnet. The router or switch must also have a route to the target IP address. •

unrestricted—(Optional) The router or switch responds to any ARP request for a local

or remote address if the router or switch has a route to the target IP address. Default: unrestricted Required Privilege Level Related Documentation



•


•


•



2327

®


pvlan-trunk Syntax Hierarchy Level Release Information Description


pvlan-trunk; [edit vlans vlan-name vlan-id number interface interface-name]

Statement introduced in Junos OS Release 10.4 for EX Series switches. Configure an interface to be the trunk port, connecting switches that are configured with a private VLAN (PVLAN) across these switches. routing—To view this statement in the configuration. routing–control—To add this statement to the configuration. •


redundant-trunk-group Syntax


redundant-trunk-group { group (Redundant Trunk Groups) name { interface (Redundant Trunk Groups) interface-name ; interface (Redundant Trunk Groups) interface-name; interface (Redundant Trunk Groups) preempt-cutover-timer; } } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over without waiting for normal STP convergence. The remaining statements are explained separately.


2328



•




registration Syntax Hierarchy Level Release Information Description

Default Options

registration (forbidden | normal); [edit protocols mvrp interface (all | interface-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specifies the Multiple VLAN Registration Protocol (MVRP) registration mode for the interface if MVRP is enabled. normal forbidden—The interface or interfaces do not register and do not participate in MVRP. normal—The interface or interfaces accept MVRP messages and participate in MVRP.




restore-interval Syntax Hierarchy Level Release Information

Description

Options

restore-interval number; [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Configures the number of minutes that the node does not process any Ethernet ring protection (ERP) protocol data units (PDUs).. This configuration is a global configuration and applies to all Ethernet rings if the Ethernet ring does not have a more specific configuration for this value. If no parameter is configured at the protection group level, the global configuration of this parameter uses the default value. number—Specify the restore interval. Range: 5 through 12 minutes




•


•



2329

®


ring-protection-link-end Syntax Hierarchy Level Release Information

Description


ring-protection-link-end; [edit protocols protection-group ethernet-ring ring-name (east-interface | west-interface)]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify that the port is one side of a ring protection link (RPL) by setting the RPL end flag. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


ring-protection-link-owner Syntax Hierarchy Level Release Information

Description


2330

ring-protection-link-owner; [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the ring protection link (RPL) owner flag in the Ethernet protection ring. Include this statement only once for each ring (only one node can function as the RPL owner). interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •




routing-instances Syntax


routing-instances routing-instance-name { instance-type virtual-router; interface (Routing Instances) interface-name; } [edit]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure a virtual routing entity. routing-instance-name—Name for this routing instance.




•



2331

®


shutdown-threshold Syntax Hierarchy Level Release Information

Description

shutdown-threshold number; [edit vlans vlan-name dot1q-tunneling layer2-protocol-tunneling (all | protocol-name)]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the interface is disabled. Once an interface is disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command. Otherwise, the interface remains disabled. The shutdown threshold value must be greater than or equal to the drop threshold value. If the shutdown threshold value is less than the drop threshold value, the drop threshold value has no effect. You can specify a shutdown threshold value without specifying a drop threshold value.

Default Options

No shutdown threshold is specified. number—Maximum number of Layer 2 PDUs of the specified protocol that can be received

per second on the interfaces in a specified VLAN before the interface is disabled. Range: 1 through 1000 Required Privilege Level Related Documentation

2332


drop-threshold on page 2289

•


•


•




static Syntax


static { vlan vlan-name { mac mac-address { next-hop interface-name; } } } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify VLAN and MAC addresses to add to the Ethernet switching table. The remaining statements are explained separately.





2333

®


traceoptions (Edge Virtual Bridging) Syntax


Default Options

traceoptions { file filename ; flag flag; } [edit protocols edge-virtual-bridging]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Define global tracing operations for edge virtual bridging (EVB) features on Ethernet switches. Tracing operations are disabled by default. file filename—Name of the file to receive the output of the tracing operation. Enclose the


so on, until the maximum number of trace files is reached (xk to specify KB, xm to specify MB, or xg to specify gigabytes), at which point the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files no-world-readable—(Optional) Restrict file access to the user who created the file. replace—(Optional) Replace an existing trace file if there is one rather than appending

output to it. Default: If you do not include this option, tracing output is appended to an existing trace file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes Range: 10 KB through 1 gigabyte Default: 128 KB world-readable—(Optional) Enable unrestricted file access. flag flag—Tracing operation to perform. To specify more than one tracing operation,


2334



•

all—Trace everything.

•

ecp—Trace Edge Control Protocol (ECP) events.

•

evb-tlv— Trace EVB type, length, and value (TLV) events.

•

parse—Trace configuration parsing.

•

policy—Trace policy events.

•

vdp—Trace Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP)

events. Required Privilege Level Related Documentation




2335

®


traceoptions (Ethernet Ring Protection) Syntax


traceoptions { file filename ; flag flag; } [edit protocols protection-group]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure trace options for the protection group. file filename—Name of the file to receive the output of the tracing operation. All files are

placed in the directory /var/log. You can include the following file options: •

no-stamp—(Optional) Do not timestamp trace file.

•

no-world-readable—(Optional) Do not allow any user to read the log file.

•

replace—(Optional) Replace the trace file rather than appending to it.

•

size—(Optional) Maximum trace file size (10240..4294967295).

•

world-readable—(Optional) Allow any user to read the log file.

flag flag—Tracing operation to perform. To specify more than one tracing operation,



2336

•

all—Trace all SBC process operations.

•

configuration—Trace configuration events.

•

debug—Trace device monitor events.

•

events—Trace events to the protocol state machine

•

normal—Trace normal messages.

•

pdu—Trace RAPS PDU reception and transmission.

•

periodic-packet-management—Trace periodic packet management state and events.

•

state-machine—Trace RAPS state machine.

•

timers—Trace protocol timers.





vlan Syntax


vlan vlan-name { mac mac-address { next-hop interface-name; } } [edit ethernet-switching-options static]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify the name of a VLAN to add to the Ethernet switching table. vlan-name—Name of the VLAN to add to the Ethernet switching table.




vlan Syntax


vlan { members [ (all | names | vlan-ids) ]; } [edit interfaces interface-name unit logical-unit-number family ethernet-switching]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Bind an 802.1Q VLAN tag ID to a logical interface. The remaining statement is explained separately.




•


•


•


•



2337

®


vlan-id Syntax Hierarchy Level Release Information Description Default

Options

vlan-id number; [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an 802.1Q tag to apply to all traffic that originates on the VLAN. If you use the default factory configuration, all traffic originating on the VLAN is untagged and has a VLAN identifier of 1. The number zero is reserved for priority tagging and the number 4095 is also reserved. number —VLAN tag identifier

Range:


2338

•

1 through 4094 (all switches except EX8200 Virtual Chassis)

•

1 through 4092 (EX8200 Virtual Chassis only)



•


•


•


•




vlan-range Syntax Hierarchy Level Release Information Description Default Options

vlan-range vlan-id-low-vlan-id-high; [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure multiple VLANs. Each VLAN is assigned a VLAN ID number from the range. None. vlan-id-low-vlan-id-high —Specify the first and last VLAN ID number for the group of

VLANs. Required Privilege Level Related Documentation



•


•


•



2339

®


vlans Syntax


Options

vlans { vlan-name { description (VLANs) text-description; dot1q-tunneling (VLANs) { customer-vlans (id | range) layer2-protocol-tunneling all | protocol-name { drop-threshold number; shutdown-threshold number; } } filter (VLANs) input filter-name; filter (VLANs) output filter-name; interface (VLANs) interface-name { egress; ingress (vlans); mapping (native (push | swap) | policy | tag (push | swap)); pvlan-trunk; } isolation-id id-number; l3-interface (VLANs) vlan.logical-interface-number; l3-interface-ingress-counting layer-3-interface-name; mac-limit limit action action; mac-table-aging-time seconds; no-local-switching; no-mac-learning (Q-in-Q VLANs); primary-vlan vlan-name; vlan-id (802.1Q Tagging) number; vlan-range vlan-id-low-vlan-id-high; } } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure VLAN properties on EX Series switches. The following configuration guidelines apply: •

Only private VLAN (PVLAN) firewall filters can be used when the VLAN is enabled for Q-in-Q tunneling.

•

An S-VLAN tag is added to the packet if the VLAN is Q-in-Q--tunneled and the packet is arriving from an access interface.

•

You cannot use a firewall filter to assign a routed VLAN interface (RVI) to a VLAN.

•

VLAN assignments performed using a firewall filter override all other VLAN assignments.

vlan-name—Name of the VLAN. The name can contain letters, numbers, hyphens (-),

and periods (.) and can be up to 255 characters long. The remaining statements are explained separately.

2340




routing—To view this statement in the configuration. routing–control—To add this statement to the configuration. •


•


•


•


•


routing-engine Syntax



routing-engine { on-disk-failure { disk-failure-action (halt | reboot); } } [edit chassis]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure a Routing Engine to halt or reboot automatically when a hard disk error occurs. A hard disk error may cause a Routing Engine to enter a state in which it responds to local pings and interfaces remain up, but no other processes are responding. Rebooting or halting prevents this. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•

Junos High Availability Configuration Guide


2341

®


vsi-discovery Syntax


Default Options

vsi-discovery { interface interface-name vsi-policy vsi-policy-name } [edit protocols edge-virtual-bridging]

Configure Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP). VDP is used to program policies for each individual station interface (VSI). VDP is disabled by default. interface-name—Name of the interface on which VDP is configured. The remaining

statement is explained separately. Required Privilege Level Related Documentation

2342



•




vsi-policy (EVB) Syntax


vsi-policy vsi-policy-namefrom vsi-manager vsi-manager-id vsi-type vsi-type vsi-version vsi-version vsi-instance instance-number; [edit policy-options]

Define and apply the named VSI policy to the edge virtual bridging (EVB) configuration. For use with edge virtual bridging, each virtual machine (VM) on the server is uniquely identified by following four parameters, which are contained in a VSI policy: •

vsi-manager-id

•

vsi-type

•

vsi-version

•

vsi-instance-id

The vsi-policy command manually configures these four parameters on the EX switch for the successful association of VM-VSI. VDP protocol helps determine the parameters defined for the virtual machines on the server and configure them on the switch. Use policy options to define the VM-VSI parameters. Configure a firewall filter for each of the VM profiles and use it in this statement. Required Privilege Level Related Documentation



•



2343

®


west-interface Syntax


Description

west-interface { node-id mac-address; control-channel channel-name { interface-none ring-protection-link-end; } [edit protocols protection-group ethernet-ring ring-name]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 12.1 for EX Series switches. Define one of the two interface ports for Ethernet ring protection, the other being defined by the east-interface statement at the same hierarchy level. The interface must use the control channel's logical interface name. The control channel is a dedicated VLAN channel for the ring port.

NOTE: Always configure this port second, after configuring the east-interface statement.


2344



•


•

east-interface on page 2290

•

ethernet-ring on page 2293

•


•



CHAPTER 69

Operational Commands for Ethernet Switching


2345

®


clear ethernet-switching layer2-protocol-tunneling error Syntax

Release Information

Description

Options

clear ethernet-switching layer2-protocol-tunneling error

Command introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Clear Layer 2 protocol tunneling (L2PT) errors on one or more interfaces. If an interface has been disabled because the amount of Layer 2 protocol traffic exceeded the shutdown threshold or because the switch has detected an error in the network topology or configuration, use this command to reenable the interface. none—Clears L2PT errors on all interfaces. interface interface-name—(Optional) Clear L2PT errors on the specified interface.



view

•


•


•


clear ethernet-switching layer2-protocol-tunneling error on page 2346 clear ethernet-switching layer2-protocol-tunneling error interface xe-0/0/1.0 on page 2346

Sample Output clear ethernet-switching layer2-protocol-tunneling error

user@switch> clear ethernet-switching layer2-protocol-tunneling error

clear ethernet-switching layer2-protocol-tunneling error interface xe-0/0/1.0

user@switch> clear ethernet-switching layer2-protocol-tunneling error interface xe-0/0/1.0

2346


Chapter 69: Operational Commands for Ethernet Switching

clear ethernet-switching layer2-protocol-tunneling statistics Syntax

Release Information

Description Options

clear ethernet-switching layer2-protocol-tunneling statistics

Command introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Clear Layer 2 protocol tunneling (L2PT) statistics on one or more interfaces or VLANs. none—Clear L2PT statistics on all interfaces and VLANs. interface interface-name—(Optional) Clear L2PT statistics on the specified interface. vlan vlan-name—(Optional) Clear L2PT statistics on the specified VLAN.



view

•


•


•


•


clear ethernet-switching layer2-protocol-tunneling statistics on page 2347 clear ethernet-switching layer2-protocol-tunneling error interface ge-0/1/1.0 on page 2347 clear ethernet-switching layer2-protocol-tunneling error vlan v2 on page 2347

Sample Output clear ethernet-switching layer2-protocol-tunneling statistics

user@switch> clear ethernet-switching layer2-protocol-tunneling statistics

clear ethernet-switching layer2-protocol-tunneling error interface ge-0/1/1.0

user@switch> clear ethernet-switching layer2-protocol-tunneling statistics interface xe-0/1/1.0

clear ethernet-switching layer2-protocol-tunneling error vlan v2

user@switch> clear ethernet-switching layer2-protocol-tunneling statistics vlan v2


2347

®


clear ethernet-switching table Syntax


Options

clear ethernet-switching table

Command introduced in Junos OS Release 9.3 for EX Series switches. Clear learned entries, which are media access control (MAC) addresses, in the Ethernet switching table (also called the forwarding database table). none—Clear learned entries in the Ethernet switching table, except for persistent MAC

addresses. interface interface-name—(Optional) Clear all learned MAC addresses for the specified

interface from the Ethernet switching table. mac mac-address—(Optional) Clear the specified learned MAC address from the Ethernet

switching table. management-vlan—(Optional) Clear all MAC addresses learned for the management

VLAN from the Ethernet switching table. Note that you do not specify a VLAN name because only one management VLAN exists. persistent-mac —(Optional) Clear all MAC addresses, including

persistent MAC addresses. Use the interface option to clear all MAC addresses on an interface, or use the mac-address option to clear all entries for a specific MAC address. Use this command whenever you move a device in your network that has a persistent MAC address on the switch. If you move the device to another port on the switch and do not clear the persistent MAC address from the original port it was learned on, then the new port will not learn the MAC address and the device will not be able to connect. If the original port is down when you move the device, then the new port will learn the MAC address and the device can connect—however, unless you cleared the MAC address on the original port, when the port comes back up, the system reinstalls the persistent MAC address in the forwarding table for that port. If this occurs, the address is removed from the new port and the device loses connectivity. vlan vlan-name—(Optional) Clear all MAC addresses learned for the specified VLAN from

the Ethernet switching table. Required Privilege Level Related Documentation

2348

view

•


•

Verifying That Persistent MAC Learning Is Working Correctly on page 4175




clear ethernet-switching table on page 2349 This command produces no output.

Sample Output clear ethernet-switching table

user@switch> clear ethernet-switching table


2349

®


clear gvrp statistics Syntax Release Information Description Required Privilege Level Related Documentation


clear gvrp statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. Clear GARP VLAN Registration Protocol (GVRP) statistics. clear

•

show spanning-tree statistics on page 2569

•

Example: Configure Automatic VLAN Administration Using GVRP

clear gvrp statistics on page 2350

Sample Output clear gvrp statistics

2350

user@switch> clear gvrp statistics



clear mvrp statistics Syntax Release Information Description Options

clear mvrp statistics

Command introduced in Junos OS Release 10.0 for EX Series switches. Clear Multiple VLAN Registration Protocol (MVRP) statistics. none—Clear all MVRP statistics. interface interface-name—Clear the MVRP statistics on the specified interface.



Output Fields

clear

•

show mvrp statistics on page 2382

•


clear mvrp statistics on page 2351 clear mvrp statistics interface ge-0/0/1.0 on page 2351 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear mvrp statistics

user@switch> clear mvrp statistics

clear mvrp statistics interface ge-0/0/1.0

user@switch> clear mvrp statistics interface ge-0/0/1.0


2351

®


show edge-virtual-bridging Syntax


show edge-virtual-bridging vsi-profiles

Command introduced in Junos OS Release 12.1 for EX Series switches. Display information about edge virtual bridging (EVB). none—Display EVB parameters for all interfaces configured with EVB. detail—(Optional) Display EVB parameters and virtual station interface (VSI) profiles

associated with each interface. edge-control-protocol statistics show ethernet-switching interfaces Interface

State



ge-0/0/15.0

up

ge-0/0/16.0 ge-0/0/17.0

down down

VLAN members

Tag


300

100 200 100 200 100

vlan200


200

Tagging

Blocking




up

vlan100 vlan200

100 200

tagged tagged




2357

®










2358





show ethernet-switching layer2-protocol-tunneling interface Syntax

Release Information

Description

Options

show ethernet-switching-layer2-protocol-tunneling interface

Command introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display information about Layer 2 protocol tunneling (L2PT) on interfaces that have been configured for L2PT. none—Display L2PT information about all interfaces on which L2PT is enabled. interface-name—(Optional) Display L2PT information for the specified interface.


view

•


•


•


•


•


•



show ethernet-switching layer2-protocol-tunneling interface on page 2360 show ethernet-switching layer2-protocol-tunneling interface xe-0/0/0.0 on page 2360

Output Fields

Table 260 on page 2359 lists the output fields for the show ethernet-switching layer2-protocol-tunneling interface command. Output fields are listed in the approximate order in which they appear.

Table 260: show ethernet-switching layer2-protocol-tunneling interface Output Fields Field Name

Field Description

Interface

Name of an interface on the switch.

Operation

Type of operation being performed on the interface. Values are Encapsulation and Decapsulation.

State

State of the interface. Values are active and shutdown.

Description

If the interface state is shutdown, displays why the interface is shut down. If the description says Loop detected, it means that the interface is an access interface that has received L2PT-enabled PDUs. Access interfaces should not receive L2PT-enabled PDUs. This scenario might mean that there is a loop in the network.


2359

®


Sample Output show ethernet-switching layer2-protocol-tunneling interface

user@switch> show ethernet-switching layer2-protocol-tunneling interface

show ethernet-switching layer2-protocol-tunneling interface xe-0/0/0.0

user@switch> show ethernet-switching layer2-protocol-tunneling interface xe-0/0/0.0

2360

Layer2 Protocol Tunneling information: Interface Operation State xe-0/0/0.0 Encapsulation Shutdown xe-0/0/1.0 Decapsulation Shutdown xe-0/0/2.0 Decapsulation Active

Layer2 Protocol Tunneling information: Interface Operation State xe-0/0/0.0 Encapsulation Shutdown

Description Shutdown threshold exceeded Loop detected

Description Shutdown threshold exceeded



show ethernet-switching layer2-protocol-tunneling statistics Syntax

Release Information

Description

show ethernet-switching-layer2-protocol-tunneling statistics

Command introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display Layer 2 protocol tunneling (L2PT) statistics for Layer 2 PDU packets received by the switch.

NOTE: The show ethernet-switching-layer2-protocol-tunneling statistics command does not display L2PT statistics for Layer 2 PDU packets transmitted from the switch.

Options

none—Display L2PT statistics for all interfaces on which you enabled L2PT. interface interface-name—(Optional) Display L2PT statistics for the specified interface. vlan vlan-name—(Optional) Display L2PT statistics for the specified VLAN.



Output Fields

view

•

clear ethernet-switching layer2-protocol-tunneling statistics on page 2347

•


•


•


•


•


•

show vlans

•


show ethernet-switching layer2-protocol-tunneling statistics on page 2362 show ethernet-switching layer2-protocol-tunneling statistics interface xe-0/0/0.0 on page 2362 show ethernet-switching layer2-protocol-tunneling statistics vlan v2 on page 2362 Table 261 on page 2362 lists the output fields for the show ethernet-switching layer2-protocol-tunneling statistics command. Output fields are listed in the approximate order in which they appear.


2361

®


Table 261: show ethernet-switching layer2-protocol-tunneling statistics Output Fields VLAN

Field Description

VLAN

Name of a VLAN on which L2PT has been configured.

Interface

Name of an interface on which L2PT has been configured.

Protocol

Name of a protocol for which L2PT has been enabled. Values are all, 802.1x, 802.3ah, cdp, e-lmi, gvrp, lacp, lldp, mmrp, mvrp, stp, udld, vstp, and vtp.

Operation

Type of operation being performed on the interface. Values are Encapsulation and Decapsulation.

Packets

Number of packets that have been encapsulated or de-encapsulated.

Drops

Number of packets that have exceeded the drop threshold and have been dropped.

Shutdowns

Number of times that packets have exceeded the shutdown threshold and the interface has been shut down.

Sample Output show ethernet-switching layer2-protocol-tunneling statistics

user@switch> show ethernet-switching layer2-protocol-tunneling statistics

show ethernet-switching layer2-protocol-tunneling statistics interface xe-0/0/0.0

user@switch> show ethernet-switching layer2-protocol-tunneling statistics interface xe-0/0/0.0

show ethernet-switching layer2-protocol-tunneling statistics vlan v2

user@switch> show ethernet-switching layer2-protocol-tunneling statistics vlan v2

2362

Layer2 VLAN v1 v1 v1 v2 v2 v2

Protocol Tunneling Statistics: Interface Protocol Operation xe-0/0/0.0 mvrp Encapsulation xe-0/0/1.0 mvrp Decapsulation xe-0/0/2.0 mvrp Decapsulation xe-0/0/0.0 cdp Encapsulation xe-0/0/0.0 gvrp Encapsulation xe-0/0/0.0 lldp Encapsulation

Layer2 Protocol Tunneling Statistics: VLAN Interface Protocol Operation v1 xe-0/0/0.0 mvrp Encapsulation v2 xe-0/0/0.0 cdp Encapsulation v2 xe-0/0/0.0 gvrp Encapsulation v2 xe-0/0/0.0 lldp Encapsulation v2 xe-0/0/0.0 mvrp Encapsulation v2 xe-0/0/0.0 stp Encapsulation v2 xe-0/0/0.0 vtp Encapsulation v2 xe-0/0/0.0 vstp Encapsulation

Packets 0 0 60634 0 0 0

Layer2 Protocol Tunneling Statistics: VLAN Interface Protocol Operation v2 xe-0/0/0.0 cdp Encapsulation v2 xe-0/0/0.0 gvrp Encapsulation v2 xe-0/0/0.0 lldp Encapsulation v2 xe-0/0/0.0 mvrp Encapsulation v2 xe-0/0/0.0 stp Encapsulation v2 xe-0/0/0.0 vtp Encapsulation v2 xe-0/0/0.0 vstp Encapsulation

Drops 0 0 0 0 0 0

Packets 0 0 0 0 0 0 0 0

Packets 0 0 0 0 0 0 0

Drops 0 0 0 0 0 0 0 0

Drops 0 0 0 0 0 0 0

Shutdowns 0 0 0 0 0 0

Shutdowns 0 0 0 0 0 0 0 0

Shutdowns 0 0 0 0 0 0 0



v2 v2 v2 v2 v2 v2


xe-0/0/1.0 xe-0/0/1.0 xe-0/0/1.0 xe-0/0/1.0 xe-0/0/1.0 xe-0/0/1.0

cdp gvrp lldp mvrp stp vtp

Decapsulation Decapsulation Decapsulation Decapsulation Decapsulation Decapsulation

0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0 0

2363

®


show ethernet-switching layer2-protocol-tunneling vlan Syntax Release Information

Description

Options

show ethernet-switching-layer2-protocol-tunneling vlan

Command introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display information about Layer 2 protocol tunneling (L2PT) on VLANs that have been configured for L2PT. none—Display information about L2PT for the VLANs on which you have configured L2PT. vlan-name—(Optional) Display information about L2PT for the specified VLAN.



Output Fields

view

•


•


•


•


•


•

show vlans

•


show ethernet-switching layer2-protocol-tunneling vlan on page 2365 show ethernet-switching layer2-protocol-tunneling vlan v2 on page 2365 Table 262 on page 2364 lists the output fields for the show ethernet-switching layer2-protocol-tunneling vlan command. Output fields are listed in the approximate order in which they appear.

Table 262: show ethernet-switching layer2-protocol-tunneling vlan Output Fields Field Name

Field Description

VLAN

Name of the VLAN on which L2PT has been configured.

Protocol

Name of a protocol for which L2PT has been enabled. Values are all, 802.1x, 802.3ah, cdp, e-lmi, gvrp, lacp, lldp, mmrp, mvrp, stp, vstp, and vtp.

Drop Threshold

Maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the VLAN before the switch begins dropping the Layer 2 PDUs.

Shutdown Threshold

Maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the VLAN before the interface is disabled.

2364



Sample Output show ethernet-switching layer2-protocol-tunneling vlan

user@switch> show ethernet-switching layer2-protocol-tunneling vlan

show ethernet-switching layer2-protocol-tunneling vlan v2

user@switch> show ethernet-switching layer2-protocol-tunneling vlan v2

Layer2 Protocol Tunneling VLAN information: VLAN Protocol Drop Shutdown Threshold Threshold v1 mvrp 100 200 v2 cdp 0 0 v2 cdp 0 0 v2 gvrp 0 0

Layer2 Protocol Tunneling VLAN information: VLAN Protocol Drop Shutdown Threshold Threshold v2 cdp 0 0 v2 cdp 0 0 v2 gvrp 0 0


2365

®


show ethernet-switching mac-learning-log Syntax Release Information Description Required Privilege Level Related Documentation


show ethernet-switching mac-learning-log

Command introduced in Junos OS Release 9.0 for EX Series switches. Displays the event log of learned MAC addresses. view

•


•


•


•


•


show ethernet-switching mac-learning-log on page 2366 Table 263 on page 2366 lists the output fields for the show ethernet-switching mac-learning-log command. Output fields are listed in the approximate order in which they appear.

Table 263: show ethernet-switching mac-learning-log Output Fields Field Name

Field Description

Date and Time

Timestamp when the MAC address was added or deleted from the log.

vlan_name

VLAN name. A value defined by the user for all user-configured VLANs.

MAC

Learned MAC address.

Deleted | Added

MAC address deleted or added to the MAC learning log.

Blocking

The forwarding state of the interface: •


•


Sample Output show ethernet-switching mac-learning-log

2366

user@switch> show ethernet-switching mac-learning-log Mon Feb 25 08:07:05 2008 vlan_name v1 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name v9 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name HR_vlan mac 00:00:00:00:00:00 was deleted



Mon Feb 25 08:07:05 2008 vlan_name v3 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name v12 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name v13 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name sales_vlan mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name employee1 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name employee2 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_name v3 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_name HR_vlan mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_name employee2 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_name employee1 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_name employee2 mac 00:00:05:00:00:05 was learned Mon Feb 25 08:07:05 2008 vlan_name employee1 mac 00:30:48:90:54:89 was learned Mon Feb 25 08:07:05 2008 vlan_name HR_vlan mac 00:00:5e:00:01:00 was learned Mon Feb 25 08:07:05 2008 vlan_name sales_vlan mac 00:00:5e:00:01:08 was learned [output truncated]


2367

®


show ethernet-switching mac-notification Syntax Release Information

Description Required Privilege Level Related Documentation List of Sample Output

Output Fields

show ethernet-switching mac-notification

Command introduced in Junos OS Release 9.6 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display information about MAC notification. view

•


show ethernet-switching mac-notification (MAC Notification Enabled) on page 2368 show ethernet-switching mac-notification (MAC Notification Disabled) on page 2368 Table 264 on page 2368 lists the output fields for the show ethernet-switching mac-notification command. Output fields are listed in the order in which they appear.

Table 264: show ethernet-switching mac-notification Output Fields Field Name

Field Description

Notification Status

MAC notification status:

Notification Interval

•

Enabled—MAC notification is enabled.

•

Disabled—MAC notification is disabled.

MAC notification interval in seconds.

Sample Output show ethernet-switching mac-notification (MAC Notification Enabled)

user@switch> show ethernet-switching mac-notification Notification Status : Enabled Notification Interval : 30

Sample Output show ethernet-switching mac-notification (MAC Notification Disabled)

2368

user@switch> show ethernet-switching mac-notification Notification Status : Disabled Notification Interval : 0



show ethernet-switching statistics aging Syntax Release Information Description Options

show ethernet-switching statistics aging

Command introduced in Junos OS Release 9.4 for EX Series switches. Display media access control (MAC) aging statistics. none—(Optional) Display MAC aging statistics. brief | detail—(Optional) Display the specified level of output.



view

•

show ethernet-switching statistics mac-learning on page 2371

•


show ethernet-switching statistics aging on page 2370 Table 265 on page 2369 lists the output fields for the show ethernet-switching statistics aging command. Output fields are listed in the approximate order in which they appear.

Table 265: show ethernet-switching statistics aging Output Fields Field Name

Field Description

Level of Output

Total age messages received

Total number of aging messages received from the hardware.

All levels

Immediate aging

Aging message indicating that the entry should be removed immediately.

All levels

MAC address seen

Aging message indicating that the MAC address has been detected by hardware and that the aging timer should be stopped.

All levels

MAC address not seen

Aging message indicating that the MAC address has not been detected by the hardware and that the aging timer should be started.

All levels

Error age messages

The received aging message contains the following errors:

All levels

•

Invalid VLAN—The VLAN of the packet does not exist.

•

No such entry—The MAC address and VLAN pair provided by the aging

message does not exist. •

Static entry—An unsuccessful attempt was made to age out a static MAC

entry.


2369

®


Sample Output show ethernet-switching statistics aging

2370

user@switch> show ethernet-switching statistics aging Total age messages received: 0 Immediate aging: 0, MAC address seen: 0, MAC address not seen: 0 Error age messages: 0 Invalid VLAN: 0, No such entry: 0, Static entry: 0



show ethernet-switching statistics mac-learning Syntax

Release Information

Description Options

show ethernet-switching statistics mac-learning

Command introduced in Junos OS Release 9.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display media access control (MAC) learning statistics. none—(Optional) Display MAC learning statistics for all interfaces. brief | detail—(Optional) Display the specified level of output. interface interface-name—(Optional) Display MAC learning statistics for the specified



Output Fields

view

•

show ethernet-switching statistics aging on page 2369

•


•


•


•


•


•

show ethernet-switching statistics aging

•

show ethernet-switching mac-learning-log

•


•


•

Example: Setting Up Basic Bridging and a VLAN on the QFX Series

•

Example: Setting Up Bridging with Multiple VLANs

show ethernet-switching statistics mac-learning on page 2372 show ethernet-switching statistics mac-learning detail on page 2372 show ethernet-switching statistics mac-learning interface on page 2373 show ethernet-switching statistics mac-learning detail (QFX Series) on page 2373 Table 266 on page 2372 lists the output fields for the show ethernet-switching statistics mac-learning command. Output fields are listed in the approximate order in which they appear.


2371

®


Table 266: show ethernet-switching statistics mac-learning Output Fields Field Name

Field Description

Level of Output

Interface

Name of the interface for which statistics are being reported. (Displayed in the output under the heading Interface.)

All levels

Learning message from local packets

MAC learning message generated due to packets coming in on the management interface. (Displayed in the output under the heading Local pkts.)

All levels

Learning message from transit packets

MAC learning message generated due to packets coming in on network interfaces. (Displayed in the output under the heading Transit pkts.)

All levels

Learning message with error

MAC learning messages received with errors (Displayed under the heading Error):

All levels

•

Invalid VLAN—The VLAN of the packet does not exist.

•

Invalid MAC—The MAC address is either NULL or a multicast MAC address.

•

Security violation—The MAC address is not an allowed MAC address.

•

Interface down—The MAC address is learned on an interface that is down.

•

Incorrect membership—The MAC address is learned on an interface that is

not a member of the VLAN. •

Interface limit—The number of MAC addresses learned on the interface has

exceeded the limit. •

MAC move limit—This MAC address has moved among multiple interfaces

too many times in a given interval. •

VLAN limit—The number of MAC addresses learned on the VLAN has exceeded

the limit. •

Invalid VLAN index—The VLAN of the packet, although configured, does not

yet exist in the kernel. •

Interface not learning—The MAC address is learned on an interface that does

not yet allow learning—for example, the interface is blocked. •

No nexthop—The MAC address is learned on an interface that does not have

a unicast next hop. •

MAC learning disabled—The MAC address is learned on an interface on which

MAC learning has been disabled. •

Others—The message contains some other error.

Sample Output show ethernet-switching statistics mac-learning

user@switch> show ethernet-switching statistics mac-learning

show ethernet-switching statistics mac-learning detail

user@switch> show ethernet-switching statistics mac-learning detail Learning stats: 0 learn msg rcvd, 0 error

2372

Learning stats: 0 learn msg rcvd, 0 error Interface Local pkts Transit pkts ge-0/0/0.0 0 0 ge-0/0/1.0 0 0 ge-0/0/2.0 0 0 ge-0/0/3.0 0 0

Interface: ge-0/0/0.0 Learning message from local packets:

Error 0 0 0 0

0



Learning message from transit Learning message with error: Invalid VLAN: Security violation: Incorrect membership: MAC move limit: Invalid VLAN index: No nexthop: Others:

packets: 1 0 0 Invalid MAC: 0 Interface down: 0 Interface limit: 0 VLAN limit: 0 Interface not learning: 0 MAC learning disabled: 0

Interface: ge-0/0/1.0 Learning message from local packets: 0 Learning message from transit packets: 2 Learning message with error: 0 Invalid VLAN: 0 Invalid MAC: Security violation: 0 Interface down: Incorrect membership: 0 Interface limit: MAC move limit: 0 VLAN limit: Invalid VLAN index: 0 Interface not learning: No nexthop: 0 MAC learning disabled: Others: 0

show ethernet-switching statistics mac-learning interface

user@switch> show ethernet-switching statistics mac-learning interface ge-0/0/1 Interface Local pkts Transit pkts Error ge-0/0/1.0 0 1 1

show ethernet-switching statistics mac-learning detail (QFX Series)

user@switch> show ethernet-switching statistics mac-learning detail Learning stats: 0 learn msg rcvd, 0 error Interface: xe–0/0/0.0 Learning message from local packets: 0 Learning message from transit packets: 1 Learning message with error: 0 Invalid VLAN: 0 Invalid MAC: Security violation: 0 Interface down: Incorrect membership: 0 Interface limit: MAC move limit: 0 VLAN limit: Invalid VLAN index: 0 Interface not learning: No nexthop: 0 MAC learning disabled: Others: 0 Interface: xe–0/0/1.0 Learning message from local packets: 0 Learning message from transit packets: 2 Learning message with error: 0 Invalid VLAN: 0 Invalid MAC: Security violation: 0 Interface down: Incorrect membership: 0 Interface limit: MAC move limit: 0 VLAN limit: Invalid VLAN index: 0 Interface not learning: No nexthop: 0 MAC learning disabled: Others: 0


0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0 0

2373

®


show ethernet-switching table Syntax

Release Information

Description Options


Command introduced in Junos OS Release 9.0 for EX Series switches. Options summary, management-vlan, and vlan vlan-name introduced in Junos OS Release 9.6 for EX Series switches. Option sort-by and field name tag introduced in Junos OS Release 10.1 for EX Series switches. Option persistent-mac introduced in Junos OS Release 11.4 for EX Series switches. Display the Ethernet switching table. none—(Optional) Display brief information about the Ethernet switching table. brief | detail | extensive | summary—(Optional) Display the specified level of output. interface interface-name—(Optional) Display the Ethernet switching table for a specific

interface. management-vlan—(Optional) Display the Ethernet switching table for a management

VLAN. persistent-mac —(Optional) Display the persistent MAC

addresses learned for all interfaces or a specified interface. You can use this command to view entries that you want to clear for an interface that you intentionally disabled. sort-by (name | tag)—(Optional) Display VLANs in ascending order of VLAN IDs or VLAN

names. vlan vlan-name—(Optional) Display the Ethernet switching table for a specific VLAN.



2374

view

•

clear ethernet-switching table on page 2348

•


•


•


show ethernet-switching table on page 2376 show ethernet-switching table brief on page 2376



show ethernet-switching table detail on page 2377 show ethernet-switching table extensive on page 2377 show ethernet-switching table persistent-mac on page 2378 show ethernet-switching table persistent-mac interface ge-0/0/16.0 on page 2378 Output Fields

Table 267 on page 2375 lists the output fields for the show ethernet-switching table command. Output fields are listed in the approximate order in which they appear.

Table 267: show ethernet-switching table Output Fields Field Name

Field Description

Level of Output

VLAN

The name of a VLAN.

All levels

Tag

The VLAN ID tag name or number.

extensive

MAC or MAC address

The MAC address associated with the VLAN.

All levels

Type

The type of MAC address. Values are:

All levels except persistent-mac

•


•

learn—The MAC address is learned dynamically from a packet's source MAC

address. •


•

persistent—The learned MAC addresses that will persist across restarts of

the switch or interface-down events. Type


installed—addresses that are in the Ethernet switching table.

•

uninstalled—addresses that could not be installed in the table or were

persistent-mac

uninstalled in an interface-down event and will be reinstalled in the table when the interface comes back up. Age


All levels

Interfaces

Interface associated with learned MAC addresses or All-members (flood entry).

All levels

Learned

For learned entries, the time which the entry was added to the Ethernet switching table.

detail, extensive

Nexthop index

The next-hop index number.

detail, extensive

persistent-mac

installed indicates MAC addresses that are in the Ethernet switching table and uninstalled indicates MAC addresses that could not be installed in the table or

were uninstalled in an interface-down event (and will be reinstalled in the table when the interface comes back up).


2375

®


Sample Output show ethernet-switching table

user@switch> show ethernet-switching table Ethernet-switching table: 57 entries, 15 learned, 2 persistent VLAN MAC address Type Age Interfaces F2 * Flood - All-members F2 00:00:05:00:00:03 Learn 0 ge-0/0/44.0 F2 00:19:e2:50:7d:e0 Static - Router Linux * Flood - All-members Linux 00:19:e2:50:7d:e0 Static - Router Linux 00:30:48:90:54:89 Learn 0 ge-0/0/47.0 T1 * Flood - All-members T1 00:00:05:00:00:01 Persistent 0 ge-0/0/46.0 T1 00:00:5e:00:01:00 Static - Router T1 00:19:e2:50:63:e0 Persistent 0 ge-0/0/46.0 T1 00:19:e2:50:7d:e0 Static - Router T10 * Flood - All-members T10 00:00:5e:00:01:09 Static - Router T10 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0 T10 00:19:e2:50:7d:e0 Static - Router T111 * Flood - All-members T111 00:19:e2:50:63:e0 Learn 0 ge-0/0/15.0 T111 00:19:e2:50:7d:e0 Static - Router T111 00:19:e2:50:ac:00 Learn 0 ge-0/0/15.0 T2 * Flood - All-members T2 00:00:5e:00:01:01 Static - Router T2 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0 T2 00:19:e2:50:7d:e0 Static - Router T3 * Flood - All-members T3 00:00:5e:00:01:02 Static - Router T3 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0 T3 00:19:e2:50:7d:e0 Static - Router T4 * Flood - All-members T4 00:00:5e:00:01:03 Static - Router T4 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0 [output truncated]

show ethernet-switching table brief

user@switch> show ethernet-switching table brief Ethernet-switching table: 57 entries, 15 learned, 2 persistent entries VLAN MAC address Type Age Interfaces F2 * Flood - All-members F2 00:00:05:00:00:03 Learn 0 ge-0/0/44.0 F2 00:19:e2:50:7d:e0 Static - Router Linux * Flood - All-members Linux 00:19:e2:50:7d:e0 Static - Router Linux 00:30:48:90:54:89 Learn 0 ge-0/0/47.0 T1 * Flood - All-members T1 00:00:05:00:00:01 Persistent 0 ge-0/0/46.0 T1 00:00:5e:00:01:00 Static - Router T1 00:19:e2:50:63:e0 Persistent 0 ge-0/0/46.0 T1 00:19:e2:50:7d:e0 Static - Router T10 * Flood - All-members T10 00:00:5e:00:01:09 Static - Router T10 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0 T10 00:19:e2:50:7d:e0 Static - Router T111 * Flood - All-members T111 00:19:e2:50:63:e0 Learn 0 ge-0/0/15.0 T111 00:19:e2:50:7d:e0 Static - Router T111 00:19:e2:50:ac:00 Learn 0 ge-0/0/15.0 T2 * Flood - All-members

2376



T2 T2 T2 T3 T3 T3 T3 T4 T4 T4 [output truncated]

show ethernet-switching table detail

00:00:5e:00:01:01 00:19:e2:50:63:e0 00:19:e2:50:7d:e0 * 00:00:5e:00:01:02 00:19:e2:50:63:e0 00:19:e2:50:7d:e0 * 00:00:5e:00:01:03 00:19:e2:50:63:e0

Static Learn Static Flood Static Learn Static Flood Static Learn

0 0 0

Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0

user@switch> show ethernet-switching table detail Ethernet-switching table: 5 entries, 2 learned entries VLAN: default, Tag: 0, MAC: *, Interface: All-members Interfaces: ge-0/0/11.0, ge-0/0/20.0, ge-0/0/30.0, ge-0/0/36.0, ge-0/0/3.0 Type: Flood Nexthop index: 1307 VLAN: default, Tag: 0, MAC: 00:1f:12:30:b8:83, Interface: ge-0/0/3.0 Type: Learn, Age: 0, Learned: 20:09:26 Nexthop index: 1315 VLAN: v1, Tag: 101, MAC: *, Interface: All-members Interfaces: ge-0/0/31.0 Type: Flood Nexthop index: 1313 VLAN: v1, Tag: 101, MAC: 00:1f:12:30:b8:89, Interface: ge-0/0/31.0 Type: Learn, Age: 0, Learned: 20:09:25 Nexthop index: 1312 VLAN: v2, Tag: 102, MAC: *, Interface: All-members Interfaces: ae0.0 Type: Flood Nexthop index: 1317

show ethernet-switching table extensive

user@switch> show ethernet-switching table extensive Ethernet-switching table: 3 entries, 1 learned, 5 persistent entries VLAN: v1, Tag: 10, MAC: *, Interface: All-members Interfaces: ge-0/0/14.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/10.0, ge-0/0/0.0 Type: Flood Nexthop index: 567 VLAN: v1, Tag: 10, MAC: 00:21:59:c6:93:22, Interface: Router Type: Static Nexthop index: 0 VLAN: v1, Tag: 10, MAC: 00:21:59:c9:9a:4e, Interface: ge-0/0/14.0 Type: Learn, Age: 0, Learned: 18:40:50 Nexthop index: 564


2377

®


show ethernet-switching table persistent-mac

show ethernet-switching table persistent-mac interface ge-0/0/16.0

2378

user@switch> show ethernet-switching table persistent-mac VLAN MAC address Type Interface default 00:10:94:00:00:02 installed ge-0/0/42.0 default 00:10:94:00:00:03 installed ge-0/0/42.0 default 00:10:94:00:00:04 installed ge-0/0/42.0 default 00:10:94:00:00:05 installed ge-0/0/42.0 default 00:10:94:00:00:06 installed ge-0/0/42.0 default 00:10:94:00:05:02 uninstalled ge-0/0/16.0 default 00:10:94:00:06:03 uninstalled ge-0/0/16.0 default 00:10:94:00:07:04 uninstalled ge-0/0/16.0 VLAN default default default

MAC address 00:10:94:00:05:02 00:10:94:00:06:03 00:10:94:00:07:04

Type Interface uninstalled ge-0/0/16.0 uninstalled ge-0/0/16.0 uninstalled ge-0/0/16.0



show mvrp Syntax Release Information Description Required Privilege Level Related Documentation


show mvrp

Command introduced in Junos OS Release 10.0 for EX Series switches. Display Multiple VLAN Registration Protocol (MVRP) configuration information. view

•


•


•


show mvrp on page 2379 Table 268 on page 2379 lists the output fields for the show mvrp command. Output fields are listed in the approximate order in which they appear.

Table 268: show mvrp Output Fields Field Name

Field Description

Global MVRP configuration

Displays global MVRP information:

MVRP Timers (ms)

•

MVRP status—Displays whether MVRP is Enabled or Disabled.

•

MVRP dynamic vlan creation—Displays whether global MVRP dynamic VLAN creation is Dnabled or Disabled.

Displays MVRP timer information: •

Interface—The interface on which MVRP is configured.

•

Join—The maximum number of milliseconds the interfaces must wait before sending VLAN

advertisements. •

Leave—The number of milliseconds an interface must wait after receiving a Leave message to

remove the interface from the VLAN specified in the message. •

LeaveAll—The interval at which LeaveAll messages are sent on interfaces. LeaveAll messages

maintain current MVRP VLAN membership information in the network. Interface based configuration

Displays interface-specific MVRP information: •

Interface—The interface on which MVRP is configured.

•

Status—Displays whether MVRP is Enabled or Disabled.

•

Registration—Displays whether registration for the interface is Forbidden or Normal.

•

Dynamic VLAN Creation—Displays whether interface dynamic VLAN creation is Enabled or Disabled.

Sample Output show mvrp

user@switch> show mvrp


2379

®


Global MVRP configuration MVRP status : Enabled MVRP dynamic vlan creation: Enabled MVRP Timers (ms): Interface Join Leave LeaveAll ---------------------------all 200 600 10000 xe-0/1/1.0 200 600 10000 Interface based configuration: Interface Status Registration Dynamic VLAN Creation ---------------------------------------------------all Disabled Normal Enabled xe-0/1/1.0 Enabled Normal Enabled

2380



show mvrp dynamic-vlan-memberships Syntax Release Information Description



show mvrp dynamic-vlan-memberships

Command introduced in Junos OS Release 10.0 for EX Series switches. Display all VLANs that have been created dynamically using Multiple VLAN Registration Protocol (MVRP) on the switch. clear

•

show mvrp on page 2379

•


•


•


show mvrp dynamic-vlan-memberships on page 2381 Table 269 on page 2381 lists the output fields for the show mvrp dynamic-vlan-memberships command. Output fields are listed in the approximate order in which they appear.

Table 269: show mvrp dynamic-vlan-memberships Output Fields Field Name

Field Description

VLAN Name

The name of the dynamically created VLAN.

Interfaces

The interface or interfaces that are bound to the dynamically created VLAN.

Sample Output show mvrp dynamic-vlan-memberships

user@switch> show mvrp dynamic-vlan-memberships VLAN Name Interfaces ---------------------------------__mvrp_100__ xe-0/1/1.0 xe-0/1/0.0 __mvrp_200__ xe-0/1/1.0 xe-0/1/0.0 __mvrp_300__ xe-0/1/1.0


2381

®


show mvrp statistics Syntax


Options

show mvrp statistics

Command introduced in Junos OS Release 10.0 for EX Series switches. Display Multiple VLAN Registration Protocol (MVRP) statistics in the form of Multiple Registration Protocol data unit (MRPDU) messages. none—Show MVRP statistics for all interfaces on the switch. interface interface-name—(Optional) Show MVRP statistics for the specified interface.



view

•

show mvrp on page 2379

•

clear mvrp statistics on page 2351

•


•


show mvrp statistics interface xe-0/1/1.0 on page 2383 Table 270 on page 2382 lists the output fields for the show mvrp statistics command. Output fields are listed in the approximate order in which they appear.

Table 270: show mvrp statistics Output Fields Field Name

Field Description

MRPDU received

Number of MRPDU messages received on the switch.

Invalid PDU received

Number of invalid MRPDU messages received on the switch.

New received

Number of new messages received on the switch.

Join Empty received

Number of MRP JoinEmpty messages received on the switch. Either this value or the value for JoinIn received should increase when the value for MRPDU received increases. If this value is not incrementing when it should, you might have a Junos OS release version compatibility issue. To fix a version compatibility issue, see “Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure)” on page 2233.

Join In received

Number of MRP JoinIn messages received on the switch. Either this value or the value for JoinEmpty received should increase when the value for MRPDU received increases. If this value is not incrementing when it should, you might have a Junos OS release version compatibility issue. To fix a version compatibility issue, see “Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure)” on page 2233.

Empty received

Number of MRP Empty messages received on the switch.

2382



Table 270: show mvrp statistics Output Fields (continued) Field Name

Field Description

In received

Number of MRP In messages received on the switch.

Leave received

Number of MRP Leave messages received on the switch.

LeaveAll received

Number of LeaveAll messages received on the switch.

MRPDU transmitted

Number of MRPDU messages transmitted from the switch.

MRPDU transmit failures

Number of MRPDU transmit failures from the switch.

New transmitted

Number of new messages transmitted from the switch.

Join Empty transmitted

Number of JoinEmpty messages sent from the switch.

Join In transmitted

Number of MRP JoinIn messages sent from the switch.

Empty transmitted

Number of MRP Empty messages sent from the switch.

In transmitted

Number of MRP In messages sent from the switch.

Leave transmitted

Number of MRP Leave Empty messages sent from the switch.

LeaveAll transmitted

Number of MRP LeaveAll messages sent from the switch.

Sample Output show mvrp statistics interface xe-0/1/1.0

user@switch> show mvrp statistics interface xe-0/1/1.0 MVRP statistics MRPDU received : 3342 Invalid PDU received : 0 New received : 2 Join Empty received : 1116 Join In received : 2219 Empty received : 2 In received : 2 Leave received : 1 LeaveAll received : 1117 MRPDU transmitted : 3280 MRPDU transmit failures : 0 New transmitted : 0 Join Empty transmitted : 1114 Join In transmitted : 2163 Empty transmitted : 1 In transmitted : 1 Leave transmitted : 1 LeaveAll transmitted : 1111


2383

®


2384



show protection-group ethernet-ring aps Syntax Release Information

Description



Output Fields

show protection-group ethernet-ring aps

Command introduced in Junos OS Release 9.4. Command introduced in Junos OS Release 12.1 for EX Series switches. Display the status of the Automatic Protection Switching (APS) and Ring APS (RAPS) messages on an Ethernet ring. This command has no options. view

•

show protection-group ethernet-ring data-channel

•

show protection-group ethernet-ring interface on page 2389

•

show protection-group ethernet-ring node-state on page 2391

•

show protection-group ethernet-ring statistics on page 2394

•

show protection-group ethernet-ring vlan

show protection-group ethernet-ring aps (EX Switches) on page 2386 show protection-group ethernet-ring aps (Owner Node, Normal Operation on MX Routers) on page 2386 show protection-group ethernet-ring aps (Ring Node, Normal Operation on MX Routers) on page 2386 show protection-group ethernet-ring aps (Owner Node, Failure Condition on MX Routers) on page 2386 show protection-group ethernet-ring aps (Ring Node, Failure Condition on MX Routers) on page 2386 Table 271 on page 2385 lists the output fields for the show protection-group ethernet-ring aps command. Output fields are listed in the approximate order in which they appear.

Table 271: show protection-group ethernet-ring aps Output Fields Field Name

Field Description

Ethernet Ring Name

Name configured for the Ethernet ring.

Request/State

Status of the Ethernet ring RAPS messages. •

NR—Indicates there is no request for APS on the ring.

•

SF—Indicates there is a signal failure on the ring.

No Flush

State of the ring flushing: No (normal) or Yes (failure).

Ring Protection Link Blocked

Blocking on the ring protection link: Yes or No.


2385

®


Table 271: show protection-group ethernet-ring aps Output Fields (continued) Field Name

Field Description

Originator

Whether this node is the ring originator: Yes or No.

Remote Node ID

Identifier (in MAC address format) of the remote node.

Sample Output show protection-group ethernet-ring aps (EX Switches)

user@switch>> show protection-group ethernet-ring aps Ring Name Request/state No Flush RPL Blocked erp1 NR no yes

Originator no

Remote Node ID 00:1F:12:30:B8:81

Sample Output show protection-group ethernet-ring aps (Owner Node, Normal Operation on MX Routers)

user@host> show protection-group ethernet-ring aps Ethernet Ring Name Request/state No Flush Ring Protection Link Blocked pg101 NR No Yes

show protection-group ethernet-ring aps (Ring Node, Normal Operation on MX Routers)

user@host> show protection-group ethernet-ring aps Ethernet Ring Name Request/state No Flush Ring Protection Link Blocked pg102 NR No Yes

show protection-group ethernet-ring aps (Owner Node, Failure Condition on MX Routers)

user@host> show protection-group ethernet-ring aps Ethernet Ring Name Request/state No Flush Ring Protection Link Blocked pg101 SF No No

show protection-group ethernet-ring aps (Ring Node, Failure Condition on MX Routers)

user@host> show protection-group ethernet-ring aps Ethernet Ring Name Request/state No Flush Ring Protection Link Blocked pg102 SF No Yes

2386

Originator Yes

Originator No

Originator No

Originator Yes

Remote Node ID

Remote Node ID 00:01:01:00:00:01

Remote Node ID 00:01:02:00:00:01

Remote Node ID 00:00:00:00:00:00



show protection-group ethernet-ring configuration Syntax Release Information Description



show protection-group ethernet-ring configuration

Command introduced in JUNOS Release 12.1. Display the configuration of Ethernet ring protection group on a switch. This statement is not used with routers. view

•

show protection-group ethernet-ring aps

•

show protection-group ethernet-ring aps on page 2385

•


•


•


•


•


show protection-group ethernet-ring configuration on page 2388 Table 272 on page 2387 lists the output fields for the command-name command. Output fields are listed in the approximate order in which they appear.

Table 272: show protection-group ethernet-ring configuration Output Fields Output Fields

Field Description

East Interface

One of the two switch interfaces that participates in a ring link.

West Interface

One of the two interfaces in a switch that participates in a ring link.

Restore Interval

Configured interval of wait time after a link is restored. When a link goes down, the RPL link activates. When the downed link comes back up, the RPL link receives notification, restores the link, and waits for the restore interval before issuing another block on the same link. The configured number of minutes can be 5 through 12. This configuration is a global configuration and applies to all Ethernet rings if the Ethernet ring doesn't have a more specific configuration for this value. If no parameter is configured at the protection group level, the global configuration of this parameter uses the default value.

Guard Interval

Configured number of milliseconds (in 10 millisecond intervals, 10 milliseconds through 2000 milliseconds) that the node does not process any Ethernet ring protection protocol data units (PDUs). This configuration is a global configuration and applies to all Ethernet rings if the Ethernet ring does not have a more specific configuration for this value. If no parameter is configured at the protection group level, the global configuration of this parameter uses the default value.


2387

®


Table 272: show protection-group ethernet-ring configuration Output Fields (continued) Output Fields

Field Description

Node Id

Node ID for the switch assigned by default (not configurable)

Control Vlan

VLAN that transfers ERP PDUs from one node to another

Physical Ring

Physical ring if the east and west interfaces are non-trunk ports

Sample Output show protection-group ethernet-ring configuration

2388

user@switch> show protection-group ethernet-ring configuration Ethernet ring configuration parameters for protection group erp1 East Interface : ge-0/0/3.0 West Interface : ge-0/0/9.0 Restore Interval : 5 minutes Guard Interval : 500 ms Node Id : 00:1F:12:30:B8:81 Control Vlan : 101 Physical Ring : yes



show protection-group ethernet-ring interface Syntax Release Information Description


show protection-group ethernet-ring interface

Command introduced in Junos OS Release 9.4. Displays the status of the Automatic Protection Switching (APS) interfaces on an Ethernet ring. This command has no options. view

•


•


•


•


•



show protection-group ethernet-ring interface (EX Series Switch Owner Node) on page 2390 show protection-group ethernet-ring interface (Owner Node MX Series Router ) on page 2390 show protection-group ethernet-ring interface (EX Series Switch Ring Node) on page 2390 show protection-group ethernet-ring interface (MX Series Router Ring Node) on page 2390

Output Fields

Table 273 on page 2389 lists the output fields for both the EX Series switch and the MX Series router show protection-group ethernet-ring interface commands. Output fields are listed in the approximate order in which they appear.

Table 273: MX Series Routers show protection-group ethernet-ring interface Output Fields Field Name

Field Description

Ethernet ring port parameters for protection group group-name

Output is organized by configured protection group.

Interface

Physical interfaces configured for the Ethernet ring.

Control Channel

(MX Series router only) Logical unit configured on the physical interface.

Forward State


•

NR—Indicates there is no request for APS on the ring.

•

SF—Indicates there is a signal failure on the ring.

State of the ring forwarding on the interface: discarding or forwarding.

2389

®


Table 273: MX Series Routers show protection-group ethernet-ring interface Output Fields (continued) Field Name

Field Description

Ring Protection Link End

Whether this interface is the end of the ring: Yes or No.

Signal Failure

Whether there a signal failure exists on the link: Clear or Set.

Admin State

State of the interface: For EX switches, ready, ifl ready, or waiting. For MX routers, IFF ready or IFF disabled.

Sample Output show protection-group ethernet-ring interface (EX Series Switch Owner Node)

show protection-group ethernet-ring interface (Owner Node MX Series Router )

user@host> show protection-group ethernet-ring interface Ethernet ring port parameters for protection group pg101 Interface

Forward State

RPL End

ge-0/0/3.0 ge-0/0/9.0

discarding forwarding

Yes No

Signal Failure

Admin State

Clear Clear

ready ready

user@host> show protection-group ethernet-ring interface Ethernet ring port parameters for protection group pg101 Interface ge-1/0/1 ge-1/2/4

Control Channel ge-1/0/1.1 ge-1/2/4.1

Forward State discarding forwarding

Ring Protection Link End Yes No

Signal Failure Admin State Clear IFF ready Clear IFF ready

show protection-group ethernet-ring interface (EX Series Switch Ring Node)

show protection-group ethernet-ring interface (MX Series Router Ring Node)

user@host> show protection-group ethernet-ring interface Ethernet ring port parameters for protection group pg102 Ethernet ring port parameters for protection group pg101 Interface

Forward State

RPL End

ge-0/0/3.0 ge-0/0/9.0

discarding forwarding

Yes No

Signal Failure

Admin State

Clear Clear

ready ready

user@host> show protection-group ethernet-ring interface Ethernet ring port parameters for protection group pg102 Interface ge-1/2/1 ge-1/0/2

Control Channel ge-1/2/1.1 ge-1/0/2.1

Forward State forwarding forwarding

Ring Protection Link End No No

Signal Failure Admin State Clear IFF ready Clear IFF ready

2390



show protection-group ethernet-ring node-state Syntax Release Information

Description


show protection-group ethernet-ring node-state

Command introduced in Junos OS Release 9.4. Command introduced in Junos OS Release 12.1 for EX Series switches. Display the status of the Automatic Protection Switching (APS) nodes on an Ethernet ring. This command has no options. view

•


•


•


•


•



show protection-group ethernet-ring node-state (EX Series Switch) on page 2392 show protection-group ethernet-ring node-state (Owner Node, Normal Operation on MX Series Router) on page 2392 show protection-group ethernet-ring node-state (Ring Node, Normal Operation on MX Series Router) on page 2392 show protection-group ethernet-ring node-state (Owner Node, Failure Condition on MX Series Router) on page 2392 show protection-group ethernet-ring node-state (Ring Node, Failure Condition on MX Series Router) on page 2392

Output Fields

Table 274 on page 2391 lists the output fields for the show protection-group ethernet-ring node-state command. Output fields are listed in the approximate order in which they appear.

Table 274: show protection-group ethernet-ring node-state Output Fields Field Name

Field Description

Ring Name

Name configured for the Ethernet ring.

APS State

State of the Ethernet ring APS.


•

idle—Indicates there is no APS on the ring.

•

protected—Indicates there is a protection switch on the ring.

2391

®


Table 274: show protection-group ethernet-ring node-state Output Fields (continued) Field Name

Field Description

Event

Events on the ring. •

NR-RB—Indicates there is no APS request and the ring link is

blocked on the ring owner node. •

NR—Indicates there is no APS request on the ring non-owner

nodes. •

SF—Indicates there is signal failure on a node link.

Ring Protection Link Owner

Whether this node is the ring owner: Yes or No.

Restore Timer (WTR Timer)

Restoration timer: Enabled or Disabled.

Guard Timer

Guard timer: Enabled or Disabled.

Operational State

State of the node: Operational or Non-operational.

Sample Output show protection-group ethernet-ring node-state (EX Series Switch)

user@switch> show protection-group ethernet-ring node-state Ring Name APS State Event RPL Owner WTR Timer Guard Timer Op State erp1 idle NR-RB yes disabled disabled operational

show protection-group ethernet-ring node-state (Owner Node, Normal Operation on MX Series Router)

user@host> show protection-group ethernet-ring node-state Ethernet ring APS State Event Ring Protection Link Owner pg101 idle NR-RB Yes

show protection-group ethernet-ring node-state (Ring Node, Normal Operation on MX Series Router)

user@host> show protection-group ethernet-ring node-state Ethernet ring APS State Event Ring Protection Link Owner pg102 idle NR-RB No

show protection-group ethernet-ring node-state (Owner Node, Failure Condition on MX Series Router)

user@host> show protection-group ethernet-ring node-state Ethernet ring APS State Event Ring Protection Link Owner pg101 protected SF Yes

show protection-group ethernet-ring node-state (Ring Node,

user@host> show protection-group ethernet-ring node-state Ethernet ring APS State Event Ring Protection Link Owner pg102 idle NR-RB No

2392

Restore Timer disabled



Quard Timer Operation state disabled operational





Failure Condition on MX Series Router)




2393

®


show protection-group ethernet-ring statistics Syntax Release Information

Description

Options

show protection-group ethernet-ring statistics

Command introduced in Junos OS Release 9.4. Command introduced in Junos OS Release 12.1 for EX Series switches. Display statistics regarding Automatic Protection Switching (APS) protection groups on an Ethernet ring. group-name—Protection group for which to display statistics. In you omit this optional

field, all protection group statistics for configured groups will be displayed. Required Privilege Level Related Documentation

view

•


•


•


•


•



show protection-group ethernet-ring statistics (EX Switch) on page 2395 show protection-group ethernet-ring statistics (Owner Node, Normal Operation on MX Router) on page 2395 show protection-group ethernet-ring statistics (Ring Node, Normal Operation on MX Router) on page 2395 show protection-group ethernet-ring statistics (Owner Node, Failure Condition on MX Router) on page 2395 show protection-group ethernet-ring statisitics (Ring Node, Failure Condition on MX Router) on page 2395

Output Fields

Table 275 on page 2394 lists the output fields for the show protection-group ethernet-ring statistics command. Output fields are listed in the approximate order in which they appear.

Table 275: show protection-group ethernet-ring statistics Output Fields

2394

Field Name

Field Description

Ethernet Ring Statistics for PG

Name of the protection group for which statistics are displayed.

RAPS sent

Number of Ring Automatic Protection Switching (RAPS) messages sent. (On MX Series switches only)

RAPS received

Number of RAPS messages received. (On MX Series switches only)



Table 275: show protection-group ethernet-ring statistics Output Fields (continued) Field Name

Field Description

Local SF

Number of times a signal failure (SF) has occurred locally.

Remote SF

Number of times a signal failure (SF) has occurred anywhere else on the ring.

NR event

Number of times a No Request (NR) event has occurred on the ring.

NR-RB event

Number of times a No Request, Ring Blocked (NR-RB) event has occurred on the ring.

Sample Output show protection-group ethernet-ring statistics (EX Switch)

user@switch> show protection-group ethernet-ring statistics Ring Name Local SF Remote SF NR Event NR-RB Event erp1 2 1 2 3

show protection-group ethernet-ring statistics (Owner Node, Normal Operation on MX Router)

user@host> show protection-group ethernet-ring statistics group-name pg101 Ethernet Ring statistics for PG pg101 RAPS sent : 1 RAPS received : 0 Local SF happened: : 0 Remote SF happened: : 0 NR event happened: : 0 NR-RB event happened: : 1

show protection-group ethernet-ring statistics (Ring Node, Normal Operation on MX Router)


show protection-group ethernet-ring statistics (Owner Node, Failure Condition on MX Router)


show protection-group ethernet-ring statisitics (Ring Node, Failure Condition on MX Router)

user@host> show protection-group ethernet-ring statistics group-name pg102 Ethernet Ring statistics for PG pg102 RAPS sent : 1 RAPS received : 1 Local SF happened: : 1 Remote SF happened: : 0


2395

®


NR event happened: NR-RB event happened:

2396

: 0 : 1



show redundant-trunk-group Syntax Release Information Description Options Required Privilege Level Related Documentation


show redundant-trunk-group

Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about redundant trunk groups. group-name group-name—Display information about the specified redundant trunk group.

view

•


•


show redundant-trunk-group group-name Group1 on page 2397 Table 276 on page 2397 lists the output fields for the show redundant-trunk-group command. Output fields are listed in the approximate order in which they appear.

Table 276: show redundant-trunk-group Output Fields Field Name

Field Description

Group Name

Name of the redundant trunk port group.

Interface

Name of an interface belonging to the trunk port group. •

(P) denotes a primary interface.

•

(A) denotes an active interface.

•

Lack of (A) denotes a blocking interface.

State

Operating state of the interface: UP or DOWN.

Last Time of Flap

Date and time at which the advertised link became unavailable, and then, available again.

# Flaps

Total number of flaps since the last switch reboot.

Sample Output show redundant-trunk-group group-name Group1

user@switch> show redundant—trunk-group group-name Group1 show redundant-trunk-group group-name Group1 Group Name Interface Group1 ge-0/0/45.0 (P) ge-0/0/47.0


State UP UP

Last Time of Flap Fri Jan 2 04:10:58 Fri Jan 2 04:10:58

# Flaps 0 0

2397

®


show system statistics arp Syntax Release Information Description Required Privilege Level Related Documentation

show system statistics arp

Command introduced in Junos OS Release 9.6 for EX Series switches. Display system-wide Address Resolution Protocol (ARP) statistics. view

•


•


Sample Output user@switch> show system statistics arp arp: 90060 datagrams received 34 ARP requests received 610 ARP replies received 0 resolution request received 0 unrestricted proxy requests 0 restricted proxy requests 0 received proxy requests 0 unrestricted proxy requests not proxied 0 restricted proxy requests not proxied 0 datagrams with bogus interface 0 datagrams with incorrect length 0 datagrams for non-IP protocol 0 datagrams with unsupported op code 0 datagrams with bad protocol address length 0 datagrams with bad hardware address length 0 datagrams with multicast source address 0 datagrams with multicast source address 0 datagrams with my own hardware address 0 datagrams for an address not on the interface 0 datagrams with a broadcast source address 294 datagrams with source address duplicate to mine 89113 datagrams which were not for me 0 packets discarded waiting for resolution 0 packets sent after waiting for resolution 309 ARP requests sent 35 ARP replies sent 0 requests for memory denied 0 requests dropped on entry 0 requests dropped during retry 0 requests dropped due to interface deletion 0 requests on unnumbered interfaces 0 new requests on unnumbered interfaces 0 replies for from unnumbered interfaces 0 requests on unnumbered interface with non-subnetted donor 0 replies from unnumbered interface with non-subnetted donor

2398



show vlans Syntax


show vlans

Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about VLANs configured on bridged Ethernet interfaces. For interfaces configured to support a voice over IP (VoIP) VLAN and a data VLAN, the show vlans command displays both tagged and untagged membership for those VLANs.

NOTE: When a series of VLANs is created with the vlan-range statement, such VLAN names are prefixed and suffixed with a double underscore. For example, a series of VLANs using the VLAN range 1–3 and the base VLAN name marketing are displayed as __marketing_1__, __marketing_2__, and __marketing_3__.

NOTE: To display an 802.1X supplicant successfully authenticated in multiple-supplicant mode with dynamic VLAN movement, use the show vlans vlan-name extensive operational mode command, where vlan-name is the name of the dynamic VLAN.

Options

none—Display information for all VLANs. VLAN information is displayed by VLAN name

in ascending order. brief | detail | extensive—(Optional) Display the specified level of output. dot1q-tunneling—(Optional) Display VLANs with the Q-in-Q tunneling feature enabled. management-vlan—(Optional) Display management VLANs. sort-by (name | tag)—(Optional) Display VLANs in ascending order of VLAN IDs or VLAN

names. summary—(Optional) Display the total number of VLANs and counts of VLANs by type—for

example, the number of dynamic, 802.1Q-tagged, and Q-in-Q tunneled VLANs. vlan-name—(Optional) Display information for the specified VLAN.


2399

®


vlan-range-name—(Optional) Display information for the specified VLAN range. To display

information for all members of the VLAN range, specify the base VLAN name—for example, employee for a VLAN range that includes __employee_1__ through __employee_10__. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


•


•


show vlans on page 2403 show vlans brief on page 2403 show vlans detail on page 2403 show vlans extensive (for a PVLAN spanning multiple switches) on page 2404 show vlans extensive (MAC-based) on page 2405 show vlans extensive (Port-based) on page 2406 show vlans sort-by tag on page 2407 show vlans sort-by name on page 2408 show vlans employee (vlan-range-name) on page 2408 show vlans summary on page 2409 Table 277 on page 2400 lists the output fields for the show vlans command. Output fields are listed in the approximate order in which they appear.

Table 277: show vlans Output Fields Field Name

Field Description

Level of Output

Name

Name of a VLAN.

none, brief

Tag

The 802.1Q tag applied to this VLAN. If none is displayed, no tag is applied.

All levels

Interfaces

Interface associated with learned MAC addresses or all-members (flood entry). An asterisk (*) beside the interface indicates that the interface is UP.

All levels

Address

The IP address.

none, brief

Ports Active / Total

The number of interfaces associated with a VLAN. The Active column indicates interfaces that are UP, and the Total column indicates interfaces that are active and inactive.

brief

VLAN

Name of a VLAN.

detail, extensive

2400



Table 277: show vlans Output Fields (continued) Field Name

Field Description

Level of Output

Admin state

Indicates whether the physical link is operational and can pass packets.

detail, extensive

Dot1q Tunneling Status

Indicates whether Q-in-Q tunneling is enabled.

detail, extensive

MAC learning Status

Indicates whether MAC learning is disabled.

detail, extensive

Description

A description for the VLAN.

detail,extensive

Primary IP

Primary IP address associated with a VLAN.

detail

Number of interfaces

The number of interfaces associated with a VLAN. Both the total number of interfaces and the number of active interfaces associated with a VLAN are displayed. Also lists the following attributes of the interfaces:

detail, extensive

•

tagged or untagged

•

trunk or access port mode

•

pvlan-trunk

STP

The spanning tree associated with a VLAN.

detail, extensive

RTG

The redundant trunk group associated with a VLAN.

detail, extensive

Tagged interfaces

The tagged interfaces to which a VLAN is associated.

detail, extensive

Untagged interfaces

The untagged interfaces to which a VLAN is associated.

detail. extensive

Customer VLAN Ranges

Lists the customer VLAN (C-VLAN) ranges associated with this service VLAN (S-VLAN).

extensive

Private VLAN Mode

The private VLAN mode (type of broadcast domain) for this VLAN. Values are Primary, Isolated, Inter-switch-isolated, and Community.

detail, extensive

Primary VLAN

The primary VLAN tag for this secondary VLAN.

extensive

Internal Index


extensive

Origin

The manner in which the VLAN was created. Values are static and learn.

extensive

Protocol

Port-based VLAN or MAC-based VLAN. MAC-based protocol is displayed when VLAN assignment is done either statically or dynamically through 802.1X.

extensive

Mac aging time

The MAC aging timer.

extensive

IP addresses

IP address associated with a VLAN.

extensive

Number of MAC entries

For MAC-based VLANs created either statically or dynamically, the MAC addresses associated with an interface.

extensive


2401

®



Field Description

Level of Output

Secondary VLANs

The secondary VLANs associated with a primary VLAN.

extensive

Isolated VLAN

The isolated VLANs associated with a primary VLAN.

extensive

Inter-switch isolated VLAN

The inter-switch isolated VLAN associated with a primary VLAN.

extensive

Community VLANs

The community VLANs associated with a primary VLAN.

extensive

VLANs summary

VLAN counts:

All levels

•

Total—Total number of VLANs on the switch.

•

Configured VLANs—Number of VLANs that are based on user-configured

settings. •

Internal VLANs—Number of VLANs created by the system with no explicit configuration or protocol—for example, the default VLAN and the VLAN

created when a trunk interface is not configured with native VLAN membership. •

Temporary VLANs—Number of VLANs from the previous configuration that

the system retains for a limited time after restart. Temporary VLANs are converted into one of the other types of VLAN, or are removed from the system if the current configuration does not require them. Dot1q VLANs summary

802.1Q VLAN counts:

All levels

•

Total—Total number of 802.1Q-tagged and untagged VLANs on the switch.

•

Tagged VLANs—Number of 802.1Q-tagged VLANs.

•

Untagged VLANs—Number of untagged 802.1Q VLANs.

•

Private VLAN—Counts of the following kinds of 802.1Q private VLANs

(PVLANs): •

Primary VLANs—Number of primary forwarding private VLANs.

•

Community VLANs—Number of community transporting and forwarding

private VLANs. •

Isolated VLANs—Number of isolated receiving and forwarding private

VLANs. •

Inter–switch–isolated VLANs—Number of inter-switch isolated receiving

and forwarding private VLANs. Dot1q Tunneled VLANs summary

Q-in-Q-tunneled VLAN counts:

All levels

•

Total—Total number of Q-in-Q-tunneled VLANs on the switch.

•

Private VLAN—Counts of primary, community, and isolated Q-in-Q-tunneled

private VLANs (PVLANs).

2402




Field Description

Level of Output

Dynamic VLANs

Counts of VLANs assigned or created dynamically by a protocol:

All levels

•

Total—Total number of dynamic VLANs on the switch.

•

Dot1x—Number of 802.1Q-tagged VLANs authenticated and assigned when

the switch learns the MAC address of a supplicant host from a packet’s source MAC address. •

MVRP—Number of VLANs created by the Multiple VLAN Registration Protocol

(MVRP).

Sample Output show vlans

user@switch> show vlans Name default

Tag None

Interfaces ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0, ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0, ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0

v0001

1

v0002

2

v0003

3

v0004

4

v0005

5

ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0 None None None None

show vlans brief

user@switch> show vlans brief Name default v0001 v0002 v0003 v0004 v0005 v0006 v0007 v0008 v0009 v0010 v0011 v0012 v0013 v0014 v0015 v0016

show vlans detail

Tag None 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Address

Ports Active/Total 0/23 0/4 0/0 0/0 0/0 0/0 0/0 0/0 0/0 0/0 0/2 0/0 0/0 0/0 0/0 0/0 0/0

user@switch> show vlans detail


2403

®


VLAN: default, Tag: Untagged, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 23 (Active = 0) STP: None, RTG: None Untagged interfaces: ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0, ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0, ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0, Tagged interfaces: None VLAN: v0001, Tag: 802.1Q Tag 1, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 4 (Active = 0) Dot1q Tunneling Status: Enabled STP: None, RTG: None Untagged interfaces: None Tagged interfaces: ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0, VLAN: v0002, Tag: 802.1Q Tag 2, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 0 (Active = 0) STP: None, RTG: None Untagged interfaces: None Tagged interfaces: None VLAN: v0003, Tag: 802.1Q Tag 3, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 0 (Active = 0) STP: None, RTG: None Untagged interfaces: None Tagged interfaces: None VLAN: vlan4000, 802.1Q Tag: Untagged, Admin State: Enabled MAC learning Status: Disabled Number of interfaces: 0 (Active = 0)

show vlans extensive (for a PVLAN spanning multiple switches)

user@switch> show vlans extensive VLAN: COM1, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 100, Internal index: 3, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/7.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/0.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access

VLAN: __pvlan_primary_ge-0/0/2.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 6, Admin State: Enabled, Origin: Static

2404



Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/2.0, untagged, access

1 (Active = 0)

VLAN: __pvlan_primary_isiv__, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 0 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk

VLAN: community2, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 20, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 2 (Active = 2) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, untagged, access ge-1/0/6.0*, untagged, access


show vlans extensive (MAC-based)


1

user@switch> show vlans extensive VLAN: default, Created at: Thu May 15 13:43:09 2008 Internal index: 3, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 2 (Active = 2)


2405

®


ge-0/0/0.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: vlan_dyn, Created at: Thu May 15 13:43:09 2008 Internal index: 4, Admin State: Enabled, Origin: Static Protocol: Port Mode Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) Protocol: MAC Based Number of MAC entries: 6 ge-0/0/0.0* 00:00:00:00:00:02 (untagged) 00:00:00:00:00:03 (untagged) 00:00:00:00:00:04 (untagged) 00:00:00:00:00:05 (untagged) 00:00:00:00:00:06 (untagged) 00:00:00:00:00:07 (untagged)

show vlans extensive (Port-based)

user@switch> show vlans extensive VLAN: default, created at Mon Feb 4 12:13:47 2008 Tag: None, Internal index: 0, Admin state: Enabled, Origin: static Description: None Dot1q Tunneling Status: Enabled Customer VLAN ranges: 1-4100 Private VLAN Mode: Primary Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 0 (Active = 0), Untagged 23 (Active = 0) ge-0/0/34.0 (untagged, access) ge-0/0/33.0 (untagged, access) ge-0/0/32.0 (untagged, access) ge-0/0/31.0 (untagged, access) ge-0/0/30.0 (untagged, access) ge-0/0/29.0 (untagged, access) ge-0/0/28.0 (untagged, access) ge-0/0/27.0 (untagged, access) ge-0/0/26.0 (untagged, access) ge-0/0/25.0 (untagged, access) ge-0/0/19.0 (untagged, access) ge-0/0/18.0 (untagged, access) ge-0/0/17.0 (untagged, access) ge-0/0/16.0 (untagged, access) ge-0/0/15.0 (untagged, access) ge-0/0/14.0 (untagged, access) ge-0/0/13.0 (untagged, access) ge-0/0/11.0 (untagged, access) ge-0/0/9.0 (untagged, access) ge-0/0/8.0 (untagged, access) ge-0/0/3.0 (untagged, access) ge-0/0/2.0 (untagged, access) ge-0/0/1.0 (untagged, access) Secondary VLANs: Isolated 1, Community Isolated VLANs : __pvlan_pvlan_ge-0/0/3.0__ Community VLANs : comm1

1

VLAN: v0001, created at Mon Feb 4 12:13:47 2008 Tag: 1, Internal index: 1, Admin state: Enabled, Origin: static

2406



Description: None Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 4 (Active = 0), Untagged 0 (Active = 0) ge-0/0/24.0 (tagged, trunk) ge-0/0/23.0 (tagged, trunk) ge-0/0/22.0 (tagged, trunk) ge-0/0/21.0 (tagged, trunk) VLAN: v0002, created at Mon Feb 4 12:13:47 2008 Tag: 2, Internal index: 2, Admin state: Enabled, Origin: static Description: None Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) None VLAN: v0003, created at Mon Feb 4 12:13:47 2008 Tag: 3, Internal index: 3, Admin state: Enabled, Origin: static Description: None Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) None

show vlans sort-by tag

user@switch> show vlans sort-by tag Name Tag Interfaces default None __vlan-x_1__ 1 None __vlan-x_2__ 2 None __vlan-x_3__ 3 None __vlan-x_4__ 4 None __vlan-x_5__ 5 None __vlan-x_6__ 6 None __vlan-x_7__ 7 None __vlan-x_8__ 8 None __vlan-x_9__ 9 None __vlan-x_10__ 10 None __vlan-x_11__ 11 None __vlan-x_12__ 12 None __vlan-x_13__ 13 None __vlan-x_14__ 14 None __vlan-x_15__ 15 None


2407

®


__vlan-x_16__

16

__vlan-x_17__

17

__vlan-x_18__

18

__vlan-x_19__

19

__vlan-x_20__

20

None None None None None

show vlans sort-by name

user@switch> show vlans sort-by name Name

Tag

Interfaces

__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*

show vlans employee (vlan-range-name)

user@switch> show vlans employee Name

Tag

Interfaces

__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129

2408



ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*

show vlans summary

user@switch> show vlans summary VLANs summary: Total: 8, Configured VLANs: 5 Internal VLANs: 1, Temporary VLANs: 0 Dot1q VLANs summary: Total: 8, Tagged VLANs: 2, Untagged VLANs: 6 Private VLAN: Primary VLANs: 2, Community VLANs: 2, Isolated VLANs: 3 Dot1q Tunneled VLANs summary: Total: 0 Private VLAN: Primary VLANs: 0, Community VLANs: 0, Isolated VLANs: 0 Dynamic VLANs: Total: 2, Dot1x: 2, MVRP: 0


2409

®


2410


PART 15

Spanning-Tree Protocols •

Spanning-Tree Protocols—Overview on page 2413

•

Examples of Spanning-Tree Protocols Configuration on page 2427

•

Configuring Spanning-Tree Protocols on page 2483

•

Verifying Spanning-Tree Protocols on page 2493

•

Configuration Statements for Spanning-Tree Protocols on page 2497

•

Operational Commands for Spanning-Tree Protocols on page 2545


2411

®


2412


CHAPTER 70

Spanning-Tree Protocols—Overview •


•


•


•


•

Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches on page 2423

•

Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches on page 2424

•


Understanding STP for EX Series Switches Ethernet networks are susceptible to broadcast storms if loops are introduced. However, an Ethernet network should always include loops because they provide redundant paths in case of a link failure. Spanning-tree protocols address both of these issues because they provide link redundancy while simultaneously preventing undesirable loops. Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention through Spanning–Tree Protocol (STP), Rapid Spanning–Tree Protocol (RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN Spanning-Tree Protocol (VSTP). Configure STP when you need to support older 802.1D 1998 bridges. However, note that EX Series switches configured to use STP actually run RSTP force version 0, which is compatible with STP. For an explanation of RSTP, see “Understanding RSTP for EX Series Switches” on page 2415 This topic describes: •

Selecting a Spanning-Tree Protocol on page 2413

Selecting a Spanning-Tree Protocol The default factory configuration for EX Series switches is RSTP, a faster version of STP. To determine which spanning-tree protocol is best for your situation, see Table 278 on page 2414 below.


2413

®


Table 278: Selecting a Spanning-Tree Protocol Protocol

Advantages

Disadvantages

RSTP

•

•

RSTP does not work with 802.1D 1998 bridges.

•

RSTP is not recommended for multiple VLAN networks because it is not VLAN-aware—as a result, all VLANs within a LAN share the same spanning-tree. This limits the number of forwarding paths for data traffic.

•

STP is slower than RSTP.

•

STP is not recommended for multiple VLAN networks because it is not VLAN-aware—as a result, all VLANs within a LAN share the same spanning-tree. This limits the number of forwarding paths for data traffic.

STP

MSTP

VSTP

Rapid Spanning-Tree Protocol is the default switch configuration and is recommended for most network configurations because it converges more quickly than STP after a failure.

•

Voice and video work better with RSTP than they do with STP.

•

RSTP is backward compatible with STP so switches do not all have to run RSTP.

•

RSTP supports more ports than MSTP or VSTP

•

Spanning-Tree Protocol works with 802.1D 1998 bridges.

•

RSTP is backward compatible with STP so switches do not all have to run STP.

•

Multiple Spanning-Tree Protocol works with most VLANs.

•

Some protocols require compatibility that is not provided by MSTP. In this case, use VSTP.

•

RSTP and STP are recognized as distinct spanning-tree regions by MSTP.

•

MSTP supports a limited number of ports.

•

MSTP uses more CPU than RSTP and does not converge as fast as RSTP.

•

VLAN Spanning-Tree Protocol works with VLANs that require device compatibility.

•

•

VSTP and RSTP are the only spanning-tree protocols that can be configured concurrently on a switch.

With VSTP there can be only STP instance per VLAN, whereas MSTP lets you combine multiple VLANs in one instance.

•

VSTP supports a limited number of ports compared to RSTP.

•

VSTP uses more CPU than RSTP and does not converge as fast as RSTP.

•

Having a large number of VSTP and RSTP instances can cause continuous changes in the topology. As a workaround, reduce the number of VSTP instances to fewer than 190.


2414

•

Configuring STP (CLI Procedure) on page 2484

•


•


•


•



Chapter 70: Spanning-Tree Protocols—Overview

Understanding RSTP for EX Series Switches Ethernet networks are susceptible to broadcast storms if loops are introduced. However, an Ethernet network should always include loops because they provide redundant paths in case of a link failure. Spanning tree protocols address both of these issues because they provide link redundancy while simultaneously preventing undesirable loops. Rapid Spanning-Tree Protocol (RSTP) is the default spanning-tree protocol for preventing loops on Ethernet networks. This topic describes: •

Spanning-Tree Protocols Help Prevent Broadcast Storms on page 2415

•

RSTP is an Enhancement of the Original STP on page 2415

•

Port Roles Determine Participation in The Spanning-Tree on page 2416

•

Port States Determine How a Port Processes a Frame on page 2416

•

Edge Ports Connect to Devices That Cannot Be Part of a Spanning-Tree on page 2416

•

BPDUs Maintain the Spanning-Tree on page 2417

•

When an RSTP Root Bridge Fails on page 2417

•

Switches Must Relearn MAC Addresses After a Link Failure on page 2418

•


Spanning-Tree Protocols Help Prevent Broadcast Storms Spanning tree protocols intelligently avoid loops in a network by creating a tree topology (spanning-tree) of the entire bridged network with only one available path between the tree root and a leaf. All other paths are forced into a standby state. The tree root is a switch within the network elected by the STA (spanning-tree algorithm) to use when computing the best path between bridges throughout the network and the root bridge. Frames travel through the network to their destination–a leaf such as an end-user PC–along branches. A tree branch is a network segment, or link, between bridges. Switches that forward frames through an STP spanning-tree are called designated bridges. Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention through Spanning-Tree Protocol (STP), Rapid Spanning-Tree Protocol (RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN Spanning-Tree Protocol (VSTP). This topic explains the spanning-tree default RSTP.

RSTP is an Enhancement of the Original STP RSTP evolved from the original STP IEEE 802.1D protocol to provide faster spanning-tree re-convergence after a switch port, switch, or LAN failure. Where STP took up to 50 seconds to respond to topology changes, RSTP responds to changes within the timeframe of three hello BPDUs (bridge protocol data units), or 6 seconds. This is the primary reason that RSTP is the default configuration on EX Series switches. In addition, note that EX Series switches configured to use STP actually run RSTP force version 0, which is compatible with STP.


2415

®


Port Roles Determine Participation in The Spanning-Tree Each port has both a state and a role. A port’s role determines how it participates in the spanning-tree. The five port roles used in RSTP are: •

Root port—The port closest to the root bridge (has the lowest path cost from a bridge). This is the only port that receives frames from and forwards frames to the root bridge.

•

Designated port—The port that forwards traffic away from the root bridge toward a leaf. A designated bridge has one designated port for every link connection it serves. A root bridge forwards frames from all of its ports, which serve as designated ports.

•

Alternate port—A port that provides an alternate path toward the root bridge if the root port fails and is placed in the discarding state. This port is not part of the active spanning-tree, but if the root port fails, the alternate port immediately takes over.

•

Backup port—A port that provides a backup path toward the leaves of the spanning-tree if a designated port fails and is placed in the discarding state. A backup port can only exist where two or more bridge ports connect to the same LAN for which the bridge serves as the designated bridge. A backup port for a designated port immediately takes over if the port fails.

•

Disabled port—The port is not part of the active spanning-tree.

Port States Determine How a Port Processes a Frame Each port has both a state and a role. A port’s state determines how it processes a frame. RSTP places each port of a designated bridge in one of three states: •

Discarding—The port discards all BPDUs. A port in this state discards all frames it receives and does not learn MAC addresses.

•

Learning—The port prepares to forward traffic by examining received frames for location information in order to build its MAC address table.

•

Forwarding—The port filters and forwards frames. A port in the forwarding state is part of the active spanning-tree.

Edge Ports Connect to Devices That Cannot Be Part of a Spanning-Tree RSTP also defines the concept of an edge port, which is a designated port that connects to non-STP-capable devices, such as PCs, servers, routers, or hubs that are not connected to other switches. Because edge ports connect directly to end stations, they cannot create network loops and can transition to the forwarding state immediately. You can manually configure edge ports, and a switch can also detect edge ports by noting the absence of communication from the end stations. The edge ports themselves do send BPDUs to the spanning-tree. If you have a good understanding of the implications on your network and want to modify RSTP on the edge port interface, see “Configuring RSTP (CLI Procedure)” on page 2489.

2416



BPDUs Maintain the Spanning-Tree Spanning-tree protocols use frames called bridge protocol data units (BPDUs) to create and maintain the spanning-tree. A BPDU frame is a message sent from one switch to another to communicate information about itself, such as its bridge ID, root path costs, and port MAC addresses. The initial exchange of BPDUs between switches determines the root bridge. Simultaneously, BPDUs are used to communicate the cost of each link between branch devices, which is based upon port speed or user configuration. RSTP uses this path cost to determine the ideal route for data frames to travel from one leaf to another leaf and then blocks all other routes. If an edge port receives a BPDU, it automatically transitions to a regular RSTP port. When the network is in a steady state, the spanning-tree converges when the spanning-tree algorithm (STA) identifies both the root and designated bridges and all ports are in either a forwarding or blocking state. To maintain the tree, the root bridge continues to send BPDUs at a “hello time” interval (default 2 seconds). These BPDUs continue to communicate the current tree topology. When a port receives a hello BPDU, it compares the information to that already stored for the receiving port. One of three actions takes place when a switch receives a BPDU: •

If the BPDU data matches the existing entry in the MAC address table, the port resets a timer called “max age” to zero and then forwards a new BPDU with the current active topology information to the next port in the spanning-tree.

•

If the topology in the BPDU has been changed, the information is updated in the MAC address table, “max age” is again set to zero, and a new BPDU is forwarded with the current active topology information to the next port in the spanning-tree.

•

When an RSTP port does not receive a BPDU for three hello times, it reacts one of two ways. If the port is the root port, a complete rework of the spanning-tree occurs—see When an RSTP Root Bridge Fails. If the bridge is any non-root bridge, RSTP detects that the connected device cannot send BPDUs and converts that port to an edge port.

When an RSTP Root Bridge Fails When a link to the root port goes down, a flag called a topology change notification (TCN) is added to the BPDU. When this BPDU reaches the next port in the VLAN, the MAC address table is flushed and the BPDU is sent to the next bridge. Eventually, all ports in the VLAN have flushed their MAC address tables. Then, RSTP configures a new root port. After a root port or a designated port fails, the alternate or backup port takes over after an exchange of BPDUs called the proposal-agreement handshake. RSTP propagates this handshake over point-to-point links, which are dedicated links between two network nodes, or switches, that connect one port to another. If a local port becomes a new root or designated port, it negotiates a rapid transition with the receiving port on the nearest neighboring switch by using the proposal-agreement handshake to ensure a loop-free topology.


2417

®


Switches Must Relearn MAC Addresses After a Link Failure Because a link failure causes all associated ports to flush their MAC address table, the network may be slower as it floods to relearn the MAC addresses. There is a way to speed up this relearning process. During TCN propagation, the Layer 2 forwarding table of switches is flushed, resulting in a flood of data packets. The ARP feature causes the switch to proactively send ARP requests for IP addresses in the ARP cache (present because of Layer 3 VLAN interface). With ARP on STP enabled, as the reply comes through, the switches builds up the Layer 2 forwarding table, thus limiting the flooding later. Enabling ARP on STP is most useful to prevent excessive flooding in large Layer 2 networks using RVIs.

Selecting a Spanning-Tree Protocol The default factory configuration for EX Series switches is RSTP, a faster version of the original STP. To determine which spanning-tree protocol is best for your situation, see Table 278 on page 2414 below.


Advantages

Disadvantages

RSTP

•

•


•


•


•


STP

MSTP

2418


•


•


•


•


•


•


•


•


•


•




Table 279: Selecting a Spanning-Tree Protocol (continued) Protocol

Advantages

Disadvantages

VSTP

•

VLAN Spanning-Tree Protocol works with VLANS that require device compatibility.

•

•



•


•


•



•


•


•


•


•


Understanding MSTP for EX Series Switches Ethernet networks are susceptible to broadcast storms if loops are introduced. However, an Ethernet network should always include loops because they provide redundant paths in case of a link failure. Spanning-tree protocols address both of these issues because they provide link redundancy while simultaneously preventing undesirable loops. Spanning-tree protocols intelligently avoid loops in a network by creating a tree topology (spanning-tree) of the entire bridged network with only one available path between the tree root and a leaf. All other paths are forced into a standby state. The tree root is a switch within the network elected by the STA (spanning-tree algorithm) to use when computing the best path between bridges throughout the network and the root bridge. Frames travel through the network to their destination–a leaf such as an end-user PC–along branches. A tree branch is a network segment, or link, between bridges. Switches that forward frames through an STP spanning-tree are called designated bridges. Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention through Spanning-Tree Protocol (STP), Rapid Spanning-Tree Protocol (RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN Spanning-Tree Protocol (VSTP). This topic explains MSTP. This topic describes: •

MSTP Maps Multiple VLANs on page 2420

•

Configuring MSTP Regions on page 2420

•



2419

®


MSTP Maps Multiple VLANs MSTP is an extension of RSTP that maps multiple independent spanning-tree instances onto one physical topology. Each spanning-tree instance (STI) includes one or more VLANs. Unlike in STP and RSTP configurations, a port may belong to multiple VLANs and be dynamically blocked in one spanning-tree instance but forwarding in another. This behavior significantly improves network resource utilization by load-balancing across the network and maintaining switch CPU loads at moderate levels. MSTP also leverages the fast re-convergence time of RSTP when a network, switch, or port failure occurs within a spanning-tree instance. MSTP creates a Common and Internal Spanning-Tree (CIST) to interconnect and manage all MSTP regions and even individual devices that run RSTP or STP, which are recognized as distinct spanning-tree regions by MSTP. The CIST views each MSTP region as a virtual bridge, regardless of the actual number of devices participating in the MSTP region, and enables MSTIs to link to other regions. The CIST is a single topology that connects all switches (STP, RSTP, and MSTP devices) through an active topology, ensuring connectivity between LANs and devices within a bridged network. This functionality provided by MSTP enables you to better utilize network resources while remaining backward-compatible with older network devices.

Configuring MSTP Regions When enabling MSTP, you define one or more MSTP regions. An MSTP region defines a logical domain where MSTIs can be administered independently of MSTIs in other regions, setting the boundary for Bridge Protocol Data Units (BPDUs) sent by one MSTI. An MSTP region is a group of switches that is defined by three parameters: •

Region name—User-defined alphanumeric name for the region.

•

Revision level—User-defined value that identifies the region.

•

Mapping table—Numerical digest of VLAN-to-instance mappings.

An MSTP region can support up to 64 MST instances, and each MSTI can support from 1 to 4094 VLANs. When you define a region, MSTP automatically creates an internal spanning-tree instance (IST instance 0) that provides the root switch for the region and includes all currently configured VLANs that are not specifically assigned to a user-defined Multiple Spanning-Tree Instance (MSTI). An MSTI includes all static VLANs that you specifically add to it. The switch places any dynamically created VLANs in the IST instance by default, unless you explicitly map them to another MSTI. Once you assign a VLAN to a user-defined MSTI, the switch removes the VLAN from the IST instance.


2420




Advantages

Disadvantages

RSTP

•

•


•


•


•


STP

MSTP

VSTP


•


•


•


•


•


•


•


•


•


•


•


•

•



•


•


•



•


•


•


•


•

Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches on page 2444


2421

®


Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches Networks frequently use multiple protocols simultaneously to achieve different goals and in some cases those protocols can conflict with each other. One such case is spanning tree protocols, where a special type of switching frame called a bridge protocol data unit (BPDU) can conflict with BPDUs generated on other devices such as PCs. The different kinds of BPDUs are not compatible but they can still be recognized by other devices that use BPDUs and cause network outages. You need to protect any device that recognizes BDPUs from picking up the wrong BPDUs. •

Different Kinds of BPDUs on page 2422

•

Protecting Switches With STP From Outside BPDUs on page 2422

Different Kinds of BPDUs Spanning tree protocols such as Spanning Tree protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP) generate their own BPDUs. These peer STP applications use their BPDUs to communicate, and ultimately, the exchange of BPDUs determines which interfaces block traffic and which interfaces become root ports and forward traffic. User bridge applications running on a PC can also generate BPDUs. If these outside BPDUs are picked up by STP applications running on the switch, they can trigger STP miscalculations, and those miscalculations can lead to network outages. At the same time, BPDUs generated by STP protocols can cause problems if they are picked up by devices like PCs that are not using STP.

Protecting Switches With STP From Outside BPDUs To protect STP on switches from outside BDPUs, enable BPDU protection on spanning tree switch interfaces connected to user devices—for example on edge ports connected to PCs. Use the same strategy when a non-STP device is connected to a switch through a trunk interface that could be forwarding STP-BDPUs. In this case, you would protect the non-STP device (like a PC) from BPDUs generated by the STP on the switch. To configure BPDU protection on a switch with a spanning tree, include the bpdu-block-on-edge statement at the [edit protocols (stp | mstp | rstp )] hierarchy level. To prevent a switch with a spanning tree from forwarding STP-BPDUs to devices, include the bpdu-block statement at the [edit ethernet-switching-options ] hierarchy level. When an interface configured with bdpu-block protection encounters an outside BDPU, it shuts down. After an interface shuts down due to external BPDUs, there are two ways to re-enable the interface:

2422

•

If you included the disable-timeout statement in the BPDU configuration, the interface automatically returns to service after the timer expires.

•

You can also issue the operational mode command clear ethernet-switching bpdu-error on the switch.



NOTE: You can also configure BPDU protection on a switch without a spanning tree—typically, you do this when a non spanning-tree switch is connected to a spanning-tree switch through a trunk interface.


•

Example: Configuring BPDU Protection on Edge Interfaces to Prevent STP Miscalculations on EX Series Switches on page 2464

•

Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches on page 2468

•


•


•


•


•


•


Understanding Loop Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by preventing ports from moving into a forwarding state that would result in a loop opening up in the network. A loop-free network in spanning-tree topologies is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic. However, a blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment. Such a transition error can occur when there is a hardware error on the switch or software configuration error between the switch and its neighbor. When loop protection is enabled, the spanning-tree topology detects root ports and blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled interface stops receiving BPDUs from its designated port, it reacts as it would react to a problem with the physical connection on this interface. It doesn't transition the interface to a forwarding state, but instead transitions it to a loop-inconsistent state. The interface recovers and then it transitions back to the spanning-tree blocking state as soon as it receives a BPDU.


2423

®


We recommend that you enable loop protection on all switch interfaces that have a chance of becoming root or designated ports. Loop protection is most effective when enabled in the entire switched network. When you enable loop protection, you must configure at least one action (log, block, or both). Note that an interface can be configured for either loop protection or root protection, but not for both. Related Documentation

•

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX Series Switches on page 2472

•


•


•


•


•


•


Understanding Root Protection for STP, RSTP, VSTP, and MSTP on EX Series Switches Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP). A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic and which interfaces become root ports and forward traffic. However, a root port elected through this process has the possibility of being wrongly elected. A user bridge application running on a PC can generate BPDUs, too, and interfere with root port election. Root protection allows network administrators to manually enforce the root bridge placement in the network. Enable root protection on interfaces that should not receive superior BPDUs from the root bridge and should not be elected as the root port. These interfaces become designated ports and are typically located on an administrative boundary. If the bridge receives superior STP BPDUs on a port that has root protection enabled, that port transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. After the bridge stops receiving superior STP BPDUs on the interface with root protection, the interface returns to a listening state, followed by a learning state, and ultimately back to a forwarding state. Recovery back to the forwarding state is automatic.

2424



When root protection is enabled on an interface, it is enabled for all the STP instances on that interface. The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology. An interface can be configured for either root protection or loop protection, but not for both. Related Documentation

•

Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX Series Switches on page 2476

•


•


•


•


•


•


•


Understanding VSTP for EX Series Switches Juniper Networks EX Series Ethernet Switches provide Layer 2 loop prevention through Spanning-Tree Protocol (STP), Rapid Spanning-Tree Protocol (RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN Spanning-Tree Protocol (VSTP). The default factory configuration for EX Series switches uses RSTP. If you use VLANs, however, we recommend that you enable MSTP unless your network requires the device compatibility provided by VSTP. Switches configured to run VSTP automatically assign each VLAN to one spanning-tree instance that runs RSTP. While this approach is useful to optimize network usage in small networks with a limited number of VLANs, a VSTP configuration in networks with several hundred VLANs can overload switch CPUs. MSTP ensures that your network doesn’t slow down from the increased network traffic caused by hundreds of VLANs, each with its own spanning-tree instance.

NOTE: When you configure VSTP, we recommend that you enable VSTP on all VLANs that can receive VSTP bridge protocol data units (BPDUs).



2425

®



Advantages

Disadvantages

RSTP

•

•


•


•


•


STP

MSTP

VSTP


•


•


•


•


•


•


•


•


•


•


•


•

•



•


•



2426

•


•


•


•


•

Configuring VSTP (CLI Procedure) on page 2491


CHAPTER 71

Examples of Spanning-Tree Protocols Configuration •

Example: Faster Convergence and Improved Network Stability with RSTP on EX Series Switches on page 2427

•


•

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 2464

•

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches on page 2468

•


•


Example: Faster Convergence and Improved Network Stability with RSTP on EX Series Switches EX Series switches use Rapid Spanning Tree Protocol (RSTP) by default to provide a loop-free topology. When switches that support redundant Routing Engines use RSTP, it is important to keep RSTP synchronized on both Routing Engines so that no loss of service occurs after a Routing Engine switchover. Nonstop bridging protocol keeps Routing Engines synchronized. This example describes how to configure RSTP and NSB on four EX Series switches: •


•


•

Configuring RSTP and Nonstop Bridging on Switch 1 on page 2430

•


•


•


•



2427

®




•

Four EX Series switches

Before you configure the switches for RSTP, be sure you have: •

Installed the four switches. See “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259.

•

Performed the initial software configuration on all switches. See Installing and Connecting an EX3200 Switch.

Overview and Topology RSTP works by identifying certain links as point to point links and blocking other possible paths. When one of the point-to-point links fails, a designated alternate link transitions to the forwarding state and take over. Configuring nonstop bridging (NSB) on a switch with redundant Routing Engines keeps RSTP synchronized on both Routing Engines. This way, RSTP remains active immediately after a switchover because it is already synchronized to the backup Routing Engine. RSTP does not have to reconverge after a Routing Engine switchover when NSB is enabled because the neighbor devices do not detect an RSTP change on the switch. In this example, four EX Series switches are connected in the topology displayed in Figure 74 on page 2429 to create a loop-free topology with NSB applied to switches with dual Routing Engines.

2428


Chapter 71: Examples of Spanning-Tree Protocols Configuration

Figure 74: Network Topology for RSTP

Table 282 on page 2429 shows the components of the topology for this example.

NOTE: You can configure RSTP on logical or physical interfaces. This example shows RSTP configured on logical interfaces.

Table 282: Components of the Topology for Configuring RSTP Property

Settings

Switch 1

The following interfaces on Switch 1 are connected in this way:

Switch 2

Switch 3

•

ge-0/0/9 is connected to Switch 2

•


•


The following interfaces on Switch 2 are connected in this way: •


•


The following interfaces on Switch 3 are connected in this way: •


•


•



2429

®


Table 282: Components of the Topology for Configuring RSTP (continued) Property

Settings

Switch 4

The following interfaces on Switch 4 are connected in this way:


•


•


voice-vlan, tag 10 employee-vlan, tag 20 guest-vlan, tag 30 camera-vlan, tag 40

This configuration example creates a loop-free topology between four EX Series switches using RSTP. An RSTP topology contains ports that have specific roles: •

The root port is responsible for forwarding data to the root bridge.

•

The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port.

•

The designated port forwards data to the downstream network segment or device.

•

The backup port is a backup port for the designated port. When a designated port goes down, the backup port becomes the active designated port and starts forwarding data.

NOTE: You also can create a loop-free topology between the aggregation layer and the distribution layer using redundant trunk links. For more information about configuring redundant trunk links, see “Example: Configuring Redundant Trunk Links for Faster Recovery” on page 2141.

Configuring RSTP and Nonstop Bridging on Switch 1 CLI Quick Configuration

To quickly configure RSTP and nonstop bridging on Switch 1, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan-id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30 set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/13 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

2430



set protocols rstp bridge-priority 16k set protocols rstp interface ge-0/0/13.0 cost 1000 set protocols rstp interface ge-0/0/13.0 mode point-to-point set protocols rstp interface ge-0/0/9.0 cost 1000 set protocols rstp interface ge-0/0/9.0 mode point-to-point set protocols rstp interface ge-0/0/11.0 cost 1000 set protocols rstp interface ge-0/0/11.0 mode point-to-point

If Switch 1 includes dual Routing Engines, configure NSB. To quickly configure nonstop bridging on Switch 1, copy the following commands and paste them into the switch terminal window: set chassis redundancy graceful switchover set system commit synchronize set ethernet-switching-options nonstop-bridging


To configure RSTP and nonstop bridging on Switch 1: 1.

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan: [edit vlans] user@switch1# user@switch1# user@switch1# user@switch1# user@switch1# user@switch1# user@switch1# user@switch1#

2.

set voice-vlan description “Voice VLAN” set voice-vlan vlan-id 10 set employee-vlan description “Employee VLAN” set employee-vlan vlan-id 20 set guest-vlan description “Guest VLAN” set guest-vlan vlan-id 30 set camera-vlan description “Camera VLAN” set camera-vlan vlan-id 40

Configure the VLANs on the interfaces, including support for the Ethernet switching protocol: [edit interfaces] user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces: [edit interfaces] user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

4.

Configure RSTP on the switch: [edit protocols] user@switch1# rstp bridge-priority 16k user@switch1# rstp interface ge-0/0/13.0 cost 1000 user@switch1# rstp interface ge-0/0/13.0 mode point-to-point user@switch1# rstp interface ge-0/0/9.0 cost 1000 user@switch1# rstp interface ge-0/0/9.0 mode point-to-point user@switch1# rstp interface ge-0/0/11.0 cost 1000 user@switch1# rstp interface ge-0/0/11.0 mode point-to-point


If Switch 1 includes dual Routing Engines, configure nonstop bridging. To configure NSB on Switch 1: 1.

Enable graceful Routing Engine switchover (GRES):


2431

®


[edit chassis redundancy] user@switch1# set graceful-switchover 2.

Configure the switch to always synchronize configuration changes between the Routing Engines: [edit system] user@switch1# set commit synchronize

If you try to commit a configuration in which nonstop bridging is configured but synchronization of configuration changes is not configured, the configuration is not committed. 3.

Enable nonstop bridging: [edit ethernet-switching-options] user@switch1# set nonstop-bridging

NOTE: This process enables NSB for all NSB-supported Layer 2 protocols on the switch, including RSTP.

Results

Check the results of the configuration: user@switch1> show configuration interfaces { ge-0/0/13 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/9 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } }

2432



} protocols { rstp { bridge-priority 16k; interface ge-0/0/13.0 { cost 1000; mode point-to-point; } interface ge-0/0/9.0 { cost 1000; mode point-to-point; } interface ge-0/0/11.0 { cost 1000; mode point-to-point; } } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } } system { commit synchronize; } chassis { redundancy { graceful-switchover; } ethernet-switching-options { nonstop-bridging; }


To quickly configure RSTP and nonstop bridging on Switch 2, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan-id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30


2433

®


set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk set protocols rstp bridge-priority 32k set protocols rstp interface ge-0/0/14.0 cost 1000 set protocols rstp interface ge-0/0/14.0 mode point-to-point set protocols rstp interface ge-0/0/18.0 cost 1000 set protocols rstp interface ge-0/0/18.0 mode point-to-point





2.

set voice-vlan description “Voice VLAN” set voice-vlan vlan-id 10 set employee-vlan description “Employee VLAN” set employee-vlan vlan-id 20 set guest-vlan description “Guest VLAN” set guest-vlan vlan-id 30 set camera-vlan vlan-description “Camera VLAN” set camera-vlan vlan-id 40

Configure the VLANs on the interfaces, including support for the Ethernet switching protocol: [edit interfaces] user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces: [edit interfaces] user@switch2# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk user@switch2# set ge-0/0/18 unit 0 family ethernet-switching port-mode trunk

4.

Configure RSTP on the switch: [edit protocols] user@switch2# rstp bridge-priority 32k user@switch2# rstp interface ge-0/0/14.0 cost 1000 user@switch2# rstp interface ge-0/0/14.0 mode point-to-point user@switch2# rstp interface ge-0/0/18.0 cost 1000 user@switch2# rstp interface ge-0/0/18.0 mode point-to-point



Enable graceful Routing Engine switchover (GRES): [edit chassis redundancy]

2434



user@switch2# set graceful-switchover 2.





Results

Check the results of the configuration: user@switch2> show configuration interfaces { ge-0/0/14 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/18 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } } protocols { rstp { bridge-priority 32k; interface ge-0/0/14.0 { cost 1000; mode point-to-point; } interface ge-0/0/18.0 { cost 1000; mode point-to-point;


2435

®


} } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } } system { commit synchronize; } chassis { redundancy { graceful-switchover; } ethernet-switching-options { nonstop-bridging; }


To quickly configure RSTP and nonstop bridging on Switch 3, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan-id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30 set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk set protocols rstp bridge-priority 8k set protocols rstp interface ge-0/0/26.0 cost 1000 set protocols rstp interface ge-0/0/26.0 mode point-to-point set protocols rstp interface ge-0/0/28.0 cost 1000 set protocols rstp interface ge-0/0/28.0 mode point-to-point set protocols rstp interface ge-0/0/24.0 cost 1000 set protocols rstp interface ge-0/0/24.0 mode point-to-point

2436







2.


Configure the VLANs on the interfaces, including support for the Ethernet switching protocol: [edit interfaces] user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.


4.

Configure RSTP on the switch: [edit protocols] user@switch3# rstp bridge-priority 8k user@switch3# rstp interface ge-0/0/26.0 cost 1000 user@switch3# rstp interface ge-0/0/26.0 mode point-to-point user@switch3# rstp interface ge-0/0/28.0 cost 1000 user@switch3# rstp interface ge-0/0/28.0 mode point-to-point user@switch3# rstp interface ge-0/0/24.0 cost 1000 user@switch3# rstp interface ge-0/0/24.0 mode point-to-point



Enable graceful Routing Engine switchover (GRES): [edit chassis redundancy] user@switch3# set graceful-switchover

2.



2437

®





Results

Check the results of the configuration: user@switch3> show configuration interfaces { ge-0/0/26 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/28 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/24 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } } } protocols { rstp { bridge-priority 8k; interface ge-0/0/26.0 { cost 1000;

2438



mode point-to-point; } interface ge-0/0/28.0 { cost 1000; mode point-to-point; } interface ge-0/0/24.0 { cost 1000; mode point-to-point; } } bridge-priority 8k; } } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } } system { commit synchronize; } chassis { redundancy { graceful-switchover; } ethernet-switching-options { nonstop-bridging; }


To quickly configure RSTP and nonstop bridging on Switch 4, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan–id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30 set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]


2439

®


set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk set protocols rstp bridge-priority 16k set protocols rstp interface ge-0/0/23.0 cost 1000 set protocols rstp interface ge-0/0/23.0 mode point-to-point set protocols rstp interface ge-0/0/19.0 cost 1000 set protocols rstp interface ge-0/0/19.0 mode point-to-point





2.


Configure the VLANs on the interfaces, including support for the Ethernet switching protocol: [edit interfaces] user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces: [edit interfaces] user@switch4# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk user@switch4# set ge-0/0/19 unit 0 family ethernet-switching port-mode trunk

4.

Configure RSTP on the switch: [edit protocols] user@switch4# rstp bridge-priority 16k user@switch4# rstp interface all cost 1000 user@switch4# rstp interface ge-0/0/23.0 cost 1000 user@switch4# rstp interface ge-0/0/23.0 mode point-to-point user@switch4# rstp interface ge-0/0/19.0 cost 1000 user@switch4# rstp interface ge-0/0/19.0 mode point-to-point



Enable graceful Routing Engine switchover (GRES): [edit chassis redundancy] user@switch4# set graceful-switchover

2440



2.





Results

Check the results of the configuration: user@switch4> show configuration interfaces { ge-0/0/23 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/19 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } } protocols { rstp { bridge-priority 16k; interface ge-0/0/23.0 { cost 1000; mode point-to-point; } interface ge-0/0/19.0 { cost 1000; mode point-to-point; }


2441

®


} } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } } system { commit synchronize; } chassis { redundancy { graceful-switchover; } ethernet-switching-options { nonstop-bridging; }

Verification To confirm that the configuration is working properly, perform these tasks on both Routing Engines: •

Verifying RSTP Configuration on Switch 1 on page 2442

•


•


•


Verifying RSTP Configuration on Switch 1 Purpose Action

Verify the RSTP configuration on Switch 1. Use the operational mode command: user@switch1> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/13.0 ge-0/0/9.0

2442

Port ID 128:526 128:522

Designated port ID 128:526 128:522

Designated bridge ID 16384.0019e25040e0 32768.0019e2503d20

Port Cost 1000 1000

State

Role

BLK BLK

ALT ALT



ge-0/0/11.0

Meaning

128:524

128:524

8192.0019e25051e0

1000

FWD

ROOT

Refer to the topology in Figure 74 on page 2429. The operational mode command show spanning-tree interface shows that ge-0/0/13.0 is in a forwarding state. The other interfaces on Switch 1 are blocking.


Use this procedure to verify the RSTP configuration on both Switch 2 Routing Engines. Use the operational mode command: user@switch2> show spanning-tree interface

Spanning tree interface parameters for instance 0 Interface ge-0/0/14.0 ge-0/0/18.0

Meaning

Port ID

Designated port ID 128:527 128:527 128:529 128:529

Designated bridge ID 32768.0019e2503d20 8192.0019e25051e0

Port State Cost 1000 FWD 1000 FWD

Role DESG ROOT

Refer to the topology in Figure 74 on page 2429. The operational mode command show spanning-tree interface shows that ge-0/0/18.0 is in a forwarding state and is the root port.


Use this procedure to verify the RSTP configuration on both Switch 3 Routing Engines. Use the operational mode commands: user@switch3> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/26.0 ge-0/0/28.0 ge-0/0/24.0

Meaning

Port ID

Designated port ID 128:539 128:539 128:541 128:541 128:537 128:537

Designated bridge ID 8192.0019e25051e0 8192.0019e25051e0 8192.0019e25051e0

Port State Cost 1000 FWD 1000 FWD 1000 FWD

Role DESG DESG DESG

Refer to the topology in Figure 74 on page 2429. The operational mode command show spanning-tree interface shows that no interface is the root interface.


Use this procedure to verify the RSTP configuration on both Switch 4 Routing Engines. Use the operational mode commands:


2443

®


user@switch4> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

ge-0/0/23.0 ge-0/0/19.0

Meaning


Port ID

Designated port ID

128:536 128:532

128:536 128:532

Designated bridge ID 8192.0019e25051e0 16384.0019e25040e0

Port Cost 1000 1000

State

Role

FWD FWD

ROOT DESG

Refer to the topology in Figure 74 on page 2429. The operational mode command show spanning-tree interface shows that interface ge-0/0/23.0 is the root interface and forwarding.

•


•


Example: Configuring Network Regions for VLANs with MSTP on EX Series Switches Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in networks using multiple spanning tree regions, each region containing multiple spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs. This functionality facilitates better load sharing across redundant links. Up to 64 MSTI instances can be created for an EX Series switch, and each MSTI can support up to 4094 VLANs. This example describes how to configure MSTP on four EX Series switches: •


•


•

Configuring MSTP on Switch 1 on page 2447

•


•


•


•




•

Four EX Series switches

Before you configure the switches for MSTP, be sure you have: •

2444

Installed the four switches. See “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259.



•

Performed the initial software configuration on all switches. See Installing and Connecting an EX3200 Switch.

Overview and Topology When the number of VLANs grows in a network, MSTP provides a more efficient way of creating a loop-free topology using MSTIs. Each MSTI in the spanning tree domain maintains its own tree. Each tree can be mapped to different links, utilizing bandwidth that would be unavailable to a single tree. MSTIs reduce demand on system resources.

Figure 75: Network Topology for MSTP

The interfaces shown in Table 283 on page 2446 will be configured for MSTP.

NOTE: You can configure MSTP on logical or physical interfaces. This example shows MSTP configured on logical interfaces.


2445

®


Table 283: Components of the Topology for Configuring MSTP on EX Series Switches Property

Settings

Switch 1

The following ports on Switch 1 are connected in this way:

Switch 2

•


•


•



Switch 3

•


•



Switch 4

•


•


•


The following ports on Switch 4 are connected in this way: •


•



voice-vlan, tag 10 employee-vlan, tag 20 guest-vlan, tag 30 camera-vlan, tag 40

MSTIs

1 2

The topology in Figure 75 on page 2445 shows a Common Internal Spanning Tree (CIST). The CIST is a single spanning tree connecting all devices in the network. The switch with the highest priority is elected as the root bridge of the CIST. Also in an MSTP topology are ports that have specific roles: •


•


•


•

The backup port is a backup port for the designated port. When a designated port goes down, the backup port becomes the active designated port and starts forwarding data.

In this example, one MSTP region, region1, contains Switch 1, Switch 2, Switch 3, and Switch 4. Within the region, four VLANs are created:

2446



•

The voice-vlan supports voice traffic and has a VLAN tag identifier of 10.

•

employee-vlan supports data traffic and has a VLAN tag identifier of 20.

•

The guest-vlan supports guest VLAN traffic (for supplicants that fail 802-1X authentication) and has a VLAN tag identifier of 30.

•

The camera-vlan supports video traffic and has a VLAN tag identifier of 40.

The VLANs are associated with specific interfaces on each of the four switches. Two MSTIs, 1 and 2, are then associated with the VLAN tag identifiers, and some MSTP parameters, such as cost, are configured on each switch.

Configuring MSTP on Switch 1 CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 1, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan-id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30 set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/13 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 16k set protocols mstp interface ge-0/0/13.0 cost 1000 set protocols mstp interface ge-0/0/13.0 mode point-to-point set protocols mstp interface ge-0/0/9.0 cost 1000 set protocols mstp interface ge-0/0/9.0 mode point-to-point set protocols mstp interface ge-0/0/11.0 cost 1000 set protocols mstp interface ge-0/0/11.0 mode point-to-point set protocols mstp msti 1 bridge-priority 16k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 1 interface ge-0/0/11.0 cost 4000 set protocols mstp msti 2 bridge-priority 8k set protocols mstp msti 2 vlan [30 40]


To configure interfaces and MSTP on Switch 1: 1.



set voice-vlan description “Voice VLAN” set voice-vlan vlan-id 10 set employee-vlan description “Employee VLAN” set employee-vlan vlan-id 20 set guest-vlan description “Guest VLAN” set guest-vlan vlan-id 30 set camera-vlan description “Camera VLAN” set guest-vlan vlan-id 40

2447

®


2.

Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol: [edit interfaces] user@switch1# set ge–0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces: [edit interfaces] user@switch1# set ge–0/0/13 unit 0 family ethernet-switching port-mode trunk user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

4.

Configure MSTP on the switch, including the two MSTIs: [edit protocols] user@switch1# mstp configuration-name region1 user@switch1# mstp bridge-priority 16k user@switch1# mstp interface ge-0/0/13.0 cost 1000 user@switch1# mstp interface ge-0/0/13.0 mode point-to-point user@switch1# mstp interface ge-0/0/9.0 cost 1000 user@switch1# mstp interface ge-0/0/9.0 mode point-to-point user@switch1# mstp interface ge-0/0/11.0 cost 4000 user@switch1# mstp interface ge-0/0/11.0 mode point-to-point user@switch1# mstp msti 1 bridge-priority 16k user@switch1# mstp msti 1 vlan [10 20] user@switch1# mstp msti 1 interface ge-0/0/11.0 cost 4000 user@switch1# mstp msti 2 bridge-priority 8k user@switch1# mstp msti 2 vlan [30 40]

Results

Check the results of the configuration: user@switch1> show configuration interfaces { ge-0/0/13 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } ge-0/0/9 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30;

2448



members 40; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } protocols { mstp { configuration-name region1; bridge-priority 16k; interface ge-0/0/13.0 { cost 1000; mode point-to-point; } interface ge-0/0/9.0 { cost 1000; mode point-to-point; } interface ge-0/0/11.0 { cost 4000; mode point-to-point; } msti 1 { bridge-priority 16k; vlan [ 10 20 ]; interface ge-0/0/11.0 { cost 4000; } } msti 2 { bridge-priority 8k; vlan [ 30 40 ]; } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30;


2449

®


} camera-vlan { vlan-id 40; } }


To quickly configure interfaces and MSTP on Switch 2, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan—id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30 set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan-id 40 set interfaces ge–0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 32k set protocols mstp interface ge-0/0/14.0 cost 1000 set protocols mstp interface ge-0/0/14.0 mode point-to-point set protocols mstp interface ge-0/0/18.0 cost 1000 set protocols mstp interface ge-0/0/18.0 mode point-to-point set protocols mstp msti 1 bridge-priority 32k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 2 bridge-priority 4k set protocols mstp msti 2 vlan [30 40]




2.

set voice-vlan description “Voice VLAN” set voice-vlan vlan-id 10 set employee-vlan description “Employee VLAN” set employee-vlan vlan-id 20 set guest-vlan description “Guest VLAN” set guest-vlan vlan-id 30 set camera-vlan vlan-description “Camera VLAN” set guest-vlan vlan-id 40

Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol: [edit interfaces] user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces: [edit interfaces] user@switch2# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk

2450



user@switch2# set ge-0/0/18 unit 0 family ethernet-switching port-mode trunk 4.

Configure MSTP on the switch, including the two MSTIs: [edit protocols] user@switch2# mstp configuration-name region1 user@switch2# mstp bridge-priority 32k user@switch2# mstp interface ge-0/0/14.0 cost 1000 user@switch2# mstp interface ge-0/0/14.0 mode point-to-point user@switch2# mstp interface ge-0/0/18.0 cost 1000 user@switch2# mstp interface ge-0/0/18.0 mode point-to-point user@switch2# mstp interface all cost 1000 user@switch2# mstp msti 1 bridge-priority 32k user@switch2# mstp msti 1 vlan [10 20] user@switch2# mstp msti 2 bridge-priority 4k user@switch2# mstp msti 2 vlan [30 40]

Results

Check the results of the configuration: user@switch2> show configuration interfaces { ge-0/0/14 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } ge-0/0/18 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } protocols { mstp { configuration-name region1; bridge-priority 32k; interface ge-0/0/14.0 { cost 1000; mode point-to-point; } interface ge-0/0/18.0 { cost 1000;


2451

®


mode point-to-point; } msti 1 { bridge-priority 32k; vlan [ 10 20 ]; } msti 2 { bridge-priority 4k; vlan [ 30 40 ]; } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } }


To quickly configure interfaces and MSTP on Switch 3, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice-vlan description “Voice VLAN” set vlans voice-vlan vlan-id 10 set vlans employee-vlan description “Employee VLAN” set vlans employee-vlan vlan-id 20 set vlans guest-vlan description “Guest VLAN” set vlans guest-vlan vlan-id 30 set vlans camera-vlan description “Camera VLAN” set vlans camera-vlan vlan—id 40 set interfaces ge–0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge–0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 8k set protocols mstp interface ge-0/0/26.0 cost 1000 set protocols mstp interface ge-0/0/26.0 mode point-to-point set protocols mstp interface ge-0/0/28.0 cost 1000 set protocols mstp interface ge-0/0/28.0 mode point-to-point set protocols mstp interface ge-0/0/24.0 cost 1000 set protocols mstp interface ge-0/0/24.0 mode point-to-point set protocols mstp msti 1 bridge-priority 4k set protocols mstp msti 1 vlan [10 20]

2452



set protocols mstp msti 2 bridge-priority 16k set protocols mstp msti 2 vlan [30 40]




2.

set voice-vlan description “Voice VLAN” set voice-vlan vlan-id 10 set employee-vlan description “Employee VLAN” set employee-vlan vlan-id 20 set guest-vlan description “Guest VLAN” set guest-vlan vlan-id 30 set camera-vlan description “Camera VLAN” set guest-vlan vlan-id 40

Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol: [edit interfaces] user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.


4.

Configure MSTP on the switch, including the two MSTIs: [edit protocols] user@switch3# mstp configuration-name region1 user@switch3# mstp bridge-priority 8k user@switch3# mstp interface ge-0/0/26.0 cost 1000 user@switch3# mstp interface ge-0/0/26.0 mode point-to-point user@switch3# mstp interface ge-0/0/28.0 cost 1000 user@switch3# mstp interface ge-0/0/28.0 mode point-to-point user@switch3# mstp interface ge-0/0/24.0 cost 1000 user@switch3# mstp interface ge-0/0/24.0 mode point-to-point user@switch3# mstp interface all cost 1000 user@switch3# mstp msti 1 bridge-priority 4k user@switch3# mstp msti 1 vlan [10 20] user@switch3# mstp msti 2 bridge-priority 16k user@switch3# mstp msti 2 vlan [30 40]

Results

Check the results of the configuration: user@switch3> show configuration interfaces { ge-0/0/26 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20;


2453

®


members 30; members 40; } } } } ge-0/0/28 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } ge-0/0/24 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } } protocols { mstp { configuration-name region1; bridge-priority 8k; interface ge-0/0/26.0 { cost 1000; mode point-to-point; } interface ge-0/0/28.0 { cost 1000; mode point-to-point; } interface ge-0/0/24.0 { cost 1000; mode point-to-point; } msti 1 { bridge-priority 4k; vlan [ 10 20 ]; } msti 2 { bridge-priority 16k;

2454



vlan [ 30 40 ]; } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } }


To quickly configure interfaces and MSTP on Switch 4, copy the following commands and paste them into the switch terminal window: [edit] set vlans voice–vlan description “Voice VLAN” set vlans voice-vlan vlan–id 10 set vlans employee—vlan description “Employee VLAN” set vlans employee—vlan vlan—id 20 set vlans guest—vlan description “Guest VLAN” set vlans guest—vlan vlan—id 30 set vlans camera—vlan description “Camera VLAN” set vlans camera—vlan vlan—id 40 set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge—0/0/23 unit 0 family ethernet-switching port-mode trunk set interfaces ge—0/0/19 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 16k set protocols mstp interface ge—0/0/23.0 cost 1000 set protocols mstp interface ge—0/0/23.0 mode point-to-point set protocols mstp interface ge—0/0/19.0 cost 1000 set protocols mstp interface ge—0/0/19.0 mode point-to-point set protocols mstp msti 1 bridge-priority 16k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 2 bridge-priority 32k set protocols mstp msti 2 vlan [30 40]


2455

®





2.

set voice-vlan description “Voice VLAN” set voice-vlan vlan—id 10 set employee-vlan description “Employee VLAN” set employee-vlan vlan—id 20 set guest-vlan description “Guest VLAN” set guest-vlan vlan—id 30 set camera-vlan description “Camera VLAN” set guest-vlan vlan—id 40

Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol: [edit interfaces] user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces: [edit interfaces] user@switch4# set ge—0/0/23 unit 0 family ethernet-switching port-mode trunk user@switch4# set ge—0/0/19 unit 0 family ethernet-switching port-mode trunk

4.

Configure MSTP on the switch, including the two MSTIs: [edit protocols] user@switch4# mstp configuration-name region1 user@switch4# mstp bridge-priority 16k user@switch4# mstp interface all cost 1000 user@switch4# mstp interface ge—0/0/23.0 cost 1000 user@switch4# mstp interface ge—0/0/23.0 mode point-to-point user@switch4# mstp interface ge—0/0/19.0 cost 1000 user@switch4# mstp interface ge—0/0/19.0 mode point-to-point user@switch4# mstp msti 1 bridge-priority 16k user@switch4# mstp msti 1 vlan [10 20] user@switch4# mstp msti 2 bridge-priority 32k user@switch4# mstp msti 2 vlan [30 40]

Results

Check the results of the configuration: user@switch4> show configuration interfaces { ge-0/0/23 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } ge-0/0/19 {

2456



unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } protocols { mstp { configuration-name region1; bridge-priority 16k; interface ge-0/0/23.0 { cost 1000; mode point-to-point; } interface ge-0/0/19.0 { cost 1000; mode point-to-point; } msti 1 { bridge-priority 16k; vlan [ 10 20 ]; } msti 2 { bridge-priority 32k; vlan [ 30 40 ]; } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } }


2457

®



Verifying MSTP Configuration on Switch 1 on page 2458

•


•


•


Verifying MSTP Configuration on Switch 1 Purpose Action

Verify the MSTP configuration on Switch 1. Use the operational mode commands: user@switch1> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/13.0 ge-0/0/9.0 ge-0/0/11.0

Port ID 128:527 128:529 128:531

Designated port ID 128:525 128:513 128:513

Designated bridge ID 16384.0019e25040e0 32768.0019e2503d20 8192.0019e25051e0

Port Cost 1000 1000 4000

State

Role

FWD BLK BLK

ROOT ALT ALT

Port Cost 1000 1000 4000

State

Role

FWD BLK BLK

ROOT ALT ALT

Port Cost 1000 1000 1000

State

Role

FWD FWD FWD

DESG ROOT DESG

Spanning tree interface parameters for instance 1 Interface ge-0/0/13.0 ge-0/0/9.0 ge-0/0/11.0

Port ID 128:527 128:529 128:531




Port ID 128:527 128:529 128:531



user@switch1> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay Hop count Message age

2458

: : : : : : : : : :

8192.00:19:e2:50:51:e0 0 ge-0/0/13.0 8192.00:19:e2:50:51:e0 2000 2 seconds 20 seconds 15 seconds 18 0



Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID

Meaning

: 3 : 921 seconds : 16384.00:19:e2:50:44:e0 : 0 : 0

: : : : : : :

4097.00:19:e2:50:51:e0 2000 ge-0/0/13.0 2 seconds 20 seconds 15 seconds 18

: 16385.00:19:e2:50:44:e0 : 0 : 1

: : : : : : :

4098.00:19:e2:50:3d:20 1000 ge-0/0/9.0 2 seconds 20 seconds 15 seconds 19

: 8194.00:19:e2:50:44:e0 : 0 : 2

The operational mode command show spanning-tree interface displays spanning-tree domain information such as the designated port and the port roles. The operational mode command show spanning-tree bridge displays the spanning-tree domain information at either the bridge level or interface level. If the optional interface name is omitted, all interfaces in the spanning-tree domain are displayed.


Verify the MSTP configuration on Switch 2. Use the operational mode commands: user@switch2> show spanning-tree interface


Port ID




Role DESG ROOT

Spanning tree interface parameters for instance 1


2459

®


Interface ge-0/0/14.0 ge-0/0/18.0

Port ID




Role

Port State Cost 1000 FWD

Role

DESG ROOT

Spanning tree interface parameters for instance 2 Interface

Port ID

ge-0/0/14.0


Designated bridge ID 4098.0019e2503d20

ge-0/0/18.0

128:519

4098.0019e2503d20

128:519

1000

FWD

DESG DESG

user@switch2> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay Hop count Message age Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Hello time Maximum age Forward delay Local parameters Bridge ID Extended system ID Internal instance ID

2460

: : : : : : : : : : : :

8192.00:19:e2:50:51:e0 0 ge-0/0/18.0 8192.00:19:e2:50:51:e0 1000 2 seconds 20 seconds 15 seconds 19 0 1 782 seconds

: 32768.00:19:e2:50:3d:20 : 0 : 0

: : : : : : :


: 32769.00:19:e2:50:3d:20 : 0 : 1

: : : :

4098.00:19:e2:50:3d:20 2 seconds 20 seconds 15 seconds

: 4098.00:19:e2:50:3d:20 : 0 : 2



Meaning



Verify the MSTP configuration on Switch 3. Use the operational mode commands: user@switch3> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/26.0 ge-0/0/28.0 ge-0/0/24.0

Port ID




Role


Role

Port State Cost 1000 BLK 1000 FWD 1000 FWD

Role

DESG DESG DESG


Port ID



DESG DESG DESG


Port ID



ALT ROOT DESG

user@switch3> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID CIST regional root CIST internal root cost Hello time Maximum age Forward delay Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID


: : : : : : : :

8192.00:19:e2:50:51:e0 8192.00:19:e2:50:51:e0 0 2 seconds 20 seconds 15 seconds 3 843 seconds

: 8192.00:19:e2:50:51:e0 : 0 : 0

2461

®


STP bridge parameters for MSTI 1 MSTI regional root Hello time Maximum age Forward delay Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID

Meaning

: : : :

4097.00:19:e2:50:51:e0 2 seconds 20 seconds 15 seconds

: 4097.00:19:e2:50:51:e0 : 0 : 1

: : : : : : :


: 16386.00:19:e2:50:51:e0 : 0 : 2



Verify the MSTP configuration on Switch 4. Use the operational mode commands: user@switch4> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

ge-0/0/23.0 ge-0/0/19.0

Port ID

128:523 128:525



Port Cost

State

Role

FWD FWD

ROOT DESG

Port Cost 1000 1000

State

Role

FWD FWD

ROOT DESG

Port Cost

State

Role

1000 1000


Port ID 128:523 128:525



Spanning tree interface parameters for instance 2 Interface

2462

Port ID

Designated port ID

Designated bridge ID



ge-0/0/23.0 ge-0/0/19.0

128:523 128:525

128:517 128:527

16386.0019e25051e0 8194.0019e25044e0

1000 1000

BLK FWD

ALT ROOT

user@switch4> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay Hop count Message age Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID

Meaning

: : : : : : : : : : : :

8192.00:19:e2:50:51:e0 0 ge-0/0/23.0 8192.00:19:e2:50:51:e0 1000 2 seconds 20 seconds 15 seconds 19 0 4 887 seconds

: 16384.00:19:e2:50:40:e0 : 0 : 0

: : : : : : :


: 16385.00:19:e2:50:40:e0 : 0 : 1

: : : : : : :


: 32770.00:19:e2:50:40:e0 : 0 : 2



2463

®



•


•


Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). You need to configure BPDU protection on these STP interfaces if they could possibly receive outside BPDUs—outside BPDUs can cause network outages. This example configures BPDU protection on an EX Series switch using RSTP. The upstream configuration is done on the edge interfaces, where outside BDPUs are often received from other devices: •


•


•


•




•

Two EX Series switches in an RSTP topology

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have: •

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX Series switches.

Overview and Topology A loop-free network is supported through the exchange of a special type of frame called a bridge protocol data unit (BPDU). Receipt of outside BPDUs in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on STP interfaces that could receive outside BDPUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BDPU from accessing the STP interface. Two EX Series switches are displayed in Figure 76 on page 2465. In this example, Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The interfaces on Switch 2 are edge access ports—edge access ports frequently receive outside BPDUs generated by PC applications.

2464



This example configures interface ge-0/0/5 and interface ge-0/0/6 as edge ports on Switch 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to Switch 2. Figure 76 on page 2465 shows the topology of this example.

Figure 76: BPDU Protection Topology

Table 284 on page 2465 shows the components that will be configured for BPDU protection.

Table 284: Components of the Topology for Configuring BPDU Protection on EX Series Switches Property

Settings

Switch 1 (Distribution Layer)

Switch 1 is connected to Switch 2 on a trunk interface.

Switch 2 (Access Layer)

Switch 2 has these access ports that require BPDU protection: •

ge-0/0/5

•

ge-0/0/6

This configuration example uses RSTP topology. You also can configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.

Configuration To configure BPDU protection on two access interfaces:


2465

®



Quickly configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection on all edge ports on Switch 2 by copying the following commands and pasting them into the switch terminal window: [edit] set protocols rstp interface ge-0/0/5 edge set protocols rstp interface ge-0/0/6 edge set protocols rstp bpdu-block-on-edge


To configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection: 1.

Configure interface ge-0/0/5 and interface ge-0/0/6 as edge ports: [edit protocols rstp] user@switch# set interface ge-0/0/5 edge (Spanning Trees) user@switch#set interface ge-0/0/6 edge

2.

Configure BPDU protection on all edge ports on this switch: [edit protocols rstp] user@switch# set bpdu-block-on-edge

Results

Check the results of the configuration: user@switch> show configuration protocols rstp interface ge-0/0/5.0 { edge; } interface ge-0/0/6.0 { edge; } bpdu-block-on-edge;

Verification To confirm that the configuration is working properly: •

Displaying the Interface State Before BPDU Protection Is Triggered on page 2466

•

Verifying That BPDU Protection Is Working Correctly on page 2467

Displaying the Interface State Before BPDU Protection Is Triggered Purpose

Action

Before BPDUs can be received from PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state. Use the operational mode command: user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0

2466

Port ID 128:513 128:514 128:515 128:516 128:517 128:518


Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00

Port Cost 20000 20000 20000 20000 20000 20000

State

Role

BLK BLK BLK FWD FWD FWD

DIS DIS DIS DESG DESG DESG



ge-0/0/6.0 128:519 [output truncated]

Meaning

128:519

32768.0019e2503f00

20000

FWD

DESG

The output from the operational mode command show spanning-tree interface shows that ge-0/0/5.0 and interface ge-0/0/6.0 are ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly Purpose

Action

In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0 . Verify that BPDU protection is configured on the interfaces. Use the operational mode command: user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

Port ID

ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 (Bpdu—Incon) ge-0/0/6.0 128:519 (Bpdu—Incon) ge-0/0/7.0 128:520 ge-0/0/8.0 128:521 [output truncated]

Meaning


Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00

Port Cost 20000 20000 20000 20000 20000 20000

State

Role

BLK BLK BLK FWD FWD BLK

DIS DIS DIS DESG DESG DIS

128:519

32768.0019e2503f00

20000

BLK

DIS

128:1 128:521

16384.00aabbcc0348 32768.0019e2503f00

20000 20000

FWD FWD

ROOT DESG

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down. Disabling the BPDU protection configuration on an interface does not automatically re-enable the interface. However, if the disable-timeout (Spanning Trees) statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear ethernet-switching bpdu-error to unblock and re-enable the interface. If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that is sending BPDUs to Switch 2.


•



2467

®


•


•


•


•


Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches Spanning-tree protocols support loop-free network communication through the exchange of a special type of frame called a bridge protocol data unit (BPDU). However, when STP-BPDUs are communicated to non-STP devices that recognize BPDUs, this can lead to network outages. You can, however, enable BPDU protection on non-STP switch interfaces and prevent STP-BPDUs from passing through that interface. When protection is enabled, an interface shuts down when a BPDU is encountered, thereby preventing the STP-BPDU from reaching a device that could be shut down by STP-BPDUs. This example configures BPDU protection on non-STP switch downstream interfaces that connect to two PCs: •


•


•


•




•

One EX Series switch in an RSTP topology

•

One EX Series switch that is not in any spanning-tree topology

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have: •

RSTP operating on Switch 1.

•

Disabled RSTP on Switch 2.


2468



Overview and Topology EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate. Other devices also use BPDUs—PC bridging applications, for example, generate their own BPDUs. These different BPDUs are not compatible. When STP-BPDUs are transmitted to a device that is not using a spanning-tree protocol but uses another type of BPDU, they can cause problems on the device. Therefore, you should configure BPDU protection on a non-STP switch between an STP-enabled switch and devices that use different BPDUs-–for example PCs. This blocks STP-BPDUs at the switch in the middle and prevents them from ever reaching the devices that could be damaged. This example explains how to block STP-generated BPDUs from reaching a switch port connected to non-STP devices, thereby protecting the non-STP devices. If BPDUs attempt to access a BPDU-protected interface on a switch, the interface transitions to a blocking state that shuts down the interface. Two EX Series switches are displayed in Figure 77 on page 2470. In this example, Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured for RSTP, but Switch 2 has no spanning-tree protocol. This example configures downstream BPDU protection on switch interfaces ge-0/0/5 and ge-0/0/6. When BPDU protection is enabled, the switch interfaces will shut down if STP-BPDUs attempt to access the laptops. Figure 77 on page 2470 shows the topology for this example.

CAUTION: When configuring BPDU protection on a non-STP configured port connected to an STP-configured switch, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on switch interfaces (such as a trunk interface) that should be receiving BPDUs from an STP-configured switch.


2469

®


Figure 77: BPDU Protection Topology

Table 285 on page 2470 shows the components that will be configured for BPDU protection.

Table 285: Components of the Topology for Configuring BPDU Protection on EX Series Switches Property

Settings

Switch 1 (Distribution Layer)

Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP. Switch 2 is not configured for any spanning-tree protocol.

Switch 2 (Access Layer)

Switch 2 has the default RSTP disabled and has two downstream access ports connected to laptops that require BPDU protection: •

ge-0/0/5

•

ge-0/0/6

Configuration To configure BPDU protection on the interfaces: CLI Quick Configuration

To quickly configure BPDU protection on non-STP Switch 2, copy the following commands and paste them into the switch terminal window: [edit] set ethernet-switching-options bpdu-block interface ge-0/0/5 [edit] set ethernet-switching-options bpdu-block interface ge-0/0/6

2470




To configure BPDU protection: 1.

Configure bdpu-block on the downstream interface ge-0/0/5 on Switch 2: [edit ethernet-switching-options] user@switch#set bpdu-block interface ge-0/0/5

2.

Configure bdpu-block on the downstream interface ge-0/0/6 on Switch 2: [edit ethernet-switching-options] user@switch#set bpdu-block interface ge-0/0/6

Results

Check the results of the configuration: user@switch> show ethernet-switching-options bpdu-block { interface ge-0/0/5.0; interface ge-0/0/6.0; }


Displaying the Interface State Before BPDU Protection Is Triggered on page 2471

•

Verifying That BPDU Protection Is Working Correctly on page 2471

Displaying the Interface State Before BPDU Protection Is Triggered Purpose

Action

Before any BPDUs can be received from Switch 1 on either interface ge-0/0/5 or interface ge-0/0/6, confirm the state of those interfaces. Use the operational mode command show ethernet-switching interfaces: user@switch> show ethernet-switching interfaces Interface State ge-0/0/0.0 down ge-0/0/1.0 down ge-0/0/2.0 down ge-0/0/3.0 up ge-0/0/4.0 up ge-0/0/5.0 up ge-0/0/6.0 up [output truncated]

Meaning

VLAN members default default default default v1 v1 default

Blocking unblocked unblocked unblocked unblocked unblocked unblocked unblocked

The output from the operational mode command show ethernet-switching interfaces shows that ge-0/0/5.0 and interface ge-0/0/6.0 are up and unblocked.

Verifying That BPDU Protection Is Working Correctly Purpose

In this example, RSTP-enabled Switch 1 sends BPDUs to non-STP Switch 2 and Switch 2 tries to forward them to the laptops through interfaces ge-0/0/5 and ge-0/0/6 . This shuts down the two interfaces because bpdu-block has been configured on those interfaces.


2471

®


Action

Use the operational mode command show ethernet-switching interfaces again to see what happened when the BPDUs reached the two interfaces: user@switch> show ethernet-switching interfaces Interface State VLAN members ge-0/0/0.0 up default ge-0/0/1.0 up default ge-0/0/2.0 up default ge-0/0/3.0 up default ge-0/0/4.0 up v1 ge-0/0/5.0 down v1 ge-0/0/6.0 down default [output truncated]

Meaning

Blocking unblocked unblocked unblocked unblocked unblocked blocked - blocked by bpdu-control blocked - blocked by bpdu-control

When the BPDUs sent from Switch 1 reached interfaces ge-0/0/5 and ge-0/0/6 the interfaces transitioned to a BPDU inconsistent state, shutting down the two interfaces to prevent BPDUs from reaching the laptops. The blocked interfaces need to be re-enabled. There are two ways to do this. If you included the statement disable-timeout (Spanning Trees) in the BPDU configuration, the interface returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error to unblock and re-enable ge-0/0/5 and ge-0/0/5. If BPDUs reach the downstream interfaces on Switch 2 again, BPDU protection is triggered again and the interfaces shut down. In such cases, you need to find and repair the misconfiguration that is sending BPDUs to interfaces ge-0/0/5 and ge-0/0/6.


•


•


•


•


•


Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX Series Switches EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by preventing interfaces from moving into a forwarding state that would result in a loop opening up in the network.

2472



This example describes how to configure loop protection for an interface on an EX Series switch in an RSTP topology: •


•


•


•




•

Three EX Series switches in an RSTP topology

Before you configure the interface for loop protection, be sure you have: •



Overview and Topology A loop-free network in spanning-tree topologies is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic. A blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment. Such a transition error can occur when there is a hardware error on the switch or software configuration error between the switch and its neighbor. When this happens, a loop opens up in the spanning tree. Loops in a Layer 2 topology cause broadcast, unicast, and multicast frames to continuously circle the looped network. As a switch processes a flood of frames in a looped network, its resources become depleted and the ultimate result is a network outage.

CAUTION: An interface can be configured for either loop protection or root protection, but not for both.

Three EX Series switches are displayed in Figure 78 on page 2474. In this example, they are configured for RSTP and create a loop-free topology. Interface ge-0/0/6 is blocking traffic between Switch 3 and Switch 1; thus, traffic is forwarded through interface ge-0/0/7 on Switch 2. BPDUs are being sent from the root bridge on Switch 1 to both of these interfaces.


2473

®


This example shows how to configure loop protection on interface ge-0/0/6 to prevent it from transitioning from a blocking state to a forwarding state and creating a loop in the spanning-tree topology.

Figure 78: Network Topology for Loop Protection

Table 286 on page 2474 shows the components that will be configured for loop protection.

Table 286: Components of the Topology for Configuring Loop Protection on EX Series Switches Property

Settings

Switch 1

Switch 1 is the root bridge.

Switch 2

Switch 2 has the root port ge-0/0/7.

Switch 3

Switch 3 is connected to Switch 1 through interface ge-0/0/6.

A spanning-tree topology contains ports that have specific roles: •


•


•


This configuration example uses an RSTP topology. However, you also can configure loop protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.

Configuration To configure loop protection on an interface:

2474




To quickly configure loop protection on interface ge-0/0/6:


To configure loop protection:

[edit] set protocols rstp interface ge-0/0/6 bpdu-timeout-action block

1.

Configure interface ge-0/0/6 on Switch 3: [edit protocols rstp] user@switch# set interface ge-0/0/6 bpdu-timeout-action (Spanning Trees) block

Results

Check the results of the configuration: user@switch> show configuration protocols rstp interface ge-0/0/6.0 { bpdu-timeout-action { block; } }


Displaying the Interface State Before Loop Protection Is Triggered on page 2475

•

Verifying That Loop Protection Is Working on an Interface on page 2476

Displaying the Interface State Before Loop Protection Is Triggered Purpose

Action

Before loop protection is triggered on interface ge-0/0/6, confirm that the interface is blocking. Use the operational mode command: user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

Port ID

ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 [output truncated]

Meaning

Designated port ID 128:513 128:514 128:515 128:516 128:517 128:518 128:2

Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348

Port Cost 20000 20000 20000 20000 20000 20000 20000

State

Role

BLK BLK BLK FWD FWD FWD BLK

DIS DIS DIS DESG DESG DESG ALT

The output from the operational mode command show spanning-tree interface shows that ge-0/0/6.0 is the alternate port and in a blocking state.


2475

®


Verifying That Loop Protection Is Working on an Interface Purpose

Action

Verify the loop protection configuration on interface ge-0/0/6. RSTP has been disabled on interface ge-0/0/4 on Switch 1. This will stop BPDUs from being sent to interface ge-0/0/6 and trigger loop protection on the interface. Use the operational mode command: user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

Port ID

ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 (Loop-Incon) [output truncated]

Meaning



Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00

Port Cost 20000 20000 20000 20000 20000 20000 20000

State

Role

BLK BLK BLK FWD FWD FWD BLK

DIS DIS DIS DESG DESG DESG DIS

The operational mode command show spanning-tree interface shows that interface ge-0/0/6.0 has detected that BPDUs are no longer being forwarded to it and has moved into a loop-inconsistent state. The loop-inconsistent state prevents the interface from transitioning to a forwarding state. The interface recovers and transitions back to its original state as soon as it receives BPDUs.

•


•


•


•


•


Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX Series Switches EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Root protection increases the efficiency of STP, RSTP, and MSTP by allowing network administrators to manually enforce the root bridge placement in the network.

2476



This example describes how to configure root protection on an interface on an EX Series switch: •


•


•


•




•

Four EX Series switches in an RSTP topology

Before you configure the interface for root protection, be sure you have: •



Overview and Topology Peer STP applications running on switch interfaces exchange a special type of frame called a bridge protocol data unit (BPDU). Switches communicate interface information using BPDUs to create a loop-free topology that ultimately determines the root bridge and which interfaces block or forward traffic in the spanning tree. However, a root port elected through this process has the possibility of being wrongly elected. A user bridge application running on a PC can generate BPDUs, too, and interfere with root port election. To prevent this from happening, enable root protection on interfaces that should not receive superior BPDUs from the root bridge and should not be elected as the root port. These interfaces are typically located on an administrative boundary and are designated ports. When root protection is enabled on an interface: •

The interface is blocked from becoming the root port.

•

Root protection is enabled for all STP instances on that interface.

•

The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology.

CAUTION: An interface can be configured for either root protection or loop protection, but not for both.


2477

®


Four EX Series switches are displayed in Figure 79 on page 2478. In this example, they are configured for RSTP and create a loop-free topology. Interface ge-0/0/7 on Switch 1 is a designated port on an administrative boundary. It connects to Switch 4. Switch 3 is the root bridge. Interface ge-0/0/6 on Switch 1 is the root port. This example shows how to configure root protection on interface ge-0/0/7 to prevent it from transitioning to become the root port.

Figure 79: Network Topology for Root Protection

Table 287 on page 2478 shows the components that will be configured for root protection.

Table 287: Components of the Topology for Configuring Root Protection on EX Series Switches Property

Settings

Switch 1

Switch 1 is connected to Switch 4 through interface ge-0/0/7.

Switch 2

Switch 2 is connected to Switch 1 and Switch 3. Interface ge-0/0/4 is the alternate port in the RSTP topology.

Switch 3

Switch 3 is the root bridge and is connected to Switch 1 and Switch 2.

2478



Table 287: Components of the Topology for Configuring Root Protection on EX Series Switches (continued) Property

Settings

Switch 4

Switch 4 is connected to Switch 1. After loop protection is configured on interface ge-0/0/7, Switch 4 will send superior BPDUs that will trigger loop protection on interface ge-0/0/7.

A spanning tree topology contains ports that have specific roles: •


•


•


This configuration example uses an RSTP topology. However, you also can configure root protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.

Configuration To configure root protection on an interface: CLI Quick Configuration

To quickly configure root protection on interface ge-0/0/7, copy the following command and paste it into the switch terminal window: [edit] set protocols rstp interface ge-0/0/7 no-root-port


To configure root protection: 1.

Configure interface ge-0/0/7: [edit protocols rstp] user@switch# set interface ge-0/0/7 no-root-port (Spanning Trees)

Results

Check the results of the configuration: user@switch> show configuration protocols rstp interface ge-0/0/7.0 { no-root-port; }


Displaying the Interface State Before Root Protection Is Triggered on page 2479

•

Verifying That Root Protection Is Working on the Interface on page 2480

Displaying the Interface State Before Root Protection Is Triggered Purpose

Before root protection is triggered on interface ge-0/0/7, confirm the interface state.


2479

®


Action

Use the operational mode command: user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

Port ID

ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 ge-0/0/7.0 128:520 [output truncated]

Meaning

Designated port ID 128:513 128:514 128:515 128:516 128:517 128:2 128:1 128:520

Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348 16384.00aabbcc0348 32768.0019e2503f00

Port Cost 20000 20000 20000 20000 20000 20000 20000 20000

State

Role

BLK BLK BLK FWD FWD BLK FWD FWD

DIS DIS DIS DESG DESG ALT ROOT DESG

The output from the operational mode command show spanning-tree interface shows that ge-0/0/7.0 is a designated port in a forwarding state.

Verifying That Root Protection Is Working on the Interface Purpose

Action

A configuration change takes place on Switch 4. A smaller bridge priority on the Switch 4 causes it to send superior BPDUs to interface ge-0/0/7. Receipt of superior BPDUs on interface ge-0/0/7 will trigger root protection. Verify that root protection is operating on interface ge-0/0/7. Use the operational mode command: user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

Port ID

ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 ge-0/0/7.0 128:520 (Root—Incon) [output truncated]

Meaning

2480

Designated port ID 128:513 128:514 128:515 128:516 128:517 128:2 128:1 128:520

Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348 16384.00aabbcc0348 32768.0019e2503f00

Port Cost 20000 20000 20000 20000 20000 20000 20000 20000

State

Role

BLK BLK BLK FWD FWD BLK FWD BLK

DIS DIS DIS DESG DESG ALT ROOT DIS

The operational mode command show spanning-tree interface shows that interface ge-0/0/7.0 has transitioned to a loop inconsistent state. The loop inconsistent state makes the interface block and prevents the interface from becoming a candidate for the root port. When the root bridge no longer receives superior STP BPDUs from the interface, the interface will recover and transition back to a forwarding state. Recovery is automatic.




•


•


•


•


•



2481

®


2482


CHAPTER 72

Configuring Spanning-Tree Protocols •

Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 2483

•


•

Configuring Spanning-Tree Protocols (J-Web Procedure) on page 2485

•

Configuring MSTP (CLI Procedure) on page 2488

•

Configuring RSTP (CLI Procedure) on page 2489

•


Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) EX Series switches use bridge protocol data unit (BPDU) protection on interfaces to prevent them from receiving BPDUs that could trigger a spanning-tree misconfiguration. If BPDUs are received on a BPDU-protected interface, the interface transitions to a blocking state and stops forwarding frames. After the misconfiguration that triggered the BPDUs being sent to an interface is fixed in the topology, the interface can be unblocked and returned to service. To unblock an interface and return it to service using the CLI: •

Automatically unblock an interface by configuring a timer that expires (here, the interface is ge-0/0/6): [edit ethernet-switching-options] user@switch# set bpdu-block disable-timeout (Spanning Trees) 30 interface ge-0/0/6

•

Manually unblock an interface using the operational mode command: user@switch> clear ethernet-switching bpdu-error interface ge-0/0/6


•


•


•



2483

®


Configuring STP (CLI Procedure) The default spanning-tree protocol for EX Series switches is Rapid Spanning Tree Protocol (RSTP). RSTP provides faster convergence times than the original Spanning Tree Protocol (STP). However, some legacy networks require the slower convergence times of basic STP that work with 802.1D 1998 bridges. If your network includes 802.1D 1998 bridges, you can remove RSTP and explicitly configure STP. When you explicitly configure STP, the switches use the IEEE 802.1D 2004 specification, force version 0. This configuration runs a version of RSTP that is compatible with the classic, basic STP. To configure STP: 1.

Either delete RSTP on the entire switch or disable RSTP on specific interfaces: •

To delete RSTP on the entire switch: [edit protocols] user@switch# delete rstp (Spanning Trees)

•

To disable RSTP on a specific interface: [edit protocols] user@switch# set rstp (Spanning Trees) interface interface-name disable

2. Enable STP either on all interfaces or on a specific interface: •

To enable STP on all interfaces: [edit protocols] user@switch# set stp interface all

•

To enable STP on a specific interface: [edit protocols] user@switch# set stp interface interface-name

3. (Optional) Only if a routed VLAN interface (RVI) is configured, enable the Address

Resolution Protocol (ARP) for faster MAC address recovery: •

To enable ARP on STP on all interfaces: [edit protocols] user@switch# set stp interface all arp-on-stp

•

To enable ARP on STP on a specific interface: [edit protocols] user@switch# set stp interface interface-name arp-on-stp


2484

•

show spanning-tree bridge on page 2549

•

show spanning-tree interface on page 2560

•



Chapter 72: Configuring Spanning-Tree Protocols

Configuring Spanning-Tree Protocols (J-Web Procedure) EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP), and VLAN Spanning Tree Protocol (VSTP). You can configure STP, RSTP, and MSTP using the J-Web interface. You can configure bridge protocol data unit (BPDU) protection on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages. To configure STP, MSTP, or RSTP for an EX Series switch using the J-Web interface: 1.

Select Configure > Switching > Spanning Tree. The Spanning Tree Configuration page displays the spanning-tree protocol configuration parameters and a list of interfaces configured for each spanning-tree protocol configuration.


2. Click one: •

Add—Creates a spanning-tree protocol configuration. a. Select a protocol name. b. Enter information as described in Table 288 on page 2485. c. Click OK to apply changes to the configuration or click Cancel to cancel without

saving changes. •

Edit—Modifies a selected spanning-tree protocol configuration. a. Enter information as described in Table 288 on page 2485. b. Click OK to apply changes to the configuration or click Cancel to cancel without

saving changes. •

Delete—Deletes a selected spanning-tree protocol configuration.

Table 288: Spanning-Tree Protocol Configuration Parameters Field

Function

Your Action

Specifies the spanning-tree protocol type: STP, MSTP, or RSTP.

None.

General Protocol Name


2485

®


Table 288: Spanning-Tree Protocol Configuration Parameters (continued) Field

Function

Your Action

Disable

Disables spanning-tree protocol on the interface.

To enable this option, select the check box.

BPDU Protect

Specifies BPDU protection on all edge interfaces on the switch.

To enable this option, select the check box.

Bridge Priority

Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.

Select a value from the list.

Forward Delay

Specifies the number of seconds an interface waits before changing from spanning-tree learning and listening states to the forwarding state.

Type a value.

Hello Time

Specifies the time interval in seconds at which the root bridge transmits configuration BPDUs.

Type a value.

Max Age

Specifies the maximum-aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.

Type a value.

Max Hops

(MSTP only) Specifies the number of hops in a region before the BPDU is discarded.

Type a value.

Configuration Name

(MSTP only) Specifies the MSTP region name carried in the MSTP BPDUs.

Type a name.

Revision Level

(MSTP only) Specifies the revision number of the MSTP configuration.

Type a value.

Specifies an interface for the spanning-tree protocol.

1.

Ports Interface Name

Click the Ports tab.

2. Choose one:

Cost

2486

Specifies the link cost to determine which bridge is the designated bridge and which interface is the designated interface.

•

Click Add and select an interface from the list.

•

Select an interface in the Port/State table and click Edit.

•

To delete an interface from the configuration, select it in the Port/State table and click Remove.

Type a value.




Function

Your Action

Priority

Specifies the interface priority to determine which interface is elected as the root port.


Disable Port

Disables the spanning-tree protocol on the interface.

To enable the option, select the check box.

Edge

Configures the interface as an edge interface. Edge interfaces immediately transition to a forwarding state.


No Root Port

Specifies an interface as a spanning-tree designated port. If the bridge receives superior STP BPDUs on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked.


Interface Mode

Specifies the link mode.

1.


2. Select one:

BPDU Timeout Action

Specifies the BPDU timeout action for the interface.

•

Point to Point–For a full-duplex link, the default link mode is point-to-point.

•

Shared–For a half-duplex link, the default link mode is shared.

Select one: •

Log

•

Block

MSTI (MSTP only) MSTI Name

Specifies a name (an MSTI ID) for the MST instance.

1.

Click the MSTI tab.

2. Choose one:

Bridge Priority

Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.


•

Click Add.

•

Select an MSTI ID and click Edit.

•

To delete an MSTI from the configuration, select the MSTI ID and slick Remove.


2487

®



Function

Your Action

VLAN ID

Specifies the VLAN for the MST instance.

In the VLAN box, choose one:

Interfaces

Specifies an interface for the MST instance.

•

Click Add, select a VLAN from the list and click OK.

•

To remove a VLAN association, select the VLAN ID, click Remove, and click OK.

1.

In the Interfaces box, click Add and select an interface from the list, or select an interface from the list and click Edit.

2. Specify the link cost to determine which bridge is the designated bridge and which interface is the designated interface. 3. Specify the interface priority to determine which interface is elected as the root port. 4. If you want to disable the interface, select the check box. 5. Click OK. To delete an interface configuration, select the interface, click Remove, and click OK.


•


•

Monitoring Spanning-Tree Protocols on page 2493

•


•


•


•


Configuring MSTP (CLI Procedure) Multiple Spanning Tree Protocol (MSTP) maps multiple independent spanning-tree instances onto one physical topology on EX Series switches. Use MSTP to run a spanning-tree protocol on a selected group of VLANs. Because the default spanning-tree protocol for switches is Rapid Spanning Tree Protocol (RSTP), you must disable RSTP before enabling MSTP. To configure MSTP: 1.

Either delete RSTP on the entire switch or disable RSTP on specific interfaces: •

2488

To delete RSTP on the entire switch:



[edit protocols] user@switch# delete rstp (Spanning Trees) •

To disable RSTP on a specific interface: [edit protocols] user@switch# set rstp (Spanning Trees) interface interface-name disable

2. Enable MSTP on multiple VLANs using a VLAN range: [edit protocols] user@switch# set mstp msti msti-id vlan vlan-id-range 3. (Optional) If a routed VLAN interface (RVI) is configured, enable the Address

Resolution Protocol (ARP) for faster MAC address recovery: [edit protocols] user@switch# set mstp msti msti-id vlan vlan-id-range interface interface-name arp-on-stp


•


•


•


•


Configuring RSTP (CLI Procedure) The default spanning-tree protocol for EX Series switches is Rapid Spanning Tree Protocol (RSTP). RSTP provides faster convergence times than the original Spanning Tree Protocol (STP). Because RSTP is configured by default, you only need to use this procedure If another spanning-tree protocol has been configured. In that case, you can reconfigure RSTP. To enable RSTP: 1.

Disable the other configured spanning-tree protocol (STP, MSTP, or VSTP) from all interfaces or specific interfaces: •

To disable STP on all interfaces: [edit protocols] user@switch# set stp interface all disable

•

To disable STP on a specific interface: [edit protocols] user@switch# set stp interface interface-name disable

•

To disable MSTP on all interfaces: [edit protocols] user@switch# set mstp interface all disable

•

To disable MSTP on a specific interface: [edit protocols] user@switch# set mstp interface interface-name disable


2489

®


NOTE: You can issue the same commands for VSTP as you would for STP or MSTP, but this is not required because RSTP and VSTP are the only two protocols that can co-exist on an interface. Having both protocols configured is recommended under some circumstances—see “Configuring VSTP (CLI Procedure)” on page 2491.

2. Configure RSTP on the interface: •

To enable RSTP on all interfaces: [edit protocols] user@switch# set rstp interface all

•

To enable RSTP on a specific interface:

[edit protocols] user@switch# set rstp interface interface-name 3. (Optional) Enable the Address Resolution Protocol (ARP) for faster MAC address

recovery only if a routed VLAN interface (RVI) is configured: •

To enable ARP on RSTP on all interfaces: [edit protocols] user@switch# set rstp interface all arp-on-stp

•

To enable ARP on RSTP on a specific interface: [edit protocols] user@switch# set rstp interface interface-name arp-on-stp


2490

•


•


•


•




Configuring VSTP (CLI Procedure) The default spanning-tree protocol for EX Series switches is Rapid Spanning Tree Protocol (RSTP). VLAN Spanning Tree Protocol (VSTP) is an alternate protocol that allows EX Series switches to run one or more Spanning Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) instances for each VLAN on which VSTP is enabled. For networks with multiple VLANs, VSTP improves intelligent tree spanning by defining best paths within the VLANs instead of within the entire network.

NOTE: EX Series switches can have a maximum of 253 VLANs on VSTP. Therefore, to have as many spanning-tree protocol VLANs as possible, use both VSTP and RSTP. RSTP will then be applied to VLANs that exceed the limit for VSTP. Because RSTP is enabled by default, you just need to additionally enable VSTP.

You can configure VSTP for an interface at the global level (for all configured VLANs) or for a specific VLAN.

NOTE: •

If you configure VSTP on an interface at both the global and the specific VLAN level, the interface configuration that is defined at the specific VLAN level overrides the interface configuration that is defined at the global level.

•

If you specify VSTP to be configured on an interface that is not configured to belong to the VLAN (or VLANs), an error message is displayed.

To configure VSTP: 1.

Configure VSTP on a group of VLANs, on all VLANs, or on a specific VLAN, or a specific interface within a VLAN, or on a specific interface that belongs to all VLANs: •

To enable VSTP on multiple VLANs using a VLAN group: [edit protocols] user@switch# set vstp vlan-group group group-name vlan vlan-id-range

NOTE: EX Series switches can have a maximum of 253 VLANs on VSTP.

•

To enable VSTP on all VLANs:

NOTE: If you configure VSTP with the set prototocol vstp vlan all command, vlan-id 1 is excluded to be compatible with Cisco PVST+. If you want vlan-id 1 to be included in VSTP, you must set it separately using the set protocol vstp vlan 1 command.


2491

®


[edit protocols] user@switch# set vstp vlan all

NOTE: EX Series switches can have a maximum of 253 VLANs on VSTP. RSTP will then be applied to VLANs that exceed the limit for VSTP. Be sure that RSTP is also enabled (the default setting) when you use the command set vstp vlan all. In addition to this being a recommended practice, your configuration will not commit if VSTP is enabled on a switch with more than 253 VLANs.

•

To enable VSTP on a VLAN using a single VLAN ID: [edit protocols] user@switch# set vstp vlan vlan-id

•

To enable VSTP on a VLAN using a single VLAN name: [edit protocols] user@switch# set vstp vlan vlan-name

•

To enable VSTP on an interface at the global level: [edit protocols] user@switch# set vstp vlan all interface interface-name

•

To enable VSTP on an interface for a specific VLAN: [edit protocols] user@switch# set vstp vlan (vlan-id | vlan-name)interface interface-name

2. (Optional) Enable the Address Resolution Protocol (ARP) for faster MAC address

recovery only If a routed VLAN interface (RVI) is configured: •

To enable ARP on VSTP for all VLANs: [edit protocols] user@switch# set vstp vlan all arp-on-stp

•

To enable ARP on VSTP on a VLAN using a single VLAN ID: [edit protocols] user@switch# set vstp vlan vlan-id arp-on-stp

•

To enable ARP on VSTP on a VLAN using a single VLAN name: [edit protocols] user@switch# set vstp vlan vlan-name arp-on-stp


2492

•


•


•



CHAPTER 73

Verifying Spanning-Tree Protocols •

Monitoring Spanning-Tree Protocols on page 2493

Monitoring Spanning-Tree Protocols Purpose

Action

Use the monitoring feature to view status and information about the spanning-tree protocol parameters on your EX Series switch. To display spanning-tree protocol parameter details in the J-Web interface, select Monitor > Switching > STP. To display spanning-tree protocol parameter details in the CLI, enter the following commands:

Meaning

•

show spanning-tree interface

•

show spanning-tree bridge

Table 289 on page 2493 summarizes the spanning-tree protocol parameters.

Table 289: Summary of Spanning-Tree Protocols Output Fields Field

Values

Bridge Parameters Context ID

An internally generated identifier.

Enabled Protocol

Spanning-tree protocol type enabled.

Root ID

Bridge ID of the elected spanning-tree root bridge. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.

Bridge ID

Locally configured bridge ID.

Hello Time

The time for which the bridge interface remains in the listening or learning state.

Forward Delay

The time for which the bridge interface remains in the listening or learning state before transitioning to the forwarding state.


2493

®


Table 289: Summary of Spanning-Tree Protocols Output Fields (continued) Field

Values

Extended System ID

The system ID.

Inter Instance ID

An internally generated instance identifier.

Maximum Age

Maximum age of received bridge protocol data units (BPDUs).

Number of topology changes

Total number of STP topology changes detected since the switch last booted.

Spanning Tree Interface Details Interface Name

Interface configured to participate in the STP instance.

Port ID

Logical interface identifier configured to participate in the STP instance.

Designated Port ID

Port ID of the designated port for the LAN segment to which the interface is attached.

Designated Bridge ID

ID of the designated bridge to which the interface is attached.

Port Cost

Configured cost for the interface.

Port State

STP port state:

Role

•

Forwarding (FWD)

•

Blocking (BLK)

•

Listening

•

Learning

•

Disabled

MSTP or RSTP port role, Designated (DESG), backup (BKUP), alternate (ALT), or root.

Spanning Tree Statistics of Interface Interface

Interface for which statistics is being displayed.

BPDUs Sent

Total number of BPDUs sent.

BPDUs Received

Total number of BPDUs received.

Next BPDU Transmission

Number of seconds until the next BPDU is scheduled to be sent.


2494

•


•


•

Configuring Spanning-Tree Protocols (J-Web Procedure) on page 2485

•



Chapter 73: Verifying Spanning-Tree Protocols

•


•



2495

®


2496


CHAPTER 74

Configuration Statements for Spanning-Tree Protocols •


[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; } } dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable;


2497

®


immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send); } } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mld-snooping { traceoptions { file filename ; flag flag ; }

2498


Chapter 74: Configuration Statements for Spanning-Tree Protocols

vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address;


2499

®


traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost;

2500



disable; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name {


2501

®


level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable; calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count; symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count;

2502



frame-period-summary count; symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number;


2503

®


ingress number; } source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name; } } } traceoptions (Uplink Failure Detection) { file filename ; flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds;

2504



hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•



2505

®


•


•


arp-on-stp Syntax Hierarchy Level


arp-on-stp; [edit protocols mstp interface (Spanning Trees) (all | interface-name)], [edit protocols rstp interface (Spanning Trees) (all | interface-name)], [edit protocols stp interface (Spanning Trees) (all | interface-name)], [edit protocols vstp (all |vlan--id | vlan--name) interface (Spanning Trees) (all | interface-name)]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the Address Resolution Protocol (ARP) in a spanning-tree network so that when a spanning-tree protocol topology change notification (TCN) is issued, the VLAN with a broken link can relearn MAC addresses from another, redundant VLAN in the network. The network must include a routed VLAN interface (RVI). When a link fails in a spanning-tree network (RSTP, STP, MSTP, or VSTP), a message called a TCN is issued that causes all affected Ethernet switching table entries to be flushed. The network must then relearn the MAC addresses using flooding. If you have configured an RVI on the network, you have the option of having the VLAN with the broken link relearn MAC addresses from another VLAN using ARP, thereby avoiding excessive flooding on the VLAN with the broken link.


2506

ARP on STP is disabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

Configuring MSTP (CLI Procedure) on page 2488

•

Configuring RSTP (CLI Procedure) on page 2489

•


•




block Syntax Hierarchy Level

Release Information


block; [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. Configure loop protection on a specific interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•


•



2507

®


bpdu-block Syntax


bpdu-block { interface (BPDU Block) (all | [interface-name]); disable-timeout (Spanning Trees) timeout; } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure BPDU protection on an interface. If the interface receives BPDUs, it is disabled. The statements are explained separately.


2508



•


•

clear ethernet-switching bpdu-error on page 2546

•


•


•


•




bpdu-block-on-edge Syntax Hierarchy Level

Release Information


bpdu-block-on-edge; [edit protocols mstp (Spanning Trees)], [edit protocols rstp (Spanning Trees)], [edit protocols vstp (Spanning Trees)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. Statement updated in Junos OS Release 11.1 for EX Series switches to change blocking behavior to port shutdown. Configure bridge protocol data unit (BPDU) protection on all edge ports of a switch. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•

clear ethernet-switching bpdu-error on page 2546

•


•


•


•



2509

®


bpdu-timeout-action Syntax

Hierarchy Level

Release Information

Description

bpdu-timeout-action { block (Spanning Trees); log (Spanning Trees); } [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)] [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. Configure the BPDU timeout action on a specific interface. You must configure at least one action (log, block, or both). The remaining statements are explained separately.


2510



•


•


•


•


•




bridge-priority Syntax Hierarchy Level

Release Information

Description

Default Options

bridge-priority priority; [edit protocols mstp (Spanning Trees)], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id], [edit protocols rstp (Spanning Trees)], [edit protocols stp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. Configure the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. 32,768 priority—Bridge priority. It can be set only in increments of 4096.

Range: 0 through 61,440 Default: 32,768 Required Privilege Level Related Documentation



•


•


•


•



2511

®


configuration-name Syntax Hierarchy Level Release Information Description


2512

configuration-name configuration-name; [edit protocols mstp (Spanning Trees)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the configuration name. The configuration name is the MSTP region name carried in the MSTP BPDUs. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•




cost Syntax Hierarchy Level

cost cost; [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name arp-on-stp], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure the link cost to control which bridge is the designated bridge and which interface is the designated interface.

Default Options

The link cost is determined by the link speed. cost—Link cost associated with the port.

Range: 1 through 200,000,000 Required Privilege Level Related Documentation



•


•


•


•


•



2513

®


disable Syntax

disable;

Hierarchy Level

[edit protocols mpls], [edit protocols mpls interface (all | interface-name)], [edit protocols mstp (Spanning Trees)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id vlan (Spanning Trees) (vlan-id | vlan-name) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id vlan (Spanning Trees) (vlan-id | vlan-name) interface (Spanning Trees) interface-name arp-on-stp], [edit protocols rstp (Spanning Trees)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)] [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Release Information



2514

Disable STP, MPLS, MSTP, RSTP, or VSTP on the switch or on a specific interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•




disable-timeout Syntax Hierarchy Level Release Information Description

Default Options

disable-timeout timeout; [edit ethernet-switching-options bpdu-block]

Statement introduced in Junos OS Release 9.1 for EX Series switches. For interfaces configured for BPDU protection, specify the amount of time an interface receiving BPDUs is disabled. The disable timeout is not enabled. timeout —Amount of time, in seconds, the interface receiving BPDUs is disabled. Once

the timeout expires, the interface is brought back into service. Range: 10 through 3600 seconds Required Privilege Level Related Documentation



•


•


•


•


•



2515

®


edge Syntax Hierarchy Level

edge; [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Release Information


Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure interfaces as edge interfaces. Edge interfaces immediately transition to a forwarding state.


2516

Edge interfaces are not enabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•




force-version Syntax Hierarchy Level Release Information Description


force-version stp; [edit protocols vstp (Spanning Trees)]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Force VLAN Spanning Tree Protocol (VSTP) to use the STP protocol instead of the default protocol, RSTP. stp—Spanning Tree Protocol



•


•



2517

®


forward-delay Syntax Hierarchy Level

forward-delay seconds; [edit protocols mstp (Spanning Trees)], [edit protocols rstp (Spanning Trees)], [edit protocols stp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id]

Release Information


Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify how long a bridge interface remains in the listening and learning states before transitioning to the forwarding state.

Default Options

15 seconds seconds—Number of seconds the bridge interface remains in the listening and learning

states. Range: 4 through 30 seconds Default: 15 seconds Required Privilege Level Related Documentation

2518



•


•


•


•


•


•




hello-time Syntax Hierarchy Level

hello-time seconds; [edit protocols mstp (Spanning Trees)], [edit protocols rstp (Spanning Trees)], [edit protocols stp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id]

Release Information


Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify the time interval at which the root bridge transmits configuration BPDUs.

Default Options

2 seconds seconds—Number of seconds between transmissions of configuration BPDUs.




•


•


•


•


•


•



2519

®


interface Syntax Hierarchy Level Release Information Description Options

interface (all | [interface-name]); [edit ethernet-switching-options bpdu-block]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Apply BPDU protection to all interfaces or one or more interfaces. all—All interfaces. interface-name —Name of a Gigabit Ethernet interface.


2520



•


•


•


•


•




interface Syntax

Hierarchy Level

interface interface-name { arp-on-stp; bpdu-timeout-action block (Spanning Trees); log (Spanning Trees); cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } [edit protocols mstp (Spanning Trees)], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id], [edit protocols rstp (Spanning Trees)], [edit protocols stp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) all], [edit protocols vstp (Spanning Trees) vlan (vlan-id | vlan-name)],

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. Statement introduced in Junos OS Release 11.1 for the QFX Series.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure an interface. The edge, mode, and no-root-port options are not available at the [edit protocols mstp msti msti-id] hierarchy level.

Options

interface-name—Name of an interface.




•


•


•


•

Example: Configuring Network Regions for VLANs with MSTP

•

Example: Configuring Faster Convergence and Improving Network Stability with RSTP

•



2521

®


•


log Syntax Hierarchy Level

Release Information

Description


2522

log; [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) bpdu-timeout-action (Spanning Trees)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. For interfaces configured for loop protection, configure the software to generate a message to be sent to the system log file /var/log/messages to record the loop-protection event. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•


•




max-age Syntax Hierarchy Level

max-age seconds; [edit protocols mstp (Spanning Trees)], [edit protocols rstp (Spanning Trees)], [edit protocols stp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id]

Release Information


Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify the maximum age of received protocol BPDUs.

Default Options

20 seconds seconds—The maximum age of received protocol BPDUs.




•


•


•


•


•


•



2523

®


max-hops Syntax Hierarchy Level Release Information Description

Default Options

max-hops hops; [edit protocols mstp (Spanning Trees)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Multiple Spanning Tree Protocol (MSTP), configure the maximum number of hops a BPDU can be forwarded in the MSTP region. 20 hops hops — Number of hops the BPDU can be forwarded.

Range: 1 through 255 hops Default: 20 hops Required Privilege Level Related Documentation

2524



•


•


•




mode Syntax

mode mode;

Hierarchy Level

[edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name) arp-on-stp], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Release Information


Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), configure the link mode to identify point-to-point links.

Default

Options


For a full-duplex link, the default link mode is point-to-point. For a half-duplex link, the default link mode is shared. mode—Link mode: •

point-to-point—Link is point to point.

•

shared—Link is shared media.



•


•


•


•



2525

®


•


msti Syntax


Default Options

msti msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; priority (Spanning Trees) priority; } } [edit protocols mstp (Spanning Trees)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the Multiple Spanning Tree Instance (MSTI) identifier for Multiple Spanning Tree Protocol (MSTP). MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions. MSTI is disabled. msti-id —MSTI identifier.

Range: 1 through 4094. The Common Instance Spanning Tree (CIST) is always MSTI 0. The remaining statements are explained separately. Required Privilege Level Related Documentation

2526



•


•


•




mstp Syntax


mstp { bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; disable (Spanning Trees); forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) ( all | interface-name ){ arp-on-stp; bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } [edit protocols]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Multiple Spanning Tree Protocol (MSTP). MSTP is defined in the IEEE 802.1Q-2003 specification and is used to create a loop-free topology in networks with multiple spanning tree regions. The statements are explained separately.

Default

MSTP is disabled.


2527

®



2528



•


•


•




no-root-port Syntax Hierarchy Level

no-root-port; [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Release Information


Description

Configure an interface to be a spanning-tree designated port. If the bridge receives superior STP bridge protocol data units (BPDUs) on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked.




•


•


•


•


•



2529

®



priority priority; [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols mstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name], [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id interface (Spanning Trees) interface-name arp-on-stp], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols rstp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name)], [edit protocols stp (Spanning Trees) interface (Spanning Trees) (all | interface-name) arp-on-stp], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id interface (Spanning Trees) (all | interface-name) arp-on-stp]

Release Information


Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), or Multiple Spanning Tree Protocol (MSTP), specify the interface priority to control which interface is elected as the root port.

Default Options

The default value is 128. priority—Interface priority. The interface priority must be set in increments of 16.


2530



•


•


•


•


•




revision-level Syntax Hierarchy Level Release Information Description

Default Options

revision-level revision-level; [edit protocols mstp (Spanning Trees)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Multiple Spanning Tree Protocol (MSTP), set the revision number of the MSTP configuration. The revision level is disabled. revision-level —Revision number of the MSTP region configuration.




•


•


•



2531

®


rstp Syntax


rstp { bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; disable (Spanning Trees); forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp; bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } [edit protocols]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Rapid Spanning Tree Protocol (RSTP). RSTP is defined in the IEEE 802.1D-2004 specification and is used to prevent loops in Layer 2 networks, which results in shorter convergence times than those provided by basic Spanning Tree Protocol (STP). VSTP and RSTP can be configured concurrently. You can selectively configure up to 253 VLANs using VSTP; the remaining VLANs will be configured using RSTP. VSTP and RSTP are the only spanning-tree protocols that can be configured concurrently on the switch. See “Configuring VSTP (CLI Procedure)” on page 2491 for more information on configuring VSTP and RSTP concurrently.

BEST PRACTICE: Configure RSTP when you configure VSTP. RSTP overhead is minimal and this configuration ensures that a spanning-tree protocol is running on all VLANs on your switch, even when your switch is supporting more than 253 VLANs.


2532




RSTP is enabled on all Ethernet switching interfaces. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•



2533

®


stp Syntax


stp { bpdu-block-on-edge ; bridge-priority (Spanning Trees) priority; disable (Spanning Trees); forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp; bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } [edit protocols]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Spanning Tree Protocol (STP). When you explicitly configure STP, the switches use the IEEE 802.1D 2004 specification, force version 0. This configuration runs a version of RSTP that is compatible with the classic, basic STP (defined in the IEEE 802.1D 1998 specification). The remaining statements are explained separately.


2534

STP is disabled. By default, RSTP is enabled on all Ethernet switching ports. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•




•



2535

®


traceoptions Syntax

Hierarchy Level

Release Information


traceoptions { file name ; flag flag ; } [edit protocols mpls], [edit protocols mstp (Spanning Trees)], [edit protocols rstp (Spanning Trees)], [edit protocols stp (Spanning Trees)], [edit protocols vstp (Spanning Trees) vlan (Spanning Trees) vlan-id]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated in Junos OS Release 9.4 for EX Series switches to add VSTP support. Set protocol-level tracing options for MPLS, STP, RSTP, MSTP, and VSTP. Traceoptions is disabled. disable—(Optional) Disable the tracing operation. One use of this option is to disable a

single operation when you have defined a broad group of tracing operations, such as all. file name —Name of the file to receive the output of the tracing operation. Enclose the

name in quotation marks. We recommend that you place STP tracing output in the file /var/log/stp-log. files number —(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file .0, then trace-file .1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option. Range: 2 through 1000 files Default: 1 trace file only flag—Tracing operation to perform. To specify more than one tracing operation, include

multiple flag statements: •

all —Trace all operations.

•

all-failures—Trace all failure conditions.

•

bpdu —Trace BPDU reception and transmission. Note that you must also use port-transmit-state-machine in order to log transmit operations.

•

2536

bridge-detection-state-machine —Trace the bridge detection state machine.



•

events —Trace events of the protocol state machine.

•

port-information-state-machine —Trace the port information state machine.

•

port-migration-state-machine —Trace the port migration state machine.

•

port-receive-state-machine —Trace the port receive state machine.

•

port-role-select-state-machine —Trace the port role selection state machine.

•

port-role-transit-state-machine —Trace the port role transit state machine.

•

port-state-transit-state-machine —Trace the port state transit state machine.

•

port-transmit-state-machine —Trace the port transmit state machine

•

ppmd —Trace the state and events for the ppmd process

•

state-machine-variables —Trace when the state machine variables change

•

timers —Trace protocol timers

•

topology-change-state-machine —Trace the topology change state machine.

no-stamp—(Optional) Do not place timestamp information at the beginning of each line

in the trace file. Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output. no-world-readable—(Optional) Prevent aney user from reading the log file. replace—(Optional) Replace an existing trace file if there is one.

Default: If you do not include this option, tracing output is appended to an existing trace file. size size —(Optional) Maximum size of each trace file, in kilobytes (KB) or megabytes

(MB). When a trace file named trace-file reaches this size, it is renamed trace-file .0. When the trace-file again reaches its maximum size, trace-file .0 is renamed trace-file .1 and trace-file is renamed trace-file .0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you must also specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 1 MB world-readable—(Optional) Allow any user to read the log file.


routing—To view this statement in the configuration. routing-control—To add this statement to the configuration.


2537

®



2538

•


•


•


•


•


•


•


•




vlan Syntax

Hierarchy Level

Release Information

Description

vlan (vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) interface-name { bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } [edit protocols mstp (Spanning Trees) msti (Spanning Trees) msti-id] [edit protocols vstp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches. Configure the VLANs for a Multiple Spanning Tree Instance (MSTI) or VSTP instance.

NOTE: When you configure VSTP with the set prototocol vstp vlan all command, vlan-id 1 is excluded to be compatible with Cisco PVST+. If you want vlan-id 1 to be included in VSTP, you must set it separately with the set protocol vstp vlan 1 command.


Default

Not enabled.


2539

®


Options

vlan-id—Numeric VLAN identifier. vlan-name—Name of the VLAN.


2540



•




vlan (VSTP) Syntax


Description

vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } [edit protocols vstp]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches. Option all introduced in Junos OS Release 10.0 for EX Series switches. Configure VSTP VLAN parameters.


Options

all—All VLANs. vlan-id—Numeric VLAN identifier. vlan-name—Name of the VLAN.



2541

®



2542





vstp Syntax


vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp; bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; disable; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } [edit protocols]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure VLAN Spanning Tree Protocol (VSTP). VSTP is used to prevent loops in Layer 2 networks on a per-VLAN basis. VSTP VLANs are limited to 253 on each switch. If the number of VLANs on your switch exceeds the VSTP VLAN limit, you must use the vlan (Spanning Trees) statement to specify which VLANs or VLAN groups should use VSTP. You also cannot use the vlan all option to configure VSTP when your switch has more than the maximum allowed VSTP VLANs. To ensure all VLANs are running a spanning-tree protocol, run RSTP for networks with large numbers of VLANs .

BEST PRACTICE: Configure RSTP when you configure VSTP. RSTP overhead is minimal and this configuration ensures that a spanning-tree protocol is running on all VLANs on your switch, even when your switch is supporting more than the maximum number of allowed VSTP VLANs.


2543

®



2544

VSTP is not enabled by default. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•

Configuring VSTP (CLI Procedure)

•



CHAPTER 75

Operational Commands for Spanning-Tree Protocols


2545

®


clear ethernet-switching bpdu-error Syntax

clear ethernet-switching bpdu-error interface interface-name

Release Information

Command introduced in Junos OS Release 9.1 for EX Series switches. Command updated in Junos OS Release 11.1 for EX Series switches—a BPDU error shuts down the interface and this command brings the interface back up. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Clear bridge protocol data unit (BPDU) errors from an interface and bring up the interface.



interface-name—Clear BPDU errors on the specified interface.

clear

•


•


•

Understanding BPDU Protection for STP, RSTP, and MSTP

clear ethernet-switching bpdu-error interface on page 2546

Sample Output clear ethernet-switching bpdu-error interface

2546

user@switch> clear ethernet-switching bpdu-error interface xe-0/0/1.0


Chapter 75: Operational Commands for Spanning-Tree Protocols

clear spanning-tree statistics Syntax

Syntax (EX Series Switches and the QFX Series) Release Information

Description Options

clear spanning-tree statistics clear spanning-tree statistics

Command introduced in Junos OS Release 8.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Clear Spanning Tree Protocol statistics. none—Reset STP counters for all interfaces for all routing instances. interface interface-name—(Optional) Clear STP statistics for the specified interface only. logical-system logical-system-name—(Optional) Clear STP statistics on a particular

logical system.

NOTE: The logical-system option is not available on QFabric switches.


clear

•

show spanning-tree statistics on page 2567

clear stp statistics on page 2547

Sample Output clear stp statistics

user@host> clear stp statistics


2547

®


clear spanning-tree statistics Syntax


clear spanning-tree statistics ;

Command introduced in Junos OS Release 9.0 for EX Series switches. Reset STP statistics for the all interfaces or a specified interface. none—Reset STP counters for all interfaces. interface-name —(Optional) The name of the interface for which statistics should be

reset. logical-unit-number —(Optional) The logical unit number of the interface.



clear

•


•


•


clear spanning-tree statistics on page 2548 This command produces no output.

Sample Output clear spanning-tree statistics

2548

user@switch> clear spanning—tree statistics



show spanning-tree bridge Syntax


Options


Command introduced in Junos OS Release 9.0 for EX Series switches. Display the configured or calculated spanning-tree protocol (can be either STP, RSTP, MSTP, or VSTP) parameters. none—(Optional) Display brief spanning-tree protocol bridge information for all Multiple

Spanning Tree Instances (MSTIs). brief | detail—(Optional) Display the specified level of output. msti msti-id—(Optional) Display spanning-tree protocol bridge information for the

specified MSTI or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a value from 1 through 4094 for an MSTI. vlan vlan-id—(Optional) Display spanning-tree protocol bridge information for the specified

VLAN. Specify a VLAN tag identifier from 1 through 4094. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


show spanning-tree bridge on page 2552 show spanning-tree bridge brief on page 2552 show spanning-tree bridge detail on page 2553 Table 290 on page 2549 lists the output fields for the show spanning-tree bridge command. Output fields are listed in the approximate order in which they appear.

Table 290: show spanning-tree bridge Output Fields Field Name Context ID


Field Description

Level of Output


VSTP all, RSTP all, MSTP all, STP all

2549

®


Table 290: show spanning-tree bridge Output Fields (continued) Field Name

2550

Field Description

Level of Output

Enabled protocol

Spanning-tree protocol type enabled.


Root ID

Bridge ID of the elected spanning tree root bridge. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.


Root cost

Calculated cost to reach the root bridge from the bridge where the command is entered.

VSTP all

Root port

Interface that is the current elected root port for this bridge.

VSTP all

CIST regional root

Bridge ID of the elected MSTP regional root bridge.

MSTP all

CIST internal root cost

Calculated cost to reach the regional root bridge from the bridge where the command is entered.

MSTP all

Hello time

Configured number of seconds between transmissions of configuration BPDUs.


Maximum age

Maximum age of received protocol BPDUs.


Forward delay

Configured time an STP bridge port remains in the listening and learning states before transitioning to the forwarding state.


Message age

Number of seconds elapsed since the most recent BPDU was received.

VSTP all, RSTP all, STP all

Number of topology changes

Total number of STP topology changes detected since the switch last booted.


Time since last topology change

Number of seconds elapsed since the most recent topology change.

RSTP detail

Topology change initiator

Interface name of the interface that received the topology change request.

RSTP detail



Table 290: show spanning-tree bridge Output Fields (continued) Field Name

Field Description

Level of Output

Topology change last recvd. from

Bridge ID of the bridge that requested the last topology change.

RSTP detail

Bridge ID (local)

Locally configured bridge ID. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.


Extended system ID (local)

Internally generated system identifier.


MSTI regional root

Bridge ID of the elected MSTP regional root bridge.

MSTP detail

Internal instance ID (local)



Hello time (local)

Configured number of seconds between transmissions of configuration BPDUs.

RSTP detail, MSTP detail, STP detail

Maximum age (local)

Maximum age of received protocol BPDUs.

VSTP detail, RSTP detail, MSTP detail, STP detail

Forward delay (local)

Configured time an STP bridge port remains in the listening and learning states before transitioning to the forwarding state.

RSTP detail, MSTP detail, STP detail

Path Cost Method (local)

Bridges supporting 802.1D (legacy) implement only 16-bit values for path cost. Newer versions of this standard support 32-bit values.

VSTP detail, RSTP detail, MSTP detail, STP detail

Maximum Hop count (local)

Configured maximum number of hops a BPDU can be forwarded in the MSTP region.

MSTP detail


2551

®


Sample Output show spanning-tree bridge

user@switch> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay Hop count Message age Number of topology changes Time since last topology change Topology change initiator Topology change last recvd. from Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 10 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Number of topology changes Time since last topology change Topology change initiator Topology change last recvd. from Local parameters Bridge ID Extended system ID Internal instance ID

show spanning-tree bridge brief

2552

: : : : : : : : : : : : : :

32768.00:11:f2:56:df:40 0 ge-0/0/1.0 32768.00:11:f2:56:df:40 20000 2 seconds 20 seconds 15 seconds 19 0 1 108 seconds ge-0/0/1.0 00:11:f2:56:df:4c

: 32768.00:11:f2:57:1c:00 : 0 : 0

: : : : : : : : : : :

32778.00:11:f2:56:df:40 20000 ge-0/0/1.0 2 seconds 20 seconds 15 seconds 19 1 108 seconds ge-0/0/1.0 00:11:f2:56:df:41

: 32778.00:11:f2:57:1c:00 : 0 : 1

user@switch> show spanning-tree bridge brief STP bridge parameters Context ID : 0 Enabled protocol : RSTP Root ID : 32768.00:19:e2:50:95:a0 Hello time : 2 seconds Maximum age : 20 seconds Forward delay : 15 seconds Message age : 0 Number of topology changes : 0 Local parameters Bridge ID : 32768.00:19:e2:50:95:a0



Extended system ID Internal instance ID

show spanning-tree bridge detail

: 0 : 0

user@switch> show spanning-tree bridge detail STP bridge parameters Context ID : 0 Enabled protocol : RSTP Root ID : 32768.00:19:e2:50:95:a0 Hello time : 2 seconds Maximum age : 20 seconds Forward delay : 15 seconds Message age : 0 Number of topology changes : 0 Local parameters Bridge ID : 32768.00:19:e2:50:95:a0 Extended system ID : 0 Internal instance ID : 0 Hello time : 2 seconds Maximum age : 20 seconds Forward delay : 15 seconds Path cost method : 32 bit


2553

®


show spanning-tree interface Syntax

Syntax (EX Series Switches and the QFX Series)

Release Information

Description Options

show spanning-tree interface show spanning-tree interface

Command introduced in Junos OS Release 8.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the configured or calculated interface-level STP parameters. none—Display brief STP interface information. brief | detail—(Optional) Display the specified level of output. msti msti-id—(Optional) Display STP interface information for the specified MST instance. routing-instance routing-instance-name—(Optional) Display STP interface information

for the specified routing instance. vlan-id vlan-id—(Optional) Display STP interface information for the specified VLAN.


Output Fields

view

show spanning-tree interface on page 2555 show spanning-tree interface (QFX Series) on page 2556 show spanning-tree interface detail on page 2556 show spanning-tree interface msti on page 2558 show spanning-tree interface vlan-id on page 2558 show spanning-tree interface (VSTP) on page 2558 show spanning-tree interface vlan-id (VSTP) on page 2559 Table 291 on page 2554 lists the output fields for the show spanning-tree Interface command. Output fields are listed in the approximate order in which they appear.

Table 291: show spanning-tree Interface Output Fields

2554

Field Name

Field Description

Interface name

Interface configured to participate in the STP, RSTP, VSTP, or MSTP instance.



Table 291: show spanning-tree Interface Output Fields (continued) Field Name

Field Description

Port ID

Logical interface identifier configured to participate in the MSTP or VSTP instance.

Designated port ID

Port ID of the designated port for the LAN segment to which this interface is attached.


Bridge ID of the designated bridge for the LAN segment to which this interface is attached.

Port Cost


Port State

STP port state: forwarding (FWD), blocking (BLK), listening, learning, or disabled.

Port Role

MSTP, VSTP, or RSTP port role: designated (DESG), backup (BKUP), alternate (ALT), (ROOT), or Root Prevented (Root-Prev).

Link type

MSTP, VSTP, or RSTP link type. Shared or point-to-point (pt-pt) and edge or nonedge.

Alternate

Identifies the interface as an MSTP, VSTP, or RSTP alternate root port (Yes) or nonalternate root port (No).

Boundary Port

Identifies the interface as an MSTP regional boundary port (Yes) or nonboundary port (No).

Sample Output show spanning-tree interface

user@host> show spanning-tree interface routing-instance vs1 detail Spanning tree interface parameters for instance 0 Interface ae1 ge-2/1/2 ge-2/1/5 ge-2/2/1 xe-9/2/0 xe-9/3/0

Port ID 128:1 128:2 128:3 128:4 128:5 128:6


Designated bridge ID 32768.0090690b47d1 32768.0090690b47d1 32768.0090690b47d1 32768.0013c39ec880 32768.0090690b47d1 32768.0090690b47d1

Port Cost 1000 20000 29999 20000 2000 2000

State

Role

FWD FWD FWD FWD FWD FWD

DESG DESG DESG ROOT DESG DESG

Port Cost 1000 20000 29999 20000 2000 2000

State

Role



Spanning tree interface parameters for instance 1 Interface ae1 ge-2/1/2 ge-2/1/5 ge-2/2/1 xe-9/2/0 xe-9/3/0

Port ID 128:1 128:2 128:3 128:4 128:5 128:6



Spanning tree interface parameters for instance 2


2555

®


Interface

Port ID

ae1 ge-2/1/2 ge-2/1/5 ge-2/2/1 xe-9/2/0 xe-9/3/0

show spanning-tree interface (QFX Series)

128:1 128:2 128:3 128:4 128:5 128:6



Port Cost 1000 20000 29999 20000 2000 2000

State

Role



Port Cost 1000 20000 29999 20000 2000 2000

State

Role



Designated Designated Port port ID bridge ID Cost 128:1 32769.0090690b47d1 1000 128:2 32769.0090690b47d1 20000 128:3 32769.0090690b47d1 29999 128:26 32769.0013c39ec880 20000 128:5 32769.0090690b47d1 2000 FWD 128:6 32769.0090690b47d1 2000 FWD

State

Role

FWD FWD FWD FWD DESG DESG

DESG DESG DESG ROOT

State

Role

FWD FWD FWD FWD DESG DESG

DESG DESG DESG ROOT

user@lf0> show spanning-tree interface routing-instance vs1 detail Spanning tree interface parameters for instance 0 Interface

Port ID

ae1 ge-2/1/2 ge-2/1/5 ge-2/2/1 xe-9/2/0 xe-9/3/0

128:1 128:2 128:3 128:4 128:5 128:6




Port ID 128:1 128:2 128:3 128:4 128:5 128:6


show spanning-tree interface detail

2556

Port ID 128:1 128:2 128:3 128:4 128:5 128:6

Designated Designated Port port ID bridge ID Cost 128:1 32770.0090690b47d1 1000 128:2 32770.0090690b47d1 20000 128:3 32770.0090690b47d1 29999 128:26 32770.0013c39ec880 20000 128:5 32770.0090690b47d1 2000 FWD 128:6 32770.0090690b47d1 2000 FWD

user@host> show spanning-tree interface routing-instance vs1 detail Spanning tree interface parameters for instance 0 Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port

: : : : : : : :

ae1 128.1 128.1 1000 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No

Interface name Port identifier Designated port ID Port cost

: : : :

ge-2/1/2 128.2 128.2 20000



Port state Designated bridge ID Port role Link type Boundary port

: : : :

Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No

Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port

: : : : : : : :


: : : : : : : :


: : : : : : : :


: : : : : : : :

ge-2/1/5 128.3 128.3 29999 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No ge-2/2/1 128.4 128.26 20000 Forwarding 32768.00:13:c3:9e:c8:80 Root Pt-Pt/NONEDGE : No xe-9/2/0 128.5 128.5 2000 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No xe-9/3/0 128.6 128.6 2000 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No

Spanning tree interface parameters for instance 1 Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port

: : : : : : : :

Interface name Port identifier

: ge-2/1/2 : 128.2


ae1 128.1 128.1 1000 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No

2557

®


Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port

: : : : : :

128.2 20000 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No


: : : : : : : :


: : : : : : : :

ge-2/1/5 128.3 128.3 29999 Forwarding 32768.00:90:69:0b:47:d1 Designated Pt-Pt/NONEDGE : No ge-2/2/1 128.4 128.26 20000 Forwarding 32768.00:13:c3:9e:c8:80 Root Pt-Pt/NONEDGE : No

...

show spanning-tree interface msti

user@host> show spanning-tree interface msti 1 routing-instance vs1 detail Spanning tree interface parameters for instance 1 Interface xe-7/0/0 ge-5/1/0 ge-5/1/1 ae1 ge-5/1/4 xe-7/2/0

show spanning-tree interface vlan-id

ge-11/0/5 ge-11/0/6 ge-11/1/0 ge-11/1/1 ge-11/1/4 xe-10/0/0 xe-10/2/0

Designated bridge ID 32769.0090690b4fd1 32769.0090690b4fd1 32769.0090690b4fd1 32769.0090690b47d1 32769.0090690b47d1 32769.0090690b47d1

Port Cost 2000 20000 20000 10000 20000 2000

State

Role

FWD FWD FWD BLK BLK FWD

DESG DESG DESG ALT ALT ROOT

Port ID 128:1 128:2 128:3 128:4 128:5 128:6 128:7


Designated bridge ID 32768.0090690b7fd1 32768.0090690b7fd1 32768.0090690b4fd1 32768.0090690b4fd1 32768.0090690b47d1 32768.0090690b4fd1 32768.0090690b47d1

Port Cost 20000 20000 20000 20000 20000 2000 2000

State

Role

FWD BLK BLK BLK BLK BLK FWD

DESG BKUP ALT ALT ALT ALT ROOT

Cost

State

Role

user@host> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface

2558

128:1 128:2 128:3 128:4 128:5 128:6


user@host> show spanning-tree interface vlan-id 101 routing-instance vs1 detail Spanning tree interface parameters for instance 0 Interface

show spanning-tree interface (VSTP)

Port ID

Port ID

Designated port ID




ge-1/0/1 ge-1/0/2

128:1 128:2

128:1 128:2

28672.0090690b3fe0 28672.0090690b3fe0

20000 20000

FWD FWD

DESG DESG

State

Role

FWD FWD

DESG DESG

State

Role

FWD FWD

DESG DESG

State

Role

FWD FWD

DESG DESG

Spanning tree interface parameters for VLAN 10 Interface ge-1/0/1 ge-1/0/2

Port ID 128:1 128:2


Designated bridge ID 28672.0090690b3fe0 28672.0090690b3fe0

Cost 20000 20000

Spanning tree interface parameters for VLAN 20 Interface ge-1/0/1 ge-1/0/2

show spanning-tree interface vlan-id (VSTP)

Port ID 128:1 128:2



Cost 20000 20000

user@host> show spanning-tree interface vlan-id 10 Spanning tree interface parameters for VLAN 10 Interface ge-1/0/1 ge-1/0/2


Port ID 128:1 128:2



Cost 20000 20000

2559

®


show spanning-tree interface Syntax


Options

show spanning-tree interface

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the configured or calculated interface-level spanning-tree protocol (can be either STP, RSTP, or MSTP) parameters. In brief mode, will not display interfaces that are administratively disabled or do not have a physical link. none—(Optional) Display brief STP interface information. brief | detail—(Optional) Display the specified level of output. interface-name interface-name—(Optional) Name of an interface. msti msti-id—(Optional) Display STP bridge information for the specified MSTP instance

ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a value from 1 through 4094 for an MSTI. vlan-id vlan-id—(Optional) For MSTP interfaces, display interface information for the

specified VLAN. Specify a value from 0 through 4094. Required Privilege Level Related Documentation


Output Fields

2560

view

•


•


•


•


•


•


show spanning-tree interface on page 2561 show spanning-tree interface brief on page 2562 show spanning-tree interface detail on page 2562 show spanning-tree interface ge-1/0/0 on page 2563 Table 292 on page 2561 lists the output fields for the show spanning-tree Interface command. Output fields are listed in the approximate order in which they appear.



Table 292: show spanning-tree interface Output Fields Field Name

Field Description

Interface name

Interface configured to participate in the STP, RSTP, or MSTP instance.

Port ID

Logical interface identifier configured to participate in the MSTP instance.

Designated port ID

Port ID of the designated port for the LAN segment this interface is attached to.


Bridge ID of the designated bridge for the LAN segment this interface is attached to.

Port Cost


Port State

STP port state. Forwarding (FWD), blocking (BLK), listening, learning, or disabled.

Port Role

MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate (ALT), (ROOT), or Root Prevented (Root-Prev).

Link type

MSTP or RSTP link type. Shared or point-to-point (pt-pt) and edge or non edge.

Alternate

Identifies the interface as an MSTP or RSTP alternate root port (yes) or non-alternate root port (no).

Boundary Port

Identifies the interface as an MSTP regional boundary port (yes) or non-boundary port (no).

Edge delay while expiry count

Number of times the edge delay timer expired on that interface.

Rcvd info while expiry count

Number of times the rcvd info timer expired on that interface.

Sample Output show spanning-tree interface

user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/0.0 ge-0/0/2.0 ge-0/0/4.0 ge-0/0/23.0

Port ID 128:513 128:515 128:517 128:536

Designated Designated port ID bridge ID 128:513 8192.0019e2500340 128:515 8192.0019e2500340 128:517 8192.0019e2500340 128:536 8192.0019e2500340

Port Cost 1000 1000 1000 1000

State

Role

FWD BLK FWD FWD

DESG DIS DESG DESG

Port Cost 1000 1000 1000 1000

State

Role

FWD BLK FWD FWD

DESG DIS DESG DESG

Spanning tree interface parameters for instance 1 Interface ge-0/0/0.0 ge-0/0/2.0 ge-0/0/4.0 ge-0/0/23.0


Port ID 128:513 128:515 128:517 128:536

Designated Designated port ID bridge ID 128:513 8193.0019e2500340 128:515 8193.0019e2500340 128:517 8193.0019e2500340 128:536 8193.0019e2500340

2561

®


Spanning tree interface parameters for instance 2 Interface ge-0/0/0.0 ge-0/0/2.0 ge-0/0/4.0 ge-0/0/23.0

show spanning-tree interface brief

Port ID 128:513 128:515 128:517 128:536

Designated Designated Port State Role port ID bridge ID Cost 128:1 8194.001b549fd000 1000 FWD ROOT 128:515 32770.0019e2500340 4000 BLK DIS 128:1 16386.001b54013080 1000 BLK ALT 128:536 32770.0019e2500340 1000 FWD DESG

user@switch> show spanning-tree interface brief Spanning tree interface parameters for instance 0 Interface Port ID Designated Designated port ID bridge ID Cost ge-1/0/0.0 128:625 128:625 32768.0019e25095a0 ge-1/0/1.0 128:626 128:626 32768.0019e25095a0 ge-1/0/2.0 128:627 128:627 32768.0019e25095a0 ge-1/0/10.0 128:635 128:635 32768.0019e25095a0 ge-1/0/20.0 128:645 128:645 32768.0019e25095a0 ge-1/0/30.0 128:655 128:655 32768.0019e25095a0

show spanning-tree interface detail

Port 20000 20000 20000 20000 20000 20000

State BLK BLK BLK BLK BLK BLK

Role

DIS DIS DIS DIS DIS DIS

user@switch> show spanning-tree interface detail Spanning tree interface parameters for instance 0 Interface name : ge-1/0/0.0 Port identifier : 128.625 Designated port ID : 128.625 Port cost : 20000 Port state : Blocking Designated bridge ID : 32768.00:19:e2:50:95:a0 Port role : Disabled Link type : Pt-Pt/EDGE Boundary port : NA Edge delay while expiry count : 0 Rcvd info while expiry count : 0 Interface name : ge-1/0/1.0 Port identifier : 128.626 Designated port ID : 128.626 Port cost : 20000 Port state : Blocking Designated bridge ID : 32768.00:19:e2:50:95:a0 Port role : Disabled Link type : Pt-Pt/NONEDGE Boundary port : NA Edge delay while expiry count : 0 Rvcd info while expiry count : 0 Interface name : ge-1/0/2.0 Port identifier : 128.627 Designated port ID : 128.627 Port cost : 20000 Port state : Blocking Designated bridge ID : 32768.00:19:e2:50:95:a0 Port role : Disabled Link type : Pt-Pt/NONEDGE Boundary port : NA Edge delay while expiry count : 0 Rvcd info while expiry count : 0

2562



Interface name : ge-1/0/10.0 Port identifier : 128.635 Designated port ID : 128.635 Port cost : 20000 Port state : Blocking Designated bridge ID : 32768.00:19:e2:50:95:a0 Port role : Disabled Link type : Pt-Pt/NONEDGE Boundary port : NA Edge delay while expiry count : 0 Rvcd info while expiry count : 0 Interface name : ge-1/0/20.0 Port identifier : 128.645 Designated port ID : 128.645 Port cost : 20000 Port state : Blocking Designated bridge ID : 32768.00:19:e2:50:95:a0 Port role : Disabled Link type : Pt-Pt/NONEDGE Boundary port : NA Edge delay while expiry count : 0 Rvcd info while expiry count : 0 [output truncated]

show spanning-tree interface ge-1/0/0

user@switch> show spanning-tree interface ge-1/0/0 Interface Port ID Designated Designated Port State Role port ID bridge ID Cost ge-1/0/0.0 128:625 128:625 32768.0019e25095a0 20000 BLK DIS


2563

®


show spanning-tree mstp configuration Syntax

show spanning-tree mstp configuration



Release Information

Command introduced in Junos OS Release 8.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description Options

Display the MSTP configuration. none—Display MSTP configuration information. brief | detail—(Optional) Display the specified level of output. routing-instance routing-instance-name—(Optional) Display MSTP configuration

information for the specified routing instance. Required Privilege Level List of Sample Output

Output Fields

view

show spanning-tree mstp configuration detail on page 2565 show spanning-tree mstp configuration detail (QFX Series) on page 2565 Table 293 on page 2564 lists the output fields for the show spanning-tree mstp configuration command. Output fields are listed in the approximate order in which they appear.

Table 293: show spanning-tree mstp configuration Output Fields

2564

Field Name

Field Description

Context id

Internally generated identifier.

Region name

MSTP region name carried in the MSTP BPDUs.

Revision

Revision number of the MSTP configuration.

Configuration digest

Numerical value derived from the VLAN-to-instance mapping table.

MSTI

MST instance identifier.

Member VLANs

VLAN identifiers associated with the MSTI.



Sample Output show spanning-tree mstp configuration detail

user@host> show spanning-tree mstp configuration routing-instance vs1 detail MSTP configuration information Context identifier : 1 Region name : henry Revision : 3 Configuration digest : 0x6da4b5c4fd587757eef35675365e1

MSTI Member VLANs 0 0-99,101-199,201-4094 1 100 2 200

show spanning-tree mstp configuration detail (QFX Series)

user@lf0> show spanning-tree mstp configuration routing-instance vs1 detail MSTP configuration information Context identifier : 1 Region name : henry Revision : 3 Configuration digest : 0x6da4b5c4fd587757eef35675365e1

MSTI Member VLANs 0 0-99,101-199,201-4094 1 100 2 200


2565

®


show spanning-tree mstp configuration Syntax



Command introduced in Junos OS Release 9.0 for EX Series switches. Display the MSTP configuration. none—Display MSTP configuration information. brief | detail—(Optional) Display the specified level of output.


view

show spanning-tree mstp configuration on page 2566 Table 294 on page 2566 lists the output fields for the show spanning-tree mstp configuration command. Output fields are listed in the approximate order in which they appear.

Table 294: show spanning-tree mstp configuration Output Fields Field Name

Field Description

Context identifier

Internally generated identifier.

Region name

MSTP region name carried in the MSTP BPDUs.

Revision

Revision number of the MSTP configuration.

Configuration digest

Numerical value derived from the VLAN-to-instance mapping table.

MSTI

MSTI instance identifier.

Member VLANs

Identifiers for VLANs associated with the MSTI.

Sample Output show spanning-tree mstp configuration

user@host> show spanning-tree mstp configuration MSTP configuration information Context identifier : 0 Region name : region1 Revision : 0 Configuration digest : 0xc92e7af9febb44d8df928b87f16b

MSTI Member VLANs 0 0-100,105-4094 1 101-102 2 103-104

2566



show spanning-tree statistics Syntax

show spanning-tree statistics


show spanning-tree statistics

Release Information

Command introduced in Junos OS Release 8.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for QFX Series switches.

Description Options

Display STP statistics. none—Display brief STP statistics. brief | detail—(Optional) Display the specified level of output. interface interface-name—(Optional) Display STP statistics for the specified interface. routing-instance routing-instance-name—(Optional) Display STP statistics for the specified

routing instance. Required Privilege Level List of Sample Output

Output Fields

view

show spanning-tree statistics routing-instance on page 2568 show spanning-tree statistics interface routing-instance detail on page 2568 Table 295 on page 2567 lists the output fields for the show spanning-tree statistics command. Output fields are listed in the approximate order in which they appear.

Table 295: show spanning-tree statistics Output Fields Field Name

Field Description

Message type

Type of message being counted.

BPDUs sent


BPDUs received


BPDUs sent in last 5 secs

Number of BPDUs sent in the most recent 5-second period.

BPDUs received in last 5 secs

Number of BPDUs received in the most recent 5-second period.

Interface

Interface for which the statistics are being displayed.


2567

®


Table 295: show spanning-tree statistics Output Fields (continued) Field Name

Field Description

Next BPDU transmission


Sample Output show spanning-tree statistics routing-instance

show spanning-tree statistics interface routing-instance detail

2568

user@host> show spanning-tree statistics routing-instance vs1 detail Routing instance level STP statistics Message type : bpdus BPDUs sent : 121 BPDUs received : 537 BPDUs sent in last 5 secs : 5 BPDUs received in last 5 secs : 27 user@host> show spanning-tree statistics interface ge-11/1/4 routing-instance vs1 detail Interface BPDUs sent BPDUs received Next BPDU transmission ge-11/1/4 7 190 0



show spanning-tree statistics Syntax

Release Information

Description Options

show spanning-tree statistics interface interface-name vlan vlan-id

Command introduced in Junos OS Release 9.0 for EX Series switches. Option vlan vlan-id introduced in Junos OS Release 10.1 for EX Series switches. Display STP statistics on an interface, or for a VLAN when VSTP is enabled. none—Display brief STP statistics. brief | detail—(Optional) Display the specified level of output. interface interface-name—(Optional) The name of the interface. vlan vlan-id—(Optional) The name of a VLAN.



view

•


•


•


•


•


•


show spanning-tree statistics interface on page 2570 Table 296 on page 2569 lists the output fields for the show spanning-tree statistics command. Output fields are listed in the approximate order in which they appear.

Table 296: show spanning-tree statistics Output Fields Field Name

Field Description

BPDUs sent


BPDUs received


Interface

Interface for which the statistics are being displayed.

Next BPDU transmission



2569

®


Sample Output show spanning-tree statistics interface

2570

user@switch> show spanning-tree statistics interface ge-0/0/4 Interface BPDUs sent BPDUs received Next BPDU transmission ge-0/0/4 7 190 0


PART 16

Layer 3 Protocols •

Layer 3 Protocols—Overview on page 2573

•

Configuring Layer 3 Protocols on page 2581

•

Verifying Layer 3 Protocols Configuration on page 2605

•

Configuration Statements for Layer 3 Protocols on page 2615

•

Operational Commands for Layer 3 Protocols on page 2935


2571

®


2572


CHAPTER 76

Layer 3 Protocols—Overview •


•


•

Understanding Distributed Periodic Packet Management on EX Series Switches on page 2576

•

Understanding IPsec Authentication for OSPF Packets on EX Series Switches on page 2577

Layer 3 Protocols Supported on EX Series Switches EX Series switches support the Junos OS Layer 3 features and configuration statements listed in Table 22 on page 28:

Table 297: Supported Junos OS Layer 3 Protocol Statements and Features Protocol

Notes


BGP

Fully supported.


BFD

Fully supported.


ICMP

Fully supported.


IGMPv1, v2, and v3

Fully supported.


IS-IS



MLD

Fully supported (MLD versions 1 and 2).


MPLS



OSPFv1, v2 and v3




2573

®


Table 297: Supported Junos OS Layer 3 Protocol Statements and Features (continued) Protocol

Notes


PIM

Fully supported on EX3200, EX3300, EX4200, EX6200, and EX8200 switches.


PPM

Supported. See “EX Series Switch Software Features Overview” on page 3 for specific platform information.


RIP

Fully supported.


RIPng

Fully supported.


SNMP

Fully supported.


VRRP

Fully supported.

See “Understanding VRRP on EX Series Switches” on page 1663. See also Junos OS High Availability Guide.


•


•


Layer 3 Protocols Not Supported on EX Series Switches EX Series switches do not support the Junos OS Layer 3 protocols and features listed in Table 23 on page 29:

Table 298: Junos OS Layer 3 Protocol Statements and Features That Are Not Supported Feature


DVMRP

•

dvmrp and subordinate statements

Flow aggregation (cflowd)

•

cflow and subordinate statements

IPsec

•

[edit services] statements related to IPsec

IS-IS:

•

clns-routing statement

•

ipv6-multicast statement

•

lsp-interval statement

•

label-switched-path statement

•

lsp-lifetime statement

•

te-metric statement

•

logical-routers and subordinate statements

•

ES-IS

•

IPv6 in multicast routing protocols

Logical routers

2574


Chapter 76: Layer 3 Protocols—Overview



MPLS:

•

ldp and all subordinate statements (except on EX8200 switches)

Network Address Translation (NAT)

•

nat and subordinate statements

•

Policy statements related to NAT

OSPF

•

demand-circuit statement

•

label-switched-path and subordinate statements

•

neighbor statement within an OSPF area

•

peer-interface and subordinate statements within an OSPF area

•

sham-link statement

•

te-metric statement

PIM SM

•


PIM SSM

•


PIM DM

•

Not supported on EX2200 or EX4500 switches

PIM:

•

inet6 family (EX2200 and EX4500 switches)

PPM

•

Not supported on EX2200 and EX3300 switches

Routing instances:

•

l2vpn and subordinate statements (except on EX8200 switches)

•

ldp and subordinate statements (except on EX8200 switches)

•

vpls and subordinate statements

•

family mpls statement

•

Fast Reroute (FRR)

•

Label Distribution Protocol (LDP) (except on EX8200 switches)

•

Layer 3 VPNs (except on EX8200 switches)

•

Multiprotocol BGP (MP-BGP) for VPN-IPv4 family

•

Pseudowire emulation (PWE3)

•

Routing policy statements related to Layer 3 VPNs and MPLS (except on EX8200 switches)

•

Virtual Private LAN Service (VPLS)

•

•

IPv6

Routing instance forwarding



2575

®




SAP and SDP

•

sap and all subordinate statements

General routing options in the routing-options hierarchy:

•

auto-export and subordinate statements

•

dynamic-tunnels and subordinate statements

•

•

lsp-next-hop and subordinate statements

•

multicast and subordinate statements

•

p2mp-lsp-next-hop and subordinate statements

•

route-distinguisher-id statement (except on EX8200 switches)

•

accounting and subordinate statements

•

family mpls and family multiservice under hash-key hierarchy

•

Under monitoring group-name family inet output hierarchy:

MPLS and label-switched-paths

Traffic sampling and fowarding in the forwarding-options hierarchy


•

cflowd statement

•

export-format-cflowd-version-5 statement

•

flow-active-timeout statement

•

flow-export-destination statement

•

flow-inactive-timeout statement

•

interface statement

•

port-mirroring statement (On EX Series switches, port mirroring is implemented using the analyzer statement.)

•

sampling and subordinate statements

•


•


Understanding Distributed Periodic Packet Management on EX Series Switches Periodic packet management (PPM) is responsible for processing a variety of time-sensitive periodic tasks for particular processes so that other processes on the Juniper Networks EX Series Ethernet Switch can more optimally direct their resources. PPM is responsible for the periodic transmission of packets on behalf of its various client processes, which include the processes that control the Link Aggregation Control Protocol (LACP) and Bidirectional Forwarding Detection (BFD) protocols, and also for receiving packets on behalf of these client processes. PPM also gathers some statistics and sends process-specific packets. PPM cannot be disabled and is always running on any operational switch. The responsibility for PPM processing on the switch is distributed between the Routing Engine and either the access interfaces (on EX3200, EX4200, and EX4500 switches) or the line cards (on EX6200 and EX8200 switches) for all protocols that use PPM by default. This distributed model provides a faster response time for protocols that use PPM than the response time provided by the nondistributed model. If distributed PPM is disabled, the PPM process runs on the Routing Engine only.

2576



You can disable distributed PPM for all protocols that use PPM. You can also disable distributed PPM for LACP packets only.

BEST PRACTICE: We recommend that, generally, you disable distributed PPM only if Juniper Networks Customer Service advises you to do so. You should disable distributed PPM only if you have a compelling reason to disable it.


•

Configuring Distributed Periodic Packet Management on an EX Series Switch (CLI Procedure) on page 2601

Understanding IPsec Authentication for OSPF Packets on EX Series Switches IP Security (IPsec) provides a secure way to authenticate senders and encrypt IP version 4 (IPv4) traffic between network devices. IPsec offers network administrators for Juniper Networks EX Series Ethernet Switches and their users the benefits of data confidentiality, data integrity, sender authentication, and anti-replay services. IPsec is a framework for ensuring secure private communication over IP networks and is based on standards developed by the International Engineering Task Force (IETF). IPsec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select required security protocols, determine the algorithms to use for the security services, and implement any cryptographic keys required to provide the requested services. You can use IPsec to protect one or more paths between a pair of hosts, between a pair of security gateways (such as switches), or between a security gateway and a host. OSPF version 3 (OSPFv3), unlike OSPF version 2 (OSPFv2), does not have a built-in authentication method and relies on IPsec to provide this functionality. You can secure specific OSPFv3 interfaces and protect OSPFv3 virtual links. •

Authentication Algorithms on page 2577

•

Encryption Algorithms on page 2578

•

IPsec Protocols on page 2578

•

Security Associations on page 2579

•

IPsec Modes on page 2579

Authentication Algorithms Authentication is the process of verifying the identity of the sender. Authentication algorithms use a shared key to verify the authenticity of the IPsec devices. The Juniper Networks Junos operating system (Junos OS) uses the following authentication algorithms: •

Message Digest 5 (MD5) uses a one-way hash function to convert a message of arbitrary length to a fixed-length message digest of 128 bits. Because of the conversion process, it is mathematically infeasible to calculate the original message by computing it


2577

®


backwards from the resulting message digest. Likewise, a change to a single character in the message will cause it to generate a very different message digest number. To verify that the message has not been tampered with, Junos OS compares the calculated message digest against a message digest that is decrypted with a shared key. Junos OS uses the MD5 hashed message authentication code (HMAC) variant that provides an additional level of hashing. MD5 can be used with an authentication header (AH) and Encapsulating Security Payload (ESP). •

Secure Hash Algorithm 1 (SHA-1) uses a stronger algorithm than MD5. SHA-1 takes a message of less than 264 bits in length and produces a 160-bit message digest. The large message digest ensures that the data has not been changed and that it originates from the correct source. Junos OS uses the SHA-1 HMAC variant that provides an additional level of hashing. SHA-1 can be used with AH, ESP, and Internet Key Exchange (IKE).

Encryption Algorithms Encryption encodes data into a secure format so that it cannot be deciphered by unauthorized users. As with authentication algorithms, a shared key is used with encryption algorithms to verify the authenticity of IPsec devices. Junos OS uses the following encryption algorithms: •

Data Encryption Standard cipher-block chaining (DES-CBC) is a symmetric secret-key block algorithm. DES uses a key size of 64 bits, where 8 bits are used for error detection and the remaining 56 bits provide encryption. DES performs a series of simple logical operations on the shared key, including permutations and substitutions. CBC takes the first block of 64 bits of output from DES, combines this block with the second block, feeds this back into the DES algorithm, and repeats this process for all subsequent blocks.

•

Triple DES-CBC (3DES-CBC) is an encryption algorithm that is similar to DES-CBC but provides a much stronger encryption result because it uses three keys for 168-bit (3 x 56-bit) encryption. 3DES works by using the first key to encrypt the blocks, the second key to decrypt the blocks, and the third key to reencrypt the blocks.

IPsec Protocols IPsec protocols determine the type of authentication and encryption applied to packets that are secured by the switch. Junos OS supports the following IPsec protocols:

2578

•

AH—Defined in RFC 2402, AH provides connectionless integrity and data origin authentication for IPv4. It also provides protection against replays. AH authenticates as much of the IP header as possible, as well as the upper-level protocol data. However, some IP header fields might change in transit. Because the value of these fields might not be predictable by the sender, they cannot be protected by AH. In an IP header, AH can be identified with a value of 51 in the Protocol field of an IPv4 packet.

•

ESP—Defined in RFC 2406, ESP can provide encryption and limited traffic flow confidentiality or connectionless integrity, data origin authentication, and an anti-replay service. In an IP header, ESP can be identified with a value of 50 in the Protocol field of an IPv4 packet.



Security Associations An IPsec consideration is the type of security association (SA) that you wish to implement. An SA is a set of IPsec specifications that are negotiated between devices that are establishing an IPsec relationship. These specifications include preferences for the type of authentication, encryption, and IPsec protocol to be used when establishing the IPsec connection. An SA can be either unidirectional or bidirectional, depending on the choices made by the network administrator. An SA is uniquely identified by a Security Parameter Index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP) identifier.

IPsec Modes Junos OS supports the following IPsec modes: •

Tunnel mode is supported for both AH and ESP in Junos OS. In tunnel mode, the SA and associated protocols are applied to tunneled IPv4 or IPv6 packets. For a tunnel mode SA, an outer IP header specifies the IPsec processing destination and an inner IP header specifies the ultimate destination for the packet. The security protocol header appears after the outer IP header and before the inner IP header. In addition, there are slight differences for tunnel mode when you implement it with AH and ESP: •

For AH, portions of the outer IP header are protected, as well as the entire tunneled IP packet.

•

For ESP, only the tunneled packet is protected, not the outer header.

When one side of an SA is a security gateway (such as a switch), the SA must use tunnel mode. However, when traffic (for example, SNMP commands or BGP sessions) is destined for a switch, the system acts as a host. Transport mode is allowed in this case because the system does not act as a security gateway and does not send or receive transit traffic.

NOTE: Tunnel mode is not supported for OSPF v3 control packet authentication.

•


Transport mode provides an SA between two hosts. In transport mode, the protocols provide protection primarily for upper-layer protocols. A transport mode security protocol header appears immediately after the IP header and any options and before any higher-layer protocols (for example, TCP or UDP). There are slight differences for transport mode when you implement it with AH and ESP: •

For AH, selected portions of the IP header are protected, as well as selected portions of the extension headers and selected options within the IPv4 header.

•

For ESP, only the higher-layer protocols are protected, not the IP header or any extension headers preceding the ESP header.

•

Using IPsec to Secure OSPFv3 Networks (CLI Procedure) on page 2602

•

Configuring an OSPF Network (J-Web Procedure) on page 2585


2579

®


2580


CHAPTER 77

Configuring Layer 3 Protocols •

Configuring BGP Sessions (J-Web Procedure) on page 2581

•


•

Configuring a RIP Network (J-Web Procedure) on page 2589

•

Configuring Static Routing (CLI Procedure) on page 2594

•

Configuring Static Routing (J-Web Procedure) on page 2594

•

Configuring Routing Policies (J-Web Procedure) on page 2596

•


•

Using IPsec to Secure OSPFv3 Networks (CLI Procedure) on page 2602

Configuring BGP Sessions (J-Web Procedure) You can use the J-Web interface to create BGP peering sessions on a routing device.

NOTE: To configure BGP sessions, you must have a license for BGP installed on the EX Series switch.

To configure a BGP peering session: 1.

Select Configure > Routing > BGP.



2581

®


2. Click one: •

Add—Adds a BGP group. Enter information into the configuration page as described in Table 299 on page 2582.

•

Edit—Modifies an existing BGP group. Enter information into the configuration page as described in Table 299 on page 2582.

•

Delete—Deletes an existing BGP group.

•

Disable—Disables BGP configuration.

3. To modify BGP global settings, click Edit in the Global Information section. Enter

information as described in Table 300 on page 2584.

Table 299: BGP Routing Configuration Summary Field

Function

Your Action

Group Type

Specifies whether the group is an internal BGP (IBGP) group or an external BGP (EBGP) group.

Select the option: Internal or External.

Group Name

Specifies the name for the group.

Type a new name or select and edit the name.

ASN

Sets the unique numeric identifier of the AS in which the routing device is configured.

Type the routing device’s 32-bit AS number, in dotted decimal notation.

General tab

If you enter an integer, the value is converted to a 32-bit equivalent. For example, if you enter 3, the value assigned to the AS is 0.0.0.3. Preference

Specifies the degree of preference for an external route. The route with the highest local preference value is preferred.

Type or select and edit the value.

Cluster Id

Specifies the cluster identifier to be used by the route reflector cluster in an internal BGP group.

Type or select and edit the IPv6 or IPv4 address to be used as the identifier.

Description

Specifies the text description of the global, group, or neighbor configuration.

Type or select and edit the description.

Damping

Specifies whether route flap damping is enabled or not.

To enable route flap damping, select the check box. To disable route flap damping do not select the check box.

Advertise Inactive Routes

2582

Specifies whether BGP advertises the best route even if the routing table did not select it to be an active route.

To enable advertising inactive routes, select the check box. To disable advertising inactive routes, do not select the check box.


Chapter 77: Configuring Layer 3 Protocols

Table 299: BGP Routing Configuration Summary (continued) Field

Function

Your Action

Advertise Peer AS Routes

Specifies whether to disable the default behavior of suppressing AS routes.

To enable advertising peer AS routes, select the check box. To disable advertising peer AS routes, do not select the check box.

Neighbors tab Dynamic Neighbors

Configures a neighbor (peer).

Type the IPv4 address of the peer.

Static Neighbors

Configures the system’s peers statically.

To configure a static neighbor: 1.

Specify the IP address.

2. Specify the address of the local end of a BGP session. 3. Specify the degree of preference for an external route. 4. Enter a description. 5. Specify the hold-time value to use when negotiating a connection with the peer. 6. Specify how long a route must be present in the routing table before it is exported to BGP. Use this time delay to help bundle routing updates. 7. Select Passive if you do not want to send active open messages to the peer. 8. Select the option to compare the AS path of an incoming advertised route with the AS number of the BGP peer under the group and replace all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer. 9. Specify an import policy and export policy. 10. Click OK.

Policies tab Import Policy

Specifies one or more routing policies to routes being imported into the routing table from BGP.

Click Add to add an import policy. Select the policy and click OK. Click Move up or Move down to move the selected policy up or down the list of policies. Select the policy and click Remove.

Export Policy

Specifies one or more policies to routes being exported from the routing table into BGP.

Click Add to add an export policy. Select the policy and click OK. Click Move up or Move down to move the selected policy up or down the list of policies. Select the policy and click Remove.


2583

®


Table 300: BGP Global Settings Field

Function

Your Action

Router ASN

Specifies the routing device’s AS number.


Router Identifier

Specify the routing device’s IP address.

Type or select and edit the IP address.

BGP Status

Enables or disables BGP.

•

To enable BGP, select Enabled.

•

To disable BGP, select Disabled.

General tab

Description

Describes of the global, group, or neighbor configuration.

Type or select and edit the description.

Confederation Number

Specifies the routing device’s confederation AS number.


Confederation Members

Specifies the AS numbers for the confederation members.

To add a member AS number, click Add and enter the number in the Member ASN box. Click OK. To modify a confederation member’s AS number, select the member click Edit and, enter the number and click OK. To delete a confederation member, select the member and click Remove.

Advance Options

You can configure the following:

Select All or None to configure Keep Routes.

•

Enter a value in the TCP MSS box.

Keep routes—Specifies whether routes learned from a BGP peer must be retained in the routing table even if they contain an AS number that was exported from the local AS.

Click to enable MTU Discovery. Click to enable Remove Private ASN.

•

TCP MSS—Configures the maximum segment size (MSS) for the TCP connection for BGP neighbors.

•

MTU Discovery—Select to configure MTU discovery.

•

Remove Private ASN—Select to have the local system strip private AS numbers from the AS path when advertising AS paths to remote systems.

To configure Multihop, select Nexthop Change to allow unconnected third-party next hops. Enter a TTL value.

•

Graceful Restart—Specifies the time period when the restart is expected to be complete. Specify the maximum time that stale routes are kept during restart.

Select the authentication algorithm. If you select None, specify an authentication key (password).

•

Multihop—Configures the maximum time-to-live (TTL) value for the TTL in the IP header of BGP packets.

•

Authentication Type—Select the authentication algorithm: None, MD5, SHA1, AES.

Enter the time period for a graceful restart and the maximum time that stale routes must be kept.

Policies tab

2584



Table 300: BGP Global Settings (continued) Field

Function

Your Action

Import Policy

Specifies one or more routing policies to routes being imported into the routing table from BGP.

Click Add to add an import policy. Click Move up or Move down to move the selected policy up or down the list of policies. Click Remove to remove an import policy.

Export Policy

Specifies one or more policies to routes being exported from the routing table into BGP.

Click Add to add an export policy. Click Move up or Move down to move the selected policy up or down the list of policies. Click Remove to remove an export policy.

Trace Options tab File Name

Specifies the name of the file to receive the output of the tracing operation.

Type or select and edit the name.

Number of Files

Specifies the maximum number of trace files.


File Size

Specifies the maximum size for each trace file.


World Readable

Specifies whether the trace file can be read by any user or not.

Select True to allow any user to read the file. Select False to disallow all users being able to read the file.

Flags

Specifies the tracing operation to perform.



•

Monitoring BGP Routing Information on page 2605

•


Configuring an OSPF Network (J-Web Procedure) You can use the J-Web interface to create multiarea OSPF networks on an EX Series switch. To configure a multiarea OSPF network:


2585

®


1.

Select Configure > Routing > OSPF.


2. Click one: •

Add—Adds an OSPF area. Enter information into the configuration page as described in Table 301 on page 2586.

•

Edit—Modifies an existing OSPF area. Enter information into the configuration page as described in Table 301 on page 2586.

•

Delete—Deletes an existing OSPF area.

3. To modify OSPF global settings, click Edit. Enter information as described in Table

302 on page 2588. 4. To disable OSPF, click Disable.

Table 301: OSPF Routing Configuration Summary Field

Function

Your Action

Uniquely identifies the area within its AS.

Type a 32-bit numeric identifier for the area. Type an integer or select and edit the value.

General tab Area Id

If you enter an integer, the value is converted to a 32-bit equivalent. For example, if you enter 3, the value assigned to the area is 0.0.0.3. Area Ranges

Specifies a range of IP addresses for an area when sending summary link advertisements (within an area).

To add a range: 1.

Click Add.

2. Type the area range. 3. Specify the subnet mask. 4. To override the metric for the IP address range, type a specific metric value. 5. If you do not want to display the routes that are contained within a summary, select Restrict advertisements of this area range. 6. If you want a summary of a route to be advertised only when an exact match is made with the configured summary range, select Enforce exact match for advertisement of this area range. 7. Click OK. To modify an existing area range, select the area range, click Edit, and edit the value. Click OK. To delete an area range, select the area range and click Delete.

2586



Table 301: OSPF Routing Configuration Summary (continued) Field

Function

Your Action

Area Type

Designates the type of OSPF area.

Select the type of OSPF area you are creating from the list. If you select stub:

•

regular—A regular

OSPF area, including the backbone area •

stub—A stub area

•

nssa—A not-so-stubby

1.

Enter the default metric.

2. To flood summary LSAs into the stub area, select the check box. If you select nssa:

area (NSSA) 1.

Specify the metric type.

2. Enter the default metric. 3. To flood summary LSAs into the nssa area, select the check box. 4. To flood Type-7 LSAs into the nssa area, select the check box.

Interfaces tab Interfaces

Specifies the interfaces to be associated with the OSPF configuration

To associate an interface with the configuration, select the interface from the list, select Associate and click OK. To edit an interface’s configuration: 1.

Select the interface from the list and click Edit.

2. Specify the cost of an OSPF interface. 3. Specify the traffic engineering metric. 4. Specify how often the routing device sends hello packets from the interface. 5. Specify how long the routing device waits to receive a link-state acknowledgment packet before retransmitting link-state advertisements to an interface’s neighbors. 6. To enable OSPF on the interface, select the check box. 7. To inform other protocols about neighbor down events, select the check box. 8. To treat the interface as a secondary interface, select the check box. 9. To only advertise OSPF, select the check box. 10. Click OK.


Specifies one or more policies to control which routes learned from an area are used to generate summary link-state advertisements (LSAs) into other areas.



2587

®


Table 301: OSPF Routing Configuration Summary (continued) Field

Function

Your Action

Export Policy

Specifies one or more policies to control which summary LSAs are flooded into an area.


Table 302: Edit OSPF Global Settings Field

Function

Your Action

Router Id

Specifies the ID for the routing device.


RIB Group

Installs the routes learned from OSPF routing instances into routing tables in the OSPF routing table group.

Select a value.

Internal Route Preference

Specifies the route preference for internal groups.


External Route Preference

Specifies the route preference for external groups.


Graceful Restart

Configures graceful restart for OSPF.

To configure graceful restart:

General tab

1.

Specify the estimated time to send out purged grace LSAs over all the interfaces.

2. Specified the estimated time to reacquire a full OSPF neighbor from each area. 3. To disable No Strict LSA Checking, select the check box. 4. To disable graceful restart helper capability, select the check box. Helper mode is enabled by default. 5. Click OK. SPF Options

Configure options for running the shortest-path-first (SPF) algorithm. You can configure a delay for when to run the SPF algorithm after a network topology change is detected, the maximum number of times the SPF algorithm can run in succession, and a hold-down interval after the SPF algorithm runs the maximum number of times.

To configure SPF: 1.

Specify the time interval between the detection of a topology change and when the SPF algorithm runs.

2. Specify the time interval to hold down, or wait before a subsequent SPF algorithm runs after the SPF algorithm has run the configured maximum number of times in succession. 3. Specify the maximum number of times the SPF algorithm can run in succession. After the maximum is reached, the hold-down interval begins.

Policies tab

2588



Table 302: Edit OSPF Global Settings (continued) Field

Function

Your Action

Import Policy

Specifies one or more policies to control which routes learned from an area are used to generate summary link-state advertisements (LSAs) into other areas.


Export Policy

Specifies one or more policies to control which summary LSAs are flooded into an area.





Number of Files



File Size



World Readable



Flags




•

Monitoring OSPF Routing Information on page 2607

•


Configuring a RIP Network (J-Web Procedure) You can use the J-Web interface to create RIP networks. To configure a RIP network:


2589

®


1.

Select Configure > Routing > RIP.


2. Click one: •

Add—Configures a RIP instance. Enter information into the RIP Configuration page

as described in Table 303 on page 2590. •

Edit—Modifies an existing RIP instance. Enter information into the configuration

page for RIP as described in Table 303 on page 2590. •

Delete—Deletes an existing RIP instance.

4. To modify RIP global settings, click Edit. Enter information in the configuration as

described in Table 304 on page 2591.

Table 303: RIP Routing Configuration Summary Field

Function

Your Action

Routing instance name

Specifies a name for the routing instance.


Preference

Specifies the preference of external routes learned by RIP as compared to those learned from other routing protocols.


Metric Out

Specifies the metric value to add to routes transmitted to the neighbor.


Update interval

Specifies an update time interval to periodically send out routes learned by RIP to neighbors.


Route timeout

Specifies the route timeout interval for RIP.


Applies one or more policies to routes being imported into the local routing device from the neighbors.

Click Add to add an import policy.

General tab


Click Move up or Move down to move the selected policy up or down the list of policies. Click Remove to remove an import policy.

2590



Table 303: RIP Routing Configuration Summary (continued) Field

Function

Your Action

Export Policy

Applies a policy to routes being exported to the neighbors.


Neighbors tab RIP-Enabled Interfaces

Selects the interfaces to be associated with the RIP instance.

To enable RIP on an interface, click the check box next to the interface name. Click Edit if you want to modify an interface’s settings.

Table 304: Edit RIP Global Settings Field

Function

Your Action

Send

Specifies RIP send options.

Select a value.

Receive

Configure RIP receive options.

Select a value.

Route timeout (sec)

Specifies the route timeout interval for RIP.

Type a value.

Update interval (sec)

Specifies the update time interval to periodically send out routes learned by RIP to neighbors.


Hold timeout (sec)

Specifies the time period the expired route is retained in the routing table before being removed.


Metric in

Specifies the metric to add to incoming routes when advertising into RIP routes that were learned from other protocols.


RIB Group

Specifies a routing table group to install RIP routes into multiple routing tables.

Select and edit the name of the routing table group.

Message size

Specifies the number of route entries to be included in every RIP update message.


General tab


2591

®


Table 304: Edit RIP Global Settings (continued) Field

Function

Your Action

Check Zero

Specifies whether the reserved fields in a RIP packet are zero. Options are:

Select a value.

•

check-zero—Discard version 1 packets that have nonzero

values in the reserved fields and version 2 packets that have nonzero values in the fields that must be zero. This default behavior implements the RIP version 1 and version 2 specifications. •

no-check-zero—Receive RIP version 1 packets with

nonzero values in the reserved fields or RIP version 2 packets with nonzero values in the fields that must be zero. This is in spite of the fact that they are being sent in violation of the specifications in RFC 1058 and RFC 2453. Graceful switchover

Configures graceful switchover for OSPF.

To disable graceful restart, select Disable. Type or select and edit the estimated time for the restart to finish, in seconds.

Authentication Type

Specifies the type of authentication for RIP route queries received on an interface. Options are:

Select the authentication type. Enter the authentication key for MD5.

•

None

•

MD5

•

Simple


Applies one or more policies to routes being imported into the local routing device from the neighbors.


Export Policy

Applies a policy to routes being exported to the neighbors.





Number of Files



File Size



2592



Table 304: Edit RIP Global Settings (continued) Field

Function

Your Action

World Readable



Flags




•

Monitoring RIP Routing Information on page 2610

•



2593

®


Configuring Static Routing (CLI Procedure) Static routes are routes that are manually configured and entered into the routing table. Dynamic routes, in contrast, are learned by the EX Series switch and added to the routing table using a protocol such as OSPF or RIP. The switch uses static routes: •

When the switch does not have a route to a destination that has a better (lower) preference value. The preference is an arbitrary value in the range from 0 through 255 that the software uses to rank routes received from different protocols, interfaces, or remote systems. The routing protocol process generally determines the active route by selecting the route with the lowest preference value. In the given range, 0 is the lowest and 255 is the highest.

•

When the switch cannot determine the route to a destination.

•

When the switch is forwarding unroutable packets.

To configure basic static route options using the CLI: •

To configure the switch's default gateway: [edit] user@switch# set routing–options static route 0.0.0.0/0 next-hop 10.0.1.1

•

To configure a static route and specify the next address to be used when routing traffic to the static route: [edit] user@switch# set routing-options static route 20.0.0.0/24 next-hop 10.0.0.2.1

•

To always keep the static route in the forwarding table: [edit] user@switch# set routing-options static route 20.0.0.0/24 retain

•

To prevent the static route from being readvertised: [edit] user@switch# set routing-options static route 20.0.0.0/24 no-readvertise

•

To remove inactive routes from the forwarding table: [edit] user@switch# set routing-options static route 20.0.0.0/24 active


•


•

Monitoring Routing Information on page 2611

Configuring Static Routing (J-Web Procedure) You can use the J-Web interface to configure static routes for EX Series switches. To configure static routes:

2594



1.

Select Configure > Routing > Static Routing. The Static Routing page displays details of the configured routes.


2. Click one: •

Add—To configure a route. Enter information into the routing page as described in Table 305 on page 2595.

•

Edit—To modify an existing route. Enter information into the routing page as described in Table 305 on page 2595.

•

Delete—To delete an existing route.

Table 305: Static Routing Configuration Summary Field

Function

Your Action

Specifies the default gateway for the switch.

To specify an IPv4 address:

Default Route Default Route

1. NOTE: IPv6 is not supported on EX2200 and EX4500 switches.

Select IPv4.

2. Type an IP address—for example, 10.10.10.10. 3. Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. To specify an IPv6 address: 1.

Select IPv6.

2. Type an IP address— for example, 2001:ab8:85a3::8a2e:370:7334.

3. Enter the subnet mask or address prefix.

Static Routes


2595

®


Table 305: Static Routing Configuration Summary (continued) Field

Function

Your Action

Nexthop

Specifies the next-hop address or addresses to be used when routing traffic to the static route.

To add an address: 1.

Click Add.

2. In the IP address dialog, enter the IP address. NOTE: If a route has multiple next-hop addresses, traffic is routed across each address in round-robin fashion. 3. Click OK. To delete a next-hop address, select it from the list and click Delete.


•


•


•


Configuring Routing Policies (J-Web Procedure) All routing protocols use the Junos OS routing table to store the routes that they learn and to determine which routes are advertised in the protocol packets. Routing policy allows you to control which routes the routing protocols store in and retrieve from the routing table on the routing device. To configure routing policies for an EX Series switch using the J-Web interface: 1.

Select Configure > Routing > Policies.


2. Click one:

2596

•

Global Options—Configures global options for policies. Enter information into the configuration page as described in Table 306 on page 2597.

•

Add—Configures a new policy. Select New and specify a policy name. To add terms, enter information into the configuration page as described in Table 307 on page 2597. Select Clone to create a copy of an existing policy.

•

Edit—Edits an existing policy. To modify an existing term, enter information into the configuration page as described in Table 307 on page 2597.



•

Term Up—Moves a term up in the list.

•

Term Down—Moves a term down in the list.

•

Delete—Deletes the selected policy.

•

Test Policy—Tests the policy. Use this option to check whether the policy produces the results that you expect.

Table 306: Policies Global Configuration Parameters Field

Function

Your Action

Prefix List

Specifies a list of IPv4 address prefixes for use in a routing policy statement.

To add a prefix list: 1.

Click Add.

2. Enter a name for the prefix list. 3. To add an IP address, click Add. 4. Enter the IP address and the subnet mask and click OK. 5. Click OK. To edit a prefix list, click Edit. Edit the settings and click OK. To delete a prefix list, select it and click Delete. BGP Community

Specifies a BGP community.

To add a BGP community: 1.

Click Add.

2. Enter a name for the community. 3. To add a community, click Add. 4. Enter the community ID and click OK. 5. Click OK. To edit a BGP community, click Edit. Edit the settings and click OK. To delete a BGP community, select it and click Delete. AS Path

Specifies an AS path. This is applicable to BGP only.

To add an AS path: 1.

Click Add.

2. Enter the AS path name. 3. Enter the regular expression and click OK. 4. Click OK. To edit an AS path, click Edit. Edit the settings and click OK. To delete an AS path, select it and click Delete.

Table 307: Terms Configuration Parameters Field

Function

Your Action

Term Name

Specifies a term name.



2597

®


Table 307: Terms Configuration Parameters (continued) Field

Function

Your Action

Family

Specifies an address family protocol.


Routing Instance

Specifies a routing instance.


RIB

Specifies the name of a routing table.

Select a value from the list

Preference

Specifies the individual preference value for the route.


Metric

Specifies a metric value. You can specify up to four metric values.


Interface

Specifies a name or IP address of one or more routing device interfaces. Do not use this qualifier with protocols that are not interface-specific, such as internal BGP (IBGP).

To add an interface, select Add > Interface. Select the interface from the list.

Source tab

To add an address, select Add > Address. Select the address from the list. To remove an interface, select it and click Remove. Prefix List

Specifies a named list of IP addresses. You can specify an exact match with incoming routes.

Click Add. Select the prefix list from the list and click OK. To remove a prefix list, select it and click Remove.

Protocol

Specifies the name of the protocol from which the route was learned or to which the route is being advertised.

Click Add and select the protocol from the list. To remove a protocol, select it and click Remove.

Policy

Specifies the name of a policy to evaluate as a subroutine.

Click Add. Select the policy from the list. To remove a policy, select it and click Remove.

More

Specifies advanced configuration options for policies.

Click More for advanced configuration.

OSPF Area ID

Specifies the area identifier.

Type the IP address.

BGP Origin

Specifies the origin of the AS path information.


Local Preference

Specifies the BGP local preference.

Type a value.

Route

Specifies the type of route.

Select External. Select the OSPF type from the list.

2598




Function

Your Action

AS Path

Specifies the name of an AS path regular expression.

Click Add. Select the AS path from the list.

Community

Specifies the name of one or more communities.

Click Add. Select the community from the list.

Family



Routing Instance



RIB



Preference


Type a value.

Metric

Specifies a metric value.

Type a value.

Interface



Destination tab

To add an address, select Add > Address. Select the address from the list. To delete an interface, select it and click Remove. Protocol


Click Add and select the protocol from the list. To delete a protocol, select it and click Remove.

Action tab Action

Specifies the action to take if the conditions match.


Default Action

Specifies that any action that is intrinsic to the protocol is overridden. This action is also nonterminating, so that various policy terms can be evaluated before the policy is terminated.


Next

Specifies the default control action if a match occurs, and there are no further terms in the current routing policy.


Priority

Specifies a priority for prefixes included in an OSPF import policy. Prefixes learned through OSPF are installed in the routing table based on the priority assigned to the prefixes.


BGP Origin

Specifies the BGP origin attribute.



2599

®



Function

Your Action

AS Path Prepend

Affixes an AS number at the beginning of the AS path. The AS numbers are added after the local AS number has been added to the path. This action adds an AS number to AS sequences only, not to AS sets. If the existing AS path begins with a confederation sequence or set, the affixed AS number is placed within a confederation sequence. Otherwise, the affixed AS number is placed with a nonconfederation sequence.

Enter a value.

AS Path Expand

Extracts the last AS number in the existing AS path and affixes that AS number to the beginning of the AS path n times, where n is a number from 1 through 32. The AS number is added before the local AS number has been added to the path. This action adds AS numbers to AS sequences only, not to AS sets. If the existing AS path begins with a confederation sequence or set, the affixed AS numbers are placed within a confederation sequence. Otherwise, the affixed AS numbers are placed within a nonconfederation sequence. This option is typically used in non-IBGP export policies.

Select the type and type a value.

Load Balance Per Packet

Specifies that all next-hop addresses in the forwarding table must be installed and have the forwarding table perform per-packet load balancing. This policy action allows you to optimize VPLS traffic flows across multiple paths.

Select the check box to enable the option.

Tag

Specifies the tag value. The tag action sets the 32-bit tag field in OSPF external link-state advertisement (LSA) packets.

Select the action and type a value.

Metric

Changes the metric (MED) value by the specified negative or positive offset. This action is useful only in an external BGP (EBGP) export policy.


Route

Specifies whether the route is external.

Select the External check box to enable the option, and select the OSPF type.

Preference

Specifies the preference value.

Select the preference action and type a value.

Local Preference

Specifies the BGP local preference attribute.


Class of Service

Specifies and applies the class-of-service parameters to routes installed into the routing table.

Type the source class. Type the destination class.

•

Source class The value entered here maintains the packet counts for a route passing through your network, based on the source address.

•

Type the forwarding class.

Destination class The value entered here maintains packet counts for a route passing through your network, based on the destination address in the packet.

•

2600

Forwarding class




•


•


•


•


•


Configuring Distributed Periodic Packet Management on an EX Series Switch (CLI Procedure) Periodic packet management (PPM) is responsible for processing a variety of time-sensitive periodic tasks so that other processes on the EX Series switch can more optimally direct their resources. The responsibility for PPM processing on the switch is distributed between the Routing Engine and either the access interfaces (on EX3200, EX4200, and EX4500 switches) or the line cards (on EX6200 and EX8200 switches) for all protocols that use PPM by default. This distributed model provides a faster response time for protocols that use PPM than the response time provided by the nondistributed model. If distributed PPM is disabled, the PPM process runs on the Routing Engine only. You can disable distributed PPM for all protocols that use PPM. You can also disable distributed PPM for LACP packets only.

BEST PRACTICE: We recommend that, generally, you disable distributed PPM only if Juniper Networks Customer Service advises you to do so. You should disable distributed PPM only if you have a compelling reason to disable it.


Disabling or Enabling Distributed Periodic Packet Management Globally on page 2601

•

Disabling or Enabling Distributed Periodic Packet Management for LACP Packets on page 2602

Disabling or Enabling Distributed Periodic Packet Management Globally Distributed PPM is enabled by default. Disable distributed PPM if you need to move all PPM processing to the Routing Engine. Enable distributed PPM if it was previously disabled and you need to run distributed PPM. To disable distributed PPM: [edit routing-options] user@switch# set ppm no-delegate-processing

To enable distributed PPM if it was previously disabled: [edit routing-options]


2601

®


user@switch# delete ppm no-delegate-processing

Disabling or Enabling Distributed Periodic Packet Management for LACP Packets Distributed PPM is enabled by default. Disable distributed PPM for only LACP packets if you need to move all PPM processing for LACP packets to the Routing Engine. To disable distributed PPM for LACP packets: [edit protocols] user@switch# set lacp ppm centralized

To enable distributed PPM for LACP packets if it was previously disabled: [edit protocols] user@switch# delete lacp ppm centralized


•

Understanding Distributed Periodic Packet Management on EX Series Switches on page 2576

•


Using IPsec to Secure OSPFv3 Networks (CLI Procedure) OSPF version 3 (OSPFv3) does not have a built-in authentication method and relies on IP Security (IPsec) to provide this functionality. You can use IPsec to secure OSPFv3 interfaces on EX Series switches. This topic includes: •

Configuring Security Associations on page 2602

•

Securing OPSFv3 Networks on page 2603

Configuring Security Associations When you configure a security association (SA), include your choices for authentication, encryption, direction, mode, protocol, and security parameter index (SPI). To configure a security association: 1.

Specify a name for the security association: [edit security ipsec] user@switch# set security-association sa-name

2. Specify the mode of the security association: [edit security ipsec security-association sa-name] user@switch# set mode transport 3. Specify the type of security association: [edit security ipsec security-association sa-name] user@switch# set type manual 4. Specify the direction of the security association: [edit security ipsec security-association sa-name] user@switch# set direction bidirectional 5. Specify the value of the security parameter index:

2602



[edit security ipsec security-association sa-name] user@switch# set spi spi-value 6. Specify the type of authentication to be used: [edit security ipsec security-association sa-name] user@switch# set authentication algorithm type 7. Specify the encryption algorithm and key: [edit security ipsec security-association sa-name] user@switch# set encryption algorithm algorithm key type

Securing OPSFv3 Networks You can secure the OSPFv3 network by applying the SA to the OSPFv3 configuration. To secure the OSPFv3 network: [edit protocols ospf3 area area-number interface interface-name] user@switch# set ipsec-sa sa-name


•

Understanding IPsec Authentication for OSPF Packets on EX Series Switches on page 2577

•


•



2603

®


2604


CHAPTER 78

Verifying Layer 3 Protocols Configuration •

Monitoring BGP Routing Information on page 2605

•

Monitoring OSPF Routing Information on page 2607

•

Monitoring RIP Routing Information on page 2610

•


Monitoring BGP Routing Information Purpose

Use the monitoring functionality to monitor BGP routing information on the routing device.

Action

To view BGP routing information in the J-Web interface, select Monitor > Routing > BGP Information. To view BGP routing information in the CLI, enter the following commands:

Meaning

•

show bgp summary

•

show bgp neighbor

Table 308 on page 2605 summarizes key output fields in the BGP routing display in the J-Web interface.

Table 308: Summary of Key BGP Routing Output Fields Field

Values


BGP Peer Summary Total Groups

Number of BGP groups.

Total Peers

Number of BGP peers.

Down Peers

Number of unavailable BGP peers.

Unconfigured Peers

Address of each BGP peer.

RIB Summary tab RIB Name

Name of the RIB group.


2605

®


Table 308: Summary of Key BGP Routing Output Fields (continued) Field

Values

Total Prefixes

Total number of prefixes from the peer, both active and inactive, that are in the routing table.

Active Prefixes

Number of prefixes received from the EBGP peers that are active in the routing table.

Suppressed Prefixes

Number of routes received from EBGP peers currently inactive because of damping or other reasons.

History Prefixes

History of the routes received or suppressed.

Dumped Prefixes

Number of routes currently inactive because of damping or other reasons. These routes do not appear in the forwarding table and are not exported by routing protocols.

Pending Prefixes

Number of pending routes.

State

Status of the graceful restart process for this routing table: BGP restart is complete, BGP restart in progress, VPN restart in progress, or VPN restart is complete.


BGP Neighbors Details

Click this button to view the selected BGP neighbor details.

Peer Address

Address of the BGP neighbor.

Autonomous System

AS number of the peer.

2606


Chapter 78: Verifying Layer 3 Protocols Configuration

Table 308: Summary of Key BGP Routing Output Fields (continued) Field

Values


Peer State

Current state of the BGP session:

Generally, the most common states are Active, which indicates a problem establishing the BGP connection, and Established, which indicates a successful session setup. The other states are transition states, and BGP sessions normally do not stay in those states for extended periods of time.

•

Active—BGP is initiating a TCP connection in

an attempt to connect to a peer. If the connection is successful, BGP sends an open message. •

Connect—BGP is waiting for the TCP

connection to become complete. •

Established—The BGP session has been

established, and the peers are exchanging BGP update messages. •

Idle—This is the first stage of a connection.

BGP is waiting for a Start event. •

OpenConfirm—BGP has acknowledged receipt

of an open message from the peer and is waiting to receive a keepalive or notification message. •

OpenSent—BGP has sent an open message

and is waiting to receive an open message from the peer. Elapsed Time

Elapsed time since the peering session was last reset.

Description

Description of the BGP session.


•


•


Monitoring OSPF Routing Information Purpose Action

Use the monitoring functionality to monitor OSPF routing information on routing devices. To view OSPF routing information in the J-Web interface, select Monitor > Routing > OSPF Information. To view OSPF routing information in the CLI, enter the following CLI commands:

Meaning

•

show ospf neighbor

•

show ospf interface

•

show ospf statistics

Table 309 on page 2608 summarizes key output fields in the OSPF routing display in the J-Web interface.


2607

®


Table 309: Summary of Key OSPF Routing Output Fields Field

Values


OSPF Interfaces Interface

Name of the interface running OSPF.

State

State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting.

Area

Number of the area that the interface is in.

DR ID

Address of the area's designated device.

BDR ID

Address of the area's backup designated device.

Neighbors

Number of neighbors on this interface.

Adjacency Count

Number of devices in the area using the same area identifier.

Stub Type

The areas into which OSPF does not flood AS external advertisements

Passive Mode

In this mode the interface is present on the network but does not transmit or receive packets.

Authentication Type

The authentication scheme for the backbone or area.

Interface Address

The IP address of the interface.

Address Mask

The subnet mask or address prefix.

MTU

The maximum transmission unit size.

Interface Cost

The path cost used to calculate the root path cost from any given LAN segment is determined by the total cost of each link in the path.

Hello Interval

How often the routing device sends hello packets out of the interface.

Dead Interval

The interval during which the routing device receives no hello packets from the neighbor.

Retransmit Interval

The interval for which the routing device waits to receive a link-state acknowledgment packet before retransmitting link-state advertisements to an interface’s neighbors.

2608

The Down state, indicating that the interface is not functioning, and PtToPt state, indicating that a point-to-point connection has been established, are the most common states.



Table 309: Summary of Key OSPF Routing Output Fields (continued) Field

Values


OSPF Statistics Packets tab Sent

Displays the total number of packets sent.

Received

Displays the total number of packets received.

Details tab Flood Queue Depth

Number of entries in the extended queue.

Total Retransmits

Number of retransmission entries enqueued.

Total Database Summaries

Total number of database description packets.

OSPF Neighbors Address

Address of the neighbor.

Interface

Interface through which the neighbor is reachable.

State

State of the neighbor: Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2way.

ID

ID of the neighbor.

Priority

Priority of the neighbor to become the designated router.

Activity Time

The activity time.

Area

Area that the neighbor is in.

Options

Option bits received in the hello packets from the neighbor.

DR Address

Address of the designated router.

BDR Address

Address of the backup designated router.

Uptime

Length of time since the neighbor came up.


Generally, only the Down state, indicating a failed OSPF adjacency, and the Full state, indicating a functional adjacency, are maintained for more than a few seconds. The other states are transitional states that a neighbor is in only briefly while an OSPF adjacency is being established.

2609

®


Table 309: Summary of Key OSPF Routing Output Fields (continued) Field

Values

Adjacency

Length of time since the adjacency with the neighbor was established.



•


•


Monitoring RIP Routing Information Purpose Action

Use the monitoring functionality to monitor RIP routing on routing devices. To view RIP routing information in the J-Web interface, select Monitor > Routing > RIP Information. To view RIP routing information in the CLI, enter the following CLI commands:

Meaning

•

show rip statistics

•

show rip neighbor

Table 310 on page 2610 summarizes key output fields in the RIP routing display in the J-Web interface.

Table 310: Summary of Key RIP Routing Output Fields Field

Values


RIP Statistics Protocol Name

The RIP protocol name.

Port number

The port on which RIP is enabled.

Hold down time

The interval during which routes are neither advertised nor updated.

Global routes learned

Number of RIP routes learned on the logical interface.

Global routes held down

Number of RIP routes that are not advertised or updated during the hold-down interval.

Global request dropped

Number of requests dropped.

Global responses dropped

Number of responses dropped.

2610



Table 310: Summary of Key RIP Routing Output Fields (continued) Field

Values


Neighbor

Name of the RIP neighbor.

This value is the name of the interface on which RIP is enabled. Click the name to see the details for this neighbor.

State

State of the RIP connection: Up or Dn (Down).

Source Address

Local source address.

This value is the configured address of the interface on which RIP is enabled.

Destination Address

Destination address.

This value is the configured address of the immediate RIP adjacency.

Send Mode

The mode of sending RIP messages.

Receive Mode

The mode in which messages are received.

In Metric

Value of the incoming metric configured for the RIP neighbor.

RIP Neighbors


•


•


Monitoring Routing Information Purpose Action

Use the monitoring functionality to view the inet.0 routing table on the routing device. To view the routing tables in the J-Web interface, select Monitor > Routing > Route Information. Apply a filter or a combination of filters to view messages. You can use filters to display relevant events. To view the routing table in the CLI, enter the following commands in the CLI interface:

Meaning

•

show route terse

•

show route detail

Table 311 on page 2612 describes the different filters, their functions, and the associated actions. Table 312 on page 2612 summarizes key output fields in the routing information display.


2611

®


Table 311: Filtering Route Messages Field

Function

Your Action

Destination Address

Specifies the destination address of the route.

Enter the destination address.

Protocol

Specifies the protocol from which the route was learned.

Enter the protocol name.

Next hop address

Specifies the network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it.

Enter the next hop address.

Receive protocol

Specifies the dynamic routing protocol using which the routing information was received through a particular neighbor.

Enter the routing protocol.

Best route

Specifies only the best route available.

Select the view details of the best route.

Inactive routes

Specifies the inactive routes.

Select the view details of inactive routes.

Exact route

Specifies the exact route.

Select the view details of the exact route.

Hidden routes

Specifies the hidden routes.

Select the view details of hidden routes.

Search

Applies the specified filter and displays the matching messages.

To apply the filter and display messages, click Search.

Table 312: Summary of Key Routing Information Output Fields Field

Values

Static Route Addresses

The list of static route addresses.

Protocol

Protocol from which the route was learned: Static, Direct, Local, or the name of a particular protocol.

Preference

The preference is the individual preference value for the route.

2612


The route preference is used as one of the route selection criteria.



Table 312: Summary of Key Routing Information Output Fields (continued) Field

Values


Next-Hop

Network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it.

If a next hop is listed as Discard, all traffic with that destination address is discarded rather than routed. This value generally means that the route is a static route for which the discard attribute has been set. If a next hop is listed as Reject, all traffic with that destination address is rejected. This value generally means that the address is unreachable. For example, if the address is a configured interface address and the interface is unavailable, traffic bound for that address is rejected. If a next hop is listed as Local, the destination is an address on the host (either the loopback address or Ethernet management port 0 address, for example).

Age

How long the route has been active.

State

Flags for this route.

AS Path

AS path through which the route was learned. The letters of the AS path indicate the path origin: •

I—IGP.

•

E—EGP.

•

?—Incomplete. Typically, the AS path was

There are many possible flags.

aggregated.


•


•


•



2613

®


2614


CHAPTER 79

Configuration Statements for Layer 3 Protocols accept-remote-nexthop Syntax Hierarchy Level

Release Information

Description


accept-remote-nexthop; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify that a single-hop EBGP peer accepts a remote next hop with which it does not share a common subnet. Configure a separate import policy on the EBGP peer to specify the remote next hop. You cannot configure multihop and accept-remote-nexthop statements for the same EPBG peer. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring Single-Hop EBGP Peers to Accept Remote Next Hops

•

Understanding Route Advertisement

•

multipath on page 2793


2615

®


active Syntax Hierarchy Level

Release Information

Description

(active | passive); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-options (aggregate | generate | static) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Determine whether static, aggregate, or generated routes are removed from the routing and forwarding tables when they become inactive. Static routes are only removed from the routing table if the next hop becomes unreachable. This can occur if the local or neighbor interface goes down. Routes that have been configured to remain continually installed in the routing and forwarding tables are marked with reject next hops when they are inactive. •

active—Remove a route from the routing and forwarding tables when it becomes

inactive. •

passive—Have a route remain continually installed in the routing and forwarding tables

even when it becomes inactive. Include the active statement when configuring an individual route in the route portion of the static statement to override a passive option specified in the defaults portion of the statement. Default Required Privilege Level Related Documentation

2616

active


Examples: Configuring Static Routes

•

Example: Summarizing Routes Through Route Aggregation

•

Example: Conditionally Generating Static Routes


Chapter 79: Configuration Statements for Layer 3 Protocols

advertise-external Syntax Hierarchy Level

Release Information

advertise-external {conditional}; [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor neighbor-address]

Statement introduced in Junos OS Release 9.3. Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series.

Description

Specify BGP to advertise the best external route into an IBGP mesh group, a route reflector cluster, or an AS confederation even if the best route is an internal route. In order to configure the advertise-external statement on a route reflector, you must disable intracluster reflection with the no-client-reflect statement. The advertise-external statement is supported at both the group and neighbor level. If you configure the statement at the neighbor level, you must configure it for all neighbors in a group. Otherwise, the group is automatically split into different groups.

Options

conditional—(Optional) Advertise the best external path only if the route selection process

reaches the point at which the multiple exit discriminator (MED) metric is evaluated. As a result, an external path with an AS path worse than that of the active path is not advertised. Required Privilege Level Related Documentation


Example: Configuring BGP Route Advertisement

•


•

advertise-inactive on page 2618


2617

®


advertise-inactive Syntax Hierarchy Level

Release Information

Description


2618

advertise-inactive; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. BGP will be the best advertised route even if the routing table does not select it as an active route. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring the Preference Value for BGP Routes

•

Example: Configuring BGP Route Preference (Administrative Distance)

•


•

advertise-external on page 2617



advertise-peer-as Syntax Hierarchy Level

Release Information


advertise-peer-as; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable the default behavior of suppressing AS routes. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring BGP Route Advertisement

•


•

no-advertise-peer-as


2619

®


aggregate Syntax

Hierarchy Level

Release Information

Description Options

aggregate { defaults { ... aggregate-options ... } route destination-prefix { policy policy-name; ... aggregate-options ... } } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name], [edit logical-systems logical-system-name routing-options], [edit logical-systems logical-system-name routing-options rib routing-table-name], [edit routing-instances routing-instance-name routing-options], [edit routing-instances routing-instance-name routing-options rib routing-table-name], [edit routing-options], [edit routing-options rib routing-table-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure aggregate routes. aggregate-options—Additional information about aggregate routes that is included with

the route when it is installed in the routing table. Specify zero or more of the following options in aggregate-options. Each option is explained separately. •

(active | passive);

•

as-path ;

•

(brief | full);

•

community [ community-ids ];

•

discard;

•

(metric | metric2 | metric3 | metric4) value ;

•

(preference | preference2 | color | color2) preference ;

•

tag string;

defaults—Specify global aggregate route options. These options only set default attributes

inherited by all newly created aggregate routes. These are treated as global defaults and apply to all the aggregate routes you configure in the aggregate statement. This part of the aggregate statement is optional.

2620



route destination-prefix—Configure a nondefault aggregate route: •

default—For the default route to the destination. This is equivalent to specifying an IP

address of 0.0.0.0/0. •

destination-prefix/prefix-length—destination-prefix is the network portion of the IP

address, and prefix-length is the destination prefix length. The policy statement is explained separately. Required Privilege Level Related Documentation



aggregate-label Syntax

Hierarchy Level

Release Information

Description Options

aggregate-label { community community-name; } [edit logical-systems logical-system-name protocols bgp family inet labeled-unicast], [edit logical-systems logical-system-name protocols bgp family inet-vpn labeled-unicast], [edit protocols bgp family inet labeled-unicast], [edit protocols bgp family inet-vpn labeled-unicast], [edit protocols bgp family inet6 labeled-unicast]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable aggregate labels for VPN traffic. community community-name—Specify the name of the community to which to apply the

aggregate label. Required Privilege Level Related Documentation


Configuring Aggregate Labels for VPNs


2621

®


allow Syntax Hierarchy Level

Release Information

Description

allow (all | [ network/mask-length ]); [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Implicitly configure BGP peers, allowing peer connections from any of the specified networks or hosts. To configure multiple BGP peers, configure one or more networks and hosts within a single allow statement or include multiple allow statements.

NOTE: You cannot define a BGP group with dynamic peers with BGP authentication enabled.

Options

all—Allow all addresses, which is equivalent to 0.0.0.0/0 (or ::/0). network/mask-length—IPv6 or IPv4 network number of a single address or a range of

allowable addresses for BGP peers, followed by the number of significant bits in the subnet mask.

NOTE: You cannot define a BGP group with dynamic peers with authentication enabled.


2622


neighbor on page 2794



any-sender Syntax Hierarchy Level

Release Information


any-sender; [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable strict sender address checks. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OBSOLETE - Disabling Strict Address Checking for RIP Messages


2623

®


area Syntax Hierarchy Level

Release Information

Description

area area-id; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the area identifier for this routing device to use when participating in OSPF routing. All routing devices in an area must use the same area identifier to establish adjacencies. Specify multiple area statements to configure the routing device as an area border router. An area border router does not automatically summarize routes between areas. Use the area-range statement to configure route summarization. By definition, an area border router must be connected to the backbone area either through a physical link or through a virtual link. To create a virtual link, include the virtual-link statement. To specify that the routing device is directly connected to the OSPF backbone, include the area 0.0.0.0 statement. All routing devices on the backbone must be contiguous. If they are not, use the virtual-link statement to create the appearance of connectivity to the backbone.

Options

area-id—Area identifier. The identifier can be up to 32 bits. It is common to specify the

area number as a simple integer or an IP address. Area number 0.0.0.0 is reserved for the OSPF backbone area. Required Privilege Level Related Documentation

2624


OSPF Areas and Router Functionality Overview

•

Understanding Multiple Address Families for OSPFv3

•

virtual-link on page 2933



area-range Syntax Hierarchy Level

Release Information

Description

area-range network/mask-length ; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id nssa], [edit logical-systems logical-system-name realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa], [edit logical-systems logical-system-name routing-instances routing-instance-name realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit protocols (ospf | ospf3) area area-id], [edit protocols (ospf | ospf3) area area-id nssa], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa], [edit routing-instances routing-instance-name realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. (Area border routers only) For an area, summarize a range of IP addresses when sending summary link advertisements (within an area). To summarize multiple ranges, include multiple area-range statements. For a not-so-stubby area (NSSA), summarize a range of IP addresses when sending NSSA link-state advertisements. The specified prefixes are used to aggregate external routes learned within the area when the routes are advertised to other areas. To specify multiple prefixes, include multiple area-range statements. All external routes learned within the area that do not fall into one of the prefixes are advertised individually to other areas.

Default

Options

By default, area border routers do not summarize routes being sent from one area to other areas, but rather send all routes explicitly. exact—(Optional) Summarization of a route is advertised only when an exact match is

made with the configured summary range. mask-length—Number of significant bits in the network mask. network—IP address. You can specify one or more IP addresses. override-metric metric—(Optional) Override the metric for the IP address range and

configure a specific metric value.


2625

®


restrict—(Optional) Do not advertise the configured summary. This hides all routes that

are contained within the summary, effectively creating a route filter. Range: 1 through 16,777,215 Required Privilege Level Related Documentation

2626


Example: Summarizing Ranges of Routes in OSPF Link-State Advertisements



as-override Syntax Hierarchy Level

Release Information

Description

as-override; [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Compare the AS path of an incoming advertised route with the AS number of the BGP peer under the group and replace all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer.

NOTE: The as-override statement is specific to a particular BGP group. This statement does not affect peers from the same remote AS configured in different groups.

Enabling the AS override feature allows routes originating from an AS to be accepted by a router residing in the same AS. Without AS override enabled, the routing device refuses the route advertisement once the AS path shows that the route originated from its own AS. This is done by default to prevent route loops. The as-override statement overrides this default behavior. Note that enabling the AS override feature may result in routing loops. Use this feature only for specific applications that require this type of behavior, and in situations with strict network control. One application is the IGP protocol between the provider edge routing device and the customer edge routing device in a virtual private network. Required Privilege Level Related Documentation


OBSOLETE - Configuring BGP Groups and Peers

•

Junos OS VPNs Configuration Guide


2627

®


as-path Syntax

Hierarchy Level

Release Information

Description

as-path ; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-options (aggregate | generate | static) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Associate BGP autonomous system (AS) path information with a static, aggregate, or generated route. In Junos OS Release 9.1 and later, the numeric range for the AS number is extended to provide BGP support for 4-byte AS numbers as defined in RFC 4893, BGP Support for Four-octet AS Number Space. RFC 4893 introduces two new optional transitive BGP attributes, AS4_PATH and AS4_AGGREGATOR. These new attributes are used to propagate 4-byte AS path information across BGP speakers that do not support 4-byte AS numbers. RFC 4893 also introduces a reserved, well-known, 2-byte AS number, AS 23456. This reserved AS number is called AS_TRANS in RFC 4893. All releases of Junos OS support 2-byte AS numbers. In Junos OS Release 9.2 and later, you can also configure a 4-byte AS number using the AS-dot notation format of two integer values joined by a period: .. For example, the 4-byte AS number of 65,546 in plain-number format is represented as 1.10 in the AS-dot notation format. You can specify a value in the range from 0.0 through 65535.65535 in AS-dot notation format.

Default Options

No AS path information is associated with static routes. aggregator—(Optional) Attach the BGP aggregator path attribute to the aggregate route.

You must specify the last AS number that formed the aggregate route (encoded as two octets) for as-number, followed by the IP address of the BGP system that formed the aggregate route for ip-address.

2628



as-path—(Optional) AS path to include with the route. It can include a combination of

individual AS path numbers and AS sets. Enclose sets in brackets ( [ ] ). The first AS number in the path represents the AS immediately adjacent to the local AS. Each subsequent number represents an AS that is progressively farther from the local AS, heading toward the origin of the path. You cannot specify a regular expression for as-path. You must use a complete, valid AS path. atomic-aggregate—(Optional) Attach the BGP atomic-aggregate path attribute to the

aggregate route. This path attribute indicates that the local system selected a less specific route instead of a more specific route. origin egp—(Optional) BGP origin attribute that indicates that the path information

originated in another AS. origin igp—(Optional) BGP origin attribute that indicates that the path information

originated within the local AS. origin incomplete—(Optional) BGP origin attribute that indicates that the path information

was learned by some other means. Required Privilege Level Related Documentation



•


•


•

Understanding a 4-Byte Capable Router AS Path Through a 2-Byte Capable Domain in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview


2629

®


asm-override-ssm Syntax Hierarchy Level

Release Information

Description


2630

asm-override-ssm; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable the routing device to accept any-source multicast join messages (*,G) for group addresses that are within the default or configured range of source-specific multicast groups. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring Source-Specific Multicast Groups with Any-Source Override



authentication-algorithm Syntax Hierarchy Level

Release Information

Description Options

authentication-algorithm algorithm; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure an authentication algorithm type. algorithm—Type of authentication algorithm. Specify md5, hmac-sha-1-96, or aes-128-cmac-96 as the algorithm type.



Understanding Route Authentication

•

Example: Configuring Route Authentication for BGP


2631

®


authentication-key Syntax Hierarchy Level

Release Information

Description

Options

authentication-key key; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure an MD5 authentication key (password). Neighboring routing devices use the same password to verify the authenticity of BGP packets sent from this system. key—Authentication password. It can be up to 126 characters. Characters can include

any ASCII strings. If you include spaces, enclose all characters in quotation marks (“ ”). Required Privilege Level Related Documentation

2632






Release Information

Description

authentication-key key; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Authentication key (password). Neighboring routing devices use the password to verify the authenticity of packets sent from this interface. For the key to work, you also must include the authentication-type statement. All routing devices must use the same password. If you are using the Junos OS IS-IS software with another implementation of IS-IS, the other implementation must be configured to use the same password for the domain, the area, and all interfaces adjacent to the Juniper Networks routing device.

Default

If you do not include this statement and the authentication-type statement, IS-IS authentication is disabled.

Options

key—Authentication password. The password can be up to 1024 characters long.

Characters can include any ASCII strings. If you include spaces, enclose all characters in quotation marks (“ ”).

CAUTION: A simple password for authentication is truncated if it exceeds 254 characters.



Configuring IS-IS Authentication


2633

®



Release Information

Description Options

authentication-key password; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Require authentication for RIP route queries received on an interface. password—Authentication password. If the password does not match, the packet is

rejected. The password can be from 1 through 16 contiguous characters long and can include any ASCII strings. Required Privilege Level Related Documentation

2634


Example: Configuring Route Authentication for RIP



authentication-key-chain Syntax Hierarchy Level

Release Information

authentication-key-chain key-chain; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]


Description

Apply and enable an authentication keychain to the routing device. Note that the referenced key chain must be defined. When configuring the authentication key update mechanism for BGP, you cannot commit the 0.0.0.0/allow statement with authentication keys or key chains. The CLI issues a warning and fails to commit such configurations.

Options

key-chain—Authentication keychain name. It can be up to 126 characters. Characters can

include any ASCII strings. If you include spaces, enclose all characters in quotation marks (“ ”). Required Privilege Level Related Documentation



•

Example: Configuring BFD Authentication for Static Routes

•

Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols


2635

®


authentication-key-chains Syntax

Hierarchy Level

authentication-key-chains { key-chain key-chain-name { description text-string; key key { algorithm (md5 | hmac-sha-1); options (basic | isis-enhanced); secret secret-data; start-time yyyy-mm-dd.hh:mm:ss; } tolerance seconds; } } [edit security]

Release Information

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the BFD protocol introduced in Junos OS Release 9.6. Support for the BFD protocol introduced in Junos OS Release 9.6 for EX Series switches. Support for IS-IS introduced in JUNOS OS Release 11.2. Statement introduced in Junos OS Release 11.3 for the QFX Series.

Description

Configure authentication key updates for the Border Gateway Protocol (BGP), the Label Distribution Protocol (LDP) routing protocols, the Bidirectional Forwarding Detection (BFD) protocol, and the Intermediate System-to-Intermediate System (IS-IS) protocol. When the authentication-key-chains statement is configured at the [edit security] hierarchy level, and is associated with the BGP, LDP, or IS-IS protocols at the [edit protocols] hierarchy level or with the BFD protocol using the bfd-liveness-detection statement, authentication key updates can occur without interrupting routing and signaling protocols such as Open Shortest Path First (OSPF) and Resource Reservation Setup Protocol (RSVP). The remaining statements are explained separately.


2636


Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols

•


•

Example: Configuring Hitless Authentication Key Rollover for IS-IS



authentication-type Syntax Hierarchy Level

Release Information

Description

Default

Options

authentication-type authentication; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable authentication and specify the authentication scheme for IS-IS. If you enable authentication, you must specify a password by including the authentication-key statement. If you do not include this statement and the authentication-key statement, IS-IS authentication is disabled. authentication—Authentication scheme: •

md5—Use HMAC authentication in combination with MD5. HMAC-MD5 authentication

is defined in RFC 2104, HMAC: Keyed-Hashing for Message Authentication. •

simple—Use a simple password for authentication. The password is included in the

transmitted packet, making this method of authentication relatively insecure. We recommend that you not use this authentication method. Required Privilege Level Related Documentation



•

no-authentication-check on page 2801

•



2637

®


authentication-type Syntax Hierarchy Level

Release Information

Description Default

Options

authentication-type type; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the type of authentication for RIP route queries received on an interface. If you do not include this statement and the authentication-key statement, RIP authentication is disabled. type—Authentication type: •

md5—Use the MD5 algorithm to create an encoded checksum of the packet. The

encoded checksum is included in the transmitted packet. The receiving routing device uses the authentication key to verify the packet, discarding it if the digest does not match. This algorithm provides a more secure authentication scheme. •

none—Disable authentication. If none is configured, the configured authentication key

is ignored. •

simple—Use a simple password. The password is included in the transmitted packet,

which makes this method of authentication relatively insecure. The password can be from 1 through 16 contiguous letters or digits long. Required Privilege Level Related Documentation

2638



•

Example: Configuring Route Authentication for RIP



autonomous-system Syntax

autonomous-system autonomous-system { independent-domain ; }

Hierarchy Level

[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Release Information

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. asdot-notation option introduced in Junos OS Release 9.3. asdot-notation option introduced in Junos OS Release 9.3 for EX Series switches. no-attrset option introduced in Junos OS Release 10.4. Statement introduced in Junos OS Release 11.3 for the QFX Series.

Description

Specify the routing device’s AS number. An autonomous system (AS) is a set of routing devices that are under a single technical administration and that generally use a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routing devices. An AS appears to other ASs to have a single, coherent interior routing plan and presents a consistent picture of what destinations are reachable through it. ASs are identified by a number that is assigned by the Network Information Center (NIC) in the United States (http://www.isi.edu). If you are using BGP on the routing device, you must configure an AS number. The AS path attribute is modified when a route is advertised to an EBGP peer. Each time a route is advertised to an EBGP peer, the local routing device prepends its AS number to the existing path attribute, and a value of 1 is added to the AS number. In Junos OS Release 9.1 and later, the numeric range is extended to provide BGP support for 4-byte AS numbers as defined in RFC 4893, BGP Support for Four-octet AS Number Space. RFC 4893 introduces two new optional transitive BGP attributes, AS4_PATH and AS4_AGGREGATOR. These new attributes are used to propagate 4-byte AS path information across BGP speakers that do not support 4-byte AS numbers. RFC 4893 also introduces a reserved, well-known, 2-byte AS number, AS 23456. This reserved AS number is called AS_TRANS in RFC 4893. All releases of Junos OS support 2-byte AS numbers. In Junos OS Release 9.3 and later, you can also configure a 4-byte AS number using the AS-dot notation format of two integer values joined by a period: .. For example, the 4-byte AS number of 65,546 in plain-number format is represented as 1.10 in the AS-dot notation format.

Options

autonomous-system—AS number. Use a number assigned to you by the NIC. 32

Range: 1 through 4,294,967,295 (2


– 1) in plain-number format for 4-byte AS numbers

2639

®


In this example, the 4-byte AS number 65,546 is represented in plain-number format: [edit] routing-options { autonomous-system 65546; }

Range: 0.0 through 65535.65535 in AS-dot notation format for 4-byte numbers In this example, 1.10 is the AS-dot notation format for 65,546: [edit] routing-options { autonomous-system 1.10; }

Range: 1 through 65,535 in plain-number format for 2-byte AS numbers (this is a subset of the 4-byte range) In this example, the 2-byte AS number 60,000 is represented in plain-number format: [edit] routing-options { autonomous-system 60000; } asdot-notation—(Optional) Display the configured 4-byte autonomous system number

in the AS-dot notation format. Default: Even if a 4-byte AS number is configured in the AS-dot notation format, the default is to display the AS number in the plain-number format. loops number—(Optional) Specify the number of times detection of the AS number in

the AS_PATH attribute causes the route to be discarded or hidden. For example, if you configure loops 1, the route is hidden if the AS number is detected in the path one or more times. This is the default behavior. If you configure loops 2, the route is hidden if the AS number is detected in the path two or more times. Range: 1 through 10 Default: 1

NOTE: When you specify the same AS number in more than one routing instance on the local routing device, you must configure the same number of loops for the AS number in each instance. For example, if you configure a value of 3 for the loops statement in a VRF routing instance that uses the same AS number as that of the master instance, you must also configure a value of 3 loops for the AS number in the master instance. Use the independent-domain option if the loops statement must be enabled only on a subset of routing instances.

The remaining statement is explained separately.

2640





Examples: Configuring External BGP Peering

•

Examples: Configuring Internal BGP Peering

•

4-Byte Autonomous System Numbers Overview in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview

•

Juniper Networks Implementation of 4-Byte Autonomous System Numbers in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview

•

Configuring 4-Byte Autonomous System Numbers in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview

backup-pe-group Syntax

Hierarchy Level

Release Information

Description

Options

backup-pe-group group-name { backups [ addresses ]; local-address address; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a backup provider edge (PE) group for ingress PE redundancy when point-to-multipoint label-switched paths (LSPs) are used for multicast distribution. group-name—Name of the group for PE backups.



Example: Configuring Ingress PE Redundancy


2641

®


backups Syntax Hierarchy Level

Release Information

Description


2642

backups [ addresses ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast backup-pe-group group-name], [edit logical-systems logical-system-name routing-options multicast backup-pe-group group-name], [edit routing-instances routing-instance-name routing-options multicast backup-pe-group group-name], [edit routing-options multicast backup-pe-group group-name]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the address of backup PEs for ingress PE redundancy when point-to-multipoint label-switched paths (LSPs) are used for multicast distribution. addresses—Addresses of other PEs in the backup group.






Release Information

Description Options

bandwidth ( bps | adaptive ); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast flow-map], [edit logical-systems logical-system-name routing-options multicast flow-map], [edit routing-instances routing-instance-name routing-options multicast flow-map], [edit routing-options multicast flow-map]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the bandwidth property for multicast flow maps. adaptive—Specify that the bandwidth is measured for the flows that are matched by the

flow map. bps—Bandwidth, in bits per second, for the flow map.

Range: 0 through any amount of bandwidth Default: 2 Mbps Required Privilege Level Related Documentation


Example: Configuring a Multicast Flow Map


2643

®


bandwidth-based-metrics Syntax

Hierarchy Level

Release Information

Description

Options

bandwidth-based-metrics { bandwidth value; metric number; } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf area area-id interface interface-name topology topology-name], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf area area-id interface interface-name topology topology-name], [edit logical-systems logical-system-name routing-instances routing-instances protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf area area-id interface interface-name topology topology-name], [edit protocols ospf3 realm (ivp4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name topology topology-name], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify a set of bandwidth threshold values and associated metric values for an OSPF interface or for a topology on an OSPF interface. When the bandwidth of an interface changes, Junos OS automatically sets the interface metric to the value associated with the appropriate bandwidth threshold value. bandwidth value—Specify the bandwidth threshold in bits per second.

Range: 9600 through 1,000,000,000,000,000 metric number—Specify a metric value to associate with a specific bandwidth value.

Range: 1 through 65,535

NOTE: You must also configure a static metric value for the OSPF interface or topology with the metric statement. Junos OS uses this value to calculate the cost of a route from the OSPF interface or topology if the bandwidth for the interface is higher than of any bandwidth threshold values configured for bandwidth-based metrics.

2644





Example: Dynamically Adjusting OSPF Interface Metrics Based on Bandwidth

•

metric on page 2780

•

Example: Dynamically Adjusting OSPF Interface Metrics Based on Bandwidth


2645

®


bfd-liveness-detection (BGP) Syntax

Hierarchy Level

Release Information

Description

bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } hold-down-interval milliseconds; minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; session-mode (automatic | multihop | single-hop); transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); } [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for logical routers introduced in Junos OS Release 8.3. Support for IBGP and multihop EBGP sessions introduced in Junos OS Release 8.3. Support for BFD on IPv6 interfaces with BGP introduced in Junos OS Release 11.2. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure bidirectional failure detection (BFD) timers and authentication for BGP. For IBGP and multihop EBGP support, configure the bfd-liveness-detection statement at the global [edit bgp protocols] hierarchy level. You can also configure IBGP and multihop support for a routing instance or a logical system.

2646





Example: Configuring BFD for Static Routes

•


•

Example: Configuring BFD on Internal BGP Peer Sessions

•

Example: Configuring BFD Authentication for BGP

•

Understanding BFD for BGP

•

authentication

•

detection-time

•

hold-down-interval

•

multiplier

•

minimum-interval

•

minimum-receive-interval

•

no-adaptation

•

session-mode

•

transmit-interval

•

version


2647

®


bfd-liveness-detection Syntax

bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); }

Hierarchy Level

[edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Release Information

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. detection-time threshold and transmit-interval threshold options added in Junos OS Release 8.2. Support for logical systems introduced in Junos OS Release 8.3. no-adaptation statement introduced in Junos OS Release 9.0. authentication algorithm, authentication key-chain, and authentication loose-check options introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 12.1 for the QFX Series.

Description Options

Configure bidirectional failure detection timers and authentication. authentication algorithm algorithm-name —Configure the algorithm used to authenticate

the specified BFD session: simple-password, keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1. authentication key-chain key-chain-name—Associate a security key with the specified

BFD session using the name of the security keychain. The name you specify must match one of the keychains configured in the authentication-key-chains key-chain statement at the [edit security] hierarchy level. authentication loose-check—(Optional) Configure loose authentication checking on the

BFD session. Use only for transitional periods when authentication may not be configured at both ends of the BFD session.

2648



detection-time threshold milliseconds—Configure a threshold for the adaptation of the

BFD session detection time. When the detection time adapts to a value equal to or greater than the threshold, a single trap and a single system log message are sent. minimum-interval milliseconds—Configure the minimum interval after which the local

routing device transmits a hello packet and then expects to receive a reply from the neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can specify the minimum transmit and receive intervals separately using the transmit-interval minimum-interval and minimum-receive-interval statements. Range: 1 through 255,000 minimum-receive-interval milliseconds—Configure the minimum interval after which the

local routing device expects to receive a reply from a neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum receive interval using the minimum-interval statement. Range: 1 through 255,000 multiplier number—Configure the number of hello packets not received by a neighbor

that causes the originating interface to be declared down. Range: 1 through 255 Default: 3 no-adaptation—Specify that BFD sessions not adapt to changing network conditions.

We recommend that you not disable BFD adaptation unless it is preferable not to have BFD adaptation enabled in your network. transmit-interval threshold milliseconds—Configure the threshold for the adaptation of

the BFD session transmit interval. When the transmit interval adapts to a value greater than the threshold, a single trap and a single system message are sent. The interval threshold must be greater than the minimum transmit interval. 32

Range: 0 through 4,294,967,295 (2

– 1)

transmit-interval minimum-interval milliseconds—Configure a minimum interval after

which the local routing device transmits hello packets to a neighbor. Optionally, instead of using this statement, you can configure the minimum transmit interval using the minimum-interval statement. Range: 1 through 255,000 version—Configure the BFD version to detect: 1 (BFD version 1) or automatic (autodetect

the BFD version) Default: automatic The remaining statements are explained separately. Required Privilege Level



2649

®



2650

•

Example: Configuring BFD for IS-IS

•

Configuring BFD Authentication for IS-IS




Hierarchy Level

Release Information

bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } full-neighbors-only minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. detection-time threshold and transmit-interval threshold options added in Junos OS Release 8.2. Support for logical systems introduced in Junos OS Release 8.3. no-adaptation option introduced in Junos OS Release 9.0. no-adaptation option introduced in Junos OS Release 9.0 for EX Series switches. Support for OSPFv3 introduced in Junos OS Release 9.3. Support for OSPFv3 introduced in Junos OS Release 9.3 for EX Series switches. full-neighbors-only option introduced in Junos OS Release 9.5. full-neighbors-only option introduced in Junos OS Release 9.5 for EX Series switches.


2651

®


authentication algorithm, authentication key-chain, and authentication loose-check options

introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 12.1 for the QFX Series. Description

Configure bidirectional failure detection timers and authentication for OSPF. The remaining statements are explained separately.

2652



Options

authentication algorithm algorithm-name —Configure the algorithm used to authenticate

the specified BFD session: simple-password, keyed-md5, keyed-sha-1, meticulous-keyed-md5, or meticulous-keyed-sha-1. authentication key-chain key-chain-name—Associate a security key with the specified


BFD session. Use only for transitional periods when authentication may not be configured at both ends of the BFD session. detection-time threshold milliseconds—Configure a threshold for the adaptation of the

BFD session detection time. When the detection time adapts to a value equal to or greater than the threshold, a single trap and a single system log message are sent. full-neighbors-only—Establish BFD sessions only for OSPF neighbors in the full state. The

default behavior is to establish BFD sessions for all OSPF neighbors. minimum-interval milliseconds—Configure the minimum interval after which the local

routing device transmits a hello packet and then expects to receive a reply from the neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum transmit and receive intervals separately using the transmit-interval minimum-interval and minimum-receive-interval statements. Range: 1 through 255,000 milliseconds minimum-receive-interval milliseconds—Configure the minimum interval after which the

routing device expects to receive a reply from a neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum receive interval using the minimum-interval statement. Range: 1 through 255,000 milliseconds multiplier number—Configure the number of hello packets not received by a neighbor

that causes the originating interface to be declared down. Range: 1 through 255 Default: 3 no-adaptation—Specify that BFD sessions should not adapt to changing network

conditions. We recommend that you not disable BFD adaptation unless it is preferable not to have BFD adaptation enabled in your network. transmit-interval threshold milliseconds—Configure the threshold for the adaptation of


Range: 0 through 4,294,967,295 (2

– 1)

transmit-interval minimum-interval milliseconds—Configure the minimum interval at which

the routing device transmits hello packets to a neighbor with which it has established


2653

®


a BFD session. Optionally, instead of using this statement, you can configure the minimum transmit interval using the minimum-interval statement. Range: 1 through 255,000 version—Configure the BFD version to detect: 1 (BFD version 1) or automatic (autodetect

the BFD version). Default: automatic Required Privilege Level Related Documentation

2654


Example: Configuring BFD for OSPF

•

Example: Configuring BFD Authentication for OSPF




bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); }

Hierarchy Level

[edit logical-systems logical-system-name protocols rip group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip group group-name], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Release Information

Statement introduced in Junos OS Release 8.0. detection-time threshold and transmit-interval threshold options introduced in Junos OS Release 8.2. Support for logical systems introduced in Junos OS Release 8.3. no-adaptation option introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. authentication algorithm, authentication key-chain, and authentication loose-check options introduced in Junos OS Release 9.6. authentication algorithm, authentication key-chain, and authentication loose-check options introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series.

Description

Configure bidirectional failure detection timers and authentication. The remaining statements are explained separately.

Options



BFD session using the name of the security keychain. The name you specify must


2655

®


match one of the keychains configured in the authentication-key-chains key-chain statement at the [edit security] hierarchy level. authentication loose-check—(Optional) Configure loose authentication checking on the


BFD session detection time. When the detection time adapts to a value equal to or greater than the threshold, a single trap and a single system log message are sent. minimum-interval milliseconds—Configure the minimum interval after which the local

routing device transmits a hello packet and then expects to receive a reply from the neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can specify the minimum transmit and receive intervals separately using the transmit-interval minimum-interval and minimum-receive-interval statements. Range: 1 through 255,000 milliseconds minimum-receive-interval milliseconds—Configure the minimum interval after which the

local routing device expects to receive a reply from a neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum receive interval using the minimum-interval statement. Range: 1 through 255,000 milliseconds multiplier number—Configure the number of hello packets not received by a neighbor

that causes the originating interface to be declared down. Range: 1 through 255 Default: 3 no-adaptation—Configure BFD sessions not to adapt to changing network conditions.



Range: 0 through 4,294,967,295 (2

– 1)

transmit-interval minimum-interval milliseconds—Configure a minimum interval after

which the local routing device transmits hello packets to a neighbor. Optionally, instead of using this statement, you can configure the minimum transmit interval using the minimum-interval statement. Range: 1 through 255,000 version—Configure the BFD version to detect: 1 (BFD version 1) or automatic (autodetect

the BFD version). Default: automatic

2656





Example: Configuring BFD for RIP

•

Example: Configuring BFD Authentication for RIP


2657

®



Hierarchy Level

2658

bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } holddown-interval milliseconds; local-address ip-address; minimum-interval milliseconds; minimum-receive-interval milliseconds; minimum-receive-ttl number; multiplier number; neighbor address; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name static route destination-prefix], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name static route destination-prefix qualified-next-hop (interface-name | address)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static route destination-prefix], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static route destination-prefix qualified-next-hop (interface-name | address)], [edit logical-systems logical-system-name routing-options rib routing-table-name static route destination-prefix], [edit logical-systems logical-system-name routing-options rib routing-table-name static route destination-prefix qualified-next-hop (interface-name | address)], [edit logical-systems logical-system-name routing-options static route destination-prefix], [edit logical-systems logical-system-name routing-options static route destination-prefix qualified-next-hop (interface-name | address)], [edit routing-instances routing-instance-name routing-options rib routing-table-name static route destination-prefix], [edit routing-instances routing-instance-name routing-options rib routing-table-name static route destination-prefix qualified-next-hop (interface-name | address)], [edit routing-instances routing-instance-name routing-options static route destination-prefix], [edit routing-instances routing-instance-name routing-options static route destination-prefix qualified-next-hop (interface-name | address)], [edit routing-options rib routing-table-name static route destination-prefix], [edit routing-options rib routing-table-name static route destination-prefix qualified-next-hop (interface-name | address)], [edit routing-options static route destination-prefix],



[edit routing-options static route destination-prefix qualified-next-hop (interface-name | address)]

Release Information

Description

Statement introduced before Junos OS Release 7.4. detection-time threshold and transmit-interval threshold options introduced in Junos OS Release 8.2. local-address statement introduced in Junos OS Release 8.2. minimum-receive-ttl statement introduced in Junos OS Release 8.2. Support for logical routers introduced in Junos OS Release 8.3. holddown-interval statement introduced in Junos OS Release 8.5. no-adaptation statement introduced in Junos OS Release 9.0. Support for IPv6 static routes introduced in Junos OS Release 9.1. authentication algorithm, authentication key-chain, and authentication loose-check statements introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure bidirectional failure detection timers and authentication criteria for static routes.


2659

®


Options





BFD session detection time. When the detection time adapts to a value equal to or greater than the threshold, a single trap and a single system log message are sent. holddown-interval milliseconds—Configure an interval specifying how long a BFD session

must remain up before a state change notification is sent. If the BFD session goes down and then comes back up during the hold-down interval, the timer is restarted. Range: 0 through 255,000 Default: 0 local-address ip-address—Enable a multihop BFD session and configure the source address

for the BFD session. minimum-interval milliseconds—Configure the minimum interval after which the local

routing device transmits a hello packet and then expects to receive a reply from the neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum transmit and receive intervals separately using the transmit-interval minimum-interval and minimum-receive-interval statements. Range: 1 through 255,000 minimum-receive-interval milliseconds—Configure the minimum interval after which the

routing device expects to receive a reply from a neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum receive interval using the minimum-interval statement at the [edit routing-options static route destination-prefix bfd-liveness-detection] hierarchy level. Range: 1 through 255,000 minimum-receive-ttl number—Configure the time to live (TTL) for the multihop BFD

session. Range: 1 through 255 Default: 255 multiplier number—Configure number of hello packets not received by the neighbor that

causes the originating interface to be declared down. Range: 1 through 255 Default: 3

2660



neighbor address—Configure a next-hop address for the BFD session for a next hop

specified as an interface name. no-adaptation—Specify for BFD sessions not to adapt to changing network conditions.


the BFD session transmit interval. When the transmit interval adapts to a value greater than the threshold, a single trap and a single system message are sent. The interval threshold must be greater than the minimum transmit interval. Range: 0 through 4,294,967,295 transmit-interval minimum-interval milliseconds—Configure the minimum interval at which

the routing device transmits hello packets to a neighbor with which it has established a BFD session. Optionally, instead of using this statement, you can configure the minimum transmit interval using the minimum-interval statement at the [edit routing-options static route destination-prefix bfd-liveness-detection] hierarchy level. Range: 1 through 255,000 version—Configure the BFD version to detect: 1 (BFD version 1) or automatic (autodetect

the BFD version). Default: automatic Required Privilege Level Related Documentation


Example: Configuring BFD for Static Routes

•



2661

®


bgp Syntax Hierarchy Level

Release Information


2662

bgp { ... } [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable BGP on the routing device or for a routing instance. BGP is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Enabling BGP



bgp-orf-cisco-mode Syntax

bgp-orf-cisco-mode;

Hierarchy Level

[edit logical-systems logical-system-name protocols bgp outbound-route-filter], [edit logical-systems logical-system-name protocols bgp group group-name outbound-route-filter], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address outbound-route-filter], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp outbound-route-filter], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name outbound-route-filter, [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address outbound-route-filter], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options outbound-route-filter], [edit logical-systems logical-system-name routing-options outbound-route-filter], [edit protocols bgp outbound-route-filter], [edit protocols bgp group group-name outbound-route-filter], [edit protocols bgp group group-name neighbor address outbound-route-filter], [edit routing-instances routing-instance-name protocols bgp outbound-route-filter], [edit routing-instances routing-instance-name protocols bgp group group-name outbound-route-filter], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address outbound-route-filter], [edit routing-instances routing-instance-name routing-options outbound-route-filter], [edit routing-options outbound-route-filter]

Release Information

Statement introduced in Junos OS Release 9.2. Statement introduced in Junos OS Release 9.2 for EX Series switches. Support for the BGP group and neighbor hierarchy levels introduced in Junos OS Release 9.2. Support for the BGP group and neighbor hierarchy levels introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series.

Description

Enable interoperability with routing devices that use the vendor-specific outbound route filter compatibility code of 130 and code type of 128.

NOTE: To enable interoperability for all BGP peers configured on the routing device, include the statement at the [edit routing-options outbound-route-filter] hierarchy level.

Default Required Privilege Level

Disabled routing—To view this statement in the configuration. routing-control—To add this statement to the configuration.


2663

®



•

Example: Configuring BGP Prefix-Based Outbound Route Filtering

bmp Syntax


bmp { memory limit bytes; station-address (ip-address | name); station-port port-number; statistics-timeout seconds; } [edit routing-options]


Description

Configure the BGP Monitoring Protocol (BMP), which enables the routing device to collect data from the BGP Adjacency-RIB-In routing tables and periodically send that data to a monitoring station.

Options

memory-limit bytes—(Optional) Specify a threshold at which to stop collecting BMP data

if the limit is exceeded. Default: 10 MB Range: 1,048,576 through 52,428,800 station-address (ip-address | name)—Specify the IP address or a valid URL for the

monitoring where BMP data should be sent. station-port port-number—Specify the port number of the monitoring station to use when

sending BMP data. statistics-timeout seconds—(Optional) Specify how often to send BMP data to the

monitoring station. Required Privilege Level Related Documentation

2664


Example: Configuring the BGP Monitoring Protocol



brief Syntax Hierarchy Level

Release Information

Description

(brief | full); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit routing-options (aggregate | generate) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure all AS numbers from all contributing paths to be included in the aggregate or generated route’s path. •

brief—Include only the longest common leading sequences from the contributing AS

paths. If this results in AS numbers being omitted from the aggregate route, the BGP ATOMIC_ATTRIBUTE path attribute is included with the aggregate route. •

full—Include all AS numbers from all contributing paths in the aggregate or generated

route’s path. Include this option when configuring an individual route in the route portion of the generate statement to override a retain option specified in the defaults portion of the statement. Default Required Privilege Level Related Documentation

full



•


•

aggregate on page 2620

•

generate on page 2703


2665

®


centralized Syntax Hierarchy Level Release Information

Description

centralized; [edit protocols lacp ppm]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable distributed periodic packet management (PPM) processing for Link Aggregation Control Protocol (LACP) packets and run all PPM processing for LACP packets on the Routing Engine. This statement disables distributed PPM processing for only LACP packets. You can disable distributed PPM processing for all packets that use PPM and run all PPM processing on the Routing Engine by configuring the no-delegate-processing statement in the [edit routing-options ppm] hierarchy.

BEST PRACTICE: We generally recommend that you disable distributed PPM only if Juniper Networks Customer Service advises you to do so. You should disable distributed PPM only if you have a compelling reason to disable it.


2666

Distributed PPM processing is enabled for all packets that use PPM. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•

Configuring Distributed Periodic Packet Management

•

Configuring Link Aggregation



check-zero Syntax Hierarchy Level

Release Information

Description

(check-zero | no-check-zero); [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Check whether the reserved fields in a RIP packet are zero: •

check-zero—Discard version 1 packets that have nonzero values in the reserved fields

and version 2 packets that have nonzero values in the fields that must be zero. This default behavior implements the RIP version 1 and version 2 specifications. •

no-check-zero—Receive RIP version 1 packets with nonzero values in the reserved fields

or RIP version 2 packets with nonzero values in the fields that must be zero. This is in spite of the fact that they are being sent in violation of the specifications in RFC 1058 and RFC 2453. Default Required Privilege Level Related Documentation

check-zero


Accepting RIP Packets with Nonzero Values in Reserved Fields


2667

®


checksum Syntax Hierarchy Level

Release Information

Description


2668

checksum; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable checksums for packets on this interface. The checksum cannot be enabled with MD5 hello authentication on the same interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OBSOLETE - Enabling Packet Checksums on IS-IS Interfaces



cluster Syntax Hierarchy Level

Release Information

Description

cluster cluster-identifier; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the cluster identifier to be used by the route reflector cluster in an internal BGP group.

CAUTION: If you configure both route reflection and VPNs on the same routing device, the following modifications to the route reflection configuration cause current BGP sessions to be reset: •

Adding a cluster ID—If a BGP session shares the same AS number with the group where you add the cluster ID, all BGP sessions are reset regardless of whether the BGP sessions are contained in the same group.

•

Creating a new route reflector—If you have an IBGP group with an AS number and create a new route reflector group with the same AS number, all BGP sessions in the IBGP group and the new route reflector group are reset.

NOTE: If you change the address family specified in the [edit protocols bgp family] hierarchy level, all current BGP sessions on the routing device are dropped and then reestablished.


2669

®



2670

cluster-identifier—IPv6 or IPv4 address to use as the cluster identifier.


Example: Configuring BGP Route Reflectors

•

OBSOLETE - Configuring BGP Route Reflection

•

Understanding External BGP Peering Sessions

•

no-client-reflect on page 2802



community Syntax Hierarchy Level

Release Information


community ([ community-ids ] | no-advertise | no-export | no-export-subconfed | none); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-options (aggregate | generate | static) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Associate BGP community information with a static, aggregate, or generated route. No BGP community information is associated with static routes. community-ids—One or more community identifiers. The community-ids format varies

according to the type of attribute that you use. The BGP community attribute format is as-number:community-value: •

as-number—AS number of the community member. It can be a value from 1

through 65,535. The AS number can be a decimal or hexadecimal value. •

community-value—Identifier of the community member. It can be a number from 0

through 65,535. For more information about BGP community attributes, see the “Configuring the Extended Communities Attribute” section in the Junos OS Policy Framework Configuration Guide. For specifying the BGP community attribute only, you also can specify community-ids as one of the following well-known community names defined in RFC 1997: •

no-advertise—Routes containing this community name are not advertised to other

BGP peers. •

no-export—Routes containing this community name are not advertised outside a BGP

confederation boundary. •

no-export-subconfed—Routes containing this community name are not advertised to

external BGP peers, including peers in other members’ ASs inside a BGP confederation.


2671

®


NOTE: Extended community attributes are not supported at the [edit routing-options] hierarchy level. You must configure extended communities at the [edit policy-options] hierarchy level. For information about configuring extended communities, see the Junos OS Policy Framework Configuration Guide.


2672



•


•


•


•


•

static on page 2893



confederation Syntax Hierarchy Level

Release Information

Description

confederation confederation-autonomous-system members [ autonomous-systems ]; [edit logical-systems logical-system-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the routing device’s confederation AS number. If you administer multiple ASs that contain a very large number of BGP systems, you can group them into one or more confederations. Each confederation is identified by its own AS number, which is called a confederation AS number. To external ASs, a confederation appears to be a single AS. Thus, the internal topology of the ASs making up the confederation is hidden. The BGP path attributes NEXT_HOP, LOCAL_PREF, and MULTI_EXIT_DISC, which normally are restricted to a single AS, are allowed to be propagated throughout the ASs that are members of the same confederation. Because each confederation is treated as if it were a single AS, you can apply the same routing policy to all the ASs that make up the confederation. Grouping ASs into confederations reduces the number of BGP connections required to interconnect ASs. If you are using BGP, you can enable the local routing device to participate as a member of an AS confederation. To do this, include the confederation statement. Specify the AS confederation identifier, along with the peer AS numbers that are members of the confederation. Note that peer adjacencies do not form if two BGP neighbors disagree about whether an adjacency falls within a particular confederation.

Options

autonomous-systems—AS numbers of the confederation members.

Range: 1 through 65,535 confederation-autonomous-system—Confederation AS number. Use one of the numbers

assigned to you by the NIC. Range: 1 through 65,535 Required Privilege Level Related Documentation


Example: Configuring BGP Confederations


2673

®


csnp-interval Syntax Hierarchy Level

Release Information

Description

Options

csnp-interval (seconds | disable); [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the interval between complete sequence number (CSN) packets on a LAN interface. disable—Do not send CSN packets on this interface. seconds—Number of seconds between the sending of CSN packets.

Range: 1 through 65,535 seconds Default: 10 seconds Required Privilege Level Related Documentation

2674


Configuring the Transmission Frequency for CSNP Packets on IS-IS Interfaces



damping Syntax Hierarchy Level

Release Information

Description


damping; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable route flap damping. BGP route flapping describes the situation in which BGP systems send an excessive number of update messages to advertise network reachability information. Flap damping reduces the number of update messages sent between BGP peers, thereby reducing the load on these peers, without adversely affecting the route convergence time for stable routes. Flap damping is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Examples: Configuring BGP Flap Damping

•

Configuring Flap Damping for BGP Routes

•

Understanding Damping Parameters


2675

®


dead-interval Syntax Hierarchy Level

Release Information

Description

Options

dead-interval seconds; [edit logical-systems logical-system-name protocols ospf area area-id peer-interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols ospf area area-id peer-interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id virtual-link], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id virtual-link], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify how long OSPF waits before declaring that a neighboring routing device is unavailable. This is an interval during which the routing device receives no hello packets from the neighbor. seconds—Interval to wait.

Range: 1 through 65,535 seconds Default: Four times the hello interval—40 seconds (broadcast and point-to-point networks); 120 seconds (nonbroadcast multiple access (NBMA) networks) Required Privilege Level Related Documentation

2676


Example: Configuring OSPF Timers

•

hello-interval on page 2720



default-lsa Syntax

Hierarchy Level

Release Information

Description

default-lsa { default-metric metric; metric-type type; type-7; } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id nssa], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa], [edit protocols (ospf | ospf3) area area-id nssa], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. On area border routers only, for a not-so-stubby area (NSSA), inject a default link-state advertisement (LSA) with a specified metric value into the area. The default route matches any destination that is not explicitly reachable from within the area. The remaining statements are explained separately.




•

nssa on page 2814

•

stub on page 2899

•

Configuring OSPF Areas


2677

®


default-metric Syntax Hierarchy Level

Release Information

Description

Options

default-metric metric; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id stub], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id stub], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id stub], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id stub], [edit protocols (ospf | ospf3) area area-id nssa default-lsa], [edit protocols (ospf | ospf3) area area-id stub], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id stub], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id stub], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id stub]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. On area border routers only, for a stub area, inject a default route with a specified metric value into the area. The default route matches any destination that is not explicitly reachable from within the area. metric—Metric value.


2678



•

nssa on page 2814



•

stub on page 2899


Release Information

Description


description text-description; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Provide a description of the global, group, or neighbor configuration. If the text includes one or more spaces, enclose it in quotation marks (“ “ ). The test is displayed in the output of the show command and has no effect on the configuration. text-description—Text description of the configuration. It is limited to 255 characters.



•

Configuring a Text Description for BGP Groups or Peers

•

Enabling BGP


2679

®


disable (BGP) Syntax Hierarchy Level

Release Information


2680

disable; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit protocols bgp], [edit routing-instances routing-instance-name protocols bgp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable BGP on the system. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Enabling BGP



disable (IS-IS) Syntax Hierarchy Level

Release Information

Description

disable; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name protocols isis traffic-engineering], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis traffic-engineering], [edit protocols isis], [edit protocols isis interface interface-name], [edit protocols isis interface interface-name level level-number], [edit protocols isis traffic-engineering], [edit routing-instances routing-instance-name protocols isis], [edit routing-instances routing-instance-name protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis traffic-engineering]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Disable IS-IS on the routing device, on an interface, or on a level. At the [edit protocols isis traffic-engineering] hierarchy level, disable IS-IS support for traffic engineering. Enabling IS-IS on an interface (by including the interface statement at the [edit protocols isis] or the [edit routing-instances routing-instance-name protocols isis] hierarchy level), disabling it (by including the disable statement), and not actually having IS-IS run on an interface (by including the passive statement) are mutually exclusive states.

Default

IS-IS is enabled for Level 1 and Level 2 routers on all interfaces on which an International Organization for Standardization (ISO) protocol family is enabled. IS-IS support for traffic engineering is enabled.



IS-IS Overview

•

Configuring IS-IS Traffic Engineering Attributes

•

Disabling IS-IS


2681

®


disable (OSPF) Syntax Hierarchy Level

Release Information

Description Default Required Privilege Level

2682

disable; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) virtual-link], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) virtual-link], [edit logical-systems logical-system-name routing-instances routing-instances protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols (ospf | ospf3)], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols (ospf | ospf3) virtual-link], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) virtual-link], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable OSPF, an OSPF interface, or an OSPF virtual link. The configured object is enabled (operational) unless explicitly disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration.




•

OSPF Configuration Overview

disable Syntax Hierarchy Level

Release Information


disable; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options graceful-restart], [edit logical-systems logical-system-name routing-options graceful-restart], [edit routing-instances routing-instance-name routing-options graceful-restart], [edit routing-options graceful-restart]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable graceful restart. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Junos OS High Availability Configuration Guide


2683

®


discard Syntax Hierarchy Level

Release Information

Description

discard; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit routing-options (aggregate | generate) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Do not forward packets addressed to this destination. Instead, drop the packets, do not send ICMP unreachable messages to the packets’ originators, and install a reject route for this destination into the routing table. To propagate static routes into the routing protocols, include the discard statement when you define the route, along with a routing policy.

NOTE: In other vendors’ software, a common way to propagate static routes into routing protocols is to configure the routes so that the next-hop routing device is the loopback address (commonly, 127.0.0.1). However, configuring static routes in this way (by including a statement such as route address/mask-length next-hop 127.0.0.1) does not propagate the static routes, because the forwarding table ignores static routes whose next-hop routing device is the loopback address.

Default


2684

When an aggregate route becomes active, it is installed in the routing table with a reject next hop, which means that ICMP unreachable messages are sent. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•




•


domain-id Syntax Hierarchy Level

Release Information

Description

Options

domain-id domain-id; [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify a domain ID for a route. The domain ID identifies the OSPF domain from which the route originated. domain-id—You can specify either an IP address or an IP address and a local identifier

using the following format: ip-address:local-identifier. If you do not specify a local identifier with the IP address, the identifier is assumed to have a value of 0. Default: If the router ID is not configured in the routing instance, the router ID is derived from an interface address belonging to the routing instance. Required Privilege Level Related Documentation


OBSOLETE - Configuring OSPF Domain IDs for VPNs

domain-vpn-tag Syntax Hierarchy Level

Release Information

Description


domain-vpn-tag number; [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set a virtual private network (VPN) tag for OSPFv2 external routes generated by the provider edge (PE) router. number—VPN tag.




2685

®


explicit-null Syntax Hierarchy Level

Release Information

Description

2686

explicit-null; [edit logical-systems logical-system-name protocols mpls], [edit logical-systems logical-system-name protocols bgp family inet labeled-unicast], [edit logical-systems logical-system-name protocols bgp family inet6 labeled-unicast], [edit logical-systems logical-system-name protocols bgp group group-name family inet labeled-unicast], [edit logical-systems logical-system-name protocols bgp group group-name family inet6 labeled-unicast], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address family inet labeled-unicast], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address family inet6 labeled-unicast], [edit logical-systems logical-system-name protocols ldp], [edit logical-systems logical-system-name routing-instances instance-name protocols bgp family inet labeled-unicast], [edit logical-systems logical-system-name routing-instances instance-name protocols bgp family inet6 labeled-unicast], [edit logical-systems logical-system-name routing-instances instance-name protocols bgp group group-name family inet labeled-unicast], [edit logical-systems logical-system-name routing-instances instance-name protocols bgp group group-name family inet6 labeled-unicast], [edit logical-systems logical-system-name routing-instances instance-name protocols bgp group group-name neighbor address family inet labeled-unicast], [edit logical-systems logical-system-name routing-instances instance-name protocols bgp group group-name neighbor address family inet6 labeled-unicast], [edit logical-systems logical-system-name routing-instances instance-name protocols ldp], [edit protocols mpls], [edit protocols bgp family inet labeled-unicast], [edit protocols bgp family inet6 labeled-unicast], [edit protocols bgp group group-name family inet labeled-unicast], [edit protocols bgp group group-name family inet6 labeled-unicast], [edit protocols bgp group group-name neighbor address family inet labeled-unicast] [edit protocols bgp group group-name neighbor address family inet6 labeled-unicast], [edit protocols ldp], [edit routing-instances instance-name protocols bgp family inet labeled-unicast], [edit routing-instances instance-name protocols bgp family inet6 labeled-unicast], [edit routing-instances instance-name protocols bgp group group-name family inet labeled-unicast], [edit routing-instances instance-name protocols bgp group group-name family inet6 labeled-unicast], [edit routing-instances instance-name protocols bgp group group-name neighbor address family inet labeled-unicast], [edit routing-instances instance-name protocols bgp group group-name neighbor address family inet6 labeled-unicast], [edit routing-instances instance-name protocols ldp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Advertise label 0 to the egress routing device of an LSP.



Default


If you do not include the explicit-null statement in the configuration, label 3 (implicit null) is advertised. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Advertising Explicit Null Labels to BGP Peers

export Syntax Hierarchy Level

Release Information


export [ policy-names ]; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more policies to routes being exported from the routing table into BGP. policy-names—Name of one or more policies.



•


•

import on page 2728


2687

®



Release Information


2688

export [ policy-names ]; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Apply one or more policies to routes being exported from the routing table into IS-IS. policy-names—Name of one or more policies.


Applying Policies to Routes Exported to IS-IS

•





Release Information


export [ policy-names ]; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more policies to routes being exported from the routing table into OSPF. policy-names—Name of one or more policies.


Understanding OSPF Routing Policy

•

Import and Export Policies for Network Summaries Overview

•

import (Protocols OSPF) on page 2729

•



2689

®



Release Information


export [ policy-names ]; [edit logical-systems logical-system-name protocols rip group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name], [edit protocols rip group group-name], [edit routing-instances routing-instance-name protocols rip group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply a policy to routes being exported to the neighbors. policy-names—Name of one or more policies.


import on page 2730

•

Configuring Group-Specific RIP Properties

•



Release Information


2690

export [ policy-names ]; [edit logical-systems logical-system-name protocols ripng group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name], [edit protocols ripng group group-name], [edit routing-instances routing-instance-name protocols ripng group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Apply a policy or list of policies to routes being exported to the neighbors. policy-names—Name of one or more policies.


import on page 2731

•

OBSOLETE - Configuring Group-Specific RIPng Properties




Release Information

Description


export [ policy-name ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options forwarding-table], [edit logical-systems logical-system-name routing-options forwarding-table], [edit routing-instances routing-instance-name routing-options forwarding-table], [edit routing-options forwarding-table]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more policies to routes being exported from the routing table into the forwarding table. policy-name—Name of one or more policies.


Example: Load Balancing BGP Traffic

•



2691

®


export-rib Syntax Hierarchy Level

Release Information

Description


2692

export-rib routing-table-name; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib-groups group-name], [edit logical-systems logical-system-name routing-options rib-groups group-name], [edit routing-instances routing-instance-name routing-options rib-groups group-name], [edit routing-options rib-groups group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the name of the routing table from which Junos OS should export routing information. routing-table-name—Routing table group name.


Example: Exporting Specific Routes from One Routing Table Into Another Routing Table

•

import-rib on page 2734

•

passive



external-preference Syntax Hierarchy Level

Release Information

Description Options

external-preference preference; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the preference of external routes. preference—Preference value. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: 15 (for Level 1 internal routes), 18 (for Level 2 internal routes), 160 (for Level 1 external routes), 165 (for Level 2 external routes) Required Privilege Level Related Documentation


preference on page 2839

•

Configuring Preference Values for IS-IS Routes


2693

®


external-preference Syntax Hierarchy Level

Release Information

Description Options

external-preference preference; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ip4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast } ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Set the route preference for OSPF external routes. preference—Preference value. 32

Range: 0 through 4,294,967,295 (2

– 1)


2694


Example: Controlling OSPF Route Preferences

•




family Syntax

family { (inet | inet6 | inet-vpn | inet6-vpn | iso-vpn) { (any | flow | labeled-unicast | multicast | unicast) { accepted-prefix-limit { maximum number; teardown idle-timeout (forever | minutes); } add-path { send { path-count number; prefix-policy [ policy-names ]; } receive; } loops number; prefix-limit { maximum number; teardown ; } rib-group group-name; flow { no-validate policy-name; } labeled-unicast { accepted-prefix-limit { maximum number; teardown ; } aggregate-label { community community-name: } explicit-null { connected-only; } prefix-limit { maximum number; teardown ; } resolve-vpn; rib inet.3; rib-group group-name; traffic-statistics { file filename ; interval seconds; } } } route-target { accepted-prefix-limit { maximum number; teardown ; }


2695

®


advertise-default; external-paths number; prefix-limit { maximum number; teardown ; } } (inet-mdt | inet-mvpn | inet6-mvpn | l2vpn) { signaling { accepted-prefix-limit { maximum number; teardown idle-timeout (forever | minutes); } add-path { send { path-count number; prefix-policy [ policy-names ]; } receive; } aigp [disable]; loops number; prefix-limit { maximum number; teardown ; } rib-group group-name; } } }

Hierarchy Level

2696

[edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]



Release Information

Description

Options

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. inet-mvpn and inet6-mpvn statements introduced in Junos OS Release 8.4. inet-mdt statement introduced in Junos OS Release 9.4. Support for the loops statement introduced in Junos OS Release 9.6. Enable multiprotocol BGP (MP-BGP) by configuring BGP to carry network layer reachability information (NLRI) for address families other than unicast IPv4, to specify MP-BGP to carry NLRI for the IPv6 address family, or to carry NLRI for VPNs. any—Configure the family type to be both unicast and multicast. inet—Configure NLRI parameters for IPv4. inet6—Configure NLRI parameters for IPv6. inet-mdt—Configure NLRI parameters for the multicast distribution tree (MDT) subaddress

family identifier (SAFI) for IPv4 traffic in Layer 3 VPNs. inet-mvpn—Configure NLRI parameters for IPv4 for multicast VPNs. inet6-mvpn—Configure NLRI parameters for IPv6 for multicast VPNs. inet-vpn—Configure NLRI parameters for IPv4 for Layer 3 VPNs. inet6-vpn—Configure NLRI parameters for IPv6 for Layer 3 VPNs. iso-vpn—Configure NLRI parameters for IS-IS for Layer 3 VPNs. l2vpn—Configure NLRI parameters for IPv4 for MPLS-based Layer 2 VPNs and VPLS. labeled-unicast—Configure the family type to be labeled-unicast. This means that the

BGP peers are being used only to carry the unicast routes that are being used by labeled-unicast for resolving the labeled-unicast routes. This statement is supported only with inet and inet6. multicast—Configure the family type to be multicast. This means that the BGP peers are

being used only to carry the unicast routes that are being used by multicast for resolving the multicast routes. unicast—Configure the family type to be unicast. This means that the BGP peers only

carry the unicast routes that are being used for unicast forwarding purposes. The default family type is unicast. The remaining statements are explained separately. Required Privilege Level



2697

®



•

autonomous-system on page 2639

•

local-as on page 2762

•

Understanding Multiprotocol BGP

fate-sharing Syntax

Hierarchy Level

Release Information

Description

Options

fate-sharing { group group-name { cost value; from address ; } } [edit logical-systems logical-system-name routing-options], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit routing-options], [edit routing-instances routing-instance-name routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify groups of objects that share characteristics resulting in backup paths to be used if primary paths fail. All objects are treated as /32 host addresses. You specify one or more objects within a group. The objects can be LAN interfaces, router IDs, or point-to-point links. The sequence is insignificant. cost value—Cost assigned to the group.

Range: 1 through 65,535 Default: 1 from address—Address of the router or address of the LAN/NBMA interface. For example,

an Ethernet network with four hosts in the same fate-sharing group would require you to list all four of the separate from addresses in the group. group group-name—Each fate-sharing group must have a name, which can have a

maximum of 32 characters, including letters, numbers, periods (.), and hyphens (-). You can define up to 512 groups. to address—(Optional) Address of egress router. For point-to-point link objects, you must

specify both a from and a to address. Required Privilege Level Related Documentation

2698


Configuring the Ingress Router for MPLS-Signaled LSPs



flow Syntax



flow { route name { match { match-conditions; } term-order (legacy | standard); then { actions; } } validation { traceoptions { file filename ; flag flag ; } } } [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. term-order statement introduced in Junos OS Release 10.0 Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a flow route. legacy actions—An action to take if conditions match. match-conditions—Match packets to these conditions. route name—Name of the flow route. standard—Specify to use version 7 or later of the flow-specification algorithm. term-order (legacy | standard)—Specify the version of the flow-specification algorithm. •

legacy—Use version 6 of the flow-specification algorithm.

•

standard—Use version 7 of the flow-specification algorithm.

then—Actions to take on matching packets.




2699

®



•

Example: Configuring Flow Routes

flow-map Syntax

Hierarchy Level

Release Information

Description Options

flow-map flow-map-name { bandwidth (bps | adaptive); forwarding-cache { timeout (never non-discard-entry-only | minutes); } policy [ policy-names ]; redundant-sources [ addresses ]; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure multicast flow maps. flow-map-name—Name of the flow-map.


2700





forwarding-cache (Flow Maps) Syntax

Hierarchy Level

forwarding-cache { timeout (minutes | never non-discard-entry-only ); } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit logical-systems logical-system-name routing-options multicast flow-map flow-map-name], [edit routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit routing-options multicast flow-map flow-map-name]

Release Information

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 11.3 for the QFX Series.

Description

Configure multicast forwarding cache properties for the flow map.



forwarding-cache (Multicast) Syntax

Hierarchy Level

Release Information

Description

forwarding-cache { threshold suppress value ; timeout minutes; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure multicast forwarding cache properties. These properties include threshold suppression and reuse limits and timeout values. The remaining statements are explained separately.



Example: Configuring the Multicast Forwarding Cache


2701

®


forwarding-table Syntax

Hierarchy Level

Release Information

Description

forwarding-table { export [ policy-name ]; (indirect-next-hop | no-indirect-next-hop); unicast-reverse-path (active-paths | feasible-paths); } [edit logical-systems logical-system-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure information about the routing device’s forwarding table. The remaining statements are explained separately.


2702





generate Syntax

Hierarchy Level

Release Information

Description Options

generate { defaults { generate-options; } route destination-prefix { policy policy-name; generate-options; } } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name], [edit routing-options], [edit routing-options rib routing-table-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure generated routes, which are used as routes of last resort. defaults—(Optional) Specify global generated route options. These options only set

default attributes inherited by all newly created generated routes. These are treated as global defaults and apply to all the generated routes you configure in the generate statement. generate-options—Additional information about generated routes, which is included with

the route when it is installed in the routing table. Specify zero or more of the following options in generate-options. Each option is explained separately. •

(active | passive);

•

as-path ;

•

(brief | full);

•


•

discard;

•


•


•

tag string;

route destination-prefix—Configure a non-default generated route: •

default—For the default route to the destination. This is equivalent to specifying an IP

address of 0.0.0.0/0.


2703

®


•

destination-prefix/prefix-length—/destination-prefix is the network portion of the IP

address, and prefix-length is the destination prefix length. The policy statement is explained separately. Required Privilege Level Related Documentation

2704





graceful-restart Syntax

Hierarchy Level

Release Information

Description

graceful-restart { disable; restart-time seconds; stale-routes-time seconds; } [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable graceful restart for BGP. Graceful restart allows a routing device undergoing a restart to inform its adjacent neighbors and peers of its condition. Graceful restart is disabled by default. To configure the duration of the BGP graceful restart period, include the restart-time statement at the [edit protocols bgp graceful-restart] hierarchy level. To set the length of time the router waits to receive messages from restarting neighbors before declaring them down, include the stale-routes-time statement at the [edit protocols bgp graceful-restart] hierarchy level.

NOTE: If you configure graceful restart after a BGP session has been established, the BGP session restarts and the peers negotiate graceful restart capabilities.



Configuring Graceful Restart Options for BGP

•


•

disable

•

restart-time

•

stale-routes-time


2705

®



Hierarchy Level

Release Information

Description Options

graceful-restart { disable; helper-disable; restart-duration seconds; } [edit logical-systems logical-system-name protocols isis], [edit protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure graceful restart for IS-IS. disable—Disable graceful restart. helper-disable—Disable graceful restart helper capability. Helper mode is enabled by

default. restart-duration seconds—Configure the time period for the restart to last, in seconds.


2706






graceful-restart { disable; helper-disable (standard | restart-signaling | both); no-strict-lsa-checking; notify-duration seconds; restart-duration seconds; }

Hierarchy Level

[edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf]

Release Information

Statement introduced before Junos OS Release 7.4. Support for the no-strict-lsa-checking statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the helper mode standard, restart-signaling, and both options introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 12.1 for the QFX Series.

Description Options

Configure graceful restart for OSPF. disable—Disable graceful restart for OSPF. helper-disable (standard | restart-signaling| both)—Disable helper mode for graceful

restart. When helper mode is disabled, a device cannot help a neighboring device that is attempting to restart. Beginning with Junos OS Release 11.4, you can configure restart signaling-based helper mode for OSPFv2 graceful restart configurations. The standard, restart-signaling, and both options are only supported for OSPFv2. Specify standard to disable helper mode for standard graceful restart (based on RFC 3623). Specify restart-signaling to disable helper mode for restart signaling-based graceful restart (based on RFC 4811, RFC 4812, and RFC 4813). Specify both to disable helper mode for both standard and restart signaling-based graceful restart. The last committed statement takes precedence over the previously configured statement. Default: Helper mode is enabled by default. For OSPFv2, both standard and restart-signaling based helper modes are enabled by default. no-strict-lsa-checking—Disable strict OSPF link-state advertisement (LSA) checking to

prevent the termination of graceful restart by a helping router. LSA checking is enabled by default.

NOTE: The helper-disable statement and the no-strict-lsa-checking statement cannot be configured at the same time. If you attempt to configure both statements at the same time, the routing device displays a warning message when you enter the show protocols (ospf | ospf3) command.


2707

®


notify-duration seconds—Estimated time needed to send out purged grace LSAs over all

the interfaces. Range: 1 through 3600 seconds Default: 30 seconds restart-duration seconds—Estimated time needed to reacquire a full OSPF neighbor from

each area. Range: 1 through 3600 seconds Default: 180 seconds Required Privilege Level Related Documentation


Example: Configuring Graceful Restart for OSPF

•

Example: Configuring the Helper Capability Mode for OSPFv2 Graceful Restart

•

Example: Configuring the Helper Capability Mode for OSPFv3 Graceful Restart

•

Example: Disabling Strict LSA Checking for OSPF Graceful Restart

•



Hierarchy Level

Release Information

Description Options

graceful-restart { disable; restart-time seconds; } [edit logical-systems logical-system-name protocols rip], [edit protocols rip]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure graceful restart for RIP. disable—Disables graceful restart for RIP. seconds—Estimated time for the restart to finish, in seconds.

Range: 1 through 600 seconds Default: 60 seconds The remaining statements are explained separately. Required Privilege Level Related Documentation

2708






Hierarchy Level

Release Information

Description Options

graceful-restart { disable; restart-time seconds; } [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit protocols ripng], [edit routing-instances routing-instance-name protocols ripng]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Configure graceful restart for RIPng. disable—Disables graceful restart for RIPng. seconds—Estimated time period for the restart to finish.





2709

®



Hierarchy Level

Release Information

Description

graceful-restart { disable; restart-duration seconds; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure graceful restart. The remaining statements are explained separately.


2710





group Syntax

group group-name { advertise-inactive; allow [ network/mask-length ]; authentication-key key; cluster cluster-identifier; damping; description text-description; export [ policy-names ]; family { (inet | inet6 | inet-vpn | inet6-vpn | l2-vpn) { (any | multicast | unicast | signaling) { accepted-prefix-limit { maximum number; teardown ; } add-path { send { path-count number; prefix-policy [ policy-names ]; } receive; } prefix-limit { maximum number; teardown ; } rib-group group-name; } flow { no-validate policy-name; } labeled-unicast { accepted-prefix-limit { maximum number; teardown ; } explicit-null { connected-only; } prefix-limit { maximum number; teardown ; } resolve-vpn; rib inet.3; rib-group group-name; } } route-target { accepted-prefix-limit { maximum number; teardown ;


2711

®


} advertise-default; external-paths number; prefix-limit { maximum number; teardown ; } } } hold-time seconds; import [ policy-names ]; ipsec-sa ipsec-sa; keep (all | none); local-address address; local-as autonomous-system ; local-preference local-preference; log-updown; metric-out metric; multihop ; multipath { multiple-as; } no-aggregator-id; no-client-reflect; out-delay seconds; passive; peer-as autonomous-system; preference preference; remove-private; tcp-mss segment-size; traceoptions { file filename ; flag flag ; } type type; neighbor address { ... peer-specific-options ... } }

Hierarchy Level

Release Information

2712

[edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit protocols bgp], [edit routing-instances routing-instance-name protocols bgp]




Description

Define a BGP peer group. BGP peer groups share a common type, peer autonomous system (AS) number, and cluster ID, if present. To configure multiple BGP groups, include multiple group statements. By default, the group’s options are identical to the global BGP options. To override the global options, include group-specific options within the group statement. The group statement is one of the statements you must include in the configuration to run BGP on the routing device. Each group must contain at least one peer.

Options

group-name—Name of the BGP group.





2713

®


group Syntax

2714

group group-name { bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; transmit-interval { threshold milliseconds; minimum-interval milliseconds; } multiplier number; version (0 | 1 | automatic); } demand-circuit; export policy; max-retrans-time seconds; metric-out metric; preference number; route-timeout seconds; update-interval seconds; neighbor neighbor-name { authentication-key password; authentication-type type; bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; transmit-interval { threshold milliseconds; minimum-interval milliseconds; } multiplier number; version (0 | 1 | automatic); } (check-zero | no-check-zero); demand-circuit; import policy-name; max-retrans-time seconds; message-size number;



metric-in metric; metric-out metric; receive receive-options; route-timeout seconds; send send-options; update-interval seconds; } }

Hierarchy Level

Release Information

Description

Options

[edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit protocols rip], [edit routing-instances routing-instance-name protocols rip]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure a set of RIP neighbors that share an export policy and metric. The export policy and metric govern what routes to advertise to neighbors in a given group. group-name—Name of a group, up to 16 characters long.





2715

®


group Syntax

Hierarchy Level

Release Information

Description

Options

group group-name { export [ policy-names ]; metric-out metric; neighbor neighbor-name { import policy-name; metric-in metric; receive ; route-timeout seconds; send ; update-interval seconds; } preference number; route-timeout seconds; update-interval seconds; } [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit protocols ripng], [edit routing-instances routing-instance-name protocols ripng]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Configure a set of RIPng neighbors that share an export policy and metric. The export policy and metric govern what routes to advertise to neighbors in a given group. group-name—Name of a group, up to 16 characters long.


2716





hello-authentication-key Syntax Hierarchy Level

Release Information

Description

Default

Options

hello-authentication-key password; [edit logical-systems logical-system-name protocols isis interface interface-name level number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level number], [edit protocols isis interface interface-name level number], [edit routing-instances routing-instance-name protocols isis interface interface-name level number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure an authentication key (password) for hello packets. Neighboring routing devices use the password to verify the authenticity of packets sent from an interface. For the key to work, you also must include the hello-authentication-type statement. By default, hello authentication is not configured on an interface. However, if IS-IS authentication is configured, the hello packets are authenticated using the IS-IS authentication type and password. password—Authentication password. The password can be up to 255 characters.

Characters can include any ASCII strings. If you include spaces, enclose all characters in quotation marks (“ ”). Required Privilege Level Related Documentation



•

authentication-type on page 2637

•

hello-authentication-type on page 2718

•

Configuring Levels on IS-IS Interfaces


2717

®


hello-authentication-type Syntax Hierarchy Level

Release Information

Description

Default

Options

hello-authentication-type (md5 | simple); [edit logical-systems logical-system-name protocols isis interface interface-name level number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level number], [edit protocols isis interface interface-name level number], [edit routing-instances routing-instance-name protocols isis interface interface-name level number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable authentication on an interface for hello packets. If you enable authentication on hello packets, you must specify a password by including the hello-authentication-key statement. By default, hello authentication is not configured on an interface. However, if IS-IS authentication is configured, the hello packets are authenticated using the IS-IS authentication type and password. md5—Specifies Message Digest 5 as the packet verification type. simple—Specifies simple authentication as the packet verification type.


2718



•

authentication-type on page 2637

•

hello-authentication-key on page 2717

•




hello-interval Syntax Hierarchy Level

Release Information

Description

Options

hello-interval seconds; [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Frequency with which the routing device sends hello packets out of an interface, in seconds. seconds—Frequency of transmission for hello packets.

Range: 1 through 20,000 seconds Default: 3 seconds (for designated intermediate system [DIS] routers), 9 seconds (for non-DIS routers) Required Privilege Level Related Documentation


hold-time

•



2719

®



Release Information

Description

Options

hello-interval seconds; [edit logical-systems logical-system-name protocols ospf area area-id peer-interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols ospf area area-id peer-interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id virtual-link], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id virtual-link], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify how often the routing device sends hello packets out the interface. The hello interval must be the same for all routing devices on a shared logical IP network. seconds—Time between hello packets, in seconds.

Range: 1 through 255 seconds Default: 10 seconds (broadcast and point-to-point networks); 30 seconds (nonbroadcast multiple access [NBMA] networks) Required Privilege Level Related Documentation

2720



•

dead-interval on page 2676



hello-padding Syntax Hierarchy Level

Release Information

Description

Options

hello-padding (adaptive | loose | strict); [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure padding on hello packets to accommodate asymmetrical maximum transfer units (MTUs) from different hosts. adaptive—Configure padding until the state of the neighbor adjacency is up. loose—Configure padding until the state of the adjacency is initialized. strict—Configure padding for all adjacency states.



Enabling Padding of IS-IS Hello Packets


2721

®


holddown Syntax Hierarchy Level

Release Information

Description

holddown seconds; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit protocols rip], [edit routing-instances routing-instance-name protocols rip]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure how long the expired route is retained in the routing table before being removed. When the hold-down timer runs on RIP demand circuits, routes are advertised as unreachable on other interfaces. When the hold-down timer expires, the route is removed from the routing table if all destinations detect that the route is unreachable or the remaining destinations are down.

Options

seconds—Estimated time to wait before making updates to the routing table.


2722


Example: Configuring RIP Timers

•

RIP Demand Circuits Overview



holddown Syntax Hierarchy Level

Release Information

holddown seconds; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit protocols ripng], [edit routing-instances routing-instance-name protocols ripng]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0.

Description

Configure how long the expired route is retained in the routing table before being removed.

Options

seconds—Estimated time to wait before removing expired routes from the routing table.

Default: 180 seconds Range: 10 through 180 seconds Required Privilege Level Related Documentation


Example: Configuring RIPng Timers

hold-time Syntax Hierarchy Level



hold-time seconds; [edit interfaces interface-name unit logical-unit-number family inet6 address address vrrp-inet6-group group-id]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Configure the time in seconds after which a backup router with the highest priority preempts the master router. seconds—Hold-time period.




2723

®


hold-time (BGP) Syntax Hierarchy Level

Release Information

Description

hold-time seconds; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the hold-time value to use when negotiating a connection with the peer. The hold-time value is advertised in open packets and indicates to the peer the length of time that it should consider the sender valid. If the peer does not receive a keepalive, update, or notification message within the specified hold time, the BGP connection to the peer is closed and routing devices through that peer become unavailable. The hold time is three times the interval at which keepalive messages are sent. BGP on the local routing device uses the smaller of either the local hold-time value or the peer’s hold-time value received in the open message as the hold time for the BGP connection between the two peers.

Options

seconds—Hold time.

Range: 10 through 65,535 seconds Default: 90 seconds

TIP: When you set a hold-time value of less than 20 seconds, we recommend that you also configure the BGP precision-timers statement. The precision-timers statement ensures that if scheduler slip messages occur, the routing device continues to send keepalive messages. When the precision-timers statement is included, keepalive message generation is performed in a dedicated kernel thread, which helps to prevent BGP session flaps.

2724





BGP Messages Overview

•

precision-timers

hold-time (IS-IS) Syntax Hierarchy Level

Release Information

Description

Options

hold-time seconds; [edit logical-systems logical-system-name protocols isis interface interface-namelevel level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Set the length of time a neighbor considers this router to be operative (up) after receiving a hello packet. If the neighbor does not receive another hello packet within the specified time, it marks this routing device as inoperative (down). The hold time itself is advertised in the hello packets. seconds—Hold-time value, in seconds.

Range: 3 through 65,535 seconds, or 1 to send out hello packets every 333 milliseconds Default: 9 seconds (for designated intermediate system [DIS] routers), 27 seconds (for non-DIS routers; three times the default hello interval) Required Privilege Level Related Documentation


hello-interval on page 2719

•



2725

®


idle-after-switch-over Syntax Hierarchy Level

Release Information

Description

Options

idle-after-switch-over (forever | seconds); [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the routing device so that it does not automatically reestablish BGP peer sessions after a nonstop active routing (NSR) switchover. This feature is particularly useful if you are using dynamic routing policies because the dynamic database is not synchronized with the backup Routing Engine when NSR is enabled. forever—Do not reestablish a BGP peer session after an non-stop routing switchover until

the clear bgp neighbor command is issued. seconds—Do not reestablish a BGP peer session after an non-stop routing switchover

until after the specified period. 32

Range: 1 through 4,294,967,295 (2 Required Privilege Level Related Documentation

2726

– 1)


Preventing Automatic Reestablishment of BGP Peer Sessions After NSR Switchovers

•


•




ignore-attached-bit Syntax Hierarchy Level

Release Information

Description


ignore-attached-bit; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Ignore the attached bit on IS-IS Level 1 routers. Configuring this statement enables the routing device to ignore the attached bit on incoming Level 1 LSPs. If the attached bit is ignored, no default route, which points to the routing device which has set the attached bit, is installed. The ignore-attached-bit statement is disabled by default. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OBSOLETE - Configuring IS-IS

ignore-lsp-metrics Syntax Hierarchy Level

Release Information


ignore-lsp-metrics; [edit logical-systems logical-system-name protocols ospf traffic-engineering shortcuts], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf traffic-engineering shortcuts], [edit protocols ospf traffic-engineering shortcuts], [edit routing-instances routing-instance-name protocols ospf traffic-engineering shortcuts]

Statement introduced in Junos OS Release 7.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for (OSPFv3) introduced in Junos OS Release 9.4. Support for (OSPFv3) introduced in Junos OS Release 9.4 for EX Series switches. Ignore RSVP LSP metrics in OSPF traffic engineering shortcut calculations. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Enabling OSPF Traffic Engineering Support


2727

®


import Syntax Hierarchy Level

Release Information

Description


2728

import [ policy-names ]; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more routing policies to routes being imported into the Junos OS routing table from BGP. policy-names—Name of one or more policies.


Example: Configuring BGP Interactions with IGPs

•


•

OBSOLETE Understanding Routing Policies

•


•

export on page 2687




Release Information


import [ policy-names ]; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Filter OSPF routes from being added to the routing table. policy-names—Name of one or more policies.


Understanding OSPF Routing Policy

•


•

export (Protocols OSPF) on page 2689

•



2729

®



Release Information

Description


2730

import [ policy-names ]; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Apply one or more policies to routes being imported by the local routing device from neighbors. policy-names—Name of one or more policies.


export on page 2690

•

Example: Applying Policies to RIP Routes Imported from Neighbors

•





Release Information

Description


import [ policy-names ]; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name protocols ripng group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name], [edit protocols ripng], [edit protocols ripng group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols ripng], [edit routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Apply one or more policies to routes being imported into the local routing device from neighbors. policy-names—Name of one or more policies.


export on page 2690

•

Example: Applying Policies to RIPng Routes Imported from Neighbors


2731

®



Release Information


2732

import [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options resolution rib], [edit logical-systems logical-system-name routing-options resolution rib], [edit routing-instances routing-instance-name routing-options resolution rib], [edit routing-options resolution rib]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify one or more import policies to use for route resolution. policy-names—Name of one or more import policies.


Example: Configuring Route Resolution on PE Routers



import-policy Syntax Hierarchy Level

Release Information

Description

import-policy [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib-groups group-name], [edit logical-systems logical-system-name routing-options rib-groups group-name], [edit routing-instances routing-instance-name routing-options rib-groups group-name], [edit routing-options rib-groups group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more policies to routes imported into the routing table group. The import-policy statement complements the import-rib statement and cannot be used unless you first specify the routing tables to which routes are being imported.

NOTE: On EX Series switches, only dynamically learned routes can be imported from one routing table group to another.


policy-names—Name of one or more policies.



•

export-rib on page 2692

•

passive


2733

®


import-rib Syntax Hierarchy Level

Release Information

Description

import-rib [ routing-table-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib-groups group-name], [edit logical-systems logical-system-name routing-options rib-groups group-name], [edit routing-instances routing-instance-name routing-options rib-groups group-name], [edit routing-options rib-groups group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the name of the routing table into which Junos OS should import routing information. The first routing table name you enter is the primary routing table. Any additional names you enter identify secondary routing tables. When a protocol imports routes, it imports them into the primary and any secondary routing tables. If the primary route is deleted, the secondary route also is deleted. For IPv4 import routing tables, the primary routing table must be inet.0 or routing-instance-name.inet.0. For IPv6 import routing tables, the primary routing table must be inet6.0. In Junos OS Release 9.5 and later, you can configure an IPv4 import routing table that includes both IPv4 and IPv6 routing tables. Including both types of routing tables permits you, for example, to populate an IPv6 routing table with IPv6 addresses that are compatible with IPv4. In releases prior to Junos OS Release 9.5, you could configure an import routing table with only either IPv4 or IPv6 routing tables.



2734

routing-table-names—Name of one or more routing tables.



•

export-rib on page 2692

•

passive



include-mp-next-hop Syntax Hierarchy Level

Release Information


include-mp-next-hop; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable multiprotocol updates to contain next-hop reachability information. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Examples: Configuring Multiprotocol BGP


2735

®


indirect-next-hop Syntax Hierarchy Level

Release Information

Description

(indirect-next-hop | no-indirect-next-hop); [edit logical-systems logical-system-name routing-options forwarding-table], [edit routing-options forwarding-table]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable indirectly connected next hops for route convergence. This statement is implemented on the Packet Forward Engine to speed up forwarding information base (FIB) updates. Configuring this statement significantly speeds convergence times. The only downside of configuring this statement is that some additional FIB memory overhead is required. Unless routes have an extremely high number of next hops, this increased memory usage should not be noticeable.

NOTE:

Default Options

•

When virtual private LAN service (VPLS) is configured on the routing device, the indirect-next-hop statement is configurable at the [edit routing-options forwarding-table] hierarchy level. However, this configuration is not applicable to indirect nexthops specific to VPLS routing instances.

•

By default, the Junos Trio Modular Port Concentrator (MPC) chipset on MX Series routers is enabled with indirectly connected next hops, and this cannot be disabled using the no-indirect-next-hop statement.

Disabled. indirect-next-hop—Enable indirectly connected next hops. no-indirect-next-hop—Explicitly disable indirect next hops.


2736


Example: Optimizing Route Reconvergence by Enabling Indirect Next Hops on the Packet Forwarding Engine



install Syntax Hierarchy Level

Release Information

(install | no-install); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-options static (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit routing-instances routing-instance-name routing-options static (defaults | route)], [edit routing-options rib routing-table-name static (defaults | route)] [edit routing-options static (defaults | route)]


Description

Configure whether Junos OS installs all static routes into the forwarding table. Even if you configure a route so it is not installed in the forwarding table, the route is still eligible to be exported from the routing table to other protocols.

Options

install—Explicitly install all static routes into the forwarding table. Include this statement

when configuring an individual route in the route portion of the static statement to override a no-install option specified in the defaults portion of the statement. no-install—Do not install the route into the forwarding table, even if it is the route with

the lowest preference. Default: install Required Privilege Level Related Documentation



•

static on page 2893


2737

®


instance-export Syntax Hierarchy Level

Release Information


instance-export [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply one or more policies to routes being exported from a routing instance. policy-names—Name of one or more export policies.


Example: Configuring and Verifying the Auto Export Feature

•


instance-import Syntax Hierarchy Level

Release Information


2738

instance-import [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply one or more policies to routes being imported into a routing instance. policy-names—Name of one or more import policies.


Example: Configuring and Verifying the Auto Export Feature

•




inter-area-prefix-export Syntax Hierarchy Level

Release Information

Description

Options

inter-area-prefix-export [ policy-names ]; [edit logical-systems logical-system-name protocols ospf3 area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ip4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit protocols ospf3 area area-id], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit routing-instances routing-instance-name protocols ospf3 area area-id], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-muticast | ipv6-multicast) area area-id]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Apply an export policy for OSPFv3 to specify which interarea prefix link-state advertisements (LSAs) are flooded into an area. policy-name—Name of a policy configured at the [edit policy-options policy-statement policy-name term term-name] hierarchy level.




•

inter-area-prefix-import on page 2740

•



2739

®


inter-area-prefix-import Syntax Hierarchy Level

Release Information

Description

Options

inter-area-prefix-import [ policy-names ]; [edit logical-systems logical-system-name protocols ospf3 area area-id], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit protocols ospf3 area area-id], [edit protocols ospf3 realm (ip4-unicast | ipv4-multicast | ipv6-multicast)], area area-id], [edit routing-instances routing-instance-name protocols ospf3 area area-id], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Apply an import policy for OSPFv3 to specify which routes learned from an area are used to generate interarea prefixes into other areas. policy-name—Name of a policy configured at the [edit policy-options policy-statement policy-name term term-name] hierarchy level.


2740



•

inter-area-prefix-export on page 2739

•




interface Syntax

interface (all | interface-name) { disable; bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; transmit-interval { threshold milliseconds; minimum-interval milliseconds; } multiplier number; } checksum; csnp-interval (seconds | disable); hello-padding (adaptive | loose | strict); ldp-synchronization { disable; hold-time seconds; } lsp-interval milliseconds; mesh-group (value | blocked); no-adjacency-holddown; no-ipv4-multicast; no-ipv6-multicast; no-ipv6-unicast; no-unicast-topology; passive; point-to-point; level level-number { disable; hello-authentication-key key; hello-authentication-key-chain key-chain-name; hello-authentication-type authentication; hello-interval seconds; hold-time seconds; ipv4-multicast-metric number; ipv6-multicast-metric number; ipv6-unicast-metric number; metric metric; passive; priority number; te-metric metric; } }


2741

®


Hierarchy Level

Release Information

Description

[edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure interface-specific IS-IS properties. To configure more than one interface, include the interface statement multiple times. Enabling IS-IS on an interface (by including the interface statement at the [edit protocols isis] or the [edit routing-instances routing-instance-name protocols isis] hierarchy level), disabling it (by including the disable statement), and not actually having IS-IS run on an interface (by including the passive statement) are mutually exclusive states.

Options

all—Have Junos OS create IS-IS interfaces automatically. interface-name—Name of an interface. Specify the full interface name, including the

physical and logical address components. The remaining statements are explained separately. Required Privilege Level Related Documentation

2742


OBSOLETE - Configuring of Interface-Specific IS-IS Properties



interface Syntax

Hierarchy Level

interface interface-name { disable; authentication key ; bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; transmit-interval { threshold milliseconds; minimum-interval milliseconds; } multiplier number; } dead-interval seconds; demand-circuit; hello-interval seconds; ipsec-sa name; interface-type type; ldp-synchronization { disable; hold-time seconds; } metric metric; neighbor address ; no-interface-state-traps; passive; poll-interval seconds; priority number; retransmit-interval seconds; te-metric metric; topology (ipv4-multicast | name) { metric metric; } transit-delay seconds; transmit-interval seconds; } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit protocols (ospf | ospf3) area area-id],


2743

®


[edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id]

Release Information

Description

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the topology statement introduced in Junos OS Release 9.0. Support for the topology statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Support for the no-interface-state-traps statement introduced in Junos OS Release 10.3. This statement is supported only for OSPFv2. Enable OSPF routing on a routing device interface. You must include at least one interface statement in the configuration to enable OSPF on the routing device.

Options

interface-name—Name of the interface. Specify the interface by IP address or interface

name for OSPFv2, or only the interface name for OSPFv3. Using both the interface name and IP address of the same interface produces an invalid configuration. To configure all interfaces, you can specify all. Specifying a particular interface and all produces an invalid configuration.

NOTE: For nonbroadcast interfaces, specify the IP address of the nonbroadcast interface as interface-name.


NOTE: You cannot run both OSPF and ethernet-tcc encapsulation between two Juniper Networks routing devices.


2744



•

OBSOLETE - Configuring Multitopology Routing in OSPF

•

Example: Configuring Multiple Address Families for OSPFv3

•

neighbor



interface (Routing Options) Syntax

Hierarchy Level

Release Information

Description

interface interface-names { maximum-bandwidth bps; no-qos-adjust; reverse-oif-mapping { no-qos-adjust; } subscriber-leave-timer seconds; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable multicast traffic on an interface.

TIP: You cannot enable multicast traffic on an interface by using the routing-options multicast interface statement and configure PIM on the interface.

Options

interface-name—Names of the physical or logical interface.



Example: Defining Interface Bandwidth Maximums

•

Example: Configuring Multicast with Subscriber VLANs


2745

®


interface (Multicast Static Routes) Syntax

Hierarchy Level

Release Information

Description

interface interface-names { disable; maximum-bandwidth bps; no-qos-adjust; reverse-oif-mapping { no-qos-adjust; } subscriber-leave-timer seconds; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable multicast traffic on an interface. By default, multicast packets are forwarded by enabling Protocol Independent Multicast (PIM) on an interface. PIM adds multicast routes into the routing table. You can also configure multicast packets to be forwarded over a static route, such as a static route associated with an LSP next hop. Multicast packets are accepted on an interface and forwarded over a static route in the forwarding table. This is useful when you want to enable multicast traffic on a specific interface without configuring PIM on the interface. You cannot enable multicast traffic on an interface and configure PIM on the same interface simultaneously. Static routes must be configured before you can enable multicast on an interface. Configuring the interface statement alone does not install any routes into the routing table. This feature relies on the static route configuration.

Options

interface-names—Name of one or more interfaces on which to enable multicast traffic.


2746



•




interface-routes Syntax

Hierarchy Level

Release Information

interface-routes { family (inet | inet6) { export { lan; point-to-point; } } rib-group group-name; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]



Description

Associate a routing table group with the routing device’s interfaces, and specify routing table groups into which interface routes are imported. By default, IPv4 interface routes (also called direct routes) are imported into routing table inet.0, and IPv6 interface routes are imported into routing table inet6.0. If you are configuring alternate routing tables for use by some routing protocols, it might be necessary to import the interface routes into the alternate routing tables. To define the routing tables into which interface routes are imported, you create a routing table group and associate it with the routing device’s interfaces. To create the routing table groups, include the passive statement at the [edit routing-options] hierarchy level. If you have configured a routing table, configure the OSPF primary instance at the [edit protocols ospf] hierarchy level with the statements needed for your network so that routes are installed in inet.0 and in the forwarding table. Make sure to include the routing table group. To export local routes, include the export statement. To export LAN routes, include the lan option. To export point-to-point routes, include the point-to-point option.


2747

®


Only local routes on point-to-point interfaces configured with a destination address are exportable. Options

inet—Specify the IPv4 address family. inet6—Specify the IPv6 address family. lan—Export LAN routes. point-to-point—Export point-to-point routes.


2748


Example: Importing Direct and Static Routes Into a Routing Instance

•

Example: Configuring Multiple Routing Instances of OSPF

•

passive



interface-type Syntax

interface-type (nbma | p2mp | p2p);

Hierarchy Level

[edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-multicast | ipv4-unicast | ipv6-multicast) area area-id interface interface-name]

Release Information

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for OSPFv3 for interface type p2p only introduced in Junos OS Release 9.4. You cannot configure other interface types for OSPFv3. Support for OSPFv3 for interface type p2p only introduced in Junos OS Release 9.4 for EX Series switches.

Description

Specify the type of interface. By default, the software chooses the correct interface type based on the type of physical interface. Therefore, you should never have to set the interface type. The exception to this is for NBMA interfaces, which default to an interface type of point-to-multipoint. To have these interfaces explicitly run in Nonbroadcast multiaccess (NBMA) mode, configure the nbma interface type, using the IP address of the local ATM interface. In Junos OS Release 9.3 and later, a point-to-point interface can be an Ethernet interface without a subnet.

Default Options

The software chooses the correct interface type based on the type of physical interface. nbma (OSPFv2 only)—Nonbroadcast multiaccess (NBMA) interface. p2mp (OSPFv2 only)—Point-to-multipoint interface. p2p—Point-to-point interface.




2749

®



•

About OSPF Interfaces

•

Example: Configuring an OSPFv2 Interface on a Nonbroadcast Multiaccess Network

ipv4-multicast Syntax Hierarchy Level

Release Information


2750

ipv4-multicast; [edit logical-systems logical-system-name protocols isis topologies], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis topologies], [edit protocols isis topologies], [edit routing-instances routing-instance-name protocols isis topologies]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure alternate IPv4 multicast topologies. Multicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring IS-IS Multicast Topology



ipv4-multicast-metric Syntax Hierarchy Level

Release Information

Description Options

ipv4-multicast-metric metric; [edit logical-systems logical-system-name protocols isis interface interface-namelevel level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the multicast topology metric value for the level. metric—Metric value.




ipv6-multicast Syntax Hierarchy Level

Release Information


ipv6-multicast; [edit logical-systems logical-system-name protocols isis topologies], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis topologies], [edit protocols isis topologies], [edit routing-instances routing-instance-name protocols isis topologies]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure alternate IPv6 multicast topologies. Multicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



2751

®


ipv6-multicast-metric Syntax Hierarchy Level

Release Information

Description Options

ipv6-multicast-metric metric; [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the IPv6 alternate multicast topology metric value for the level. metric—Metric value.




ipv6-unicast Syntax Hierarchy Level

Release Information


2752

ipv6-unicast; [edit logical-systems logical-system-name protocols isis topologies], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis topologies], [edit protocols isis topologies], [edit routing-instances routing-instance-name protocols isis topologies]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure alternate IPv6 unicast topologies. IPv6 unicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Configuring IS-IS IPv6 Unicast Topologies



ipv6-unicast-metric Syntax Hierarchy Level

Release Information

Description Options

ipv6-unicast-metric metric; [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the IPv6 unicast topology metric value for the level. metric—Metric value.





2753

®


isis Syntax Hierarchy Level

Release Information

Description

isis { ... } [edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable IS-IS routing on the routing device or for a routing instance. The isis statement is the one statement you must include in the configuration to run IS-IS on the routing device or in a routing instance.


2754

IS-IS is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OBSOLETE - Minimum IS-IS Configuration



keep Syntax Hierarchy Level

Release Information

Description

Default Options

keep (all | none); [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify whether routes learned from a BGP peer are retained in the routing table even if they contain an AS number that was exported from the local AS. If you do not include this statement, most routes are retained in the routing table. all—Retain all routes. none—Retain none of the routes. When keep none is configured for the BGP session and

the inbound policy changes, Junos OS forces readvertisement of the full set of routes advertised by the peer. Required Privilege Level Related Documentation



•

out-delay on page 2818


2755

®


labeled-unicast Syntax

Hierarchy Level

Release Information

Description

labeled-unicast { accepted-prefix-limit { maximum number; teardown ; } aggregate-label { community community-name; } explicit-null { connected-only; } prefix-limit { maximum number; teardown ; } resolve-vpn; rib inet.3; rib-group group-name; } [edit logical-systems logical-system-name protocols bgp family (inet | inet6)], [edit logical-systems logical-system-name protocols bgp group group-name family (inet | inet6)], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address family (inet | inet6)], [edit protocols bgp family (inet | inet6)], [edit protocols bgp group group-name family (inet | inet6)], [edit protocols bgp group group-name neighbor address family (inet | inet6)], [edit routing-instances routing-instance-name protocols bgp family (inet | inet6)], [edit routing-instances routing-instance-name protocols bgp group group-name family (inet | inet6)], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address family (inet | inet6)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the family type to be labeled-unicast. The remaining statements are explained separately.


2756





•


level (Global IS-IS) Syntax

Hierarchy Level

Release Information

Description Options

level level-number { authentication-key key; authentication-key-chain (Protocols IS-IS) key-chain-name; authentication-type type; external-preference preference; no-csnp-authentication; no-hello-authentication; no-psnp-authentication; preference preference; wide-metrics-only; } [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the global-level properties. level-number—IS-IS level number.

Values: 1 or 2 The remaining statements are explained separately. Required Privilege Level Related Documentation




2757

®


link-protection Syntax Hierarchy Level

Release Information

Description


2758

link-protection; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable link protection on the specified IS-IS interface. Junos OS creates a backup loop-free alternate path to the primary next hop for all destination routes that traverse the protected interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

node-link-protection on page 2813

•

OBSOLETE - Configuring Loop-Free Alternate Routes for IS-IS



local-address (BGP) Syntax Hierarchy Level

Release Information

Description

local-address address; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the address of the local end of a BGP session. This address is used to accept incoming connections to the peer and to establish connections to the remote peer. When none of the operational interfaces are configured with the specified local address, a session with a BGP peer is placed in the idle state. You generally configure a local address to explicitly configure the system’s IP address from BGP’s point of view. This IP address can be either an IPv6 or IPv4 address. Typically, an IP address is assigned to a loopback interface, and that IP address is configured here. For internal BGP (IBGP) peering sessions, generally the loopback interface (lo0) is used to establish connections between the IBGP peers. The loopback interface is always up as long as the device is operating. If there is a route to the loopback address, the IBGP peering session stays up. If a physical interface address is used instead and that interface goes up and down, the IBGP peering session also goes up and down. Thus, the loopback interface provides fault tolerance in case the physical interface or the link goes down, if the device has link redundancy. When a device peers with a remote device’s loopback interface address, the local device expects BGP update messages to come from (be sourced by) the remote device’s loopback interface address. The local-address statement enables you to specify the source information in BGP update messages. If you omit the local-address statement, the expected source of BGP update messages is based on the device’s source address selection rules, which normally result in the egress interface address being the expected source of update messages. When this happens, the peering session is not established because a mismatch exists between the expected source address (the egress interface


2759

®


of the peer) and the actual source (the loopback interface of the peer). To ensure that the expected source address matches the actual source address, specify the loopback interface address in the local-address statement.

NOTE: A BGP session can still be established when only one of the paired routers has a local address configured.

If you include the default-address-selection statement in the configuration, the software chooses the system default address as the source for most locally generated IP packets. For protocols in which the local address is unconstrained by the protocol specification, for example IBGP and multihop EBGP, if you do not configure a specific local address when configuring the protocol, the local address is chosen using the same methods as other locally generated IP packets. Default


2760

If you do not configure a local address, BGP uses the routing device’s source address selection rules to set the local address. address—IPv6 or IPv4 address of the local end of the connection.


Example: Configuring Internal BGP Peering Sessions on Logical Systems

•

Example: Configuring Internal BGP Peer Sessions

•

Understanding Internal BGP Peering Sessions

•

router-id on page 2880



local-address Syntax Hierarchy Level

Release Information

Description


local-address address; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast backup-pe-group group-name], [edit logical-systems logical-system-name routing-options multicast backup-pe-group group-name], [edit routing-instances routing-instance-name routing-options multicast backup-pe-group group-name], [edit routing-options multicast backup-pe-group group-name]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the address of the local PE for ingress PE redundancy when point-to-multipoint LSPs are used for multicast distribution. address—Address of local PEs in the backup group.




2761

®


local-as Syntax Hierarchy Level

Release Information

Description

local-as autonomous-system ; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. alias option introduced in Junos OS Release 9.5. no-prepend-global-as option introduced in Junos OS Release 9.6. Specify the local autonomous system (AS) number. An AS is a set of routing devices that are under a single technical administration and generally use a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routing devices. Internet service providers (ISPs) sometimes acquire networks that belong to a different AS. When this occur, there is no seamless method for moving the BGP peers of the acquired network to the AS of the acquiring ISP. The process of configuring the BGP peers with the new AS number can be time-consuming and cumbersome. In this case, it might not be desirable to modify peer arrangements or configuration. During this kind of transition period, it can be useful to configure BGP-enabled devices in the new AS to use the former AS number in BGP updates. This former AS number is called a local AS.

NOTE: If you are using BGP on the routing device, you must configure an AS number before you specify the local as number. In Junos OS Release 9.1 and later, the AS numeric range in plain-number format is extended to provide BGP support for 4-byte AS numbers, as defined in RFC 4893, BGP Support for Four-octet AS Number Space. In Junos OS Release 9.3 and later, you can also configure a 4-byte AS number using the AS-dot notation format of two integer values joined by a period: .. For

2762



example, the 4-byte AS number of 65546 in plain-number format is represented as 1.10 in the AS-dot notation format.

Options

alias—(Optional) Configure the local AS as an alias of the global AS number configured

for the router at the [edit routing-options] hierarchy level. As a result, a BGP peer considers any local AS to which it is assigned as equivalent to the primary AS number configured for the routing device. When you use the alias option, only the AS (global or local) used to establish the BGP session is prepended in the AS path sent to the BGP neighbor. autonomous-system—AS number. 32

Range: 1 through 4,294,967,295 (2

– 1) in plain-number format

Range: 0.0 through 65535.65535 in AS-dot notation format loops number—(Optional) Specify the number of times detection of the AS number in

the AS_PATH attribute causes the route to be discarded or hidden. For example, if you configure loops 1, the route is hidden if the AS number is detected in the path one or more times. This is the default behavior. If you configure loops 2, the route is hidden if the AS number is detected in the path two or more times.

NOTE: If you configure the local AS values for any BGP group, the detection of routing loops is performed using both the AS and the local AS values for all BGP groups. If the local AS for the EBGP or IBGP peer is the same as the current AS, do not use the local-as statement to specify the local AS number. When you configure the local AS within a VRF, this impacts the AS path loop-detection mechanism. All of the local-as statements configured on the device are part of a single AS domain. The AS path loop-detection mechanism is based on looking for a matching AS present in the domain. Range: 1 through 10 Default: 1 no-prepend-global-as—(Optional) Specify to strip the global AS and to prepend only the

local AS in AS paths sent to external peers. private—(Optional) Configure to use the local AS only during the establishment of the

BGP session with a BGP neighbor but to hide it in the AS path sent to external BGP peers. Only the global AS is included in the AS path sent to external peers.

NOTE: The private and alias options are mutually exclusive. You cannot configure both options with the same local-as statement.


2763

®




Examples: Configuring BGP Local AS

•

Example: Configuring a Local AS for EBGP Sessions

•

autonomous-system on page 2639

•

family on page 2695

local-interface (IPv6) Syntax Hierarchy Level

Release Information

Description


2764

local-interface interface-name; [edit logical-systems logical-system-name protocols bgp group group-name neighbor ipv6-link-local-address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor ipv6-link-local-address], [edit protocols bgp group group-name neighbor ipv6-link-local-address], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor ipv6-link-local-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the interface name of the EBGP peer that uses IPv6 link-local addresses. This peer is link-local in scope. interface-name—Interface name of the EBGP IPv6 peer.


Example: Configuring Internal BGP Peering Sessions on Logical Systems

•

Example: Configuring Internal BGP Peer Sessions

•

Configuring EBGP Peer Using IPv6 Link-Local Addresses

•




local-preference Syntax Hierarchy Level

Release Information

Description

local-preference local-preference; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Modify the value of the LOCAL_PREF path attribute, which is a metric used by IBGP sessions to indicate the degree of preference for an external route. The route with the highest local preference value is preferred. The LOCAL_PREF path attribute always is advertised to internal BGP peers and to neighboring confederations. It is never advertised to external BGP peers.

Default Options

If you omit this statement, the LOCAL_PREF path attribute, if present, is not modified. local-preference—Preference to assign to routes learned from BGP or from the group or

peer. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: If the LOCAL_PREF path attribute is present, do not modify its value. If a BGP route is received without a LOCAL_PREF attribute, the route is handled locally (it is stored in the routing table and advertised by BGP) as if it were received with a LOCAL_PREF value of 100. By default, non-BGP routes that are advertised by BGP are advertised with a LOCAL_PREF value of 100. Required Privilege Level Related Documentation


Example: Configuring the Local Preference Value for BGP Routes

•



2765

®


•


log-updown Syntax Hierarchy Level

Release Information

Description


2766

log-updown; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify to generate a log a message whenever a BGP peer makes a state transition. Messages are logged using the system logging mechanism located at the [edit system syslog] hierarchy level. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Preventing BGP Session Resets

•

Configuring System Logging of BGP Peer State Transitions

•


•

traceoptions on page 2908



loose-authentication-check Syntax Hierarchy Level

Release Information


loose-authentication-check; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Allow the use of MD5 authentication without requiring network-wide deployment. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Enabling Authentication for IS-IS Without Network-Wide Deployment

lsp-interval Syntax Hierarchy Level

Release Information

Description Options

lsp-interval milliseconds; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the link-state PDU interval time. milliseconds—Number of milliseconds between the sending of link-state PDUs. Specifying

a value of 0 blocks all link-state PDU transmission. Range: 0 through 1000 milliseconds Default: 100 milliseconds Required Privilege Level Related Documentation


Configuring the Transmission Frequency for Link-State PDUs on IS-IS Interfaces


2767

®


lsp-lifetime Syntax Hierarchy Level

Release Information

Description

Options

lsp-lifetime seconds; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify how long a link-state PDU originating from the routing device should persist in the network. The routing device sends link-state PDUs often enough so that the link-state PDU lifetime never expires. seconds—link-state PDU lifetime, in seconds.


2768


Configuring the Link-State PDU Lifetime for IS-IS



lsp-metric-into-summary Syntax Hierarchy Level

Release Information


lsp-metric-into-summary; [edit logical-systems logical-system-name protocols (ospf | ospf3) traffic-engineering shortcuts], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) traffic-engineering shortcuts], [edit protocols (ospf | ospf3) traffic-engineering shortcuts], [edit routing-instances routing-instance-name protocols (ospf | ospf3) traffic-engineering shortcuts]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for OSPFv3 (ospf3) introduced in Junos OS Release 9.4. Support for OSPFv3 (ospf3) introduced in Junos OS Release 9.4 for EX Series switches. Advertise the LSP metric in summary LSAs. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OSPF Support for Traffic Engineering

•



2769

®


martians Syntax

Hierarchy Level

Release Information

Description Options

martians { destination-prefix match-type ; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name], [edit logical-systems logical-system-name routing-options], [edit logical-systems logical-system-name routing-options rib routing-table-name], [edit routing-instances routing-instance-name routing-options], [edit routing-instances routing-instance-name routing-options rib routing-table-name], [edit routing-options], [edit routing-options rib routing-table-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure martian addresses. allow—(Optional) Explicitly allow a subset of a range of addresses that has been

disallowed. The allow option is the only supported action. destination-prefix—Destination route you are configuring: •


address, and prefix-length is the destination prefix length. •

default—Default route to use when routing packets do not match a network or host in

the routing table. This is equivalent to specifying the IP address 0.0.0.0/0. match-type—Criteria that the destination must match: •

exact—Exactly match the route’s mask length.

•

longer—The route’s mask length is greater than the specified mask length.

•

orlonger—The route’s mask length is equal to or greater than the specified mask length.

•

through destination-prefix—The route matches the first prefix, the route matches the

second prefix for the number of bits in the route, and the number of bits in the route is less than or equal to the number of bits in the second prefix. •

upto prefix-length—The route’s mask length falls between the two destination prefix

lengths, inclusive. Required Privilege Level

2770





•

Example: Configuring Martian Addresses

max-areas Syntax Hierarchy Level

Release Information

Description Options

max-areas number; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis] [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Modify the maximum number of IS-IS areas advertised. number—Maximum number of areas to include in the IS-IS hello (IIH) PDUs and link-state

PDUs. Range: 3 through 36 Default: 3 Required Privilege Level Related Documentation


Limiting the Number of Advertised IS-IS Areas


2771

®


maximum-bandwidth Syntax Hierarchy Level

Release Information

Description Options

maximum-bandwidth bps; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast interface interface-name], [edit logical-systems logical-system-name routing-options multicast interface interface-name], [edit routing-instances routing-instance-name routing-options multicast interface interface-name], [edit routing-options multicast interface interface-name]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the multicast bandwidth for the interface. bps—Bandwidth rate, in bits per second, for the multicast interface.

Range: 0 through any amount of bandwidth Required Privilege Level Related Documentation

2772





maximum-paths Syntax Hierarchy Level

Release Information

Description

maximum-paths path-limit ; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a limit for the number of routes installed in a routing table based upon the route path.

NOTE: The maximum-paths statement is similar to the maximum-prefixes statement. The maximum-prefixes statement limits the number of unique destinations in a routing instance. For example, suppose a routing instance has the following routes: OSPF 10.10.10.0/24 ISIS 10.10.10.0/24

These are two routes, but only one destination (prefix). The maximum-paths limit applies the total number of routes (two). The maximum-prefixes limit applies to the total number of unique prefixes (one).

Options

log-interval seconds—(Optional) Minimum time interval (in seconds) between log

messages. Range: 5 through 86,400 log-only—(Optional) Sets the route limit as an advisory limit. An advisory limit triggers

only a warning, and additional routes are not rejected. path-limit—Maximum number of routes. If this limit is reached, a warning is triggered and

additional routes are rejected. 32

Range: 1 through 4,294,967,295 (2

– 1)

Default: No default threshold value—(Optional) Percentage of the maximum number of routes that starts

triggering a warning. You can configure a percentage of the path-limit value that starts triggering the warnings. Range: 1 through 100


2773

®


NOTE: When the number of routes reaches the threshold value, routes are still installed into the routing table while warning messages are sent. When the number of routes reaches the path-limit value, then additional routes are rejected.


2774


OBSOLETE - Configuring Route Limits for Routing Tables



maximum-prefixes Syntax Hierarchy Level

Release Information

Description

maximum-prefixes prefix-limit ; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a limit for the number of routes installed in a routing table based upon the route prefix.

NOTE: The maximum-prefixes statement is similar to the maximum-paths statement. The maximum-prefixes statement limits the number of unique destinations in a routing instance. For example, suppose a routing instance has the following routes: OSPF 10.10.10.0/24 ISIS 10.10.10.0/24

These are two routes, but only one destination (prefix). The maximum-paths limit applies the total number of routes (two). The maximum-prefixes limit applies to the total number of unique prefixes (one).

Options

log-interval seconds—(Optional) Minimum time interval (in seconds) between log

messages. Range: 5 through 86,400 log-only—(Optional) Sets the prefix limit as an advisory limit. An advisory limit triggers

only a warning, and additional routes are not rejected. prefix-limit—Maximum number of route prefixes. If this limit is reached, a warning is

triggered and any additional routes are rejected. Range: 1 through 4,294,967,295 Default: No default threshold value—(Optional) Percentage of the maximum number of prefixes that starts

triggering a warning. You can configure a percentage of the prefix-limit value that starts triggering the warnings. Range: 1 through 100


2775

®


NOTE: When the number of routes reaches the threshold value, routes are still installed into the routing table while warning messages are sent. When the number of routes reaches the prefix-limit value, then additional routes are rejected.



OBSOLETE - Configuring Route Limits for Routing Tables

med-igp-update-interval Syntax Hierarchy Level Release Information

Description

Options

med-igp-update-interval minutes; [edit routing-options]

Statement introduced in Junos OS Release 9.0 Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a timer for how long to delay updates for the multiple exit discriminator (MED) path attribute for BGP groups and peers configured with the metric-out igp offset delay-med-update statement. The timer delays MED updates for the interval configured unless the MED is lower than the previously advertised attribute or another attribute associated with the route has changed or if the BGP peer is responding to a refresh route request. minutes—Interval to delay MED updates.

Range: 10 through 600 Default: 10 minutes Required Privilege Level Related Documentation

2776


Example: Associating the MED Path Attribute with the IGP Metric and Delaying MED Updates

•

metric-out on page 2784



mesh-group Syntax Hierarchy Level

Release Information

Description Options

mesh-group (blocked | value); [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure an interface to be part of a mesh group, which is a set of fully connected nodes. blocked—Configure the interface so that it does not flood link-state PDU packets. value—Number that identifies the mesh group. 32


– 1; 32 bits are allocated to identify a mesh group)


Configuring Mesh Groups of IS-IS Interfaces


2777

®


message-size Syntax Hierarchy Level

Release Information

Description

Options

message-size number; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the number of route entries to be included in every RIP update message. To ensure interoperability with other vendors’ equipment, use the standard of 25 route entries per message. number—Number of route entries per update message.

Range: 25 through 255 entries Default: 25 entries Required Privilege Level Related Documentation

2778


Configuring the Number of Route Entries in RIP Update Messages



metric Syntax Hierarchy Level

Release Information

Description Options

metric metric; [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the metric value for the level. metric—Metric value.

Range: 1 through 63, or 1 through 16,777,215 (if you have configured wide metrics) Default: 10 (for all interfaces except lo0), 0 (for the lo0 interface) Required Privilege Level Related Documentation


te-metric

•

wide-metrics-only on page 2934

•



2779

®


metric Syntax Hierarchy Level

Release Information

Description

metric metric; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf area area-id interface interface-name topology (ipv4-multicast | name)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id sham-link-remote], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name topology (ipv4-multicast | name)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf area area-id interface interface-name topology (ipv4-multicast | name)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf area area-id sham-link-remote], [edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name topology (ipv4-multicast | name)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for Multitopology Routing introduced in Junos OS Release 9.0. Support for Multitopology Routing introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify the cost of an OSPF interface. The cost is a routing metric that is used in the link-state calculation. To set the cost of routes exported into OSPF, configure the appropriate routing policy.

Options

metric—Cost of the route.

Range: 1 through 65,535 Default: By default, the cost of an OSPF route is calculated by dividing the reference-bandwidth value by the bandwidth of the physical interface. Any specific value you configure for the metric overrides the default behavior of using the reference-bandwidth value to calculate the cost of the route for that interface.

2780





Example: Controlling the Cost of Individual OSPF Network Segments

•

Example: Configuring OSPFv2 Sham Links

•


•

bandwidth-based-metrics on page 2644

•

reference-bandwidth on page 2857

metric (Aggregate, Generated, or Static Route) Syntax Hierarchy Level

Release Information

Description

Options

(metric | metric2 | metric3 | metric4) metric ; [edit logical-systems logical-system-name routing-options (aggregate | generate | static) (defaults | route)], [edit routing-options (aggregate | generate | static) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the metric value for an aggregate, generated, or static route. You can specify up to four metric values, starting with metric (for the first metric value) and continuing with metric2, metric3, and metric4. metric—Metric value. 32

Range: 0 through 4,294,967,295 (2

– 1)

type type—(Optional) Type of route.

When routes are exported to OSPF, type 1 routes are advertised in type 1 externals, and routes of any other type are advertised in type 2 externals. Note that if a qualified-next-hop metric value is configured, this value overrides the route metric. Range: 1 through 16 Required Privilege Level Related Documentation


Example: Summarizing Static Routes Through Route Aggregation

•


•


•


•

static on page 2893


2781

®


metric-in Syntax Hierarchy Level

Release Information

Description

Options

metric-in metric; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the metric to add to incoming routes when the routing device advertises into RIP routes that were learned from other protocols. Use this statement to configure the routing device to prefer RIP routes learned through a specific neighbor. metric—Metric value.


2782


Example: Configuring the Metric Value Added to Imported RIP Routes



metric-in Syntax Hierarchy Level

Release Information

Description

Options

metric-in metric; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name protocols ripng group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name], [edit protocols ripng], [edit protocols ripng group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols ripng], [edit routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Specify the metric to add to incoming routes when advertising into RIPng routes that were learned from other protocols. Use this statement to configure the routing device to prefer RIPng routes learned through a specific neighbor. metric—Metric value.



Example: Configuring the Metric Value Added to Imported RIPng Routes


2783

®


metric-out Syntax Hierarchy Level

Release Information

Description

metric-out (metric | minimum-igp offset | igp (delay-med-update | offset); [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Option delay-med-update introduced in Junos OS Release 9.0. Specify the metric for all routes sent using the multiple exit discriminator (MED, or MULTI_EXIT_DISC) path attribute in update messages. This path attribute is used to discriminate among multiple exit points to a neighboring AS. If all other factors are equal, the exit point with the lowest metric is preferred. You can specify a constant metric value by including the metric option. For configurations in which a BGP peer sends third-party next hops that require the local system to perform next-hop resolution—IBGP configurations, configurations within confederation peers, or EBGP configurations that include the multihop command—you can specify a variable metric by including the minimum-igp or igp option. You can increase or decrease the variable metric calculated from the IGP metric (either from the igp or minimum-igp statement) by specifying a value for offset. The metric is increased by specifying a positive value for offset, and decreased by specifying a negative value for offset. In Junos OS Release 9.0 and later, you can specify that a BGP group or peer not advertise updates for the MED path attributes used to calculate IGP costs for BGP next hops unless the MED is lower. You can also configure an interval to delay when MED updates are sent by including the med-igp-update-interval minutes statement at the [edit routing-options] hierarchy level.

Options

delay-med-update—Specify that a BGP group or peer configured with the metric-out igp

statement not advertise MED updates unless the current MED value is lower than

2784



the previously advertised MED value, or another attribute associated with the route has changed, or the BGP peer is responding to a refresh route request.

NOTE: You cannot configure the delay-med–update statement at the global BGP level.

igp—Set the metric to the most recent metric value calculated in the IGP to get to the

BGP next hop. Routes learned from an EBGP peer usually have a next hop on a directly connected interface and thus the IGP value is equal to zero. This is the value advertised. metric—Primary metric on all routes sent to peers. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: No metric is sent. minimum-igp—Set the metric to the minimum metric value calculated in the IGP to get

to the BGP next hop. If a newly calculated metric is greater than the minimum metric value, the metric value remains unchanged. If a newly calculated metric is lower, the metric value is lowered to that value. When you change a neighbor’s export policy from any configuration to a configuration that sets the minimum IGP offset on an exported route, the advertised MED is not updated if the value would increase as a result, even if the previous configuration does not use a minimum IGP-based MED value. This behavior helps to prevent unnecessary route flapping when an IGP cost changes, by not forcing a route update if the metric value increases past the previous lowest known value. offset—Increases or decreases the metric by this value. 31

31

Range: –2 through 2 – 1 Default: None Required Privilege Level Related Documentation


Example: Associating the MED Path Attribute with the IGP Metric and Delaying MED Updates

•

Examples: Configuring BGP MED

•

Example: Configuring the MED Attribute Directly

•

Understanding the MED Attribute

•

med-igp-update-interval on page 2776


2785

®



Release Information

Description

Options

metric-out metric; [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the metric value to add to routes transmitted to the neighbor. Use this statement to control how other routing devices prefer RIP routes sent from this neighbor. metric—Metric value.


2786






Release Information

Description

Options

metric-out metric; [edit logical-systems logical-system-name protocols ripng group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name], [edit protocols ripng group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Specify the metric value to add to routes transmitted to the neighbor. Use this statement to control how other routing devices prefer RIPng routes sent from this neighbor. metric—Metric value.





2787

®


metric-type Syntax Hierarchy Level

Release Information

Description

metric-type type; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id nssadefault-lsa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id nssa default-lsa], [edit protocols (ospf | ospf3) area area-id nssa default-lsa], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id nssa default-lsa], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit routing-instances routing-instances protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id nssa default-lsa]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify the external metric type for the default LSA. The configured metric determines the method used to compute the cost to a destination:


2788

•

The Type 1 external metric is equivalent to the link-state metric. The path cost uses the advertised external path cost and the path cost to the AS boundary router (the route is equal to the sum of all internal costs and the external cost).

•

The Type 2 external metric uses the cost assigned by the AS boundary router (the route is equal to the external cost alone). By default, OSPF uses the Type 2 external metric.

type—Metric type: 1 or 2



•

Example: Configuring OSPF Not-So-Stubby Areas



mtu-discovery Syntax Hierarchy Level

Release Information

Description

mtu-discovery; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure TCP path maximum transmission unit (MTU) discovery. TCP path MTU discovery enables BGP to automatically discover the best TCP path MTU for each BGP session. In Junos OS, TCP path MTU discovery is disabled by default for all BGP neighbor sessions. When MTU discovery is disabled, TCP sessions that are not directly connected transmit packets of 512-byte maximum segment size (MSS). These small packets minimize the chances of packet fragmentation at a device along the path to the destination. However, because most links use an MTU of at least 1500 bytes, 512-byte packets do not result in the most efficient use of link bandwidth. For directly connected EBGP sessions, MTU mismatches prevent the BGP session from being established. As a workaround, enable path MTU discovery within the EBGP group. Path MTU discovery dynamically determines the MTU size on the network path between the source and the destination, with the goal of avoiding IP fragmentation. Path MTU discovery works by setting the Don’t Fragment (DF) bit in the IP headers of outgoing packets. When a device along the path has an MTU that is smaller than the packet, the device drops the packet. The device also sends back an ICMP Fragmentation Needed (Type 3, Code 4) message that contains the device’s MTU, thus allowing the source to reduce its path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation.




2789

®



2790

•

Example: Limiting TCP Segment Size for BGP

•


•




multicast Syntax

Hierarchy Level

Release Information

Description

multicast { forwarding-cache { threshold suppress value ; } interface interface-name { enable; } scope scope-name { interface [ interface-names ]; prefix destination-prefix; } ssm-groups { address; } } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure generic multicast properties.

NOTE: You cannot apply a scoping policy to a specific routing instance. All scoping policies are applied to all routing instances. However, you can apply the scope statement to a specific routing instance.



Examples: Configuring Administrative Scoping

•


•

Examples: Configuring the Multicast Forwarding Cache

•


•

(indirect-next-hop on page 2736 | no-indirect-next-hop)


2791

®


multihop Syntax

Hierarchy Level

Release Information

Description

multihop { no-nexthop-change; ttl ttl-value; } [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure an EBGP multihop session. An external confederation peer is a special case that allows unconnected third-party next hops. You do not need to configure multihop sessions explicitly in this particular case because multihop behavior is implied. If you have external BGP confederation peer-to-loopback addresses, you still need the multihop configuration.

NOTE: You cannot configure the accept-remote-nexthop statement at the same time.

Default

If you omit this statement, all EBGP peers are assumed to be directly connected (that is, you are establishing a nonmultihop, or “regular,” BGP session), and the default time-to-live (TTL) value is 1. The remaining statements are explained separately.


2792





•

Example: Configuring EBGP Multihop

•

accept-remote-nexthop on page 2615

•

no-nexthop-change

•

ttl

multipath Syntax

Hierarchy Level

Release Information

Description

Options

multipath { multiple-as; vpn-unequal-cost equal-external-internal; } [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Allow load sharing among multiple EBGP paths and multiple IBGP paths. A path is considered a BGP equal-cost path (and will be used for forwarding) if a tie-break is performed. The tie-break is performed after the BGP route path selection step that chooses the next-hop path that is resolved through the IGP route with the lowest metric. All paths with the same neighboring AS, learned by a multipath-enabled BGP neighbor, are considered. multiple-as—Disable the default check requiring that paths accepted by BGP multipath

must have the same neighboring AS. vpn-unequal-cost equal-external-internal—Enable load-balancing in a Layer 3 VPN with

unequal cost paths. Required Privilege Level Related Documentation


Understanding BGP Path Selection

•



2793

®


neighbor Syntax

2794

neighbor address { accept-remote-nexthop; advertise-external ; advertise-inactive; (advertise-peer-as | no-advertise-peer-as); as-override; authentication-algorithm algorithm; authentication-key key; authentication-key-chain key-chain; cluster cluster-identifier; damping; description text-description; export [ policy-names ]; family { (inet | inet6 | inet-mvpn | inet6-mpvn | inet-vpn | inet6-vpn | iso-vpn | l2-vpn) { (any | flow | multicast | unicast | signaling) { accepted-prefix-limit { maximum number; teardown ; } prefix-limit { maximum number; teardown ; } rib-group group-name; } flow { no-validate policy-name; } labeled-unicast { accepted-prefix-limit { maximum number; teardown ; } aggregate-label { community community-name: } explicit-null { connected-only; } prefix-limit { maximum number; teardown ; } resolve-vpn; rib inet.3; rib-group group-name; } } route-target { advertise-default; external-paths number;



accepted-prefix-limit { maximum number; teardown ; } prefix-limit { maximum number; teardown ; } } signaling { prefix-limit { maximum number; teardown ; } } } graceful-restart { disable; restart-time seconds; stale-routes-time seconds; } hold-time seconds; import [ policy-names ]; ipsec-sa ipsec-sa; keep (all | none); local-address address; local-as autonomous-system ; local-interface interface-name; local-preference preference; log-updown; metric-out (metric | minimum-igp | igp ); mtu-discovery; multihop ; multipath { multiple-as; } no-aggregator-id; no-client-reflect; out-delay seconds; passive; peer-as autonomous-system; preference preference; tcp-mss segment-size; traceoptions { file filename ; flag flag ; } vpn-apply-export; }

Hierarchy Level

[edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name]


2795

®


Release Information

Description

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Explicitly configure a neighbor (peer). To configure multiple BGP peers, include multiple neighbor statements. By default, the peer’s options are identical to those of the group. You can override these options by including peer-specific option statements within the neighbor statement. The neighbor statement is one of the statements you can include in the configuration to define a minimal BGP configuration on the routing device. (You can include an allow all statement in place of a neighbor statement.)

Options

address—IPv6 or IPv4 address of a single peer.


2796


Minimum BGP Configuration

•




neighbor Syntax

Hierarchy Level

Release Information

neighbor neighbor-name { authentication-key password; authentication-type type; bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; transmit-interval { threshold milliseconds; minimum-interval milliseconds; } multiplier number; version (0 | 1 | automatic); } (check-zero | no-check-zero); demand-circuit; import policy-name; max-retrans-time seconds; message-size number; metric-in metric; metric-out metric; receive receive-options; route-timeout seconds; send send-options; update-interval seconds; } [edit logical-systems logical-system-name protocols rip group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name], [edit protocols rip group group-name], [edit routing-instances routing-instance-name protocols rip group group-name]


Description

Configure neighbor-specific RIP parameters, thereby overriding the defaults set for the routing device.

Options

neighbor-name—Name of an interface over which a routing device communicates to its

neighbors. The remaining statements are explained separately.


2797

®




OBSOLETE - Overview of RIP Neighbor Properties

neighbor Syntax

Hierarchy Level

Release Information

Description

Options

neighbor neighbor-name { import [ policy-names ]; metric-in metric; receive ; route-timeout seconds; send ; update-interval seconds; } [edit logical-systems logical-system-name protocols ripng group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name], [edit protocols ripng group group-name], [edit routing-instances routing-instance-name protocols ripng group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Configure neighbor-specific RIPng parameters, thereby overriding the defaults set for the routing device. neighbor-name—Name of an interface over which a routing device communicates to its

neighbors. The remaining statements are explained separately. Required Privilege Level Related Documentation

2798


OBSOLETE - Overview of RIPng Neighbor Properties



no-adjacency-holddown Syntax Hierarchy Level

Release Information


no-adjacency-holddown; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Disable the hold-down timer for IS-IS adjacencies. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Configuring Quicker Advertisement of IS-IS Adjacency State Changes


2799

®


no-aggregator-id Syntax Hierarchy Level

Release Information

Description

no-aggregator-id; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Prevent different routers within an AS from creating aggregate routes that contain different AS paths. Junos OS performs route aggregation, which is the process of combining the characteristics of different routes so that only a single route is advertised. Aggregation reduces the amount of information that BGP must store and exchange with other BGP systems. When aggregation occurs, the local routing device adds the local AS number and the router ID to the aggregator path attiribute. The no-aggregator-id statement causes Junos OS to place a 0 in the router ID field and thus eliminate the possibility of having multiple aggregate advertisements in the network, each with different path information.


2800

If you omit this statement, the router ID is included in the BGP aggregator path attribute. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

BGP Messages Overview



no-authentication-check Syntax Hierarchy Level

Release Information

Description


no-authentication-check; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Generate authenticated packets and check the authentication on received packets, but do not reject packets that cannot be authenticated. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

csnp-interval on page 2674

•


•



2801

®


no-client-reflect Syntax Hierarchy Level

Release Information

Description


2802

no-client-reflect; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable intracluster route redistribution by the system acting as the route reflector. Include this statement when the client cluster is fully meshed to prevent the sending of redundant route advertisements. Route reflection provides a way to decrease BGP control traffic and minimizing the number of update messages sent within the AS. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OBSOLETE - Configuring BGP Route Reflection

•

cluster on page 2669



no-csnp-authentication Syntax Hierarchy Level

Release Information


no-csnp-authentication; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Suppress authentication check on complete sequence number PDU (CSNP) packets. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

csnp-interval on page 2674

•


no-eligible-backup Syntax Hierarchy Level

Release Information

Description


no-eligible-backup; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Exclude the specified interface as a backup interface for IS-IS interfaces on which link protection or node-link protection is enabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

link-protection on page 2758

•

node-link-protection on page 2813

•



2803

®


no-hello-authentication Syntax Hierarchy Level

Release Information


no-hello-authentication; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Suppress authentication check on complete sequence number hello packets. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


no-ipv4-multicast Syntax Hierarchy Level

Release Information


2804

no-ipv4-multicast; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Exclude an interface from IPv4 multicast topologies. Multicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •




no-ipv4-routing Syntax Hierarchy Level

Release Information


no-ipv4-routing; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Disable IP version 4 (IPv4) routing. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Disabling IPv4 Routing for IS-IS

no-ipv6-multicast Syntax Hierarchy Level

Release Information


no-ipv6-multicast; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Exclude an interface from the IPv6 multicast topologies. Multicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



2805

®


no-ipv6-routing Syntax Hierarchy Level

Release Information


no-ipv6-routing; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable IP version 6 (IPv6) routing. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Disabling IPv6 Routing for IS-IS

no-ipv6-unicast Syntax Hierarchy Level

Release Information


2806

no-ipv6-unicast; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Exclude an interface from the IPv6 unicast topologies. IPv6 unicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •




no-nssa-abr Syntax Hierarchy Level

Release Information

Description


no-nssa-abr; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable exporting Type 7 link-state advertisements into not-so-stubby-areas (NSSAs) for an autonomous system boundary router (ASBR) or an area border router (ABR). routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



2807

®


no-psnp-authentication Syntax Hierarchy Level

Release Information


2808

no-psnp-authentication; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Suppress authentication check on partial sequence number PDU (PSNP) packets. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •




no-qos-adjust Syntax Hierarchy Level

Release Information

no-qos-adjust; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast interface interface-name reverse-oif-mapping], [edit logical-systems logical-system-name routing-options multicast interface interface-name], [edit logical-systems logical-system-name routing-options multicast interface interface-name reverse-oif-mapping], [edit routing-instances routing-instance-name routing-options multicast interface interface-name], [edit routing-instances routing-instance-name routing-options multicast interface interface-name reverse-oif-mapping], [edit routing-options multicast interface interface-name], [edit routing-options multicast interface interface-name reverse-oif-mapping]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement added to [edit routing-instances routing-instance-name routing-options multicast interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast interface interface-name],

and [edit routing-options multicast interface interface-name] hierarchy levels in Junos OS Release 9.6. Statement introduced in Junos OS Release 11.3 for the QFX Series. Description


Disable hierarchical bandwidth adjustment for all subscriber interfaces that are identified by their MLD or IGMP request from a specific multicast interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



2809

®


no-rfc-1583 Syntax Hierarchy Level

Release Information

Description


2810

no-rfc-1583; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Disable compatibility with RFC 1583, OSPF Version 2. If the same external destination is advertised by AS boundary routers that belong to different OSPF areas, disabling compatibility with RFC 1583 can prevent routing loops. Compatibility with RFC 1583 is enabled by default. routing—To view this statement in the configuration. routing-control-level—To add this statement to the configuration. •

Example: Disabling OSPFv2 Compatibility with RFC 1583



no-unicast-topology Syntax Hierarchy Level

Release Information


no-unicast-topology; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Exclude an interface from the IPv4 unicast topologies. IPv4 unicast topologies are disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



2811

®


no-validate Syntax Hierarchy Level

Release Information

Description

no-validate policy-name; [edit protocols bgp group group-name family (inet | inet flow)], [edit protocols bgp group group-name neighbor address family (inet | inet flow)], [edit routing-instances routing-instance-name protocols bgp group group-name family (inet | inet flow)], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address family (inet | inet flow)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. When BGP is carrying flow-specification network layer reachability information (NLRI) messages, the no-validate statement omits the flow route validation procedure after packets are accepted by a policy. The receiving BGP-enabled device accepts a flow route if it passes the following criteria: •

The originator of a flow route matches the originator of the best match unicast route for the destination address that is embedded in the route.

•

There are no more specific unicast routes, when compared to the destination address of the flow route, for which the active route has been received from a different next-hop autonomous system.

The first criterion ensures that the filter is being advertised by the next-hop used by unicast forwarding for the destination address embedded in the flow route. For example, if a flow route is given as 10.1.1.1, proto=6, port=80, the receiving BGP-enabled device selects the more specific unicast route in the unicast routing table that matches the destination prefix 10.1.1.1/32. On a unicast routing table containing 10.1/16 and 10.1.1/24, the latter is chosen as the unicast route to compare against. Only the active unicast route entry is considered. This follows the concept that a flow route is valid if advertised by the originator of the best unicast route. The second criterion addresses situations in which a given address block is allocated to different entities. Flows that resolve to a best-match unicast route that is an aggregate route are only accepted if they do not cover more specific routes that are being routed to different next-hop autonomous systems. You can bypass the validation process and use your own specific import policy. To disable the validation procedure and use an import policy instead, include the no-validate statement in the configuration. Flow routes configured for VPNs with family inet-vpn are not automatically validated, so the no-validate statement is not supported at the [edit protocols bgp group group-name family inet-vpn] hierarchy level. No validation is needed if the flow routes are configured locally between devices in a single AS.

2812




policy-name—Import policy to match NLRI messages.


Example: Configuring Flow Routes

node-link-protection Syntax Hierarchy Level

Release Information

Description


node-link-protection; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-routers logical-router-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable node-link protection on the specified IS-IS interface. Junos OS creates an alternate loop-free path to the primary next hop for all destination routes that traverse a protected interface. This alternate path avoids the primary next-hop routing device altogether and establishes a path through a different routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

link-protection on page 2758

•



2813

®


nssa Syntax

Hierarchy Level

Release Information

Description

nssa { area-range network/mask-length ; default-lsa { default-metric metric; metric-type type; type-7; } (no-summaries | summaries); } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3) area area-id], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Configure a not-so-stubby area (NSSA). An NSSA allows external routes to be flooded within the area. These routes are then leaked into other areas. You cannot configure an area as being both a stub area and an NSSA. The remaining statements are explained separately.


2814



•


•

stub on page 2899



options Syntax

Hierarchy Level

Release Information

options { syslog (level level | upto level level); } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]


Description

Configure the types of system logging messages sent about the routing protocols process to the system message logging file. These messages are also displayed on the system console. You can log messages at a particular level, or up to and including a particular level.

Options

level level—Severity of the message. It can be one or more of the following levels, in order

of decreasing urgency: •

alert—Conditions that should be corrected immediately, such as a corrupted system

database. •

critical—Critical conditions, such as hard drive errors.

•

debug—Software debugging messages.

•

emergency—Panic or other conditions that cause the system to become unusable.

•

error—Standard error conditions.

•

info—Informational messages.

•

notice—Conditions that are not error conditions, but might warrant special handling.

•

warning—System warning messages.

upto level level—Log all messages up to a particular level.



syslog in the Junos OS System Basics Configuration Guide


2815

®


ospf Syntax Hierarchy Level

Release Information

Description

ospf { ... } [edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable OSPF routing on the routing device. You must include the ospf statement to enable OSPF on the routing device.


2816

OSPF is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•

[edit protocols ospf] Hierarchy Level



ospf3 Syntax Hierarchy Level

Release Information

Description

ospf3 { ... } [edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable OSPFv3 routing on the routing device. You must include the ospf3 statement to enable OSPFv3.


OSPFv3 is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•

[edit protocols ospf3] Hierarchy Level


2817

®


out-delay Syntax Hierarchy Level

Release Information

Description

Default

Options

out-delay seconds; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify how long a route must be present in the Junos OS routing table before it is exported to BGP. Use this time delay to help bundle routing updates. If you omit this statement, routes are exported to BGP immediately after they have been added to the routing table. seconds—Output delay time.


2818





outbound-route-filter Syntax

Hierarchy Level

Release Information

outbound-route-filter { bgp-orf-cisco-mode; prefix-based { accept { (inet | inet6); } } } [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]


Description

Configure a BGP peer to accept outbound route filters from a remote peer.

Options

accept—Specify that outbound route filters from a BGP peer be accepted. inet—Specify that IPv4 prefix-based outbound route filters be accepted. inet6—Specify that IPv6 prefix-based outbound route filters be accepted.

NOTE: You can specify that both IPv4 and IPv6 outbound route filters be accepted.

prefix-based—Specify that prefix-based filters be accepted.

The bgp-orf-cisco-mode statement is explained separately. Required Privilege Level



2819

®



2820

•

Example: Configuring BGP Prefix-Based Outbound Route Filtering



overload Syntax

Hierarchy Level

Release Information

Description

overload { advertise-high-metrics; allow-route-leaking; timeout seconds; } [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the local routing device so that it appears to be overloaded. You might want to do this when you want the routing device to participate in IS-IS routing, but do not want it to be used for transit traffic. Note that traffic to immediately attached interfaces continues to transit the routing device. You can also advertise maximum link metrics in network layer reachability information (NLRI) instead of setting the overload bit.

NOTE: If the time elapsed after the IS-IS instance is enabled is less than the specified timeout, overload mode is set.

Options

advertise-high-metrics—Advertise maximum link metrics in NLRIs instead of setting the

overload bit. Default: With advertise-high-metrics configured, the routing device in overload mode stops leaking route information into the network. allow-route-leaking—Enable leaking of route information into the network even if the

overload bit is set.

NOTE: The allow-route-leaking option does not work if the routing device is in dynamic overload mode. Dynamic overload can occur if the device has exceeded its resource limits, such as the prefix limit.

timeout seconds—Number of seconds at which the overloading is reset.

Default: 0 seconds Range: 60 through 1800 seconds


2821

®



2822


Configuring IS-IS to Make Routing Devices Appear Overloaded



overload Syntax

Hierarchy Level

Release Information

Description

overload { timeout seconds; } [edit logical-systems logical-system-name protocols (oospf | ospf3)], [edit logical-systems logical-system-name protocols ospf topology (default | ipv4-multicast | name)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical systems logical-system-name routing-instances routing-instance-name protocols ospf topology (default | ipv4-multicast | name)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf topology (default | ipv4-multicast | name)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf topology (default | ipv4-multicast | name], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)],

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for Multitopology Routing introduced in Junos OS Release 9.0. Support for Multitopology Routing introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the local routing device so that it appears to be overloaded. You might do this when you want the routing device to participate in OSPF routing, but do not want it to be used for transit traffic.

NOTE: Traffic destined to directly attached interfaces continues to reach the routing device.

Options

timeout seconds—(Optional) Number of seconds at which the overloading is reset. If no

timeout interval is specified, the routing device remains in overload state until the overload statement is deleted or a timeout is set. Range: 60 through 1800 seconds Default: 0 seconds


2823

®


NOTE: Multitopology Routing does not support the timeout option.



Example: Configuring OSPF to Make Routing Devices Appear Overloaded

•


passive Syntax Hierarchy Level

Release Information

Description

Default


2824

passive; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the router so that active open messages are not sent to the peer. Once you configure the routing device to be passive, the routing device will wait for the peer to issue an open request before a message is sent. If you omit this statement, all explicitly configured peers are active, and each peer periodically sends open requests until its peer responds. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Preventing BGP Session Flaps When VPN Families Are Configured



passive Syntax Hierarchy Level

Release Information

Description

passive; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Advertise the direct interface addresses on an interface or into a level on the interface without actually running IS-IS on that interface or level. This statement effectively prevents IS-IS from running on the interface. To enable IS-IS on an interface, include the interface statement at the [edit protocols isis] or the [edit routing-instances routing-instance-name protocols isis] hierarchy level. To disable it, include the disable statement at those hierarchy levels. The three states—enabling, disabling, or not running IS-IS on an interface—are mutually exclusive.



disable

•



2825

®


passive Syntax

Hierarchy Level

Release Information

Description

passive { traffic-engineering { remote-node-id address; } } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. traffic-engineering and remote-node-id address statements introduced in Junos OS Release 8.0. traffic-engineering and remote-node-id address statements introduced in Junos OS Release 8.0 for EX Series switches. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Advertise the direct interface addresses on an interface without actually running OSPF on that interface. A passive interface is one for which the address information is advertised as an internal route in OSPF, but on which the protocol does not run. To configure an interface in OSPF passive traffic engineering mode, include the traffic-engineering statement. Configuring OSPF passive traffic engineering mode enables the dynamic discovery of OSPF AS boundary routers. Enable OSPF on an interface by including the interface statement at the [edit protocols (ospf | ospf3) area area-id] or the [edit routing-instances routing-instance-name protocols ospf area area-id] hierarchy levels. Disable it by including the disable statement, To prevent OSPF from running on an interface, include the passive statement. These three states are mutually exclusive.


2826





•

Example: Configuring a Passive OSPF Interface

•

Example: Configuring OSPF Passive Traffic Engineering Mode

•

disable on page 2682


2827

®


peer-as Syntax Hierarchy Level

Release Information

Description

peer-as autonomous-system; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the neighbor (peer) autonomous system (AS) number. For EBGP, the peer is in another AS, so the AS number you specify in the peer-as statement must be different from the local router’s AS number, which you specify in the autonomous-system statement. For IBGP, the peer is in the same AS, so the two AS numbers that you specify in the autonomous-system and peer-as statements must be the same. The AS numeric range in plain-number format has been extended in Junos OS Release 9.1 to provide BGP support for 4-byte AS numbers, as defined in RFC 4893, BGP Support for Four-octet AS Number Space. RFC 4893 introduces two new optional transitive BGP attributes, AS4_PATH and AS4_AGGREGATOR. These new attributes are used to propagate 4-byte AS path information across BGP speakers that do not support 4-byte AS numbers. RFC 4893 also introduces a reserved, well-known, 2-byte AS number, AS 23456. This reserved AS number is called AS_TRANS in RFC 4893. All releases of the Junos OS support 2-byte AS numbers. In Junos OS Release 9.2 and later, you can also configure a 4-byte AS number using the AS-dot notation format of two integer values joined by a period: .. For example, the 4-byte AS number of 65,546 in plain-number format is represented as 1.10 in the AS-dot notation format. With the introduction of 4-byte AS numbers, you might have a combination of routers that support 4-byte AS numbers and 2-byte AS numbers. For more information about what happens when establishing BGP peer relationships between 4-byte and 2-byte capable routers, see the following topics:

2828



Options

•

Establishing a Peer Relationship Between a 4-Byte Capable Router and a 2-Byte Capable Router Using a 2-Byte AS Number in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview.

•

Establishing a Peer Relationship Between a 4-Byte Capable Router and a 2-Byte Capable Router Using a 4-Byte AS Number in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview.

autonomous-system—AS number. 32

Range: 1 through 4,294,967,295 (2

– 1) in plain-number format for 4-byte AS numbers

Range: 1 through 65,535 in plain-number format for 2-byte AS numbers (this is a subset of the 4-byte range) Range: 0.0 through 65535.65535 in AS-dot notation format for 4-byte AS numbers Required Privilege Level Related Documentation



•

4-Byte Autonomous System Numbers Overview in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview

•

Juniper Networks Implementation of 4-Byte Autonomous System Numbers in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview


2829

®


pim-to-igmp-proxy Syntax

Hierarchy Level

Release Information

Description

pim-to-igmp-proxy { upstream-interface [ interface-names ]; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the rendezvous point (RP) routing device that resides between a customer edge-facing Protocol Independent Multicast (PIM) domain and a core-facing PIM domain to translate PIM join or prune messages into corresponding Internet Group Management Protocol (IGMP) report or leave messages. The routing device then transmits the report or leave messages by proxying them to one or two upstream interfaces that you configure on the RP routing device. Including the pim-to-igmp-proxy statement enables you to use IGMP to forward IPv4 multicast traffic across the PIM sparse mode domains. The remaining statement is explained separately.


2830


Configuring PIM-to-IGMP Message Translation



pim-to-mld-proxy Syntax

Hierarchy Level

Release Information

Description

pim-to-mld-proxy { upstream-interface [ interface-names ]; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 9.6 for EX Series switches. Configure the rendezvous point (RP) routing device that resides between a customer edge–facing Protocol Independent Multicast (PIM) domain and a core-facing PIM domain to translate PIM join or prune messages into corresponding Multicast Listener Discovery (MLD) report or leave messages. The routing device then transmits the report or leave messages by proxying them to one or two upstream interfaces that you configure on the RP routing device. Including the pim-to-mld-proxy statement enables you to use MLD to forward IPv6 multicast traffic across the PIM sparse mode domains. The remaining statement is explained separately.



Configuring PIM-to-MLD Message Translation


2831

®


point-to-point Syntax Hierarchy Level

Release Information


2832

point-to-point; [edit logical-systems logical-system-name protocols isis interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name], [edit protocols isis interface interface-name], [edit routing-instances routing-instance-name protocols isis interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure an IS-IS interface to behave like a point-to-point connection. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Configuring Point-to-Point Interfaces for IS-IS



policy Syntax Hierarchy Level

Release Information

Description

policy policy-name; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate) (defaults | route)], [edit routing-options (aggregate | generate) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Associate a routing policy when configuring an aggregate or generated route’s destination prefix in the routes part of the aggregate or generate statement. This provides the equivalent of an import routing policy filter for the destination prefix. That is, each potential contributor to an aggregate route, along with any aggregate options, is passed through the policy filter. The policy then can accept or reject the route as a contributor to the aggregate route. If the contributor is accepted, the policy can modify the default preferences. The contributor with the numerically smallest prefix becomes the most preferred, or primary, contributor. A rejected contributor still can contribute to a less specific aggregate route. If you do not specify a policy filter, all candidate routes contribute to an aggregate route. The following algorithm is used to compare two generated contributing routes in order to determine which one is the primary or preferred contributor: 1.

Compare the protocol’s preference of the contributing routes. The lower the preference, the better the route. This is similar to the comparison that is done while determining the best route for the routing table.

2. Compare the protocol’s preference2 of the contributing routes. The lower preference2

value is better. If only one route has preference2, then this route is preferred. 3. The preference values are the same. Proceed with a numerical comparison of the

prefixes’ values. a. The primary contributor is the numerically smallest prefix value. b. If the two prefixes are numerically equal, the primary contributor is the route that has the smallest prefix length value.


2833

®


At this point, the two routes are the same. The primary contributor does not change. An additional next hop is available for the existing primary contributor. A rejected contributor still can contribute to less specific generated route. If you do not specify a policy filter, all candidate routes contribute to a generated route. Options Required Privilege Level Related Documentation

policy-name—Name of a routing policy.



•


•


•


policy (Flow Maps) Syntax Hierarchy Level

Release Information

Description Options Required Privilege Level

2834

policy [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit logical-systems logical-system-name routing-options multicast flow-map flow-map-name], [edit routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit routing-options multicast flow-map flow-map-name]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a flow map policy. policy-names—Name of one or more policies for flow mapping.

routing—To view this statement in the configuration.



policy (SSM Maps) Syntax Hierarchy Level

Release Information


policy [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast ssm-map ssm-map-name], [edit logical-systems logical-system-name routing-options multicast ssm-map ssm-map-name], [edit routing-instances routing-instance-name routing-options multicast ssm-map ssm-map-name], [edit routing-options multicast ssm-map ssm-map-name]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Apply one or more policies to an SSM map. policy-names—Name of one or more policies for SSM mapping.

routing—To view this statement in the configuration. routing-control—To view this statement in the configuration. •

Example: Configuring SSM Mapping


2835

®


ppm Syntax


Description

ppm { centralized; } [edit protocols lacp]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Statement introduced in Junos OS Release 12.1 for T Series devices. Configure PPM processing options for Link Aggregation Control Protocol (LACP) packets. This command configures the PPM processing options for LACP packets only. You can disable distributed PPM processing for all packets that use PPM and run all PPM processing on the Routing Engine by configuring the no-delegate-processing configuration statement in the [edit routing-options ppm] statement hierarchy.


2836

Distributed PPM processing is enabled for all packets that use PPM. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•




ppm Syntax

Hierarchy Level

Release Information

Description

ppm { no-delegate-processing; } [edit logical-systems logical-system-name routing-options], [edit routing-options]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 10.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. no-delegate-processing statement introduced in Junos OS Release 9.4. no-delegate-processing statement introduced in Junos OS Release 10.2 for EX Series switches. (M120, M320, MX Series, T Series, TX Matrix routers, M7i and M10i routers with Enhanced CFEB [CFEB-E], EX Series switches, and QFX Series only) Disable distributed periodic packet management (PPM) to the Packet Forwarding Engine (on routers), to access ports (on EX3200 and EX4200 switches, and QFX Series), or to line cards (on EX6200 and EX8200 switches). After you disable PPM, PPM processing continues to run on the Routing Engine.

Default Options

Distributed PPM processing is enabled for all protocols that use PPM. no-delegate-processing—Disable PPM to the Packet Forwarding Engine, access ports, or

line cards. Distributed PPM is enabled by default. Required Privilege Level Related Documentation



•



2837

®


preference Syntax Hierarchy Level

Release Information

Description

preference preference; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the preference for routes learned from BGP. At the BGP global level, the preference statement sets the preference for routes learned from BGP. You can override this preference in a BGP group or peer preference statement. At the group or peer level, the preference statement sets the preference for routes learned from the group or peer. Use this statement to override the preference set in the BGP global preference statement when you want to favor routes from one group or peer over those of another.

Options

preference—Preference to assign to routes learned from BGP or from the group or peer. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: 170 for the primary preference Required Privilege Level Related Documentation

2838


local-preference on page 2765

•

Example: Configuring the Preference Value for BGP Routes




Release Information

Description Options

preference preference; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the preference of internal routes. preference—Preference value. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: 15 (for Level 1 internal routes), 18 (for Level 2 internal routes), 160 (for Level 1 external routes), 165 (for Level 2 external routes) Required Privilege Level Related Documentation


external-preference on page 2693

•



2839

®



Release Information

Description Options

preference preference; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Set the route preference for OSPF internal routes. preference—Preference value. 32

Range: 0 through 4,294,967,295 (2

– 1)


2840


Example: Controlling OSPF Route Preferences

•

external-preference on page 2694




Release Information

Description

Options

preference preference; [edit logical-systems logical-system-name protocols rip group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name], [edit protocols rip group group-name], [edit routing-instances routing-instance-name protocols rip group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the preference of external routes learned by RIP as compared to those learned from other routing protocols. preference—Preference value. A lower value indicates a more preferred route. 32

Range: 0 through 4,294,967,295 (2

– 1)





2841

®



Release Information

Description

Options

preference preference; [edit logical-systems logical-system-name protocols ripng group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name], [edit protocols ripng group group-name], [edit routing-instances routing-instance-name protocols ripng group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Specify the preference of external routes learned by RIPng as compared to those learned from other routing protocols. preference—Preference value. A lower value indicates a more preferred route. 32

Range: 0 through 4,294,967,295 (2

– 1)


2842






Release Information

Description

(preference | preference2 | color | color2) preference ; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-options (aggregate | generate | static) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Preference value for a static, aggregate, or generated route. You also can specify a secondary preference value (preference2), as well as colors, which are even finer-grained preference values (color and color2). If the Junos OS routing table contains a dynamic route to a destination that has a better (lower) preference value than the static, aggregate, or generated route, the dynamic route is chosen as the active route and is installed in the forwarding table.

Options

preference—Preference value. A lower number indicates a more preferred route. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: 5 (for static routes), 130 (for aggregate and generated routes) type type—(Optional) Type of route.




•


•


•


•


•

static on page 2893


2843

®


prefix Syntax Hierarchy Level

Release Information


prefix destination-prefix; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast scope scope-name], [edit logical-systems logical-system-name routing-options multicast scope scope-name], [edit routing-instances routing-instance-name routing-options multicast scope scope-name], [edit routing-options multicast scope scope-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the prefix for multicast scopes. destination-prefix—Address range for the multicast scope.


Examples: Configuring Administrative Scoping

•

multicast on page 2791

prefix-export-limit Syntax Hierarchy Level

Release Information

Description Options

prefix-export-limit number; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure a limit to the number of prefixes exported into IS-IS. number—Prefix limit. 32


2844

– 1)


Limiting the Number of Prefixes Exported to IS-IS



prefix-export-limit Syntax Hierarchy Level

Release Information

Description Options

prefix-export-limit number; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf topology (default | ipv4-multicast | name)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf topology (default | ipv4-multicast | name)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf topology (default | ipv4-multicast | name)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf topology (default | ipv4-multicast | name)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for Multitopology Routing introduced in Junos OS Release 9.0. Support for Multitopology Routing introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a limit to the number of prefixes exported into OSPF. number—Prefix limit. 32

Range: 0 through 4,294,967,295 (2

– 1)

Default: None Required Privilege Level Related Documentation


Example: Limiting the Number of Prefixes Exported to OSPF

•



2845

®


prefix-limit Syntax

Hierarchy Level

Release Information

Description

Options

prefix-limit { maximum number; teardown ; } [edit logical-systems logical-system-name protocols bgp family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit logical-systems logical-system-name protocols bgp group group-name family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit protocols bgp family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit protocols bgp group group-name family (inet | inet6) (any | labeled-unicast | multicast | unicast)], [edit protocols bgp group group-name neighbor address family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit routing-instances routing-instance-name protocols bgp family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit routing-instances routing-instance-name protocols bgp group group-name family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address family (inet | inet6) (any | flow | labeled-unicast | multicast | unicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Limit the number of prefixes received on a BGP peer session and a rate-limit logging when injected prefixes exceed a set limit. maximum number—When you set the maximum number of prefixes, a message is logged

when that number is exceeded. 32

Range: 1 through 4,294,967,295 (2

– 1)

teardown —If you include the teardown statement, the session is torn down

when the maximum number of prefixes is reached. If you specify a percentage, messages are logged when the number of prefixes exceeds that percentage. After the session is torn down, it is reestablished in a short time unless you include the idle-timeout statement. Then the session can be kept down for a specified amount of time, or forever. If you specify forever, the session is reestablished only after you issue a clear bgp neighbor command. Range: 1 through 100

2846



idle-timeout (forever | timeout-in-minutes)—(Optional) If you include the idle-timeout

statement, the session is torn down for a specified amount of time, or forever. If you specify a period of time, the session is allowed to reestablish after this timeout period. If you specify forever, the session is reestablished only after you intervene with a clear bgp neighbor command. Range: 1 through 2400 Required Privilege Level Related Documentation


accepted-prefix-limit

•



Release Information

Description

priority number; [edit logical-systems logical-system-name protocols isis interface interface-name level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis interface interface-name level level-number], [edit protocols isis interface interface-name level level-number], [edit routing-instances routing-instance-name protocols isis interface interface-name level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. The interface’s priority for becoming the designated router. The interface with the highest priority value becomes that level’s designated router. The priority value is meaningful only on a multiaccess network. It has no meaning on a point-to-point interface.

Options

number—Priority value.





2847

®



Release Information

Description

Options

priority number; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify the routing device’s priority for becoming the designated routing device. The routing device that has the highest priority value on the logical IP network or subnet becomes the network’s designated router. You must configure at least one routing device on each logical IP network or subnet to be the designated router. You also should specify a routing device’s priority for becoming the designated router on point-to-point interfaces. number—Routing device’s priority for becoming the designated router. A priority value

of 0 means that the routing device never becomes the designated router. A value of 1 means that the routing device has the least chance of becoming a designated router. Range: 0 through 255 Default: 128 Required Privilege Level Related Documentation

2848


OSPF Designated Router Overview

•

Example: Controlling OSPF Designated Router Election



qualified-next-hop Syntax

qualified-next-hop (address | interface-name) { bfd-liveness-detection { authentication { algorithm (keyed-md5 | keyed-sha-1 | meticulous-keyed-md5 | meticulous-keyed-sha-1 | simple-password); key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } holddown-interval milliseconds; minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); } interface interface-name; metric metric; preference preference; }

Hierarchy Level

[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static route destination-prefix], [edit logical-systems logical-system-name routing-options rib inet6.0 static route destination-prefix], [edit logical-systems logical-system-name routing-options static route destination-prefix], [edit routing-instances routing-instance-name routing-options static route destination-prefix], [edit routing-options rib inet6.0 static route destination-prefix], [edit routing-options static route destination-prefix]

Release Information

Description

Options

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a static route with multiple possible next hops, each of which can have its own preference value, IGP metric that is used when the route is exported into an IGP, and Bidirectional Forwarding Detection (BFD) settings. If multiple links are operational, the one with the most preferred next hop is used. The most preferred next hop is the one with the lowest preference value. address—IPv4, IPv6, or ISO network address of the next hop. interface-name—Name of the interface on which to configure an independent metric or

preference for a static route. To configure an unnumbered Ethernet interface as the


2849

®


next-hop interface for a static route, specify qualified-next-hop interface-name, where interface-name is the name of the IPv4 or IPv6 unnumbered Ethernet interface. The remaining statements are explained separately. Required Privilege Level Related Documentation

2850


Example: Configuring Static Route Preferences and Qualified Next Hops

•

Example: Enabling BFD on Qualified Next Hops in Static Routes



readvertise Syntax Hierarchy Level

Release Information

Description

(readvertise | no-readvertise); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-options static (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit routing-instances routing-instance-name routing-options static (defaults | route)], [edit routing-options rib routing-table-name static (defaults | route)], [edit routing-options static (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure whether static routes are eligible to be readvertised by routing protocols:

Default

Static routes are eligible to be readvertised (that is, exported from the routing table into dynamic routing protocols) if a policy to do so is configured. To mark an IPv4 static route as being ineligible for readvertisement, include the no-readvertise statement.

Options

readvertise—Readvertise static routes. Include the readvertise statement when configuring

an individual route in the route portion of the static statement to override a no-readvertise option specified in the defaults portion of the statement. no-readvertise—Mark a static route as being ineligible for readvertisement. Include the no-readvertise option when configuring the route.



Example: Controlling Static Routes in Routing and Forwarding Tables

•

static on page 2893


2851

®


realm Syntax

Hierarchy Level

Release Information

Description

Options

realm (ipv4-unicast | ipv4-multicast | ipv6-unicast) { area area-id { interface interface-name; } } [edit logical-systems logical-system-name protocols ospf3], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3], [edit protocols ospf3], [edit routing-instances routing-instance-name protocols ospf3]

Statement introduced in Junos OS Release 9.2. Statement introduced in Junos OS Release 9.2 for EX Series switches. Configure OSPFv3 to advertise address families other than unicast IPv6. Junos OS maps each address family you configure to a separate realm with its own set of neighbors and link-state database. ipv4-unicast—Configure a realm for IPv4 unicast routes. ipv4-multicast—Configure a realm for IPv4 multicast routes. ipv6-multicast—Configure a realm for IPv6 multicast routes.


2852


Example: Configuring Multiple Address Families for OSPFv3



receive Syntax Hierarchy Level

Release Information

Description Options

receive receive-options; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure RIP receive options. receive-options—One of the following: •

both—Accept both RIP version 1 and version 2 packets.

•

none—Do not receive RIP packets.

•

version-1—Accept only RIP version 1 packets.

•

version-2—Accept only RIP version 2 packets.

Default: both Required Privilege Level Related Documentation


send on page 2884

•

Example: Configuring the Sending and Receiving of RIPv1 and RIPv2 Packets


2853

®


receive Syntax Hierarchy Level

Release Information

Description Options

receive ; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name protocols ripng group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name], [edit protocols ripng], [edit protocols ripng group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols ripng], [edit routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Enable or disable receiving of update messages. none—(Optional) Disable receiving update messages.

Default: Enabled Required Privilege Level Related Documentation

2854


send on page 2885

•

OBSOLETE - Configuring RIPng Update Messages



redundant-sources Syntax Hierarchy Level

Release Information

Description Options

redundant-sources [ addresses ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit logical-systems logical-system-name routing-options multicast flow-map flow-map-name], [edit routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit routing-options multicast flow-map flow-map-name]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a list of redundant sources for multicast flows defined by a flow map. addresses—List of IPv4 or IPv6 addresses for use as redundant (backup) sources for

multicast flows defined by a flow map. Required Privilege Level Related Documentation




2855

®


reference-bandwidth Syntax Hierarchy Level

Release Information

Description

reference-bandwidth reference-bandwidth; [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Set the reference bandwidth used in calculating the default interface cost. The cost is calculated using the following formula: cost = reference-bandwidth/bandwidth

Options

reference-bandwidth—Reference bandwidth value in bits per second.

Default: None Range: 9600 through 1,000,000,000,000 bps Required Privilege Level Related Documentation

2856


Configuring the Reference Bandwidth Used in IS-IS Metric Calculations



reference-bandwidth Syntax Hierarchy Level

Release Information

Description

reference-bandwidth reference-bandwidth; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Set the reference bandwidth used in calculating the default interface cost. The cost is calculated using the following formula: cost = ref-bandwidth/bandwidth

Options

reference-bandwidth—Reference bandwidth, in bits per second.

Range: 9600 through 1,000,000,000,000 bits Default: 100 Mbps (100,000,000 bits)

NOTE: The default behavior is to use the reference-bandwidth value to calculate the cost of OSPF interfaces. You can override this behavior for any OSPF interface by configuring a specific cost with the metric statement.



Example: Controlling the Cost of Individual OSPF Network Segments

•

metric on page 2780


2857

®


remove-private Syntax Hierarchy Level

Release Information

Description

remove-private; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. When advertising AS paths to remote systems, have the local system strip private AS numbers from the AS path. The numbers are stripped from the AS path starting at the left end of the AS path (the end where AS paths have been most recently added). The routing device stops searching for private ASs when it finds the first nonprivate AS or a peer’s private AS. If the AS path contains the AS number of the external BGP (EBGP) neighbor, BGP does not remove the private AS number.

NOTE: As of Junos OS 10.0R2 and higher, if there is a need to send prefixes to an EBGP peer that has an AS number that matches an AS number in the AS path, consider using the as-override statement instead of the remove-private statement.

The operation takes place after any confederation member ASs have already been removed from the AS path, if applicable. The Junos OS recognizes the set of AS numbers that is considered private, a range that is defined in the Internet Assigned Numbers Authority (IANA) assigned numbers document. The set of reserved AS numbers is in the range from 64,512 through 65,535. Required Privilege Level

2858





•

Example: Removing Private AS Numbers from AS Paths

resolution Syntax

Hierarchy Level

Release Information

Description

resolution { rib routing-table-name { import [ policy-names ]; resolution-ribs [ routing-table-names ]; } } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure route resolution. The remaining statements are explained separately.





2859

®


resolution-ribs Syntax Hierarchy Level

Release Information


2860

resolution-ribs [ routing-table-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options resolution rib], [edit logical-systems logical-system-name routing-options resolution rib], [edit routing-instances routing-instance-name routing-options resolution rib], [edit routing-options resolution rib]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify one or more routing tables to use for route resolution. routing-table-names—Name of one or more routing tables.





resolve Syntax Hierarchy Level

Release Information

Description


resolve; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-options static (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit routing-instances routing-instance-name routing-options static (defaults | route)], [edit routing-options rib routing-table-name static (defaults | route)], [edit routing-options static (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Statically configure routes to be resolved to a next hop that is not directly connected. The route is resolved through the inet.0 and inet.3 routing tables. Static routes can point only to a directly connected next hop. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

static on page 2893


2861

®


restart-duration Syntax Hierarchy Level

Release Information

Description Options

restart-duration seconds; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options graceful-restart], [edit logical-systems logical-system-name routing-options graceful-restart], [edit routing-instances routing-instance-name routing-options graceful-restart], [edit routing-options graceful-restart]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the restart timer for graceful restart. seconds—Configure the time period for the restart to last.


2862





retain Syntax Hierarchy Level

Release Information

(no-retain | retain); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options static (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name static (defaults | route)], [edit logical-systems logical-system-name routing-options static (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name static (defaults | route)], [edit routing-instances routing-instance-name routing-options static (defaults | route)], [edit routing-options rib routing-table-name static (defaults | route)], [edit routing-options static (defaults | route)]


Description

Configure statically configured routes to be deleted from or retained in the forwarding table when the routing protocol process shuts down normally:

Default

Statically configured routes are deleted from the forwarding table when the routing protocol process shuts down normally. Doing this greatly reduces the time required to restart a system that has a large number of routes in its routing table.

Options

no-retain—Delete statically configured routes from the forwarding table when the routing

protocol process shuts down normally. To explicitly specify that routes be deleted from the forwarding table, include the no-retain statement. Include this statement when configuring an individual route in the route portion of the static statement to override a retain option specified in the defaults portion of the statement. retain—Have a static route remain in the forwarding table when the routing protocol

process shuts down normally. Doing this greatly reduces the time required to restart a system that has a large number of routes in its routing table. Required Privilege Level Related Documentation



•

static on page 2893


2863

®


retransmit-interval Syntax Hierarchy Level

Release Information

Description

Options

retransmit-interval seconds; [edit logical-systems logical-system-name protocols ospf area area-id peer-interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols ospf area area-id peer-interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id virtual-link], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id interface interface-name], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id virtual-link], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify how long the routing device waits to receive a link-state acknowledgment packet before retransmitting link-state advertisements (LSAs) to an interface’s neighbors. seconds—Interval to wait.

Range: 1 through 65,535 seconds Default: 5 seconds

NOTE: You must configure LSA retransmit intervals to be equal to or greater than 3 seconds to avoid triggering a retransmit trap, because Junos OS delays LSA acknowledgments by up to 2 seconds.

2864






reverse-oif-mapping Syntax

Hierarchy Level

Release Information

Description

reverse-oif-mapping { no-qos-adjust; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast interface interface-name], [edit logical-systems logical-system-name routing-options multicast interface interface-name], [edit routing-instances routing-instance-name routing-options multicast interface interface-name], [edit routing-options multicast interface interface-name]

Statement introduced in Junos OS Release 9.2. Statement introduced in Junos OS Release 9.2 for EX Series switches. The no-qos-adjust statement added in Junos OS Release 9.5. The no-qos-adjust statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable the routing device to identify a subscriber VLAN or interface based on an IGMP or MLD request it receives over the multicast VLAN. The remaining statement is explained separately.





2865

®


rib (General) Syntax

Hierarchy Level

Release Information

Description

rib routing-table-name { aggregate { defaults { ... aggregate-options ... } route destination-prefix { policy policy-name; ... aggregate-options ... } generate { defaults { generate-options; } route destination-prefix { policy policy-name; generate-options; } } martians { destination-prefix match-type ; } } static { defaults { static-options; } rib-group group-name; route destination-prefix { next-hop; static-options; } } } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Create a routing table. Explicitly creating a routing table with routing-table-name is optional if you are not adding any static, martian, aggregate, or generated routes to the routing table and if you also are creating a routing table group.

2866



NOTE: The IPv4 multicast routing table (inet.1) and the IPv6 multicast routing table (inet6.1) are not supported for this statement.

Default

Options

If you do not specify a routing table name with the routing-table-name option, the software uses the default routing tables, which are inet.0 for unicast routes and inet.1 for the multicast cache. routing-table-name—Name of the routing table, in the following format: protocol [.identifier].

In a routing instance, the routing table name must include the routing instance name. For example, if the routing instance name is link0, the routing table name might be link0.inet6.0. •

protocol is the protocol family. It can be inet6 for the IPv6 family, inet for the IPv4 family, iso for the ISO protocol family, or instance-name.iso.0 for an ISO routing instance.

•

identifier is a positive integer that specifies the instance of the routing table.

Default: inet.0 The remaining statements are explained separately. Required Privilege Level Related Documentation


Example: Creating Routing Tables

•

passive


2867

®


rib (Route Resolution) Syntax

Hierarchy Level

Release Information

Description

rib routing-table-name { import [ policy-names ]; resolution-ribs [ routing-table-names ]; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options resolution], [edit logical-systems logical-system-name routing-options resolution], [edit routing-instances routing-instance-name routing-options resolution], [edit routing-options resolution]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify a routing table name for route resolution. The remaining statements are explained separately.


2868





rib-group Syntax Hierarchy Level

Release Information

Description Options

rib-group group-name; [edit logical-systems logical-system-name protocols bgp family inet (any | labeled-unicast | unicast | multicast)], [edit logical-systems logical-system-name protocols bgp group group-name family inet (any | labeled-unicast | unicast | multicast)], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address family inet (any | labeled-unicast | unicast | multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp family inet (any | labeled-unicast | unicast | multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name family inet (any | labeled-unicast | unicast | multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address family inet (any | labeled-unicast | unicast | multicast)], [edit protocols bgp family inet (any | labeled-unicast | unicast | multicast)], [edit protocols bgp group group-name family inet (any | labeled-unicast | unicast | multicast)], [edit protocols bgp group group-name neighbor address family inet (any | labeled-unicast | unicast | multicast)], [edit routing-instances routing-instance-name protocols bgp family inet (any | labeled-unicast | unicast | multicast)], [edit routing-instances routing-instance-name protocols bgp group group-name family inet (any | labeled-unicast | unicast | multicast)], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address family inet (any | labeled-unicast | unicast | multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Add unicast prefixes to unicast and multicast tables. group-name—Name of the routing table group. The name must start with a letter and

can include letters, numbers, and hyphens. You generally specify only one routing table group. Required Privilege Level Related Documentation


interface-routes on page 2747

•

rib-group on page 2873

•


•


•



2869

®


rib-group Syntax

Hierarchy Level

Release Information

Description

rib-group { inet group-name; inet6 group-name; } [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Install routes learned from IS-IS routing instances into routing tables in the IS-IS routing table group. You can install IPv4 routes or IPv6 routes. Support for IPv6 routing table groups in IS-IS enables IPv6 routes that are learned from IS-IS routing instances to be installed into other routing tables defined in an IS-IS routing table group.

Options

group-name—Name of the routing table group. inet—Install IPv4 IS-IS routes. inet6—Install IPv6 IS-IS routes.


2870



•


•





Release Information

Description


rib-group group-name; [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Install routes learned from OSPF routing instances into routing tables in the OSPF routing table group. group-name—Name of the routing table group.



•


•


•


•



2871

®



Release Information


2872

rib-group group-name; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit protocols rip], [edit routing-instances routing-instance-name protocols rip]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Install RIP routes into multiple routing tables by configuring a routing table group. group-name—Name of the routing table group.


Example: Redistributing Routes Between Two RIP Instances




Release Information

Description Options

rib-group group-name; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options interface-routes], [edit logical-systems logical-system-name routing-options interface-routes], [edit logical-systems logical-system-name routing-options rib routing-table-name static], [edit logical-systems logical-system-name routing-options static], [edit routing-instances routing-instance-name routing-options interface-routes], [edit routing-options interface-routes], [edit routing-options rib routing-table-name static], [edit routing-options static]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure which routing table groups interface routes are imported into. group-name—Name of the routing table group. The name must start with a letter and

can include letters, numbers, and hyphens. It generally does not make sense to specify more than a single routing table group. Required Privilege Level Related Documentation



•


•


•

rib-groups on page 2874


2873

®


rib-groups Syntax

Hierarchy Level

Release Information

Description

rib-groups { group-name { export-rib group-name; import-policy [ policy-names ]; import-rib [ group-names ]; } } [edit logical-systems logical-system-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Group one or more routing tables to form a routing table group. A routing protocol can import routes into all the routing tables in the group and can export routes from a single routing table. Each routing table group must contain one or more routing tables that Junos OS uses when importing routes (specified in the import-rib statement) and optionally can contain one routing table group that Junos OS uses when exporting routes to the routing protocols (specified in the export-rib statement). The first routing table you specify is the primary routing table, and any additional routing tables are the secondary routing tables. The primary routing table determines the address family of the routing table group. To configure an IP version 4 (IPv4) routing table group, specify inet.0 as the primary routing table. To configure an IP version 6 (IPv6) routing table group, specify inet6.0 as the primary routing table. If you configure an IPv6 routing table group, the primary and all secondary routing tables must be IPv6 routing tables (inet6.x). In Junos OS Release 9.5 and later, you can include both IPv4 and IPv6 routing tables in an IPv4 import routing table group using the import-rib statement. In releases prior to Junos OS Release 9.5, you can only include either IPv4 or IPv6 routing tables in the same import-rib statement. The ability to configure an import routing table group with both IPv4 and IPv6 routing tables enables you, for example, to populate the inet6.3 routing table with IPv6 addresses that are compatible with IPv4. Specify inet.0 as the primary routing table, and specify inet6.3 as a secondary routing table.


2874



NOTE: If you configure an import routing table group that includes both IPv4 and IPv6 routing tables, any corresponding export routing table group must include only IPv4 routing tables.

If you have configured a routing table, configure the OSPF primary instance at the [edit protocols ospf] hierarchy level with the statements needed for your network so that routes are installed in inet.0 and in the forwarding table. Make sure to include the routing table group. For more information, see Example: Configuring Multiple Routing Instances of OSPF. After specifying the routing table from which to import routes, you can apply one or more policies to control which routes are installed in the routing table group. To apply a policy to routes being imported into the routing table group, include the import-policy statement. Options

group-name—Name of the routing table group. The name must start with a letter and

can include letters, numbers, and hyphens. The remaining statements are explained separately. Required Privilege Level Related Documentation



•



2875

®


rip Syntax Hierarchy Level

Release Information


rip {...} [edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable RIP routing on the routing device. RIP is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Minimum RIP Configuration

ripng Syntax Hierarchy Level

Release Information


2876

ripng {...} [edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Enable RIPng routing on the routing device. RIPng is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

OBSOLETE - Minimum RIPng Configuration



route-distinguisher-id Syntax Hierarchy Level

Release Information

Description


route-distinguisher-id address; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a route distinguisher identifier for a routing instance, specifying an IP address. If a route distinguisher is configured for a particular routing instance, that value supersedes the route distinguisher configured by this statement. address—IP address.


Example: BGP Route Target Filtering for VPNs

route-record Syntax Hierarchy Level

Release Information

Description

route-record; [edit logical-systems logical-system-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Export the AS path and routing information to the traffic sampling process. Before you can perform flow aggregation, the routing protocol process must export the AS path and routing information to the sampling process.



Enabling Flow Aggregation

•



2877

®


route-timeout Syntax Hierarchy Level

Release Information

Description Options

route-timeout seconds; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name], [edit protocols rip], [edit protocols rip group group-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the route timeout interval for RIP. seconds—Estimated time to wait before making updates to the routing table.


2878



•

RIP Demand Circuits Overview



route-timeout Syntax Hierarchy Level

Release Information

Description Options

route-timeout seconds; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit protocols ripng], [edit routing-instances routing-instance-name protocols ripng]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Configure the route timeout interval for RIPng. seconds—Estimated time to wait before making updates to the routing table.



Example: Configuring RIPng Timers

route-type-community Syntax Hierarchy Level

Release Information

Description

Options

route-type-community (iana | vendor); [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify an extended community value to encode the OSPF route type. Each extended community is coded as an eight-octet value. This statement sets the most significant bit to either an IANA or vendor-specific route type. iana—Encode a route type with the value 0x0306. This is the default value. vendor—Encode the route type with the value 0x8000.





2879

®


router-id Syntax Hierarchy Level

Release Information

Description

router-id address; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit routing-instances routing-instance-name routing-options], [edit routing-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the routing device’s IP address. The router identifier is used by BGP and OSPF to identify the routing device from which a packet originated. The router identifier usually is the IP address of the local routing device. If you do not configure a router identifier, the IP address of the first interface to come online is used. This is usually the loopback interface. Otherwise, the first hardware interface with an IP address is used.

NOTE: We strongly recommend that you configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

Options

address—IP address of the routing device.

Default: Address of the first interface encountered by Junos OS Required Privilege Level Related Documentation

2880


Examples: Configuring External BGP Peering

•

Examples: Configuring Internal BGP Peering



routing-options Syntax Hierarchy Level

Release Information


routing-options { ... } [edit], [edit logical-systems logical-system-name], [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit routing-instances routing-instance-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure protocol-independent routing properties. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Protocol-Independent Routing Properties Configuration Statements

rpf-check-policy Syntax Hierarchy Level

Release Information

Description


rpf-check-policy [ policy-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply policies for disabling RPF checks on arriving multicast packets. The policies must be correctly configured. policy-names—Name of one or more multicast RPF check policies.


Example: Configuring RPF Policies


2881

®


scope Syntax

Hierarchy Level

Release Information

Description Options

scope scope-name { interface [ interface-names ]; prefix destination-prefix; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure multicast scoping. scope-name—Name of the multicast scope.


2882


Example: Creating a Named Scope for Multicast Scoping



scope-policy Syntax Hierarchy Level

scope-policy [ policy-names ]; [edit logical-systems logical-system-name routing-options multicast], [edit routing-options multicast]

NOTE: You can configure a scope policy at these two hierarchy levels only. You cannot apply a scope policy to a specific routing instance, because all scoping policies are applied to all routing instances. However, you can apply the scope statement to a specific routing instance at the [edit routing-instances routing-instance-name routing-options multicast] or [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast] hierarchy level.

Release Information

Description


Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply policies for scoping. The policy must be correctly configured at the edit policy-options policy-statement hierarchy level. policy-names—Name of one or more multicast scope policies.


scope on page 2882

•

Example: Using a Scope Policy for Multicast Scoping


2883

®


send Syntax Hierarchy Level

Release Information

Description Options

send send-options; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name protocols rip group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name], [edit protocols rip], [edit protocols rip group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols rip], [edit routing-instances routing-instance-name protocols rip group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure RIP send options. send-options—One of the following: •

broadcast—Broadcast RIP version 2 packets (RIP version 1 compatible).

•

multicast—Multicast RIP version 2 packets. This is the default.

•

none—Do not send RIP updates.

•

version-1—Broadcast RIP version 1 packets.

Default: multicast Required Privilege Level Related Documentation

2884


receive on page 2853

•

Example: Configuring the Sending and Receiving of RIPv1 and RIPv2 Packets



send Syntax Hierarchy Level

Release Information

Description Options

send ; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name protocols ripng group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instances-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name], [edit protocols ripng], [edit protocols ripng group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols ripng], [edit routing-instances routing-instance-name protocols ripng group group-name neighbor neighbor-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Enable or disable sending of update messages. none—(Optional) Disable sending of update messages.

Default: Enabled Required Privilege Level Related Documentation


receive on page 2854

•

OBSOLETE - Configuring RIPng Update Messages


2885

®


shortcuts Syntax

Hierarchy Level

shortcuts { lsp-metric-into-summary; } [edit logical-systems logical-system-name protocols (ospf | ospf3) traffic-engineering], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) traffic-engineering], [edit protocols (ospf | ospf3) traffic-engineering], [edit routing-instances routing-instance-name protocols (ospf | ospf3)traffic-engineering]

Release Information

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for OSPFv3 (ospf3) introduced in Junos OS Release 9.4. Support for OSPFv3 (ospf3) introduced in Junos OS Release 9.4 for EX Series switches.

Description

Configure OSPF to use MPLS label-switched paths (LSPs) as shortcut next hops. By default, shortcut routes calculated through OSPFv2 are installed in the inet.3 routing table, and shortcut routes calculated through OSPFv3 are installed in the inet6.3 routing table.


2886





source Syntax Hierarchy Level

Release Information


source [ addresses ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast ssm-map ssm-map-name], [edit logical-systems logical-system-name routing-options multicast ssm-map ssm-map-name], [edit routing-instances routing-instance-name routing-options multicast ssm-map ssm-map-name], [edit routing-options multicast ssm-map ssm-map-name]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify IPv4 or IPv6 source addresses for an SSM map. addresses—IPv4 or IPv6 source addresses.

routing—To view this statement in the configuration. routing-control—To view this statement in the configuration. •



2887

®


source-routing Syntax


Description

source-routing { (ip | ipv6) } [edit routing-options]

Statement for IPv6 introduced in Junos OS Release 8.2. Statement for IPv4 introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable source routing. Source routing allows a sender of a packet to partially or completely specify the route the packet takes through the network. In contrast, in non-source routing protocols, routers in the network determine the path based on the packet's destination.

NOTE: We recommend that you not use source routing. Instead, we recommend that you use policy-based routing or filter-based forwarding to route packets based on source addresses.


2888

Disabled routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring Filter-Based Forwarding on the Source Address



spf-options Syntax

Hierarchy Level

Release Information

spf-options { delay milliseconds; holddown milliseconds; rapid-runs number; } [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]


Description

Configure options for running the shortest-path-first (SPF) algorithm. You can configure a delay for when to run the SPF algorithm after a network topology change is detected, the maximum number of times the SPF algorithm can run in succession, and a holddown interval after SPF algorithm runs the maximum number of times.

Options

delay milliseconds—Time interval between the detection of a topology change and when

the SPF algorithm runs. Range: 50 through 1000 milliseconds Default: 200 milliseconds holddown milliseconds—Time interval to hold down, or wait before a subsequent SPF

algorithm runs after the SPF algorithm has run the configured maximum number of times in succession. Range: 2000 through 10,000 milliseconds Default: 5000 milliseconds rapid-runs number—Maximum number of times the SPF algorithm can run in succession.

After the maximum is reached, the holddown interval begins. Range: 1 through 5 Default: 3 Required Privilege Level Related Documentation


Configuring SPF Options for IS-IS


2889

®


spf-options Syntax

Hierarchy Level

Release Information

Description

Options

spf-options { delay milliseconds; holddown milliseconds; rapid-runs number; } [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf topology (default | ipv4-multicast | name)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf topology (default | ipv4-multicast | name)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf topology (default | ipv4-multicast | name)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf topology (default | ipv4-multicast | name)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for Multitopology Routing introduced in Junos OS Release 9.0. Support for Multitopology Routing introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure options for running the shortest-path-first (SPF) algorithm. You can configure the following: •

A delay for when to run the SPF algorithm after a network topology change is detected.

•

The maximum number of times the SPF algorithm can run in succession.

•

A hold-down interval after the SPF algorithm runs the maximum number of times.

delay milliseconds—Time interval between the detection of a topology change and when

the SPF algorithm runs. Range: 50 through 8000 milliseconds Default: 200 milliseconds

2890



holddown milliseconds—Time interval to hold down, or to wait before a subsequent SPF

algorithm runs after the SPF algorithm has run the configured maximum number of times in succession. Range: 2000 through 20,000 milliseconds Default: 5000 milliseconds rapid-runs number—Maximum number of times the SPF algorithm can run in succession.

After the maximum is reached, the hold down interval begins. Range: 1 through 5 Default: 3 Required Privilege Level Related Documentation


Example: Configuring SPF Algorithm Options for OSPF

•


ssm-groups Syntax Hierarchy Level

Release Information

Description

ssm-groups [ ip-addresses ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure source-specific multicast (SSM) groups. By default, the SSM group multicast address is limited to the IP address range from 232.0.0.0 through 232.255.255.255. However, you can extend SSM operations into another Class D range by including the ssm-groups statement in the configuration. The default SSM address range from 232.0.0.0 through 232.255.255.255 cannot be used in the ssm-groups statement. This statement is for adding other multicast addresses to the default SSM group addresses. This statement does not override the default SSM group address range.


ip-addresses—List of one or more additional SSM group addresses separated by a space.




2891

®


ssm-map (Multicast Routing Options) Syntax

Hierarchy Level

Release Information

Description Options

ssm-map ssm-map-name { policy [ policy-names ]; source [ addresses ]; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options multicast]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure SSM mapping. ssm-map-name—Name of the SSM map.


2892





static Syntax

static { defaults { static-options; } rib-group group-name; route destination-prefix { bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } local-address ip-address; minimum-interval milliseconds; minimum-receive-interval milliseconds; minimum-receive-ttl number; multiplier number; neighbor address; no-adaptation; transmit-interval { threshold milliseconds; minimum-interval milliseconds; } version (1 | automatic); } next-hop address; next-hop options; qualified-next-hop address { bfd-liveness-detection { authentication { algorithm (keyed-md5 | keyed-sha-1 | meticulous-keyed-md5 | meticulous-keyed-sha-1 | simple-password); key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } holddown-interval milliseconds; minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (1 | automatic); }


2893

®


metric metric; preference preference; } static-options; } }

Hierarchy Level

Release Information

Description

2894

[edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-options], [edit logical-systems logical-system-name routing-options rib routing-table-name], [edit routing-instances routing-instance-name routing-options], [edit routing-options], [edit routing-options rib routing-table-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for BFD authentication introduced in Junos 9.6. Support for BFD authentication introduced in Junos 9.6 for EX Series switches. Configure static routes to be installed in the routing table. You can specify any number of routes within a single static statement, and you can specify any number of static options in the configuration.



Options

defaults—(Optional) Specify global static route options. These options only set default

attributes inherited by all newly created static routes. These are treated as global defaults and apply to all the static routes you configure in the static statement.

NOTE: Specifying the global static route options does not create default routes. These options only set default attributes inherited by all newly created static routes.

route—Configure individual static routes. In this part of the static statement, you optionally

can configure static route options. These options apply to the individual destination only and override any options you configured in the defaults part of the static statement. •


address, and prefix-length is the destination prefix length. When you configure an individual static route in the route part of the static statement, specify the destination of the route (in route destination-prefix) in one of the following ways: •

network/mask-length, where network is the network portion of the IP address and mask-length is the destination prefix length.

•

default if this is the default route to the destination. This is equivalent to specifying an

IP address of 0.0.0.0/0.

NOTE: IPv4 packets with a destination of 0.0.0.0 (the obsoleted limited broadcast address) and IPv6 packets with a destination of 0::0 are discarded by default. To forward traffic destined to these addresses, you can add a static route to 0.0.0.0/32 for IPv4 or 0::0/128 for IPv6.

•

nsap-prefix—nsap-prefix is the network service access point (NSAP) address for ISO.

•

next-hop address—Reach the next-hop routing device by specifying an IP address, an

interface name, or an ISO network entity title (NET). IPv4 or IPv6 address of the next hop to the destination, specified as: •

IPv4 or IPv6 address of the next hop

•

Interface name (for point-to-point interfaces only)

•

address or interface-name to specify an IP address of a multipoint interface or an

interface name of a point-to-point interface.

NOTE: If an interface becomes unavailable, all configured static routes on that interface are withdrawn from the routing table.


2895

®


NOTE: Load balancing is not supported on management and internal Ethernet (fxo) interfaces because this type of interface cannot handle the routing process. On fxp interfaces, you cannot configure multiple next hops and enable load balancing.

next-hop options—Additional information for how to manage forwarding of packets to

the next hop. •

discard—Do not forward packets addressed to this destination. Instead, drop the

packets, do not send ICMP (or ICMPv6) unreachable messages to the packets’ originators, and install a reject route for this destination into the routing table. •

2896

iso-net—Reach the next-hop routing device by specifying an ISO NSAP.



•

next-table routing-table-name—Name of the next routing table to the destination.

If you use the next-table action, the configuration must include a term qualifier that specifies a different table than the one specified in the next-table action. In other words, the term qualifier in the from statement must exclude the table in the next-table action. In the following example, the first term contains rib vrf-customer2.inet.0 as a matching condition. The action specifies a next-hop in a different routing table, vrf-customer1.inet.0. The second term does the opposite by using rib vrf-customer1.inet.0 in the match condition and vrf-customer2.inet.0 In the next-table action. term 1 { from { protocol bgp; rib vrf-customer2.inet.0; community customer; } then { next-hop next-table vrf-customer1.inet.0; } } term 2 { from { protocol bgp; rib vrf-customer1.inet.0; community customer; } then { next-hop next-table vrf-customer2.inet.0; } }

NOTE: Within a routing instance, you cannot configure a static route with the next-table inet.0 statement if any static route in the main routing instance is already configured with the next-table statement to point to the inet.0 routing table of the routing instance. For example, if you configure on the main routing instance a static route 192.168.88.88/32 with the next-table test.inet.0 statement and the routing instance test is also configured with a static route 192.168.88.88/32 with the next-table inet.0 statement, the commit operation fails. Instead, you must configure a routing table group both on the main instance and on the routing instance, which enables you to install the static route into both routing tables.


2897

®


•

receive—Install a route for this next-hop destination into the routing table.

The receive option forces the packet to be sent to the Routing Engine. The receive option can be useful in the following cases:

•

•

For receiving MPLS packets destined to a VRF instance's loopback address

•

For receiving packets on a link's subnet address, with zeros in the host portion of the address

reject—Do not forward packets addressed to this destination. Instead, drop the packets,

send ICMP (or ICMPv6) unreachable messages to the packets’ originators, and install a reject route for this destination into the routing table. static-options—(Optional under route) Additional information about static routes, which

is included with the route when it is installed in the routing table. You can specify one or more of the following in static-options. Each of the options is explained separately. •

(active | passive);

•

as-path ;

•


•

(install | no-install);

•


•


•

(readvertise | no-readvertise);

•

(resolve | no-resolve);

•

(retain | no-retain);

•

tag string;


2898





stub Syntax Hierarchy Level

Release Information

Description

stub ; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3) area area-id], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Specify that this area not be flooded with AS external link-state advertisements (LSAs). You must include the stub statement when configuring all routing devices that are in the stub area. The backbone cannot be configured as a stub area. You cannot configure an area to be both a stub area and a not-so-stubby area (NSSA).

Options

no-summaries—(Optional) Do not advertise routes into the stub area. If you include the default-metric option, only the default route is advertised. summaries—(Optional) Flood summary LSAs into the stub area.




•

Example: Configuring OSPF Stub and Totally Stubby Areas

•

nssa on page 2814


2899

®


subscriber-leave-timer Syntax Hierarchy Level

Release Information

subscriber-leave-timer seconds; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast interface interface-name], [edit logical-systems logical-system-name routing-options multicast interface interface-name], [edit routing-instances routing-instance-name routing-options multicast interface interface-name], [edit routing-options multicast interface interface-name]


Description

Length of time before the multicast VLAN updates QoS data (for example, available bandwidth) for subscriber interfaces after it receives an IGMP leave message.

Options

seconds—Length of time before the multicast VLAN updates QoS data (for example,

available bandwidth) for subscriber interfaces after it receives an IGMP leave message. Specifying a value of 0 results in an immediate update. This is the same as if the statement were not configured. Range: 0 through 30 Default: 0 seconds Required Privilege Level Related Documentation

2900





summaries Syntax Hierarchy Level

Release Information

Description

(summaries | no-summaries); [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id nssa], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa], [edit protocols (ospf | ospf3) area area-id nssa], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id nssa], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Configure whether or not area border routers advertise summary routes into an not-so-stubby area (NSSA): •

summaries—Flood summary link-state advertisements (LSAs) into the NSSA.

•

no-summaries—Prevent area border routers from advertising summaries into an NSSA.

If default-metric is configured for an NSSA, a Type 3 LSA is injected into the area by default. Required Privilege Level Related Documentation



•


•

nssa on page 2814

•

stub on page 2899

•

Configuring OSPF Areas


2901

®


tag Syntax Hierarchy Level

Release Information


2902

tag string; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options (aggregate | generate | static) (defaults | route)], [edit logical-systems logical-system-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options aggregate | generate | static) (defaults | route)], [edit routing-instances routing-instance-name routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)], [edit routing-options (aggregate | generate | static) (defaults | route)], [edit routing-options rib routing-table-name (aggregate | generate | static) (defaults | route)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Associate an OSPF tag with a static, aggregate, or generated route. No OSPF tag strings are associated with static routes. string—OSPF tag string.



•


•


•


•


•

static on page 2893



tcp-mss Syntax Hierarchy Level

Release Information


tcp-mss segment-size; [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor neighbor-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor neighbor-name], [edit protocols bgp], [edit protocol bgp group group-name], [edit protocols bgp group group-name neighbor neighbor-name], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor neighbor-name]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the maximum segment size (MSS) for the TCP connection for BGP neighbors. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Limiting TCP Segment Size for BGP


2903

®


threshold Syntax Hierarchy Level

Release Information

Description Options

threshold suppress value ; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast forwarding-cache], [edit logical-systems logical-system-name routing-options multicast forwarding-cache], [edit routing-instances routing-instance-name routing-options multicast forwarding-cache], [edit routing-options multicast forwarding-cache]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the suppression and reuse thresholds for multicast forwarding cache limits. reuse value—(Optional) Value at which to begin creating new multicast forwarding cache

entries. If configured, this number should be less than the suppress value. Range: 1 through 200,000 suppress value—Value at which to begin suppressing new multicast forwarding cache

entries. This value is mandatory. This number should be greater than the reuse value. Range: 1 through 200,000 Required Privilege Level Related Documentation

2904


Examples: Configuring the Multicast Forwarding Cache



timeout (Flow Maps) Syntax Hierarchy Level

Release Information

Description

Options

timeout (never non-discard-entry-only | minutes); [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit logical-systems logical-system-name routing-options multicast flow-map flow-map-name], [edit routing-instances routing-instance-name routing-options multicast flow-map flow-map-name], [edit routing-options multicast flow-map flow-map-name]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the timeout value for multicast forwarding cache entries associated with the flow map. minutes—Length of time that the forwarding cache entry remains active.

Range: 1 through 720 never non-discard-entry-only—Specify that the forwarding cache entry always remain

active. If you omit the non-discard-entry-only option, all multicast forwarding entries, including those in forwarding and pruned states, are kept forever. If you include the non-discard-entry-only option, entries with forwarding states are kept forever, and entries with pruned states time out. Required Privilege Level



2905

®


timeout (Multicast) Syntax Hierarchy Level

Release Information

Description Options

timeout minutes; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast forwarding-cache], [edit logical-systems logical-system-name routing-options multicast forwarding-cache], [edit routing-instances routing-instance-name routing-options multicast forwarding-cache], [edit routing-options multicast forwarding-cache]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the timeout value for multicast forwarding cache entries. minutes—Length of time that the forwarding cache limit remains active.


2906


Example: Configuring the Multicast Forwarding Cache



topologies Syntax

Hierarchy Level

Release Information

Description

topologies { ipv4-multicast; ipv6-multicast; ipv6-unicast; } [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure alternate IS-IS topologies. The remaining statements are explained separately.





2907

®


traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name protocols bgp], [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name protocols bgp group group-name neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name neighbor address], [edit protocols bgp], [edit protocols bgp group group-name], [edit protocols bgp group group-name neighbor address], [edit routing-instances routing-instance-name protocols bgp], [edit routing-instances routing-instance-name protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. 4byte-as statement introduced in Junos OS Release 9.2. 4byte-as statement introduced in Junos OS Release 9.2 for EX Series switches. Configure BGP protocol-level tracing options. To specify more than one tracing operation, include multiple flag statements.

NOTE: The traceoptions statement is not supported on QFabric systems.

Default

Options

The default BGP protocol-level tracing options are inherited from the routing protocols traceoptions statement included at the [edit routing-options] hierarchy level. The default group-level trace options are inherited from the BGP protocol-level traceoptions statement. The default peer-level trace options are inherited from the group-level traceoptions statement. disable—(Optional) Disable the tracing operation. You can use this option to disable a


name within quotation marks. All files are placed in the directory /var/log. We recommend that you place BGP tracing output in the file bgp-log.

2908



files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option. Range: 2 through 1000 files Default: 10 files flag—Tracing operation to perform. To specify more than one tracing operation, include

multiple flag statements. BGP Tracing Flags •

4byte-as—4-byte AS events.

•

bfd—BFD protocol events.

•

damping—Damping operations.

•

graceful-restart—Graceful restart events.

•

keepalive—BGP keepalive messages. If you enable the the BGP update flag only, received

keepalive messages do not generate a trace message. •

nsr-synchronization—Nonstop routing synchronization events.

•

open—Open packets. These packets are sent between peers when they are establishing

a connection. •

packets—All BGP protocol packets.

•

refresh—BGP refresh packets.

•

update—Update packets. These packets provide routing updates to BGP systems. If

you enable only this flag, received keepalive messages do not generate a trace message. Use the keepalive flag to generate a trace message for keepalive messages. Global Tracing Flags •


•

general—A combination of the normal and route trace operations

•

normal—All normal operations

Default: If you do not specify this option, only unusual or abnormal operations are traced. •

policy—Policy operations and actions

•

route—Routing table changes

•

state—State transitions

•

task—Routing protocol task processing

•

timer—Routing protocol timer processing


2909

®


flag-modifier—(Optional) Modifier for the tracing flag. You can specify one or more of

these modifiers: •

detail—Provide detailed trace information.

•

filter—Provide filter trace information. Applies only to route and damping tracing flags.

•

receive—Trace the packets being received.

•

send—Trace the packets being transmitted.

no-world-readable—(Optional) Prevent any user from reading the log file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB world-readable—(Optional) Allow any user to read the log file.


2910


log-updown on page 2766 statement

•

Understanding Trace Operations for BGP Protocol Traffic

•

Configuring OSPF Refresh and Flooding Reduction in Stable Topologies



traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file name ; flag flag ; } [edit logical-systems logical-system-name protocols isis], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis], [edit protocols isis], [edit routing-instances routing-instance-name protocols isis]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure IS-IS protocol-level tracing options. To specify more than one tracing operation, include multiple flag statements.


Default

The default IS-IS protocol-level tracing options are those inherited from the routing protocols traceoptions statement included at the [edit routing-options] hierarchy level.

Options

disable—(Optional) Disable the tracing operation. You can use this option to disable a


name within quotation marks (“ ”). All files are placed in the directory /var/log. We recommend that you place IS-IS tracing output in the file isis-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 files Default: 10 files flag flag—Tracing operation to perform. To specify more than one flag, include multiple flag statements. IS-IS Protocol-Specific Tracing Flags


2911

®


•

csn—Complete sequence number PDU (CSNP) packets

•

error—Errored IS-IS packets

•

graceful-restart—Graceful restart operation

•

hello—Hello packets

•

ldp-synchronization—Synchronization between IS-IS and LDP

•

lsp—Link-state PDU packets

•

lsp-generation—Link-state PDU generation packets

•

packets—All IS-IS protocol packets

•

psn—Partial sequence number PDU (PSNP) packets

•

spf—Shortest-path-first calculations

Global Tracing Flags •


•


•

normal—All normal operations, including adjacency changes



•


•


•


•





•


•


no-world-readable—(Optional) Prevent any user from reading the log file.

2912




or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. Note that if you specify a maximum file size, you also must specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB world-readable—(Optional) Allow any user to read the log file.



Tracing IS-IS Protocol Traffic


2913

®


traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit protocols (ospf | ospf3)], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure OSPF protocol-level tracing options. To specify more than one tracing operation, include multiple flag statements.


Default

The default OSPF protocol-level tracing options are those inherited from the routing protocols traceoptions statement included at the [edit routing-options] hierarchy level.

Options

disable—(Optional) Disable the tracing operation. You can use this option to disable a

single operation when you have defined a broad group of tracing operations, such as all. file filename—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. We recommend that you place OSPF tracing output in the file ospf-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten.

2914



If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 files Default: 10 files flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements. OSPF Tracing Flags •

database-description—Database description packets, which are used in synchronizing

the OSPF and OSPFv3 topological database. •

error—OSPF and OSPFv3 error packets.

•

event—OSPF and OSPFv3 state transitions.

•

flooding—Link-state flooding packets.

•

graceful-restart—Graceful-restart events.

•

hello—Hello packets, which are used to establish neighbor adjacencies and to determine

whether neighbors are reachable. •

ldp-synchronization—Synchronization events between OSPF and LDP.

•

lsa-ack—Link-state acknowledgment packets, which are used in synchronizing the

OSPF topological database. •

lsa-analysis—Link-state analysis. Specific to the Juniper Networks implementation of

OSPF, Junos OS performs LSA analysis before running the shortest-path-first (SPF) algorithm. LSA analysis helps to speed the calculations performed by the SPF algorithm. •

lsa-request—Link-state request packets, which are used in synchronizing the

OSPF topological database. •

lsa-update—Link-state updates packets, which are used in synchronizing the OSPF

topological database. •

nsr-synchronization—Nonstop routing synchronization events.

•

on-demand—Trace demand circuit extensions.

•

packet-dump—Content of selected packet types.

•

packets—All OSPF packets.

•

restart-signaling—(OSPFv2 only) Restart-signaling graceful restart events.

•

spf—Shortest-path-first (SPF) calculations.

Global Tracing Flags


2915

®


•


•

general—A combination of the normal and route trace operations.

•

normal—All normal operations. If you do not specify this option, only unusual or

abnormal operations are traced. •

policy—Policy operations and actions.

•

route—Routing table changes.

•

state—State transitions.

•

task—Routing protocol task processing.

•

timer—Routing protocol timer processing.



detail—Detailed trace information.

•

receive—Packets being received.

•

send—Packets being transmitted.


or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB world-readable—(Optional) Allow any user to read the log file.


2916


Example: Tracing OSPF Protocol Traffic



traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit protocols rip], [edit routing-instances routing-instance-name protocols rip]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Set RIP protocol-level tracing options.


Default

The default RIP protocol-level trace options are inherited from the global traceoptions statement.

Options

disable—(Optional) Disable the tracing operation. One use of this option is to disable a


name in quotation marks. We recommend that you place RIP tracing output in the file /var/log/rip-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option. Range: 2 through 1000 files Default: 10 files flag—Tracing operation to perform. To specify more than one tracing operation, include

multiple flag statements. RIP Tracing Options •

auth—RIP authentication

•

error—RIP error packets


2917

®


•

expiration—RIP route expiration processing

•

holddown—RIP hold-down processing

•

nsr-synchronization—Nonstop routing synchronization events

•

packets—All RIP packets

•

request—RIP information packets such as request, poll, and poll entry packets

•

trigger—RIP triggered updates

•

update—RIP update packets

Global Tracing Options •


•


•




•


•


•


•





•


•

receive-detail—Provide detailed trace information for packets being received.

•


•

send-detail—Provide detailed trace information for packets being transmitted.

no-world-readable—(Optional) Prevent any user from reading the log file.

2918



size size—(Optional) Maximum size of each trace file, in kilobytes (KB) or megabytes

(MB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum file size, you must also specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB world-readable—(Optional) Allow any user to read the log file.



Example: Tracing RIP Protocol Traffic


2919

®


traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit protocols ripng], [edit routing-instances routing-instance-name protocols ripng]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0. Set RIPng protocol-level tracing options.

Default

The default RIPng protocol-level trace options are inherited from the global traceoptions statement.

Options

disable—(Optional) Disable the tracing operation. One use of this option is to disable a


name in quotation marks. We recommend that you place RIPng tracing output in the file /var/log/ripng-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option. Range: 2 through 1000 files Default: 10 files flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements. RIPng Tracing Options

2920

•

error—RIPng error packets

•

expiration—RIPng route expiration processing

•

holddown—RIPng hold-down processing

•

nsr-synchronization—Nonstop routing synchronization events

•

packets—All RIPng packets



•

request—RIPng information packets such as request, poll, and poll entry packets

•

trigger—RIPng triggered updates

•

update—RIPng update packets

Global Tracing Options •


•


•




•


•


•


•





•


•

receive-detail—Provide detailed trace information for packets being received.

•


•

send-detail—Provide detailed trace information for packets being transmitted.

no-world-readable—(Optional) Do not allow any user to read the log file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. If you specify a maximum file size, you must also specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB world-readable—(Optional) Allow any user to read the log file.




2921

®



2922

•

Example: Tracing RIPng Protocol Traffic



traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast], [edit logical-systems logical-system-name routing-options], [edit logical-systems logical-system-name routing-options multicast], [edit routing-instances routing-instance-name routing-options], [edit routing-instances routing-instance-name routing-options multicast], [edit routing-options], [edit routing-options flow], [edit routing-options multicast]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Define tracing operations that track all routing protocol functionality in the routing device. To specify more than one tracing operation, include multiple flag statements.

Default

If you do not include this statement, no global tracing operations are performed.

Options

Values: disable—(Optional) Disable the tracing operation. You can use this option to disable a


name within quotation marks. All files are placed in the directory /var/log. We recommend that you place global routing protocol tracing output in the file routing-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. Note that if you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 files Default: 10 files flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements. These are the global routing protocol tracing options:


2923

®


•


•

condition-manager—Condition-manager events

•

config-internal—Configuration internals

•

general—All normal operations and routing table changes (a combination of the normal

and route trace operations) •

graceful-restart—Graceful restart operations

•


•

nsr-synchronization—Nonstop active routing synchronization

•

parse—Configuration parsing

•

policy—Routing policy operations and actions

•

regex-parse—Regular-expression parsing

•


•


•

task—Interface transactions and processing

•

timer—Timer usage


or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then, the oldest trace file is overwritten. Note that if you specify a maximum file size, you also must specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 128 KB world-readable—(Optional) Allow any user to read the log file.


2924


Example: Tracing Global Routing Protocol Operations



traffic-engineering (OSPF) Syntax

Hierarchy Level

Release Information


traffic-engineering { ; ; ignore-lsp-metrics; multicast-rpf-routes; no-topology; shortcuts { lsp-metric-into-summary; } } [edit logical-systems logical-system-name protocols (ospf | ospf3)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)], [edit protocols (ospf | ospf3)], [edit routing-instances routing-instance-name protocols (ospf | ospf3)]

Statement introduced before Junos OS Release 7.4. multicast-rpf-routes option introduced in Junos OS Release 7.5. advertise-unnumbered-interfaces option introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for OSPFv3 (ospf3) introduced in Junos OS Release 9.4. Support for OSPFv3 (ospf3) introduced in Junos OS Release 9.4 for EX Series switches. credibility-protocol-preference statement introduced in Junos OS Release 9.4. credibility-protocol-preference statement introduced in Junos OS Release 9.4 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable the OSPF traffic engineering features. Traffic engineering support is disabled. advertise-unnumbered-interfaces—(Optional) (OSPFv2 only) Include the link-local

identifier in the link-local traffic-engineering link-state advertisement. This statement must be included on both ends of an unnumbered link to allow an ingress LER to update the link in its traffic engineering database and use it for CSPF calculations. The link-local identifier is then used by RSVP to signal unnumbered interfaces as defined in RFC 3477. credibility-protocol-preference—(Optional) (OSPFv2 only) Use the configured preference

value for OSPF routes to calculate the traffic engineering database credibility value used to select IGP routes. Use this statement to override the default behavior, in which the traffic engineering database prefers IS-IS routes even if OSPF routes are configured with a lower, that is, preferred, preference value. For example, OSPF routes have a default preference value of 10, whereas IS-IS Level 1 routes have a default preference value of 15. When protocol preference is enabled, the credibility value is determined by deducting the protocol preference value from a base value of 512. Using default protocol preference values, OSPF has a credibility value of 502,


2925

®


whereas IS-IS has a credibility value of 497. Because the traffic engineering database prefers IGP routes with the highest credibility value, OSPF routes are now preferred. multicast-rpf-routes—(Optional) (OSPFv2 only) Install routes for multicast RPF checks

into the inet.2 routing table. The inet.2 routing table consists of unicast routes used for multicast RPF lookup. RPF is an antispoofing mechanism used to check whether the packet is coming in on an interface that is also sending data back to the packet source.

NOTE: You must enable OSPF traffic engineering shortcuts to use the multicast-rpf-routes statement. You must not allow LSP advertisements into OSPF when configuring the multicast-rpf-routes statement.

no-topology—(Optional) (OSPFv2 only) Disable the dissemination of the link-state

topology information. The remaining statements are explained separately. Required Privilege Level Related Documentation

2926





transit-delay Syntax Hierarchy Level

Release Information

Description

transit-delay seconds; [edit logical-systems logical-system-name protocols ospf area area-id peer-interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id interface interface-name], [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id virtual-link], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id virtual-link], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name], [edit protocols ospf area area-id peer-interface interface-name], [edit protocols (ospf | ospf3) area area-id interface interface-name], [edit protocols (ospf | ospf3) area area-id virtual-link], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast)] area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name], [edit routing-instances routing-instance-name protocols ospf area area-id virtual-link], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Set the estimated time required to transmit a link-state update on the interface. When calculating this time, make sure to account for transmission and propagation delays. You should never have to modify the transit delay time.

Options

seconds—Estimated time, in seconds.

Range: 1 through 65,535 seconds Default: 1 second Required Privilege Level Related Documentation




2927

®


type Syntax Hierarchy Level

Release Information

Description

type type; [edit logical-systems logical-system-name protocols bgp group group-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name], [edit protocols bgp group group-name], [edit routing-instances routing-instance-name protocols bgp group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the type of BGP peer group. When configuring a BGP group, you can indicate whether the group is an IBGP group or an EBGP group. All peers in an IBGP group are in the same AS, while peers in an EBGP group are in different ASs and normally share a subnet.

Options


2928

type—Type of group: •

external—External group, which allows inter-AS BGP routing

•

internal—Internal group, which allows intra-AS BGP routing





type-7 Syntax Hierarchy Level

Release Information

Description

type-7; [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit logical-systems logical-system-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit protocols (ospf | ospf3) area area-id nssa default-lsa], [edit protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa], [edit routing-instances routing-instance-name protocols (ospf | ospf3) area area-id nssa default-lsa], [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-multicast) area area-id nssa default-lsa]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for the realm statement introduced in Junos OS Release 9.2. Support for the realm statement introduced in Junos OS Release 9.2 for EX Series switches. Flood Type 7 default link-state advertisements (LSAs) if the no-summaries statement is configured. By default, when the no-summaries statement is configured, a Type 3 LSA is injected into not-so-stubby areas (NSSAs) for Junos OS Release 5.0 and later. To support backward compatibility with earlier Junos OS releases, include the type-7 statement. This statement enables NSSA ABRs to advertise a Type 7 default LSA into the NSSA if you have also included the no-summaries statement in the configuration.




•


•

no-summaries on page 2901


2929

®


update-interval Syntax Hierarchy Level

Release Information

Description Options

update-interval seconds; [edit logical-systems logical-system-name protocols rip], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip], [edit protocols rip], [edit routing-instances routing-instance-name protocols rip]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure the interval at which routes learned by RIP are sent to neighbors. seconds—Estimated time to wait before making updates to the routing table.


2930





update-interval Syntax Hierarchy Level

Release Information

update-interval seconds; [edit logical-systems logical-system-name protocols ripng], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ripng], [edit protocols ripng], [edit routing-instances routing-instance-name protocols ripng]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for routing instances introduced in Junos OS Release 9.0.

Description

Configure the interval at which routes learned by RIPng are sent to neighbors.

Options

seconds—Estimated time to wait before making updates to the routing table.





2931

®


upstream-interface Syntax Hierarchy Level

Release Information

Description

Options

upstream-interface [ interface-names ]; [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast pim-to-igmp-proxy], [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options multicast pim-to-mld-proxy], [edit logical-systems logical-system-name routing-options multicast pim-to-igmp-proxy], [edit logical-systems logical-system-name routing-options multicast pim-to-mld-proxy], [edit routing-instances routing-instance-name routing-options multicast pim-to-igmp-proxy], [edit routing-instances routing-instance-name routing-options multicast pim-to-mld-proxy], [edit routing-options multicast pim-to-igmp-proxy], [edit routing-options multicast pim-to-mld-proxy]

Statement introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure at least one, but not more than two, upstream interfaces on the rendezvous point (RP) routing device that resides between a customer edge–facing Protocol Independent Multicast (PIM) domain and a core-facing PIM domain. The RP routing device translates PIM join or prune messages into corresponding IGMP report or leave messages (if you include the pim-to-igmp-proxy statement), or into corresponding MLD report or leave messages (if you include the pim-to-mld-proxy statement). The routing device then proxies the IGMP or MLD report or leave messages to one or both upstream interfaces to forward IPv4 multicast traffic (for IGMP) or IPv6 multicast traffic (for MLD) across the PIM domains. interface-names—Names of one or two upstream interfaces to which the RP routing

device proxies IGMP or MLD report or leave messages for transmission of multicast traffic across PIM domains. You can specify a maximum of two upstream interfaces on the RP routing device. To configure a set of two upstream interfaces, specify the full interface names, including all physical and logical address components, within square brackets ( [ ] ). Required Privilege Level Related Documentation

2932


Configuring PIM-to-IGMP Message Translation

•

Configuring PIM-to-MLD Message Translation



virtual-link Syntax

Hierarchy Level

Release Information

Description

Options

virtual-link neighbor-id router-id transit-area area-id { disable; authentication key ; dead-interval seconds; hello-interval seconds; ipsec-sa name; retransmit-interval seconds; transit-delay seconds; } [edit logical-systems logical-system-name protocols (ospf | ospf3) area area-id], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id], [edit protocols (ospf | ospf3) area area-id], [edit routing-instances routing-instance-name protocols ospf area area-id]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. For backbone areas only, create a virtual link to use in place of an actual physical link. All area border routers and other routing devices on the backbone must be contiguous. If this is not possible and there is a break in OSPF connectivity, use virtual links to create connectivity to the OSPF backbone. When configuring virtual links, you must configure links on the two routing devices that form the end points of the link, and both of these routing devices must be area border routers. You cannot configure links through stub areas. neighbor-id router-id—IP address of the routing device at the remote end of the virtual

link. transit-area area-id—Area identifier of the area through which the virtual link transits.

Virtual links are not allowed to transit the backbone area. The remaining statements are explained separately. Required Privilege Level Related Documentation



•

Example: Configuring OSPF Virtual Links


2933

®


wide-metrics-only Syntax Hierarchy Level

Release Information


2934

wide-metrics-only; [edit logical-systems logical-system-name protocols isis level level-number], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols isis level level-number], [edit protocols isis level level-number], [edit routing-instances routing-instance-name protocols isis level level-number]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure IS-IS to generate metric values greater than 63 on a per IS-IS level basis. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

te-metric

•

Enabling Wide IS-IS Metrics for Traffic Engineering


CHAPTER 80

Operational Commands for Layer 3 Protocols


2935

®


clear (ospf | ospf3) database Syntax

Syntax (EX Series Switch and QFX Series)

Release Information

2936

clear (ospf | ospf3) database clear (ospf | ospf3) database

Command introduced before Junos OS Release 7.4. advertising-router router-id, area area-id, asbrsummary, external, inter-area-prefix, inter-area-router, intra-area-prefix, link-local, lsa-id lsa-id, netsummary, network, nssa, opaque-area, and router options added in Junos OS Release 8.3. You must use the purge command with these options. Command introduced in Junos OS Release 9.0 for EX Series switches. realm option added in Junos OS Release 9.2. advertising-router (router-id | self) option added in Junos OS Release 9.5. advertising-router (router-id | self) option introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.


Chapter 80: Operational Commands for Layer 3 Protocols

Description

With the master Routing Engine, delete entries in the Open Shortest Path First (OSPF) link-state advertisement (LSA) database. With the backup Routing Engine, delete the OSPF LSA database and sync the new database with the master Routing Engine. You can also use the purge command with any of the options to discard rather than delete the specified LSA entries.

CAUTION: This command is useful only for testing. Use it with care, because it causes significant network disruption.

Options

none—Delete all LSAs other than the system’s own LSAs, which are regenerated. To

resynchronize the database, the system destroys all adjacent neighbors that are in the state EXSTART or higher. The neighbors are then reacquired and the databases are synchronized. advertising-router (router-id | self)—(Optional) Discard entries for the LSA entries

advertised by the specified routing device or by this routing device. area area-id—(Optional) Discard entries for the LSAs in the specified area. asbrsummary—(Optional) Discard summary AS boundary router LSA entries. external—(Optional) Discard external LSAs. instance instance-name—(Optional) Delete or discard entries for the specified routing

instance only. inter-area-prefix—(OSPFv3 only) (Optional) Discard interarea prefix LSAs. inter-area-router—(OSPFv3 only) (Optional) Discard interarea router LSAs. intra-area-prefix—(OSPFv3 only) (Optional) Discard intra-area prefix LSAs. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. link-local—(Optional) Delete link-local LSAs. lsa-id lsa-id—(Optional) Discard the LSA entries with the specified LSA identifier. netsummary—(Optional) Discard summary network LSAs. network—(Optional) Discard network LSAs. nssa—(Optional) Discard not-so-stubby area (NSSA) LSAs. opaque-area—(Optional) Discard opaque area-scope LSAs. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(OSPFv3 only) (Optional) Delete

the entries for the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default.


2937

®


router—(Optional) Discard router LSAs. purge—(Optional) Discard all entries in the link-state advertisement database. All

link-state advertisements are set to MAXAGE and are flooded. The database is repopulated when the originators of the link-state advertisements receive the MAXAGE link-state advertisements and reissue them. Required Privilege Level Related Documentation


clear

•

show ospf database on page 3082

•

show ospf3 database on page 3072

clear ospf database on page 2938 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ospf database

2938

user@host> clear ospf database



clear (ospf | ospf3) io-statistics Syntax

Syntax (EX Series Switch and QFX Series) Release Information

Description Options

clear (ospf | osfp3) io-statistics clear (ospf | osfp3) io-statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Clear Open Shortest Path First (OSPF) input and output statistics. none—Clear OSPF input and output statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. Required Privilege Level List of Sample Output Output Fields

clear

clear ospf io-statistics on page 2939 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ospf io-statistics

user@host> clear ospf io-statistics


2939

®


clear (ospf | ospf3) neighbor Syntax


Release Information

Description Options

clear (ospf | ospf3) neighbor clear (ospf | ospf3) neighbor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. realm option introduced in Junos OS Release 9.2. Command introduced in Junos OS Release 11.3 for the QFX Series. Tear down Open Shortest Path First (OSPF) neighbor connections. none—Tear down OSPF connections with all neighbors for all routing instances. area area-id—(Optional) Tear down neighbor connections for the specified area only. instance instance-name—(Optional) Tear down neighbor connections for the specified

routing instance only. interface interface-name—(Optional) Tear down neighbor connections for the specified

interface only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. neighbor—(Optional) Clear the state of the specified neighbor only. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(Optional) (OSPFv3 only) Clear

the state of the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default. Required Privilege Level Related Documentation List of Sample Output Output Fields

2940

clear

•

show (ospf | ospf3) neighbor on page 2974

clear ospf neighbor on page 2941 When you enter this command, you are provided feedback on the status of your request.



Sample Output clear ospf neighbor

user@host> clear ospf neighbor


2941

®


clear (ospf | ospf3) statistics Syntax


Description Options

clear (ospf | osfp3) statistics clear (ospf | osfp3) statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. realm option introduced in Junos OS Release 9.2. Command introduced in Junos OS Release 11.3 for the QFX Series. Clear Open Shortest Path First (OSPF) statistics. none—Clear OSPF statistics. instance instance-name—(Optional) Clear statistics for the specified routing instance

only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(Optional) (OSPFv3 only) Clear

statistics for the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•

show (ospf | ospf3) statistics on page 2990

clear ospf statistics on page 2942 See show (ospf | ospf3) statistics for an explanation of output fields.

Sample Output clear ospf statistics

The following sample output displays OSPF statistics before and after the clear ospf statistics command is entered: user@host> show ospf statistics Packet type Hello DbD LSReq LSUpdate

2942

Total Sent 3254 41 8 212

Received 2268 46 7 154

Last 5 seconds Sent Received 3 1 0 0 0 0 0 0



LSAck DBDs LSAs LSAs LSAs LSAs LSAs LSAs

65

98

0

retransmitted : flooded : flooded high-prio : retransmitted : transmitted to nbr: requested : acknowledged :

Flood queue depth Total rexmit entries db summaries lsreq entries

: : : :

3, 12, 0, 0, 3, 5, 19,

last last last last last last last

0 5 5 5 5 5 5 5

seconds seconds seconds seconds seconds seconds seconds

: : : : : : :

0 0 0 0 0 0 0

0 0 0 0

Receive errors: 626 subnet mismatches

user@host> clear ospf statistics

user@host> show ospf statistics Packet type Total Sent Received Hello 3 1 DbD 0 0 LSReq 0 0 LSUpdate 0 0 LSAck 0 0 DBDs LSAs LSAs LSAs LSAs LSAs LSAs

Last 5 seconds Sent Received 3 1 0 0 0 0 0 0 0 0

retransmitted : flooded : flooded high-prio : retransmitted : transmitted to nbr: requested : acknowledged :

Flood queue depth Total rexmit entries db summaries lsreq entries

: : : :

0, 0, 0, 0, 0, 0, 0,

last last last last last last last

5 5 5 5 5 5 5

seconds seconds seconds seconds seconds seconds seconds

: : : : : : :

0 0 0 0 0 0 0

0 0 0 0

Receive errors: None


2943

®


clear bgp damping Syntax


Description Options

clear bgp damping clear bgp damping

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Clear BGP route flap damping information. none—Clear all BGP route flap damping information. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. prefix—(Optional) Clear route flap damping information for only the specified destination

prefix. Required Privilege Level Related Documentation


clear

•

show policy damping on page 3090

•

show route damping on page 3127

clear bgp damping on page 2944 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear bgp damping

2944

user@host> clear bgp damping



clear bgp neighbor Syntax


Release Information

Description

Options

clear bgp neighbor clear bgp neighbor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Perform one of the following tasks: •

Change the state of one or more BGP neighbors to IDLE. For neighbors in the ESTABLISHED state, this command drops the TCP connection to the neighbors and then reestablishes the connection.

•

(soft or soft-inbound keyword only) Reapply export policies or import policies, respectively, and send refresh updates to one or more BGP neighbors without changing their state.

none—Change the state of all BGP neighbors to IDLE. as as-number—(Optional) Apply this command only to neighbors in the specified

autonomous system (AS). instance instance-name—(Optional) Apply this command only to neighbors for the

specified routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. neighbor—(Optional) IP address of a BGP peer. Apply this command only to the specified

neighbor. soft—(Optional) Reapply any export policies and send refresh updates to neighbors

without clearing the state. soft-inbound—(Optional) Reapply any import policies and send refresh updates to

neighbors without clearing the state.


2945

®


soft-minimum-igp—(Optional) Provides soft refresh of the outbound state when the

interior gateway protocol (IGP) metric is reset. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•

show bgp neighbor on page 3009

clear bgp neighbor on page 2946 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear bgp neighbor

2946

user@host> clear bgp neighbor



clear bgp table Syntax


Description Options

clear bgp table table-name clear bgp table table-name

Command introduced in Junos OS Release 9.0. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Request that BGP refresh routes in a specified routing table. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. table-name—Request that BGP refresh routes in the specified table.



Output Fields

In some cases, a prefix limit is associated with a routing table for a VPN instance. When this limit is exceeded (for example, because of a network misconfiguration), some routes might not be inserted in the table. Such routes need to be added to the table after the network issue is resolved. Use the clear bgp table command to request that BGP refresh routes in a VPN instance table. clear

clear bgp table private.inet.0 on page 2947 clear bgp table inet.6 logical-system all on page 2947 clear bgp table private.inet.6 logical-system ls1 on page 2947 clear bgp table logical-system all inet.0 on page 2947 clear bgp table logical-system ls2 private.inet.0 on page 2948 This command produces no output.

Sample Output clear bgp table private.inet.0 clear bgp table inet.6 logical-system all

user@host> clear bgp table private.inet.0

user@host> clear bgp table inet.6 logical-system all

clear bgp table private.inet.6 logical-system ls1

user@host> clear bgp table private.inet.6 logical-system ls1

clear bgp table logical-system all inet.0

user@host> clear bgp table logical-system all inet.0


2947

®


clear bgp table logical-system ls2 private.inet.0

2948

user@host> clear bgp table logical-system ls2 private.inet.0



clear ipv6 neighbors Syntax

Release Information

Description Options

clear ipv6 neighbors

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.3 for EX Series switches. Clear IPv6 neighbor cache information. none—Clear all IPv6 neighbor cache information. all—(Optional) Clear all IPv6 neighbor cache information. host hostname—(Optional) Clear the information for the specified IPv6 neighbors.


view

•

show ipv6 neighbors on page 2063

clear ipv6 neighbors on page 2949 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ipv6 neighbors

user@host> clear ipv6 neighbors


2949

®


clear isis adjacency Syntax


Release Information

Description

Options

clear isis adjacency clear isis adjacency

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Remove entries from the Intermediate System-to-Intermediate System (IS-IS) adjacency database. none—Remove all entries from the adjacency database. instance instance-name—(Optional) Clear all adjacencies for the specified routing instance

only. interface interface-name—(Optional) Clear all adjacencies for the specified interface only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. neighbor—(Optional) Clear adjacencies for the specified neighbor only.


clear

•

show isis adjacency on page 3030

clear isis adjacency on page 2950 See show isis adjacency for an explanation of output fields.

Sample Output clear isis adjacency

The following sample output displays IS-IS adjacency database information before and after the clear isis adjacency command is entered: user@host> show isis adjacency IS-IS adjacency database: Interface System L State so-1/0/0.0 karakul 3 Up so-1/1/3.0 1921.6800.5080 3 Up

2950

Hold (secs) SNPA 26 23



so-5/0/0.0

1921.6800.5080 3 Up

19

user@host> clear isis adjacency karakul

user@host> show isis adjacency IS-IS adjacency database: Interface System so-1/0/0.0 karakul so-1/1/3.0 1921.6800.5080 so-5/0/0.0 1921.6800.5080


L 3 3 3

State Hold (secs) SNPA Initializing 26 Up 24 Up 21

2951

®


clear isis database Syntax


Release Information

Description

clear isis database clear isis database

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. purge option introduced in Junos OS Release 9.0. Command introduced in Junos OS Release 12.1 for the QFX Series. Remove the entries from the Intermediate System-to-Intermediate System (IS-IS) link-state database, which contains prefixes and topology information. You can also use purge with any of the options to initiate a network-wide purge of link-state PDUs (LSPs) rather than the local deletion of entries from the IS-IS link-state database.

CAUTION: In a production network, the purge command option may cause short-term network-wide traffic disruptions. Use with caution!

Options

none—Remove all entries from the IS-IS link-state database for all routing instances. entries—(Optional) Name of the database entry. instance instance-name—(Optional) Clear all entries for the specified routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. purge—(Optional) Discard all entries in the IS-IS link-state database.


2952

clear

•

show isis database on page 3044

clear isis database on page 2953 See show isis database for an explanation of output fields.



Sample Output clear isis database

The following sample output displays IS-IS link-state database information before and after the clear isis database command is entered: user@host> show isis database IS-IS level 1 link-state database: LSP ID Sequence Checksum Lifetime (secs) crater.00-00 0x12 0x84dd 1139 1 LSPs IS-IS level 2 link-state database: LSP ID Sequence Checksum Lifetime (secs) crater.00-00 0x19 0xe92c 1134 badlands.00-00 0x16 0x1454 985 carlsbad.00-00 0x33 0x220b 1015 ranier.00-00 0x2e 0xfc31 1007 1921.6800.5066.00-00 0x11 0x7313 566 1921.6800.5067.00-00 0x14 0xd9d4 939 6 LSPs

user@host> clear isis database

user@host> show isis database IS-IS level 1 link-state database: LSP ID Sequence Checksum Lifetime (secs) IS-IS level 2 link-state database: LSP ID Sequence Checksum Lifetime (secs)


2953

®


clear isis overload Syntax


Description

Options

clear isis overload clear isis overload

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Reset the Intermediate System-to-Intermediate System (IS-IS) dynamic overload bit. This command can appear to not work, continuing to display overload after execution. The bit is reset only if the root cause is corrected by configuration remotely or locally. none—Reset the IS-IS dynamic overload bit. instance instance-name—(Optional) Reset the IS-IS dynamic overload bit for the specified

routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•

show isis database on page 3044

clear isis overload on page 2954 See show isis database for an explanation of output fields.

Sample Output clear isis overload

The following sample output displays IS-IS database information before and after the clear isis overload command is entered: user@host> show isis database IS-IS level 1 link-state database: LSP ID Sequence Checksum Lifetime Attributes pro3-c.00-00 0x4 0x10db 1185 L1 L2 Overload 1 LSPs IS-IS level 2 link-state database: LSP ID Sequence Checksum Lifetime Attributes pro3-c.00-00 0x5 0x429f 1185 L1 L2 Overload

pro2-a.00-00 pro2-a.02-00

2954

0x91e 0x1

0x2589 0xcbc

874 L1 L2 874 L1 L2



3 LSPs

user@host> clear isis overload

user@host> show isis database IS-IS level 1 link-state database: LSP ID Sequence Checksum Lifetime Attributes pro3-c.00-00 0xa 0x429e 1183 L1 L2 1 LSPs IS-IS level 2 link-state database: LSP ID Sequence Checksum Lifetime Attributes pro3-c.00-00 0xc 0x9c39 1183 L1 L2 pro2-a.00-00 0x91e 0x2589 783 L1 L2 pro2-a.02-00 0x1 0xcbc 783 L1 L2 3 LSPs


2955

®


clear isis statistics Syntax


Description Options

clear isis statistics clear isis statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Set statistics about Intermediate System-to-Intermediate System (IS-IS) traffic to zero. none—Set IS-IS traffic statistics to zero for all routing instances. instance instance-name—(Optional) Set IS-IS traffic statistics to zero for the specified

routing instance only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

•

show isis statistics on page 3069

clear isis statistics on page 2956 See show isis statistics for an explanation of output fields.

Sample Output clear isis statistics

The following sample output displays IS-IS statistics before and after the clear isis statistics command is entered: user@host> show isis statistics IS-IS statistics for merino: PDU type LSP IIH CSNP PSNP Unknown Totals

Received 12793 116751 203956 7356 0 340856

Processed 12793 116751 203956 7350 0 340850

Drops 0 0 0 6 0 6

Sent 8666 118834 204080 8635 0 340215

Rexmit 719 0 0 0 0 719

Total packets received: 340856 Sent: 340934 SNP queue length: LSP queue length:

2956

0 Drops: 0 Drops:

0 0



SPF runs: Fragments rebuilt: LSP regenerations: Purges initiated:

1064 1087 436 0

user@host> clear isis statistics

user@host> show isis statistics IS-IS statistics for merino: PDU type LSP IIH CSNP PSNP Unknown Totals

Received 0 3 2 0 0 5

Processed 0 3 2 0 0 5

Drops 0 0 0 0 0 0

Sent 0 3 4 0 0 7

Rexmit 0 0 0 0 0 0

Total packets received: 5 Sent: 7 SNP queue length: LSP queue length:

0 Drops: 0 Drops:

SPF runs: Fragments rebuilt: LSP regenerations: Purges initiated:

0 0 0 0


0 0

2957

®


clear (ospf | ospf3) overload Syntax

Syntax (EX Series Switches) Release Information

Description

Options

clear (ospf | ospf3) overload clear (ospf | ospf3) overload

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Clear the Open Shortest Path First (OSPF) overload bit and rebuild link-state advertisements (LSAs). none—Clear the overload bit and rebuild LSAs for all routing instances. instance instance-name—(Optional) Clear the overload bit and rebuild LSAs for the

specified routing instance only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


clear

clear ospf overload on page 2958 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ospf overload

2958

user@host> clear ospf overload



clear rip general-statistics Syntax


Description Options

clear rip general-statistics clear rip general-statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Clear Routing Information Protocol (RIP) general statistics. none—Clear RIP general statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


clear

•

show rip general-statistics on page 3092

clear rip general-statistics on page 2959 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear rip general-statistics

user@host> clear rip general-statistics


2959

®


clear rip statistics Syntax

Syntax (EX Series Switches and QFX Series) Release Information

Description Options

clear rip statistics clear rip statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Clear RIP statistics. none—Reset RIP counters for all neighbors for all routing instances. instance (all | instance-name)—(Optional) Clear RIP statistics for all instances or for the

specified routing instance only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. neighbor—(Optional) Clear RIP statistics for the specified neighbor only. peer (all | address)—(Optional) Clear RIP statistics for a single peer or all peers.


clear

•

show rip statistics on page 3096

clear rip statistics on page 2960 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear rip statistics

2960

user@host> clear rip statistics



clear ripng general-statistics Syntax

Syntax (EX Series Switch) Release Information

Description Options

clear ripng general-statistics clear ripng general-statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Clear Routing Information Protocol next generation (RIPng) general statistics. none—Clear RIPng general statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


clear

•

show ripng general-statistics on page 3099

clear ripng general-statistics on page 2961 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ripng general-statistics

user@host> clear ripng general-statistics


2961

®


clear ripng statistics Syntax

Syntax (EX Series Switch)

clear ripng statistics clear ripng statistics

Release Information


Description

Clear Routing Information Protocol next-generation (RIPng) statistics.

Options

none—Reset RIPng counters for all neighbors for all routing instances. instance—(Optional) Reset RIPng counters for the specified instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name—(Optional) Reset RIPng counters for the specified neighbor.


clear

•

show ripng statistics on page 3102

clear ripng statistics on page 2962 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear ripng statistics

2962

user@host> clear ripng statistics



show (ospf | ospf3) interface Syntax


Release Information

Description Options

show (ospf | ospf3) interface show (ospf | ospf3) interface

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. area option introduced in Junos OS Release 9.2. area option introduced in Junos OS Release 9.2 for EX Series switches. realm option introduced in Junos OS Release 9.2. Command introduced in Junos OS Release 11.3 for the QFX Series. Display the status of Open Shortest Path First (OSPF) interfaces. none—Display standard information about the status of all OSPF interfaces for all routing

instances brief | detail | extensive—(Optional) Display the specified level of output. area area-id—(Optional) Display information about the interfaces that belong to the

specified area. interface-name—(Optional) Display information for the specified interface. instance instance-name—(Optional) Display all OSPF interfaces under the named routing

instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(Optional) (OSPFv3 only) Display

information about the interfaces for the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default. Required Privilege Level List of Sample Output

view

show ospf interface brief on page 2966 show ospf interface detail on page 2966 show ospf3 interface detail on page 2966


2963

®


show ospf interface detail(When Multiarea Adjacency Is Configured) on page 2966 show ospf interface area area-id on page 2967 show ospf interface extensive (When Flooding Reduction Is Enabled) on page 2967 show ospf interface extensive (When LDP Synchronization Is Configured) on page 2968 Output Fields

Table 313 on page 2964 lists the output fields for the show (ospf | ospf3) interface command. Output fields are listed in the approximate order in which they appear.

Table 313: show (ospf | ospf3) interface Output Fields Field Name

Field Description

Level of Output

Interface

Name of the interface running OSPF version 2 or OSPF version 3.

All levels

State

State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting.

All levels

Area

Number of the area that the interface is in.

All levels

DR ID

Address of the area's designated router.

All levels

BDR ID

Backup designated router for a particular subnet.

All levels

Nbrs

Number of neighbors on this interface.

All levels

Type

Type of interface: LAN, NBMA, P2MP, P2P, or Virtual.

detail extensive

Address

IP address of the neighbor.

detail extensive

Mask

Netmask of the neighbor.

detail extensive

Prefix-length

(OSPFv3) IPv6 prefix length, in bits.

detail extensive

OSPF3-Intf-Index

(OSPFv3) OSPF version 3 interface index.

detail extensive

MTU

Interface maximum transmission unit (MTU).

detail extensive

Cost

Interface cost (metric).

detail extensive

DR addr


detail extensive

BDR addr


detail extensive

Adj count

Number of adjacent neighbors.

detail extensive

Secondary

Indicates that this interface is configured as a secondary interface for this area. This interface can belong to more than one area, but can be designated as a primary interface for only one area.

detail extensive

Flood Reduction

Indicates that this interface is configured with flooding reduction. All self-originated LSAs from this interface are initially sent with the DoNotAge bit set. As a result, LSAs are refreshed only when a change occurs.

extensive

2964



Table 313: show (ospf | ospf3) interface Output Fields (continued) Field Name

Field Description

Level of Output

Priority

Router priority used in designated router (DR) election on this interface.

detail extensive

Flood list

List of link-state advertisements (LSAs) that might be about to flood this interface.

extensive

Ack list

Acknowledgment list. List of pending acknowledgments on this interface.

extensive

Descriptor list

List of packet descriptors.

extensive

Hello

Configured value for the hello timer.

detail extensive

Dead

Configured value for the dead timer.

detail extensive

Auth type

(OSPFv2) Authentication mechanism for sending and receiving OSPF protocol packets:

detail extensive

•

MD5—The MD5 mechanism is configured in accordance with RFC 2328.

•

None—No authentication method is configured.

•

Password—A simple password (RFC 2328) is configured.

Topology

(Multiarea adjacency) Name of topology: default or name.

LDP sync state

(OSPFv2 and LDP synchronization) Current state of LDP synchronization: in sync, in holddown, and not supported.

extensive

reason

(OSPFv2 and LDP synchronization) Reason for the current state of LDP synchronization. The LDP session might be up or down, or adjacency might be up or down.

extensive

config holdtime

(OSPFv2 and LDP synchronization) Configured value of the hold timer.

extensive

If the state is not synchronized, and the hold time is not infinity, the remaining field displays the number of seconds that remain until the configured hold timer expires. IPSec SA name

(OSPFv2) Name of the IPSec security association name.

detail extensive

Active key ID

(OSPFv2 and MD5) Number from 0 to 255 that uniquely identifies an MD5 key.

detail extensive

Start time

(OSPFv2 and MD5) Time at which the routing device starts using an MD5 key to authenticate OSPF packets transmitted on the interface on which this key is configured. To authenticate received OSPF protocol packets, the key becomes effective immediately after the configuration is committed. If the start time option is not configured, the key is effective immediately for send and receive and is displayed as Start time 1970 Jan 01 00:00:00 PST.

detail extensive

ReXmit

Configured value for the Retransmit timer.

detail extensive

Stub, Not Stub, or Stub NSSA

Type of area.

detail extensive


2965

®


Sample Output show ospf interface brief

user@host> show ospf interface brief Intf State Area at-5/1/0.0 PtToPt 0.0.0.0 ge-2/3/0.0 DR 0.0.0.0 lo0.0 DR 0.0.0.0 so-0/0/0.0 Down 0.0.0.0 so-6/0/1.0 PtToPt 0.0.0.0 so-6/0/2.0 Down 0.0.0.0 so-6/0/3.0 PtToPt 0.0.0.0

show ospf interface detail

user@host> show ospf interface detail Interface State Area DR ID BDR ID Nbrs fe-0/0/1.0 BDR 0.0.0.0 192.168.37.12 10.255.245.215 1 Type LAN, address 192.168.37.11, Mask 255.255.255.248, MTU 4460, Cost 40 DR addr 192.168.37.12, BDR addr 192.168.37.11, Adj count 1, Priority 128 Hello 10, Dead 40, ReXmit 5, Not Stub t1-0/2/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0 Type P2P, Address 0.0.0.0, Mask 0.0.0.0, MTU 1500, Cost 2604 Adj count 0 Hello 10, Dead 40, ReXmit 5, Not Stub Auth type: MD5, Active key ID 3, Start time 2002 Nov 19 10:00:00 PST IPsec SA Name: sa

show ospf3 interface detail

show ospf interface detail (When Multiarea Adjacency Is Configured)

DR ID 0.0.0.0 192.168.4.16 192.168.4.16 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

BDR ID 0.0.0.0 192.168.4.15 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

user@host> show ospf3 interface so-0/0/3.0 detail Interface State Area DR-ID BDR-ID so-0/0/3.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 Address fe80::2a0:a5ff:fe28:1dfc, Prefix-length 64 OSPF3-Intf-index 1, Type P2P, MTU 4470, Cost 12, Adj-count 1 Hello 10, Dead 40, ReXmit 5, Not Stub user@host> show ospf interface detail regress@router> show ospf interface detail Interface State Area lo0.0 DR 0.0.0.0

DR ID 10.255.245.2

Nbrs 1 1 0 0 1 0 1

Nbrs 1

BDR ID 0.0.0.0

Nbrs 0

Type: LAN, Address: 127.0.0.1, Mask: 255.255.255.255, MTU: 65535, Cost: 0 DR addr: 127.0.0.1, Adj count: 0, Priority: 128 Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 0 lo0.0 DR 0.0.0.0 10.255.245.2 0.0.0.0

0

Type: LAN, Address: 10.255.245.2, Mask: 255.255.255.255, MTU: 65535, Cost: 0 DR addr: 10.255.245.2, Adj count: 0, Priority: 128 Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 0 so-0/0/0.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1 Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 1 Adj count: 1 Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 1 so-0/0/0.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0

0

Type: P2P, Address: 192.168.37.46, Mask: 255.255.255.254, MTU: 4470, Cost: 1

2966



Adj count: 0, , Passive Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Passive, Cost: 1 so-1/0/0.0 PtToPt 0.0.0.0 0.0.0.0

0.0.0.0

1

Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 1 Adj count: 1 Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 1 so-1/0/0.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0

0

Type: P2P, Address: 192.168.37.54, Mask: 255.255.255.254, MTU: 4470, Cost: 1 Adj count: 0, , Passive Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Passive, Cost: 1 so-0/0/0.0 PtToPt 1.1.1.1 0.0.0.0 0.0.0.0 1 Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 1 Adj count: 1, Secondary Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 1 so-1/0/0.0 PtToPt 1.1.1.1 0.0.0.0 0.0.0.0

1

Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 1 Adj count: 1, Secondary Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 1 so-0/0/0.0 PtToPt 2.2.2.2 0.0.0.0 0.0.0.0

1

Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 1 Adj count: 1, Secondary Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 1 so-1/0/0.0 PtToPt 2.2.2.2 0.0.0.0 0.0.0.0

1

Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 1 Adj count: 1, Secondary Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None Topology default (ID 0) -> Cost: 1

show ospf interface area area-id

user@host> show ospf interface area 1.1.1.1 Interface State Area so-0/0/0.0 PtToPt 1.1.1.1 so-1/0/0.0 PtToPt 1.1.1.1

DR ID 0.0.0.0 0.0.0.0

BDR ID 0.0.0.0 0.0.0.0

Nbrs 1 1

show ospf interface extensive (When Flooding Reduction Is Enabled)

user@host> show ospf interface extensive Interface State Area fe-0/0/0.0 PtToPt 0.0.0.0

DR ID 0.0.0.0

BDR ID 0.0.0.0

Nbrs 0

Type: P2P, Adj count: Secondary, Hello: 10, Auth type:


Address: 10.10.10.1, Mask: 255.255.255.0, MTU: 1500, Cost: 1 0 Flood Reduction Dead: 40, ReXmit: 5, Not Stub None

2967

®


Topology default (ID 0) -> Cost: 1

show ospf interface extensive (When LDP Synchronization Is Configured)

2968

user@host> show ospf interface extensive Interface State Area DR ID BDR ID Nbrs so-1/0/3.0 Down 0.0.0.0 0.0.0.0 0.0.0.0 0 Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 4470, Cost: 65535 Adj count: 0 Hello: 10, Dead: 40, ReXmit: 5, Not Stub Auth type: None LDP sync state: in holddown, for: 00:00:08, reason: LDP down during config config holdtime: 10 seconds, remaining: 1



show (ospf | ospf3) io-statistics Syntax


Description Options

show (ospf | ospf3) io-statistics show (ospf | ospf3) io-statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display Open Shortest Path First (OSPF) input and output statistics. none—Display OSPF input and output statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

•

clear (ospf | ospf3) statistics on page 2942

show ospf io-statistics on page 2969 Table 314 on page 2969 lists the output fields for the show ospf io-statistics command. Output fields are listed in the approximate order in which they appear.

Table 314: show (ospf | ospf3) io-statistics Output Fields Field Name

Field Description

Packets read

Number of OSPF packets read since the last time the routing protocol was started.

average per run

Total number of packets divided by the total number of times the OSPF read operation is scheduled to run.

max run

Maximum number of packets for a given run among all scheduled runs.

Receive errors

Number of faulty packets received with errors.

Sample Output show ospf io-statistics

user@host> show ospf io-statistics Packets read: 7361, average per run: 1.00, max run: 1


2969

®


Receive errors: None

2970



show (ospf | ospf3) log Syntax


show (ospf | osfp3) log show (ospf | osfp3) log

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. topology option introduced in Junos OS Release 9.0. topology option introduced in Junos OS Release 9.0 for EX Series switches. realm option introduced in Junos OS Release 9.2. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Display the entries in the Open Shortest Path First (OSPF) log of SPF calculations.

Options

none—Display entries in the OSPF log of SPF calculations for all routing instances. instance instance-name—(Optional) Display entries for the specified routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. topology topology-name—(Optional) (OSPFv2 only) Display entries for the specified

topology. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(OSPFv3 only) (Optional) Display

entries for the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default. Required Privilege Level List of Sample Output

Output Fields

view

show ospf log on page 2972 show ospf log topology voice on page 2972 Table 315 on page 2971 lists the output fields for the show (ospf | ospf3) log command. Output fields are listed in the approximate order in which they appear.

Table 315: show (ospf | ospf3) log Output Fields Field Name

Field Description

When

Time, in weeks (w) and days (d), since the SPF calculation was made.


2971

®


Table 315: show (ospf | ospf3) log Output Fields (continued) Field Name

Field Description

Type

Type of calculation: Cleanup, External, Interarea, NSSA, Redist, SPF, Stub, Total, or Virtuallink.

Elapsed

Amount of time, in seconds, that elapsed during the operation, or the time required to complete the SPF calculation. The start time is the time displayed in the When field.

Sample Output show ospf log

user@host> show ospf log When Type 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d 1w4d ...

show ospf log topology voice

17:25:58 17:25:58 17:25:58 17:25:58 17:25:58 17:25:58 17:25:58 17:24:48 17:24:48 17:24:48 17:24:48 17:24:48 17:24:48 17:24:48 17:24:48

Stub SPF Stub Interarea External Cleanup Total SPF Stub SPF Stub Interarea External Cleanup Total

Elapsed 0.000017 0.000070 0.000019 0.000054 0.000005 0.000203 0.000537 0.000125 0.000017 0.000100 0.000016 0.000056 0.000005 0.000238 0.000600

user@host> show ospf log topology voice Topology voice SPF log: Last instance of each event type When Type Elapsed 00:06:11 SPF 0.000116 00:06:11 Stub 0.000114 00:06:11 Interarea 0.000126 00:06:11 External 0.000067 00:06:11 NSSA 0.000037 00:06:11 Cleanup 0.000186 Maximum length of each event type When Type Elapsed 00:13:43 SPF 0.000140 00:13:33 Stub 0.000116 00:13:43 Interarea 0.000128 00:13:33 External 0.000075 00:13:38 NSSA 0.000039 00:13:53 Cleanup 0.000657

2972

Last 100 events When Type

Elapsed

00:13:53

0.000090

SPF



00:13:53 00:13:53 00:13:53 00:13:53 00:13:53 00:13:53 . . 00:06:11 00:06:11 00:06:11 00:06:11 00:06:11 00:06:11 00:06:11


Stub Interarea External NSSA Cleanup Total

0.000041 0.000123 0.000040 0.000038 0.000657 0.001252

SPF Stub Interarea External NSSA Cleanup Total

0.000116 0.000114 0.000126 0.000067 0.000037 0.000186 0.000818

2973

®


show (ospf | ospf3) neighbor Syntax


Release Information

Description Options

show (ospf | ospf3) neighbor show (ospf | ospf3) neighbor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. instance all option introduced in Junos OS Release 9.1. instance all option introduced in Junos OS Release 9.1 for EX Series switches. area, interface, and realm options introduced in Junos OS Release 9.2. area and interface options introduced in Junos OS Release 9.2 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display information about Open Shortest Path First (OSPF) neighbors. none—Display standard information about all OSPF neighbors for all routing instances. brief | detail | extensive—(Optional) Display the specified level of output. area area-id—(Optional) Display information about the OSPF neighbors for the specified

area. instance (all | instance-name—(Optional) Display all OSPF interfaces for all routing

instances or under the named routing instance. interface interface-name—(Optional) Display information about OSPF neighbors for the

specified logical interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. neighbor—(Optional) Display information about the specified OSPF neighbor. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(Optional) (OSPFv3 only) Display

information about the OSPF neighbors for the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default.

2974




Output Fields

view

•

clear (ospf | ospf3) neighbor on page 2940

show ospf neighbor brief on page 2976 show ospf neighbor detail on page 2977 show ospf neighbor extensive on page 2977 show ospf3 neighbor detail on page 2978 show ospf neighbor area area-id on page 2978 show ospf neighbor interface interface-name on page 2978 show ospf3 neighbor instance all (OSPFv3 Multiple Family Address Support Enabled) on page 2978 Table 316 on page 2975 lists the output fields for the show (ospf | ospf3) neighbor command. Output fields are listed in the approximate order in which they appear.

Table 316: show (ospf | ospf3) neighbor Output Fields Field Name

Field Description

Level of Output

Address

Address of the neighbor.

All levels

Interface


All levels

State

State of the neighbor:

All levels

•

Attempt—Valid only for neighbors attached to nonbroadcast networks. It

indicates that no recent information has been received from the neighbor, but that a more concerted effort must be made to contact the neighbor. •

Down—Initial state of a neighbor conversation. It indicates that no recent

information has been received from the neighbor. Hello packets might continue to be sent to neighbors in the Down state, although at a reduced frequency. •

Exchange—Routing device is describing its entire link-state database by

sending database description packets to the neighbor. Each packet has a sequence number and is explicitly acknowledged. •

ExStart—First step in creating an adjacency between the two neighboring

routing devices. The goal of this step is to determine which routing device is the master, and to determine the initial sequence number. •

Full—Neighboring routing devices are fully adjacent. These adjacencies appear

in router link and network link advertisements. •

Init—A hello packet has recently been sent by the neighbor. However,

bidirectional communication has not yet been established with the neighbor. This state may occur, for example, because the routing device itself did not appear in the neighbor's hello packet. •

Loading—Link-state request packets are sent to the neighbor to acquire more

recent advertisements that have been discovered (but not yet received) in the Exchange state. •

2Way—Communication between the two routing devices is bidirectional. This

state has been ensured by the operation of the Hello Protocol. This is the most advanced state short of beginning adjacency establishment. The (backup) designated router is selected from the set of neighbors in state 2Way or greater.


2975

®


Table 316: show (ospf | ospf3) neighbor Output Fields (continued) Field Name

Field Description

Level of Output

ID

Router ID of the neighbor.

All levels

Pri

Priority of the neighbor to become the designated router.

All levels

Dead

Number of seconds until the neighbor becomes unreachable.

All levels

Link state acknowledgment list

Number of link-state acknowledgments received.

extensive

Link state retransmission list

Total number of link-state advertisements retransmitted. For extensive output only, the following information is also displayed:

detail extensive

•

Type—Type of link advertisement: ASBR, Sum, Extern, Network, NSSA, OpaqArea, Router, or Summary.

•

LSA ID—LSA identifier included in the advertisement. An asterisk preceding

the identifier marks database entries that originated from the local routing device. •

Adv rtr—Address of the routing device that sent the advertisement.

•

Seq—Link sequence number of the advertisement.

Neighbor-address

(OSPFv3 only) If the neighbor uses virtual links, the Neighbor-address is the site-local, local, or global address. If the neighbor uses a physical interface, the Neighbor-address is an IPv6 link-local address.

detail extensive

area

Area that the neighbor is in.

detail extensive

OSPF3-Intf-Index

(OSPFv3 only) Displays the OSPFv3 interface index.

detail extensive

opt

Option bits received in the hello packets from the neighbor.

detail extensive

DR or DR-ID


detail extensive

BDR or BDR-ID


detail extensive

Up

Length of time since the neighbor came up.

detail extensive

adjacent

Length of time since the adjacency with the neighbor was established.

detail extensive

Sample Output show ospf neighbor brief

2976

user@host> show ospf neighbor brief Address Intf 192.168.254.225 fxp3.0 192.168.254.230 fxp3.0 192.168.254.229 fxp3.0 10.1.1.129 fxp2.0 10.1.1.131 fxp2.0

State 2Way Full Full Full Full

ID 10.250.240.32 10.250.240.8 10.250.240.35 10.250.240.12 10.250.240.11

Pri 128 128 128 128 128

Dead 36 38 33 37 38



10.1.2.1 10.1.2.81

show ospf neighbor detail

fxp1.0 fxp0.0

Full Full

user@host> show ospf neighbor detail Address Interface State ID 10.5.1.2 ge-1/2/0.1 Full 10.5.1.2 area 0.0.0.1, opt 0x42, DR 10.5.1.2, BDR 10.5.1.1 Up 06:09:28, adjacent 05:17:36 Link state acknowledgment list: 3 entries

128 128

32 33

Pri 128

Dead 37

10.5.10.2 ge-1/2/0.10 ExStart 10.5.1.38 area 0.0.0.1, opt 0x42, DR 10.5.10.2, BDR 10.5.10.1 Up 06:09:28 master, seq 0xac1530f8, rexmit DBD in 3 sec rexmit LSREQ in 0 sec 10.5.11.2 ge-1/2/0.11 Full 10.5.1.42 area 0.0.0.1, opt 0x42, DR 10.5.11.2, BDR 10.5.11.1 Up 06:09:28, adjacent 05:26:46 Link state retransmission list: 1 entries

128

34

128

38

10.5.12.2 ge-1/2/0.12 ExStart 10.5.1.46 area 0.0.0.1, opt 0x42, DR 10.5.12.2, BDR 10.5.12.1 Up 06:09:28 master, seq 0xac188a68, rexmit DBD in 2 sec rexmit LSREQ in 0 sec

128

33

Pri 128

Dead 33

Link state retransmission list:

show ospf neighbor extensive

10.250.240.9 10.250.240.10

9 entries

user@host> show ospf neighbor extensive Address Interface State ID 10.5.1.2 ge-1/2/0.1 Full 10.5.1.2 area 0.0.0.1, opt 0x42, DR 10.5.1.2, BDR 10.5.1.1 Up 06:09:42, adjacent 05:17:50 Link state retransmission list: Type

LSA ID

Adv rtr

Seq

Summary

10.8.56.0

172.25.27.82

0x8000004d

Router

10.5.1.94

10.5.1.94

0x8000005c

Network

10.5.24.2

10.5.1.94

0x80000036

Summary

10.8.57.0

172.25.27.82

0x80000024

Extern

1.10.90.0

10.8.1.2

0x80000041

Extern

1.4.109.0

10.6.1.2

0x80000041

Router

10.5.1.190

10.5.1.190

0x8000005f

Network

10.5.48.2

10.5.1.190

0x8000003d

Summary

10.8.58.0

172.25.27.82

0x8000004d

Extern

1.10.91.0

10.8.1.2

0x80000041

Extern

1.4.110.0

10.6.1.2

0x80000041

Router

10.5.1.18

10.5.1.18

0x8000005f


2977

®


Network

10.5.5.2

10.5.1.18

0x80000033

Summary

10.8.59.0

172.25.27.82

0x8000003a

Summary

10.8.62.0

172.25.27.82

0x80000025

10.5.10.2 ge-1/2/0.10 ExStart 10.5.1.38 area 0.0.0.1, opt 0x42, DR 10.5.10.2, BDR 10.5.10.1 Up 06:09:42 master, seq 0xac1530f8, rexmit DBD in 2 sec rexmit LSREQ in 0 sec 10.5.11.2 ge-1/2/0.11 Full 10.5.1.42 area 0.0.0.1, opt 0x42, DR 10.5.11.2, BDR 10.5.11.1 Up 06:09:42, adjacent 05:27:00 Link state retransmission list: Type

show ospf3 neighbor detail

show ospf neighbor area area-id

show ospf neighbor interface interface-name

show ospf3 neighbor instance all (OSPFv3 Multiple Family

2978

LSA ID

Adv rtr

38

128

33

Seq

Summary

10.8.58.0

172.25.27.82

0x8000004d

Extern

1.10.91.0

10.8.1.2

0x80000041

Extern

1.1.247.0

10.5.1.2

0x8000003f

Extern

1.4.110.0

10.6.1.2

0x80000041

Router

10.5.1.18

10.5.1.18

0x8000005f

Network

10.5.5.2

10.5.1.18

0x80000033

Summary

10.8.59.0

172.25.27.82

0x8000003a

user@host> show ospf3 neighbor detail ID Interface State 10.255.71.13 fe-0/0/2.0 Full Neighbor-address fe80::290:69ff:fe9b:e002 area 0.0.0.0, opt 0x13, OSPF3-Intf-Index 2 DR-ID 10.255.71.13, BDR-ID 10.255.71.12 Up 02:51:43, adjacent 02:51:43 user@host >show ospf neighbor area 1.1.1.1 Address Interface 192.168.37.47 so-0/0/0.0 Area 1.1.1.1 192.168.37.55 so-1/0/0.0 Area 1.1.1.1

128

Pri 128

Dead 30

State Full

ID 10.255.245.4

Pri 128

Dead 33

Full

10.255.245.5

128

37

ID 10.255.245.4

Pri 128

Dead 37

10.255.245.4

128

33

10.255.245.4

128

32

user@host >show ospf neighbor interface so-0/0/0.0 Address Interface State 192.168.37.47 so-0/0/0.0 Full Area 0.0.0.0 192.168.37.47 so-0/0/0.0 Full Area 1.1.1.1 192.168.37.47 so-0/0/0.0 Full Area 2.2.2.2 user @host > show ospf3 neighbor instance all Instance: ina Realm: ipv6-unicast ID Interface

State

Pri

Dead



Address Support Enabled)

100.1.1.1 fe-0/0/2.0 Full Neighbor-address fe80::217:cb00:c87c:8c03 Instance: inb Realm: ipv4-unicast ID Interface State 100.1.2.1 fe-0/0/2.1 Full Neighbor-address fe80::217:cb00:c97c:8c03


128

37

Pri 128

Dead 33

2979

®


show (ospf | ospf3) overview Syntax


Description Options

show (ospf | ospf3) overview show (ospf | ospf3) overview

Command introduced in Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. realm option introduced in Junos OS Release 9.2. Database protection introduced in Junos 10.2. Command introduced in Junos OS Release 11.3 for the QFX Series. Display Open Shortest Path First (OSPF) overview information. none—Display standard information about all OSPF neighbors for all routing instances. brief | extensive—(Optional) Display the specified level of output. instance instance-name—(Optional) Display all OSPF interfaces under the named routing


systems or on a particular logical system. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(Optional) (OSPFv3 only) Display

information about the specified OSPFv3 realm, or address family. Use the realm option to specify an address family for OSPFv3 other than IPv6 unicast, which is the default. Required Privilege Level List of Sample Output

Output Fields

view

show ospf overview on page 2982 show ospf overview (With Database Protection) on page 2982 show ospf3 overview (With Database Protection) on page 2983 show ospf overview extensive on page 2983 Table 317 on page 2980 lists the output fields for the show ospf overview command. Output fields are listed in the approximate order in which they appear.

Table 317: show ospf overview Output Fields Field name

Field Description

Level of Output

Instance

OSPF routing instance.

All levels

2980



Table 317: show ospf overview Output Fields (continued) Field name

Field Description

Level of Output

Router ID

Router ID of the routing device.

All levels

Route table index

Route table index.

All levels

Configured overload

Overload capability is enabled. If the overload timer is also configured, display the time that remains before it is set to expire. This field is not displayed after the timer expires.

All levels

Toplogy

Topology identifier.

All levels

Prefix export count

Number of prefixes exported into OSPF.

All levels

Full SPF runs

Number of complete Shortest Path First calculations.

All levels

SPF delay

Delay before performing consecutive Shortest Path First calculations.

All levels

SPF holddown

Delay before performing additional Shortest Path First (SPF) calculations after the maximum number of consecutive SPF calculations is reached.

All levels

SPF rapid runs

Maximum number of Shortest Path First calculations that can be performed in succession before the hold-down timer begins.

All levels

LSA refresh time

Refresh period for link-state advertisement (in minutes).

All levels

Database protection state

Current state of database protection.

All levels

Warning threshold

Threshold at which a warning message is logged (percentage of maximum LSA count).

All levels

Non self-generated LSAs

Number of LSAs whose router ID is not equal to the local router ID: Current, Warning (threshold), and Allowed.

All levels

Ignore time

How long the database has been in the ignore state.

All levels

Reset time

How long the database must stay out of the ignore or isolated state before it returns to normal operations.

All levels

Ignore count

Number of times the database has been in the ignore state: Current and Allowed.

All levels

Restart

Graceful restart capability: enabled or disabled.

All levels

Restart duration

Time period for complete reacquisition of OSPF neighbors.

All levels

Restart grace period

Time period for which the neighbors should consider the restarting routing device as part of the topology.

All levels


2981

®


Table 317: show ospf overview Output Fields (continued) Field name

Field Description

Level of Output

Graceful restart helper mode

(OSPFv2) Standard graceful restart helper capability (based on RFC 3623): enabled or disabled.

All levels

Restart-signaling helper mode

(OSPFv2) Restart signaling-based graceful restart helper capability (based on RFC 4811, RFC 4812, and RFC 4813): enabled or disabled.

All levels

Helper mode

(OSPFv3) Graceful restart helper capability: enabled or disabled.

All levels

Trace options

OSPF-specific trace options.

extensive

Trace file

Name of the file to receive the output of the tracing operation.

extensive

Area

Area number. Area 0.0.0.0 is the backbone area.

All levels

Stub type

Stub type of area: Normal Stub, Not Stub, or Not so Stubby Stub.

All levels

Authentication Type

Type of authentication: None, Password, or MD5.

All levels

Area border routers

Number of area border routers.

All levels

Neighbors

Number of autonomous system boundary routers.

All levels

Sample Output show ospf overview

user@host> show ospf overview Instance: master Router ID: 10.255.245.6 Route table index: 0 Configured overload, expires in 118 seconds LSA refresh time: 50 minutes Restart: Enabled Restart duration: 20 sec Restart grace period: 40 sec Helper mode: enabled Area: 0.0.0.0 Stub type: Not Stub Authentication Type: None Area border routers: 0, AS boundary routers: 0 Neighbors Up (in full state): 0 Topology: default (ID 0) Prefix export count: 0 Full SPF runs: 1 SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3

show ospf overview (With Database Protection)

user@host> show ospf overview Instance: master Router ID: 10.255.112.218 Route table index: 0

2982



LSA refresh time: 50 minutes Traffic engineering Restart: Enabled Restart duration: 180 sec Restart grace period: 210 sec Graceful restart helper mode: Enabled Restart-signaling helper mode: Enabled Database protection state: Normal Warning threshold: 70 percent Non self-generated LSAs: Current 582, Warning 700, Allowed 1000 Ignore time: 30, Reset time: 60 Ignore count: Current 0, Allowed 1 Area: 0.0.0.0 Stub type: Not Stub Authentication Type: None Area border routers: 0, AS boundary routers: 0 Neighbors Up (in full state): 160 Topology: default (ID 0) Prefix export count: 0 Full SPF runs: 70 SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3 Backup SPF: Not Needed

show ospf3 overview (With Database Protection)

show ospf overview extensive

user@host> show ospf3 overview Instance: master Router ID: 10.255.112.128 Route table index: 0 LSA refresh time: 50 minutes Database protection state: Normal Warning threshold: 80 percent Non self-generated LSAs: Current 3, Warning 8, Allowed 10 Ignore time: 30, Reset time: 60 Ignore count: Current 0, Allowed 2 Area: 0.0.0.0 Stub type: Not Stub Area border routers: 0, AS boundary routers: 0 Neighbors Up (in full state): 1 Topology: default (ID 0) Prefix export count: 0 Full SPF runs: 7 SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3 Backup SPF: Not Needed user@host> show ospf overview extensive Instance: master Router ID: 1.1.1.103 Route table index: 0 Full SPF runs: 13, SPF delay: 0.200000 sec LSA refresh time: 50 minutes Restart: Disabled Trace options: lsa Trace file: /var/log/ospf size 131072 files 10 Area: 0.0.0.0 Stub type: Not Stub Authentication Type: None Area border routers: 0, AS boundary routers: 0 Neighbors Up (in full state): 1


2983

®


2984



show (ospf | ospf3) route Syntax


Release Information

Description Options

show (ospf | ospf3) route show (ospf | ospf3) route show bgp neighbor Peer: 1.1.1.4+179 AS 2 Local: 1.1.1.2+62084 AS 2 Type: Internal State: Established Flags: Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: None Options: Address families configured: inet-vpn-unicast Local Address: 1.1.1.2 Holdtime: 90 Preference: 170 Number of flaps: 0 Peer ID: 1.1.1.4 Local ID: 1.1.1.2 Active Holdtime: 90 Keepalive Interval: 30 Peer index: 0 BFD: disabled, down NLRI for restart configured on peer: inet-vpn-unicast NLRI advertised by peer: inet-vpn-unicast NLRI for this session: inet-vpn-unicast Peer supports Refresh capability (2) Stale routes from peer are kept for: 300 Peer does not support Restarter functionality Peer does not support Receiver functionality NLRI that restart is negotiated for: inet-vpn-unicast NLRI of received end-of-rib markers: inet-vpn-unicast NLRI of all end-of-rib markers sent: inet-vpn-unicast Peer supports 4 byte AS extension (peer-as 2) Peer does not support Addpath Table bgp.l3vpn.0 RIB State: BGP restart is complete RIB State: VPN restart is complete Send state: not advertising Active prefixes: 2



Received prefixes: 2 Accepted prefixes: 2 Suppressed due to damping: 0 Table red.inet.0 Bit: 20001 RIB State: BGP restart is complete RIB State: VPN restart is complete Send state: in sync Active prefixes: 2 Received prefixes: 2 Accepted prefixes: 2 Suppressed due to damping: 0 Advertised prefixes: 2 Last traffic (seconds): Received 16 Sent 11 Checked 10 Input messages: Total 193 Updates 3 Refreshes 0 Output messages: Total 196 Updates 2 Refreshes 0 Output Queue[0]: 0 Output Queue[1]: 0

Octets 3816 Octets 3932

show bgp neighbor (CLNS)

user@host> show bgp neighbor Peer: 10.245.245.1+179 AS 200 Local: 10.245.245.3+3770 AS 100 Type: External State: Established Flags: Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: None Options: Address families configured: iso-vpn-unicast Local Address: 10.245.245.3 Holdtime: 90 Preference: 170 Number of flaps: 0 Peer ID: 10.245.245.1 Local ID: 10.245.245.3 Active Holdtime: 90 Keepalive Interval: 30 Peer index: 0 NLRI advertised by peer: iso-vpn-unicast NLRI for this session: iso-vpn-unicast Peer supports Refresh capability (2) Table bgp.isovpn.0 Bit: 10000 RIB State: BGP restart is complete RIB State: VPN restart is complete Send state: in sync Active prefixes: 3 Received prefixes: 3 Suppressed due to damping: 0 Advertised prefixes: 3 Table aaaa.iso.0 RIB State: BGP restart is complete RIB State: VPN restart is complete Send state: not advertising Active prefixes: 3 Received prefixes: 3 Suppressed due to damping: 0 Last traffic (seconds): Received 6 Sent 5 Checked 5 Input messages: Total 1736 Updates 4 Refreshes 0 Octets 33385 Output messages: Total 1738 Updates 3 Refreshes 0 Octets 33305 Output Queue[0]: 0 Output Queue[1]: 0

show bgp neighbor (Layer 2 VPN)

user@host> show bgp neighbor Peer: 10.69.103.2 AS 65100 Local: 10.69.103.1 AS 65103 Type: External State: Active Flags: Last State: Idle Last Event: Start Last Error: None Export: [ BGP-INET-import ]


3017

®


Options: Address families configured: inet-unicast Local Address: 10.69.103.1 Holdtime: 90 Preference: 170 Number of flaps: 0 Peer: 10.69.104.2 AS 65100 Local: 10.69.104.1 AS 65104 Type: External State: Active Flags: Last State: Idle Last Event: Start Last Error: None Export: [ BGP-L-import ] Options: Address families configured: inet-labeled-unicast Local Address: 10.69.104.1 Holdtime: 90 Preference: 170 Number of flaps: 0 Peer: 10.255.14.182+179 AS 69 Local: 10.255.14.176+2131 AS 69 Type: Internal State: Established Flags: Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: None Options: Address families configured: inet-vpn-unicast l2vpn Local Address: 10.255.14.176 Holdtime: 90 Preference: 170 Number of flaps: 0 Peer ID: 10.255.14.182 Local ID: 10.255.14.176 Active Holdtime: 90 Keepalive Interval: 30 NLRI for restart configured on peer: inet-vpn-unicast l2vpn NLRI advertised by peer: inet-vpn-unicast l2vpn NLRI for this session: inet-vpn-unicast l2vpn Peer supports Refresh capability (2) Restart time configured on the peer: 120 Stale routes from peer are kept for: 300 Restart time requested by this peer: 120 NLRI that peer supports restart for: inet-vpn-unicast l2vpn NLRI peer can save forwarding state: inet-vpn-unicast l2vpn NLRI that peer saved forwarding for: inet-vpn-unicast l2vpn NLRI that restart is negotiated for: inet-vpn-unicast l2vpn NLRI of received end-of-rib markers: inet-vpn-unicast l2vpn Table bgp.l3vpn.0 Bit: 10000 RIB State: BGP restart in progress RIB State: VPN restart in progress Send state: in sync Active prefixes: 10 Received prefixes: 10 Suppressed due to damping: 0 Table bgp.l2vpn.0 Bit: 20000 RIB State: BGP restart in progress RIB State: VPN restart in progress Send state: in sync Active prefixes: 1 Received prefixes: 1 Suppressed due to damping: 0 Table BGP-INET.inet.0 Bit: 30000 RIB State: BGP restart in progress RIB State: VPN restart in progress Send state: in sync Active prefixes: 2 Received prefixes: 2 Suppressed due to damping: 0 Table BGP-L.inet.0 Bit: 40000 RIB State: BGP restart in progress

3018



RIB State: VPN restart in progress Send state: in sync Active prefixes: 2 Received prefixes: 2 Suppressed due to damping: 0 Table LDP.inet.0 Bit: 50000 RIB State: BGP restart is complete RIB State: VPN restart in progress Send state: in sync Active prefixes: 1 Received prefixes: 1 Suppressed due to damping: 0 Table OSPF.inet.0 Bit: 60000 RIB State: BGP restart is complete RIB State: VPN restart in progress Send state: in sync Active prefixes: 2 Received prefixes: 2 Suppressed due to damping: 0 Table RIP.inet.0 Bit: 70000 RIB State: BGP restart is complete RIB State: VPN restart in progress Send state: in sync Active prefixes: 2 Received prefixes: 2 Suppressed due to damping: 0 Table STATIC.inet.0 Bit: 80000 RIB State: BGP restart is complete RIB State: VPN restart in progress Send state: in sync Active prefixes: 1 Received prefixes: 1 Suppressed due to damping: 0 Table L2VPN.l2vpn.0 Bit: 90000 RIB State: BGP restart is complete RIB State: VPN restart in progress Send state: in sync Active prefixes: 1 Received prefixes: 1 Suppressed due to damping: 0 Last traffic (seconds): Received 0 Sent 0 Input messages: Total 14 Updates 13 Output messages: Total 3 Updates 0 Output Queue[0]: 0 Output Queue[1]: 0 Output Queue[2]: 0 Output Queue[3]: 0 Output Queue[4]: 0 Output Queue[5]: 0 Output Queue[6]: 0 Output Queue[7]: 0 Output Queue[8]: 0

show bgp neighbor (Layer 3 VPN)

Checked 0 Refreshes 0 Refreshes 0

Octets 1053 Octets 105

user@host> show bgp neighbor Peer: 4.4.4.4+179 AS 10045 Local: 5.5.5.5+1214 AS 10045 Type: Internal State: Established Flags: Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: None Export: [ match-all ] Import: [ match-all ] Options:


3019

®


Address families configured: inet-vpn-unicast Local Address: 5.5.5.5 Holdtime: 90 Preference: 170 Flags for NLRI inet-labeled-unicast: TrafficStatistics Traffic Statistics: Options: all File: /var/log/bstat.log size 131072 files 10 Traffic Statistics Interval: 60 Number of flaps: 0 Peer ID: 192.168.1.110 Local ID: 192.168.1.111 Active Holdtime: 90 Keepalive Interval: 30 NLRI for restart configured on peer: inet-vpn-unicast NLRI advertised by peer: inet-vpn-unicast NLRI for this session: inet-vpn-unicast Peer supports Refresh capability (2) Restart time configured on the peer: 120 Stale routes from peer are kept for: 300 Restart time requested by this peer: 120 NLRI that peer supports restart for: inet-vpn-unicast NLRI peer can save forwarding state: inet-vpn-unicast NLRI that peer saved forwarding for: inet-vpn-unicast NLRI that restart is negotiated for: inet-vpn-unicast NLRI of received end-of-rib markers: inet-vpn-unicast NLRI of all end-of-rib markers sent: inet-vpn-unicast Table bgp.l3vpn.0 Bit: 10000 RIB State: BGP restart is complete RIB State: VPN restart is complete Send state: in sync Active prefixes: 2 Received prefixes: 2 Suppressed due to damping: 0 Table vpn-green.inet.0 Bit: 20001 RIB State: BGP restart is complete RIB State: VPN restart is complete Send state: in sync Active prefixes: 2 Received prefixes: 2 Suppressed due to damping: 0 Last traffic (seconds): Received 15 Sent 20 Checked 20 Input messages: Total 40 Updates 2 Refreshes 0 Octets 856 Output messages: Total 44 Updates 2 Refreshes 0 Octets 1066 Output Queue[0]: 0 Output Queue[1]: 0 Trace options: detail packets Trace file: /var/log/bgpgr.log size 131072 files 10

show bgp neighbor neighbor-address

3020

user@host> show bgp neighbor 192.168.1.111 Peer: 10.255.245.12+179 AS 35 Local: 10.255.245.13+2884 AS 35 Type: Internal State: Established (route reflector client)Flags: Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: None Options: Address families configured: inet-vpn-unicast inet-labeled-unicast Local Address: 10.255.245.13 Holdtime: 90 Preference: 170 Flags for NLRI inet-vpn-unicast: AggregateLabel Flags for NLRI inet-labeled-unicast: AggregateLabel Number of flaps: 0 Peer ID: 10.255.245.12 Local ID: 10.255.245.13 Active Holdtime: 90 Keepalive Interval: 30 BFD: disabled NLRI advertised by peer: inet-vpn-unicast inet-labeled-unicast NLRI for this session: inet-vpn-unicast inet-labeled-unicast



Peer supports Refresh capability (2) Restart time configured on the peer: 300 Stale routes from peer are kept for: 60 Restart time requested by this peer: 300 NLRI that peer supports restart for: inet-unicast inet6-unicast NLRI that restart is negotiated for: inet-unicast inet6-unicast NLRI of received end-of-rib markers: inet-unicast inet6-unicast NLRI of all end-of-rib markers sent: inet-unicast inet6-unicast Table inet.0 Bit: 10000 RIB State: restart is complete Send state: in sync Active prefixes: 4 Received prefixes: 6 Suppressed due to damping: 0 Table inet6.0 Bit: 20000 RIB State: restart is complete Send state: in sync Active prefixes: 0 Received prefixes: 2 Suppressed due to damping: 0 Last traffic (seconds): Received 3 Sent 3 Checked 3 Input messages: Total 9 Updates 6 Refreshes 0 Octets 403 Output messages: Total 7 Updates 3 Refreshes 0 Octets 365 Output Queue[0]: 0 Output Queue[1]: 0 Trace options: detail packets Trace file: /var/log/bgpgr size 131072 files 10

show bgp neighbor neighbor-address

user@host> show bgp neighbor 192.168.4.222 Peer: 192.168.4.222+4902 AS 65501 Local: 192.168.4.221+179 AS 65500 Type: External State: Established Flags: Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: Cease Export: [ export-policy ] Import: [ import-policy ] Options: Address families configured: inet-unicast inet-multicast Holdtime: 60000 Preference: 170 Number of flaps: 4 Last flap event: RecvUpdate Error: 'Cease' Sent: 5 Recv: 0 Peer ID: 10.255.245.6 Local ID: 10.255.245.5 Active Holdtime: 60000 Keepalive Interval: 20000 Peer index: 0 BFD: disabled, down Local Interface: fxp0.0 NLRI advertised by peer: inet-unicast inet-multicast NLRI for this session: inet-unicast inet-multicast Peer supports Refresh capability (2) Table inet.0 Bit: 10000 RIB State: BGP restart is complete Send state: in sync Active prefixes: 8 Received prefixes: 10 Accepted prefixes: 10 Suppressed due to damping: 0 Advertised prefixes: 3 Table inet.2 Bit: 20000 RIB State: BGP restart is complete Send state: in sync Active prefixes: 0 Received prefixes: 0 Accepted prefixes: 0


3021

®


Suppressed due to damping: 0 Advertised prefixes: 0 Last traffic (seconds): Received 357 Sent 357 Checked 357 Input messages: Total 4 Updates 2 Refreshes 0 Octets 211 Output messages: Total 4 Updates 1 Refreshes 0 Octets 147 Output Queue[0]: 0 Output Queue[1]: 0 Trace options: all Trace file: /var/log/bgp size 10485760 files 10

show bgp neighbor orf neighbor-address detail

user@host > show bgp neighbor orf 192.168.165.56 detail Peer: 192.168.165.56+179 Type: External Group: ext1 inet-unicast Filter updates recv: 1 Immediate: 1 Filter: prefix-based receive Received filter entries: seq 1: prefix 2.2.2.2/32: minlen 32: maxlen 32: match deny: inet6-unicast Filter updates recv: 0 Immediate: Filter: prefix-based receive Received filter entries: *:*

3022

1



show bgp summary Syntax


Description Options

show bgp summary show bgp summary

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. exact-instance option introduced in Junos OS Release 11.4. Display BGP summary information. none—Display BGP summary information for all routing instances. exact-instance instance-name—(Optional) Display information for the specified instance

only. instance instance-name—(Optional) Display information for all routing instances whose

name begins with this string (for example, cust1, cust11, and cust111 are all displayed when you run the show bgp summary instance cust1 command). The instance name can be master for the main instance, or any valid configured instance name or its prefix. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. Required Privilege Level List of Sample Output

Output Fields

view

show bgp summary (When a Peer Is Not Established) on page 3026 show bgp summary (When a Peer Is Established) on page 3026 show bgp summary (CLNS) on page 3026 show bgp summary (Layer 2 VPN) on page 3026 show bgp summary (Layer 3 VPN) on page 3027 Table 326 on page 3023 describes the output fields for the show bgp summary command. Output fields are listed in the approximate order in which they appear.

Table 326: show bgp summary Output Fields Field Name

Field Description

Groups

Number of BGP groups.

Peers

Number of BGP peers.


3023

®


Table 326: show bgp summary Output Fields (continued) Field Name

Field Description

Down peers

Number of down BGP peers.

Table

Name of routing table.

Tot Paths

Total number of paths.

Act Paths

Number of active routes.

Suppressed

Number of routes currently inactive because of damping or other reasons. These routes do not appear in the forwarding table and are not exported by routing protocols.

History

Number of withdrawn routes stored locally to keep track of damping history.

Damp State

Number of routes with a figure of merit greater than zero, but still active because the value has not reached the threshold at which suppression occurs.

Pending

Routes in process by BGP import policy.

Peer

Address of each BGP peer. Each peer has one line of output.

AS

Peer's AS number.

InPkt

Number of packets received from the peer.

OutPkt

Number of packets sent to the peer.

OutQ

Number of BGP packets that are queued to be transmitted to a particular neighbor. It normally is 0 because the queue usually is emptied quickly.

Flaps

Number of times the BGP session has gone down and then come back up.

Last Up/Down

Last time since the neighbor transitioned to or from the established state.

3024



Table 326: show bgp summary Output Fields (continued) Field Name

Field Description

State|#Active /Received/Accepted /Damped

Multipurpose field that displays information about BGP peer sessions. The field’s contents depend upon whether a session is established and whether it was established on the main routing device or in a routing instance. •

If a peer is not established, the field shows the state of the peer session: Active, Connect, or Idle.

•

If a BGP session is established on the main routing device, the field shows the number of active, received, accepted, and damped routes that are received from a neighbor and appear in the inet.0 (main) and inet.2 (multicast) routing tables. For example, 8/10/10/2 and 2/4/4/0 indicate the following:

•

•

8 active routes, 10 received routes, 10 accepted routes, and 2 damped routes from a BGP peer appear in the inet.0 routing table.

•

2 active routes, 4 received routes, 4 accepted routes, and no damped routes from a BGP peer appear in the inet.2 routing table.

If a BGP session is established in a routing instance, the field indicates the established (Establ) state, identifies the specific routing table that receives BGP updates, and shows the number of active, received, and damped routes that are received from a neighbor. For example, Establ VPN-AB.inet.0: 2/4/0 indicates the following: •

The BGP session is established.

•

Routes are received in the VPN-AB.inet.0 routing table.

•

The local routing device has two active routes, four received routes, and no damped routes from a BGP peer.

When a BGP session is established, the peers are exchanging update messages.


3025

®


Sample Output show bgp summary (When a Peer Is Not Established)

user@host> show bgp summary Groups: 2 Peers: 4 Down peers: 1 Table Tot Paths Act Paths Suppressed History Damp State Pending inet.0 6 4 0 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Damped... 10.0.0.3 65002 86 90 0 2 42:54 0/0/0 0/0/0 10.0.0.4

65002

90

91

0

1

42:54 0/2/0

0/0/0 10.0.0.6 10.1.12.1

65002 65001

87 89

90 89

0 0

3 1

3 Active 42:54 4/4/0

0/0/0

show bgp summary (When a Peer Is Established)

user@host> show bgp summary Groups: 1 Peers: 3 Down peers: 0 Table Tot Paths Act Paths Suppressed History Damp State Pending inet.0 6 4 0 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Damped... 10.0.0.2 65002 88675 88652 0 2 42:38 2/4/0 0/0/0 10.0.0.3

65002

54528

54532

0

1

2w4d22h 0/0/0

0/0/0 10.0.0.4

65002

51597

51584

0

0

2w3d22h 2/2/0

OutPkt

OutQ

1737

0

0/0/0

show bgp summary (CLNS)

show bgp summary (Layer 2 VPN)

3026

user@host> show bgp summary Groups: 1 Peers: 1 Down peers: 0 Peer AS InPkt State|#Active/Received/Damped... 10.245.245.1 200 1735 bgp.isovpn.0: 3/3/0 aaaa.iso.0: 3/3/0

Flaps Last Up/Dwn 0

14:26:12 Establ

user@host> show bgp summary Groups: 1 Peers: 5 Down peers: 0 Table Tot Paths Act Paths Suppressed History Damp State bgp.l2vpn.0 1 1 0 0 0 inet.0 0 0 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Damped... 10.255.245.35 65299 72 74 0 1 19:00 bgp.l2vpn.0: 1/1/0 frame-vpn.l2vpn.0: 1/1/0 10.255.245.36 65299 2164 2423 0 4 19:50 bgp.l2vpn.0: 0/0/0 frame-vpn.l2vpn.0: 0/0/0 10.255.245.37 65299 36 37 0 4 17:07 inet.0: 0/0/0 10.255.245.39 65299 138 168 0 6 53:48

Pending 0 0

Establ

Establ

Establ Establ



bgp.l2vpn.0: 0/0/0 frame-vpn.l2vpn.0: 0/0/0 10.255.245.69 65299 inet.0: 0/0/0

show bgp summary (Layer 3 VPN)

134

140

0

6

53:42 Establ

user@host> show bgp summary Groups: 2 Peers: 2 Down peers: 0 Table Tot Paths Act Paths Suppressed History Damp State Pending bgp.l3vpn.0 2 2 0 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Damped... 10.39.1.5 2 21 22 0 0 6:26 Establ VPN-AB.inet.0: 1/1/0 10.255.71.15 1 19 21 0 0 6:17 Establ bgp.l3vpn.0: 2/2/0 VPN-A.inet.0: 1/1/0 VPN-AB.inet.0: 2/2/0 VPN-B.inet.0: 1/1/0


3027

®


show ipv6 neighbors Syntax Release Information


Output Fields

show ipv6 neighbors

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.3 for EX Series switches. Display information about the IPv6 neighbor cache. This command has no options. view

•

clear ipv6 neighbors on page 1978

show ipv6 neighbors on page 3028 show ipv6 neighbors on page 3028 Table 236 on page 2063 describes the output fields for the show ipv6 neighbors command. Output fields are listed in the approximate order in which they appear.

Table 327: show ipv6 neighbors Output Fields Field Name

Field Description

IPv6 Address

Name of the IPv6 interface.

Linklayer Address

Link-layer address.

State

State of the link: up, down, incomplete, reachable, stale, or unreachable.

Exp

Number of seconds until the entry expires.

Rtr

Whether the neighbor is a routing device: yes or no.

Secure

Whether this entry was created using the Secure Neighbor Discovery (SEND) protocol: yes or no.

Interface


Sample Output show ipv6 neighbors

show ipv6 neighbors

3028

user@host> show ipv6 neighbors IPv6 Address Linklayer Address fe80::2a0:c9ff:fe5b:4c1e 00:a0:c9:5b:4c:1e

State reachable

Exp 15

Rtr yes

Interface fxp0.0

user@host > show ipv6 neighbors



IPv6 Address Interface fe80::14fb:5dcf:54bd:ff76 ge-3/2/0.0


Linklayer Address

State

Exp Rtr Secure

00:90:69:a0:a8:bc

stale

1113 yes yes

3029

®


show isis adjacency Syntax


Release Information

Description Options

show isis adjacency show isis adjacency

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display information about Intermediate System-to-Intermediate System (IS-IS) neighbors. none—Display standard information about IS-IS neighbors for all routing instances. system id—(Optional) Display information about IS-IS neighbors for the specified

intermediate system. brief | detail | extensive—(Optional) Display standard information about IS-IS neighbors

with the specified level of output. instance instance-name—(Optional) Display information about IS-IS neighbors for the

specified routing instance. logical-system (all | logical-system-name)—(Optional) Display information about IS-IS

neighbors for all logical systems or for a particular logical system. Required Privilege Level Related Documentation List of Sample Output

Output Fields

view

•

clear isis adjacency on page 2950

show isis adjacency on page 3032 show isis adjacency brief on page 3032 show isis adjacency detail on page 3032 show isis adjacency extensive on page 3033 Table 328 on page 3030 describes the output fields for the show isis adjacency command. Output fields are listed in the approximate order in which they appear.

Table 328: show isis adjacency Output Fields Field Name

Field Description

Level of Output

Interface


All levels

3030



Table 328: show isis adjacency Output Fields (continued) Field Name

Field Description

Level of Output

System

System identifier (sysid), displayed as a name, if possible.

brief

L or Level

Level:

All levels

•

1—Level 1 only

•

2—Level 2 only

•

3—Level 1 and Level 2

An exclamation point (!) preceding the level number indicates that the adjacency is missing an IP address. State

State of the adjacency: Up, Down, New, One-way, Initializing, or Rejected.

All levels

Hold (secs)

Remaining hold time of the adjacency.

brief

SNPA

Subnetwork point of attachment (MAC address of the next hop).

brief

Expires in

How long until the adjacency expires, in seconds.

detail

Priority

Priority to become the designated intermediate system.

detail extensive

Up/Down transitions

Count of adjacency status changes from Up to Down or from Down to Up.

detail

Last transition

Time of the last Up/Down transition.

detail

Circuit type

Bit mask of levels on this interface: 1=Level 1 router; 2=Level 2 router; 3=both Level 1 and Level 2 router.

detail

Speaks

Protocols supported by this neighbor.

detail extensive

MAC address

MAC address of the interface.

detail extensive

Topologies

Supported topologies.

detail extensive

Restart capable

Whether a neighbor is capable of graceful restart: Yes or No.

detail extensive

Adjacency advertisement: Advertise

This router has signaled to advertise this interface to its neighbors in their label-switched paths (LSPs).

detail extensive

Adjacency advertisement: Suppress

This neighbor has signaled not to advertise the interface in the router's outbound LSPs.

detail extensive

IP addresses

IP address of this neighbor.

detail extensive


3031

®


Table 328: show isis adjacency Output Fields (continued) Field Name

Field Description

Level of Output

Transition log

List of recent transitions, including:

extensive

•

When—Time at which an IS-IS adjacency transition occurred.

•

State—Current state of the IS-IS adjacency (up, down, or rejected).

•

•

•

Up—Adjacency is up and operational.

•

Down—Adjacency is down and not available.

•

Rejected—Adjacency has been rejected.

Event—Type of transition that occurred. •

Seenself—Possible routing loop has been detected.

•

Interface down—IS-IS interface has gone down and is no longer available.

•

Error—Adjacency error.

Down reason—Reason that an IS-IS adjacency is down: •

3-Way Handshake Failed—Connection establishment failed.

•

Address Mismatch—Address mismatch caused link failure.

•

Aged Out—Link expired.

•

ISO Area Mismatch—IS-IS area mismatch caused link failure.

•

Bad Hello—Unacceptable hello message caused link failure.

•

BFD Session Down—Bidirectional failure detection caused link failure.

•

Interface Disabled—IS-IS interface is disabled.

•

Interface Down—IS-IS interface is unavailable.

•

Interface Level Disabled—IS-IS level is disabled.

•

Level Changed—IS-IS level has changed on the adjacency.

•

Level Mismatch—Levels on adjacency are not compatible.

•

MPLS LSP Down—Label-switched path (LSP) is unavailable.

•

MT Topology Changed—IS-IS topology has changed.

•

MT Topology Mismatch—IS-IS topology is mismatched.

•

Remote System ID Changed—Adjacency peer system ID changed.

•

Protocol Shutdown—IS-IS protocol is disabled.

•

CLI Command—Adjacency brought down by user.

•

Unknown—Unknown.

Sample Output show isis adjacency

user@host> show isis adjacency Interface System at-2/3/0.0 ranier

L State 3 Up

Hold (secs) SNPA 23

show isis adjacency brief

The output for the show isis adjacency brief command is identical to that for the show isis adjacency command. For sample output, see show isis adjacency on page 3032.

show isis adjacency detail

user@host> show isis adjacency detail ranier Interface: at-2/3/0.0, Level: 3, State: Up, Expires in 21 secs Priority: 0, Up/Down transitions: 1, Last transition: 00:01:09 ago Circuit type: 3, Speaks: IP, IPv6

3032



Topologies: Unicast Restart capable: Yes IP addresses: 11.1.1.2

show isis adjacency extensive

user@host> show isis adjacency extensive ranier Interface: at-2/3/0.0, Level: 3, State: Up, Expires in 22 secs Priority: 0, Up/Down transitions: 1, Last transition: 00:01:16 ago Circuit type: 3, Speaks: IP, IPv6 Topologies: Unicast Restart capable: Yes IP addresses: 11.1.1.2 Transition log: When State Event Down reason Wed Nov 8 21:24:25 Up Seenself


3033

®


show isis authentication Syntax


Description

Options

show isis authentication show isis authentication

Command introduced in Junos OS Release 7.5. Command introduced in Junos OS Release 9.0 for EX Series switches. Support for hitless authentication key rollover introduced in Junos OS Release 11.2. Command introduced in Junos OS Release 12.1 for the QFX Series. Display information about Intermediate System-to-Intermediate System (IS-IS) authentication. none—Display information about IS-IS authentication. instance instance-name—(Optional) Display IS-IS authentication for the specified routing



Output Fields

view

show isis authentication on page 3035 show isis authentication (With Hitless Authentication Key Rollover Configured) on page 3035 Table 329 on page 3034 describes the output fields for the show isis authentication command. Output fields are listed in the approximate order in which they appear.

Table 329: show isis authentication Output Fields Field Name

Field Description

Interface

Interface name.

Level

IS-IS level.

IIH Auth

IS-IS Hello (IIH) packet authentication type. Displays the name of the active keychain if hitless authentication key rollover is configured.

3034

CSN Auth

Complete sequence number authentication type.

PSN Auth

Partial sequence number authentication type.



Table 329: show isis authentication Output Fields (continued) Field Name

Field Description

L1 LSP Authentication

Layer 1 link-state PDU authentication type.

L2 LSP Authentication

Layer 2 link-state PDU authentication type.

Sample Output show isis authentication

user@host> show isis authentication Interface Level IIH Auth at-2/3/0.0 1 Simple 2 MD5

CSN Auth Simple MD5

PSN Auth Simple MD5

user@host> show isis authentication Interface Level IIH Auth CSN Auth so-0/1/3.0 2 hakrhello MD5

PSN Auth MD5

L1 LSP Authentication: Simple L2 LSP Authentication: MD5

show isis authentication (With Hitless Authentication Key Rollover Configured)

L2 LSP Authentication: MD5


3035

®


show isis backup coverage Syntax


Description Options

show isis backup coverage show isis backup coverage

Command introduced in Junos OS Release 9.5. Command introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display information about the level of backup coverage available. none—Display information about the level of backup coverage available for all the nodes

and prefixes in the network. instance instance-name—(Optional) Display information about the level of backup

coverage for a specific IS-IS routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

•

show isis backup label-switched-path on page 3038

show isis backup coverage on page 3037 Table 330 on page 3036 lists the output fields for the show isis backup coverage command. Output fields are listed in the approximate order in which they appear.

Table 330: show isis backup coverage Output Fields

3036

Field Name

Field Description

Topology

Type of topology or address family: IPV4 Unicast or IPV6 Unicast.

Level

IS-IS level: •

1—Level 1

•

2—Level 2

Node

By topology, the percentage of all routes configured on the node that are protected through backup coverage.

IPv4

Percentage of IPv4 unicast routes that are protected through backup coverage.



Table 330: show isis backup coverage Output Fields (continued) Field Name

Field Description

IPv6

Percentage of IPv6 unicast routes that are protected through backup coverage.

CLNS

Percentage of Connectionless Network Service (CLNS) routes that are protected through backup coverage.

Sample Output show isis backup coverage

user@host> show isis backup coverage Backup Coverage: Topology Level Node IPV4 Unicast 2 28.57% IPV6 Unicast 2 0.00%


IPv4 22.22% 0.00%

IPv6 0.00% 0.00%

CLNS 0.00% 0.00%

3037

®


show isis backup label-switched-path Syntax

show isis backup label-switched-path


show isis backup label-switched-path

Release Information


Description

Display information about MPLS label-switched-paths (LSPs) designated as backup routes for IS-IS routes.

Options

none—Display information about MPLS LSPs designated as backup routes for IS-IS

routes. logical-system (all | logical-system-name—(Optional) Perform this operation on all logical

systems or on a particular logical system. Required Privilege Level

view


•


show isis backup coverage on page 3036

show isis backup label-switched-path on page 3039

Output Fields

Table 331 on page 3038 lists the output fields for the show isis backup label-switched-path command. Output fields are listed in the approximate order in which they appear.

Table 331: show isis backup label-switched-path Output Fields Field Name

Field Description

Backup MPLS LSPs

List of MPLS LSPs designated as backup paths for IS-IS routes.

Egress

IP address of the egress routing device for the LSP.

Status

State of the LSP: •

Up—The router can detect RSVP hello messages from the neighbor.

•

Down—The router has received one of the following indications:

•

Last change

3038

•

Communication failure from the neighbor.

•

Communication from IGP that the neighbor is unavailable.

•

Change in the sequence numbers in the RSVP hello messages sent by the neighbor.

Deleted—LSP is no longer available as a backup path.

Time elapsed since the neighbor state changed either from up to down or from down to up. The format is hh:mm:ss.



Table 331: show isis backup label-switched-path Output Fields (continued) Field Name

Field Description

TE-metric

Configured traffic engineering metric.

Metric

Configured metric.

Sample Output show isis backup label-switched-path

user@host> show isis backup label-switched-path Backup MPLS LSPs: f-to-g, Egress: 192.168.1.4, Status: up, Last change: 06:12:03 TE-metric: 9, Metric: 0


3039

®


show isis backup spf results Syntax



show isis backup spf results show isis backup spf results

Command introduced in Junos OS Release 9.5. Display information about IS-IS shortest-path-first (SPF) calculations for backup paths. none—Display information about IS-IS shortest-path-first (SPF) calculations for all

backup paths for all destination nodes. instance instance-name—(Optional) Display SPF calculations for backup paths for the

specified routing instance. level (1 | 2)—(Optional) Display SPF calculations for the backup paths for the specified

IS-IS level. logical-system logical-system-name—(Optional) Display SPF calculations for the backup

paths for all logical systems or on a particular logical system. no-coverage—(Optional) Display SPF calculations only for destinations that do not have

backup coverage. topology (ipv4-multicast | ipv6-multicast | ipv6-unicast | unicast)—(Optional) Display

SPF calculations for backup paths for the specified topology only. Required Privilege Level Related Documentation List of Sample Output

Output Fields

3040

view

•

show isis backup coverage on page 3036

show isis backup spf results on page 3041 show isis backup spf results no-coverage on page 3042 Table 332 on page 3041 lists the output fields for the show isis backup spf results command. Output fields are listed in the approximate order in which they appear.



Table 332: show isis backup spf results Output Fields Field Name

Field Description

node-name

Name of the destination node.

Address

Address of the destination node.

Primary next-hop

Interface and name of the node of the primary next hop to reach the destination.

Root

Name of the next-hop neighbor.

Metric

Metric to the node.

Eligible

Indicates that the next-hop neighbor has been designated as a backup path to the destination node.

Backup next-hop

Name of the interface of the backup next hop.

SNPA


LSP

Name of the MPLS LSP designated as a backup path.

Not eligible

Indicates that the next-hop neighbor cannot function as a backup path to the destination.

Reason

Describes why the next-hop neighbor is designated as Not eligible as a backup path.

Sample Output show isis backup spf results

user@host> show isis backup spf results IS-IS level 1 SPF results: 0 nodes IS-IS level 2 SPF results: banff.00 Primary next-hop: so-6/0/0.0, IPV4, olympic Primary next-hop: ae0.0, IPV4, camaro, SNPA: 0:90:69:f:67:f0 Primary next-hop: so-6/0/0.0, IPV6, olympic Primary next-hop: ae0.0, IPV6, camaro, SNPA: 0:90:69:f:67:f0 Root: camaro, Root Metric: 10, Metric: 10 Not eligible, Reason: Primary next-hop multipath Root: olympic, Root Metric: 10, Metric: 10 Not eligible, Reason: Primary next-hop multipath Root: glacier, Root Metric: 10, Metric: 25 Not eligible, Reason: Primary next-hop multipath crater.00 Primary next-hop: so-6/0/0.0, IPV4, olympic Primary next-hop: so-6/0/0.0, IPV6, olympic Root: olympic, Root Metric: 10, Metric: 10 Not eligible, Reason: Primary next-hop link fate sharing Root: glacier, Root Metric: 10, Metric: 15


3041

®


Eligible, Backup next-hop: as0.0, IPV4, glacier Eligible, Backup next-hop: as0.0, IPV6, glacier Root: camaro, Root Metric: 10, Metric: 20 Not eligible, Reason: Interface is already covered olympic.00 Primary next-hop: so-6/0/0.0, IPV4, olympic Primary next-hop: so-6/0/0.0, IPV6, olympic Root: olympic, Root Metric: 10, Metric: 0 Not eligible, Reason: Primary next-hop link fate sharing Root: camaro, Root Metric: 10, Metric: 20 track-item: olympic.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops Root: glacier, Root Metric: 10, Metric: 20 track-item: olympic.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops camaro.00 Primary next-hop: ae0.0, IPV4, camaro, SNPA: 0:90:69:f:67:f0 Primary next-hop: ae0.0, IPV6, camaro, SNPA: 0:90:69:f:67:f0 Root: camaro, Root Metric: 10, Metric: 0 Not eligible, Reason: Primary next-hop link fate sharing Root: glacier, Root Metric: 10, Metric: 20 track-item: camaro.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops Root: olympic, Root Metric: 10, Metric: 20 track-item: camaro.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops glacier.00 Primary next-hop: as0.0, IPV4, glacier Primary next-hop: as0.0, IPV6, glacier Root: glacier, Root Metric: 10, Metric: 0 Not eligible, Reason: Primary next-hop link fate sharing Root: camaro, Root Metric: 10, Metric: 20 track-item: glacier.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops Root: olympic, Root Metric: 10, Metric: 20 track-item: glacier.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops 5 nodes

show isis backup spf results no-coverage

user@host> show isis backup spf results no-coverage IS-IS level 1 SPF results: 0 nodes IS-IS level 2 SPF results: olympic.00 Primary next-hop: so-6/0/0.0, IPV4, olympic Primary next-hop: so-6/0/0.0, IPV6, olympic Root: olympic, Root Metric: 10, Metric: 0 Not eligible, Reason: Primary next-hop link fate sharing Root: camaro, Root Metric: 10, Metric: 20 track-item: olympic.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops Root: glacier, Root Metric: 10, Metric: 20

3042



track-item: olympic.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops camaro.00 Primary next-hop: ae0.0, IPV4, camaro, SNPA: 0:90:69:f:67:f0 Primary next-hop: ae0.0, IPV6, camaro, SNPA: 0:90:69:f:67:f0 Root: camaro, Root Metric: 10, Metric: 0 Not eligible, Reason: Primary next-hop link fate sharing Root: glacier, Root Metric: 10, Metric: 20 track-item: camaro.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops Root: olympic, Root Metric: 10, Metric: 20 track-item: camaro.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops glacier.00 Primary next-hop: as0.0, IPV4, glacier Primary next-hop: as0.0, IPV6, glacier Root: glacier, Root Metric: 10, Metric: 0 Not eligible, Reason: Primary next-hop link fate sharing Root: camaro, Root Metric: 10, Metric: 20 track-item: glacier.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops Root: olympic, Root Metric: 10, Metric: 20 track-item: glacier.00-00 track-item: kobuk.00-00 Not eligible, Reason: Path loops 3 nodes


3043

®


show isis database Syntax


Release Information

show isis database show isis database


Description

Display the entries in the Intermediate System-to-Intermediate System (IS-IS) link-state database, which contains data about PDU packets.

Options

none—Display standard information about IS-IS link-state database entries for all routing

instances. brief | detail | extensive—(Optional) Display the specified level of output. instance instance-name—(Optional) Display entries for the specified routing instance. level (1 | 2)—(Optional) Display entries for the specified IS-IS level. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. Required Privilege Level Related Documentation List of Sample Output

Output Fields

3044

view

•

clear isis database on page 2952

show isis database on page 3046 show isis database brief on page 3046 show isis database detail on page 3047 show isis database extensive on page 3047 Table 333 on page 3045 describes the output fields for the show isis database command. Output fields are listed in the approximate order in which they appear. Fields that contain internal IS-IS information useful only in troubleshooting obscure problems are not described in the table. For more details about these fields, contact your customer support representative.



Table 333: show isis database Output Fields Field Name

Field Description

Level of Output

Interface name

Name of the interface on which the LSP has been received; always IS-IS for this command.

All levels

level

Level of intermediate system:

All levels

•

1—Intermediate system routes within an area; when the destination is outside

an area, it routes toward a Level 2 system. •

2—Intermediate system routes between areas and toward other ASs.

LSP ID

Link-state PDU identifier.

All levels

Sequence

Sequence number of the link-state PDU.

All levels

Checksum

Checksum value of the link-state PDU.

All levels

Lifetime (secs)

Remaining lifetime of the link-state PDU, in seconds.

All levels

Attributes

Attributes of the specified database: L1, L2, Overload, or Attached (L1 only).

none brief

# LSPs

Total number of LSPs in the specified link-state database.

none brief

IP prefix

Prefix advertised by this link-state PDU.

detail extensive

IS neighbor

IS-IS neighbor of the advertising system.

detail extensive

ES neighbor

(J Series routers only) An ES-IS neighbor of the advertising system.

detail extensive

IP prefix

IPv4 prefix advertised by this link-state PDU.

detail extensive

V6 prefix

IPv6 prefix advertised by this link-state PDU.

detail extensive

Metric


detail extensive

Header

•

LSP ID—Link state PDU identifier of the header.

extensive

•

Length—Header length.

•

Allocated Length—Amount of length available for the header.

•

Router ID—Address of the local routing device.

•

Remaining Lifetime—Remaining lifetime of the link-state PDU, in seconds.


3045

®


Table 333: show isis database Output Fields (continued) Field Name

Field Description

Level of Output

Packet

•

LSP ID—The identifier for the link-state packet.

extensive

•

Length—Packet length.

•

Lifetime—Remaining lifetime, in seconds.

•

Checksum—The checksum of the LSP.

•

Sequence—The sequence number of the LSP. Every time the LSP is updated,

this number increments.

TLVs

•

Attributes—Packet attributes.

•

NLPID—Network layer protocol identifier.

•

Fixed length—Specifies the set length for the packet.

•

Area Address—Area addresses that the routing device can reach.

•

Speaks—Supported routing protocols.

•

IP router id—ID of the routing device (usually the IP address).

•

IP address—IPv4 address.

•

Hostname—Assigned name of the routing device.

•

IP prefix—IP prefix of the routing device.

•

Metric—IS-IS metric that measures the cost of the adjacency between the

extensive

originating routing device and the advertised routing device. •

IP extended prefix—Extended IP prefix of the routing device.

•

IS neighbor—Directly attached neighbor’s name and metric.

•

IS extended neighbor—Directly attached neighbor’s name, metric, and IP

address.

Sample Output show isis database

user@host> show isis database IS-IS level 1 link-state database: LSP ID Sequence Checksum Lifetime Attributes kobuk.00-00 0x3 0x3167 1057 L1 L2 camaro.00-00 0x5 0x770e 1091 L1 L2 ranier.00-00 0x4 0xaa95 1091 L1 L2 glacier.00-00 0x4 0x206f 1089 L1 L2 glacier.02-00 0x1 0xd141 1089 L1 L2 badlands.00-00 0x3 0x87a2 1093 L1 L2 6 LSPs IS-IS level 2 link-state database: LSP ID Sequence Checksum Lifetime Attributes kobuk.00-00 0x6 0x8d6b 1096 L1 L2 camaro.00-00 0x9 0x877b 1101 L1 L2 ranier.00-00 0x8 0x855d 1103 L1 L2 glacier.00-00 0x7 0xf892 1098 L1 L2 glacier.02-00 0x1 0xd141 1089 L1 L2 badlands.00-00 0x6 0x562 1105 L1 L2 6 LSPs

show isis database brief

3046

The output for the show isis database brief command is identical to that for the show isis database command. For sample output, see show isis database on page 3046.



show isis database detail

user@host> show isis database logical-system CE3 sisira.00-00 detail IS-IS level 1 link-state database: sisira.00-00 Sequence: 0x11, Checksum: 0x10fc, Lifetime: 975 secs IS neighbor: hemantha-CE3.02 Metric: 10 ES neighbor: 0015.0015.0015 Metric: 10 Down ES neighbor: 0025.0025.0025 Metric: 10 Down ES neighbor: 0030.0030.0030 Metric: 10 Down ES neighbor: 0040.0040.0040 Metric: 10 Down ES neighbor: sisira Metric: 0 IP prefix: 1.0.0.0/24 Metric: 10 External IP prefix: 3.0.0.0/24 Metric: 10 External IP prefix: 4.0.0.0/24 Metric: 10 External IP prefix: 5.0.0.0/24 Metric: 10 Internal IP prefix: 15.15.15.15/32 Metric: 10 External IP prefix: 25.25.25.25/32 Metric: 10 External IP prefix: 30.30.30.30/32 Metric: 10 External IP prefix: 40.40.40.40/32 Metric: 10 External IP prefix: 60.60.60.60/32 Metric: 0 Internal

Down Down Down Up Down Down Down Down Up

IS-IS level 2 link-state database: sisira.00-00 Sequence: 0x13, Checksum: 0x69ac, Lifetime: 993 secs IS neighbor: hemantha-CE3.02 Metric: 10 IP prefix: 1.0.0.0/24 Metric: 10 External IP prefix: 3.0.0.0/24 Metric: 10 External IP prefix: 4.0.0.0/24 Metric: 10 External IP prefix: 5.0.0.0/24 Metric: 10 Internal IP prefix: 15.15.15.15/32 Metric: 10 External IP prefix: 25.25.25.25/32 Metric: 10 External IP prefix: 30.30.30.30/32 Metric: 10 External IP prefix: 40.40.40.40/32 Metric: 10 External IP prefix: 50.50.50.50/32 Metric: 10 Internal IP prefix: 60.60.60.60/32 Metric: 0 Internal ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0015.0015.0015/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0025.0025.0025/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0030.0030.0030/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0040.0040.0040/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0060.0060.0060/152 Metric: 0 Internal

show isis database extensive

Down Down Down Up Down Down Down Down Up Up Down Down Down Down Up

user@host> show isis database logical-system CE3 sisira.00-00 extensive IS-IS level 1 link-state database: sisira.00-00 Sequence: 0x11, Checksum: 0x10fc, Lifetime: 970 secs IS neighbor: hemantha-CE3.02 Metric: 10 Two-way fragment: hemantha-CE3.02-00, Two-way first fragment: hemantha-CE3.02-00 ES neighbor: 0015.0015.0015 Metric: 10 Down ES neighbor: 0025.0025.0025 Metric: 10 Down ES neighbor: 0030.0030.0030 Metric: 10 Down ES neighbor: 0040.0040.0040 Metric: 10 Down ES neighbor: sisira Metric: 0 IP prefix: 1.0.0.0/24 Metric: 10 External Down IP prefix: 3.0.0.0/24 Metric: 10 External Down


3047

®


IP IP IP IP IP IP IP

prefix: prefix: prefix: prefix: prefix: prefix: prefix:

4.0.0.0/24 5.0.0.0/24 15.15.15.15/32 25.25.25.25/32 30.30.30.30/32 40.40.40.40/32 60.60.60.60/32

Metric: Metric: Metric: Metric: Metric: Metric: Metric:

10 10 10 10 10 10 0

External Internal External External External External Internal

Down Up Down Down Down Down Up

Header: LSP ID: sisira.00-00, Length: 336 bytes Allocated length: 336 bytes, Router ID: 0.0.0.0 Remaining lifetime: 970 secs, Level: 1, Interface: 333 Estimated free bytes: 144, Actual free bytes: 0 Aging timer expires in: 970 secs Protocols: IP, IPv6, CLNS Packet: LSP ID: sisira.00-00, Length: 336 bytes, Lifetime : 1198 secs Checksum: 0x10fc, Sequence: 0x11, Attributes: 0xb L1 L2 Attached NLPID: 0x83, Fixed length: 27 bytes, Version: 1, Sysid length: 0 bytes Packet type: 18, Packet version: 1, Max area: 0 TLVs: Area address: 60.0006.80ff.f800.0000.0108.0001 (13) Speaks: IP Speaks: IPV6 Speaks: CLNP Hostname: sisira ES neighbor TLV: Internal, Metric: default 0, Up ES: sisira IS neighbor: hemantha-CE3.02, Internal, Metric: default 10 IS extended neighbor: hemantha-CE3.02, Metric: default 10 ES neighbor TLV: External, Metric: default 10, Down ES: 0040.0040.0040 ES neighbor TLV: External, Metric: default 10, Down ES: 0025.0025.0025 ES neighbor TLV: External, Metric: default 10, Down ES: 0015.0015.0015 ES neighbor TLV: External, Metric: default 10, Down ES: 0030.0030.0030 IP external prefix: 3.0.0.0/24, Internal, Metric: default 10, IP external prefix: 40.40.40.40/32, Internal, Metric: default IP external prefix: 4.0.0.0/24, Internal, Metric: default 10, IP external prefix: 25.25.25.25/32, Internal, Metric: default IP external prefix: 15.15.15.15/32, Internal, Metric: default IP external prefix: 1.0.0.0/24, Internal, Metric: default 10, IP external prefix: 30.30.30.30/32, Internal, Metric: default IP extended prefix: 3.0.0.0/24 metric 10 down IP extended prefix: 40.40.40.40/32 metric 10 down IP extended prefix: 4.0.0.0/24 metric 10 down IP extended prefix: 25.25.25.25/32 metric 10 down IP extended prefix: 15.15.15.15/32 metric 10 down IP extended prefix: 1.0.0.0/24 metric 10 down IP extended prefix: 30.30.30.30/32 metric 10 down IP prefix: 60.60.60.60/32, Internal, Metric: default 0, Up IP prefix: 5.0.0.0/24, Internal, Metric: default 10, Up IP extended prefix: 60.60.60.60/32 metric 0 up IP extended prefix: 5.0.0.0/24 metric 10 up No queued transmissions

Down 10, Down Down 10, Down 10, Down Down 10, Down

IS-IS level 2 link-state database: sisira.00-00 Sequence: 0x13, Checksum: 0x69ac, Lifetime: 988 secs

3048



IS neighbor: hemantha-CE3.02 Metric: 10 Two-way fragment: hemantha-CE3.02-00, Two-way first fragment: hemantha-CE3.02-00 IP prefix: 1.0.0.0/24 Metric: 10 External IP prefix: 3.0.0.0/24 Metric: 10 External IP prefix: 4.0.0.0/24 Metric: 10 External IP prefix: 5.0.0.0/24 Metric: 10 Internal IP prefix: 15.15.15.15/32 Metric: 10 External IP prefix: 25.25.25.25/32 Metric: 10 External IP prefix: 30.30.30.30/32 Metric: 10 External IP prefix: 40.40.40.40/32 Metric: 10 External IP prefix: 50.50.50.50/32 Metric: 10 Internal IP prefix: 60.60.60.60/32 Metric: 0 Internal ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0015.0015.0015/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0025.0025.0025/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0030.0030.0030/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0040.0040.0040/152 Metric: 10 External ISO prefix: 60.0006.80ff.f800.0000.0108.0001.0060.0060.0060/152 Metric: 0 Internal

Down Down Down Up Down Down Down Down Up Up Down Down Down Down Up

Header: LSP ID: sisira.00-00, Length: 427 bytes Allocated length: 427 bytes, Router ID: 0.0.0.0 Remaining lifetime: 988 secs, Level: 2, Interface: 333 Estimated free bytes: 130, Actual free bytes: 0 Aging timer expires in: 988 secs Protocols: IP, IPv6, CLNS Packet: LSP ID: sisira.00-00, Length: 427 bytes, Lifetime : 1198 secs Checksum: 0x69ac, Sequence: 0x13, Attributes: 0x3 L1 L2 NLPID: 0x83, Fixed length: 27 bytes, Version: 1, Sysid length: 0 bytes Packet type: 20, Packet version: 1, Max area: 0 TLVs: Area address: 60.0006.80ff.f800.0000.0108.0001 (13) Speaks: IP Speaks: IPV6 Speaks: CLNP Hostname: sisira IS neighbor: hemantha-CE3.02, Internal, Metric: default 10 IS extended neighbor: hemantha-CE3.02, Metric: default 10 IP external prefix: 3.0.0.0/24, Internal, Metric: default 10, Down IP external prefix: 40.40.40.40/32, Internal, Metric: default 10, Down IP external prefix: 4.0.0.0/24, Internal, Metric: default 10, Down IP external prefix: 25.25.25.25/32, Internal, Metric: default 10, Down IP external prefix: 15.15.15.15/32, Internal, Metric: default 10, Down IP external prefix: 1.0.0.0/24, Internal, Metric: default 10, Down IP external prefix: 30.30.30.30/32, Internal, Metric: default 10, Down IP extended prefix: 3.0.0.0/24 metric 10 down IP extended prefix: 40.40.40.40/32 metric 10 down IP extended prefix: 4.0.0.0/24 metric 10 down IP extended prefix: 25.25.25.25/32 metric 10 down IP extended prefix: 15.15.15.15/32 metric 10 down IP extended prefix: 1.0.0.0/24 metric 10 down IP extended prefix: 30.30.30.30/32 metric 10 down ISO prefix-neighbor TLV: Internal, Metric: default 0, Up Prefix : 60.0006.80ff.f800.0000.0108.0001.0060.0060.0060/152 ISO prefix-neighbor TLV: External, Metric: default 10, Down


3049

®


Prefix : 60.0006.80ff.f800.0000.0108.0001.0040.0040.0040/152 ISO prefix-neighbor TLV: External, Metric: default 10, Down Prefix : 60.0006.80ff.f800.0000.0108.0001.0025.0025.0025/152 ISO prefix-neighbor TLV: External, Metric: default 10, Down Prefix : 60.0006.80ff.f800.0000.0108.0001.0015.0015.0015/152 ISO prefix-neighbor TLV: External, Metric: default 10, Down Prefix : 60.0006.80ff.f800.0000.0108.0001.0030.0030.0030/152 IP prefix: 60.60.60.60/32, Internal, Metric: default 0, Up IP prefix: 5.0.0.0/24, Internal, Metric: default 10, Up IP prefix: 50.50.50.50/32, Internal, Metric: default 10, Up IP extended prefix: 60.60.60.60/32 metric 0 up IP extended prefix: 5.0.0.0/24 metric 10 up IP extended prefix: 50.50.50.50/32 metric 10 up No queued transmissions

3050



show isis hostname Syntax


Description

Options

show isis hostname show isis hostname

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display Intermediate System-to-Intermediate System (IS-IS) hostname database information. none—Display IS-IS hostname database information. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show isis hostname on page 3051 Table 334 on page 3051 describes the output fields for the show isis hostname command. Output fields are listed in the approximate order in which they appear.

Table 334: show isis hostname Output Fields Field Name

Field Description

System Id

System identifier mapped to the hostname.

Hostname

Hostname mapped to the system identifier.

Type

Type of mapping between system identifier and hostname. •

Dynamic—Hostname mapping determined as described in

RFC 2763, Dynamic Hostname Exchange Mechanism for IS-IS. •

Static—Hostname mapping configured by user.

Sample Output show isis hostname

user@host> show isis hostname IS-IS hostname database: System Id Hostname 1921.6800.4201 isis1 1921.6800.4202 isis2 1921.6800.4203 isis3


Type Dynamic Static Dynamic

3051

®


show isis interface Syntax


Description

show isis interface show isis interface

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display status information about Intermediate System-to-Intermediate System (IS-IS)-enabled interfaces.

NOTE: If the configured metric for an IS-IS level is above 63, and the wide-metrics-only statement is not configured, the show isis interface detail command and the show isis interface extensive command display 63 as the metric value for that level. Configure the wide-metrics-only statement to generate metric values greater than 63 on a per IS-IS level basis. The show isis interface command displays the configured metric value for an IS-IS level irrespective of whether is configured or not. For information about how to configure the wide-metrics-only statement, see the Junos OS Routing Protocols Configuration Guide.

Options

none—Display standard information about all IS-IS-enabled interfaces. brief | detail | extensive—(Optional) Display the specified level of output. interface-name—(Optional) Display information about the specified interface only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


3052

view

show isis interface on page 3054 show isis interface brief on page 3055 show isis interface detail on page 3055 show isis interface extensive on page 3055 show isis interface extensive (With LDP) on page 3055



Output Fields

Table 335 on page 3053 describes the output fields for the show isis interface command. Output fields are listed in the approximate order in which they appear.

Table 335: show isis interface Output Fields Field Name

Field Description

Level of Output

interface-name


detail

Designated router

Routing device selected by other routers that is responsible for sending link-state advertisements that describe the network. Used only on broadcast networks.

detail

Index

Interface index assigned by the Junos OS kernel.

detail

State

Internal implementation information.

detail

Circuit id

Circuit identifier.

detail

Circuit type

Circuit type:

detail

•

1—Level 1 only

•

2—Level 2 only

•


LSP interval

Interval between link-state PDUs sent from the interface.

detail

CSNP interval

Interval between complete sequence number PDUs sent from the interface.

detail extensive

Sysid

System identifier.

detail

Interface

Interface through which the adjacency is made.

none brief

L or Level

Level:

All levels

•

1—Level 1 only

•

2—Level 2 only

•


CirID

Circuit identifier.

none brief

Level 1 DR

Level 1 designated intermediate system.

none brief

Level 2 DR

Level 2 designated intermediate system.

none brief

L1/L2 Metric

Interface's metric for Level 1 and Level 2. If there is no information, the metric is 0.

none brief

Adjacency advertisement: Advertise

This routing device has signaled to advertise this interface to its neighbors in their label-switched paths (LSPs).

detail extensive


3053

®


Table 335: show isis interface Output Fields (continued) Field Name

Field Description

Level of Output

Adjacency advertisement: Suppress

This neighbor has signaled not to advertise this interface in the routing device’s outbound LSPs.

detail extensive

Adjacencies

Number of adjacencies established on this interface.

detail

Priority

Priority value for this interface.

detail

Metric

Metric value for this interface.

detail

Hello(s) / Hello Interval

Interface's hello interval.

detail extensive

Hold(s) / Hold Time

Interface's hold time.

detail extensive

Designated Router

Router responsible for sending network link-state advertisements, which describe all the routers attached to the network.

detail

Hello padding

Type of hello padding:

extensive

•

Adaptive—On point-to-point connections, the hello packets are padded from

the initial detection of a new neighbor until the neighbor verifies the adjacency as Up in the adjacency state TLV. If the neighbor does not support the adjacency state TLV, then padding continues. On LAN connections, padding starts from the initial detection of a new neighbor until there is at least one active adjacency on the interface. •

Loose—(Default) The hello packet is padded from the initial detection of a

new neighbor until the adjacency transitions to the Up state. •

Strict—Padding is performed on all interface types and for all adjacency

states, and is continuous. LDP sync state

Current LDP synchronization state: in sync, in holddown, or not supported.

extensive

reason

Reason for being in the LDP sync state.

extensive

config holdtime

Configured value of the hold timer.

extensive

remaining

If the state is not in sync and the hold time is not infinity, then this field displays the remaining hold time in seconds.

extensive

Sample Output show isis interface

3054

user@host> show isis interface IS-IS interface database: Interface L CirID Level 1 DR at-2/3/0.0 3 0x1 Point to Point lo0.0 0 0x1 Passive

Level 2 DR Point to Point Passive

L1/L2 Metric 10/10 0/0



show isis interface brief

The output for the show isis interface brief command is identical to that for the show isis interface command. For sample output, see show isis interface on page 3054.

show isis interface detail

user@host> show isis interface detail IS-IS interface database: at-2/3/0.0 Index: 66, State: 0x6, Circuit id: 0x1, Circuit type: 3 LSP interval: 100 ms, CSNP interval: 5 s Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router 1 1 64 10 9.000 27 2 1 64 10 9.000 27 lo0.0 Index: 64, State: 0x6, Circuit id: 0x1, Circuit type: 0 LSP interval: 100 ms, CSNP interval: disabled Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router 1 0 64 0 Passive 2 0 64 0 Passive

show isis interface extensive

user@host> show isis interface extensive IS-IS interface database: at-2/3/0.0 Index: 66, State: 0x6, Circuit id: 0x1, Circuit type: 3 LSP interval: 100 ms, CSNP interval: 5 s, Loose Hello padding Level 1 Adjacencies: 1, Priority: 64, Metric: 10 Hello Interval: 9.000 s, Hold Time: 27 s Level 2 Adjacencies: 1, Priority: 64, Metric: 10 Hello Interval: 9.000 s, Hold Time: 27 s lo0.0 Index: 64, State: 0x6, Circuit id: 0x1, Circuit type: 0 LSP interval: 100 ms, CSNP interval: disabled, Loose Hello padding Level 1 Adjacencies: 0, Priority: 64, Metric: 0 Passive Level 2 Adjacencies: 0, Priority: 64, Metric: 0 Passive

show isis interface extensive (With LDP)

user@host> show isis interface extensive IS-IS interface database: so-1/1/2.0 Index: 114, State: 0x6, Circuit id: 0x1, Circuit type: 2 LSP interval: 100 ms, CSNP interval: 20 s, Loose Hello padding Adjacency advertisement: Advertise LDP sync state: in sync, for: 00:01:28, reason: LDP up during config config holdtime: 20 seconds Level 2 Adjacencies: 1, Priority: 64, Metric: 11 Hello Interval: 9.000 s, Hold Time: 27 s IPV4 MulticastMetric: 10 IPV6 UnicastMetric: 10


3055

®


show isis overview Syntax


Description Options

show isis overview show isis overview

Command introduced in Junos OS Release 8.5. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display Intermediate System-to Intermediate System (IS-IS) overview information. none—Display standard overview information about IS-IS for all routing instances. instance instance-name—(Optional) Display overview information for the specified routing



view

show isis overview on page 3057 Table 336 on page 3056 lists the output fields for the show isis overview command. Output fields are listed in the approximate order in which they appear.

Table 336: show isis overview Output Fields Field Name

Field Description

Instance

IS-IS routing intance.

Router ID

Router ID of the routing device.

Adjacency holddown

Adjacency holddown capability: enabled or disabled.

Maximum Areas

Maximum number of IS-IS areas advertised by the routing device.

LSP life time

Lifetime of the link-state PDU, in seconds.

Attached bit evaluation

Attached bit capability: enabled or disabled.

SPF delay

Delay before performing consecutive Shortest Path First calculations.

SPF holddown

Delay before performing additional Shortest Path First (SPF) calculations after the maximum number of consecutive SPF calculations is reached.

3056



Table 336: show isis overview Output Fields (continued) Field Name

Field Description

SPF rapid runs

Maximum number of Shortest Path First calculations that can be performed in succession before the holddown timer begins.

Overload bit at startup is set

Overload bit capability is enabled.

Overload high metrics

Overload high metrics capability: enabled or disabled.

Overload timeout

Time period after which overload is reset and the time that remains before the timer is set to expire.

Traffic engineering

Traffic engineering capability: enabled or disabled.

Restart

Graceful restart capability: enabled or disabled.

Restart duration

Time period for complete reacquisition of IS-IS neighbors.

Helper mode

Graceful restart helper capability: enalbed or disabled.

Level

IS-IS level: •

1—Level 1 information

•

2—Level 2 information

IPv4 is enabled

IP Protocol version 4 capability is enabled.

IPv6 is enabled

IP Protocol version 6 capability is enabled.

CLNS is enabled

(J Series routers only) OSI CLNP Protocol capability is enabled.

Internal route preference

Preference value of internal routes.

External route preference

Preference value of external routes.

Wide area metrics are enabled

Wide area metrics capability is enabled.

Narrow metrics are enabled

Narrow metrics capability is enabled.

Sample Output show isis overview

user@host> show isis overview

Sample Output Instance: master Router ID: 192.168.1.220


3057

®


Adjacency holddown: enabled Maximum Areas: 3 LSP life time: 65535 Attached bit evaluation: enabled SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3 Overload bit at startup is set Overload high metrics: disabled Overload timeout: 300 sec, expires in 295 seconds IPv4 is enabled, IPv6 is enabled Traffic engineering: enabled Restart: Enabled Restart duration: 210 sec Helper mode: Enabled Level 1 Internal route preference: 15 External route preference: 160 Wide metrics are enabled, Narrow metrics are enabled Level 2 Internal route preference: 18 External route preference: 165 Wide metrics are enabled

3058



show isis route Syntax

show isis route


show isis route

Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display the routes in the Intermediate System-to-Intermediate System (IS-IS) routing table. none—Display all routes in the IS-IS routing table for all supported address families for

all routing instances. destination—(Optional) Destination address for the route. inet | inet6—(Optional) Display inet (IPv4) or inet6 (IPv6) routes, respectively. instance instance-name—(Optional) Display routes for the specified routing instance only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. topology (ipv4-multicast | ipv6-multicast | ipv6-unicast | unicast)—(Optional) Display

routes for the specified topology only, or use unicast to display information, if available, for both IPv4 and IPv6 unicast topologies. Required Privilege Level List of Sample Output

Output Fields

view

show isis route logical-system on page 3060 show isis route (CLNS) on page 3060 show isis route on page 3061 Table 337 on page 3059 describes the output fields for the show isis route command. Output fields are listed in the approximate order in which they appear.

Table 337: show isis route Output Fields Field Name

Field Description

Current version

Number of the current version of the IS-IS routing table.


3059

®


Table 337: show isis route Output Fields (continued) Field Name

Field Description

L1

Version of Level 1 SPF that was run.

L2

Version of Level 2 SPF that was run.

Prefix

Destination of the route.

L

IS-IS level: •

1—Level 1 only

•

2—Level 2 only

•


Version

Version of SPF that generated the route.

Metric

Metric value associated with the route.

Type

Metric type: int (internal) or ext (external).

Interface

Interface to the next hop.

Via

System identifier of the next hop, displayed as a name if possible.

ISO Routes

ISO routing table entries.

snpa

MAC address.

Sample Output show isis route logical-system

show isis route (CLNS)

3060

user@host> show isis route logical-system ls1 IS-IS routing table Current version: L1: 8 L2: 11 Prefix L Version Metric Type Interface Via 10.9.7.0/30 2 11 20 int gr-0/2/0.0 h 10.9.201.1/32 2 11 60 int gr-0/2/0.0 h IPV6 Unicast IS-IS routing table Current version: L1: 9 L2: 11 Prefix L Version Metric Type Interface Via 8009:3::a09:3200/126 2 11 20 int gr-0/2/0.0 h user@host> show isis route IS-IS routing table Current version: L1: 10 L2: 8 IPv4/IPv6 Routes Prefix L Version Metric Type Interface Via 0.0.0.0/0 1 10 10 int fe-0/0/1.0 ISIS.0 ISO Routes Prefix L Version Metric Type Interface Via snpa 0/0 1 10 10 int fe-0/0/1.0 isis.0 0:12:0:34:0:56 47.0005.80ff.f800.0000.0108.0001/104 1 10 0 int 47.0005.80ff.f800.0000.0108.0001.1921.6800.4001/152 1 10 10 int fe-0/0/1.0 isis.0 0:12:0:34:0:56



47.0005.80ff.f800.0000.0108.0001.1921.6800.4002/152 1 10 20 int fe-0/0/1.0 isis.0 0:12:0:34:0:56 47.0005.80ff.f800.0000.0108.0002/104 1 10 0 int 47.0005.80ff.f800.0000.0108.0002.1921.6800.4001/152 1 10 10 int fe-0/0/1.0 isis.0 0:12:0:34:0:56

show isis route

user@host> show isis route IS-IS routing table IPv4/IPv6 Routes ---------------Prefix 10.255.71.52/32

L 2

Version 13

10.255.71.238/32

2

13

10.255.71.239/32

Current version: L1: 4 L2: 13

2

13

Metric Type Interface 10 int ae0.0 20

20

int

int

NH Via IPV4 camaro

so-6/0/0.0

IPV4 olympic

as0.0

IPV4 glacier

so-6/0/0.0

IPV4 olympic

ae0.0

IPV4 camaro

10.255.71.242/32

2

13

10

int

as0.0

IPV4 glacier

10.255.71.243/32

2

13

10

int

so-6/0/0.0

IPV4 olympic

12.13.0.0/30

2

13

20

int

so-6/0/0.0

IPV4 olympic

12.15.0.0/30

2

13

20

int

so-6/0/0.0

IPV4 olympic

13.15.0.0/30

2

13

30

int

ae0.0

IPV4 camaro

so-6/0/0.0

IPV4 olympic

as0.0

IPV4 glacier

13.16.0.0/30

2

13

25

int

as0.0

IPV4 glacier

14.15.0.0/30

2

13

20

int

ae0.0

IPV4 camaro

192.2.1.0/30

2

13

30

int

so-6/0/0.0

IPV4 olympic

as0.0

IPV4 glacier

so-6/0/0.0

IPV6 olympic

as0.0

IPV6 glacier

1eee::/64

2

13

30

int

abcd::10:255:71:52/128

2

13

10

int

ae0.0

IPV6 camaro

abcd::10:255:71:238/128

2

13

20

int

so-6/0/0.0

IPV6 olympic

as0.0

IPV6 glacier

so-6/0/0.0

IPV6 olympic

ae0.0

IPV6 camaro

as0.0

IPV6 glacier

abcd::10:255:71:239/128

abcd::10:255:71:242/128


2

2

13

13

20

10

int

int

3061

®


abcd::10:255:71:243/128

3062

2

13

10

int

so-6/0/0.0

IPV6 olympic



show isis spf Syntax

show isis spf (brief | log | results)


show isis spf (brief | log | results)

Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about Intermediate System-to-Intermediate System (IS-IS) shortest-path-first (SPF) calculations. brief—Display an overview of SPF calculations. log—Display the log of SPF calculations. results—Display the results of SPF calculations. instance instance instance-name—(Optional) Display SPF calculations for the specified

routing instance. level (1 | 2)—(Optional) Display SPF calculations for the specified IS-IS level. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. topology (ipv4-multicast | ipv6-multicast | ipv6-unicast | unicast)—(Optional) Display

SPF calculations for the specified topology only. Required Privilege Level List of Sample Output

Output Fields

view

show isis spf log on page 3064 show isis spf results on page 3065 show isis spf results (CLNS) on page 3066 show isis spf results on page 3067 Table 338 on page 3063 describes the output fields for the show isis spf command. Output fields are listed in the approximate order in which they appear.

Table 338: show isis spf Output Fields Field Name

Field Description

Node

System ID of a node.


3063

®


Table 338: show isis spf Output Fields (continued) Field Name

Field Description

Metric

Metric to the node.

Interface

Interface of the next hop.

Via

System ID of the next hop.

SNPA


Start time

(log option only) Time that the SPF computation started.

Elapsed (secs)

(log option only) Length of time, in seconds, required to complete the SPF computation.

Count

(log option only) Number of times the SPF was triggered.

Reason

(log option only) Reason that the SPF computation was completed.

Sample Output show isis spf log

3064

user@host> show isis spf log logical-system lsl IS-IS level 1 SPF log: Start time Elapsed (secs) Count Fri Oct 31 12:41:18 0.000069 1 Fri Oct 31 12:41:18 0.000107 3 Fri Oct 31 12:41:18 0.000050 3 Fri Oct 31 12:41:23 0.000033 1 Fri Oct 31 12:41:28 0.000178 5 Fri Oct 31 12:41:59 0.000060 1 Fri Oct 31 12:42:30 0.000161 2 Fri Oct 31 12:56:58 0.000198 1 Fri Oct 31 13:10:29 0.000209 1 IS-IS level 2 SPF log:

Reason Reconfig Updated LSP fix.00-00 Address change on so-1/2/2.0 Updated LSP fix.00-00 New adjacency scat on ge-1/1/0.0 Updated LSP fix.00-00 Multi area attachment change Periodic SPF Periodic SPF

Start time Elapsed (secs) Count Fri Oct 31 12:41:18 0.000035 1 Fri Oct 31 12:41:18 0.000047 2 Fri Oct 31 12:41:18 0.000043 5 Fri Oct 31 12:41:23 0.000022 1 Fri Oct 31 12:41:59 0.000144 3 Fri Oct 31 12:42:30 0.000257 3 Fri Oct 31 12:54:37 0.000195 1 Fri Oct 31 12:55:50 0.000178 1 Fri Oct 31 12:55:55 0.000174 1 Fri Oct 31 12:55:58 0.000176 1 Fri Oct 31 13:08:14 0.000198 1 IPV6 Unicast IS-IS level 1 SPF log:

Reason Reconfig Updated LSP fix.00-00 Address change on gr-0/2/0.0 Updated LSP fix.00-00 New adjacency h on gr-0/2/0.0 New LSP skag.00-00 Periodic SPF Updated LSP fix.00-00 Updated LSP h.00-00 Updated LSP skag.00-00 Periodic SPF

Start time Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31

Reason Reconfig Updated LSP fix.00-00 Updated LSP fix.00-00 Updated LSP fix.00-00

12:41:18 12:41:18 12:41:18 12:41:23

Elapsed (secs) Count 0.000028 1 0.000043 3 0.000112 4 0.000059 1



Fri Oct 31 12:41:25 Fri Oct 31 12:41:28 Fri Oct 31 12:41:59 Fri Oct 31 12:42:30 Fri Oct 31 12:56:08 Fri Oct 31 13:11:07 IPV6 Unicast IS-IS level 2 Start time Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 Fri Oct 31 ...

show isis spf results

12:41:18 12:41:18 12:41:18 12:41:23 12:41:25 12:41:59 12:42:30 12:55:50 12:55:55 12:55:58 13:09:46

0.000041 0.000103 0.000040 0.000118 0.000289 0.000214 SPF log:

1 5 1 2 1 1

Elapsed (secs) Count 0.000027 1 0.000039 2 0.000049 6 0.000025 1 0.000023 1 0.000087 3 0.000123 3 0.000121 1 0.000121 1 0.000121 1 0.000201 1

Updated LSP fix.00-00 New adjacency scat on ge-1/1/0.0 Updated LSP fix.00-00 Multi area attachment change Periodic SPF Periodic SPF

Reason Reconfig Updated LSP fix.00-00 Updated LSP fix.00-00 Updated LSP fix.00-00 Updated LSP fix.00-00 New adjacency h on gr-0/2/0.0 New LSP skag.00-00 Updated LSP fix.00-00 Updated LSP h.00-00 Updated LSP skag.00-00 Periodic SPF

user@host> show isis spf results logical-system ls1 IS-IS level 1 SPF results: Node Metric Interface scat.00 10 ge-1/1/0.0 20 10.9.1.0/30 fix.02 10 fix.00 0 10 10.9.1.0/30 10 10.9.5.0/30 10 10.9.6.0/30 20 10.9.7.0/30 60 10.9.201.1/32 3 nodes IS-IS level 2 SPF results: Node Metric skag.00 20 30 skag.02 20 h.00 10 20 20 60 fix.00 0 10 10 10 4 nodes

Interface gr-0/2/0.0 10.9.7.0/30 gr-0/2/0.0 gr-0/2/0.0 10.9.6.0/30 10.9.7.0/30 10.9.201.1/32

Via scat

Via

SNPA

h h h

10.9.1.0/30 10.9.5.0/30 10.9.6.0/30

IPV6 Unicast IS-IS level 1 SPF results: Node Metric Interface Via scat.00 10 ge-1/1/0.0 scat ge-1/1/0.0 scat 20 8009:1::a09:1400/126 fix.02 10 fix.00 0 10 8009:1::a09:1400/126 10 8009:2::a09:1e00/126 20 8009:3::a09:3200/126


SNPA 0:90:69:a6:48:9d

SNPA 0:90:69:a6:48:9d 0:90:69:a6:48:9d

3065

®


10

8009:4::a09:2800/126

3 nodes IPV6 Unicast IS-IS level 2 SPF results: Node Metric Interface Via skag.00 20 gr-0/2/0.0 h gr-0/2/0.0 h 30 8009:3::a09:3200/126 skag.02 20 gr-0/2/0.0 h gr-0/2/0.0 h h.00 10 gr-0/2/0.0 h gr-0/2/0.0 h 20 8009:3::a09:3200/126 20 8009:4::a09:2800/126 fix.00 0 10 8009:1::a09:1400/126 10 8009:2::a09:1e00/126 10 8009:4::a09:2800/126 4 nodes Multicast IS-IS level 1 SPF results: Node Metric Interface scat.00 10 ge-1/1/0.0 fix.02 10 fix.00 0 3 nodes Multicast IS-IS level 2 SPF results: Node Metric Interface skag.00 20 gr-0/2/0.0 skag.02 20 gr-0/2/0.0 h.00 10 gr-0/2/0.0 fix.00 0 4 nodes ...

show isis spf results (CLNS)

Via scat

SNPA 0:90:69:a6:48:9d

Via

SNPA

h h h

user@host> show isis spf results IS-IS level 1 SPF results: Node Metric Interface Via skag.00 10 fe-0/0/1.0 toothache fe-0/0/1.0 toothache 20 192.168.37.64/29 10 1921.6800.4001 20 1921.6800.4002 pro1-a.02 10 pro1-a.00 0 0 10.255.245.1/32 10 192.168.37.64/29 0 1921.6800.4211 3 nodes IS-IS level 2 SPF results: Node Metric skag.00 10

pro1-a.02 pro1-a.00

3066

SNPA

20 20 20 10 0 0

SNPA 0:12:0:34:0:56 0:12:0:34:0:56

Interface Via SNPA fe-0/0/1.0 toothache 0:12:0:34:0:56 fe-0/0/1.0 toothache 0:12:0:34:0:56 10.255.245.1/32 192.168.37.64/29 47.0005.80ff.f800.0000.0109.0010/104

10.255.245.1/32



10

192.168.37.64/29

3 nodes

show isis spf results

user@host> show isis spf results IS-IS level 1 SPF results: Node Metric Interface NH Via kobuk.00 0 0 10.255.70.103/32 0 abcd::10:255:70:103/128 1 nodes

SNPA

IS-IS level 2 SPF results: Node Metric Interface glacier.02 25 as0.0 as0.0 banff.00 20 so-6/0/0.0 ae0.0

NH Via IPV4 glacier IPV6 glacier IPV4 olympic IPV4 camaro

0:90:69:f:67:f0

so-6/0/0.0 ae0.0

IPV6 olympic IPV6 camaro

0:90:69:f:67:f0

10.255.71.239/32 12.15.0.0/30 13.15.0.0/30 14.15.0.0/30 abcd::10:255:71:239/128 so-6/0/0.0 IPV4 olympic so-6/0/0.0 IPV6 olympic 10.255.71.238/32 12.13.0.0/30 13.15.0.0/30 13.16.0.0/30 192.2.1.0/30 1eee::/64 abcd::10:255:71:238/128 so-6/0/0.0 IPV4 olympic so-6/0/0.0 IPV6 olympic ae0.0 IPV4 camaro

0:90:69:f:67:f0

crater.00

20 30 30 30 20 20

olympic.02

20 30 30 35 30 30 20 20

camaro.03

20

olympic.00

10

camaro.00

10 20 20 20 10 10

glacier.00

10 20 20 10 10 10 20 25


SNPA

ae0.0 IPV6 camaro so-6/0/0.0 IPV4 olympic so-6/0/0.0 IPV6 olympic 10.255.71.243/32 11.12.0.0/30 12.13.0.0/30 12.15.0.0/30 abcd::10:255:71:243/128 ae0.0 IPV4 camaro

0:90:69:f:67:f0

ae0.0

0:90:69:f:67:f0

IPV6 camaro

0:90:69:f:67:f0

10.255.71.52/32 11.14.10.0/24 14.15.0.0/30 abcd::10:255:71:52/128 as0.0 IPV4 glacier as0.0 IPV6 glacier 10.255.71.242/32 11.16.10.0/30 13.16.0.0/30

3067

®


kobuk.00

10 0 0 10 10 10 0

abcd::10:255:71:242/128 10.255.70.103/32 11.12.0.0/30 11.14.10.0/24 11.16.10.0/30 abcd::10:255:70:103/128

9 nodes

3068



show isis statistics Syntax


Description Options

show isis statistics show isis statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display statistics about Intermediate System-to-Intermediate System (IS-IS) traffic. none—Display IS-IS traffic statistics for all routing instances. instance instance-name—(Optional) Display statistics for the specified routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

•

clear isis statistics on page 2956

show isis statistics on page 3071 Table 339 on page 3070 describes the output fields for the show isis statistics command. Output fields are listed in the approximate order in which they appear.


3069

®


Table 339: show isis statistics Output Fields Field Name

Field Description

PDU type

Protocol data unit type: •

CSNP—Complete sequence number PDUs contain a complete list of all link-state PDUs in the IS-IS

database. CSNPs are sent periodically on all links, and the receiving systems use the information in the CSNP to update and synchronize their link-state PDU databases. The designated router multicasts CSNPs on broadcast links in place of sending explicit acknowledgments for each link-state PDU. •

IIH—IS-IS hello packets are broadcast to discover the identity of neighboring IS-IS systems and to

determine whether the neighbors are Level 1 or Level 2 intermediate systems. •

LSP—Link-state PDUs contain information about the state of adjacencies to neighboring IS-IS

systems. Link-state PDUs are flooded periodically throughout an area. •

PSNP—Partial sequence number PDUs are sent multicast by a receiver when it detects that it is

missing a link-state PDU; that is, when its link-state PDU database is out of date. The receiver sends a PSNP to the system that transmitted the CSNP, effectively requesting that the missing link-state PDU be transmitted. That routing device, in turn, forwards the missing link-state PDU to the requesting routing device. •

Unknown—The PDU type is unknown.

Received

Number of PDUs received since IS-IS started or since the statistics were set to zero.

Processed

Number of PDUs received less the number dropped.

Drops

Number of PDUs dropped.

Sent

Number of PDUs transmitted since IS-IS started or since the statistics were set to zero.

Rexmit

Number of PDUs retransmitted since IS-IS started or since the statistics were set to zero.

Total packets received/sent

Total number of PDUs received and transmitted since IS-IS started or since the statistics were set to zero.

SNP queue length

Number of CSPN and PSNP packets currently waiting in the queue for processing. This value is almost always 0.

LSP queue length

Number of link-state PDUs waiting in the queue for processing. This value is almost always 0.

SPF runs

Number of shortest-path-first (SPF) calculations that have been performed. If this number is incrementing rapidly, it indicates that the network is unstable.

Fragments rebuilt

Number of link-state link-state PDU fragments that the local system has computed.

LSP regenerations

Number of link-state PDUs that have been regenerated. A link state PDU is regenerated when it is nearing the end of its lifetime and it has not changed.

Purges initiated

Number of purges that the system initiated. A purge is initiated if the software decides that a link-state PDU must be removed from the network.

3070



Sample Output show isis statistics

user@host> show isis statistics IS-IS statistics for merino: PDU type LSP IIH CSNP PSNP Unknown Totals

Received 12227 113808 198868 6985 0 331888

Processed 12227 113808 198868 6979 0 331882

Drops 0 0 0 6 0 6

Sent 8184 115817 198934 8274 0 331209

Rexmit 683 0 0 0 0 683

Total packets received: 331888 Sent: 331892 SNP queue length: LSP queue length: SPF runs: Fragments rebuilt: LSP regenerations: Purges initiated:


0 Drops: 0 Drops:

0 0

1014 1038 425 0

3071

®


show ospf3 database Syntax


show ospf3 database show ospf3 database

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. realm option introduced in Junos OS Release 9.2. advertising-router (address | self) option introduced in Junos Relase 9.5. advertising-router (address | self) option introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Display the entries in the Open Shortest Path First version 3 (OSPFv3) link-state database, which contains data about link-state advertisement (LSA) packets.

Options

none—Display standard information about all entries in the OSPFv3 link-state database. brief | detail | extensive | summary—(Optional) Display the specified level of output. advertising-router (address | self)—(Optional) Display the LSAs advertised either by a

particular routing device or by this routing device.

3072



area area-id—(Optional) Display the LSAs in a particular area. external—(Optional) Display external LSAs. instance instance-name—(Optional) Display all OSPF database information under the

named routing instance. inter-area-prefix—(Optional) Display information about interarea-prefix LSAs. inter-area-router—(Optional) Display information about interarea-router LSAs. intra-area-prefix—(Optional) Display information about intra-area-prefix LSAs. link—(Optional) Display information about link LSAs. link-local—(Optional) Display information about link-local LSAs. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. lsa-id lsa-id—(Optional) Display the LSA with the specified LSA identifier. network—(Optional) Display information about network LSAs. nssa—(Optional) Display information about not-so-stubby area (NSSA) LSAs. realm (ipv4-multicast | ipv4-unicast | ipv6-multicast)—(Optional) Display information

about the specified OSPFv3 realm, or address family. Use the realm option to specify an address family other than IPv6 unicast, which is the default. router—(Optional) Display information about router LSAs.


Output Fields

view

•

clear (ospf | ospf3) database on page 2936

show ospf3 database brief on page 3078 show ospf3 database extensive on page 3078 show ospf3 database summary on page 3081 Table 340 on page 3073 lists the output fields for the show ospf3 database command. Output fields are listed in the approximate order in which they appear.

Table 340: show ospf3 database Output Fields Field Name

Field Description

Level of Output

OSPF link state database, area area-number

Entries in the link-state database for this area.


OSPF AS SCOPE link state database

Entries in the AS scope link-state database.



3073

®


Table 340: show ospf3 database Output Fields (continued) Field Name

Field Description

Level of Output

OSPF Link-Local link state database, interface interface-name

Entries in the link-local link-state database for this interface.


area


All levels

Type

Type of link advertisement: Extern, InterArPfx, InterArRtr, IntraArPrx , Link, Network, NSSA, or Router.


ID

Link identifier included in the advertisement. An asterisk (*) preceding the identifier marks database entries that originated from the local routing device.


Adv Rtr

Address of the routing device that sent the advertisement.


Seq

Link sequence number of the advertisement.


Age

Time elapsed since the LSA was originated, in seconds.


Cksum

Checksum value of the LSA.


Len

Length of the advertisement, in bytes.


Router (Router Link-State Advertisements) bits

Flags describing the routing device that generated the LSP.

detail extensive

Options

Option bits carried in the router LSA.

detail extensive

For Each Router Link Type

Type of interface. The value of all other output fields describing a routing device interface depends on the interface’s type: •

PointToPoint (1)—Point-to-point connection to another routing device.

•

Transit (2)—Connection to a transit network.

•

Virtual (4)—Virtual link.

detail extensive

Loc-if-id

Local interface ID assigned to the interface that uniquely identifies the interface with the routing device.

detail extensive

Nbr-if-id

Interface ID of the neighbor's interface for this routing device link.

detail extensive

Nbr-rtr-id

Router ID of the neighbor routing device (for type 2 interfaces, the attached link’s designated router).

detail extensive

Metric

Cost of the router link.

detail extensive

Gen timer

How long until the LSA is regenerated, in the format hours:minutes:seconds.

extensive

3074




Field Description

Level of Output

Aging timer

How long until the LSA expires, in the format hours:minutes:seconds.

extensive

Installed nn:nn:nn ago

How long ago the route was installed, in the format hours:minutes:seconds.

extensive

expires in nn:nn:nn

How long until the route expires, in the format hours:minutes:seconds.

extensive

sent nn:nn:nn ago

Time elapsed since the LSA was last transmitted or flooded to an adjacency or an interface, respectively, in the format hours:minutes:seconds.

extensive

Ours

Indicates that this is a local advertisement.

extensive

Network (Network Link-State Advertisements) Options

Option bits carried in the network LSA.

detail extensive

Attached Router

Router IDs of each of the routing devices attached to the link. Only routing devices that are fully adjacent to the designated router are listed. The designated router includes itself in this list.

detail extensive

InterArPfx (Interarea-Prefix Link-State Advertisements) Prefix

IPv6 address prefix.

detail extensive

Prefix-options

Option bit associated with the prefix.

detail extensive

Metric

Cost of this route. Expressed in the same units as the interface costs in the router LSAs. When the interarea-prefix LSA is describing a route to a range of addresses, the cost is set to the maximum cost to any reachable component of the address range.

detail extensive

Gen timer


extensive

Aging timer


extensive



extensive

expires in nn:nn:nn


extensive

sent nn:nn:nn ago


extensive

Ours


extensive

InterArRtr (Interarea-Router Link-State Advertisements) Dest-router-id

Router ID of the routing device described by the LSA.

detail extensive

options

Optional capabilities supported by the routing device.

detail extensive


3075

®



Field Description

Level of Output

Metric

Cost of this route. Expressed in the same units as the interface costs in the router LSAs. When the interarea-prefix LSA is describing a route to a range of addresses, the cost is set to the maximum cost to any reachable component of the address range.

detail extensive

Prefix


extensive

Prefix-options


extensive

Extern (External Link-State Advertisements) Prefix


detail extensive

Prefix-options


detail extensive

Metric

Cost of the route, which depends on the value of Type.

detail extensive

Type n

Type of external metric: Type 1 or Type 2.

detail extensive

Aging timer


extensive



extensive

expires in nn:nn:nn


extensive

sent nn:nn:nn ago


extensive

Link (Link-State Advertisements) IPv6-Address

IPv6 link-local address on the link for which this link LSA originated.

detail extensive

Options

Option bits carried in the link LSA.

detail extensive

priority

Router priority of the interface attaching the originating routing device to the link.

detail extensive

Prefix-count

Number of IPv6 address prefixes contained in the LSA. The rest of the link LSA contains a list of IPv6 prefixes to be associated with the link.

detail extensive

Prefix


detail extensive

Prefix-options


detail extensive

Gen timer


extensive

Aging timer


extensive

3076




Field Description

Level of Output



extensive

expires in nn:nn:nn


extensive

sent nn:nn:nn ago


extensive

Ours


extensive

IntraArPfx (Intra-Area-Prefix Link-State Advertisements) Ref-lsa-type

LSA type of the referenced LSA. •

Router—Address prefixes are associated with a router LSA.

•

Network—Address prefixes are associated with a network LSA.

detail extensive

Ref-lsa-id

Link-state ID of the referenced LSA.

detail extensive

Ref-router-id

Advertising router ID of the referenced LSA.

detail extensive

Prefix-count

Number of IPv6 address prefixes contained in the LSA. The rest of the link LSA contains a list of IPv6 prefixes to be associated with the link.

detail extensive

Prefix


detail extensive

Prefix-options


detail extensive

Metric

Cost of this prefix. Expressed in the same units as the interface costs in the router LSAs.

detail extensive

Gen timer


extensive

Aging timer


extensive

Installed hh:mm:ss ago


extensive

expires in hh:mm:ss


extensive

sent hh:mm:ss ago


extensive

n Router LSAs

Number of router LSAs in the link-state database.

summary

n Network LSAs

Number of network LSAs in the link-state database.

summary

n InterArPfx LSAs

Number of interarea-prefix LSAs in the link-state database.

summary


3077

®



Field Description

Level of Output

n InterArRtr LSAs

Number of interarea-router LSAs in the link-state database.

summary

n IntraArPfx LSAs

Number of intra-area-prefix LSAs in the link-state database.

summary

Externals

Display of the external LSA database.

summary

n Extern LSAs

Number of external LSAs in the link-state database.

summary

Interface interface-name

Name of the interface for which link-local LSA information is displayed.

summary

n Link LSAs

Number of link LSAs in the link-state database.

summary

Sample Output show ospf3 database brief

show ospf3 database extensive

3078

user@host> show ospf3 database brief OSPF3 link state database, area 0.0.0.0 Type ID Adv Rtr Router 0.0.0.1 10.255.4.85 Router *0.0.0.1 10.255.4.93 InterArPfx *0.0.0.2 10.255.4.93 InterArRtr *0.0.0.1 10.255.4.93 IntraArPfx *0.0.0.1 10.255.4.93

Seq 0x80000003 0x80000002 0x80000001 0x80000001 0x80000002

Age 885 953 910 910 432

Cksum Len 0xa697 40 0xc677 40 0xb96f 44 0xe159 32 0x788f 72

OSPF3 link state database, area 0.0.0.1 Type ID Adv Rtr Router *0.0.0.1 10.255.4.93 Router 0.0.0.1 10.255.4.97 Network 0.0.0.2 10.255.4.97 InterArPfx *0.0.0.1 10.255.4.93 InterArPfx *0.0.0.2 10.255.4.93 NSSA 0.0.0.1 10.255.4.97 IntraArPfx 0.0.0.1 10.255.4.97

Seq 0x80000003 0x80000006 0x80000002 0x80000002 0x80000002 0x80000002 0x80000006

Age 916 851 916 117 62 362 851

Cksum Len 0xea40 40 0xc95b 40 0x4598 32 0xa980 44 0xd47e 44 0x45ee 44 0x2f77 52

OSPF3 AS SCOPE link state database Type ID Adv Rtr Extern 0.0.0.1 10.255.4.85 Extern *0.0.0.1 10.255.4.93

Seq 0x80000002 0x80000001

Age 63 910

Cksum Len 0x9b86 44 0x59c9 44

OSPF3 Link-Local link state database, interface ge-1/3/0.0 Type ID Adv Rtr Seq Age Link *0.0.0.2 10.255.4.93 0x80000003 916

Cksum Len 0x4dab 64

user@host> show ospf3 database extensive OSPF3 link state database, area 0.0.0.0 Type ID Adv Rtr Seq Age Cksum Len Router 0.0.0.1 10.255.4.85 0x80000003 1028 0xa697 40 bits 0x2, Options 0x13 Type PointToPoint (1), Metric 10 Loc-If-Id 2, Nbr-If-Id 3, Nbr-Rtr-Id 10.255.4.93 Aging timer 00:42:51 Installed 00:17:05 ago, expires in 00:42:52, sent 02:37:54 ago Router *0.0.0.1 10.255.4.93 0x80000002 1096 0xc677 40



bits 0x3, Options 0x13 Type PointToPoint (1), Metric 10 Loc-If-Id 3, Nbr-If-Id 2, Nbr-Rtr-Id 10.255.4.85 Gen timer 00:00:40 Aging timer 00:41:44 Installed 00:18:16 ago, expires in 00:41:44, sent 00:18:14 ago Ours InterArPfx *0.0.0.2 10.255.4.93 0x80000001 1053 0xb96f 44 Prefix feee::10:10:2:0/126 Prefix-options 0x0, Metric 10 Gen timer 00:17:02 Aging timer 00:42:26 Installed 00:17:33 ago, expires in 00:42:27, sent 00:17:31 ago Ours InterArPfx *0.0.0.3 10.255.4.93 0x80000001 1053 0x71d3 44 Prefix feee::10:255:4:97/128 Prefix-options 0x0, Metric 10 Gen timer 00:21:07 Aging timer 00:42:26 Installed 00:17:33 ago, expires in 00:42:27, sent 00:17:31 ago Ours InterArRtr *0.0.0.1 10.255.4.93 0x80000001 1053 0xe159 32 Dest-router-id 10.255.4.97, Options 0x19, Metric 10 Gen timer 00:29:18 Aging timer 00:42:26 Installed 00:17:33 ago, expires in 00:42:27, sent 00:17:31 ago Ours IntraArPfx 0.0.0.1 10.255.4.85 0x80000002 1028 0x2403 72 Ref-lsa-type Router, Ref-lsa-id 0.0.0.0, Ref-router-id 10.255.4.85 Prefix-count 2 Prefix feee::10:255:4:85/128 Prefix-options 0x2, Metric 0 Prefix feee::10:10:1:0/126 Prefix-options 0x0, Metric 10 Aging timer 00:42:51 Installed 00:17:05 ago, expires in 00:42:52, sent 02:37:54 ago IntraArPfx *0.0.0.1 10.255.4.93 0x80000002 575 0x788f 72 Ref-lsa-type Router, Ref-lsa-id 0.0.0.0, Ref-router-id 10.255.4.93 Prefix-count 2 Prefix feee::10:255:4:93/128 Prefix-options 0x2, Metric 0 Prefix feee::10:10:1:0/126 Prefix-options 0x0, Metric 10 Gen timer 00:33:23 Aging timer 00:50:24 Installed 00:09:35 ago, expires in 00:50:25, sent 00:09:33 ago OSPF3 link state database, area 0.0.0.1 Type ID Adv Rtr Seq Age Cksum Len Router *0.0.0.1 10.255.4.93 0x80000003 1059 0xea40 40 bits 0x3, Options 0x19 Type Transit (2), Metric 10 Loc-If-Id 2, Nbr-If-Id 2, Nbr-Rtr-Id 10.255.4.97 Gen timer 00:08:51 Aging timer 00:42:20 Installed 00:17:39 ago, expires in 00:42:21, sent 00:17:37 ago Router 0.0.0.1 10.255.4.97 0x80000006 994 0xc95b 40 bits 0x2, Options 0x19 Type Transit (2), Metric 10 Loc-If-Id 2, Nbr-If-Id 2, Nbr-Rtr-Id 10.255.4.97 Aging timer 00:43:25 Installed 00:16:31 ago, expires in 00:43:26, sent 02:37:54 ago


3079

®


Network 0.0.0.2 10.255.4.97 0x80000002 1059 0x4598 32 Options 0x11 Attached router 10.255.4.97 Attached router 10.255.4.93 Aging timer 00:42:20 Installed 00:17:36 ago, expires in 00:42:21, sent 02:37:54 ago InterArPfx *0.0.0.1 10.255.4.93 0x80000002 260 0xa980 44 Prefix feee::10:10:1:0/126 Prefix-options 0x0, Metric 10 Gen timer 00:45:39 Aging timer 00:55:39 Installed 00:04:20 ago, expires in 00:55:40, sent 00:04:18 ago Ours InterArPfx *0.0.0.2 10.255.4.93 0x80000002 205 0xd47e 44 Prefix feee::10:255:4:93/128 Prefix-options 0x0, Metric 0 Gen timer 00:46:35 Aging timer 00:56:35 Installed 00:03:25 ago, expires in 00:56:35, sent 00:03:23 ago Ours InterArPfx *0.0.0.3 10.255.4.93 0x80000001 1089 0x9bbb 44 Prefix feee::10:255:4:85/128 Prefix-options 0x0, Metric 10 Gen timer 00:04:46 Aging timer 00:41:51 Installed 00:18:09 ago, expires in 00:41:51, sent 00:17:43 ago Ours NSSA 0.0.0.1 10.255.4.97 0x80000002 505 0x45ee 44 Prefix feee::200:200:1:0/124 Prefix-options 0x8, Metric 10, Type 2, Aging timer 00:51:35 Installed 00:08:22 ago, expires in 00:51:35, sent 02:37:54 ago IntraArPfx 0.0.0.1 10.255.4.97 0x80000006 994 0x2f77 52 Ref-lsa-type Router, Ref-lsa-id 0.0.0.0, Ref-router-id 10.255.4.97 Prefix-count 1 Prefix feee::10:255:4:97/128 Prefix-options 0x2, Metric 0 Aging timer 00:43:25 Installed 00:16:31 ago, expires in 00:43:26, sent 02:37:54 ago IntraArPfx 0.0.0.3 10.255.4.97 0x80000002 1059 0x4446 52 Ref-lsa-type Network, Ref-lsa-id 0.0.0.2, Ref-router-id 10.255.4.97 Prefix-count 1 Prefix feee::10:10:2:0/126 Prefix-options 0x0, Metric 0 Aging timer 00:42:20 Installed 00:17:36 ago, expires in 00:42:21, sent 02:37:54 ago OSPF3 AS SCOPE link state database Type ID Adv Rtr Seq Age Cksum Len Extern 0.0.0.1 10.255.4.85 0x80000002 206 0x9b86 44 Prefix feee::100:100:1:0/124 Prefix-options 0x0, Metric 20, Type 2, Aging timer 00:56:34 Installed 00:03:23 ago, expires in 00:56:34, sent 02:37:54 ago Extern *0.0.0.1 10.255.4.93 0x80000001 1053 0x59c9 44 Prefix feee::200:200:1:0/124 Prefix-options 0x0, Metric 10, Type 2, Gen timer 00:25:12 Aging timer 00:42:26 Installed 00:17:33 ago, expires in 00:42:27, sent 00:17:31 ago OSPF3 Link-Local link state database, interface ge-1/3/0.0

3080



Type ID Adv Rtr Seq Age Cksum Len Link *0.0.0.2 10.255.4.93 0x80000003 1059 0x4dab 64 fe80::290:69ff:fe39:1cdb Options 0x11, priority 128 Prefix-count 1 Prefix feee::10:10:2:0/126 Prefix-options 0x0 Gen timer 00:12:56 Aging timer 00:42:20 Installed 00:17:39 ago, expires in 00:42:21, sent 00:17:37 ago Link 0.0.0.2 10.255.4.97 0x80000003 205 0xa87d 64 fe80::290:69ff:fe38:883e Options 0x11, priority 128 Prefix-count 1 Prefix feee::10:10:2:0/126 Prefix-options 0x0 Aging timer 00:56:35 Installed 00:03:22 ago, expires in 00:56:35, sent 02:37:54 ago OSPF3 Link-Local link state database, interface so-2/2/0.0 Type ID Adv Rtr Seq Age Cksum Len Link 0.0.0.2 10.255.4.85 0x80000002 506 0x42bb 64 fe80::280:42ff:fe10:f169 Options 0x13, priority 128 Prefix-count 1 Prefix feee::10:10:1:0/126 Prefix-options 0x0 Aging timer 00:51:34 Installed 00:08:23 ago, expires in 00:51:34, sent 02:37:54 ago Link *0.0.0.3 10.255.4.93 0x80000002 505 0x6b7a 64 fe80::280:42ff:fe10:f177 Options 0x13, priority 128 Prefix-count 1 Prefix feee::10:10:1:0/126 Prefix-options 0x0 Gen timer 00:37:28 Aging timer 00:51:35 Installed 00:08:25 ago, expires in 00:51:35, sent 00:08:23 ago Ours

show ospf3 database summary

user@host> show ospf3 database summary Area 0.0.0.0: 2 Router LSAs 1 InterArPfx LSAs 1 InterArRtr LSAs 1 IntraArPfx LSAs Area 0.0.0.1: 2 Router LSAs 1 Network LSAs 2 InterArPfx LSAs 1 NSSA LSAs 1 IntraArPfx LSAs Externals: 2 Extern LSAs Interface ge-1/3/0.0: 1 Link LSAs Interface lo0.0: Interface so-2/2/0.0: 1 Link LSAs


3081

®


show ospf database Syntax


Release Information

show ospf database show ospf database

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. advertising-router self (address | self) option introduced in Junos OS Release 9.5. advertising-router self (address | self) option introduced in Junos OS Release 9.5 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Display the entries in the Open Shortest Path First version 2 (OSPFv2) link-state database, which contains data about link-state advertisement (LSA) packets.

Options

none—Display standard information about entries in the OSPFv2 link-state database for

all routing instances. brief | detail | extensive | summary—(Optional) Display the specified level of output. advertising-router (address | self)—(Optional) Display the LSAs advertised either by a

particular routing device or by this routing device. area area-id—(Optional) Display the LSAs in a particular area.

3082



asbrsummary—(Optional) Display summary AS boundary router LSA entries. external—(Optional) Display external LSAs. instance instance-name—(Optional) Display all OSPF database information under the

named routing instance. link-local—(Optional) Display information about link-local LSAs. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. lsa-id lsa-id—(Optional) Display the LSA with the specified LSA identifier. netsummary—(Optional) Display summary network LSAs. network—(Optional) Display information about network LSAs. nssa—(Optional) Display information about not-so-stubby area (NSSA) LSAs. opaque-area—(Optional) Display opaque area-scope LSAs. router—(Optional) Display information about router LSAs.


Output Fields

view

•

clear (ospf | ospf3) database on page 2936

show ospf database on page 3085 show ospf database brief on page 3085 show ospf database detail on page 3085 show ospf database extensive on page 3087 show ospf database summary on page 3089 Table 341 on page 3083 describes the output fields for the show ospf database command. Output fields are listed in the approximate order in which they appear.

Table 341: show ospf database Output Fields Field Name

Field Description

Level of Output

area


All levels

Type

Type of link advertisement: ASBRSum, Extern, Network, NSSA, OpaqArea, Router, or Summary.

All levels

ID

LSA identifier included in the advertisement. An asterisk preceding the identifier marks database entries that originated from the local routing device.

All levels

Adv Rtr

Address of the routing device that sent the advertisement.

All levels

Seq

Link sequence number of the advertisement.

All levels


3083

®


Table 341: show ospf database Output Fields (continued) Field Name

Field Description

Level of Output

Age

Time elapsed since the LSA was originated, in seconds.

All levels

Opt

Optional OSPF capabilities associated with the LSA.

All levels

Cksum

Checksum value of the LSA.

All levels

Len

Length of the advertisement, in bytes.

All levels

Router

Router link-state advertisement information:

detail extensive

•

bits—Flags describing the routing device that generated the LSP.

•

link count—Number of links in the advertisement.

•

id—ID of a routing device or subnet on the link.

•

data—For stub networks, the subnet mask; otherwise, the IP address of the

routing device that generated the LSP.

Network

Summary

•

type—Type of link. It can be PointToPoint, Transit, Stub, or Virtual.

•

TOS count—Number of type-of-service (ToS) entries in the advertisement.

•

TOS 0 metric—Metric for ToS 0.

•

TOS—Type-of-service (ToS) value.

•

metric—Metric for the ToS.

Network link-state advertisement information: •

mask—Network mask.

•

attached router—ID of the attached neighbor.

Summary link-state advertisement information: •

mask—Network mask.

•

TOS—Type-of-service (ToS) value.

•

metric—Metric for the ToS.

detail extensive

detail extensive

Gen timer

How long until the LSA is regenerated.

extensive

Aging timer

How long until the LSA expires.

extensive

Installed hh:mm:ss ago

How long ago the route was installed.

extensive

expires in hh:mm:ss

How long until the route expires.

extensive

sent hh:mm:ss ago

How long ago the LSA was sent.

extensive

Last changed hh:mm:ss ago

How long ago the route was changed.

extensive

Change count

Number of times the route has changed.

extensive

3084



Table 341: show ospf database Output Fields (continued) Field Name

Field Description

Level of Output

Ours


extensive

Router LSAs

Number of router link-state advertisements in the link-state database.

summary

Network LSAs

Number of network link-state advertisements in the link-state database.

summary

Summary LSAs

Number of summary link-state advertisements in the link-state database.

summary

NSSA LSAs

Number of not-so-stubby area link-state advertisements in the link-state database.

summary

Sample Output show ospf database

user@host> show ospf database OSPF link state database, Area 0.0.0.1 Type ID Adv Rtr Router 10.255.70.103 10.255.70.103 Router *10.255.71.242 10.255.71.242 Summary *23.1.1.0 10.255.71.242 Summary *24.1.1.0 10.255.71.242 NSSA *33.1.1.1 10.255.71.242

Seq 0x80000002 0x80000002 0x80000002 0x80000002 0x80000002

Age 215 214 172 177 217

Opt 0x20 0x20 0x20 0x20 0x28

Cksum Len 0x4112 48 0x11b1 48 0x6d72 28 0x607e 28 0x73bd 36

OSPF link state database, Area 0.0.0.2 Type ID Adv Rtr Router 10.255.71.52 10.255.71.52 Router *10.255.71.242 10.255.71.242 Network *23.1.1.1 10.255.71.242 Summary *12.1.1.0 10.255.71.242 Summary *24.1.1.0 10.255.71.242 NSSA *33.1.1.1 10.255.71.242

Seq 0x80000004 0x80000003 0x80000002 0x80000001 0x80000002 0x80000001

Age 174 173 173 217 177 222

Opt 0x20 0x20 0x20 0x20 0x20 0x28

Cksum Len 0xd021 36 0xe191 36 0x9c76 32 0xfeec 28 0x607e 28 0xe047 36

OSPF link state database, Area 0.0.0.3 Type ID Adv Rtr Router 10.255.71.238 10.255.71.238 Router *10.255.71.242 10.255.71.242 Network *24.1.1.1 10.255.71.242 Summary *12.1.1.0 10.255.71.242 Summary *23.1.1.0 10.255.71.242 NSSA *33.1.1.1 10.255.71.242

Seq 0x80000003 0x80000003 0x80000002 0x80000001 0x80000002 0x80000001

Age 179 177 177 217 172 222

Opt 0x20 0x20 0x20 0x20 0x20 0x28

Cksum Len 0x3942 36 0xf37d 36 0xc591 32 0xfeec 28 0x6d72 28 0xeb3b 36

show ospf database brief

The output for the show ospf database brief command is identical to that for the show ospf database command. For sample output, see show ospf database on page 3085.

show ospf database detail

user@host> show ospf database detail OSPF link state database, Area 0.0.0.1 Type ID Adv Rtr Seq Age Router 10.255.70.103 10.255.70.103 0x80000002 261 bits 0x0, link count 2 id 10.255.71.242, data 12.1.1.1, Type PointToPoint (1) TOS count 0, TOS 0 metric 1 id 12.1.1.0, data 255.255.255.0, Type Stub (3) TOS count 0, TOS 0 metric 1


Opt Cksum Len 0x20 0x4112 48

3085

®


Router *10.255.71.242 10.255.71.242 0x80000002 260 bits 0x3, link count 2 id 10.255.70.103, data 12.1.1.2, Type PointToPoint (1) TOS count 0, TOS 0 metric 1 id 12.1.1.0, data 255.255.255.0, Type Stub (3) TOS count 0, TOS 0 metric 1 Summary *23.1.1.0 10.255.71.242 0x80000002 218 mask 255.255.255.0 TOS 0x0, metric 1 Summary *24.1.1.0 10.255.71.242 0x80000002 223 mask 255.255.255.0 TOS 0x0, metric 1 NSSA *33.1.1.1 10.255.71.242 0x80000002 263 mask 255.255.255.255 Type 2, TOS 0x0, metric 0, fwd addr 12.1.1.2, tag 0.0.0.0 OSPF link state database, Area 0.0.0.2 Type ID Adv Rtr Seq Age Router 10.255.71.52 10.255.71.52 0x80000004 220 bits 0x0, link count 1 id 23.1.1.1, data 23.1.1.2, Type Transit (2) TOS count 0, TOS 0 metric 1 Router *10.255.71.242 10.255.71.242 0x80000003 219 bits 0x3, link count 1 id 23.1.1.1, data 23.1.1.1, Type Transit (2) TOS count 0, TOS 0 metric 1 Network *23.1.1.1 10.255.71.242 0x80000002 219 mask 255.255.255.0 attached router 10.255.71.242 attached router 10.255.71.52 Summary *12.1.1.0 10.255.71.242 0x80000001 263 mask 255.255.255.0 TOS 0x0, metric 1 Summary *24.1.1.0 10.255.71.242 0x80000002 223 mask 255.255.255.0 TOS 0x0, metric 1 NSSA *33.1.1.1 10.255.71.242 0x80000001 268 mask 255.255.255.255 Type 2, TOS 0x0, metric 0, fwd addr 23.1.1.1, tag 0.0.0.0 OSPF link state database, Area 0.0.0.3 Type ID Adv Rtr Router 10.255.71.238 10.255.71.238 bits 0x0, link count 1 id 24.1.1.1, data 24.1.1.2, Type Transit TOS count 0, TOS 0 metric 1 Router *10.255.71.242 10.255.71.242 bits 0x3, link count 1 id 24.1.1.1, data 24.1.1.1, Type Transit TOS count 0, TOS 0 metric 1 Network *24.1.1.1 10.255.71.242 mask 255.255.255.0 attached router 10.255.71.242 attached router 10.255.71.238 Summary *12.1.1.0 10.255.71.242 mask 255.255.255.0 TOS 0x0, metric 1 Summary *23.1.1.0 10.255.71.242 mask 255.255.255.0 TOS 0x0, metric 1 NSSA *33.1.1.1 10.255.71.242

3086

Seq 0x80000003

0x20 0x11b1

48

0x20 0x6d72

28

0x20 0x607e

28

0x28 0x73bd

36

Opt Cksum Len 0x20 0xd021 36

0x20 0xe191

36

0x20 0x9c76

32

0x20 0xfeec

28

0x20 0x607e

28

0x28 0xe047

36

Age 225


223

0x20 0xf37d

36

0x80000002

223

0x20 0xc591

32

0x80000001

263

0x20 0xfeec

28

0x80000002

218

0x20 0x6d72

28

0x80000001

268

0x28 0xeb3b

36

(2) 0x80000003 (2)



mask 255.255.255.255 Type 2, TOS 0x0, metric 0, fwd addr 24.1.1.1, tag 0.0.0.0

show ospf database extensive

user@host> show ospf database extensive OSPF link state database, Area 0.0.0.1 Type ID Adv Rtr Seq Age Router 10.255.70.103 10.255.70.103 0x80000002 286 bits 0x0, link count 2 id 10.255.71.242, data 12.1.1.1, Type PointToPoint (1) TOS count 0, TOS 0 metric 1 id 12.1.1.0, data 255.255.255.0, Type Stub (3) TOS count 0, TOS 0 metric 1 Aging timer 00:55:14 Installed 00:04:43 ago, expires in 00:55:14 Last changed 00:04:43 ago, Change count: 2 Router *10.255.71.242 10.255.71.242 0x80000002 285 bits 0x3, link count 2 id 10.255.70.103, data 12.1.1.2, Type PointToPoint (1) TOS count 0, TOS 0 metric 1 id 12.1.1.0, data 255.255.255.0, Type Stub (3) TOS count 0, TOS 0 metric 1 Gen timer 00:45:15 Aging timer 00:55:15 Installed 00:04:45 ago, expires in 00:55:15, sent 00:04:43 Last changed 00:04:45 ago, Change count: 2, Ours Summary *23.1.1.0 10.255.71.242 0x80000002 243 mask 255.255.255.0 TOS 0x0, metric 1 Gen timer 00:45:57 Aging timer 00:55:57 Installed 00:04:03 ago, expires in 00:55:57, sent 00:04:01 Last changed 00:04:48 ago, Change count: 1, Ours Summary *24.1.1.0 10.255.71.242 0x80000002 248 mask 255.255.255.0 TOS 0x0, metric 1 Gen timer 00:45:52 Aging timer 00:55:52 Installed 00:04:08 ago, expires in 00:55:52, sent 00:04:06 Last changed 00:04:48 ago, Change count: 1, Ours NSSA *33.1.1.1 10.255.71.242 0x80000002 288 mask 255.255.255.255 Type 2, TOS 0x0, metric 0, fwd addr 12.1.1.2, tag 0.0.0.0 Gen timer 00:45:12 Aging timer 00:55:12 Installed 00:04:48 ago, expires in 00:55:12, sent 00:04:48 Last changed 00:04:48 ago, Change count: 2, Ours OSPF link state database, Area 0.0.0.2 Type ID Adv Rtr Seq Router 10.255.71.52 10.255.71.52 0x80000004 bits 0x0, link count 1 id 23.1.1.1, data 23.1.1.2, Type Transit (2) TOS count 0, TOS 0 metric 1 Aging timer 00:55:55 Installed 00:04:02 ago, expires in 00:55:55 Last changed 00:04:02 ago, Change count: 2 Router *10.255.71.242 10.255.71.242 0x80000003 bits 0x3, link count 1 id 23.1.1.1, data 23.1.1.1, Type Transit (2) TOS count 0, TOS 0 metric 1 Gen timer 00:45:56



0x20 0x11b1

48

ago 0x20 0x6d72

28

ago 0x20 0x607e

28

ago 0x28 0x73bd

36

ago

Age 245

Opt Cksum Len 0x20 0xd021 36

244

0x20 0xe191

36

3087

®


Aging timer 00:55:56 Installed 00:04:04 ago, expires in 00:55:56, sent 00:04:02 Last changed 00:04:04 ago, Change count: 2, Ours Network *23.1.1.1 10.255.71.242 0x80000002 244 mask 255.255.255.0 attached router 10.255.71.242 attached router 10.255.71.52 Gen timer 00:45:56 Aging timer 00:55:56 Installed 00:04:04 ago, expires in 00:55:56, sent 00:04:02 Last changed 00:04:04 ago, Change count: 1, Ours Summary *12.1.1.0 10.255.71.242 0x80000001 288 mask 255.255.255.0 TOS 0x0, metric 1 Gen timer 00:45:12 Aging timer 00:55:12 Installed 00:04:48 ago, expires in 00:55:12, sent 00:04:04 Last changed 00:04:48 ago, Change count: 1, Ours Summary *24.1.1.0 10.255.71.242 0x80000002 248 mask 255.255.255.0 TOS 0x0, metric 1 Gen timer 00:45:52 Aging timer 00:55:52 Installed 00:04:08 ago, expires in 00:55:52, sent 00:04:04 Last changed 00:04:48 ago, Change count: 1, Ours NSSA *33.1.1.1 10.255.71.242 0x80000001 293 mask 255.255.255.255 Type 2, TOS 0x0, metric 0, fwd addr 23.1.1.1, tag 0.0.0.0 Gen timer 00:45:07 Aging timer 00:55:07 Installed 00:04:53 ago, expires in 00:55:07, sent 00:04:04 Last changed 00:04:53 ago, Change count: 1, Ours OSPF link state database, Area 0.0.0.3 Type ID Adv Rtr Seq Age Router 10.255.71.238 10.255.71.238 0x80000003 250 bits 0x0, link count 1 id 24.1.1.1, data 24.1.1.2, Type Transit (2) TOS count 0, TOS 0 metric 1 Aging timer 00:55:50 Installed 00:04:07 ago, expires in 00:55:50 Last changed 00:04:07 ago, Change count: 2 Router *10.255.71.242 10.255.71.242 0x80000003 248 bits 0x3, link count 1 id 24.1.1.1, data 24.1.1.1, Type Transit (2) TOS count 0, TOS 0 metric 1 Gen timer 00:45:52 Aging timer 00:55:52 Installed 00:04:08 ago, expires in 00:55:52, sent 00:04:06 Last changed 00:04:08 ago, Change count: 2, Ours Network *24.1.1.1 10.255.71.242 0x80000002 248 mask 255.255.255.0 attached router 10.255.71.242 attached router 10.255.71.238 Gen timer 00:45:52 Aging timer 00:55:52 Installed 00:04:08 ago, expires in 00:55:52, sent 00:04:06 Last changed 00:04:08 ago, Change count: 1, Ours Summary *12.1.1.0 10.255.71.242 0x80000001 288 mask 255.255.255.0 TOS 0x0, metric 1

3088

ago 0x20 0x9c76

32

ago 0x20 0xfeec

28

ago 0x20 0x607e

28

ago 0x28 0xe047

36

ago


0x20 0xf37d

36

ago 0x20 0xc591

32

ago 0x20 0xfeec

28



Gen timer 00:45:12 Aging timer 00:55:12 Installed 00:04:48 ago, expires in 00:55:12, sent 00:04:13 Last changed 00:04:48 ago, Change count: 1, Ours Summary *23.1.1.0 10.255.71.242 0x80000002 243 mask 255.255.255.0 TOS 0x0, metric 1 Gen timer 00:45:57 Aging timer 00:55:57 Installed 00:04:03 ago, expires in 00:55:57, sent 00:04:01 Last changed 00:04:48 ago, Change count: 1, Ours NSSA *33.1.1.1 10.255.71.242 0x80000001 293 mask 255.255.255.255 Type 2, TOS 0x0, metric 0, fwd addr 24.1.1.1, tag 0.0.0.0 Gen timer 00:45:07 Aging timer 00:55:07 Installed 00:04:53 ago, expires in 00:55:07, sent 00:04:13 Last changed 00:04:53 ago, Change count: 1, Ours

show ospf database summary

ago 0x20 0x6d72

28

ago 0x28 0xeb3b

36

ago

user@host> show ospf database summary Area 0.0.0.1: 2 Router LSAs 2 Summary LSAs 1 NSSA LSAs Area 0.0.0.2: 2 Router LSAs 1 Network LSAs 2 Summary LSAs 1 NSSA LSAs Area 0.0.0.3: 2 Router LSAs 1 Network LSAs 2 Summary LSAs 1 NSSA LSAs Externals: Interface fe-2/2/1.0: Interface ge-0/3/2.0: Interface so-0/1/2.0: Interface so-0/1/2.0:


3089

®


show policy damping Syntax


Description Options

show policy damping show policy damping

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display information about BGP route flap damping parameters. none—Display information about BGP route flap damping parameters. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. Additional Information



In the output from this command, figure-of-merit values correlate with the probability of future instability of a routing device. Routes with higher figure-of-merit values are suppressed for longer periods of time. The figure-of-merit value decays exponentially over time. A figure-of-merit value of zero is assigned to each new route. The value is increased each time the route is withdrawn or readvertised, or when one of its path attributes changes. view

•

“Configuring BGP Flap Damping Parameters” in the Junos OS Policy Framework Configuration Guide

•

clear bgp damping on page 2944

•

show route damping on page 3127

show policy damping on page 3091 Table 342 on page 3090 describes the output fields for the show policy damping command. Output fields are listed in the approximate order in which they appear.

Table 342: show policy damping Output Fields Field Name

Field Description

Halflife

Decay half-life, in minutes. The value represents the period during which the accumulated figure-of-merit value is reduced by half if the route remains stable. If a route has flapped, but then becomes stable, the figure-of-merit value for the route decays exponentially. For example, for a route with a figure-of-merit value of 1500, if no incidents occur, its figure-of-merit value is reduced to 750 after 15 minutes and to 375 after another 15 minutes.

3090



Table 342: show policy damping Output Fields (continued) Field Name

Field Description

Reuse merit

Figure-of-merit value below which a suppressed route can be used again. A suppressed route becomes reusable when its figure-of-merit value decays to a value below a reuse threshold, and the route once again is considered usable and can be installed in the forwarding table and exported from the routing table.

Suppress/cutoff merit

Figure-of-merit value above which a route is suppressed for use or inclusion in advertisements. When a route's figure-of-merit value reaches a particular level, called the cutoff or suppression threshold, the route is suppressed. When a route is suppressed, the routing table no longer installs the route into the forwarding table and no longer exports this route to any of the routing protocols.

Maximum suppress time

Maximum hold-down time, in minutes. The value represents the maximum time that a route can be suppressed no matter how unstable it has been before this period of stability.

Computed values

•

Merit ceiling—Maximum merit that a flapping route can collect.

•

Maximum decay—Maximum decay half-life, in minutes.

Sample Output show policy damping

user@host> show policy damping Default damping information: Halflife: 15 minutes Reuse merit: 750 Suppress/cutoff merit: 3000 Maximum suppress time: 60 minutes Computed values: Merit ceiling: 12110 Maximum decay: 6193 Damping information for "standard-damping": Halflife: 10 minutes Reuse merit: 4000 Suppress/cutoff merit: 8000 Maximum suppress time: 30 minutes Computed values: Merit ceiling: 32120 Maximum decay: 12453


3091

®


show rip general-statistics Syntax


Description Options

show rip general-statistics show rip general-statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display brief Routing Information Protocol (RIP) statistics. none—Display brief RIP statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

•

clear rip general-statistics on page 2959

show rip general-statistics on page 3092 Table 343 on page 3092 lists the output fields for the show rip general-statistics command. Output fields are listed in the approximate order in which they appear.

Table 343: show rip general-statistics Output Fields Field Name

Field Description

bad msgs

Number of invalid messages received.

no recv intf

Number of packets received with no matching interface.

curr memory

Amount of memory currently used by RIP.

max memory

Most memory used by RIP.

Sample Output show rip general-statistics

3092

user@host> show rip general-statistics RIPv2 I/O info: bad msgs : 0 no recv intf : 0



curr memory max memory


: :

0 0

3093

®


show rip neighbor Syntax


Description Options

show rip neighbor show rip neighbor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display information about RIP neighbors. none—Display information about all RIP neighbors for all instances. instance (all | instance-name)—(Optional) Display RIP neighbor information for all

instances or for only the specified routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name—(Optional) Display detailed information about only the specified RIP neighbor.


Output Fields

view

show rip neighbor on page 3095 show rip neighbor (With Demand Circuits Configured) on page 3095 Table 344 on page 3094 lists the output fields for the show rip neighbor command. Output fields are listed in the approximate order in which they appear.

Table 344: show rip neighbor Output Fields Field Name

Field Description

Neighbor

Name of the RIP neighbor. NOTE: Beginning with Junos OS Release 11.1, when you configure demand circuits, the output displays a demand circuit (DC) flag next to neighbor interfaces configured for demand circuits. If you configure demand circuits at the [edit protocols rip group group-name neighbor neighbor-name] hierarchy level, the output shows only the neighboring interface that you specifically configured as a demand circuit. If you configure demand circuits at the [edit protocols rip group group-name] hierarchy level, all of the interfaces in the group are configured as demand circuits. Therefore, the output shows all of the interfaces in that group as demand circuits.

3094



Table 344: show rip neighbor Output Fields (continued) Field Name

Field Description

State

State of the connection: Up or Dn (Down).

Source Address

Source address.

Destination Address


Send Mode

Send options: broadcast, multicast, none, or version 1.

Receive Mode

Type of packets to accept: both, none, version 1, or version 2.

In Met

Metric added to incoming routes when advertising into RIP routes that were learned from other protocols.

Sample Output show rip neighbor

show rip neighbor (With Demand Circuits Configured)

user@host> show rip neighbor Local Source Neighbor State Address ------------ ------ge-2/3/0.0 Up 192.168.9.105 at-5/1/1.42 Dn (null) at-5/1/0.42 Dn (null) at-5/1/0.0 Up 20.0.0.1 so-0/0/0.0 Up 192.168.9.97

Destination Address ----------192.168.9.107 (null) (null) 224.0.0.9 224.0.0.9

Send Mode ---bcast mcast mcast mcast mcast

user@host# show rip neighbor Local Source Neighbor State Address ------------ ------so-0/1/0.0(DC) Up 10.10.10.2 so-0/2/0.0(DC) Up 13.13.13.2

Destination Address ----------224.0.0.9 224.0.0.9

Send Mode ---mcast mcast


Receive Mode ------both v2 only both both both

Receive Mode ------both both

In Met --1 3 3 3 3

In Met --1 1

3095

®


show rip statistics Syntax


Description

Options

show rip statistics show rip statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display RIP statistics about messages sent and received on an interface, as well as information received from advertisements from other routing devices. none—Display RIP statistics for all routing instances. instance (all | instance-name)—(Optional) Display RIP statistics for all instances or for

only the specified routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name—(Optional) Display detailed information about only the specified RIP neighbor. peer (all | address)—(Optional) Display RIP statistics for a single peer or all peers.


3096

view

•

clear rip statistics on page 2960

show rip statistics on page 3097 Table 345 on page 3097 lists the output fields for the show rip statistics command. Output fields are listed in the approximate order in which they appear.



Table 345: show rip statistics Output Fields Field Name

Field Description

RIP info

Information about RIP on the specified interface: •

port—UDP port number used for RIP.

•

update interval—Interval between routing table updates, in seconds.

•

holddown—Hold-down interval, in seconds.

•

timeout—Timeout interval, in seconds.

•

restart in progress—Graceful restart status. Displayed when RIP is or has been in the process of

graceful restart.

logical-interface

Counter

•

restart time—Estimated time for the graceful restart to finish, in seconds.

•

restart will complete in—Remaining time for the graceful restart to finish, in seconds.

•

rts learned—Number of routes learned through RIP.

•

rts held down—Number of routes held down by RIP.

•

rqsts dropped—Number of received request packets that were dropped.

•

resps dropped—Number of received response packets that were dropped.

Name of the logical interface and its statistics: •

routes learned—Number of routes learned on the logical interface.

•

routes advertised—Number of routes advertised by the logical interface.

List of counter types: •

Updates Sent—Number of update messages sent.

•

Triggered Updates Sent—Number of triggered update messages sent.

•

Responses Sent—Number of response messages sent.

•

Bad Messages—Number of invalid messages received.

•

RIPv1 Updates Received—Number of RIPv1 update messages received.

•

RIPv1 Bad Route Entries—Number of RIPv1 invalid route entry messages received.

•

RIPv1 Updates Ignored—Number of RIPv1 update messages ignored.

•

RIPv2 Updates Received—Number of RIPv2 update messages received.

•

RIPv2 Bad Route Entries—Number of RIPv2 invalid route entry messages received.

•

RIPv2 Updates Ignored—Number of RIPv2 update messages that were ignored.

•

Authentication Failures—Number of received update messages that failed authentication.

•

RIP Requests Received—Number of RIP request messages received.

•

RIP Requests Ignored—Number of RIP request messages ignored.

Total

Total number of packets for the selected counter.

Last 5 min

Number of packets for the selected counter in the most recent 5-minute period.

Last minute


Sample Output show rip statistics

user@host> show rip statistics so-0/0/0.0 RIP info: port 520; update interval: 30s; holddown 180s; timeout 120s restart in progress: restart time 60s; restart will complete in 55s


3097

®


rts learned rts held down rqsts dropped resps dropped 0 0 0 0 so-0/0/0.0: 0 routes learned; 501 routes advertised Counter Total Last 5 min Last minute ----------------- ----------- ----------Updates Sent 0 0 0 Triggered Updates Sent 0 0 0 Responses Sent 0 0 0 Bad Messages 0 0 0 RIPv1 Updates Received 0 0 0 RIPv1 Bad Route Entries 0 0 0 RIPv1 Updates Ignored 0 0 0 RIPv2 Updates Received 0 0 0 RIPv2 Bad Route Entries 0 0 0 RIPv2 Updates Ignored 0 0 0 Authentication Failures 0 0 0 RIP Requests Received 0 0 0 RIP Requests Ignored 0 0 0

3098



show ripng general-statistics Syntax


Description Options

show ripng general-statistics show ripng general-statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display general Routing Information Protocol next-generation (RIPng) statistics. none—Display general RIPng statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

•

clear ripng general-statistics on page 2961

show ripng general-statistics on page 3099 Table 346 on page 3099 lists the output fields for the show ripng general-statistics command. Output fields are listed in the approximate order in which they appear.

Table 346: show ripng general-statistics Output Fields Field Name

Field Description

bad msgs

Number of invalid messages received.

no recv intf

Number of packets received with no matching interface.

curr memory

Amount of memory currently used by RIPng.

max memory

Most memory used by RIPng.

Sample Output show ripng general-statistics

user@host> show ripng general-statistics RIPng I/O info: bad msgs : 0 no recv intf : 0 curr memory : 0 max memory : 0


3099

®


show ripng neighbor Syntax


Description

Options

show ripng neighbor show ripng neighbor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about Routing Information Protocol next-generation (RIPng) neighbors. none—Display information about all RIPng neighbors. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name—(Optional) Display detailed information about a specific RIPng neighbor.


view

show ripng neighbor on page 3101 Table 347 on page 3100 lists the output fields for the show ripng neighbor command. Output fields are listed in the approximate order in which they appear.

Table 347: show ripng neighbor Output Fields

3100

Field Name

Field Description

Neighbor

Name of RIPng neighbor.

State

State of the connection: Up or Dn (Down).

Source Address

Source address.

Destination Address


Send

Send options: broadcast, multicast, none, version 1, or yes.

Recv

Type of packets to accept: both, none, version 1, or yes.

In Met

Metric added to incoming routes when advertising into RIPng routes that were learned from other protocols.



Sample Output show ripng neighbor

user@host> show ripng neighbor Source Neighbor State Address ------------ ------fe-0/0/2.0 Up fe80::290:69ff:fe68:b002


Dest Address ------ff02::9

In Send Recv Met ---- ---- --yes yes 1

3101

®


show ripng statistics Syntax


Description

Options

show ripng statistics show ripng statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display Routing Information Protocol next generation (RIPng) statistics about messages sent and received on an interface, as well as information received from advertisements from other routing devices. none—Display RIPng statistics for all neighbors. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name—(Optional) Display detailed information about a specific RIPng neighbor.


view

•

clear ripng statistics on page 2962

show ripng statistics on page 3103 Table 348 on page 3102 lists the output fields for the show ripng statistics command. Output fields are listed in the approximate order in which they appear.

Table 348: show ripng statistics Output Fields Field Name

Field Description

RIPng info

Information about RIPng on the specified interface:

3102

•

port—UDP port number used for RIP.

•

holddown—Hold-down interval, in seconds.

•

rts learned—Number of routes learned through RIP.

•

rts held down—Number of routes held down by RIP.

•

rqsts dropped—Number of received request packets that were dropped.

•

resps dropped—Number of received response packets that were dropped.

•

restart—Graceful restart status. Displayed when RIPng is or has been in the process of graceful restart.



Table 348: show ripng statistics Output Fields (continued) Field Name

Field Description

logical-interface

Name of the logical interface and its statistics:

Counter

•

routes learned—Number of routes learned on the logical interface.

•

routes advertised—Number of routes advertised by the logical interface.

•

timeout—Timeout interval, in seconds.

•

update interval—Interval between routing table updates, in seconds.

List of counter types: •

Updates Sent—Number of update messages sent.

•

Triggered Updates Sent—Number of triggered update messages sent.

•

Responses Sent—Number of response messages sent.

•

Bad Messages—Number of invalid messages received.

•

Updates Received—Number of RIPng update messages received.

•

Bad Route Entries—Number of RIPng invalid route entry messages received.

•

Updates Ignored—Number of RIPng update messages ignored.

•

RIPng Requests Received—Number of RIPng request messages received.

•

RIPng Requests Ignored—Number of RIPng request messages ignored.

Total

Total number of packets for the selected counter.

Last 5 min


Last minute


Sample Output show ripng statistics

user@host> show ripng statistics RIPng info: port 521; holddown 120s; rts learned rts held down rqsts dropped 0 0 0

resps dropped 0

so-0/1/3.0: 0 routes learned; 1 routes advertised; timeout 180s; update interval 20s Counter Total Last 5 min Last minute ----------------- ----------- ----------Updates Sent 934 16 4 Triggered Updates Sent 1 0 0 Responses Sent 0 0 0 Bad Messages 0 0 0 Updates Received 0 0 0 Bad Route Entries 0 0 0 Updates Ignored 0 0 0 RIPng Requests Received 0 0 0 RIPng Requests Ignored 0 0 0


3103

®


show route Syntax


Release Information

Description Options

show route show route

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. private option introduced in Junos OS Release 9.5. private option introduced in Junos OS Release 9.5 for EX Series switches. Display the active entries in the routing tables. none—Display brief information about all active entries in the routing tables. all—(Optional) Display information about all routing tables, including private, or internal,

routing tables. destination-prefix—(Optional) Display active entries for the specified address or range

of addresses. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. private—(Optional) Display information only about all private, or internal, routing tables.


Output Fields

view

show route on page 3106 show route destination-prefix on page 3107 show route extensive on page 3107 Table 349 on page 3104 describes the output fields for the show route command. Output fields are listed in the approximate order in which they appear.

Table 349: show route Output Fields Field Name

Field Description

routing-table-name

Name of the routing table (for example, inet.0).

number destinations

Number of destinations for which there are routes in the routing table.

3104



Table 349: show route Output Fields (continued) Field Name

Field Description

number routes

Number of routes in the routing table and total number of routes in the following states: •

active (routes that are active).

•

holddown (routes that are in the pending state before being declared inactive). A holddown route

was once the active route and is no longer the active route. The route is in the holddown state because a protocol still has interest in the route, meaning that the interest bit is set. A protocol might have its interest bit set on the previously active route because the protocol is still advertising the route. The route will be deleted after all protocols withdraw their advertisement of the route and remove their interest bit. A persistent holddown state often means that the interested protocol is not releasing its interest bit properly. However, if you have configured advertisement of multiple routes (with the add-path or advertise-inactive statement), the holddown bit is most likely set because BGP is advertising the route as an active route. In this case, you can ignore the holddown state because nothing is wrong. •

destination-prefix

hidden (routes that are not used because of a routing policy).

Route destination (for example:10.0.0.1/24). Sometimes the route information is presented in another format, such as: •

MPLS-label (for example, 80001).

•

interface-name (for example, ge-1/0/2).

•

neighbor-address:control-word-status:encapsulation type:vc-id :source (Layer 2 circuit only; for example, 10.1.1.195:NoCtrlWord:1:1:Local/96): •

neighbor-address—Address of the neighbor.

•

control-word-status—Whether the use of the control word has been negotiated for this virtual circuit: NoCtrlWord or CtrlWord.

•

encapsulation type—Type of encapsulation, represented by a number: (1) Frame Relay DLCI, (2)

ATM AAL5 VCC transport, (3) ATM transparent cell transport, (4) Ethernet, (5) VLAN Ethernet, (6) HDLC, (7) PPP, (8) ATM VCC cell transport, (10) ATM VPC cell transport.

[ protocol, preference ]

•

vc-id—Virtual circuit identifier.

•

source—Source of the advertisement: Local or Remote.

Protocol from which the route was learned and the preference value for the route. •

+—A plus sign indicates the active route, which is the route installed from the routing table into the

forwarding table. •

- —A hyphen indicates the last active route.

•

*—An asterisk indicates that the route is both the active and the last active route. An asterisk before a to line indicates the best subpath to the route.

In every routing metric except for the BGP LocalPref attribute, a lesser value is preferred. In order to use common comparison routines, Junos OS stores the 1's complement of the LocalPref value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is -156. Route 2 is preferred because it has a higher LocalPref value and a lower Preference2 value. weeks:days hours:minutes:seconds

How long the route been known (for example, 2w4d 13:11:14, or 2 weeks, 4 days, 13 hours, 11 minutes, and 14 seconds).

metric

Cost value of the indicated route. For routes within an AS, the cost is determined by IGP and the individual protocol metrics. For external routes, destinations, or routing domains, the cost is determined by a preference value.


3105

®


Table 349: show route Output Fields (continued) Field Name

Field Description

localpref

Local preference value included in the route.

from

Interface from which the route was received.

AS path

AS path through which the route was learned. The letters at the end of the AS path indicate the path origin, providing an indication of the state of the route at the point at which the AS path originated: •

I—IGP.

•

E—EGP.

•

?—Incomplete; typically, the AS path was aggregated.

When AS path numbers are included in the route, the format is as follows: •

[ ]—Brackets enclose the local AS number associated with the AS path if more than one AS number

is configured on the routing device, or if AS path prepending is configured. •

{ }—Braces enclose AS sets, which are groups of AS numbers in which the order does not matter.

A set commonly results from route aggregation. The numbers in each AS set are displayed in ascending order. •

( )—Parentheses enclose a confederation.

•

( [ ] )—Parentheses and brackets enclose a confederation set.

NOTE: In Junos OS Release 10.3 and later, the AS path field displays an unrecognized attribute and associated hexadecimal value if BGP receives attribute 128 (attribute set) and you have not configured an independent domain in any routing instance. to

Next hop to the destination. An angle bracket (>) indicates that the route is the selected route.

via

Interface used to reach the next hop. If there is more than one interface available to the next hop, the interface that is actually used is followed by the word Selected. This field can also contain the following information: •

Weight—Value used to distinguish primary, secondary, and fast reroute backup routes. Weight

information is available when MPLS label-switched path (LSP) link protection, node-link protection, or fast reroute is enabled, or when the standby state is enabled for secondary paths. A lower weight value is preferred. Among routes with the same weight value, load balancing is possible. •

Balance—Balance coefficient indicating how traffic of unequal cost is distributed among next hops

when a routing device is performing unequal-cost load balancing. This information is available when you enable BGP multipath load balancing. •

lsp-path-name—Name of the LSP used to reach the next hop.

•

label-action—MPLS label and operation occurring at the next hop. The operation can be pop (where a label is removed from the top of the stack), push (where another label is added to the label stack), or swap (where a label is replaced by another label).

Sample Output show route

3106

user@host> show route inet.0: 10 destinations, 10 routes (9 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 1w5d 20:30:29 Discard 10.255.245.51/32 *[Direct/0] 2w4d 13:11:14 > via lo0.0



172.16.0.0/12 192.168.0.0/18 192.168.40.0/22 192.168.64.0/18 192.168.164.0/22 192.168.164.51/32 207.17.136.192/32

*[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via *[Static/5] 1w5d 20:30:29 > to 192.168.167.254 via *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via *[Direct/0] 2w4d 13:11:14 > via fxp0.0 *[Local/0] 2w4d 13:11:14 Local via fxp0.0 *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via

fxp0.0 fxp0.0 fxp0.0 fxp0.0

fxp0.0

green.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 100.101.0.0/16 *[Direct/0] 1w5d 20:30:28 > via fe-0/0/3.0 100.101.2.3/32 *[Local/0] 1w5d 20:30:28 Local via fe-0/0/3.0 224.0.0.5/32 *[OSPF/10] 1w5d 20:30:29, metric 1 MultiRecv red.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.10.10.10/32 *[Direct/0] 01:08:46 > via lo0.1 10.255.245.212/32 *[BGP/170] 00:01:40, localpref 100, from 10.255.245.204 AS path: 300 I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix 10.255.245.213/32 *[BGP/170] 00:40:47, localpref 100 AS path: 100 I > to 100.1.1.1 via so-0/0/1.0

show route destination-prefix

user@host> show route 172.16.0.0/12 inet.0: 10 destinations, 10 routes (9 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 172.16.0.0/12

show route extensive

*[Static/5] 2w4d 12:54:27 > to 192.168.167.254 via fxp0.0

user@host> show route extensive inet.0: 335844 destinations, 335845 routes (335395 active, 0 holddown, 450 hidden) 1.9.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 1.9.0.0/16 -> {indirect(342)} Page 0 idx 1 Type 1 val db31a80 Nexthop: Self AS path: [69] 10458 14203 2914 4788 4788 I Communities: 2914:410 2914:2403 2914:3400 Path 1.9.0.0 from 192.168.69.71 Vector len 4. Val: 1 *BGP Preference: 170/-101 Next hop type: Indirect Next-hop reference count: 1006553 Source: 192.168.69.71 Next hop type: Router, Next hop index: 324 Next hop: 192.168.167.254 via fxp0.0, selected Protocol next hop: 192.168.69.71 Indirect next hop: 8e166c0 342


3107

®


State: Local AS: 69 Peer AS: 10458 Age: 6d 10:58:10 Metric2: 0 Task: BGP_10458.192.168.69.71+179 Announcement bits (3): 0-KRT 2-BGP RT Background 3-Resolve tree 1 AS path: 10458 14203 2914 4788 4788 I Communities: 2914:410 2914:2403 2914:3400 Accepted Localpref: 100 Router ID: 207.17.136.192 Indirect next hops: 1 Protocol next hop: 192.168.69.71 Indirect next hop: 8e166c0 342 Indirect path forwarding next hops: 1 Next hop type: Router Next hop: 192.168.167.254 via fxp0.0 192.168.0.0/16 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 1 Nexthop: 192.168.167.254 via fxp0.0

3108



show route active-path Syntax


Description

Options

show route active-path show route active-path

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. Display all active routes for destinations. An active route is a route that is selected as the best path. Inactive routes are not displayed. none—Display all active routes. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show route active-path on page 3109 show route active-path brief on page 3110 show route active-path detail on page 3110 show route active-path extensive on page 3111 show route active-path terse on page 3112 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route active-path

user@host> show route active-path inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 10.255.70.19/32 10.255.71.50/32 100.1.2.0/24 100.1.2.2/32 192.168.64.0/21


*[Direct/0] 21:33:52 > via lo0.0 *[IS-IS/15] 00:18:13, metric 10 > to 100.1.2.1 via so-2/1/3.0 *[Direct/0] 00:18:36 > via so-2/1/3.0 *[Local/0] 00:18:41 Local via so-2/1/3.0 *[Direct/0] 21:33:52 > via fxp0.0

3109

®


192.168.70.19/32

*[Local/0] 21:33:52 Local via fxp0.0

show route active-path brief

The output for the show route active-path brief command is identical to that for the show route active-path command. For sample output, see show route active-path on page 3109.

show route active-path detail

user@host> show route active-path detail inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden) 10.255.70.19/32 (1 entry, 1 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 3 Next hop: via lo0.0, selected State: ‹Active Int› Local AS: 200 Age: 21:37:10 Task: IF Announcement bits (3): 2-IS-IS 5-Resolve tree 2 6-Resolve tree 3 AS path: I 10.255.71.50/32 (1 entry, 1 announced) *IS-IS Preference: 15 Level: 1 Next hop type: Router, Next hop index: 397 Next-hop reference count: 4 Next hop: 100.1.2.1 via so-2/1/3.0, selected State: ‹Active Int› Local AS: 200 Age: 21:31 Metric: 10 Task: IS-IS Announcement bits (4): 0-KRT 2-IS-IS 5-Resolve tree 2 6-Resolve tree 3 AS path: I 100.1.2.0/24 (1 entry, 1 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 3 Next hop: via so-2/1/3.0, selected State: ‹Active Int› Local AS: 200 Age: 21:54 Task: IF Announcement bits (3): 2-IS-IS 5-Resolve tree 2 6-Resolve tree 3 AS path: I 100.1.2.2/32 (1 entry, 1 announced) *Local Preference: 0 Next hop type: Local Next-hop reference count: 11 Interface: so-2/1/3.0 State: ‹Active NoReadvrt Int› Local AS: 200 Age: 21:59 Task: IF Announcement bits (2): 5-Resolve tree 2 6-Resolve tree 3

3110



AS path: I 192.168.64.0/21 (1 entry, 1 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 3 Next hop: via fxp0.0, selected State: ‹Active Int› Local AS: 200 Age: 21:37:10 Task: IF Announcement bits (2): 5-Resolve tree 2 6-Resolve tree 3 AS path: I 192.168.70.19/32 (1 entry, 1 announced) *Local Preference: 0 Next hop type: Local Next-hop reference count: 11 Interface: fxp0.0 State: ‹Active NoReadvrt Int› Local AS: 200 Age: 21:37:10 Task: IF Announcement bits (2): 5-Resolve tree 2 6-Resolve tree 3 AS path: I

show route active-path extensive

user@host> show route active-path extensive inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden) 10.255.70.19/32 (1 entry, 1 announced) TSI: IS-IS level 1, LSP fragment 0 IS-IS level 2, LSP fragment 0 *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 3 Next hop: via lo0.0, selected State: ‹Active Int› Local AS: 200 Age: 21:39:47 Task: IF Announcement bits (3): 2-IS-IS 5-Resolve tree 2 6-Resolve tree 3 AS path: I 10.255.71.50/32 (1 entry, 1 announced) TSI: KRT in-kernel 10.255.71.50/32 -> {100.1.2.1} IS-IS level 2, LSP fragment 0 *IS-IS Preference: 15 Level: 1 Next hop type: Router, Next hop index: 397 Next-hop reference count: 4 Next hop: 100.1.2.1 via so-2/1/3.0, selected State: ‹Active Int› Local AS: 200 Age: 24:08 Metric: 10 Task: IS-IS Announcement bits (4): 0-KRT 2-IS-IS 5-Resolve tree 2 6-Resolve tree 3 AS path: I


3111

®


100.1.2.0/24 (1 entry, 1 announced) TSI: IS-IS level 1, LSP fragment 0 IS-IS level 2, LSP fragment 0 *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 3 Next hop: via so-2/1/3.0, selected State: ‹Active Int› Local AS: 200 Age: 24:31 Task: IF Announcement bits (3): 2-IS-IS 5-Resolve tree 2 6-Resolve tree 3 AS path: I 100.1.2.2/32 (1 entry, 1 announced) *Local Preference: 0 Next hop type: Local Next-hop reference count: 11 Interface: so-2/1/3.0 State: ‹Active NoReadvrt Int› Local AS: 200 Age: 24:36 Task: IF Announcement bits (2): 5-Resolve tree 2 6-Resolve tree 3 AS path: I 192.168.64.0/21 (1 entry, 1 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 3 Next hop: via fxp0.0, selected State: ‹Active Int› Local AS: 200 Age: 21:39:47 Task: IF Announcement bits (2): 5-Resolve tree 2 6-Resolve tree 3 AS path: I 192.168.70.19/32 (1 entry, 1 announced) *Local Preference: 0 Next hop type: Local Next-hop reference count: 11 Interface: fxp0.0 State: ‹Active NoReadvrt Int› Local AS: 200 Age: 21:39:47 Task: IF Announcement bits (2): 5-Resolve tree 2 6-Resolve tree 3 AS path: I

show route active-path terse

user@host> show route active-path terse inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A Destination * 10.255.70.19/32

3112

P Prf D 0

Metric 1

Metric 2

Next hop >lo0.0

AS path



* * * * *

10.255.71.50/32 100.1.2.0/24 100.1.2.2/32 192.168.64.0/21 192.168.70.19/32


I D L D L

15 0 0 0 0

10

>100.1.2.1 >so-2/1/3.0 Local >fxp0.0 Local

3113

®


show route all Syntax


Description

Options

show route all show route all

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about all routes in all routing tables, including private, or internal, tables. none—Display information about all routes in all routing tables, including private, or

internal, tables. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show route all on page 3114 In Junos OS Release 9.5 and later, only the output fields for the show route all command display all routing tables, including private, or hidden, routing tables. The output field table of the show route command does not display entries for private, or hidden, routing tables in Junos OS Release 9.5 and later.

Sample Output show route all

The following example displays a snippet of output from the show route command and then displays the same snippet of output from the show route all command: user@host> show route mpls.0: 7 destinations, 7 routes (5 active, 0 holddown, 2 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 0 *[MPLS/0] 2d 02:24:39, metric 1 Receive 1 *[MPLS/0] 2d 02:24:39, metric 1 Receive 2 *[MPLS/0] 2d 02:24:39, metric 1 Receive 800017 *[VPLS/7] 1d 14:00:16 > via vt-3/2/0.32769, Pop 800018 *[VPLS/7] 1d 14:00:26 > via vt-3/2/0.32772, Pop user@host> show route all mpls.0: 7 destinations, 7 routes (5 active, 0 holddown, 2 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 0 *[MPLS/0] 2d 02:19:12, metric 1

3114



1 2 800017 800018 vt-3/2/0.32769 vt-3/2/0.32772


Receive *[MPLS/0] 2d 02:19:12, Receive *[MPLS/0] 2d 02:19:12, Receive *[VPLS/7] 1d 13:54:49 > via vt-3/2/0.32769, *[VPLS/7] 1d 13:54:59 > via vt-3/2/0.32772, [VPLS/7] 1d 13:54:49 Unusable [VPLS/7] 1d 13:54:59 Unusable

metric 1 metric 1

Pop Pop

3115

®


show route aspath-regex Syntax


Description

Options

show route aspath-regex regular-expression show route aspath-regex regular-expression

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the entries in the routing table that match the specified autonomous system (AS) path regular expression. regular-expression—Regular expression that matches an entire AS path. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


You can specify a regular expression as: •

An individual AS number

•

A period wildcard used in place of an AS number

•

An AS path regular expression that is enclosed in parentheses

You also can include the operators described in the table of AS path regular expression operators in the Junos Policy Framework Configuration Guide. The following list summarizes these operators: •

{m,n}—At least m and at most n repetitions of the AS path term.

•

{m}—Exactly m repetitions of the AS path term.

•

{m,}—m or more repetitions of the AS path term.

•

*—Zero or more repetitions of an AS path term.

•

+—One or more repetitions of an AS path term.

•

?—Zero or one repetition of an AS path term.

•

aspath_term | aspath_term—Match one of the two AS path terms.

When you specify more than one AS number or path term, or when you include an operator in the regular expression, enclose the entire regular expression in quotation marks. For example, to match any path that contains AS number 234, specify the following command: show route aspath-regex ".* 234 .*"


3116

view




Output Fields

show route aspath-regex (Matching a Specific AS Number) on page 3117 show route aspath-regex (Matching Any Path with Two AS Numbers) on page 3117 For information about output fields, see the output field table for the show route command.

Sample Output show route aspath-regex (Matching a Specific AS Number)

user@host> show route aspath-regex 65477 inet.0: 46411 destinations, 46411 routes (46409 active, 0 holddown, 2 hidden) + = Active Route, - = Last Active, * = Both 111.222.1.0/25

111.222.1.128/25

*[BGP/170] 00:08:48, localpref 100, from 111.222.2.24 AS Path: [65477] ({65488 65535}) IGP to 111.222.18.225 via fpa0.0(111.222.18.233) *[IS-IS/15] 09:15:37, metric 37, tag 1 to 111.222.18.225 via fpa0.0(111.222.18.233) [BGP/170] 00:08:48, localpref 100, from 111.222.2.24 AS Path: [65477] ({65488 65535}) IGP to 111.222.18.225 via fpa0.0(111.222.18.233)

...

show route aspath-regex (Matching Any Path with Two AS Numbers)

user@host> show route aspath-regex ?.* 234 3561 .*? inet.0: 46351 destinations, 46351 routes (46349 active, 0 holddown, 2 hidden) + = Active Route, - = Last Active, * = Both 9.20.0.0/17

12.10.231.0/24

24.64.32.0/19

*[BGP/170] 01:35:00, localpref 100, from 131.103.20.49 AS Path: [666] 234 3561 2685 2686 Incomplete to 192.156.169.1 via 192.156.169.14(so-0/0/0) *[BGP/170] 01:35:00, localpref 100, from 131.103.20.49 AS Path: [666] 234 3561 5696 7369 IGP to 192.156.169.1 via 192.156.169.14(so-0/0/0) *[BGP/170] 01:34:59, localpref 100, from 131.103.20.49 AS Path: [666] 234 3561 6327 IGP to 192.156.169.1 via 192.156.169.14(so-0/0/0)

...


3117

®


show route best Syntax


Description

Options

show route best destination-prefix show route best destination-prefix

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the route in the routing table that is the best route to the specified address or range of addresses. The best route is the longest matching route. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. destination-prefix—Address or range of addresses. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show route best on page 3118 show route best detail on page 3119 show route best extensive on page 3119 show route best terse on page 3120 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route best

user@host> show route best 10.255.70.103 inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.255.70.103/32 *[OSPF/10] 1d 13:19:20, metric 2 > to 10.31.1.6 via ge-3/1/0.0 via so-0/3/0.0 inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.255.70.103/32 *[RSVP/7] 1d 13:20:13, metric 2 > via so-0/3/0.0, label-switched-path green-r1-r3 private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.0.0/8 *[Direct/0] 2d 01:43:34

3118



> via fxp2.0 [Direct/0] 2d 01:43:34 > via fxp1.0

show route best detail

user@host> show route best 10.255.70.103 detail inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete 10.255.70.103/32 (1 entry, 1 announced) *OSPF Preference: 10 Next-hop reference count: 9 Next hop: 10.31.1.6 via ge-3/1/0.0, selected Next hop: via so-0/3/0.0 State: Local AS: 69 Age: 1d 13:20:06 Metric: 2 Area: 0.0.0.0 Task: OSPF Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103/32 (1 entry, 1 announced) State: *RSVP Preference: 7 Next-hop reference count: 5 Next hop: via so-0/3/0.0 weight 0x1, selected Label-switched-path green-r1-r3 Label operation: Push 100016 State: Local AS: 69 Age: 1d 13:20:59 Metric: 2 Task: RSVP Announcement bits (1): 1-Resolve tree 2 AS path: I private1__inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) 10.0.0.0/8 (2 entries, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via fxp2.0, selected State: Age: 2d 1:44:20 Task: IF AS path: I Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via fxp1.0, selected State: Inactive reason: No difference Age: 2d 1:44:20 Task: IF AS path: I

show route best extensive

The output for the show route best extensive command is identical to that for the show route best detail command. For sample output, see show route best detail on page 3119.


3119

®


show route best terse

user@host> show route best 10.255.70.103 terse inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both A Destination * 10.255.70.103/32

P Prf O 10

Metric 1 2

Metric 2

Next hop >10.31.1.6 so-0/3/0.0

AS path

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both A Destination * 10.255.70.103/32

P Prf R 7

Metric 1 2

Metric 2

Next hop >so-0/3/0.0

AS path

private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both A Destination * 10.0.0.0/8

3120

P Prf D 0 D 0

Metric 1

Metric 2

Next hop >fxp2.0 >fxp1.0

AS path



show route brief Syntax


show route brief show route brief

Release Information


Description

Display brief information about the active entries in the routing tables.

Options

none—Display all active entries in the routing table. destination-prefix—(Optional) Display active entries for the specified address or range



view

show route brief on page 3121 For information about output fields, see the Output Field table of the show route command.

Sample Output show route brief

user@host> show route brief inet.0: 10 destinations, 10 routes (9 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 10.255.245.51/32 172.16.0.0/12 192.168.0.0/18 192.168.40.0/22 192.168.64.0/18 192.168.164.0/22 192.168.164.51/32 207.17.136.192/32


*[Static/5] 1w5d 20:30:29 Discard *[Direct/0] 2w4d 13:11:14 > via lo0.0 *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via *[Static/5] 1w5d 20:30:29 > to 192.168.167.254 via *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via *[Direct/0] 2w4d 13:11:14 > via fxp0.0 *[Local/0] 2w4d 13:11:14 Local via fxp0.0 *[Static/5] 2w4d 13:11:14 > to 192.168.167.254 via

fxp0.0 fxp0.0 fxp0.0 fxp0.0

fxp0.0

3121

®


green.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 100.101.0.0/16 *[Direct/0] 1w5d 20:30:28 > via fe-0/0/3.0 100.101.2.3/32 *[Local/0] 1w5d 20:30:28 Local via fe-0/0/3.0 224.0.0.5/32 *[OSPF/10] 1w5d 20:30:29, metric 1 MultiRecv

3122



show route community Syntax

show route community as-number:community-value


show route community as-number:community-value

Release Information


Description

Display the route entries in each routing table that are members of a Border Gateway Protocol (BGP) community.

Options

as-number:community-value—One or more community identifiers. as-number is the AS

number, and community-value is the community identifier. When you specify more than one community identifier, enclose the identifiers in double quotation marks. Community identifiers can include wildcards. brief | detail | extensive | terse—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical



Specifying the community option displays all routes matching the community found within the routing table. The community option does not limit the output to only the routes being advertised to the neighbor after any egress routing policy. view

•

show route detail on page 3132

show route community on page 3123 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route community

user@host> show route community 234:80 inet.0: 46511 destinations, 46511 routes (46509 active, 0 holddown, 2 hidden) + = Active Route, - = Last Active, * = Both 4.0.0.0/8

6.0.0.0/8


*[BGP/170] 03:33:07, localpref 100, from 131.103.20.49 AS Path: {666} 234 2548 1 IGP to 192.156.169.1 via 192.156.169.14(so-0/0/0) *[BGP/170] 03:33:07, localpref 100, from 131.103.20.49 AS Path: {666} 234 2548 568 721 Incomplete

3123

®


9.2.0.0/16

3124

to 192.156.169.1 via 192.156.169.14(so-0/0/0) *[BGP/170] 03:33:06, localpref 100, from 131.103.20.49 AS Path: {666} 234 2548 1673 1675 1747 IGP to 192.156.169.1 via 192.156.169.14(so-0/0/0)



show route community-name Syntax

show route community-name community-name


show route community-name community-name

Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the route entries in each routing table that are members of a Border Gateway Protocol (BGP) community, specified by a community name. community-name—Name of the community. brief | detail | extensive | terse—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show route community-name on page 3125 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route community-name

user@host> show route community-name red-com inet.0: 17 destinations, 17 routes (16 active, 0 holddown, 1 hidden) inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) instance1.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) red.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.255.245.212/32

20.20.20.20/32

100.1.4.0/24

*[BGP/170] 00:04:40, localpref 100, from 10.255.245.204 AS path: 300 I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix *[BGP/170] 00:04:40, localpref 100, from 10.255.245.204 AS path: I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix *[BGP/170] 00:04:40, localpref 100, from 10.255.245.204 AS path: I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)


3125

®


mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) bgp.l3vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.255.245.204:10:10.255.245.212/32 *[BGP/170] 00:06:40, localpref 100, from 10.255.245.204 AS path: 300 I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix 10.255.245.204:10:20.20.20.20/32 *[BGP/170] 00:36:02, localpref 100, from 10.255.245.204 AS path: I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix 10.255.245.204:10:100.1.4.0/24 *[BGP/170] 00:36:02, localpref 100, from 10.255.245.204 AS path: I > to 100.1.2.2 via ge-1/1/0.0, label-switched-path to_fix inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) instance1.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

3126



show route damping Syntax

show route damping (decayed | history | suppressed)


show route damping (decayed | history | suppressed)

Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display the BGP routes for which updates might have been reduced because of route flap damping. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. decayed—Display route damping entries that might no longer be valid, but are not

suppressed. history—Display entries that have already been withdrawn, but have been logged. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. suppressed—Display entries that have been suppressed and are no longer being installed

into the forwarding table or exported by routing protocols. Required Privilege Level Related Documentation


Output Fields

view

•

clear bgp damping on page 2944

•


show route damping decayed detail on page 3130 show route damping history on page 3130 show route damping history detail on page 3131 Table 350 on page 3127 lists the output fields for the show route damping command. Output fields are listed in the approximate order in which they appear.

Table 350: show route damping Output Fields Field Name

Field Description

Level of Output

routing-table-name

Name of the routing table—for example, inet.0.

All levels

destinations


All levels


3127

®


Table 350: show route damping Output Fields (continued) Field Name

Field Description

Level of Output

number routes

Number of routes in the routing table and total number of routes in the following states:

All levels

•

active

•

holddown (routes that are in a pending state before being declared inactive)

•

hidden (the routes are not used because of a routing policy)

destination-prefix (entry, announced)

Destination prefix. The entry value is the number of routes for this destination, and the announced value is the number of routes being announced for this destination.

detail extensive

[protocol, preference]

Protocol from which the route was learned and the preference value for the route.

All levels

•

+—A plus sign indicates the active route, which is the route installed from the

routing table into the forwarding table. •


•


In every routing metric except for the BGP LocalPref attribute, a lesser value is preferred. In order to use common comparison routines, Junos OS stores the 1's complement of the LocalPref value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is -156. Route 2 is preferred because it has a higher LocalPref value and a lower Preference2 value. Next-hop reference count

Number of references made to the next hop.

detail extensive

Source

IP address of the route source.

detail extensive

Next hop

Network layer address of the directly reachable neighboring system.

detail extensive

via

Interface used to reach the next hop. If there is more than one interface available to the next hop, the interface that is actually used is followed by the word Selected.

detail extensive

Protocol next hop

Network layer address of the remote routing device that advertised the prefix. This address is used to derive a forwarding next hop.

detail extensive

Indirect next hop

Index designation used to specify the mapping between protocol next hops, tags, kernel export policy, and the forwarding next hops.

detail extensive

State

Flags for this route. For a description of possible values for this field, see the output field table for the show route detail command.

detail extensive

Local AS

AS number of the local routing device.

detail extensive

Peer AS

AS number of the peer routing device.

detail extensive

3128




Field Description

Level of Output

Age

How long the route has been known.

detail extensive

Metric

Metric for the route.

detail extensive

Task

Name of the protocol that has added the route.

detail extensive

Announcement bits

List of protocols that announce this route. n-Resolve inet indicates that the route is used for route resolution for next hops found in the routing table. n is an index used by Juniper Networks customer support only.

detail extensive

AS path

AS path through which the route was learned. The letters at the end of the AS path indicate the path origin, providing an indication of the state of the route at the point at which the AS path originated:

All levels

•

I—IGP.

•

E—EGP.

•



[ ]—Brackets enclose the local AS number associated with the AS path if

more than one AS number is configured on the routing device or if AS path prepending is configured. •

{ }—Braces enclose AS sets, which are groups of AS numbers in which the

order does not matter. A set commonly results from route aggregation. The numbers in each AS set are displayed in ascending order. •


•


NOTE: In Junos OS Release 10.3 and later, the AS path field displays an unrecognized attribute and associated hexadecimal value if BGP receives attribute 128 (attribute set) and you have not configured an independent domain in any routing instance. to


brief none

via

Interface used to reach the next hop. If there is more than one interface available to the next hop, the interface that is actually used is followed by the word Selected.

brief none

Communities

Community path attribute for the route. See the output field table for the show route detail command.

detail extensive

Localpref


All levels

Router ID

BGP router ID as advertised by the neighbor in the open message.

detail extensive

Merit (last update/now)

Last updated and current figure-of-merit value.

detail extensive


3129

®



Field Description

Level of Output

damping-parameters

Name that identifies the damping parameters used, which is defined in the damping statement at the [edit policy-options] hierarchy level.

detail extensive

Last update

Time of most recent change in path attributes.

detail extensive

First update

Time of first change in path attributes, which started the route damping process.

detail extensive

Flaps

Number of times the route has gone up or down or its path attributes have changed.

detail extensive

Suppressed

(suppressed keyword only) This route is currently suppressed. A suppressed route does not appear in the forwarding table and routing protocols do not export it.

All levels

Reusable in

(suppressed keyword only) Time when a suppressed route will again be available.

All levels

Preference will be

(suppressed keyword only) Preference value that will be applied to the route when it is again active.

All levels

Sample Output show route damping decayed detail

user@host> show route damping decayed detail inet.0: 173319 destinations, 1533668 routes (172625 active, 4 holddown, 108083 hidden) 10.0.111.0/24 (7 entries, 1 announced) *BGP Preference: 170/-101 Next-hop reference count: 151973 Source: 172.23.2.129 Next hop: via so-1/2/0.0 Next hop: via so-5/1/0.0, selected Next hop: via so-6/0/0.0 Protocol next hop: 172.23.2.129 Indirect next hop: 89a1a00 264185 State: Local AS: 65000 Peer AS: 65490 Age: 3:28 Metric2: 0 Task: BGP_65490.172.23.2.129+179 Announcement bits (6): 0-KRT 1-RT 4-KRT 5-BGP.0.0.0.0+179 6-Resolve tree 2 7-Resolve tree 3 AS path: 65490 65520 65525 65525 65525 65525 I () Communities: 65501:390 65501:2000 65501:3000 65504:701 Localpref: 100 Router ID: 172.23.2.129 Merit (last update/now): 1934/1790 damping-parameters: damping-high Last update: 00:03:28 First update: 00:06:40 Flaps: 2

show route damping history

3130

user@host> show route damping history inet.0: 173320 destinations, 1533529 routes (172624 active, 6 holddown, 108122 hidden)



+ = Active Route, - = Last Active, * = Both 10.108.0.0/15

show route damping history detail

[BGP ] 2d 22:47:58, localpref 100 AS path: 65220 65501 65502 I > to 192.168.60.85 via so-3/1/0.0

user@host> show route damping history detail inet.0: 173319 destinations, 1533435 routes (172627 active, 2 holddown, 108105 hidden) 10.108.0.0/15 (3 entries, 1 announced) BGP /-101 Next-hop reference count: 69058 Source: 192.168.60.85 Next hop: 192.168.60.85 via so-3/1/0.0, selected State: Inactive reason: Unusable path Local AS: 65000 Peer AS: 65220 Age: 2d 22:48:10 Task: BGP_65220.192.168.60.85+179 AS path: 65220 65501 65502 I () Communities: 65501:390 65501:2000 65501:3000 65504:3561 Localpref: 100 Router ID: 192.168.80.25 Merit (last update/now): 1000/932 damping-parameters: set-normal Last update: 00:01:05 First update: 00:01:05 Flaps: 1


3131

®


show route detail Syntax

show route detail


show route detail

Release Information


Description

Display detailed information about the active entries in the routing tables.

Options

none—Display all active entries in the routing table on all systems. destination-prefix—(Optional) Display active entries for the specified address or range



view


show route detail on page 3141 show route detail (with BGP Multipath) on page 3146

Output Fields

Table 351 on page 3132 describes the output fields for the show route detail command. Output fields are listed in the approximate order in which they appear.

Table 351: show route detail Output Fields Field Name

Field Description

routing-table-name


number destinations


number routes

Number of routes in the routing table and total number of routes in the following states:

3132

•

active (routes that are active)

•

holddown (routes that are in the pending state before being declared inactive)

•

hidden (routes that are not used because of a routing policy)



Table 351: show route detail Output Fields (continued) Field Name

Field Description

route-destination (entry, announced)

Route destination (for example:10.0.0.1/24). The entry value is the number of routes for this destination, and the announced value is the number of routes being announced for this destination. Sometimes the route destination is presented in another format, such as: •

MPLS-label (for example, 80001).

•

interface-name (for example, ge-1/0/2).

•

neighbor-address:control-word-status:encapsulation type:vc-id:source (Layer 2 circuit only; for example, 10.1.1.195:NoCtrlWord:1:1:Local/96).

•


•


•


ATM AAL5 VCC transport, (3) ATM transparent cell transport, (4) Ethernet, (5) VLAN Ethernet, (6) HDLC, (7) PPP, (8) ATM VCC cell transport, (10) ATM VPC cell transport

label stacking

•


•


(Next-to-the-last-hop routing device for MPLS only) Depth of the MPLS label stack, where the

label-popping operation is needed to remove one or more labels from the top of the stack. A pair of routes is displayed, because the pop operation is performed only when the stack depth is two or more labels. •

S=0 route indicates that a packet with an incoming label stack depth of 2 or more exits this routing

device with one fewer label (the label-popping operation is performed). •


If there is no S= information, the route is a normal MPLS route, which has a stack depth of 1 (the label-popping operation is not performed).





•


In every routing metric except for the BGP LocalPref attribute, a lesser value is preferred. In order to use common comparison routines, Junos OS stores the 1's complement of the LocalPref value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is -156. Route 2 is preferred because it has a higher LocalPref value and a lower Preference2 value. Level

(IS-IS only). In IS-IS, a single AS can be divided into smaller groups called areas. Routing between areas is organized hierarchically, allowing a domain to be administratively divided into smaller areas. This organization is accomplished by configuring Level 1 and Level 2 intermediate systems. Level 1 systems route within an area; when the destination is outside an area, they route toward a Level 2 system. Level 2 intermediate systems route between areas and toward other ASs.

Route Distinguisher

IP subnet augmented with a 64-bit prefix.

Next-hop type

Type of next hop. For a description of possible values for this field, see Table 352 on page 3136.


3133

®



Field Description

Next-hop reference count


Flood nexthop branches exceed maximum

Indicates that the number of flood next-hop branches exceeded the system limit of 32 branches, and only a subset of the flood next-hop branches were installed in the kernel.

message Source


Next hop


via

Interface used to reach the next hop. If there is more than one interface available to the next hop, the name of the interface that is actually used is followed by the word Selected. This field can also contain the following information: •

Weight—Value used to distinguish primary, secondary, and fast reroute backup routes. Weight information is available when MPLS label-switched path (LSP) link protection, node-link protection, or fast reroute is enabled, or when the standby state is enabled for secondary paths. A lower weight value is preferred. Among routes with the same weight value, load balancing is possible.

•

Balance—Balance coefficient indicating how traffic of unequal cost is distributed among next hops when a routing device is performing unequal-cost load balancing. This information is available when you enable BGP multipath load balancing.

Label-switched-path lsp-path-name

Name of the LSP used to reach the next hop.

Label operation

MPLS label and operation occurring at this routing device. The operation can be pop (where a label is removed from the top of the stack), push (where another label is added to the label stack), or swap (where a label is replaced by another label).

Interface

(Local only) Local interface name.

Protocol next hop

Network layer address of the remote routing device that advertised the prefix. This address is used to derive a forwarding next hop.

Indirect next hop

Index designation used to specify the mapping between protocol next hops, tags, kernel export policy, and the forwarding next hops.

State

State of the route (a route can be in more than one state). See Table 353 on page 3138.

Local AS

AS number of the local routing device.

Age


AIGP

Accumulated interior gateway protocol (AIGP) BGP attribute.

Metricn


3134




Field Description

MED-plus-IGP

Metric value for BGP path selection to which the IGP cost to the next-hop destination has been added.

TTL-Action

For MPLS LSPs, state of the TTL propagation attribute. Can be enabled or disabled for all RSVP-signaled and LDP-signaled LSPs or for specific VRF routing instances. For sample output, see show route table.

Task


Announcement bits


AS path


I—IGP.

•

E—EGP.

•



[ ]—Brackets enclose the number that precedes the AS path. This number represents the number

of ASs present in the AS path, when calculated as defined in RFC 4271. This value is used in the AS-path merge process, as defined in RFC 4893. •

[ ]—If more than one AS number is configured on the routing device, or if AS path prepending is

configured, brackets enclose the local AS number associated with the AS path. •




•


NOTE: In Junos OS Release 10.3 and later, the AS path field displays an unrecognized attribute and associated hexadecimal value if BGP receives attribute 128 (attribute set) and you have not configured an independent domain in any routing instance. VC Label

MPLS label assigned to the Layer 2 circuit virtual connection.

MTU

Maximum transmission unit (MTU) of the Layer 2 circuit.

VLAN ID

VLAN identifier of the Layer 2 circuit.

Prefixes bound to route

Forwarding Equivalent Class (FEC) bound to this route. Applicable only to routes installed by LDP.

Communities

Community path attribute for the route. See Table 354 on page 3140 for all possible values for this field.

Layer2-info: encaps

Layer 2 encapsulation (for example, VPLS).

control flags

Control flags: none or Site Down.


3135

®



Field Description

mtu

Maximum transmission unit (MTU) information.

Label-Base, range

First label in a block of labels and label block size. A remote PE routing device uses this first label when sending traffic toward the advertising PE routing device.

status vector

Layer 2 VPN and VPLS network layer reachability information (NLRI).

Accepted Multipath

Current active path when BGP multipath is configured.

Accepted MultipathContrib

Path currently contributing to BGP multipath.

Localpref


Router ID


Primary Routing Table

In a routing table group, the name of the primary routing table in which the route resides.

Secondary Tables

In a routing table group, the name of one or more secondary tables in which the route resides.

Table 352 on page 3136 describes all possible values for the Next-hop Types output field.

Table 352: Next-hop Types Output Field Values

3136

Next-Hop Type

Description

Broadcast (bcast)

Broadcast next hop.

Deny

Deny next hop.

Discard

Discard next hop.

Flood

Flood next hop. Consists of components called branches, up to a maximum of 32 branches. Each flood next-hop branch sends a copy of the traffic to the forwarding interface. Used by P2MP RSVP, P2MP LDP, P2MP CCC, and multicast.

Hold

Next hop is waiting to be resolved into a unicast or multicast type.

Indexed (idxd)

Indexed next hop.

Indirect (indr)

Used with applications that have a protocol next hop address that is remote. You are likely to see this next-hop type for internal BGP (IBGP) routes when the BGP next hop is a BGP neighbor that is not directly connected.



Table 352: Next-hop Types Output Field Values (continued) Next-Hop Type

Description

Interface

Used for a network address assigned to an interface. Unlike the router next hop, the interface next hop does not reference any specific node on the network.

Local (locl)

Local address on an interface. This next-hop type causes packets with this destination address to be received locally.

Multicast (mcst)

Wire multicast next hop (limited to the LAN).

Multicast discard (mdsc)

Multicast discard.

Multicast group (mgrp)

Multicast group member.

Receive (recv)

Receive.

Reject (rjct)

Discard. An ICMP unreachable message was sent.

Resolve (rslv)

Resolving next hop.

Routed multicast (mcrt)

Regular multicast next hop.

Router

A specific node or set of nodes to which the routing device forwards packets that match the route prefix. To qualify as next-hop type router, the route must meet the following criteria: •

Must not be a direct or local subnet for the routing device.

•

Must have a next hop that is directly connected to the routing device.

Table

Routing table next hop.

Unicast (ucst)

Unicast.

Unilist (ulst)

List of unicast next hops. A packet sent to this next hop goes to any next hop in the list.


3137

®


Table 353 on page 3138 describes all possible values for the State output field. A route can be in more than one state (for example, ).

Table 353: State Output Field Values

3138

Value

Description

Accounting

Route needs accounting.

Active

Route is active.

Always Compare MED

Path with a lower multiple exit discriminator (MED) is available.

AS path

Shorter AS path is available.

Clone

Route is a clone.

Cisco Non-deterministic MED selection

Cisco nondeterministic MED is enabled and a path with a lower MED is available.

Cluster list length

Length of cluster list sent by the route reflector.

Delete

Route has been deleted.

Ex

Exterior route.

Ext

BGP route received from an external BGP neighbor.

FlashAll

Forces all protocols to be notified of a change to any route, active or inactive, for a prefix. When not set, protocols are informed of a prefix only when the active route changes.

Hidden

Route not used because of routing policy.

IfCheck

Route needs forwarding RPF check.

IGP metric

Path through next hop with lower IGP metric is available.

Inactive reason

Flags for this route, which was not selected as best for a particular destination.

Initial

Route being added.

Int

Interior route.

Int Ext

BGP route received from an internal BGP peer or a BGP confederation peer.

Interior > Exterior > Exterior via Interior

Direct, static, IGP, or EBGP path is available.



Table 353: State Output Field Values (continued) Value

Description

Local Preference

Path with a higher local preference value is available.

Martian

Route is a martian (ignored because it is obviously invalid).

MartianOK

Route exempt from martian filtering.

Next hop address

Path with lower metric next hop is available.

No difference

Path from neighbor with lower IP address is available.

NoReadvrt

Route not to be advertised.

NotBest

Route not chosen because it does not have the lowest MED.

Not Best in its group

Incoming BGP AS is not the best of a group (only one AS can be the best).

NotInstall

Route not to be installed in the forwarding table.

Number of gateways

Path with a greater number of next hops is available.

Origin

Path with a lower origin code is available.

Pending

Route pending because of a hold-down configured on another route.

Release

Route scheduled for release.

RIB preference

Route from a higher-numbered routing table is available.

Route Distinguisher

64-bit prefix added to IP subnets to make them unique.

Route Metric or MED comparison

Route with a lower metric or MED is available.

Route Preference

Route with lower preference value is available

Router ID

Path through a neighbor with lower ID is available.

Secondary

Route not a primary route.

Unusable path

Path is not usable because of one of the following conditions:

Update source


•

The route is damped.

•

The route is rejected by an import policy.

•

The route is unresolved.

Last tiebreaker is the lowest IP address value.

3139

®


Table 354 on page 3140 describes the possible values for the Communities output field.

Table 354: Communities Output Field Values Value

Description

area-number

4 bytes, encoding a 32-bit area number. For AS-external routes, the value is 0. A nonzero value identifies the route as internal to the OSPF domain, and as within the identified area. Area numbers are relative to a particular OSPF domain.

bandwidth: local AS number:link-bandwidth-number

Link-bandwidth community value used for unequal-cost load balancing. When BGP has several candidate paths available for multipath purposes, it does not perform unequal-cost load balancing according to the link-bandwidth community unless all candidate paths have this attribute.

domain-id

Unique configurable number that identifies the OSPF domain.

domain-id-vendor

Unique configurable number that further identifies the OSPF domain.

link-bandwidth-number

Link-bandwidth number: from 0 through 4,294,967,295 (bytes per second).

local AS number

Local AS number: from 1 through 65,535.

options

1 byte. Currently this is only used if the route type is 5 or 7. Setting the least significant bit in the field indicates that the route carries a type 2 metric.

origin

(Used with VPNs) Identifies where the route came from.

ospf-route-type

1 byte, encoded as 1 or 2 for intra-area routes (depending on whether the route came from a type 1 or a type 2 LSA); 3 for summary routes; 5 for external routes (area number must be0); 7 for NSSA routes; or 129 for sham link endpoint addresses.

rte-type

Displays the area number, OSPF route type, and option of the route. This is configured using the BGP extended community attribute 0x0306. The format is area-number:ospf-route-type:options.

route-type-vendor

Displays the area number, OSPF route type, and option of the route. This is configured using the BGP extended community attribute 0x8000. The format is area-number:ospf-route-type:options.

target

Defines which VPN the route participates in; target has the format 32-bit IP address:16-bit number. For example, 10.19.0.0:100.

unknown IANA

Incoming IANA codes with a value between 0x1 and 0x7fff. This code of the BGP extended community attribute is accepted, but it is not recognized.

unknown OSPF vendor community

Incoming IANA codes with a value above 0x8000. This code of the BGP extended community attribute is accepted, but it is not recognized.

3140



Sample Output show route detail

user@host> show route detail inet.0: 22 destinations, 23 routes (21 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 29 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 1:31:43 Task: RT Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I 10.31.1.0/30 (2 entries, 1 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 2 Next hop: via so-0/3/0.0, selected State: Local AS: 69 Age: 1:30:17 Task: IF Announcement bits (1): 3-Resolve tree 2 AS path: I OSPF Preference: 10 Next-hop reference count: 1 Next hop: via so-0/3/0.0, selected State: Inactive reason: Route Preference Local AS: 69 Age: 1:30:17 Metric: 1 Area: 0.0.0.0 Task: OSPF AS path: I 10.31.1.1/32 (1 entry, 1 announced) *Local Preference: 0 Next hop type: Local Next-hop reference count: 7 Interface: so-0/3/0.0 State: Local AS: 69 Age: 1:30:20 Task: IF Announcement bits (1): 3-Resolve tree 2 AS path: I ...


3141

®


10.31.2.0/30 (1 entry, 1 announced) *OSPF Preference: 10 Next-hop reference count: 9 Next hop: via so-0/3/0.0 Next hop: 10.31.1.6 via ge-3/1/0.0, selected State: Local AS: 69 Age: 1:29:56 Metric: 2 Area: 0.0.0.0 Task: OSPF Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I ... 224.0.0.2/32 (1 entry, 1 announced) *PIM Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:31:45 Task: PIM Recv Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I ... 224.0.0.22/32 (1 entry, 1 announced) *IGMP Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:31:43 Task: IGMP Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) 10.255.70.103/32 (1 entry, 1 announced) State: *RSVP Preference: 7 Next-hop reference count: 6 Next hop: 10.31.1.6 via ge-3/1/0.0 weight 0x1, selected Label-switched-path green-r1-r3 Label operation: Push 100096 State: Local AS: 69 Age: 1:25:49 Metric: 2 Task: RSVP Announcement bits (2): 1-Resolve tree 1 2-Resolve tree 2 AS path: I 10.255.71.238/32 (1 entry, 1 announced) State: *RSVP Preference: 7 Next-hop reference count: 6 Next hop: via so-0/3/0.0 weight 0x1, selected Label-switched-path green-r1-r2 State: Local AS: 69

3142



Age: 1:25:49 Metric: 1 Task: RSVP Announcement bits (2): 1-Resolve tree 1 2-Resolve tree 2 AS path: I private__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) 47.0005.80ff.f800.0000.0108.0001.0102.5507.1052/152 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Local AS: 69 Age: 1:31:44 Task: IF AS path: I mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) 0 (1 entry, 1 announced) *MPLS Preference: 0 Next hop type: Receive Next-hop reference count: 6 State: Local AS: 69 Age: 1:31:45 Metric: 1 Task: MPLS Announcement bits (1): 0-KRT AS path: I ... mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) 299776 (1 entry, 1 announced) TSI: KRT in-kernel 299776 /52 -> {Flood} *RSVP Preference: 7 Next hop type: Flood Next-hop reference count: 130 Flood nexthop branches exceed maximum Address: 0x8ea65d0 ... 800010 (1 entry, 1 announced) *VPLS Preference: 7 Next-hop reference count: 2 Next hop: via vt-3/2/0.32769, selected Label operation: Pop State: Age: 1:29:30 Task: Common L2 VC Announcement bits (1): 0-KRT AS path: I vt-3/2/0.32769 (1 entry, 1 announced) *VPLS Preference: 7 Next-hop reference count: 2 Next hop: 10.31.1.6 via ge-3/1/0.0 weight 0x1, selected Label-switched-path green-r1-r3


3143

®


Label operation: Push 800012, Push 100096(top) Protocol next hop: 10.255.70.103 Push 800012 Indirect next hop: 87272e4 1048574 State: Age: 1:29:30 Metric2: 2 Task: Common L2 VC Announcement bits (2): 0-KRT 1-Common L2 VC AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) abcd::10:255:71:52/128 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Local AS: 69 Age: 1:31:44 Task: IF AS path: I fe80::280:42ff:fe10:f179/128 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Local AS: 69 Age: 1:31:44 Task: IF AS path: I ff02::2/128 (1 entry, 1 announced) *PIM Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:31:45 Task: PIM Recv6 Announcement bits (1): 0-KRT AS path: I ff02::d/128 (1 entry, 1 announced) *PIM Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:31:45 Task: PIM Recv6 Announcement bits (1): 0-KRT AS path: I ff02::16/128 (1 entry, 1 announced) *MLD Preference: 0 Next-hop reference count: 18 State: Local AS: 69

3144



Age: 1:31:43 Task: MLD Announcement bits (1): 0-KRT AS path: I private.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) fe80::280:42ff:fe10:f179/128 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.16385, selected State: Age: 1:31:44 Task: IF AS path: I green.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) 10.255.70.103:1:3:1/96 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.70.103:1 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 1:25:49 Metric2: 1 AIGP 210 Task: BGP_69.10.255.70.103+179 Announcement bits (1): 0-green-l2vpn AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8 Localpref: 100 Router ID: 10.255.70.103 Primary Routing Table bgp.l2vpn.0 10.255.71.52:1:1:1/96 (1 entry, 1 announced) *L2VPN Preference: 170/-1 Next-hop reference count: 5 Protocol next hop: 10.255.71.52 Indirect next hop: 0 State: Age: 1:31:40 Metric2: 1 Task: green-l2vpn Announcement bits (1): 1-BGP.0.0.0.0+179 AS path: I Communities: Layer2-info: encaps:VPLS, control flags:Site-Down, mtu: 0 Label-base: 800016, range: 8, status-vector: 0x9F 10.255.71.52:1:5:1/96 (1 entry, 1 announced) *L2VPN Preference: 170/-101 Next-hop reference count: 5 Protocol next hop: 10.255.71.52 Indirect next hop: 0 State: Age: 1:31:40 Metric2: 1


3145

®


Task: green-l2vpn Announcement bits (1): 1-BGP.0.0.0.0+179 AS path: I Communities: Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8, status-vector: 0x9F ... l2circuit.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) 10.245.255.63:CtrlWord:4:3:Local/96 (1 entry, 1 announced) *L2CKT Preference: 7 Next hop: via so-1/1/2.0 weight 1, selected Label-switched-path my-lsp Label operation: Push 100000[0] Protocol next hop: 10.245.255.63 Indirect next hop: 86af000 296 State: Local AS: 99 Age: 10:21 Task: l2 circuit Announcement bits (1): 0-LDP AS path: I VC Label 100000, MTU 1500, VLAN ID 512

show route detail (with BGP Multipath)

user@host> show route detail 10.1.1.8/30 (2 entries, 1 announced) *BGP Preference: 170/-101 Next hop type: Router, Next hop index: 262142 Address: 0x901a010 Next-hop reference count: 2 Source: 10.1.1.2 Next hop: 10.1.1.2 via lt-0/3/0.1, selected Next hop: 10.1.1.6 via lt-0/3/0.5 State: Local AS: 1 Peer AS: 2 Age: 5:04:43 Task: BGP_2.10.1.1.2+59955 Announcement bits (1): 0-KRT AS path: 2 I Accepted Multipath Localpref: 100 Router ID: 1.1.1.2 BGP Preference: 170/-101 Next hop type: Router, Next hop index: 678 Address: 0x8f97520 Next-hop reference count: 9 Source: 10.1.1.6 Next hop: 10.1.1.6 via lt-0/3/0.5, selected State: Inactive reason: Not Best in its group - Active preferred Local AS: 1 Peer AS: 2 Age: 5:04:43 Task: BGP_2.10.1.1.6+58198 AS path: 2 I Accepted MultipathContrib Localpref: 100 Router ID: 1.1.1.3

3146



show route exact Syntax


Description Options

show route exact destination-prefix show route exact destination-prefix

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display only the routes that exactly match the specified address or range of addresses. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. destination-prefix—Address or range of addresses. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show route exact on page 3147 show route exact detail on page 3147 show route exact extensive on page 3148 show route exact terse on page 3148 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route exact

user@host> show route exact 207.17.136.0/24 inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 207.17.136.0/24 *[Static/5] 2d 03:30:22 > to 192.168.71.254 via fxp0.0

show route exact detail

user@host> show route exact 207.17.136.0/24 detail inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete 207.17.136.0/24 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 29 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69


3147

®


Age: 2d 3:30:26 Task: RT Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I

show route exact extensive

show route exact terse

user@host> show route exact 207.17.136.0/24 extensive inet.0: 22 destinations, 23 routes (21 active, 0 holddown, 1 hidden) 207.17.136.0/24 (1 entry, 1 announced) TSI: KRT in-kernel 207.17.136.0/24 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 29 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 1:25:18 Task: RT Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I user@host> show route exact 207.17.136.0/24 terse inet.0: 22 destinations, 23 routes (21 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A Destination P Prf Metric 1 Metric 2 Next hop AS path * 207.17.136.0/24 S 5 >192.168.71.254

3148



show route export Syntax

show route export


show route export

Release Information

Description

Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display policy-based route export information. Policy-based export simplifies the process of exchanging route information between routing instances. none—(Same as brief.) Display standard information about policy-based export for all

instances and routing tables on all systems. brief | detail—(Optional) Display the specified level of output. instance —(Optional) Display a particular routing instance for which

policy-based export is currently enabled. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. routing-table-name—(Optional) Display information about policy-based export for all

routing tables whose name begins with this string (for example, inet.0 and inet6.0 are both displayed when you run the show route export inet command). Required Privilege Level List of Sample Output

Output Fields

view

show route export on page 3150 show route export detail on page 3150 show route export instance detail on page 3150 Table 355 on page 3149 lists the output fields for the show route export command. Output fields are listed in the approximate order in which they appear.

Table 355: show route export Output Fields Field Name

Field Description

Level of Output

Table or table-name

Name of the routing tables that either import or export routes.

All levels

Routes

Number of routes exported from this table into other tables. If a particular route is exported to different tables, the counter will only increment by one.

brief none

Export

Whether the table is currently exporting routes to other tables: Y or N (Yes or No).

brief none


3149

®


Table 355: show route export Output Fields (continued) Field Name

Field Description

Level of Output

Import

Tables currently importing routes from the originator table. (Not displayed for tables that are not exporting any routes.)

detail

Flags

(instance keyword only) Flags for this feature on this instance:

detail

•

config auto-policy—The policy was deduced from the configured IGP export

policies.

Options

•

cleanup—Configuration information for this instance is no longer valid.

•

config—The instance was explicitly configured.

(instance keyword only) Configured option displays the type of routing tables the feature handles: •

unicast—Indicates instance.inet.0.

•

multicast—Indicates instance.inet.2.

•

unicast multicast—Indicates instance.inet.0 and instance.inet.2.

detail

Import policy

(instance keyword only) Policy that route export uses to construct the import-export matrix. Not displayed if the instance type is vrf.

detail

Instance

(instance keyword only) Name of the routing instance.

detail

Type

(instance keyword only) Type of routing instance: forwarding, non-forwarding, or vrf.

detail

Sample Output show route export

show route export detail

show route export instance detail

3150

user@host> show route export Table inet.0 black.inet.0 red.inet.0 user@host> show route export detail inet.0 black.inet.0 Import: [ inet.0 ] red.inet.0 Import: [ inet.0 ]

Export N Y Y

Routes 0 3 4

Routes: Routes:

0 3

Routes:

4

user@host> show route export instance detail Instance: master Type: forwarding Flags: Options: Import policy: [ (ospf-master-from-red || isis-master-from-black) ] Instance: black Type: non-forwarding Instance: red Type: non-forwarding



show route extensive Syntax




Release Information


Description

Display extensive information about the active entries in the routing tables.

Options

none—Display all active entries in the routing table. destination-prefix—(Optional) Display active entries for the specified address or range



view


show route extensive on page 3156 show route extensive (Access Route) on page 3163 show route extensive (Route Reflector) on page 3164

Output Fields

Table 356 on page 3151 describes the output fields for the show route extensive command. Output fields are listed in the approximate order in which they appear.

Table 356: show route extensive Output Fields Field Name

Field Description

routing-table-name


number destinations


number routes


active (routes that are active).

•

holddown (routes that are in the pending state before being declared inactive).

•

hidden (routes that are not used because of a routing policy).


3151

®


Table 356: show route extensive Output Fields (continued) Field Name

Field Description

route-destination (entry, announced)

Route destination (for example:10.0.0.1/24). The entry value is the number of route for this destination, and the announced value is the number of routes being announced for this destination. Sometimes the route destination is presented in another format, such as: •

MPLS-label (for example, 80001 ).

•

interface-name (for example, ge-1/0/2 ).

•

neighbor-address:control-word-status:encapsulation type:vc-id:source (Layer 2 circuit only; for example, 10.1.1.195:NoCtrlWord:1:1:Local/96).

•


•


•


ATM AAL5 VCC transport, (3) ATM transparent cell transport, (4) Ethernet, (5) VLAN Ethernet, (6) HDLC, (7) PPP, (8) ATM VCC cell transport, (10) ATM VPC cell transport. •


•


TSI

Protocol header information.

label stacking

(Next-to-the-last-hop routing device for MPLS only) Depth of the Multiprotocol Label Switching (MPLS) label stack, where the label-popping operation is needed to remove one or more labels from the top of the stack. A pair of routes is displayed, because the pop operation is performed only when the stack depth is two or more labels. •

S=0 route indicates that a packet with an incoming label stack depth of two or more exits this router

with one fewer label (the label-popping operation is performed). •


If there is no S= information, the route is a normal MPLS route, which has a stack depth of 1 (the label-popping operation is not performed).





•


In every routing metric except for the BGP LocalPref attribute, a lesser value is preferred. In order to use common comparison routines, Junos OS stores the 1's complement of the LocalPref value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is -156. Route 2 is preferred because it has a higher LocalPref value and a lower Preference2 value. Level

3152

(IS-IS only). In IS-IS, a single autonomous system (AS) can be divided into smaller groups called areas. Routing between areas is organized hierarchically, allowing a domain to be administratively divided into smaller areas. This organization is accomplished by configuring Level 1 and Level 2 intermediate systems. Level 1 systems route within an area; when the destination is outside an area, they route toward a Level 2 system. Level 2 intermediate systems route between areas and toward other ASs.




Field Description

Route Distinguisher

IP subnet augmented with a 64-bit prefix.

Next-hop type

Type of next hop. For a description of possible values for this field, see the Output Field table in the show route detail command.

Next-hop reference count


Flood nexthop branches exceed maximum

Indicates that the number of flood next-hop branches exceeded the system limit of 32 branches, and only a subset of the flood next-hop branches were installed in the kernel.

message Source


Next hop


via

Interface used to reach the next hop. If there is more than one interface available to the next hop, the name of the interface that is actually used is followed by the word Selected. This field can also contain the following information: •

Weight—Value used to distinguish primary, secondary, and fast reroute backup routes. Weight information is available when Multiprotocol Label Switching (MPLS) label-switched path (LSP) link protection, node-link protection, or fast reroute is enabled, or when the standby state is enabled for secondary paths. A lower weight value is preferred. Among routes with the same weight value, load balancing is possible.

•

Balance—Balance coefficient indicating how traffic of unequal cost is distributed among next hops when a routing device is performing unequal-cost load balancing. This information is available when you enable Border Gateway Protocol (BGP) multipath load balancing.

Label-switched-path lsp-path-name

Name of the label-switched path (LSP) used to reach the next hop.

Label operation


Offset

Whether the metric has been increased or decreased by an offset value.

Interface

(Local only) Local interface name.

Protocol next hop

Network layer address of the remote routing device that advertised the prefix. This address is used to recursively derive a forwarding next hop.

label-operation


Indirect next hops

When present, a list of nodes that are used to resolve the path to the next-hop destination, in the order that they are resolved.


3153

®



Field Description

State

State of the route (a route can be in more than one state). See the Output Field table in the show route detail command.

Inactive reason

If the route is inactive, the reason for its current state is indicated. Typical reasons include: •

Active preferred—Currently active route was selected over this route.

•

Always compare MED—Path with a lower multiple exit discriminator (MED) is available.

•

AS path—Shorter AS path is available.

•

Cisco Non-deterministic MED selection—Cisco nondeterministic MED is enabled and a path with a

lower MED is available. •

Cluster list length—Path with a shorter cluster list length is available.

•

Forwarding use only—Path is only available for forwarding purposes.

•

IGP metric—Path through the next hop with a lower IGP metric is available.

•

IGP metric type—Path with a lower OSPF link-state advertisement type is available.

•

Interior > Exterior > Exterior via Interior—Direct, static, IGP, or EBGP path is available.

•

Local preference—Path with a higher local preference value is available.

•

Next hop address—Path with a lower metric next hop is available.

•

No difference—Path from a neighbor with a lower IP address is available.

•

Not Best in its group—Occurs when multiple peers of the same external AS advertise the same

prefix and are grouped together in the selection process. When this reason is displayed, an additional reason is provided (typically one of the other reasons listed). •

Number of gateways—Path with a higher number of next hops is available.

•

Origin—Path with a lower origin code is available.

•

OSPF version—Path does not support the indicated OSPF version.

•

RIB preference—Route from a higher-numbered routing table is available.

•

Route destinguisher—64-bit prefix added to IP subnets to make them unique.

•

Route metric or MED comparison—Route with a lower metric or MED is available.

•

Route preference—Route with a lower preference value is available.

•

Router ID—Path through a neighbor with a lower ID is available.

•

Unusable path—Path is not usable because of one of the following conditions: the route is damped,

the route is rejected by an import policy, or the route is unresolved. •

Update source—Last tiebreaker is the lowest IP address value.

Local AS

Autonomous system (AS) number of the local routing device.

Age


AIGP


Metric


MED-plus-IGP

Metric value for BGP path selection to which the IGP cost to the next-hop destination has been added.

3154




Field Description

TTL-Action

For MPLS LSPs, state of the TTL propagation attribute. Can be enabled or disabled for all RSVP-signalled and LDP-signalled LSPs or for specific VRF routing instances. For sample output, see show route table.

Task


Announcement bits


AS path


I—IGP.

•

E—EGP.

•



[ ]—Brackets enclose the local AS number associated with the AS path if more than one AS number

is configured on the routing device, or if AS path prepending is configured. •




•


NOTE: In Junos OS Release 10.3 and later, the AS path field displays an unrecognized attribute and associated hexadecimal value if BGP receives attribute 128 (attribute set) and you have not configured an independent domain in any routing instance. AS path: I

(For route reflected output only) Originator ID attribute set by the route reflector.

VC Label

MPLS label assigned to the Layer 2 circuit virtual connection.

MTU


VLAN ID

VLAN identifier of the Layer 2 circuit.

Cluster list

(For route reflected output only) Cluster ID sent by the route reflector.

Originator ID

(For route reflected output only) Address of router that originally sent the route to the route reflector.

Prefixes bound to route

Forwarding Equivalent Class (FEC) bound to this route. Applicable only to routes installed by LDP.

Communities

Community path attribute for the route. See the Output Field table in the show route detail command for all possible values for this field.

Layer2-info: encaps



3155

®



Field Description

control flags


mtu

Maximum transmission unit (MTU) information.

Label-Base, range

First label in a block of labels and label block size. A remote PE routing device uses this first label when sending traffic toward the advertising PE routing device.

status vector

Layer 2 VPN and VPLS network layer reachability information (NLRI).

Localpref


Router ID


Primary Routing Table

In a routing table group, the name of the primary routing table in which the route resides.

Secondary Tables

In a routing table group, the name of one or more secondary tables in which the route resides.

Originating RIB

Name of the routing table whose active route was used to determine the forwarding next-hop entry in the resolution database. For example, in the case of inet.0 resolving through inet.0 and inet.3, this field indicates which routing table, inet.0 or inet.3, provided the best path for a particular prefix.

Node path count

Number of nodes in the path.

Forwarding nexthops

Number of forwarding next hops. The forwarding next hop is the network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it.

Sample Output show route extensive

user@host> show route extensive inet.0: 22 destinations, 23 routes (21 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.10.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 29 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 1:34:06 Task: RT Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I 10.31.1.0/30 (2 entries, 1 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 2 Next hop: via so-0/3/0.0, selected State: Local AS: 69 Age: 1:32:40

3156



Task: IF Announcement bits (1): 3-Resolve tree 2 AS path: I


3157

®


OSPF

Preference: 10 Next-hop reference count: 1 Next hop: via so-0/3/0.0, selected State: Inactive reason: Route Preference Local AS: 69 Age: 1:32:40 Metric: 1 Area: 0.0.0.0 Task: OSPF AS path: I

10.31.1.1/32 (1 entry, 1 announced) *Local Preference: 0 Next hop type: Local Next-hop reference count: 7 Interface: so-0/3/0.0 State: Local AS: 69 Age: 1:32:43 Task: IF Announcement bits (1): 3-Resolve tree 2 AS path: I ... 10.31.2.0/30 (1 entry, 1 announced) TSI: KRT in-kernel 10.31.2.0/30 -> {10.31.1.6} *OSPF Preference: 10 Next-hop reference count: 9 Next hop: via so-0/3/0.0 Next hop: 10.31.1.6 via ge-3/1/0.0, selected State: Local AS: 69 Age: 1:32:19 Metric: 2 Area: 0.0.0.0 Task: OSPF Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I ... 224.0.0.2/32 (1 entry, 1 announced) TSI: KRT in-kernel 224.0.0.2/32 -> {} *PIM Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:34:08 Task: PIM Recv Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I ... 224.0.0.22/32 (1 entry, 1 announced) TSI: KRT in-kernel 224.0.0.22/32 -> {} *IGMP Preference: 0 Next-hop reference count: 18

3158



State: Local AS: 69 Age: 1:34:06 Task: IGMP Announcement bits (2): 0-KRT 3-Resolve tree 2 AS path: I inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) 10.255.70.103/32 (1 entry, 1 announced) State: *RSVP Preference: 7 Next-hop reference count: 6 Next hop: 10.31.1.6 via ge-3/1/0.0 weight 0x1, selected Label-switched-path green-r1-r3 Label operation: Push 100096 State: Local AS: 69 Age: 1:28:12 Metric: 2 Task: RSVP Announcement bits (2): 1-Resolve tree 1 2-Resolve tree 2 AS path: I 10.255.71.238/32 (1 entry, 1 announced) State: *RSVP Preference: 7 Next-hop reference count: 6 Next hop: via so-0/3/0.0 weight 0x1, selected Label-switched-path green-r1-r2 State: Local AS: 69 Age: 1:28:12 Metric: 1 Task: RSVP Announcement bits (2): 1-Resolve tree 1 2-Resolve tree 2 AS path: I private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) ... iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) 47.0005.80ff.f800.0000.0108.0001.0102.5507.1052/152 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Local AS: 69 Age: 1:34:07 Task: IF AS path: I mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) 0 (1 entry, 1 announced) TSI: KRT in-kernel 0 /36 -> {} *MPLS Preference: 0 Next hop type: Receive Next-hop reference count: 6


3159

®


State: Local AS: 69 Age: 1:34:08 Metric: 1 Task: MPLS Announcement bits (1): 0-KRT AS path: I ... mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) 299776 (1 entry, 1 announced) TSI: KRT in-kernel 299776 /52 -> {Flood} *RSVP Preference: 7 Next hop type: Flood Next-hop reference count: 130 Flood nexthop branches exceed maximum Address: 0x8ea65d0 ... 800010 (1 entry, 1 announced) TSI: KRT in-kernel 800010 /36 -> {vt-3/2/0.32769} *VPLS Preference: 7 Next-hop reference count: 2 Next hop: via vt-3/2/0.32769, selected Label operation: Pop State: Age: 1:31:53 Task: Common L2 VC Announcement bits (1): 0-KRT AS path: I vt-3/2/0.32769 (1 entry, 1 announced) TSI: KRT in-kernel vt-3/2/0.32769.0 /16 -> {indirect(1048574)} *VPLS Preference: 7 Next-hop reference count: 2 Next hop: 10.31.1.6 via ge-3/1/0.0 weight 0x1, selected Label-switched-path green-r1-r3 Label operation: Push 800012, Push 100096(top) Protocol next hop: 10.255.70.103 Push 800012 Indirect next hop: 87272e4 1048574 State: Age: 1:31:53 Metric2: 2 Task: Common L2 VC Announcement bits (2): 0-KRT 1-Common L2 VC AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Indirect next hops: 1 Protocol next hop: 10.255.70.103 Metric: 2 Push 800012 Indirect next hop: 87272e4 1048574 Indirect path forwarding next hops: 1 Next hop: 10.31.1.6 via ge-3/1/0.0 weight 0x1 10.255.70.103/32 Originating RIB: inet.3 Metric: 2 Node path count: 1 Forwarding nexthops: 1

3160



Nexthop: 10.31.1.6 via ge-3/1/0.0 inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) abcd::10:255:71:52/128 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Local AS: 69 Age: 1:34:07 Task: IF AS path: I fe80::280:42ff:fe10:f179/128 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Local AS: 69 Age: 1:34:07 Task: IF AS path: I ff02::2/128 (1 entry, 1 announced) TSI: KRT in-kernel ff02::2/128 -> {} *PIM Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:34:08 Task: PIM Recv6 Announcement bits (1): 0-KRT AS path: I ff02::d/128 (1 entry, 1 announced) TSI: KRT in-kernel ff02::d/128 -> {} *PIM Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:34:08 Task: PIM Recv6 Announcement bits (1): 0-KRT AS path: I ff02::16/128 (1 entry, 1 announced) TSI: KRT in-kernel ff02::16/128 -> {} *MLD Preference: 0 Next-hop reference count: 18 State: Local AS: 69 Age: 1:34:06 Task: MLD Announcement bits (1): 0-KRT AS path: I


3161

®


private.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) fe80::280:42ff:fe10:f179/128 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.16385, selected State: Age: 1:34:07 Task: IF AS path: I green.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) 10.255.70.103:1:3:1/96 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.70.103:1 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 1:28:12 Metric2: 1 Task: BGP_69.10.255.70.103+179 Announcement bits (1): 0-green-l2vpn AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8 Localpref: 100 Router ID: 10.255.70.103 Primary Routing Table bgp.l2vpn.0 10.255.71.52:1:1:1/96 (1 entry, 1 announced) TSI: Page 0 idx 0 Type 1 val 8699540 *L2VPN Preference: 170/-1 Next-hop reference count: 5 Protocol next hop: 10.255.71.52 Indirect next hop: 0 State: Age: 1:34:03 Metric2: 1 Task: green-l2vpn Announcement bits (1): 1-BGP.0.0.0.0+179 AS path: I Communities: Layer2-info: encaps:VPLS, control flags:Site-Down, mtu: 0 Label-base: 800016, range: 8, status-vector: 0x9F 10.255.71.52:1:5:1/96 (1 entry, 1 announced) TSI: Page 0 idx 0 Type 1 val 8699528 *L2VPN Preference: 170/-101 Next-hop reference count: 5 Protocol next hop: 10.255.71.52 Indirect next hop: 0 State: Age: 1:34:03 Metric2: 1 Task: green-l2vpn

3162



Announcement bits (1): 1-BGP.0.0.0.0+179 AS path: I Communities: Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8, status-vector: 0x9F ... l2circuit.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) TSI: 10.245.255.63:CtrlWord:4:3:Local/96 (1 entry, 1 announced) *L2CKT Preference: 7 Next hop: via so-1/1/2.0 weight 1, selected Label-switched-path my-lsp Label operation: Push 100000[0] Protocol next hop: 10.245.255.63 Indirect next hop: 86af000 296 State: Local AS: 99 Age: 10:21 Task: l2 circuit Announcement bits (1): 0-LDP AS path: I VC Label 100000, MTU 1500, VLAN ID 512

55.0.0.0/24 (1 entry, 1 announced) TSI: KRT queued (pending) add 55.0.0.0/24 -> {Push 300112} *BGP Preference: 170/-101 Next hop type: Router Address: 0x925c208 Next-hop reference count: 2 Source: 10.0.0.9 Next hop: 10.0.0.9 via lt-1/2/0.15, selected Label operation: Push 300112 Label TTL action: prop-ttl State: Local AS: 7019 Peer AS: 13979 Age: 1w0d 23:06:56 AIGP: 25 Task: BGP_13979.10.0.0.9+56732 Announcement bits (1): 0-KRT AS path: 13979 7018 I Accepted Route Label: 300112 Localpref: 100 Router ID: 10.9.9.1

show route extensive (Access Route)

user@host> show route 13.160.0.102 extensive inet.0: 39256 destinations, 39258 routes (39255 active, 0 holddown, 1 hidden) 13.160.0.102/32 (1 entry, 1 announced) TSI: KRT in-kernel 13.160.0.102/32 -> {13.160.0.2} OSPF area : 0.0.0.0, LSA ID : 13.160.0.102, LSA type : Extern *Access Preference: 13 Next-hop reference count: 78472 Next hop: 13.160.0.2 via fe-0/0/0.0, selected State: Age: 12


3163

®


Task: RPD Unix Domain Server./var/run/rpd_serv.local Announcement bits (2): 0-KRT 1-OSPFv2 AS path: I

show route extensive (Route Reflector)

user@host> show route extensive 1.0.0.0/8 (1 entry, 1 announced) TSI: KRT in-kernel 1.0.0.0/8 -> {indirect(40)} *BGP Preference: 170/-101 Source: 192.168.4.214 Protocol next hop: 207.17.136.192 Indirect next hop: 84ac908 40 State: Local AS: 10458 Peer AS: 10458 Age: 3:09 Metric: 0 Metric2: 0 Task: BGP_10458.192.168.4.214+1033 Announcement bits (2): 0-KRT 4-Resolve inet.0 AS path: 3944 7777 I Cluster list: 1.1.1.1 Originator ID: 10.255.245.88 Communities: 7777:7777 Localpref: 100 Router ID: 4.4.4.4 Indirect next hops: 1 Protocol next hop: 207.17.136.192 Metric: 0 Indirect next hop: 84ac908 40 Indirect path forwarding next hops: 0 Next hop type: Discard

3164



show route flow validation Syntax


Release Information

Description Options

show route flow validation show route flow validation

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display flow route information. none—Display flow route information. brief | detail—(Optional) Display the specified level of output. If you do not specify a level

of output, the system defaults to brief. ip-prefix—(Optional) IP address for the flow route. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. table table-name—(Optional) Display flow route information for all routing tables whose

name begins with this string (for example, inet.0 and inet6.0 are both displayed when you run the show route flow validation inet command). Required Privilege Level List of Sample Output Output Fields

view

show route flow validation on page 3166 Table 357 on page 3165 lists the output fields for the show route flow validation command. Output fields are listed in the approximate order in which they appear.

Table 357: show route flow validation Output Fields Field Name

Field Description

Level of Output

routing-table-name


All levels

prefix

Route address.

All levels

Active unicast route

Active route in the routing table.

All levels

Dependent flow destinations

Number of flows for which there are routes in the routing table.

All levels


3165

®


Table 357: show route flow validation Output Fields (continued) Field Name

Field Description

Level of Output

Origin

Source of the route flow.

All levels

Neighbor AS

Autonomous system identifier of the neighbor.

All levels

Flow destination

Number of entries and number of destinations that match the route flow.

All levels

Unicast best match

Destination that is the best match for the route flow.

All levels

Flags

Information about the route flow.

All levels

Sample Output show route flow validation

3166

user@host> show route flow validation inet.0: 10.0.5.0/24Active unicast route Dependent flow destinations: 1 Origin: 192.168.224.218, Neighbor AS: 65001 Flow destination (3 entries, 1 match origin) Unicast best match: 10.0.5.0/24 Flags: SubtreeApex Consistent



show route inactive-path Syntax


Description

Options

show route inactive-path show route inactive-path

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display routes for destinations that have no active route. An inactive route is a route that was not selected as the best path. none—Display all inactive routes. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do



Output Fields

view

show route inactive-path on page 3167 show route inactive-path detail on page 3168 show route inactive-path extensive on page 3169 show route inactive-path terse on page 3169 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route inactive-path

user@host> show route inactive-path inet.0: 25 destinations, 26 routes (24 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.12.100.12/30

[OSPF/10] 03:57:28, metric 1 > via so-0/3/0.0

private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.0.0/8

[Direct/0] 04:39:56 > via fxp1.0

red.inet.0: 6 destinations, 8 routes (4 active, 0 holddown, 3 hidden) Restart Complete


3167

®


+ = Active Route, - = Last Active, * = Both 10.12.80.0/30

[BGP/170] 04:38:17, localpref 100 AS path: 100 I > to 10.12.80.1 via ge-6/3/2.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete bgp.l3vpn.0: 3 destinations, 3 routes (0 active, 0 holddown, 3 hidden) Restart Complete inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

show route inactive-path detail

user@host> show route inactive-path detail inet.0: 25 destinations, 26 routes (24 active, 0 holddown, 1 hidden) Restart Complete 10.12.100.12/30 (2 entries, 1 announced) OSPF Preference: 10 Next-hop reference count: 1 Next hop: via so-0/3/0.0, selected State: Inactive reason: Route Preference Local AS: 1 Age: 3:58:24 Metric: 1 Area: 0.0.0.0 Task: OSPF AS path: I private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) 10.0.0.0/8 (2 entries, 0 announced) Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via fxp1.0, selected State: Inactive reason: No difference Age: 4:40:52 Task: IF AS path: I red.inet.0: 6 destinations, 8 routes (4 active, 0 holddown, 3 hidden) Restart Complete 10.12.80.0/30 (2 entries, 1 announced) BGP Preference: 170/-101 Next-hop reference count: 6 Source: 10.12.80.1 Next hop: 10.12.80.1 via ge-6/3/2.0, selected State: Inactive reason: Route Preference Peer AS: 100

3168



Age: 4:39:13 Task: BGP_100.10.12.80.1+179 AS path: 100 I Localpref: 100 Router ID: 10.0.0.0

show route inactive-path extensive show route inactive-path terse

The output for the show route inactive-path extensive command is identical to that of the show route inactive-path detail command. For sample output, see show route inactive-path detail on page 3168. user@host> show route inactive-path terse inet.0: 25 destinations, 26 routes (24 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both A Destination 10.12.100.12/30

P Prf O 10

Metric 1 1

Metric 2

Next hop >so-0/3/0.0

AS path

private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both A Destination 10.0.0.0/8

P Prf D 0

Metric 1

Metric 2

Next hop >fxp1.0

AS path

red.inet.0: 6 destinations, 8 routes (4 active, 0 holddown, 3 hidden) Restart Complete + = Active Route, - = Last Active, * = Both A Destination 10.12.80.0/30

P Prf B 170

Metric 1 100

Metric 2

Next hop >10.12.80.1

AS path 100 I

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete bgp.l3vpn.0: 3 destinations, 3 routes (0 active, 0 holddown, 3 hidden) Restart Complete inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)


3169

®


show route inactive-prefix Syntax


Description Options

show route inactive-prefix show route inactive-prefix

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display inactive route destinations in each routing table. none—Display all inactive route destination. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do



Output Fields

view

show route inactive-prefix on page 3170 show route inactive-prefix detail on page 3170 show route inactive-prefix extensive on page 3171 show route inactive-prefix terse on page 3171 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route inactive-prefix

user@host> show route inactive-prefix inet.0: 14 destinations, 14 routes (13 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 127.0.0.1/32

show route inactive-prefix detail

[Direct/0] 00:04:54 > via lo0.0

user@host> show route inactive-prefix detail inet.0: 14 destinations, 14 routes (13 active, 0 holddown, 1 hidden) 127.0.0.1/32 (1 entry, 0 announced) Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Age: 4:51

3170



Task: IF AS path: I00:04:54 > via lo0.0

show route inactive-prefix extensive show route inactive-prefix terse

The output for the show route inactive-prefix extensive command is identical to that of the show route inactive-path detail command. For sample output, see show route inactive-prefix detail on page 3170. user@host> show route inactive-prefix terse inet.0: 18 destinations, 18 routes (17 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A Destination 127.0.0.1/32


P Prf D 0

Metric 1

Metric 2

Next hop >lo0.0

AS path

3171

®


show route instance Syntax


Release Information

Description Options

show route instance show route instance

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display routing instance information. none—(Same as brief) Display standard information about all routing instances. brief | detail | summary—(Optional) Display the specified level of output. If you do not

specify a level of output, the system defaults to brief. (These options are not available with the operational keyword.) instance-name—(Optional) Display information for all routing instances whose name

begins with this string (for example, cust1, cust11, and cust111 are all displayed when you run the show route instance cust1 command). logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. operational—(Optional) Display operational routing instances.


Output Fields

view

show route instance on page 3173 show route instance detail (Graceful Restart Complete) on page 3174 show route instance detail (Graceful Restart Incomplete) on page 3175 show route instance detail (VPLS Routing Instance) on page 3177 show route instance operational on page 3177 show route instance summary on page 3178 Table 358 on page 3172 lists the output fields for the show route instance command. Output fields are listed in the approximate order in which they appear.

Table 358: show route instance Output Fields Field Name

Field Description

Level of Output

Instance or instance-name

Name of the routing instance.

All levels

3172



Table 358: show route instance Output Fields (continued) Field Name

Field Description

Level of Output

Operational Routing Instances

(operational keyword only) Names of all operational routing instances.

—

Type

Type of routing instance: forwarding, l2vpn, no-forwarding, vpls, virtual-router, or vrf.

All levels

State

State of the routing instance: active or inactive.

brief detail none

Interfaces

Name of interfaces belonging to this routing instance.

brief detail none

Restart State

Status of graceful restart for this instance: Pending or Complete.

detail

Path selection timeout

Maximum amount of time, in seconds, remaining until graceful restart is declared complete. The default is 300.

detail

Tables

Tables (and number of routes) associated with this routing instance.

brief detail none

Route-distinguisher

Unique route distinguisher associated with this routing instance.

detail

Vrf-import

VPN routing and forwarding instance import policy name.

detail

Vrf-export

VPN routing and forwarding instance export policy name.

detail

Vrf-import-target

VPN routing and forwarding instance import target community name.

detail

Vrf-export-target

VPN routing and forwarding instance export target community name.

detail

Fast-reroute-priority

Fast reroute priority setting for a VPLS routing instance: high, medium, or low. The default is low.

detail

Restart State

Restart state:

detail

•

Pending:protocol-name—List of protocols that have not yet

completed graceful restart for this routing table. •

Complete—All protocols have restarted for this routing table.

Primary rib

Primary table for this routing instance.

brief none summary

Active/holddown/hidden

Number of active, hold-down, and hidden routes.

All levels

Sample Output show route instance

user@host> show route instance Instance Type Primary RIB master forwarding inet.0 iso.0 mpls.0 inet6.0


Active/holddown/hidden 16/0/1 1/0/0 0/0/0 2/0/0

3173

®


l2circuit.0 __juniper_private1__ forwarding __juniper_private1__.inet.0 __juniper_private1__.inet6.0

show route instance detail (Graceful Restart Complete)

3174

0/0/0 12/0/0 1/0/0

user@host> show route instance detail master: Router ID: 10.255.14.176 Type: forwarding State: Active Restart State: Complete Path selection timeout: 300 Tables: inet.0 : 17 routes (15 active, 0 holddown, Restart Complete inet.3 : 2 routes (2 active, 0 holddown, 0 Restart Complete iso.0 : 1 routes (1 active, 0 holddown, 0 Restart Complete mpls.0 : 19 routes (19 active, 0 holddown, Restart Complete bgp.l3vpn.0 : 10 routes (10 active, 0 holddown, Restart Complete inet6.0 : 2 routes (2 active, 0 holddown, 0 Restart Complete bgp.l2vpn.0 : 1 routes (1 active, 0 holddown, 0 Restart Complete BGP-INET: Router ID: 10.69.103.1 Type: vrf State: Active Restart State: Complete Path selection timeout: 300 Interfaces: t3-0/0/0.103 Route-distinguisher: 10.255.14.176:103 Vrf-import: [ BGP-INET-import ] Vrf-export: [ BGP-INET-export ] Tables: BGP-INET.inet.0 : 4 routes (4 active, 0 holddown, 0 Restart Complete BGP-L: Router ID: 10.69.104.1 Type: vrf State: Active Restart State: Complete Path selection timeout: 300 Interfaces: t3-0/0/0.104 Route-distinguisher: 10.255.14.176:104 Vrf-import: [ BGP-L-import ] Vrf-export: [ BGP-L-export ] Tables: BGP-L.inet.0 : 4 routes (4 active, 0 holddown, 0 Restart Complete BGP-L.mpls.0 : 3 routes (3 active, 0 holddown, 0 Restart Complete L2VPN: Router ID: 0.0.0.0 Type: l2vpn State: Active Restart State: Complete Path selection timeout: 300 Interfaces: t3-0/0/0.512 Route-distinguisher: 10.255.14.176:512 Vrf-import: [ L2VPN-import ] Vrf-export: [ L2VPN-export ] Tables:

1 hidden) hidden) hidden) 0 hidden) 0 hidden) hidden) hidden)

hidden)

hidden) hidden)



L2VPN.l2vpn.0 Restart Complete

: 2 routes (2 active, 0 holddown, 0 hidden)

LDP: Router ID: 10.69.105.1 Type: vrf State: Active Restart State: Complete Path selection Interfaces: t3-0/0/0.105 Route-distinguisher: 10.255.14.176:105 Vrf-import: [ LDP-import ] Vrf-export: [ LDP-export ] Tables: LDP.inet.0 : 5 routes (4 Restart Complete OSPF: Router ID: 10.69.101.1 Type: vrf State: Active Restart State: Complete Path selection Interfaces: t3-0/0/0.101 Route-distinguisher: 10.255.14.176:101 Vrf-import: [ OSPF-import ] Vrf-export: [ OSPF-export ] Vrf-import-target: [ target:11111 Tables: OSPF.inet.0 : 8 routes (7 Restart Complete RIP: Router ID: 10.69.102.1 Type: vrf State: Active Restart State: Complete Path selection Interfaces: t3-0/0/0.102 Route-distinguisher: 10.255.14.176:102 Vrf-import: [ RIP-import ] Vrf-export: [ RIP-export ] Tables: RIP.inet.0 : 6 routes (6 Restart Complete STATIC: Router ID: 10.69.100.1 Type: vrf State: Active Restart State: Complete Path selection Interfaces: t3-0/0/0.100 Route-distinguisher: 10.255.14.176:100 Vrf-import: [ STATIC-import ] Vrf-export: [ STATIC-export ] Tables: STATIC.inet.0 : 4 routes (4 Restart Complete

show route instance detail (Graceful Restart Incomplete)

timeout: 300

active, 0 holddown, 0 hidden)

timeout: 300


timeout: 300


timeout: 300


user@host> show route instance detail master: Router ID: 10.255.14.176 Type: forwarding State: Active Restart State: Pending Path selection timeout: 300 Tables: inet.0 : 17 routes (15 active, 1 holddown, 1 hidden) Restart Pending: OSPF LDP inet.3 : 2 routes (2 active, 0 holddown, 0 hidden)


3175

®


Restart Pending: OSPF LDP iso.0 : 1 routes (1 active, 0 holddown, 0 Restart Complete mpls.0 : 23 routes (23 active, 0 holddown, Restart Pending: LDP VPN bgp.l3vpn.0 : 10 routes (10 active, 0 holddown, Restart Pending: BGP VPN inet6.0 : 2 routes (2 active, 0 holddown, 0 Restart Complete bgp.l2vpn.0 : 1 routes (1 active, 0 holddown, 0 Restart Pending: BGP VPN BGP-INET: Router ID: 10.69.103.1 Type: vrf State: Active Restart State: Pending Path selection timeout: 300 Interfaces: t3-0/0/0.103 Route-distinguisher: 10.255.14.176:103 Vrf-import: [ BGP-INET-import ] Vrf-export: [ BGP-INET-export ] Tables: BGP-INET.inet.0 : 6 routes (5 active, 0 holddown, 0 Restart Pending: VPN BGP-L: Router ID: 10.69.104.1 Type: vrf State: Active Restart State: Pending Path selection timeout: 300 Interfaces: t3-0/0/0.104 Route-distinguisher: 10.255.14.176:104 Vrf-import: [ BGP-L-import ] Vrf-export: [ BGP-L-export ] Tables: BGP-L.inet.0 : 6 routes (5 active, 0 holddown, 0 Restart Pending: VPN BGP-L.mpls.0 : 2 routes (2 active, 0 holddown, 0 Restart Pending: VPN L2VPN: Router ID: 0.0.0.0 Type: l2vpn State: Active Restart State: Pending Path selection timeout: 300 Interfaces: t3-0/0/0.512 Route-distinguisher: 10.255.14.176:512 Vrf-import: [ L2VPN-import ] Vrf-export: [ L2VPN-export ] Tables: L2VPN.l2vpn.0 : 2 routes (2 active, 0 holddown, 0 Restart Pending: VPN L2VPN LDP: Router ID: 10.69.105.1 Type: vrf State: Active Restart State: Pending Path selection timeout: 300 Interfaces: t3-0/0/0.105 Route-distinguisher: 10.255.14.176:105 Vrf-import: [ LDP-import ] Vrf-export: [ LDP-export ] Tables: LDP.inet.0 : 5 routes (4 active, 1 holddown, 0 Restart Pending: OSPF LDP VPN

3176

hidden) 0 hidden) 0 hidden) hidden) hidden)

hidden)

hidden) hidden)

hidden)

hidden)



OSPF: Router ID: 10.69.101.1 Type: vrf State: Active Restart State: Pending Path selection Interfaces: t3-0/0/0.101 Route-distinguisher: 10.255.14.176:101 Vrf-import: [ OSPF-import ] Vrf-export: [ OSPF-export ] Tables: OSPF.inet.0 : 8 routes (7 Restart Pending: OSPF VPN RIP: Router ID: 10.69.102.1 Type: vrf State: Active Restart State: Pending Path selection Interfaces: t3-0/0/0.102 Route-distinguisher: 10.255.14.176:102 Vrf-import: [ RIP-import ] Vrf-export: [ RIP-export ] Tables: RIP.inet.0 : 8 routes (6 Restart Pending: RIP VPN STATIC: Router ID: 10.69.100.1 Type: vrf State: Active Restart State: Pending Path selection Interfaces: t3-0/0/0.100 Route-distinguisher: 10.255.14.176:100 Vrf-import: [ STATIC-import ] Vrf-export: [ STATIC-export ] Tables: STATIC.inet.0 : 4 routes (4 Restart Pending: VPN

show route instance detail (VPLS Routing Instance)

show route instance operational

timeout: 300


timeout: 300


timeout: 300


user@host> show route instance detail test-vpls test-vpls: Router ID: 0.0.0.0 Type: vpls State: Active Interfaces: lsi.1048833 lsi.1048832 fe-0/1/0.513 Route-distinguisher: 10.255.37.65:1 Vrf-import: [ __vrf-import-test-vpls-internal__ ] Vrf-export: [ __vrf-export-test-vpls-internal__ ] Vrf-import-target: [ target:300:1 ] Vrf-export-target: [ target:300:1 ] Fast-reroute-priority: high Tables: test-vpls.l2vpn.0 : 3 routes (3 active, 0 holddown, 0 hidden) user@host> show route instance operational Operational Routing Instances: master default


3177

®


show route instance summary

3178

user@host> show route instance summary Instance Type Primary rib master forwarding inet.0 iso.0 mpls.0 l3vpn.0 inet6.0 l2vpn.0 l2circuit.0 BGP-INET vrf BGP-INET.inet.0 BGP-INET.iso.0 BGP-INET.inet6.0 BGP-L vrf BGP-L.inet.0 BGP-L.iso.0 BGP-L.mpls.0 BGP-L.inet6.0 L2VPN l2vpn L2VPN.inet.0 L2VPN.iso.0 L2VPN.inet6.0 L2VPN.l2vpn.0 LDP vrf LDP.inet.0 LDP.iso.0 LDP.mpls.0 LDP.inet6.0 LDP.l2circuit.0 OSPF vrf OSPF.inet.0 OSPF.iso.0 OSPF.inet6.0 RIP vrf RIP.inet.0 RIP.iso.0 RIP.inet6.0 STATIC vrf STATIC.inet.0 STATIC.iso.0 STATIC.inet6.0

Active/holddown/hidden 15/0/1 1/0/0 35/0/0 0/0/0 2/0/0 0/0/0 0/0/0 5/0/0 0/0/0 0/0/0 5/0/0 0/0/0 4/0/0 0/0/0 0/0/0 0/0/0 0/0/0 2/0/0 4/0/0 0/0/0 0/0/0 0/0/0 0/0/0 7/0/0 0/0/0 0/0/0 6/0/0 0/0/0 0/0/0 4/0/0 0/0/0 0/0/0



show route label Syntax


Description

Options

show route label label show route label label

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display the routes based on a specified Multiprotocol Label Switching (MPLS) label value. label—Value of the MPLS label. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do



Output Fields

view

show route label on page 3179 show route label detail on page 3179 show route label extensive on page 3180 show route label terse on page 3180 For information about output fields, see the output field table for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route label

user@host> show route label 100016 mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 100016 *[VPN/170] 03:25:41 > to 10.12.80.1 via ge-6/3/2.0, Pop

show route label detail

user@host> show route label 100016 detail mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete 100016 (1 entry, 1 announced) *VPN Preference: 170 Next-hop reference count: 2 Source: 10.12.80.1


3179

®


Next hop: 10.12.80.1 via ge-6/3/2.0, selected Label operation: Pop State: Local AS: 1 Age: 3:23:31 Task: BGP.0.0.0.0+179 Announcement bits (1): 0-KRT AS path: 100 I Ref Cnt: 2

show route label extensive show route label terse

The output for the show route label extensive command is identical to that of the show route label detail command. For sample output, see show route label detail on page 3179. user@host> show route label 100016 terse mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both A Destination * 100016

3180

P Prf V 170

Metric 1

Metric 2

Next hop >10.12.80.1

AS path



show route label-switched-path Syntax


Description Options

show route label-switched-path path-name show route label-switched-path path-name

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display the routes used in an MPLS label-switched path (LSP). brief | detail | extensive | terse—(Optional) Display the specified level of output. path-name—LSP tunnel name. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show route label-switched-path on page 3181 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route label-switched-path

user@host> show route label-switched-path sf-to-ny inet.0: 29 destinations, 29 routes (29 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1.1.1.1/32 3.3.3.3/32

[MPLS/7] 00:00:06, metric 0 > to 111.222.1.9 via s0-0/0/0, label-switched-path sf-to-ny *[MPLS/7] 00:00:06, metric 0 > to 111.222.1.9 via s0-0/0/0, label-switched-path sf-to-ny

inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 2.2.2.2/32 4.4.4.4/32

111.222.1.9/32

*[MPLS/7] 00:00:06, metric 0 > to 111.222.1.9 via s0-0/0/0, *[MPLS/7] 00:00:06, metric 0 to 111.222.1.9 via s0-0/0/0, > to 111.222.1.9 via s0-0/0/0, to 111.222.1.9 via s0-0/0/0, [MPLS/7] 00:00:06, metric 0 > to 111.222.1.9 via s0-0/0/0,

label-switched-path sf-to-ny label-switched-path abc label-switched-path xyz label-switched-path sf-to-ny label-switched-path sf-to-ny

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both


3181

®


mpls.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both

3182



show route martians Syntax


Description Options

show route martians

show route martians

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the martian (invalid and ignored) entries associated with each routing table. none—Display standard information about route martians for all routing tables. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. table routing-table-name—(Optional) Display information about route martians for all

routing tables whose name begins with this string (for example, inet.0 and inet6.0 are both displayed when you run the show route martians table inet command). Required Privilege Level Related Documentation List of Sample Output Output Fields

view

•

Example: Configuring Martian Addresses

show route martians on page 3183 Table 359 on page 3183 lists the output fields for the show route martians command. Output fields are listed in the approximate order in which they appear

Table 359: show route martians Output Fields Field Name

Field Description

table-name

Name of the route table in which the route martians reside.

destination-prefix

Route destination.

match value

Route match parameter.

status

Status of the route: allowed or disallowed.

Sample Output show route martians

user@host> show route martians inet.0: 0.0.0.0/0 exact -- allowed


3183

®


0.0.0.0/8 orlonger -- disallowed 127.0.0.0/8 orlonger -- disallowed 192.0.0.0/24 orlonger -- disallowed 240.0.0.0/4 orlonger -- disallowed 224.0.0.0/4 exact -- disallowed 224.0.0.0/24 exact -- disallowed inet.1: 0.0.0.0/0 exact -- allowed 0.0.0.0/8 orlonger -- disallowed 127.0.0.0/8 orlonger -- disallowed 192.0.0.0/24 orlonger -- disallowed 240.0.0.0/4 orlonger -- disallowed inet.2: 0.0.0.0/0 exact -- allowed 0.0.0.0/8 orlonger -- disallowed 127.0.0.0/8 orlonger -- disallowed 192.0.0.0/24 orlonger -- disallowed 240.0.0.0/4 orlonger -- disallowed 224.0.0.0/4 exact -- disallowed 224.0.0.0/24 exact -- disallowed inet.3: 0.0.0.0/0 exact -- allowed 0.0.0.0/8 orlonger -- disallowed 127.0.0.0/8 orlonger -- disallowed 192.0.0.0/24 orlonger -- disallowed 240.0.0.0/4 orlonger -- disallowed 224.0.0.0/4 exact -- disallowed 224.0.0.0/24 exact -- disallowed ... inet6.0: ::1/128 exact -- disallowed ff00::/8 exact -- disallowed ff02::/16 exact -- disallowed inet6.1: ::1/128 exact -- disallowed inet6.2: ::1/128 exact -- disallowed ff00::/8 exact -- disallowed ff02::/16 exact -- disallowed inet6.3: ::1/128 exact -- disallowed ff00::/8 exact -- disallowed ff02::/16 exact -- disallowed ...

3184



show route next-hop Syntax


Description

Options

show route next-hop next-hop show route next-hop next-hop

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the entries in the routing table that are being sent to the specified next-hop address. brief | detail | extensive | terse—(Optional) Display the specified level of ouput. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. next-hop—Next-hop address.


Output Fields

view

show route next-hop on page 3185 show route next-hop detail on page 3186 show route next-hop extensive on page 3187 show route next-hop terse on page 3189 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route next-hop

user@host> show route next-hop 192.168.71.254 inet.0: 18 destinations, 18 routes (17 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.10.0.0/16 10.209.0.0/16 172.16.0.0/12 192.168.0.0/16 192.168.102.0/23 207.17.136.0/24


*[Static/5] 06:26:25 > to 192.168.71.254 *[Static/5] 06:26:25 > to 192.168.71.254 *[Static/5] 06:26:25 > to 192.168.71.254 *[Static/5] 06:26:25 > to 192.168.71.254 *[Static/5] 06:26:25 > to 192.168.71.254 *[Static/5] 06:26:25 > to 192.168.71.254

via fxp0.0 via fxp0.0 via fxp0.0 via fxp0.0 via fxp0.0 via fxp0.0

3185

®


207.17.136.192/32

*[Static/5] 06:26:25 > to 192.168.71.254 via fxp0.0

private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) red.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden) Restart Complete iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

show route next-hop detail

user@host> show route next-hop 192.168.71.254 detail inet.0: 18 destinations, 18 routes (17 active, 0 holddown, 1 hidden) Restart Complete 10.10.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I 10.209.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I 172.16.0.0/12 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I 192.168.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State:

3186



Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I 192.168.102.0/23 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I 207.17.136.0/24 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I 207.17.136.192/32 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 36 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 1 Age: 6:27:41 Task: RT Announcement bits (3): 0-KRT 3-Resolve tree 1 5-Resolve tree 2 AS path: I private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) red.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden) Restart Complete iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

show route next-hop extensive

user@host> show route next-hop 192.168.71.254 extensive inet.0: 18 destinations, 18 routes (17 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.10.0.0/16 -> {192.168.71.254}


3187

®


*Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I 10.209.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.209.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I 172.16.0.0/12 (1 entry, 1 announced) TSI: KRT in-kernel 172.16.0.0/12 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I 192.168.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 192.168.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I 192.168.102.0/23 (1 entry, 1 announced) TSI: KRT in-kernel 192.168.102.0/23 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I

3188



207.17.136.0/24 (1 entry, 1 announced) TSI: KRT in-kernel 207.17.136.0/24 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I 207.17.136.192/32 (1 entry, 1 announced) TSI: KRT in-kernel 207.17.136.192/32 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:02:28 Task: RT Announcement bits (1): 0-KRT AS path: I private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) mpls.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) green.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) red.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

show route next-hop terse

user@host> show route next-hop 192.168.71.254 terse inet.0: 25 destinations, 26 routes (24 active, 0 holddown, 1 hidden) Restart Complete + = Active Route, - = Last Active, * = Both A * * * * * * *

Destination 10.10.0.0/16 10.209.0.0/16 172.16.0.0/12 192.168.0.0/16 192.168.102.0/23 207.17.136.0/24 207.17.136.192/32

P Prf S 5 S 5 S 5 S 5 S 5 S 5 S 5

Metric 1

Metric 2

Next hop >192.168.71.254 >192.168.71.254 >192.168.71.254 >192.168.71.254 >192.168.71.254 >192.168.71.254 >192.168.71.254

AS path

private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) red.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden) Restart Complete


3189

®


iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

3190



show route no-community Syntax


Description Options

show route no-community show route no-community

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the route entries in each routing table that are not associated with any community. none—(Same as brief) Display the route entries in each routing table that are not

associated with any community. brief | detail | extensive | terse—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show route no-community on page 3191 show route no-community detail on page 3192 show route no-community extensive on page 3192 show route no-community terse on page 3193 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route no-community

user@host> show route no-community inet.0: 28 destinations, 30 routes (27 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 10.10.0.0/16 10.209.0.0/16 10.255.71.52/32 10.255.71.63/32 10.255.71.64/32 10.255.71.240/32

10.255.71.241/32


*[Static/5] 00:36:27 > to 192.168.71.254 via fxp0.0 *[Static/5] 00:36:27 > to 192.168.71.254 via fxp0.0 *[Direct/0] 00:36:27 > via lo0.0 *[OSPF/10] 00:04:39, metric 1 > to 35.1.1.2 via ge-3/1/0.0 *[OSPF/10] 00:00:08, metric 2 > to 35.1.1.2 via ge-3/1/0.0 *[OSPF/10] 00:05:04, metric 2 via so-0/1/2.0 > via so-0/3/2.0 *[OSPF/10] 00:05:14, metric 1

3191

®


10.255.71.242/32 12.1.1.0/24 14.1.1.0/24

16.1.1.0/24

> via so-0/1/2.0 *[OSPF/10] 00:05:19, metric 1 > via so-0/3/2.0 *[OSPF/10] 00:05:14, metric 2 > via so-0/3/2.0 *[OSPF/10] 00:00:08, metric 3 > to 35.1.1.2 via ge-3/1/0.0 via so-0/1/2.0 via so-0/3/2.0 *[OSPF/10] 00:05:14, metric 2 > via so-0/1/2.0

.....

show route no-community detail

user@host> show route no-community detail inet.0: 28 destinations, 30 routes (27 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 38:08 Task: RT Announcement bits (1): 0-KRT AS path: I 10.209.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 38:08 Task: RT Announcement bits (1): 0-KRT AS path: I ....

show route no-community extensive

user@host> show route no-community extensive inet.0: 18 destinations, 18 routes (17 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.10.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69 Age: 2:03:33 Task: RT Announcement bits (1): 0-KRT AS path: I 10.209.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.209.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Local AS: 69

3192



Age: 2:03:33 Task: RT Announcement bits (1): 0-KRT AS path: I

show route no-community terse

user@host> show route no-community terse inet.0: 28 destinations, 30 routes (27 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A * * * * * *

Destination 10.10.0.0/16 10.209.0.0/16 10.255.71.52/32 10.255.71.63/32 10.255.71.64/32 10.255.71.240/32

P Prf S 5 S 5 D 0 O 10 O 10 O 10

* * * *

10.255.71.241/32 10.255.71.242/32 12.1.1.0/24 14.1.1.0/24

O O O O

10 10 10 10

1 1 2 3

O

10

2

* 16.1.1.0/24 ...


Metric 1

1 2 2

Metric 2

Next hop >192.168.71.254 >192.168.71.254 >lo0.0 >35.1.1.2 >35.1.1.2 so-0/1/2.0 >so-0/3/2.0 >so-0/1/2.0 >so-0/3/2.0 >so-0/3/2.0 >35.1.1.2 so-0/1/2.0 so-0/3/2.0 >so-0/1/2.0

AS path

3193

®


show route protocol Syntax


show route protocol protocol show route protocol protocol

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Options opsf2 and ospf3 introduced in Junos OS Release 9.2. Options opsf2 and ospf3 introduced in Junos OS Release 9.2 for EX Series switches. Option flow introduced in Junos OS Release 10.0. Option flow introduced in Junos OS Release 10.0 for EX Series switches.

Description

Display the route entries in the routing table that were learned from a particular protocol.

Options

brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do


systems or on a particular logical system. protocol—Protocol from which the route was learned:

3194

•

access—Access route for use by DHCP application

•

access-internal—Access-internal route for use by DHCP application

•

aggregate—Locally generated aggregate route

•

atmvpn—Asynchronous Transfer Mode virtual private network

•

bgp—Border Gateway Protocol

•

ccc—Circuit cross-connect

•

direct—Directly connected route

•

dvmrp—Distance Vector Multicast Routing Protocol

•

esis—End System-to-Intermediate System

•

flow—Locally defined flow-specification route.

•

isis—Intermediate System-to-Intermediate System

•

ldp—Label Distribution Protocol

•

l2circuit—Layer 2 circuit

•

l2vpn—Layer 2 virtual private network

•

local—Local address

•

mpls—Multiprotocol Label Switching



•

msdp—Multicast Source Discovery Protocol

•

ospf—Open Shortest Path First versions 2 and 3

•

ospf2—Open Shortest Path First version 2 only

•

ospf3—Open Shortest Path First version 3 only

•

pim—Protocol Independent Multicast

•

rip—Routing Information Protocol

•

ripng—Routing Information Protocol next generation

•

rsvp—Resource Reservation Protocol

•

rtarget—Local route target virtual private network

•

static—Statically defined route

•

tunnel—Dynamic tunnel

•

vpn—Virtual private network

NOTE: EX Series switches run a subset of these protocols. See the switch CLI for details.


Output Fields

view

show route protocol access on page 3196 show route protocol access-internal extensive on page 3196 show route protocol bgp on page 3196 show route protocol bgp detail on page 3196 show route protocol bgp extensive on page 3197 show route protocol bgp terse on page 3197 show route protocol direct on page 3197 show route protocol l2circuit detail on page 3198 show route protocol l2vpn extensive on page 3199 show route protocol ldp on page 3199 show route protocol ldp extensive on page 3200 show route protocol ospf (Layer 3 VPN) on page 3201 show route protocol ospf detail on page 3201 show route protocol rip on page 3201 show route protocol rip detail on page 3202 show route protocol ripng table inet6 on page 3202 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.


3195

®


Sample Output show route protocol access

user@host> show route protocol access inet.0: 30380 destinations, 30382 routes (30379 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 13.160.0.3/32 13.160.0.4/32 13.160.0.5/32

*[Access/13] 00:00:09 > to 13.160.0.2 via fe-0/0/0.0 *[Access/13] 00:00:09 > to 13.160.0.2 via fe-0/0/0.0 *[Access/13] 00:00:09 > to 13.160.0.2 via fe-0/0/0.0

show route protocol access-internal extensive

user@host> show route protocol access-internal 13.160.0.19 extensive inet.0: 100020 destinations, 100022 routes (100019 active, 0 holddown, 1 hidden) 13.160.0.19/32 (1 entry, 1 announced) TSI: KRT in-kernel 13.160.0.19/32 -> {13.160.0.2} *Access-internal Preference: 12 Next-hop reference count: 200000 Next hop: 13.160.0.2 via fe-0/0/0.0, selected State: Age: 36 Task: RPD Unix Domain Server./var/run/rpd_serv.local Announcement bits (1): 0-KRT AS path: I

show route protocol bgp

user@host> show route protocol bgp 192.168.64.0/21 inet.0: 335832 destinations, 335833 routes (335383 active, 0 holddown, 450 hidden) + = Active Route, - = Last Active, * = Both 192.168.64.0/21

show route protocol bgp detail

3196

*[BGP/170] 6d 10:41:16, localpref 100, from 192.168.69.71 AS path: 10458 14203 2914 4788 4788 I > to 192.168.167.254 via fxp0.0

show route protocol bgp 66.117.63.0/24 exact detail inet.0: 335805 destinations, 335806 routes (335356 active, 0 holddown, 450 hidden) 66.117.63.0/24 (1 entry, 1 announced) *BGP Preference: 170/-101 Next hop type: Indirect Next-hop reference count: 1006436 Source: 192.168.69.71 Next hop type: Router, Next hop index: 324 Next hop: 192.168.167.254 via fxp0.0, selected Protocol next hop: 192.168.69.71 Indirect next hop: 8e166c0 342 State: Local AS: 69 Peer AS: 10458 Age: 6d 10:42:42 Metric2: 0 Task: BGP_10458.192.168.69.71+179 Announcement bits (3): 0-KRT 2-BGP RT Background 3-Resolve tree 1 AS path: 10458 14203 2914 4788 4788 I Communities: 2914:410 2914:2403 2914:3400 Accepted Localpref: 100 Router ID: 207.17.136.192



show route protocol bgp extensive

user@host> show route protocol bgp 192.168.64.0/21 extensive inet.0: 335827 destinations, 335828 routes (335378 active, 0 holddown, 450 hidden) 192.168.64.0/21 (1 entry, 1 announced) TSI: KRT in-kernel 1.9.0.0/16 -> {indirect(342)} Page 0 idx 1 Type 1 val db31a80 Nexthop: Self AS path: [69] 10458 14203 2914 4788 4788 I Communities: 2914:410 2914:2403 2914:3400 Path 1.9.0.0 from 192.168.69.71 Vector len 4. Val: 1 *BGP Preference: 170/-101 Next hop type: Indirect Next-hop reference count: 1006502 Source: 192.168.69.71 Next hop type: Router, Next hop index: 324 Next hop: 192.168.167.254 via fxp0.0, selected Protocol next hop: 192.168.69.71 Indirect next hop: 8e166c0 342 State: Local AS: 69 Peer AS: 10458 Age: 6d 10:44:45 Metric2: 0 Task: BGP_10458.192.168.69.71+179 Announcement bits (3): 0-KRT 2-BGP RT Background 3-Resolve tree 1 AS path: 10458 14203 2914 4788 4788 I Communities: 2914:410 2914:2403 2914:3400 Accepted Localpref: 100 Router ID: 207.17.136.192 Indirect next hops: 1 Protocol next hop: 192.168.69.71 Indirect next hop: 8e166c0 342 Indirect path forwarding next hops: 1 Next hop type: Router Next hop: 192.168.167.254 via fxp0.0 192.168.0.0/16 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 1 Nexthop: 192.168.167.254 via fxp0.0

show route protocol bgp terse

user@host> show route protocol bgp 192.168.64.0/21 terse inet.0: 24 destinations, 32 routes (23 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A Destination 192.168.64.0/21

show route protocol direct

P Prf B 170

Metric 1 100

Metric 2

Next hop >100.1.3.2

AS path 10023 21 I

user@host> show route protocol direct inet.0: 335843 destinations, 335844 routes (335394 active, 0 holddown, 450 hidden) + = Active Route, - = Last Active, * = Both 8.8.8.0/24 10.255.165.1/32 30.30.30.0/24


*[Direct/0] 17w0d 10:31:49 > via fe-1/3/1.0 *[Direct/0] 25w4d 04:13:18 > via lo0.0 *[Direct/0] 17w0d 23:06:26 > via fe-1/3/2.0

3197

®


192.168.164.0/22

*[Direct/0] 25w4d 04:13:20 > via fxp0.0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 47.0005.80ff.f800.0000.0108.0001.0102.5516.5001/152 *[Direct/0] 25w4d 04:13:21 > via lo0.0 inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both abcd::10:255:165:1/128 *[Direct/0] 25w4d 04:13:21 > via lo0.0 fe80::2a0:a5ff:fe12:ad7/128 *[Direct/0] 25w4d 04:13:21 > via lo0.0

show route protocol l2circuit detail

user@host> show route protocol l2circuit detail mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) 100000 (1 entry, 1 announced) *L2CKT Preference: 7 Next hop: via ge-2/0/0.0, selected Label operation: Pop Offset: 4 State: Local AS: 99 Age: 9:52 Task: Common L2 VC Announcement bits (1): 0-KRT AS path: I ge-2/0/0.0 (1 entry, 1 announced) *L2CKT Preference: 7 Next hop: via so-1/1/2.0 weight 1, selected Label-switched-path my-lsp Label operation: Push 100000, Push 100000(top)[0] Offset: -4 Protocol next hop: 10.245.255.63 Push 100000 Offset: -4 Indirect next hop: 86af0c0 298 State: Local AS: 99 Age: 9:52 Task: Common L2 VC Announcement bits (2): 0-KRT 1-Common L2 VC AS path: I l2circuit.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) 10.245.255.63:CtrlWord:4:3:Local/96 (1 entry, 1 announced) *L2CKT Preference: 7 Next hop: via so-1/1/2.0 weight 1, selected Label-switched-path my-lsp Label operation: Push 100000[0] Protocol next hop: 10.245.255.63 Indirect next hop: 86af000 296 State: Local AS: 99 Age: 10:21 Task: l2 circuit

3198



Announcement bits (1): 0-LDP AS path: I VC Label 100000, MTU 1500, VLAN ID 512

show route protocol l2vpn extensive

user@host> show route protocol l2vpn extensive inet.0: 14 destinations, 15 routes (13 active, 0 holddown, 1 hidden) inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) mpls.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) 800001 (1 entry, 1 announced) TSI: KRT in-kernel 800001 /36 -> {so-0/0/0.0} *L2VPN Preference: 7 Next hop: via so-0/0/0.0 weight 49087 balance 97%, selected Label operation: Pop Offset: 4 State: Local AS: 69 Age: 7:48 Task: Common L2 VC Announcement bits (1): 0-KRT AS path: I so-0/0/0.0 (1 entry, 1 announced) TSI: KRT in-kernel so-0/0/0.0.0 /16 -> {indirect(288)} *L2VPN Preference: 7 Next hop: via so-0/0/1.0, selected Label operation: Push 800000 Offset: -4 Protocol next hop: 10.255.14.220 Push 800000 Offset: -4 Indirect next hop: 85142a0 288 State: Local AS: 69 Age: 7:48 Task: Common L2 VC Announcement bits (2): 0-KRT 1-Common L2 VC AS path: I Communities: target:69:1 Layer2-info: encaps:PPP, control flags:2, mtu: 0

show route protocol ldp

user@host> show route protocol ldp inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden) inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 192.168.16.1/32 192.168.17.1/32

*[LDP/9] 1d 23:03:35, metric 1 > via t1-4/0/0.0, Push 100000 *[LDP/9] 1d 23:03:35, metric 1 > via t1-4/0/0.0

private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) mpls.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 100064


*[LDP/9] 1d 23:03:35, metric 1

3199

®


100064(S=0) 100080

show route protocol ldp extensive

> via t1-4/0/0.0, Pop *[LDP/9] 1d 23:03:35, metric 1 > via t1-4/0/0.0, Pop *[LDP/9] 1d 23:03:35, metric 1 > via t1-4/0/0.0, Swap 100000

user@host> show route protocol ldp extensive 192.168.16.1/32 (1 entry, 1 announced) State: *LDP Preference: 9 Next-hop reference count: 3 Next hop: via t1-4/0/0.0, selected Label operation: Push 100000 State: Local AS: 65500 Age: 1d 23:03:58 Metric: 1 Task: LDP Announcement bits (2): 0-Resolve tree 1 2-Resolve tree 2 AS path: I 192.168.17.1/32 (1 entry, 1 announced) State: *LDP Preference: 9 Next-hop reference count: 3 Next hop: via t1-4/0/0.0, selected State: Local AS: 65500 Age: 1d 23:03:58 Metric: 1 Task: LDP Announcement bits (2): 0-Resolve tree 1 2-Resolve tree 2 AS path: I private1__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) mpls.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden) 100064 (1 entry, 1 announced) TSI: KRT in-kernel 100064 /36 -> {t1-4/0/0.0} *LDP Preference: 9 Next-hop reference count: 2 Next hop: via t1-4/0/0.0, selected State: Local AS: 65500 Age: 1d 23:03:58 Metric: 1 Task: LDP Announcement bits (1): 0-KRT AS path: I Prefixes bound to route: 192.168.17.1/32 100064(S=0) (1 entry, 1 announced) TSI: KRT in-kernel 100064 /40 -> {t1-4/0/0.0} *LDP Preference: 9 Next-hop reference count: 2 Next hop: via t1-4/0/0.0, selected Label operation: Pop State: Local AS: 65500 Age: 1d 23:03:58 Metric: 1 Task: LDP

3200



Announcement bits (1): 0-KRT AS path: I 100080 (1 entry, 1 announced) TSI: KRT in-kernel 100080 /36 -> {t1-4/0/0.0} *LDP Preference: 9 Next-hop reference count: 2 Next hop: via t1-4/0/0.0, selected Label operation: Swap 100000 State: Local AS: 65500 Age: 1d 23:03:58 Metric: 1 Task: LDP Announcement bits (1): 0-KRT AS path: I Prefixes bound to route: 192.168.16.1/32

show route protocol ospf (Layer 3 VPN)

user@host> show route protocol ospf inet.0: 40 destinations, 40 routes (39 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 10.39.1.4/30 10.39.1.8/30 10.255.14.171/32 10.255.14.179/32 224.0.0.5/32

*[OSPF/10] 00:05:18, > via t3-3/2/0.0 [OSPF/10] 00:05:18, > via t3-3/2/0.0 *[OSPF/10] 00:05:18, > via t3-3/2/0.0 *[OSPF/10] 00:05:18, > via t3-3/2/0.0 *[OSPF/10] 20:25:55,

metric 4 metric 2 metric 4 metric 2 metric 1

VPN-AB.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.39.1.16/30 10.255.14.173/32 224.0.0.5/32

show route protocol ospf detail

[OSPF/10] 00:05:43, metric 1 > via so-0/2/2.0 *[OSPF/10] 00:05:43, metric 1 > via so-0/2/2.0 *[OSPF/10] 20:26:20, metric 1

user@host> show route protocol ospf detail VPN-AB.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.39.1.16/30 (2 entries, 0 announced) OSPF Preference: 10 Nexthop: via so-0/2/2.0, selected State: Inactive reason: Route Preference Age: 6:25 Metric: 1 Area: 0.0.0.0 Task: VPN-AB-OSPF AS path: I Communities: Route-Type:0.0.0.0:1:0 ...

show route protocol rip

user@host> show route protocol rip


3201

®


inet.0: 26 destinations, 27 routes (25 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both VPN-AB.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.255.14.177/32 *[RIP/100] 20:24:34, metric 2 > to 10.39.1.22 via t3-0/2/2.0 224.0.0.9/32 *[RIP/100] 00:03:59, metric 1

show route protocol rip detail

user@host> show route protocol rip detail inet.0: 26 destinations, 27 routes (25 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both VPN-AB.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.255.14.177/32 (1 entry, 1 announced) *RIP Preference: 100 Nexthop: 10.39.1.22 via t3-0/2/2.0, selected State: Age: 20:25:02 Metric: 2 Task: VPN-AB-RIPv2 Announcement bits (2): 0-KRT 2-BGP.0.0.0.0+179 AS path: I Route learned from 10.39.1.22 expires in 96 seconds

show route protocol ripng table inet6

user@host> show route protocol ripng table inet6 inet6.0: 4215 destinations, 4215 routes (4214 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 1111::1/128 1111::2/128 1111::3/128 1111::4/128 1111::5/128 1111::6/128

3202

*[RIPng/100] 02:13:33, metric 2 > to fe80::2a0:a5ff:fe3d:56 via *[RIPng/100] 02:13:33, metric 2 > to fe80::2a0:a5ff:fe3d:56 via *[RIPng/100] 02:13:33, metric 2 > to fe80::2a0:a5ff:fe3d:56 via *[RIPng/100] 02:13:33, metric 2 > to fe80::2a0:a5ff:fe3d:56 via *[RIPng/100] 02:13:33, metric 2 > to fe80::2a0:a5ff:fe3d:56 via *[RIPng/100] 02:13:33, metric 2 > to fe80::2a0:a5ff:fe3d:56 via

t3-0/2/0.0 t3-0/2/0.0 t3-0/2/0.0 t3-0/2/0.0 t3-0/2/0.0 t3-0/2/0.0



show route range Syntax


Release Information

Description Options

show route range show route range

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display routing table entries using a prefix range. none—Display standard information about all routing table entries using a prefix range. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. destination-prefix—(Optional) Destination and prefix mask for the range. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show route range on page 3203 show route range destination-prefix on page 3204 show route range detail on page 3204 show route range extensive on page 3205 show route range terse on page 3206 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route range

user@host> show route range inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 10.10.0.0/16 10.209.0.0/16 10.255.71.14/32 172.16.0.0/12


*[Static/5] 00:30:01 > to 192.168.71.254 via fxp0.0 *[Static/5] 00:30:01 > to 192.168.71.254 via fxp0.0 *[Direct/0] 00:30:01 > via lo0.0 *[Static/5] 00:30:01

3203

®


192.168.0.0/16 192.168.64.0/21 192.168.71.14/32 192.168.102.0/23

> to 192.168.71.254 via fxp0.0 *[Static/5] 00:30:01 > to 192.168.71.254 via fxp0.0 *[Direct/0] 00:30:01 > via fxp0.0 *[Local/0] 00:30:01 Local via fxp0.0 *[Static/5] 00:30:01 > to 192.168.71.254 via fxp0.0

...

show route range destination-prefix

user@host> show route range 192.168.0.0 inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both 192.168.0.0/16 192.168.64.0/21 192.168.71.14/32 192.168.102.0/23

show route range detail

*[Static/5] 00:31:14 > to 192.168.71.254 via fxp0.0 *[Direct/0] 00:31:14 > via fxp0.0 *[Local/0] 00:31:14 Local via fxp0.0 *[Static/5] 00:31:14 > to 192.168.71.254 via fxp0.0

user@host> show route range detail inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 30:05 Task: RT Announcement bits (1): 0-KRT AS path: I 10.209.0.0/16 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 30:05 Task: RT Announcement bits (1): 0-KRT AS path: I 10.255.71.14/32 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Age: 30:05 Task: IF AS path: I 172.16.0.0/12 (1 entry, 1 announced) *Static Preference: 5 Next-hop reference count: 22

3204



Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 30:05 Task: RT Announcement bits (1): 0-KRT AS path: I ...

show route range extensive

user@host> show route range extensive inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden) 10.10.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.10.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 30:17 Task: RT Announcement bits (1): 0-KRT AS path: I 10.209.0.0/16 (1 entry, 1 announced) TSI: KRT in-kernel 10.209.0.0/16 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 30:17 Task: RT Announcement bits (1): 0-KRT AS path: I 10.255.71.14/32 (1 entry, 0 announced) *Direct Preference: 0 Next hop type: Interface Next-hop reference count: 1 Next hop: via lo0.0, selected State: Age: 30:17 Task: IF AS path: I 172.16.0.0/12 (1 entry, 1 announced) TSI: KRT in-kernel 172.16.0.0/12 -> {192.168.71.254} *Static Preference: 5 Next-hop reference count: 22 Next hop: 192.168.71.254 via fxp0.0, selected State: Age: 30:17 Task: RT Announcement bits (1): 0-KRT AS path: I ...


3205

®


show route range terse

user@host> show route range terse inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A * * * * * * * * * *

Destination 10.10.0.0/16 10.209.0.0/16 10.255.71.14/32 172.16.0.0/12 192.168.0.0/16 192.168.64.0/21 192.168.71.14/32 192.168.102.0/23 207.17.136.0/24 207.17.136.192/32

P Prf S 5 S 5 D 0 S 5 S 5 D 0 L 0 S 5 S 5 S 5

Metric 1

Metric 2

Next hop >192.168.71.254 >192.168.71.254 >lo0.0 >192.168.71.254 >192.168.71.254 >fxp0.0 Local >192.168.71.254 >192.168.71.254 >192.168.71.254

AS path

__juniper_private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both A Destination * 10.0.0.0/8 * 10.0.0.4/32

P Prf D 0 D 0 L 0

Metric 1

Metric 2

Next hop >fxp2.0 >fxp1.0 Local

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both A Destination P Prf Metric 1 Metric 2 Next hop 47.0005.80ff.f800.0000.0108.0001.0102.5507.1014/152 * D 0 >lo0.0

AS path

AS path

inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both A Destination P Prf Metric 1 abcd::10:255:71:14/128 * D 0 fe80::280:42ff:fe11:226f/128 * D 0

Metric 2

Next hop

AS path

>lo0.0 >lo0.0

__juniper_private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both A Destination P Prf Metric 1 fe80::280:42ff:fe11:226f/128 * D 0

3206

Metric 2

Next hop

AS path

>lo0.16385



show route receive-protocol Syntax

show route receive-protocol protocol neighbor-address ) indicates that the route is the selected route.

All levels

Localpref or Lclpref


All levels

3208



Table 360: show route receive-protocol Output Fields (continued) Field Name

Field Description

Level of Output

AS path

Autonomous system (AS) path through which the route was learned. The letters at the end of the AS path indicate the path origin, providing an indication of the state of the route at the point at which the AS path originated:

All levels

•

I—IGP.

•

E—EGP.

•



[ ]—Brackets enclose the number that precedes the AS path. This number

represents the number of ASs present in the AS path, when calculated as defined in RFC 4271. This value is used the AS-path merge process, as defined in RFC 4893. •

[ ]—If more than one AS number is configured on the router, or if AS path

prepending is configured, brackets enclose the local AS number associated with the AS path. •

{ }—Braces enclose AS sets, which are groups of AS numbers in which the

order does not matter. A set commonly results from route aggregation. The numbers in each AS set are displayed in ascending order. •


•


NOTE: In Junos OS Release 10.3 and later, the AS path field displays an unrecognized attribute and associated hexadecimal value if BGP receives attribute 128 (attribute set) and you have not configured an independent domain in any routing instance. Cluster list

(For route reflected output only) Cluster ID sent by the route reflector.

detail extensive

Originator ID

(For route reflected output only) Address of routing device that originally sent the route to the route reflector.

detail extensive

Communities

Community path attribute for the route. See the Output Field table in the show route detail command for all possible values for this field.

detail extensive

AIGP


detail extensive

Attrset AS

Number, local preference, and path of the AS that originated the route. These values are stored in the Attrset attribute at the originating routing device.

detail extensive

Layer2-info: encaps


detail extensive

control flags


detail extensive

mtu


detail extensive


3209

®


Sample Output show route receive-protocol bgp

user@host> show route receive-protocol bgp 10.255.245.215 inet.0: 28 destinations, Prefix 10.22.1.0/24 10.22.2.0/24

33 routes (27 active, 0 holddown, 1 hidden) Next hop MED Lclpref AS path 10.255.245.215 0 100 I 10.255.245.215 0 100 I

show route receive-protocol bgp extensive

user@host> show route receive-protocol bgp 10.255.245.63 extensive inet.0: 244 destinations, 244 routes (243 active, 0 holddown, 1 hidden) Prefix Next hop MED Lclpref AS path 1.1.1.0/24 (1 entry, 1 announced) Next hop: 10.0.50.3 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.45 165.3.0.0/16 (1 entry, 1 announced) Next hop: 111.222.5.254 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.68 165.4.0.0/16 (1 entry, 1 announced) Next hop: 111.222.5.254 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.45 195.1.2.0/24 (1 entry, 1 announced) Next hop: 111.222.5.254 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.68 inet.2: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden) Prefix Next hop MED Lclpref AS path inet.3: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden) Prefix Next hop MED Lclpref AS path iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Next hop MED Lclpref AS path mpls.0: 48 destinations, 48 routes (48 active, 0 holddown, 0 hidden)

show route receive-protocol bgp extensive

user@host> show route receive–protocol bgp 207.17.136.192 table inet.0 66.117.68.0/24 extensive inet.0: 227315 destinations, 227316 routes (227302 active, 0 holddown, 13 hidden) * 66.117.63.0/24 (1 entry, 1 announced) Nexthop: 207.17.136.29 Localpref: 100 AS path: AS2 PA[6]: 14203 2914 3356 29748 33437 AS_TRANS AS path: AS4 PA[2]: 33437 393219 AS path: Merged[6]: 14203 2914 3356 29748 33437 393219 I Communities: 2914:420 user@host> show route receive-protocol bgp 10.0.0.9 logical-system PE4 extensive inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden) * 10.0.0.0/30 (1 entry, 1 announced) Accepted Route Label: 3

3210



Nexthop: 10.0.0.9 AS path: 13979 I * 10.0.0.4/30 (1 entry, 1 announced) Accepted Route Label: 3 Nexthop: 10.0.0.9 AS path: 13979 I 10.0.0.8/30 (2 entries, 1 announced) Accepted Route Label: 3 Nexthop: 10.0.0.9 AS path: 13979 I * 10.9.9.1/32 (1 entry, 1 announced) Accepted Route Label: 3 Nexthop: 10.0.0.9 AS path: 13979 I * 10.100.1.1/32 (1 entry, 1 announced) Accepted Route Label: 3 Nexthop: 10.0.0.9 AS path: 13979 I * 44.0.0.0/24 (1 entry, 1 announced) Accepted Route Label: 300096 Nexthop: 10.0.0.9 AS path: 13979 I AIGP: 203 * 55.0.0.0/24 (1 entry, 1 announced) Accepted Route Label: 300112 Nexthop: 10.0.0.9 AS path: 13979 7018 I AIGP: 25 * 66.0.0.0/24 (1 entry, 1 announced) Accepted Route Label: 300144 Nexthop: 10.0.0.9 AS path: 13979 7018 I * 99.0.0.0/24 (1 entry, 1 announced) Accepted Route Label: 300160 Nexthop: 10.0.0.9 AS path: 13979 7018 I

show route receive-protocol bgp detail (Layer 2 VPN)

user@host> show route receive-protocol bgp 10.255.14.171 detail inet.0: 68 destinations, 68 routes (67 active, 0 holddown, 1 hidden) Prefix Nexthop MED Lclpref AS path inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path mpls.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)


3211

®


Prefix Nexthop MED Lclpref AS path frame-vpn.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.245.35:1:5:1/96 (1 entry, 1 announced) Route Distinguisher: 10.255.245.35:1 Label-base : 800000, range : 4, status-vector : 0x0 Nexthop: 10.255.245.35 Localpref: 100 AS path: I Communities: target:65299:100 Layer2-info: encaps:FRAME RELAY, control flags: 0, mtu: 0 bgp.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.245.35:1:5:1/96 (1 entry, 0 announced) Route Distinguisher: 10.255.245.35:1 Label-base : 800000, range : 4, status-vector : 0x0 Nexthop: 10.255.245.35 Localpref: 100 AS path: I Communities: target:65299:100 Layer2-info: encaps:FRAME RELAY, control flags:0, mtu: 0

show route receive-protocol bgp extensive (Layer 2 VPN)

user@host> show route receive-protocol bgp 10.255.14.171 extensive inet.0: 68 destinations, 68 routes (67 active, 0 holddown, 1 hidden) Prefix Nexthop MED Lclpref AS path inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path mpls.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path frame-vpn.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.245.35:1:5:1/96 (1 entry, 1 announced) Route Distinguisher: 10.255.245.35:1 Label-base : 800000, range : 4, status-vector : 0x0 Nexthop: 10.255.245.35 Localpref: 100 AS path: I Communities: target:65299:100 Layer2-info: encaps:FRAME RELAY, control flags:0, mtu: 0 bgp.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.245.35:1:5:1/96 (1 entry, 0 announced) Route Distinguisher: 10.255.245.35:1 Label-base : 800000, range : 4, status-vector : 0x0 Nexthop: 10.255.245.35 Localpref: 100 AS path: I Communities: target:65299:100 Layer2-info: encaps:FRAME RELAY, control flags:0, mtu: 0

show route receive-protocol bgp (Layer 3 VPN)

user@host> show route receive-protocol bgp 10.255.14.171 inet.0: 33 destinations, 33 routes (32 active, 0 holddown, 1 hidden) Prefix Nexthop MED Lclpref AS path inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path VPN-A.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.14.175/32 10.255.14.171 100 2 I

3212



10.255.14.179/32 10.255.14.171 2 100 I VPN-B.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.14.175/32 10.255.14.171 100 2 I 10.255.14.177/32 10.255.14.171 100 I iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path bgp.l3vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.255.14.171:300:10.255.14.177/32 10.255.14.171 100 I 10.255.14.171:100:10.255.14.179/32 10.255.14.171 2 100 I 10.255.14.171:200:10.255.14.175/32 10.255.14.171 100 2 I

show route receive-protocol bgp detail (Layer 3 VPN)

user@host> show route receive-protocol bgp 10.255.14.174 detail inet.0: 16 destinations, 17 routes (15 active, 0 holddown, 1 hidden) inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) vpna.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) * 10.49.0.0/30 (1 entry, 1 announced) Route Distinguisher: 10.255.14.176:2 VPN Label: 101264 Nexthop: 10.255.14.174 Localpref: 100 AS path: I Communities: target:200:100 AttrSet AS: 100 Localpref: 100 AS path: I * 10.255.14.172/32 (1 entry, 1 announced) Route Distinguisher: 10.255.14.176:2 VPN Label: 101280 Nexthop: 10.255.14.174 Localpref: 100 AS path: I Communities: target:200:100 AttrSet AS: 100 Localpref: 100 AS path: I iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) * 10.255.14.174:2:10.49.0.0/30 (1 entry, 0 announced) Route Distinguisher: 10.255.14.174:2 VPN Label: 101264 Nexthop: 10.255.14.174 Localpref: 100 AS path: I Communities: target:200:100 AttrSet AS: 100 Localpref: 100 AS path: I * 10.255.14.174:2:10.255.14.172/32 (1 entry, 0 announced) Route Distinguisher: 10.255.14.174:2 VPN Label: 101280 Nexthop: 10.255.14.174 Localpref: 100 AS path: I


3213

®


Communities: target:200:100 AttrSet AS: 100 Localpref: 100 AS path: I inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

show route receive-protocol bgp extensive (Layer 3 VPN)

3214

user@host> show route receive-protocol bgp 10.255.245.63 extensive inet.0: 244 destinations, 244 routes (243 active, 0 holddown, 1 hidden) Prefix Nexthop MED Lclpref AS path 1.1.1.0/24 (1 entry, 1 announced) Nexthop: 10.0.50.3 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.45 165.3.0.0/16 (1 entry, 1 announced) Nexthop: 111.222.5.254 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.68 165.4.0.0/16 (1 entry, 1 announced) Nexthop: 111.222.5.254 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.45 195.1.2.0/24 (1 entry, 1 announced) Nexthop: 111.222.5.254 Localpref: 100 AS path: I Cluster list: 10.2.3.1 Originator ID: 10.255.245.68 inet.2: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path inet.3: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path mpls.0: 48 destinations, 48 routes (48 active, 0 holddown, 0 hidden)



show route resolution Syntax


Release Information

Description

Options

show route resolution

show route resolution

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the entries in the next-hop resolution database. This database provides for recursive resolution of next hops through other prefixes in the routing table. none—Display standard information about all entries in the next-hop resolution database. brief | detail | extensive | summary—(Optional) Display the specified level of output. index index—(Optional) Show the index of the resolution tree. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. prefix network/destination-prefix—(Optional) Display database entries for the specified

address. table routing-table-name—(Optional) Display information about a particular routing table

(for example, inet.0) where policy-based export is currently enabled. unresolved—(Optional) Display routes that could not be resolved.


view

•


show route resolution detail on page 3216 show route resolution summary on page 3217 show route resolution unresolved on page 3217


3215

®


Output Fields

Table 361 on page 3216 describes the output fields for the show route resolution command. Output fields are listed in the approximate order in which they appear.

Table 361: show route resolution Output Fields Field Name

Field Description

routing-table-name

Name of the routing table whose prefixes are resolved using the entries in the route resolution database. For routing table groups, this is the name of the primary routing table whose prefixes are resolved using the entries in the route resolution database.

Tree index

Tree index identifier.

Nodes

Number of nodes in the tree.

Reference count


Contributing routing tables

Routing tables used for next-hop resolution.

Originating RIB

Name of the routing table whose active route was used to determine the forwarding next-hop entry in the resolution database. For example, in the case of inet.0 resolving through inet.0 and inet.3, this field indicates which routing table, inet.0 or inet.3, provided the best path for a particular prefix.

Metric

Metric associated with the forwarding next hop.

Node path count

Number of nodes in the path.

Forwarding next hops

Number of forwarding next hops. The forwarding next hop is the network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it.

Sample Output show route resolution detail

3216

user@host> show route resolution detail Tree Index: 1, Nodes 0, Reference Count 1 Contributing routing tables: inet.3 Tree Index: 2, Nodes 23, Reference Count 1 Contributing routing tables: inet.0 inet.3 10.10.0.0/16 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 1 10.31.1.0/30 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 1 10.31.1.1/32 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 0 10.31.1.4/30 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 1 10.31.1.5/32 Originating RIB: inet.0 Node path count: 1



Forwarding nexthops: 0 10.31.2.0/30 Originating RIB: inet.0 Metric: 2 Node path count: 1 Forwarding nexthops: 2 10.31.11.0/24 Originating RIB: inet.0 Node path count: 1 Forwarding nexthops: 1

show route resolution summary

user@host> show route resolution summary Tree Index: 1, Nodes 24, Reference Count 1 Contributing routing tables: :voice.inet.0 :voice.inet.3 Tree Index: 2, Nodes 2, Reference Count 1 Contributing routing tables: inet.3 Tree Index: 3, Nodes 43, Reference Count 1 Contributing routing tables: inet.0 inet.3

show route resolution unresolved

user@host> show route resolution unresolved Tree Index 1 vt-3/2/0.32769.0 /16 Protocol Nexthop: 10.255.71.238 Push 800000 Indirect nexthop: 0 vt-3/2/0.32772.0 /16 Protocol Nexthop: 10.255.70.103 Push 800008 Indirect nexthop: 0 Tree Index 2


3217

®


show route snooping Syntax

Release Information

Description Options

show route snooping

Command introduced in Junos OS Release 8.5. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the entries in the routing table that were learned from snooping. none—Display the entries in the routing table that were learned from snooping. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. all—(Optional) Display all entries, including hidden entries. best address/prefix—(Optional) Display the longest match for the provided address and

optional prefix. exact address/prefix—(Optional) Display exact matches for the provided address and

optional prefix. range prefix-range—(Optional) Display information for the provided address range. summary—(Optional) Display route snooping summary statisitics. table table-name—(Optional) Display information for the named table.


view

show route snooping detail on page 3218 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route snooping detail

3218

user@host> show route snooping detail __+domainAll__.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) 224.0.0.2/32 (1 entry, 1 announced) *IGMP Preference: 0 Next hop type: MultiRecv Next-hop reference count: 4 State: Age: 2:24



Task: IGMP Announcement bits (1): 0-KRT AS path: I 224.0.0.22/32 (1 entry, 1 announced) *IGMP Preference: 0 Next hop type: MultiRecv Next-hop reference count: 4 State: Age: 2:24 Task: IGMP Announcement bits (1): 0-KRT AS path: I __+domainAll__.inet.1: 36 destinations, 36 routes (36 active, 0 holddown, 0 hidden) 224.0.0.0.0.0.0.0/24 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4), Next hop index: 1048584 Next-hop reference count: 4 State: Age: 2:24 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.2.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:13 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.3.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.4.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:17 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.5.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State:


3219

®


Age: 1:58 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.6.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:14 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.7.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:12 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.9.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:13 Task: MC Announcement bits (1): 0-KRT AS path: I 225.0.0.10.11.11.11.100.3.9.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 226.0.0.1.11.11.11.100.3.10.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:09 Task: MC Announcement bits (1): 0-KRT AS path: I 226.0.0.2.11.11.11.100.3.10.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 8

3220



Task: MC Announcement bits (1): 0-KRT AS path: I 226.0.0.4.11.11.11.100.3.10.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:10 Task: MC Announcement bits (1): 0-KRT AS path: I 226.0.0.8.11.11.11.100.3.10.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:12 Task: MC Announcement bits (1): 0-KRT AS path: I 226.0.0.10.11.11.11.100.3.10.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 1:56 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.1.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:10 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.2.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:13 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.3.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:16 Task: MC


3221

®


Announcement bits (1): 0-KRT AS path: I 227.0.0.4.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.5.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 1:57 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.7.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 1:57 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.8.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:10 Task: MC Announcement bits (1): 0-KRT AS path: I 227.0.0.10.11.11.11.100.3.11.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 228.0.0.1.11.11.11.100.3.12.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:09 Task: MC Announcement bits (1): 0-KRT

3222



AS path: I 228.0.0.2.11.11.11.100.3.12.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:18 Task: MC Announcement bits (1): 0-KRT AS path: I 228.0.0.7.11.11.11.100.3.12.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:11 Task: MC Announcement bits (1): 0-KRT AS path: I 228.0.0.8.11.11.11.100.3.12.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:17 Task: MC Announcement bits (1): 0-KRT AS path: I 228.0.0.9.11.11.11.100.3.12.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 8 Task: MC Announcement bits (1): 0-KRT AS path: I 228.0.0.10.11.11.11.100.3.12.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:12 Task: MC Announcement bits (1): 0-KRT AS path: I 229.0.0.3.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:09 Task: MC Announcement bits (1): 0-KRT AS path: I


3223

®


229.0.0.4.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:12 Task: MC Announcement bits (1): 0-KRT AS path: I 229.0.0.5.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 9 Task: MC Announcement bits (1): 0-KRT AS path: I 229.0.0.6.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 229.0.0.7.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 229.0.0.8.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:15 Task: MC Announcement bits (1): 0-KRT AS path: I 229.0.0.9.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:14 Task: MC Announcement bits (1): 0-KRT AS path: I

3224



229.0.0.10.11.11.11.100.3.13.0.0/80 (1 entry, 1 announced) *Multicast Preference: 180 Next hop type: Multicast (IPv4) Next-hop reference count: 113 State: Age: 2:13 Task: MC Announcement bits (1): 0-KRT AS path: I


3225

®


show route source-gateway Syntax


Description

Options

show route source-gateway address show route source-gateway address

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the entries in the routing table that were learned from a particular address. The Source field in the show route detail command output lists the source for each route, if known. brief | detail | extensive | terse—(Optional) Display the specified level of output. If you do

not specify a level of output, the system defaults to brief. address—IP address of the system. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show route source-gateway on page 3226 show route source-gateway detail on page 3227 show route source-gateway extensive on page 3229 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route source-gateway

user@host> show route source-gateway 10.255.70.103 inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 7 destinations, 7 routes (5 active, 0 holddown, 2 hidden) Restart Complete inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) Restart Complete

3226



private1__.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) green.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.255.70.103:1:3:1/96 *[BGP/170] 12:12:24, localpref 100, from 10.255.70.103 AS path: I > via so-0/3/0.0, label-switched-path green-r1-r3 red.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.255.70.103:2:3:1/96 *[BGP/170] 12:12:24, localpref 0, from 10.255.70.103 AS path: I > via so-0/3/0.0, label-switched-path green-r1-r3 bgp.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 10.255.70.103:1:3:1/96 *[BGP/170] 12:12:24, localpref 100, from 10.255.70.103 AS path: I > via so-0/3/0.0, label-switched-path green-r1-r3 10.255.70.103:2:3:1/96 *[BGP/170] 12:12:24, localpref 0, from 10.255.70.103 AS path: I > via so-0/3/0.0, label-switched-path green-r1-r3

show route source-gateway detail

user@host> show route source-gateway 10.255.70.103 detail inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 7 destinations, 7 routes (5 active, 0 holddown, 2 hidden) Restart Complete inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) Restart Complete green.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103:1:3:1/96 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.70.103:1 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103


3227

®


Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:14:00 Metric2: 1 Task: BGP_69.10.255.70.103+179 Announcement bits (1): 0-green-l2vpn AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8 Localpref: 100 Router ID: 10.255.70.103 Primary Routing Table bgp.l2vpn.0 red.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103:2:3:1/96 (1 entry, 1 announced) *BGP Preference: 170/-1 Route Distinguisher: 10.255.70.103:2 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:14:00 Metric2: 1 Task: BGP_69.10.255.70.103+179 Announcement bits (1): 0-red-l2vpn AS path: I Communities: target:11111:2 Layer2-info: encaps:VPLS, control flags:Site-Down, mtu: 0 Label-base: 800016, range: 8 Localpref: 0 Router ID: 10.255.70.103 Primary Routing Table bgp.l2vpn.0 bgp.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103:1:3:1/96 (1 entry, 0 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.70.103:1 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:14:00 Metric2: 1 Task: BGP_69.10.255.70.103+179 AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8 Localpref: 100 Router ID: 10.255.70.103 Secondary Tables: green.l2vpn.0 10.255.70.103:2:3:1/96 (1 entry, 0 announced) *BGP Preference: 170/-1 Route Distinguisher: 10.255.70.103:2

3228



Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:14:00 Metric2: 1 Task: BGP_69.10.255.70.103+179 AS path: I Communities: target:11111:2 Layer2-info: encaps:VPLS, control flags:Site-Down, mtu: 0 Label-base: 800016, range: 8 Localpref: 0 Router ID: 10.255.70.103 Secondary Tables: red.l2vpn.0

show route source-gateway extensive

user@host> show route source-gateway 10.255.70.103 extensive inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete private1__.inet.0: 2 destinations, 3 routes (2 active, 0 holddown, 0 hidden) iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete mpls.0: 7 destinations, 7 routes (5 active, 0 holddown, 2 hidden) Restart Complete inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) Restart Complete green.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103:1:3:1/96 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.70.103:1 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:15:24 Metric2: 1 Task: BGP_69.10.255.70.103+179 Announcement bits (1): 0-green-l2vpn AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8 Localpref: 100 Router ID: 10.255.70.103 Primary Routing Table bgp.l2vpn.0 red.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103:2:3:1/96 (1 entry, 1 announced)


3229

®


*BGP

Preference: 170/-1 Route Distinguisher: 10.255.70.103:2 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:15:24 Metric2: 1 Task: BGP_69.10.255.70.103+179 Announcement bits (1): 0-red-l2vpn AS path: I Communities: target:11111:2 Layer2-info: encaps:VPLS, control flags:Site-Down, mtu: 0 Label-base: 800016, range: 8 Localpref: 0 Router ID: 10.255.70.103 Primary Routing Table bgp.l2vpn.0

bgp.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete 10.255.70.103:1:3:1/96 (1 entry, 0 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.70.103:1 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:15:24 Metric2: 1 Task: BGP_69.10.255.70.103+179 AS path: I Communities: target:11111:1 Layer2-info: encaps:VPLS, control flags:, mtu: 0 Label-base: 800008, range: 8 Localpref: 100 Router ID: 10.255.70.103 Secondary Tables: green.l2vpn.0 Indirect next hops: 1 Protocol next hop: 10.255.70.103 Metric: 2 Indirect next hop: 2 no-forward Indirect path forwarding next hops: 1 Next hop: via so-0/3/0.0 weight 0x1 10.255.70.103/32 Originating RIB: inet.3 Metric: 2 Node path count: 1 Forwarding nexthops: 1 Nexthop: via so-0/3/0.0 10.255.70.103:2:3:1/96 (1 entry, 0 announced) *BGP Preference: 170/-1 Route Distinguisher: 10.255.70.103:2 Next-hop reference count: 7 Source: 10.255.70.103 Protocol next hop: 10.255.70.103 Indirect next hop: 2 no-forward State: Local AS: 69 Peer AS: 69 Age: 12:15:24 Metric2: 1 Task: BGP_69.10.255.70.103+179

3230



AS path: I Communities: target:11111:2 Layer2-info: encaps:VPLS, control flags:Site-Down, mtu: 0 Label-base: 800016, range: 8 Localpref: 0 Router ID: 10.255.70.103 Secondary Tables: red.l2vpn.0 Indirect next hops: 1 Protocol next hop: 10.255.70.103 Metric: 2 Indirect next hop: 2 no-forward Indirect path forwarding next hops: 1 Next hop: via so-0/3/0.0 weight 0x1 10.255.70.103/32 Originating RIB: inet.3 Metric: 2 Node path count: 1 Forwarding nexthops: 1 Nexthop: via so-0/3/0.0


3231

®


show route summary Syntax


Description

show route summary show route summary

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display summary statistics about the entries in the routing table. CPU utilization might increase while the device learns routes. We recommend that you use the show route summary command after the device learns and enters the routes into the routing table. Depending on the size of your network, this might take several minutes. If you receive a “timeout communicating with routing daemon” error when using the show route summary command, wait several minutes before attempting to use the command again. This is not a critical system error, but you might experience a delay in using the command-line interface (CLI).

Options

none—Display summary statistics about the entries in the routing table. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show route summary on page 3233 Table 362 on page 3232 lists the output fields for the show route summary command. Output fields are listed in the approximate order in which they appear.

Table 362: show route summary Output Fields Field Name

Field Description

routing-table-name


destinations


routes

Number of routes in the routing table: •

active—Number of routes that are active.

•

holddown—Number of routes that are in the hold-down state before

being declared inactive. •

3232

hidden—Number of routes that are not used because of routing policy.

Direct

Routes on the directly connected network.

Local

Local routes.



Table 362: show route summary Output Fields (continued) Field Name

Field Description

protocol-name

Name of the protocol from which the route was learned. For example, OSPF, RSVP, and Static.

Sample Output show route summary

user@host> show route summary Autonomous system number: 69 Router ID: 10.255.71.52 Maximum-ECMP: 32 inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden) Restart Complete Direct: 6 routes, 5 active Local: 4 routes, 4 active OSPF: 5 routes, 4 active Static: 7 routes, 7 active IGMP: 1 routes, 1 active PIM: 2 routes, 2 active inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) Restart Complete RSVP: 2 routes, 2 active iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete Direct: 1 routes, 1 active mpls.0: 7 destinations, 7 routes (5 active, 0 holddown, 2 hidden) Restart Complete MPLS: 3 routes, 3 active VPLS: 4 routes, 2 active inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) Restart Complete Direct: 2 routes, 2 active PIM: 2 routes, 2 active MLD: 1 routes, 1 active green.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete BGP: 2 routes, 2 active L2VPN: 2 routes, 2 active red.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) Restart Complete BGP: 2 routes, 2 active L2VPN: 1 routes, 1 active bgp.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Restart Complete BGP: 4 routes, 4 active


3233

®


show route table Syntax


Description Options

show route table routing-table-name show route table routing-table-name

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the route entries in a particular routing table. brief | detail | extensive | terse—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. routing-table-name—Display route entries for all routing tables whose name begins with

this string (for example, inet.0 and inet6.0 are both displayed when you run the show route table inet command). Required Privilege Level Related Documentation List of Sample Output

3234

view

•

show route summary on page 3232

show route table bgp.l2.vpn on page 3235 show route table bgp.l3vpn.0 on page 3235 show route table bgp.l3vpn.0 detail on page 3235 show route table inet.0 on page 3236 show route table inet6.0 on page 3237 show route table inet6.3 on page 3237 show route table l2circuit.0 on page 3237 show route table mpls on page 3238 show route table mpls extensive on page 3238 show route table mpls.0 on page 3238 show route table mpls.0 (RSVP Route—Transit LSP) on page 3239 show route table vpls_1 detail on page 3239 show route table vpn-a on page 3239 show route table vpn-a.mdt.0 on page 3240 show route table VPN-AB.inet.0 on page 3240 show route table VPN_blue.mvpn-inet6.0 on page 3240 show route table VPN-A detail on page 3241 show route table inetflow detail on page 3241



Output Fields

For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output show route table bgp.l2.vpn

user@host> show route table bgp.l2.vpn bgp.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 192.168.24.1:1:4:1/96 *[BGP/170] 01:08:58, localpref 100, from 192.168.24.1 AS path: I > to 10.0.16.2 via fe-0/0/1.0, label-switched-path am

show route table bgp.l3vpn.0

user@host> show route table bgp.l3vpn.0 bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.255.71.15:100:10.255.71.17/32 *[BGP/170] 00:03:59, MED 1, localpref 100, from 10.255.71.15 AS path: I > via so-2/1/0.0, Push 100020, Push 100011(top) 10.255.71.15:200:10.255.71.18/32 *[BGP/170] 00:03:59, MED 1, localpref 100, from 10.255.71.15 AS path: I > via so-2/1/0.0, Push 100021, Push 100011(top)

show route table bgp.l3vpn.0 detail

user@host> show route table bgp.l3vpn.0 detail bgp.l3vpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) 10.255.245.12:1:4.0.0.0/8 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.245.12:1 Source: 10.255.245.12 Next hop: 192.168.208.66 via fe-0/0/0.0, selected Label operation: Push 182449 Protocol next hop: 10.255.245.12 Push 182449 Indirect next hop: 863a630 297 State: Local AS: 35 Peer AS: 35 Age: 12:19 Metric2: 1 Task: BGP_35.10.255.245.12+179 Announcement bits (1): 0-BGP.0.0.0.0+179 AS path: 30 10458 14203 2914 3356 I (Atomic) Aggregator: 3356 4.68.0.11 Communities: 2914:420 target:11111:1 origin:56:78 VPN Label: 182449 Localpref: 100 Router ID: 10.255.245.12 10.255.245.12:1:4.17.225.0/24 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.245.12:1 Source: 10.255.245.12 Next hop: 192.168.208.66 via fe-0/0/0.0, selected


3235

®


Label operation: Push 182465 Protocol next hop: 10.255.245.12 Push 182465 Indirect next hop: 863a8f0 305 State: Local AS: 35 Peer AS: 35 Age: 12:19 Metric2: 1 Task: BGP_35.10.255.245.12+179 Announcement bits (1): 0-BGP.0.0.0.0+179 AS path: 30 10458 14203 2914 11853 11853 11853 6496 6496 6496 6496 6496 6496 I Communities: 2914:410 target:12:34 target:11111:1 origin:12:34 VPN Label: 182465 Localpref: 100 Router ID: 10.255.245.12 10.255.245.12:1:4.17.226.0/23 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.245.12:1 Source: 10.255.245.12 Next hop: 192.168.208.66 via fe-0/0/0.0, selected Label operation: Push 182465 Protocol next hop: 10.255.245.12 Push 182465 Indirect next hop: 86bd210 330 State: Local AS: 35 Peer AS: 35 Age: 12:19 Metric2: 1 Task: BGP_35.10.255.245.12+179 Announcement bits (1): 0-BGP.0.0.0.0+179 AS path: 30 10458 14203 2914 11853 11853 11853 6496 6496 6496 6496 6496 6496 I Communities: 2914:410 target:12:34 target:11111:1 origin:12:34 VPN Label: 182465 Localpref: 100 Router ID: 10.255.245.12 10.255.245.12:1:4.17.251.0/24 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.245.12:1 Source: 10.255.245.12 Next hop: 192.168.208.66 via fe-0/0/0.0, selected Label operation: Push 182465 Protocol next hop: 10.255.245.12 Push 182465 Indirect next hop: 86bd210 330 State: Local AS: 35 Peer AS: 35 Age: 12:19 Metric2: 1 Task: BGP_35.10.255.245.12+179 Announcement bits (1): 0-BGP.0.0.0.0+179 AS path: 30 10458 14203 2914 11853 11853 11853 6496 6496 6496 6496 6496 6496 I Communities: 2914:410 target:12:34 target:11111:1 origin:12:34 VPN Label: 182465 Localpref: 100

show route table inet.0

3236

user@host> show route table inet.0 inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both



0.0.0.0/0 1.0.0.1/32 1.0.0.2/32 12.12.12.21/32 13.13.13.13/32 13.13.13.14/32 13.13.13.21/32 13.13.13.22/32 127.0.0.1/32 111.222.5.0/24 111.222.5.81/32

show route table inet6.0

*[Static/5] 00:51:57 > to 111.222.5.254 via fxp0.0 *[Direct/0] 00:51:58 > via at-5/3/0.0 *[Local/0] 00:51:58 Local *[Local/0] 00:51:57 Reject *[Direct/0] 00:51:58 > via t3-5/2/1.0 *[Local/0] 00:51:58 Local *[Local/0] 00:51:58 Local *[Direct/0] 00:33:59 > via t3-5/2/0.0 [Direct/0] 00:51:58 > via lo0.0 *[Direct/0] 00:51:58 > via fxp0.0 *[Local/0] 00:51:58 Local

user@host> show route table inet6.0 inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Route, * = Both fec0:0:0:3::/64 *[Direct/0] 00:01:34 >via fe-0/1/0.0 fec0:0:0:3::/128 *[Local/0] 00:01:34 >Local fec0:0:0:4::/64 *[Static/5] 00:01:34 >to fec0:0:0:3::ffff via fe-0/1/0.0

show route table inet6.3

user@router> show route table inet6.3 inet6.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ::10.255.245.195/128 *[LDP/9] 00:00:22, metric 1 > via so-1/0/0.0 ::10.255.245.196/128 *[LDP/9] 00:00:08, metric 1 > via so-1/0/0.0, Push 100008

show route table l2circuit.0

user@host> show route table l2circuit.0 l2circuit.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.1.1.195:NoCtrlWord:1:1:Local/96 *[L2CKT/7] 00:50:47 > via so-0/1/2.0, Push 100049 via so-0/1/3.0, Push 100049 10.1.1.195:NoCtrlWord:1:1:Remote/96 *[LDP/9] 00:50:14 Discard 10.1.1.195:CtrlWord:1:2:Local/96


3237

®


*[L2CKT/7] 00:50:47 > via so-0/1/2.0, Push 100049 via so-0/1/3.0, Push 100049 10.1.1.195:CtrlWord:1:2:Remote/96 *[LDP/9] 00:50:14 Discard

show route table mpls

user@host> show route table mpls mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0 1 2 1024

show route table mpls extensive

show route table mpls.0

user@host> show route table mpls extensive 100000 (1 entry, 1 announced) TSI: KRT in-kernel 100000 /36 -> {so-1/0/0.0} *LDP Preference: 9 Next hop: via so-1/0/0.0, selected Pop State: Age: 29:50 Metric: 1 Task: LDP Announcement bits (1): 0-KRT AS path: I Prefixes bound to route: 10.0.0.194/32 user@host> show route table mpls.0 mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0 1 2 100000 100001 100002

100002(S=0)

100003

100004

3238

*[MPLS/0] 00:13:55, metric 1 Receive *[MPLS/0] 00:13:55, metric 1 Receive *[MPLS/0] 00:13:55, metric 1 Receive *[VPN/0] 00:04:18 to table red.inet.0, Pop

*[MPLS/0] 00:45:09, metric 1 Receive *[MPLS/0] 00:45:09, metric 1 Receive *[MPLS/0] 00:45:09, metric 1 Receive *[L2VPN/7] 00:43:04 > via so-0/1/0.1, Pop *[L2VPN/7] 00:43:03 > via so-0/1/0.2, Pop Offset: 4 *[LDP/9] 00:43:22, metric 1 via so-0/1/2.0, Pop > via so-0/1/3.0, Pop *[LDP/9] 00:43:22, metric 1 via so-0/1/2.0, Pop > via so-0/1/3.0, Pop *[LDP/9] 00:43:22, metric 1 > via so-0/1/2.0, Swap 100002 via so-0/1/3.0, Swap 100002 *[LDP/9] 00:43:16, metric 1 via so-0/1/2.0, Swap 100049 > via so-0/1/3.0, Swap 100049



so-0/1/0.1

so-0/1/0.2

show route table mpls.0 (RSVP Route—Transit LSP)

100001, Push 100049(top) 100001, Push 100049(top) 100000, Push 100049(top) Offset: -4 100000, Push 100049(top) Offset: -4

user@host> show route table mpls.0 mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0 1 2 13 300352 300352(S=0) 300384 300384(S=0)

show route table vpls_1 detail

*[L2VPN/7] 00:43:04 > via so-0/1/2.0, Push via so-0/1/3.0, Push *[L2VPN/7] 00:43:03 via so-0/1/2.0, Push > via so-0/1/3.0, Push

*[MPLS/0] 00:37:31, metric 1 Receive *[MPLS/0] 00:37:31, metric 1 Receive *[MPLS/0] 00:37:31, metric 1 Receive *[MPLS/0] 00:37:31, metric 1 Receive *[RSVP/7/1] 00:08:00, metric 1 > to 8.64.0.106 via ge-1/0/1.0, *[RSVP/7/1] 00:08:00, metric 1 > to 8.64.0.106 via ge-1/0/1.0, *[RSVP/7/2] 00:05:20, metric 1 > to 8.64.1.106 via ge-1/0/0.0, *[RSVP/7/2] 00:05:20, metric 1 > to 8.64.1.106 via ge-1/0/0.0,

label-switched-path lsp1_p2p label-switched-path lsp1_p2p Pop Pop

user@host> show route table vpls_1 detail vpls_1.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) Restart Complete 1.1.1.11:1000:1:1/96 (1 entry, 1 announced) *L2VPN Preference: 170/-1 Receive table: vpls_1.l2vpn.0 Next-hop reference count: 2 State: Age: 4:29:47 Metric2: 1 Task: vpls_1-l2vpn Announcement bits (1): 1-BGP.0.0.0.0+179 AS path: I Communities: Layer2-info: encaps:VPLS, control flags:Site-Down Label-base: 800000, range: 8, status-vector: 0xFF

show route table vpn-a

user@host> show route table vpn-a vpn-a.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 192.168.16.1:1:1:1/96 *[VPN/7] 05:48:27 Discard 192.168.24.1:1:2:1/96 *[BGP/170] 00:02:53, localpref 100, from 192.168.24.1 AS path: I > to 10.0.16.2 via fe-0/0/1.0, label-switched-path am 192.168.24.1:1:3:1/96 *[BGP/170] 00:02:53, localpref 100, from 192.168.24.1


3239

®


AS path: I > to 10.0.16.2 via fe-0/0/1.0, label-switched-path am

show route table vpn-a.mdt.0

user@host> show route table vpn-a.mdt.0 vpn-a.mdt.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1:1:0:10.255.14.216:232.1.1.1/144 *[MVPN/70] 01:23:05, metric2 1 Indirect 1:1:1:10.255.14.218:232.1.1.1/144 *[BGP/170] 00:57:49, localpref 100, from 10.255.14.218 AS path: I > via so-0/0/0.0, label-switched-path r0e-to-r1 1:1:2:10.255.14.217:232.1.1.1/144 *[BGP/170] 00:57:49, localpref 100, from 10.255.14.217 AS path: I > via so-0/0/1.0, label-switched-path r0-to-r2

show route table VPN-AB.inet.0

user@host> show route table VPN-AB.inet.0 VPN-AB.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.39.1.0/30 10.39.1.4/30 10.39.1.6/32 10.255.71.16/32 10.255.71.17/32 10.255.71.15

10.255.71.18/32 10.255.71.15

10.255.245.245/32

10.255.245.246/32

show route table VPN_blue.mvpn-inet6.0

*[OSPF/10] 00:07:24, metric 1 > via so-7/3/1.0 *[Direct/0] 00:08:42 > via so-5/1/0.0 *[Local/0] 00:08:46 Local *[Static/5] 00:07:24 > via so-2/0/0.0 *[BGP/170] 00:07:24, MED 1, localpref 100, from AS path: I > via so-2/1/0.0, Push 100020, Push 100011(top) *[BGP/170] 00:07:24, MED 1, localpref 100, from AS path: I > via so-2/1/0.0, Push 100021, Push 100011(top) *[BGP/170] 00:08:35, localpref 100 AS path: 2 I > to 10.39.1.5 via so-5/1/0.0 *[OSPF/10] 00:07:24, metric 1 > via so-7/3/1.0

user@host> show route table VPN_blue.mvpn-inet6.0 vpn_blue.mvpn-inet6.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 1:10.255.2.202:65535:10.255.2.202/432 *[BGP/170] 00:02:37, localpref 100, from 10.255.2.202 AS path: I > via so-0/1/3.0 1:10.255.2.203:65535:10.255.2.203/432 *[BGP/170] 00:02:37, localpref 100, from 10.255.2.203 AS path: I > via so-0/1/0.0 1:10.255.2.204:65535:10.255.2.204/432 *[MVPN/70] 00:57:23, metric2 1 Indirect

3240



5:10.255.2.202:65535:128:::192.168.90.2:128:ffff::1/432 *[BGP/170] 00:02:37, localpref 100, from 10.255.2.202 AS path: I > via so-0/1/3.0 6:10.255.2.203:65535:65000:128:::10.12.53.12:128:ffff::1/432 *[PIM/105] 00:02:37 Multicast (IPv6) 7:10.255.2.202:65535:65000:128:::192.168.90.2:128:ffff::1/432 *[MVPN/70] 00:02:37, metric2 1 Indirect

show route table VPN-A detail

user@host> show route table VPN-A detail VPN-AB.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden) 10.255.179.9/32 (1 entry, 1 announced) *BGP Preference: 170/-101 Route Distinguisher: 10.255.179.13:200 Next hop type: Indirect Next-hop reference count: 5 Source: 10.255.179.13 Next hop type: Router, Next hop index: 732 Next hop: 10.39.1.14 via fe-0/3/0.0, selected Label operation: Push 299824, Push 299824(top) Protocol next hop: 10.255.179.13 Push 299824 Indirect next hop: 8f275a0 1048574 State: (Secondary Active Int Ext) Local AS: 1 Peer AS: 1 Age: 3:41:06 Metric: 1 Metric2: 1 Task: BGP_1.10.255.179.13+64309 Announcement bits (2): 0-KRT 1-BGP RT Background AS path: I Communities: target:1:200 rte-type:0.0.0.0:1:0 Import Accepted VPN Label: 299824 TTL Action: vrf-ttl-propagate Localpref: 100 Router ID: 10.255.179.13 Primary Routing Table bgp.l3vpn.0

show route table inetflow detail

user@host> show route table inetflow detail inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) 10.12.44.1,*/48 (1 entry, 1 announced) *BGP Preference: 170/-101 Next-hop reference count: 2 State: **Active Ext> Local AS: 65002 Peer AS: 65000 Age: 4 Task: BGP_65000.10.12.99.5+3792 Announcement bits (1): 0-Flow AS path: 65000 I Communities: traffic-rate:0:0 Validation state: Accept, Originator: 10.12.99.5 Via: 10.12.44.0/24, Active Localpref: 100 Router ID: 10.255.71.161 10.12.56.1,*/48 (1 entry, 1 announced) *Flow Preference: 5 Next-hop reference count: 2 State: **Active> Local AS: 65002 Age: 6:30


3241

®


Task: RT Flow Announcement bits (2): 0-Flow 1-BGP.0.0.0.0+179 AS path: I Communities: 1:1

3242



show route terse Syntax

show route terse


show route terse

Release Information


Description

Display a high-level summary of the routes in the routing table.

NOTE: For BGP routes, the show route terse command displays the local preference attribute and MED instead of metric1 and metric2 values. This is mostly due to historical reasons. To display the metric1 and metric2 value of a BGP route, use the show route extensive command.

Options

none—Display a high-level summary of the routes in the routing table. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view


show route terse on page 3245

Output Fields

Table 363 on page 3243 describes the output fields for the show route terse command. Output fields are listed in the approximate order in which they appear.

Table 363: show route terse Output Fields Field Name

Field Description

routing-table-name


number destinations


number routes


active (routes that are active)

•

holddown (routes that are in the pending state before being declared inactive)

•

hidden (routes that are not used because of a routing policy)


3243

®


Table 363: show route terse Output Fields (continued) Field Name

Field Description

route key

Key for the state of the route: •




•


A

Active route. An asterisk (*) indicates this is the active route.

Destination


P

Protocol through which the route was learned: •

A—Aggregate

•

B—BGP

•

C—CCC

•

D—Direct

•

G—GMPLS

•

I—IS-IS

•

L—L2CKT, L2VPN, LDP, Local

•

K—Kernel

•

M—MPLS, MSDP

•

O—OSPF

•

P—PIM

•

R—RIP, RIPng

•

S—Static

•

T—Tunnel

Prf

Preference value of the route. In every routing metric except for the BGP LocalPref attribute, a lesser value is preferred. In order to use common comparison routines, Junos OS stores the 1's complement of the LocalPref value in the Preference2 field. For example, if the LocalPref value for Route 1 is 100, the Preference2 value is -101. If the LocalPref value for Route 2 is 155, the Preference2 value is -156. Route 2 is preferred because it has a higher LocalPref value and a lower Preference2 value.

Metric 1

First metric value in the route. For routes learned from BGP, this is the MED metric.

Metric 2

Second metric value in the route. For routes learned from BGP, this is the IGP metric.

Next hop


AS path

AS path through which the route was learned. The letters at the end of the AS path indicate the path origin, providing an indication of the state of the route at the point at which the AS path originated:

3244

•

I—IGP.

•

E—EGP.

•




Sample Output show route terse

user@host> show route terse inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both A * * * * * * * *

Destination 0.0.0.0/0 1.0.0.1/32 1.0.0.2/32 12.12.12.21/32 13.13.13.13/32 13.13.13.14/32 13.13.13.21/32 13.13.13.22/32 127.0.0.1/32 * 111.222.5.0/24 * 111.222.5.81/32 * 224.0.0.5/32


P Prf Metric 1 Metric 2 S 5 D 0 L 0 L 0 D 0 L 0 L 0 D 0 D 0 D 0 L 0 O 10 1

Next hop >111.222.5.254 >at-5/3/0.0 Local Reject >t3-5/2/1.0 Local Local >t3-5/2/0.0 >lo0.0 >fxp0.0 Local MultiRecv

AS path

3245

®


3246


PART 17

Multicast •

Understanding Multicast on page 3249

•

Examples: Multicast Configuration on page 3269

•

Configuring Multicast on page 3281

•

Verifying Multicast on page 3305

•

Configuration Statements for Multicast on page 3313

•

Operational Commands for Multicast on page 3409


3247

®


3248


CHAPTER 81

Understanding Multicast •


•

Understanding Multicast VLAN Registration on EX Series Switches on page 3257

•


IGMP Snooping on EX Series Switches Overview Internet Group Management Protocol (IGMP) snooping constrains the flooding of IPv4 multicast traffic on VLANs on a switch. When IGMP snooping is enabled on a VLAN, a Juniper Networks EX Series Ethernet Switch examines IGMP messages between hosts and multicast routers and learns which hosts are interested in receiving traffic for a multicast group. Based on what it learns, the switch then forwards multicast traffic only to those interfaces in the VLAN that are connected to interested receivers instead of flooding the traffic to all interfaces. IGMP snooping on EX Series switches supports IGMP version 1 (IGMPv1), IGMPv2, and IGMPv3. For details on IGMP, see the following standards: •

IGMPv1—See RFC 1112, Host extensions for IP multicasting.

•

IGMPv2—See RFC 2236, Internet Group Management Protocol, Version 2.

•

For IGMPv3—See RFC 3376, Internet Group Management Protocol, Version 3.


How IGMP Snooping Works on page 3249

•

IGMP Message Types on page 3250

•

How Hosts Join and Leave Multicast Groups on page 3251

•

Support for IGMPv3 Multicast Sources on page 3251

•

IGMP Snooping and Forwarding Interfaces on page 3252

•

General Forwarding Rules on page 3252

•

Examples of IGMP Snooping Multicast Forwarding on page 3253

How IGMP Snooping Works A Layer 2 switch usually learns unicast media access control (MAC) addresses by checking the source address field of the frames it receives. However, a multicast MAC address can


3249

®


never be the source address for a packet. As a result, the switch floods multicast traffic on the VLAN, consuming significant amounts of bandwidth. You can enable IGMP snooping on a switch to avoid this flooding. When IGMP snooping is enabled, the switch monitors IGMP messages between receivers and multicast routers and uses the content of the messages to build an IPv4 multicast forwarding table—a database of multicast groups and the interfaces that are connected to members of the groups. When the switch receives multicast traffic for a multicast group, it uses the forwarding table to forward the traffic only to interfaces that are connected to receivers that belong to the multicast group. Figure 80 on page 3250 shows an example of multicast traffic flow with IGMP snooping enabled.

Figure 80: Multicast Traffic Flow with IGMP Snooping Enabled Host A

Host B

Multicast router

Group 1 Group 2 multicast traffic multicast traffic

EX Ser Switch ies

Host 1

Host 4

IGMPgroup 1

IGMPgroup 2

IGMPgroup 2

Host 3

IGMPgroup 1

g020079

Host 2

IGMP Message Types Multicast routers use IGMP to learn, for each of their attached physical networks, which groups have interested listeners. In any given subnet, one multicast router acts as an IGMP querier. The IGMP querier sends out the following types of queries to hosts:

3250

•

General query—Asks whether any host is listening to any group.

•

Group-specific query—(IGMPv2 and IGMPv3 only) Asks whether any host is listening to a specific multicast group. This query is sent in response to a host leaving the multicast group and allows the router to quickly determine if any remaining hosts are interested in the group.

•

Group-and-source-specific query—(IGMPv3 only) Asks whether any host is listening to group multicast traffic from a specific multicast source. This query is sent in response to a host indicating that it is not longer interested in receiving group multicast traffic


Chapter 81: Understanding Multicast

from the multicast source and allows the router to quickly determine any remaining hosts are interested in receiving group multicast traffic from that source. Hosts that are multicast listeners send the following kinds of messages: •

Membership report—Indicates that the host wants to join a particular multicast group.

•

Leave report—(IGMPv2 and IGMPv3 only) Indicates that the host wants to leave a particular multicast group.

How Hosts Join and Leave Multicast Groups Hosts can join multicast groups in either of two ways: •

By sending an unsolicited IGMP join message to a multicast router that specifies the IP multicast group that the host is attempting to join.

•

By sending an IGMP join message in response to a general query from a multicast router.

A multicast router continues to forward multicast traffic to a VLAN provided that at least one host on that VLAN responds to the periodic general IGMP queries. For a host to remain a member of a multicast group, therefore, it must continue to respond to the periodic general IGMP queries. Hosts can leave a multicast group in either of two ways: •

By not responding to periodic queries within a set interval of time. This results in what is known as a “silent leave.” This is the only method available to IGMPv1 hosts.

•

By sending a leave report. This method can be used by IGMPv2 and IGMPv3 hosts.

NOTE: If a host is connected to the switch through a hub, the host does not automatically leave the multicast group if it disconnects from the hub. The host remains a member of the group until group membership times out and a silent leave occurs. If another host connects to the hub port before the silent leave occurs, the new host might receive the group multicast traffic until the silent leave, even though it never sent an membership report.

Support for IGMPv3 Multicast Sources In IGMPv3, a host can send a membership report that includes a list of source addresses. When the host sends a membership report in INCLUDE mode, the host is interested in group multicast traffic only from those sources in the source address list. If host sends a membership report in EXCLUDE mode, the host is interested in group multicast traffic from any source except the sources in the source address list. A host can also send an EXCLUDE report in which the source-list parameter is empty, which is known as an EXCLUDE NULL report. An EXCLUDE NULL report indicates that the host wants to join the multicast group and receive packets from all sources.


3251

®


EX Series switches support IGMPv3 membership reports that are in INCLUDE and EXCLUDE mode. However, EX Series switches do not support forwarding on a per-source basis. Instead, a switch consolidates all INCLUDE and EXCLUDE mode reports it receives on a VLAN for a specified group into a single route that includes all multicast sources for that group, with the next hop being all interfaces that have interested receivers for the group. As a result, interested receivers on the VLAN can receive traffic from a source that they did not include in their INCLUDE report or from a source they excluded in their EXCLUDE report. For example, if Host 1 wants traffic for G from Source A and Host 2 wants traffic for G from Source B, they both receive traffic for G regardless of whether A or B sends the traffic.

IGMP Snooping and Forwarding Interfaces To determine how to forward multicast traffic, a switch with IGMP snooping enabled maintains information about the following interfaces in its multicast forwarding table: •

Multicast-router interfaces—These interfaces lead toward multicast routers or IGMP queriers.

•

Group-member interfaces—These interfaces lead toward hosts that are members of multicast groups.

The switch learns about these interfaces by monitoring IGMP traffic. If an interface receives IGMP queries or Protocol Independent Multicast (PIM) updates, the switch adds the interface to its multicast forwarding table as a multicast-router interface. If an interface receives membership reports for a multicast group, the switch adds the interface to its multicast forwarding table as a group-member interface. Table entries for interfaces that the switch learns about are subject to aging. For example, if a learned multicast-router interface does not receive IGMP queries or PIM hellos within a certain interval, the switch removes the entry for that interface from its multicast forwarding table.

NOTE: For a switch to learn multicast-router interfaces and group-member interfaces, an IGMP querier must exist in the network. For the switch itself to function as an IGMP querier, IGMP must be enabled on the switch.

You can statically configure an interface to be a multicast-router interface or a group-member interface. The switch adds a static interface to its multicast forwarding table without having to learn about the interface, and the entry in the table is not subject to aging. You can have a mix of statically configured and dynamically learned interfaces on a switch.

General Forwarding Rules Multicast traffic received on a switch interface in a VLAN on which IGMP snooping is enabled is forwarded according to the following rules.

3252



IGMP traffic is forwarded as follows: •

IGMP general queries received on a multicast-router interface are forwarded to all other interfaces in the VLAN.

•

IGMP group-specific queries received on a multicast-router interface are forwarded to only those interfaces in the VLAN that are members of the group.

•

IGMP reports received on a host interface are forwarded to multicast-router interfaces in the same VLAN, but not to the other host interfaces in the VLAN.

Multicast traffic that is not IGMP traffic is forwarded as follows: •

A multicast packet with a destination address of 224.0.0.0/24 is flooded to all other interfaces on the VLAN.

•

An unregistered multicast packet—that is, a packet for a group that has no current members—is forwarded to all multicast-router interfaces in the VLAN.

•

A registered multicast packet is forwarded only to those host interfaces in the VLAN that are members of the multicast group and to all multicast-router interfaces in the VLAN.

Examples of IGMP Snooping Multicast Forwarding The following examples are provided to illustrate how IGMP snooping forwards multicast traffic in different topologies: •

Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts on page 3253

•

Scenario 2: Switch Forwarding Multicast Traffic to Another Switch on page 3254

•

Scenario 3: Switch Connected to Hosts Only (No IGMP Querier) on page 3255

•

Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs on page 3256

Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts In the topology shown in Figure 81 on page 3254, a switch acting as a Layer 2 device receives multicast traffic belonging to multicast group 239.10.1.1 from Source A, which is connected to the multicast router. It also receives multicast traffic belonging to multicast group 225.100.100.1 from Source B, which is connected directly to the switch. All interfaces on the switch belong to the same VLAN. Because the switch receives IGMP queries from the multicast router on interface P1, IGMP snooping learns that interface P1 is a multicast-router interface and adds the interface to its multicast cache table. It forwards any IGMP general queries it receives on this interface to all host interfaces on the switch, and, in turn, forwards membership reports it receives from hosts to the multicast-router interface. In the example, Hosts A and C have responded to the membership queries with membership reports for group 239.10.1.1. IGMP snooping adds interfaces P2 and P4 to its


3253

®


multicast cache table as member interfaces for group 239.10.1.1. It forwards the group multicast traffic received from Source A to Hosts A and C, but not to Hosts B and D. Host B has responded to the membership queries with a membership report for group 225.100.100.1. The switch adds interface P3 to its multicast cache table as a member interface for group 225.100.100.1 and forwards multicast traffic it receives from Source B to Host B. The switch also forwards the multicast traffic it receives from Source B to the multicast-router interface P1.

Figure 81: Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts Multicast Router

Multicast-router Interface

Source A 239.10.1.1

P1

P6 Source B 225.100.100.1 P3

P4

P5

Host A

Host B

Host C

Receiver 239.10.1.1

Receiver 225.100.100.1

Receiver 239.10.1.1

Host D

g040707

P2

Scenario 2: Switch Forwarding Multicast Traffic to Another Switch In the topology show in Figure 82 on page 3255, a multicast source is connected to Switch A. Switch A in turn is connected to another switch, Switch B. Hosts on both Switch A and B are potential members of the multicast group. Both switches are acting as Layer 2 devices and all interfaces on the switches are members of the same VLAN. Switch A receives IGMP queries from the multicast router on interface P1, making interface P1 a multicast-router interface for Switch A. Switch A forwards all general IGMP queries it receives on this interface to the other interfaces on the switch, including the interface connecting Switch B. Because Switch B receives the forwarded IGMP queries on interface P6, P6 is the multicast-router interface for Switch B. Switch B forwards the group membership report it receives from Host C to Switch A through its multicast-router interface. Switch A forwards the membership report to its multicast-router interface, includes interface P5 in its multicast cache table as a group-member interface, and forwards multicast traffic from the source to Switch B.

3254



Figure 82: Scenario 2: Switch Forwarding Multicast Traffic to Another Switch Multicast Router



P1

P2

Switch A

P5

Switch B

P6

Source 239.100.1.1 P4

P7

Host A

Host B

Host C

Receiver

Receiver 239.100.1.1

Receiver 239.100.1.1

P8

Host D

g040708

P3

In certain implementations, you might have to configure P6 on Switch B as a static multicast-router interface to avoid a delay in a host receiving multicast traffic. For example, if Switch B receives unsolicited membership reports from its hosts before it learns which interface is its multicast-router interface, it does not forward those reports to Switch A. If Switch A then receives multicast traffic, it does not forward the traffic to Switch B, because it has not received any membership reports on interface P5. This issue will resolve when the multicast router sends out its next general query; however, it can cause a delay in the host receiving multicast traffic. You can statically configure interface P6 as a multicast-router interface to solve this issue.

Scenario 3: Switch Connected to Hosts Only (No IGMP Querier) In the topology shown in Figure 83 on page 3256, a switch is connected to a multicast source and to hosts. There is no multicast router in this topology—hence there is no IGMP querier. Without an IGMP querier to respond to, a host does not send periodic membership reports. As a result, even if the host sends an unsolicited join to join a multicast group, its membership in the multicast group times out. For IGMP snooping to work correctly in this network so that the switch forwards multicast traffic to Hosts A and C only, you can either: •

Configure interfaces P2 and P4 as static group-member interfaces.

•

Configure a routed VLAN interface (RVI) on the VLAN and enable IGMP on it. In this case, the switch itself acts as an IGMP querier, and the hosts can dynamically join the multicast group and refresh their group membership by responding to the queries.


3255

®


Figure 83: Scenario 3: Switch Connected to Hosts Only (No IGMP Querier)

Source 239.10.1.1

P1

P3

P4

P5

Host A

Host B

Host C

Receiver 239.10.1.1

Receiver

Receiver 239.10.1.1

Host D

g040709

P2

Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs In the topology shown in Figure 84 on page 3257, a multicast source, Multicast Router A, and Hosts A and B are connected to the switch and are in VLAN 10. Multicast Router B and Hosts C and D are also connected to the switch and are in VLAN 20. In a pure Layer 2 environment, traffic is not forwarded between VLANs. For Host C to receive the multicast traffic from the source on VLAN 10, RVIs must be created on VLAN 10 and VLAN 20 to permit routing of the multicast traffic between the VLANs. In addition, PIM must be enabled on the switch to perform the multicast routing.

3256



Figure 84: Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs Multicast Router A

Multicast Router B


Multicast-router Interface P1

P7

RVI vlan.10

RVI vlan.20

P2 Source 239.10.1.1

P3

P4

P5

P6

Host D

Host A

Host B


VLAN 10

Receiver 239.10.1.1

VLAN 20

g040710

Receiver 239.10.1.1

Host C

•


•

Example: Configuring IGMP Snooping on EX Series Switches on page 3269

•

Configuring IGMP Snooping (CLI Procedure) on page 3281

•


Understanding Multicast VLAN Registration on EX Series Switches Multicast VLAN registration (MVR) allows you to efficiently distribute IPTV multicast streams across an Ethernet ring-based Layer 2 network and reduce the amount of bandwidth consumed by this multicast traffic. In a standard Layer 2 network, a multicast stream received on one VLAN is never distributed to interfaces outside that VLAN. If hosts in multiple VLANs request the same multicast stream, a separate copy of that multicast stream is distributed to the requesting VLANs. MVR introduces the concept of a multicast source VLAN (MVLAN), which is created by MVR and becomes the only VLAN over which IPTV multicast traffic flows throughout the Layer 2 network. The Juniper Networks EX Series Ethernet Switch that is enabled for MVR selectively forward IPTV multicast traffic from interfaces on the MVLAN (source interfaces) to hosts that are connected to interfaces that are not part of the MVLAN.


3257

®


These interfaces are known as MVR receiver ports. The MVR receiver ports can receive traffic from a port on the MVLAN but cannot send traffic onto the MVLAN, and they remain in their own VLANs for bandwidth and security reasons. This topic includes: •

How MVR Works on page 3258

How MVR Works In many ways, MVR is similar to IGMP snooping. Both monitor IGMP join and leave messages and build forwarding tables based on the media access control (MAC) addresses of the hosts sending those IGMP messages. Whereas IGMP snooping operates within a given VLAN to regulate multicast traffic, MVR can operate with hosts on different VLANs in a Layer 2 network to selectively deliver IPTV multicast traffic to requesting hosts, thereby reducing the amount of bandwidth needed to forward multicast traffic. When you configure an MVLAN, you assign a range of multicast group addresses to it. You then configure other VLANs to be MVR receiver VLANs, which receive multicast streams from the MVLAN. The MVR receiver ports comprise all the interfaces that exist on any of the MVR receiver VLANs. Interfaces that are on the MVLAN itself cannot be MVR receiver ports for that MVLAN.

NOTE: MVR is supported on VLANs running IGMP version 2 (IGMPv2) only.

MVR Modes MVR operates in two modes: MVR transparent mode and MVR proxy mode. Both modes allow MVR to forward only one copy of a multicast stream to the Layer 2 network. •

MVR Transparent Mode on page 3258

•

MVR Proxy Mode on page 3259

MVR Transparent Mode In MVR transparent mode (the default mode), the switch receives one copy of each IPTV multicast stream and then replicates the stream only to those hosts that want to receive it, while forwarding all other types of multicast traffic without modification. Transparent mode is the default mode. The switch handles IGMP packets destined for both the multicast source VLAN and multicast receiver VLANs in the same way that it handles them when MVR is not being used. That is, when a host on a VLAN sends IGMP join and leave messages, the switch floods the messages to all router interfaces in the VLAN. Similarly, when a VLAN receives IGMP queries from its router interfaces, it floods the queries to all interfaces in the VLAN. If a host on a multicast receiver port joins an MVR group on the multicast receiver VLAN, the appropriate bridging entry is added and the MVLAN forwards that group’s IPTV multicast traffic on that port (even though that port is not in the MVLAN). Likewise, if a host on a multicast receiver port leaves an MVR group on the multicast receiver VLAN, the appropriate bridging entry is deleted and the MVLAN stops forwarding that group’s

3258



IPTV multicast traffic on that port. In addition, you can configure the switch to statically install the bridging entries on the multicast receiver VLAN. MVR Proxy Mode When you use MVR in proxy mode, the switch acts as a proxy for any MVR group in both the upstream and downstream directions. In the downstream direction, the switch acts as the querier for the groups in the MVR receiver VLANs. In the upstream direction, the switch originates the IGMP reports and leaves and answers IGMP queries from multicast routers. When the MVR receiver VLANs receive IGMP joins and leaves, the switch creates bridging entries on the MVLAN as needed, as it does in MVR transparent mode. In addition, the switch sends out IGMP joins and leaves on the MVLAN based on these bridging entries. Configuring MVR proxy mode on the MVLAN automatically enables IGMP snooping proxy mode on all MVR receiver VLANs as well as on the MVLAN. Related Documentation

•

Example: Configuring Multicast VLAN Registration on EX Series Switches on page 3272

•

Configuring Multicast VLAN Registration (CLI Procedure) on page 3291

Understanding MLD Snooping on EX Series Switches Multicast Listener Discovery (MLD) snooping constrains the flooding of IPv6 multicast traffic on VLANs on a switch. When MLD snooping is enabled on a VLAN, a Juniper Networks EX Series Ethernet Switch examines MLD messages between hosts and multicast routers and learns which hosts are interested in receiving traffic for a multicast group. Based on what it learns, the switch then forwards multicast traffic only to those interfaces in the VLAN that are connected to interested receivers instead of flooding the traffic to all interfaces. MLD snooping on EX Series switches supports MLD version 1 (MLDv1) and MLDv2. For details on MLDv1 and MLDv2, see the following standards: •

MLDv1—See RFC 2710, Multicast Listener Discovery (MLD) for IPv6.

•

MLDv2—See RFC 3810, Multicast Listener Discovery Version 2 (MLDv2) for IPv6.


How MLD Snooping Works on page 3260

•

MLD Message Types on page 3261

•

How Hosts Join and Leave Multicast Groups on page 3261

•

Support for MLDv2 Multicast Sources on page 3262

•

MLD Snooping and Forwarding Interfaces on page 3262

•

General Forwarding Rules on page 3263

•

Examples of MLD Snooping Multicast Forwarding on page 3263


3259

®


How MLD Snooping Works By default, a switch floods Layer 2 multicast traffic on all interfaces on a switch, except for the interface that is the source of the multicast traffic. This behavior can consume significant amounts of bandwidth. You can enable MLD snooping to avoid this flooding. When you enable MLD snooping, the switch monitors MLD messages between receivers and multicast routers and uses the content of the messages to build an IPv6 multicast forwarding table—a database of IPv6 multicast groups and the interfaces that are connected to members of the groups. When the switch receives multicast traffic for a multicast group, it uses the forwarding table to forward the traffic only to interfaces that are connected to receivers that belong to the multicast group. Figure 85 on page 3260 shows an example of multicast traffic flow with MLD snooping enabled.

Figure 85: Multicast Traffic Flow with MLD Snooping Enabled Host A

Host B

Multicast router

Group 1 Group 2 multicast traffic multicast traffic

EX Se Switchries

Host 1

Host 4

MLD group 1

MLD group 2

MLD group 2

3260

Host 3

MLD group 1

g041194

Host 2



MLD Message Types Multicast routers use MLD to learn, for each of their attached physical networks, which groups have interested listeners. In any given subnet, one multicast router is elected to act as an MLD querier. The MLD querier sends out the following types of queries to hosts: •

General query—Asks whether any host is listening to any group.

•

Group-specific query—Asks whether any host is listening to a specific multicast group. This query is sent in response to a host leaving the multicast group and allows the router to quickly determine if any remaining hosts are interested in the group.

•

Group-and-source-specific query—(MLD version 2 only) Asks whether any host is listening to group multicast traffic from a specific multicast source. This query is sent in response to a host indicating that it is not longer interested in receiving group multicast traffic from the multicast source and allows the router to quickly determine any remaining hosts are interested in receiving group multicast traffic from that source.

Hosts that are multicast listeners send the following kinds of messages: •

Membership report—Indicates that the host wants to join a particular multicast group.

•

Leave report—Indicates that the host wants to leave a particular multicast group.

Strictly speaking, only MLDv1 hosts use two different kinds of reports to indicate whether they want to join or leave a group. MLDv2 hosts send only one kind of report, the contents of which indicate whether they want to join or leave a group. However, for simplicity’s sake, the MLD snooping documentation uses the term membership report for a report that indicates that a host wants to join a group and uses the term leave report for a report that indicates a host wants to leave a group.

How Hosts Join and Leave Multicast Groups Hosts can join multicast groups in either of two ways: •

By sending an unsolicited membership report that specifies the multicast group that the host is attempting to join.

•

By sending an membership report in response to a query from a multicast router.

A multicast router continues to forward multicast traffic to a VLAN provided that at least one host on that VLAN responds to the periodic general queries. For a host to remain a member of a multicast group, therefore, it must continue to respond to the periodic general queries. Hosts can leave multicast groups in either of two ways: •

By not responding to periodic queries within a set interval of time. This results in what is known as a “silent leave.”

•

By sending a leave report.


3261

®


NOTE: If a host is connected to the switch through a hub, the host does not automatically leave the multicast group if it disconnects from the hub. The host remains a member of the group until group membership times out and a silent leave occurs. If another host connects to the hub port before the silent leave occurs, the new host might receive the group multicast traffic until the silent leave, even though it never sent an membership report.

Support for MLDv2 Multicast Sources In MLDv2, a host can send a membership report that includes a list of source addresses. When the host sends a membership report in INCLUDE mode, the host is interested in group multicast traffic only from those sources in the source address list. If host sends a membership report in EXCLUDE mode, the host is interested in group multicast traffic from any source except the sources in the source address list. A host can also send an EXCLUDE report in which the source-list parameter is empty, which is known as an EXCLUDE NULL report. An EXCLUDE NULL report indicates that the host wants to join the multicast group and receive packets from all sources. EX Series switches support MLDv2 membership reports that are in INCLUDE and EXCLUDE mode. However, EX Series switches do not support forwarding on a per-source basis. Instead, a switch consolidates all INCLUDE and EXCLUDE mode reports it receives on a VLAN for a specified group into a single route that includes all multicast sources for that group, with the next hop being all interfaces that have interested receivers for the group. As a result, interested receivers on the VLAN can receive traffic from a source that they did not include in their INCLUDE report or from a source they excluded in their EXCLUDE report. For example, if Host 1 wants traffic for G from Source A and Host 2 wants traffic for G from Source B, they both receive traffic for G regardless of whether A or B sends the traffic.

MLD Snooping and Forwarding Interfaces To determine how to forward multicast traffic, a switch with MLD snooping enabled maintains information about the following interfaces in its multicast forwarding table: •

Multicast-router interfaces—These interfaces lead toward multicast routers or MLD queriers.

•

Group-member interfaces—These interfaces lead toward hosts that are members of multicast groups.

The switch learns about these interfaces by monitoring MLD traffic. If an interface receives MLD queries or Protocol Independent Multicast (PIM) updates, the switch adds the interface to its multicast forwarding table as a multicast-router interface. If an interface receives membership reports for a multicast group, the switch adds the interface to its multicast forwarding table as a group-member interface. Table entries for interfaces that the switch learns about are subject to aging. For example, if a learned multicast-router interface does not receive MLD queries or PIM hellos within a certain interval, the switch removes the entry for that interface from its multicast forwarding table.

3262



NOTE: For a switch to learn multicast-router interfaces and group-member interfaces, an MLD querier must exist in the network. For the switch itself to function as an MLD querier, MLD must be enabled on the switch.

You can statically configure an interface to be a multicast-router interface or a group-member interface. The switch adds a static interface to its multicast forwarding table without having to learn about the interface, and the entry in the table is not subject to aging. You can have a mix of statically configured and dynamically learned interfaces on a switch.

General Forwarding Rules Multicast traffic received on a switch interface in a VLAN on which MLD snooping is enabled is forwarded according to the following rules. MLD protocol traffic is forwarded as follows: •

MLD general queries received on a multicast-router interface are forwarded to all other interfaces in the VLAN.

•

MLD group-specific queries received on a multicast-router interface are forwarded to only those interfaces in the VLAN that are members of the group.

•

MLD reports received on a host interface are forwarded to multicast-router interfaces in the same VLAN, but not to the other host interfaces in the VLAN.

Multicast traffic that is not MLD protocol traffic is forwarded as follows: •

An unregistered multicast packet—that is, a packet for a group that has no current members—is forwarded to all multicast-router interfaces in the VLAN.

•

A registered multicast packet is forwarded only to those host interfaces in the VLAN that are members of the multicast group and to all multicast-router interfaces in the VLAN.

Examples of MLD Snooping Multicast Forwarding The following examples are provided to illustrate how MLD snooping forwards multicast traffic in different topologies: •

Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts on page 3263

•

Scenario 2: Switch Forwarding Multicast Traffic to Another Switch on page 3264

•

Scenario 3: Switch Connected to Hosts Only (No MLD Querier) on page 3266

•

Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs on page 3266

Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts In the topology shown in Figure 86 on page 3264, a switch acting as a Layer 2 device receives multicast traffic belonging to multicast group ff1e::2010 from Source A, which is connected


3263

®


to the multicast router. It also receives multicast traffic belonging to multicast group ff15::2 from Source B, which is connected directly to the switch. All interfaces on the switch belong to the same VLAN. Because the switch receives MLD queries from the multicast router on interface P1, MLD snooping learns that interface P1 is a multicast-router interface and adds the interface to its multicast forwarding table. It forwards any MLD general queries it receives on this interface to all host interfaces on the switch, and, in turn, forwards membership reports it receives from hosts to the multicast-router interface. In the example, Hosts A and C have responded to the general queries with membership reports for group ff1e::2010. MLD snooping adds interfaces P2 and P4 to its multicast forwarding table as member interfaces for group ff1e::2010. It forwards the group multicast traffic received from Source A to Hosts A and C, but not to Hosts B and D. Host B has responded to the general queries with a membership report for group ff15::2. The switch adds interface P3 to its multicast forwarding table as a member interface for group ff15::2 and forwards multicast traffic it receives from Source B to Host B. The switch also forwards the multicast traffic it receives from Source B to the multicast-router interface P1.

Figure 86: Scenario 1: Switch Forwarding Multicast Traffic to a Multicast Router and Hosts Multicast Router


Source A ff1e::2010

P1

P6 Source B ff15::2 P3

P4

P5

Host A

Host B

Host C

Receiver ff1e::2010

Receiver ff15::2

Receiver ff1e::2010

Host D

g041195

P2

Scenario 2: Switch Forwarding Multicast Traffic to Another Switch In the topology show in Figure 87 on page 3265, a multicast source is connected to Switch A. Switch A in turn is connected to another switch, Switch B. Hosts on both Switch A and

3264



B are potential members of the multicast group. Both switches are acting as Layer 2 devices, and all interfaces on the switches are members of the same VLAN. Switch A receives MLD queries from the multicast router on interface P1, making interface P1 a multicast-router interface for Switch A. Switch A forwards all general queries it receives on this interface to the other interfaces on the switch, including the interface connecting Switch B. Because Switch B receives the forwarded MLD queries on interface P6, P6 is the multicast-router interface for Switch B. Switch B forwards the membership report it receives from Host C to Switch A through its multicast-router interface. Switch A forwards the membership report to its multicast-router interface, includes interface P5 in its multicast forwarding table as a group-member interface, and forwards multicast traffic from the source to Switch B.

Figure 87: Scenario 2: Switch Forwarding Multicast Traffic to Another Switch Multicast Router



P1

P2

Switch A

P5

P6

Switch B

Source ff1e::2010 P4

P7

Host A

Host B

Host C

Receiver

Receiver ff1e::2010

Receiver ff1e::2010

P8

Host D

g041197

P3

In certain implementations, you might have to configure P6 on Switch B as a static multicast-router interface to avoid a delay in a host receiving multicast traffic. For example, if Switch B receives unsolicited membership reports from its hosts before it learns which interface is its multicast-router interface, it does not forward those reports to Switch A. If Switch A then receives multicast traffic, it does not forward the traffic to Switch B, because it has not received any membership reports on interface P5. This issue will resolve when the multicast router sends out its next general query; however, it can cause a delay in the host receiving multicast traffic. You can statically configure interface P6 as a multicast-router interface to solve this issue.


3265

®


Scenario 3: Switch Connected to Hosts Only (No MLD Querier) In the topology shown in Figure 88 on page 3266, a switch is connected to a multicast source and to hosts. There is no multicast router in this topology—hence there is no MLD querier. Without an MLD querier to respond to, a host does not send periodic membership reports. As a result, even if the host sends an unsolicited membership report to join a multicast group, its membership in the multicast group will time out. For MLD snooping to work correctly in this network so that the switch forwards multicast traffic to Hosts A and C only, you can either: •

Configure interfaces P2 and P4 as static group-member interfaces.

•

Configure a routed VLAN interface (RVI) on the VLAN and enable MLD on it. In this case, the switch itself acts as an MLD querier, and the hosts can dynamically join the multicast group and refresh their group membership by responding to the queries.

Figure 88: Scenario 3: Switch Connected to Hosts Only (No MLD Querier)

Source

ff1e::2010

P1

P3

P4

P5

Host A

Host B

Host C

Receiver ff1e::2010

Receiver

Receiver ff1e::2010

Host D

g041196

P2

Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs In the topology shown in Figure 89 on page 3267, a multicast source, Multicast Router A, and Hosts A and B are connected to the switch and are in VLAN 10. Multicast Router B and Hosts C and D are also connected to the switch and are in VLAN 20. In a pure Layer 2 environment, traffic is not forwarded between VLANs. For Host C to receive the multicast traffic from the source on VLAN 10, RVIs must be created on VLAN

3266



10 and VLAN 20 to permit routing of the multicast traffic between the VLANs. In addition, PIM must be enabled on the switch to perform the multicast routing.

Figure 89: Scenario 4: Layer 2/Layer 3 Switch Forwarding Multicast Traffic Between VLANs Multicast Router A

Multicast Router B


Multicast-router Interface P1

P7

RVI vlan.10

RVI vlan.20

P2 Source ff1e::2010

P3

P4

P5

P6

Host D

Host A

Host B


VLAN 10

Receiver ff1e::2010

VLAN 20

g041198

Receiver ff1e::2010

Host C

•

Example: Configuring MLD Snooping on EX Series Switches on page 3276

•

Configuring MLD Snooping on a VLAN (CLI Procedure) on page 3292

•

Verifying MLD Snooping (CLI Procedure) on page 3306


3267

®


3268


CHAPTER 82

Examples: Multicast Configuration •


•


•


Example: Configuring IGMP Snooping on EX Series Switches You can enable IGMP snooping on a VLAN to constrain the flooding of IPv4 multicast traffic on a VLAN. When IGMP snooping is enabled, a switch examines IGMP messages between hosts and multicast routers and learns which hosts are interested in receiving multicast traffic for a multicast group. Based on what it learns, the switch then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding the traffic to all interfaces. This example describes how to configure IGMP snooping: •


•


•


•

Verifying IGMP Snooping Operation on page 3271



•


Before you configure IGMP snooping, be sure you have: •

Configured the vlan100 VLAN on the switch

•

Assigned interfaces ge-0/0/0, ge-0/0/1, ge-0/0/2, and ge-0/0/12 to vlan100

•

Configured ge-0/0/12 as a trunk interface.

See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.


3269

®


Overview and Topology In this example, interfaces ge-0/0/0, ge-0/0/1, and ge-0/0/2 on the switch are in vlan100 and are connected to hosts that are potential multicast receivers. Interface ge-0/0/12, a trunk interface also in vlan100, is connected to a multicast router. The router acts as the IGMP querier and forwards multicast traffic for group 255.100.100.100 to the switch from a multicast source. The example topology is illustrated in Figure 90 on page 3270.

Figure 90: Example IGMP Snooping Topology Multicast Router

Multicast Source for Group 225.100.100.100 ge-0/0/12 vlan100 EX Series Switch ge-0/0/2 vlan100

ge-0/0/0 vlan100 ge-0/0/1 vlan100

Host A Host B

g041213

Host C

In this example topology, the multicast router forwards multicast traffic to the switch from the source when it receives a memberhsip report for group 255.100.100.100 from one of the hosts—for example, Host B. If IGMP snooping is not enabled on vlan100, the switch floods the multicast traffic on all interfaces in vlan100 (except for interface ge-0/0/12). If IGMP snooping is enabled on vlan100, the switch monitors the IGMP messages between the hosts and router, allowing it to determine that only Host B is interested in receiving the multicast traffic. The switch then forwards the multicast traffic only to interface ge-0/0/1. IGMP snooping is enabled on all VLANs in the default factory configuration. For many implementations, IGMP snooping requires no additional configuration. This example shows how to perform the following optional configurations, which can reduce group join and leave latency: •

3270

Configure immediate leave on the VLAN. When immediate leave is configured, the switch stops forwarding multicast traffic on an interface when it detects that the last member of the multicast group has left the group. If immediate leave is not configured, the switch waits until the group-specific queries time out before it stops forwarding traffic.


Chapter 82: Examples: Multicast Configuration

Immediate leave is supported by IGMP version 2 (IGMPv2) and IGMPv3. With IGMPv2, we recommend that you configure immediate leave only when there is only one IGMP host on an interface. In IGMPv2, only one host on a interface sends a membership report in response to a group-specifc query—any other interested hosts suppress their reports to avoid a flood of reports for the same group. This report-suppression feature means that the switch only knows about one interested host at any given time. •

Configure ge-0/0/12 as a static multicast-router interface. In this topology, ge-0/0/12 always leads to the multicast router. By statically configuring ge-0/0/12 as a multicast-router interface, you avoid any delay imposed by the switch having to learn that ge-0/0/12 is a multicast-router interface.

Configuration To configure IGMP snooping on a switch: CLI Quick Configuration

To quickly configure IGMP snooping, copy the following commands and paste them into the switch terminal window: [edit] set protocols igmp-snooping vlan vlan100 immediate-leave set protocols igmp-snooping vlan vlan100 interface ge-0/0/12 multicast-router-interface


To configure IGMP snooping on vlan100: 1.

Configure the switch to immediately remove a group membership from an interface when it receives a leave report from the last member of the group on the interface: [edit protocols] user@switch# set igmp-snooping vlan vlan100 immediate-leave

2.

Statically configure interface ge-0/0/12 as a multicast-router interface: [edit protocols] user@switch# set igmp-snooping vlan vlan100 interface ge-0/0/12 multicast-router-interface

Results

Check the results of the configuration: [edit protocols] user@switch# show igmp-snooping vlan all; vlan vlan100 { immediate-leave; interface ge-0/0/12.0 { multicast-router-interface; } }

Verifying IGMP Snooping Operation To verify that IGMP snooping is operating as configured, perform the following task: •

Displaying IGMP Snooping Information for VLAN vlan100 on page 3272


3271

®


Displaying IGMP Snooping Information for VLAN vlan100 Purpose

Action

Verify that IGMP snooping is enabled on vlan100 and that ge-0/0/12 is recognized as a multicast-router interface. Enter the following command: user@switch> show igmp-snooping vlans vlan vlan100 detail VLAN: vlan100, Tag: 100 Interface: ge-0/0/12.0, tagged, Groups: 0, Router

Meaning


By showing information for vlan100, the command output confirms that IGMP snooping is configured on the VLAN. Interface ge-0/0/12.0 is listed as multicast-router interface, as configured. Because none of the host interfaces are listed, none of the hosts are currently receivers for the multicast group.

•


•

Verifying IGMP Snooping (CLI Procedure) on page 3309

•


Example: Configuring Multicast VLAN Registration on EX Series Switches Multicast VLAN registration (MVR) allows hosts that are not part of a multicast VLAN (MVLAN) to receive multicast streams from the MVLAN, allowing the MVLAN to be shared across the Layer 2 network and eliminating the need to send duplicate multicast streams to each requesting VLAN in the network. Hosts remain in their own VLANs for bandwidth and security reasons. This example describes how to configure MVR on EX Series switches: •


•


•




•


Before you configure MVR, be sure you have:

3272

•

Configured two or more VLANs on the switch. See “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124.

•

Connected the EX Series switch to a network that can transmit IPTV multicast streams from a video server.



•

Connected a host that is capable of receiving IPTV multicast streams to an interface in one of the VLANs.

Overview and Topology In a standard Layer 2 network, a multicast stream received on one VLAN is never distributed to interfaces outside that VLAN. If hosts in multiple VLANs request the same multicast stream, a separate copy of that multicast stream is distributed to the requesting VLANs. MVR introduces the concept of a multicast source VLAN (MVLAN), which is created by MVR and becomes the only VLAN over which multicast traffic flows throughout the Layer 2 network. Multicast traffic can then be selectively forwarded from interfaces on the MVLAN (source ports) to hosts that are connected to interfaces (multicast receiver ports) that are not part of the multicast source VLAN. When you configure an MVLAN, you assign a range of multicast group addresses to it. You then configure other VLANs to be MVR receiver VLANs, which receive multicast streams from the MVLAN. The MVR receiver ports comprise all the interfaces that exist on any of the MVR receiver VLANs. You can configure MVR to operate in one of two modes: transparent mode (the default mode) or proxy mode. Both modes allow MVR to forward only one copy of a multicast stream to the Layer 2 network. In transparent mode, the switch receives one copy of each IPTV multicast stream and then replicates the stream only to those hosts that want to receive it, while forwarding all other types of multicast traffic without modification. Figure 91 on page 3274 shows how MVR operates in transparent mode. In proxy mode, the switch acts as a proxy for the IGMP multicast router in the MVLAN for MVR group memberships established in the MVR receiver VLANs and generates and sends IGMP packets into the MVLAN as needed. Figure 92 on page 3275 shows how MVR operates in proxy mode. This example shows how to configure MVR in both transparent mode and proxy mode on an EX Series switch. The topology includes a video server that is connected to a multicast router, which in turn forwards the IPTV multicast traffic in the MVLAN to the Layer 2 network. Figure 91 on page 3274 shows the MVR topology in transparent mode. Interfaces P1 and P2 on Switch C belong to service VLAN s0 and MVLAN mv0. Interface P4 of Switch C also belongs to service VLAN s0. In the upstream direction of the network, only non-IPTV traffic is being carried in individual customer VLANs of service VLAN s0. VLAN c0 is an example of this type of customer VLAN. IPTV traffic is being carried on MVLAN mv0. If any host on any customer VLAN connected to port P4 requests an MVR stream, switch C takes the stream from VLAN mv0 and replicates that stream onto port P4 with tag mv0. IPTV traffic, along with other network traffic, flows form port P4 out to the Digital Subscriber Line Access Multiplexer (DSLAM) D1.


3273

®


Figure 91: MVR Topology in Transparent Mode

Figure 92 on page 3275 shows the MVR topology in proxy mode. Interfaces P1 and P2 on switch C belong to MVLAN mv0 and customer VLAN c0. Interface P4 on switch C is an access port of customer VLAN c0. In the upstream direction of the network, only non-IPTV traffic is being carried on customer VLAN c0. Any IPTV traffic requested by hosts on VLAN c0 is replicated untagged to port P4 based on streams received in MVLAN mv0. IPTV traffic flows from port P4 out to an IPTV-enabled device in Host 1. Other traffic, such as data and voice traffic, also flows from port P4 to other network devices in Host 1.

3274



Figure 92: MVR Topology in Proxy Mode

For information on VLAN tagging, see “Understanding Bridging and VLANs on EX Series Switches” on page 2073.

Configuration To configure MVR perform these tasks: CLI Quick Configuration

To quickly configure MVR in proxy mode, copy the following commands and paste them into the switch terminal window. To quickly configure MVR in transparent mode (the default mode), do not copy and paste the final command line in the following block of lines: [edit protocols igmp-snooping] set vlan mv0 data-forwarding source groups 225.10.0.0/16 set vlan v2 data-forwarding receiver source-vlans mv0 set vlan v2 data-forwarding receiver install set vlan mv0 proxy source-address 10.1.1.1


To configure MVR, perform these tasks: 1.

Configure mv0 to be an MVLAN: [edit protocols igmp-snooping] user@switch# set vlan mv0 data-forwarding source groups 225.10.0.0/16

2.

Configure v2 to be a multicast receiver VLAN with mv0 as its source: [edit protocols igmp-snooping]


3275

®


user@switch# set vlan v2 data-forwarding receiver source-vlans mv0 3.

(Optional) Install forwarding entries in the multicast receiver VLAN v2: [edit protocols igmp-snooping] user@switch# set vlan v2 data-forwarding receiver install

4.

(Optional) Configure MVR in proxy mode: [edit protocols igmp-snooping] user@switch# set vlan mv0 proxy source-address 10.1.1.1

Results

Check the results of the configuration: [edit protocols igmp-snooping] user@switch# show vlan mv0 { proxy { source-address 10.1.1.1; } data-forwarding { source { groups 225.10.0.0/16; } } } vlan v2 { data-forwarding { receiver { source-vlans mv0; install; } } }


•


•


Example: Configuring MLD Snooping on EX Series Switches You can enable MLD snooping on a VLAN to constrain the flooding of IPv6 multicast traffic on a VLAN. When MLD snooping is enabled, a switch examines MLD messages between hosts and multicast routers and learns which hosts are interested in receiving multicast traffic for a multicast group. Based on what it learns, the switch then forwards IPv6 multicast traffic only to those interfaces connected to interested receivers instead of flooding the traffic to all interfaces. This example describes how to configure MLD snooping:

3276

•


•


•


•

Verifying MLD Snooping Operation on page 3279





•


Before you configure MLD snooping, be sure you have: •

Configured the vlan100 VLAN on the switch

•

Assigned interfaces ge-0/0/0, ge-0/0/1, ge-0/0/2, and ge-0/0/12 to vlan100

•

Configured ge-0/0/12 as a trunk interface.

See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

Overview and Topology In this example, interfaces ge-0/0/0, ge-0/0/1, and ge-0/0/2 on the switch are in vlan100 and are connected to hosts that are potential multicast receivers. Interface ge-0/0/12, a trunk interface also in vlan100, is connected to a multicast router. The router acts as the MLD querier and forwards multicast traffic for group ff1e::2010 to the switch from a multicast source. The example topology is illustrated in Figure 93 on page 3277.

Figure 93: Example MLD Snooping Topology Multicast Router

Multicast Source for Group ff1e::2010 ge-0/0/12 vlan100 EX Series Switch ge-0/0/2 vlan100

ge-0/0/0 vlan100 ge-0/0/1 vlan100

Host A Host B

g041199

Host C

In this example topology, the multicast router forwards multicast traffic to the switch from the source when it receives a memberhsip report for group ff1e::2010 from one of the hosts—for example, Host B. If MLD snooping is not enabled on vlan100, the switch floods the multicast traffic on all interfaces in vlan100 (except for interface ge-0/0/12).


3277

®


If MLD snooping is enabled on vlan100, the switch monitors the MLD messages between the hosts and router, allowing it to determine that only Host B is interested in receiving the multicast traffic. The switch then forwards the multicast traffic only to interface ge-0/0/1. This example shows how to enable MLD snooping on vlan100. It also shows how to perform the following optional configurations, which can reduce group join and leave latency: •

Configure immediate leave on the VLAN. When immediate leave is configured, the switch stops forwarding multicast traffic on an interface when it detects that the last member of the multicast group has left the group. If immediate leave is not configured, the switch waits until the group-specific queries time out before it stops forwarding traffic.

•

Configure ge-0/0/12 as a static multicast-router interface. In this topology, ge-0/0/12 always leads to the multicast router. By statically configuring ge-0/0/12 as a multicast-router interface, you avoid any delay imposed by the switch having to learn that ge-0/0/12 is a multicast-router interface.

Configuration To configure MLD snooping on a switch: CLI Quick Configuration

To quickly configure MLD snooping, copy the following commands and paste them into the switch terminal window: [edit] set protocols mld-snooping vlan vlan100 set protocols mld-snooping vlan vlan100 immediate-leave set protocols mld-snooping vlan vlan100 interface ge-0/0/12 multicast-router-interface


To configure MLD snooping: 1.

Enable MLD snooping on VLAN vlan100: [edit protocols] user@switch# set mld-snooping vlan vlan100

2.

Configure the switch to immediately remove a group membership from an interface when it receives a leave report from the last member of the group on the interface: [edit protocols] user@switch# set mld-snooping vlan vlan100 immediate-leave

3.

Statically configure interface ge-0/0/12 as a multicast-router interface: [edit protocols] user@switch# set mld-snooping vlan vlan100 interface ge-0/0/12 multicast-router-interface (IGMP Snooping)

Results

Check the results of the configuration: [edit protocols] user@switch# show mld-snooping vlan vlan100 { immediate-leave; interface ge-0/0/12.0 { multicast-router-interface;

3278



} }

Verifying MLD Snooping Operation To verify that MLD snooping is operating as configured, perform the following task: •

Displaying MLD Snooping Information for VLAN vlan100 on page 3279

Displaying MLD Snooping Information for VLAN vlan100 Purpose

Action

Verify that MLD snooping is enabled on vlan100 and that ge-0/0/12 is recognized as a multicast-router interface. Enter the following command: user@switch> show mld-snooping vlans vlan vlan100 detail VLAN: vlan100, Tag: 100 Interface: ge-0/0/12.0, tagged, Groups: 0, Router

Meaning


By showing information for vlan100, the command output confirms that MLD snooping is configured on the VLAN. Interface ge-0/0/12.0 is listed as multicast-router interface, as configured. Because none of the host interfaces are listed, none of the hosts are currently receivers for the multicast group.

•


•


•



3279

®


3280


CHAPTER 83

Configuring Multicast •


•

Configuring IGMP Snooping (J-Web Procedure) on page 3288

•


•


•

Configuring MLD Snooping Tracing Operations (CLI Procedure) on page 3299

•

Configuring IGMP Snooping Tracing Operations (CLI Procedure) on page 3301

Configuring IGMP Snooping (CLI Procedure) IGMP snooping constrains the flooding of IPv4 multicast traffic on a VLAN. When IGMP snooping is enabled, a switch examines IGMP messages between hosts and multicast routers and learns which hosts are interested in receiving multicast traffic for a multicast group. Based on what it learns, the switch then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding the traffic to all interfaces. The factory default configuration enables IGMP snooping on all VLANs. For many networks, IGMP snooping requires no further configuration. You can perform the following optional configurations per VLAN: •

Selectively enable IGMP snooping on specific VLANs.

NOTE: You cannot configure IGMP snooping on a secondary VLAN.

•

Specify the IGMP version for the general query that the switch sends on an interface when the interface comes up.

•

Enable immediate leave on a VLAN or all VLANs. Immediate leave reduces the length of time it takes the switch to stop forwarding multicast traffic when the last member host on the interface leaves the group.

•

Configure an interface as a static multicast-router interface for a VLAN or for all VLANs so that the switch does not need to dynamically learn that the interface is a multicast-router interface.


3281

®


•

Configure an interface as a static member of a multicast group so that the switch does not need to dynamically learn the interface’s membership.

•

Change the value for certain timers and counters to match the values configured on the multicast router serving as the IGMP querier.

•

Configure multicast VLAN registration (MVR). MVR allows hosts that are not part of a multicast source VLAN (MVLAN) to still receive multicast streams from the MVLAN, allowing an MVLAN to be shared across a Layer 2 network. See “Configuring Multicast VLAN Registration (CLI Procedure)” on page 3291 for more information.

TIP: When you configure IGMP snooping using the vlan all statement, any VLAN that is not individually configured for IGMP snooping inherits the vlan all configuration. Any VLAN that is individually configured for IGMP snooping, on the other hand, inherits none of its configuration from vlan all. Any parameters that are not explicitly defined for the individual VLAN assume their default values, not the values specified in the vlan all configuration. For example, in the following configuration: protocols { igmp-snooping { vlan all { robust-count 8; } vlan employee { interface ge-0/0/8.0 { static { group 225.0.0.1; } } } } }

all VLANs, except employee, have a robust count of 8. Because employee has been individually configured, its robust count value is not determined by the value set under vlan all. Instead, its robust count is the default value of 2.


Enabling or Disabling IGMP Snooping on VLANs on page 3282

•

Configuring the IGMP Version on page 3283

•

Enabling Immediate Leave on page 3284

•

Configuring an Interface as a Multicast-Router Interface on page 3285

•

Configuring Static Group Membership on an Interface on page 3286

•

Changing the Timer and Counter Values on page 3286

Enabling or Disabling IGMP Snooping on VLANs The factory default configuration on EX Series switches enables IGMP snooping on all VLANs by including the following configuration:

3282


Chapter 83: Configuring Multicast

protocols { igmp-snooping { vlan all; }

This topic describes how you can selectively enable or disable IGMP snooping on VLANs. It assumes you are starting from the factory default configuration. •

To disable IGMP snooping on a VLAN: [edit protocols igmp-snooping] user@switch# set vlan vlan-name disable

•

To enable IGMP snooping on only a few VLANs: 1.

Disable IGMP snooping on all VLANs: [edit protocols igmp-snooping] user@switch# set vlan all disable

2. Enable IGMP snooping on each individual VLAN:

[edit protocols igmp-snooping] user@switch# set vlan vlan-name

For example, to enable IGMP snooping only on VLANs sales and support: [edit protocols igmp-snooping] user@switch# set vlan all disable [edit protocols igmp-snooping] user@switch# set vlan sales [edit protocols igmp-snooping] user@switch# set vlan support

You can also deactivate the IGMP snooping protocol on the switch without changing the IGMP snooping VLAN configurations: [edit] user@switch# deactivate protocols igmp-snooping

Configuring the IGMP Version You can configure the version of IGMP queries sent by a switch when IGMP snooping is enabled. By default, the switch uses IGMP version 2 (IGMPv2). If you are using Protocol-Independent Multicast source-specific Multicast (PIM-SSM), we recommend that you configure the switch to use IGMPv3. Typically, a switch passively monitors IGMP messages sent between multicast routers and hosts and does not send IGMP queries. The exception is when a switch detects that an interface has come up. When an interface comes up, the switch sends an immediate general membership query to all hosts on the interface. By doing so, the switch enables the multicast routers to learn group memberships more quickly than they would if they had to wait until the IGMP querier sent its next general query. The IGMP version of the general query determines the IGMP version of the host membership reports as follows:


3283

®


•

IGMP version 1 (IGMPv1) general query—IGMPv1, IGMPv2, and IGMPv3 hosts respond with an IGMPv1 membership report.

•

IGMPv2 general query—IGMPv2 and IGMPv3 hosts respond with an IGMPv2 membership report, while IGMPv1 hosts respond with a IGMPv1 membership report.

•

IGMPv3 general query—IGMPv3 hosts respond with an IGMPv3 membership report, while IGMPv1 and IGMPv2 hosts are unable to respond to the query.

By default, the switch sends IGMPv2 queries. If your VLAN contains IGMPv3 multicast routers and hosts and the routers are running PIM-SSM, we recommend that you configure IGMP snooping for IGMPv3. Doing so enables the routers to quickly learn which multicast sources the hosts on the interface want to receive traffic from.

NOTE: Configuring the IGMP version does not limit the version of IGMP messages that the switch can snoop. A switch can snoop both IGMPv1, IGMPv2,, and IGMPv3 messages regardless of the IGMP version configured.

To configure the IGMP version on a switch: [edit protocols] user@switch# set igmp-snooping vlan vlan-name version number

For example, to set the IGMP version to version 3 for VLAN marketing: [edit protocols] user@switch# set igmp-snooping vlan marketing version 3

Enabling Immediate Leave By default, when a switch with IGMP snooping enabled receives an IGMP leave report on a member interface, it waits for hosts on the interface to respond to IGMP group-specific queries to determine whether there still are hosts on the interface interested in receiving the group multicast traffic. If the switch does not see any membership reports for the group within a set interval of time, it removes the interface’s group membership from the multicast forwarding table and stops forwarding multicast traffic for the group to the interface. You can decrease the leave latency created by this default behavior by enabling immediate leave on a VLAN. When you enable immediate leave on a VLAN, host tracking is also enabled, allowing the switch to keep track of the hosts on a interface that have joined a multicast group. When the switch receives a leave report from the last member of the group, it immediately stops forwarding traffic to the interface and does not wait for the interface group membership to time out. Immediate leave is supported for both IGMP version 2 (IGMPv2) and IGMPv3. However, with IGMPv2, we recommend that you configure immediate leave only when there is only one IGMP host on an interface. In IGMPv2, only one host on a interface sends a membership report in response to a group-specifc query—any other interested hosts suppress their reports to avoid a flood of reports for the same group. This

3284



report-suppression feature means that the switch only knows about one interested host at any given time. To enable immediate leave on a VLAN: [edit protocols] user@switch# set igmp-snooping vlan vlan-name immediate-leave

To enable immediate leave on all VLANs: [edit protocols] user@switch# set igmp-snooping vlan all immediate-leave

Configuring an Interface as a Multicast-Router Interface When IGMP snooping is enabled on a switch, the switch determines which interfaces face a multicast router by monitoring interfaces for IGMP queries or Protocol Independent Multicast (PIM) updates. If the switch receives these messages on an interface, it adds the interface to its multicast forwarding table as a multicast-router interface. In addition to dynamically learned interfaces, the multicast forwarding table can include interfaces that you explicitly configure to be multicast router interfaces. Unlike the table entries for dynamically learned interfaces, table entries for statically configured interfaces are not subject to aging and deletion from the forwarding table. Examples of when you might want to configure a static multicast-router interface include: •

You have an unusual network configuration that prevents IGMP snooping from reliably learning about a multicast-router interface through monitoring IGMP queries or PIM updates.

•

Your implementation does not require an IGMP querier.

•

You have a stable topology and want to avoid the delay the dynamic learning process entails.

NOTE: If the interface you are configuring as a multicast-router interface is a trunk port, the interface becomes a multicast-router interface for all VLANs configured on the trunk port even if you have not explicitly configured it for all the VLANs. In addition, all unregistered multicast packets, whether they are IPv4 or IPv6 packets, are forwarded to the multicast-router interface, even if the interface is configured as a multicast-router interface only for IGMP snooping.

To configure an interface as a static multicast-router interface: [edit protocols] user@switch# set igmp-snooping vlan vlan-name interface interface-name multicast-router-interface

For example, to configure ge-0/0/5.0 as a multicast-router interface for all VLANs on the switch:


3285

®


[edit protocols] user@switch# set igmp-snooping vlan all interface ge-0/0/5.0 multicast-router-interface

Configuring Static Group Membership on an Interface To determine how to forward multicast packets, a switch with IGMP snooping enabled maintains a multicast forwarding table containing a list of host interfaces that have interested listeners for a specific multicast group. The switch learns which host interfaces to add or delete from this table by examining IGMP membership reports as they arrive on interfaces on which IGMP snooping is enabled. In addition to such dynamically learned interfaces, the multicast forwarding table can include interfaces that you statically configure to be members of multicast groups. When you configure a static group interface, the switch adds the interface to the forwarding table as a host interface for the group. Unlike an entry for a dynamically learned interface, a static interface entry is not subject to aging and deletion from the forwarding table. Examples of when you might want to configure static group membership on an interface include: •

You want to simulate an attached multicast receiver for testing purposes.

•

The interface has receivers that cannot send IGMP membership reports.

•

You want the multicast traffic for a specific group to be immediately available to a receiver without any delay imposed by the dynamic join process.

You cannot configure multicast source addresses for a static group interface.

NOTE: The switch does not simulate IGMP membership reports on behalf of a statically configured interface. Thus a multicast router might be unaware that the switch has an interface that is a member of the multicast group. You can configure a static group interface on the router to ensure that the switch receives the group multicast traffic.

To configure a host interface as a static member of a multicast group: [edit protocols] user@switch# set igmp-snooping vlan vlan-name interface interface-name static group ip-address

For example, to configure interface ge-0/0/11.0 in VLAN ip-camera-vlan as a static member of multicast group 225.0.0.1: [edit protocols] user@switch# set igmp-snooping vlan ip-camera-vlan interface ge-0/0/11.0 static group 225.0.0.1

Changing the Timer and Counter Values IGMP uses various timers and counters to determine how often an IGMP querier sends out membership queries and when group memberships time out. On Juniper Networks

3286



EX Series Ethernet Switches, the IGMP and IGMP snooping timers and counters default values are set to the values recommended in RFC 2236, Internet Group Management Protocol, Version 2. These values work well for most multicast implementations. There might be cases, however, where you might want to adjust the timer and counter values—for example, to reduce burstiness, to reduce leave latency, or to adjust for expected packet loss on a subnet. If you change a timer or counter value for the IGMP querier on a VLAN, we recommend that you change the value for all multicast routers and switches on the VLAN so that all devices time out group memberships at approximately the same time. The following timers and counters are configurable on a switch: •

query-interval—The length of time the IGMP querier waits between sending general

queries (the default is 125 seconds). You can change this interval to tune the number of IGMP messages on the subnet; larger values cause general queries to be sent less often. You cannot configure this value directly for IGMP snooping. IGMP snooping inherits the value from the IGMP value configured on the switch, which is applied to all VLANs on the switch. To configure the IGMP query-interval: [edit protocols] user@switch# set igmp query-interval seconds •

query-response-interval—The maximum length of time the host can wait until it

responds (the default is 10 seconds). You can change this interval to adjust the burst peaks of IGMP messages on the subnet. Set a larger interval to make the traffic less bursty. You cannot configure this value directly for IGMP snooping. IGMP snooping inherits the value from the IGMP value configured on the switch, which is applied to all VLANs on the switch. To configure the IGMP query-response-interval: [edit protocols] user@switch# set igmp query-response-interval seconds •

query-last-member-interval—The length of time the IGMP querier waits between sending

group-specific membership queries (the default is 1 second). The IGMP querier sends a group-specific query after receiving a leave report from a host. You can decrease this interval to reduce the amount of time it takes for multicast traffic to stop forwarding after the last member leaves a group. You cannot configure this value directly for IGMP snooping. IGMP snooping inherits the value from the IGMP value configured on the switch, which is applied to all VLANs on the switch. To configure the IGMP query-last-member-interval: [edit protocols] user@switch# set igmp query-last-member-interval seconds


3287

®


•

robust-count—The number of times the querier resends a general membership query

or a group-specific membership query (the default is 2 times). You can increase this count to tune for higher expected packet loss. For IGMP snooping, you can configure robust-count for a specific VLAN. If a VLAN does not have robust-count configured, the robust-count value is inherited from the value configured for IGMP. To configure robust-count for IGMP snooping on a VLAN: [edit protocols] user@switch# set igmp-snooping vlan vlan-name robust-count number

The values configured for query-interval, query-response-interval, and robust-count determine the multicast listener interval—the length of time the switch waits for a group membership report after a general query before removing a multicast group from its multicast forwarding table. The switch calculates the multicast listener interval by multiplying query-interval by robust-count and then adding query-response-interval: (query-interval x robust-count) + query-response-interval = multicast listener interval For example, the multicast listener interval is 260 seconds when the default settings for query-interval, query-response-interval, and robust-count are used: (125 x 2) + 10 = 260 You can display the time remaining in the multicast listener interval before a group times out by using the show igmp-snooping membership command. Related Documentation

•


•


•


•


•


Configuring IGMP Snooping (J-Web Procedure) IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping enabled, the EX Series switch monitors the IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and associated member interfaces. The switch uses that information to make intelligent multicast-forwarding decisions and forward traffic to the intended destination interfaces. You can configure IGMP snooping on one or more VLANs to allow the switch to examine IGMP packets and make forwarding decisions based on packet content. By default, IGMP snooping is enabled on EX Series switches. To enable IGMP snooping and configure individual options using the J-Web interface: 1.

3288

Select Configure > Switching > IGMP Snooping.




2. Click one: •

Add—Creates an IGMP snooping configuration for the VLAN.

•

Edit—Modifies an IGMP snooping configuration for the VLAN.

•

Delete—Deletes a selected VLAN from the IGMP snooping configuration.

When you are adding or editing an IGMP snooping configuration, enter information as described in Table 364 on page 3289. 3. Click OK to apply changes to the configuration or click Cancel to cancel without saving

changes. To disable IGMP snooping on a VLAN, select the VLAN from the list and click Disable.

Table 364: IGMP Snooping Configuration Fields Field

Function

Your Action

VLAN Name

Specifies the VLAN on which to enable IGMP snooping.

Select a VLAN from the list to add it to the snooping configuration.

Immediate Leave

Immediately removes a multicast group membership from an interface when it receives a leave message from that interface without waiting for any other IGMP messages to be exchanged (IGMP version 2 and IGMP version 3 only).


Specifies the number of timeout intervals the switch waits before timing out a multicast group.

Type a value.

Robust Count


To disable the option, clear the check box.

3289

®


Table 364: IGMP Snooping Configuration Fields (continued) Field

Function

Your Action

Interfaces List

Statically configures an interface as a switching interface toward a multicast router or as a member of a multicast group.

Click one: •

Add—Adds an interface to the IGMP snooping configuration. 1.

Select an interface from the list.

2. Select Multicast Router Interface. 3. Type the maximum number of groups an interface can join. 4. In Static, choose one:


3290

•

Click Add, type a group IP address, and click OK.

•

Select a group and click Remove to remove the group membership.

•

Edit—Edits the interface settings for the IGMP snooping configuration.

•

Remove—Deletes an interface configured for IGMP snooping.

•


•


•




Configuring Multicast VLAN Registration (CLI Procedure) Multicast VLAN registration (MVR) allows hosts that are not part of a multicast source VLAN (MVLAN) to still receive multicast streams from the MVLAN, allowing an MVLAN to be shared across a Layer 2 network. Hosts remain in their own VLANs for bandwidth and security reasons but are able to receive multicast streams from the MVLAN. You can configure one or more VLANs on a switch to be MVLANs or MVR receiver VLANs. By default, MVR is not configured on EX Series switches.

NOTE: MVR is supported on VLANs running IGMP version 2 (IGMPv2) only.

NOTE: When configuring MVR, the following restrictions apply: •

You cannot enable multicast protocols on VLAN interfaces that are members of MVLANs.

•

If you configure an MVLAN in proxy mode, IGMP snooping proxy mode will be automatically enabled on all MVR receiver VLANs of this MVLAN. If a VLAN is an MVR receiver VLAN for multiple MVLANs, all of the MVLANs must have proxy mode enabled or all must have proxy mode disabled. You can enable proxy mode only on VLANs that are configured as MVR source VLANs and that are not configured for Q-in-Q tunneling.

•

After you configure a VLAN as an MVLAN, that VLAN is no longer available for other uses.

To configure MVR: 1.

Configure the VLAN named mv0 to be an MVLAN: [edit protocols] user@switch# set igmp-snooping vlan mv0 data-forwarding source groups 225.10.0.0/16

2. Configure the MVLAN mv0 to be a proxy VLAN: [edit protocols] user@switch# set igmp-snooping vlan mv0 proxy (Multicast VLAN Registration) source–address 10.0.0.1 3. Configure the VLAN named v2 to be an MVR receiver VLAN: [edit protocols] user@switch# set igmp-snooping vlan v2 data-forwarding receiver source-vlans mv0 4. Install forwarding entries in the MVR receiver VLAN: [edit protocols] user@switch# set igmp-snooping vlan mv0 data-forwarding receiver install


•


•



3291

®


Configuring MLD Snooping on a VLAN (CLI Procedure) You can enable MLD snooping on a VLAN to constrain the flooding of IPv6 multicast traffic on a VLAN. When MLD snooping is enabled, a switch examines MLD messages between hosts and multicast routers and learns which hosts are interested in receiving multicast traffic for a multicast group. Based on what it learns, the switch then forwards IPv6 multicast traffic only to those interfaces connected to interested receivers instead of flooding the traffic to all interfaces. MLD snooping is not enabled on the switch by default. To enable MLD snooping on all VLANs: [edit] user@switch# set protocols mld-snooping vlan all

For many networks, MLD snooping requires no further configuration. You can perform the following optional configurations per VLAN: •

Selectively enable MLD snooping on specific VLANs.

NOTE: You cannot configure MLD snooping on a secondary VLAN.

•

Specify the MLD version for the general query that the switch sends on an interface when the interface comes up.

•

Enable immediate leave on a VLAN or all VLANs. Immediate leave reduces the length of time it takes the switch to stop forwarding multicast traffic when the last member host on the interface leaves the group.

•

Configure an interface as a static multicast-router interface for a VLAN or for all VLANs so that the switch does not need to dynamically learn that the interface is a multicast-router interface.

•

Configure an interface as a static member of a multicast group so that the switch does not need to dynamically learn the interface’s membership.

•

Change the value for certain timers and counters to match the values configured on the multicast router serving as the MLD querier.

TIP: When you configure MLD snooping using the vlan all statement, any VLAN that is not individually configured for MLD snooping inherits the vlan all configuration. Any VLAN that is individually configured for MLD snooping, on the other hand, inherits none of its configuration from vlan all. Any parameters that are not explicitly defined for the individual VLAN assume their default values, not the values specified in the vlan all configuration. For example, in the following configuration: protocols { mld-snooping {

3292



vlan all { robust-count 8; } vlan employee { interface ge-0/0/8.0 { static { group ff1e::1; } } } } }



Enabling or Disabling MLD Snooping on VLANs on page 3293

•

Configuring the MLD Version on page 3294

•

Enabling Immediate Leave on page 3295

•

Configuring an Interface as a Multicast-Router Interface on page 3296

•

Configuring Static Group Membership on an Interface on page 3296

•

Changing the Timer and Counter Values on page 3297

Enabling or Disabling MLD Snooping on VLANs MLD snooping is not enabled on any VLAN by default. You must explicitly configure a VLAN or all VLANs for MLD snooping. This topic describes how you can enable or disable MLD snooping on specific VLANs or on all VLANs on the switch. •

To enable MLD snooping on all VLANs: [edit protocols mld-snooping] user@switch# set vlan all

•

To enable MLD snooping on a specific VLAN: [edit protocols mld-snooping] user@switch# set vlan vlan-name

NOTE: You cannot configure MLD snooping on a secondary VLAN.

For example, to enable MLD snooping on VLAN education: [edit protocols mld-snooping] user@switch# set vlan education •

To enable MLD snooping on all VLANs except a few VLANs:


3293

®


1.

Enable MLD snooping on all VLANs: [edit protocols mld-snooping] user@switch# set vlan all

2. Disable MLD snooping on individual VLANs:

[edit protocols mld-snooping] user@switch# set vlan vlan-name disable

For example, to enable MLD snooping on all VLANs except vlan100 and vlan200: [edit protocols mld-snooping] user@switch# set vlan all [edit protocols mld-snooping] user@switch# set vlan vlan100 disable [edit protocols mld-snooping] user@switch# set vlan vlan200 disable

You can also deactivate the MLD snooping protocol on the switch without changing the MLD snooping VLAN configurations: [edit] user@switch# deactivate protocols mld-snooping

Configuring the MLD Version You can configure the version of MLD queries sent by a switch when MLD snooping is enabled. By default, the switch uses MLD version 1 (MLDv1). If you are using Protocol-Independent Multicast source-specific multicast (PIM-SSM), we recommend that you configure the switch to use MLDv2. Typically, a switch passively monitors MLD messages sent between multicast routers and hosts and does not send MLD queries. The exception is when a switch detects that an interface has come up. When an interface comes up, the switch sends an immediate general membership query to all hosts on the interface. By doing so, the switch enables the multicast routers to learn group memberships more quickly than they would if they had to wait until the MLD querier sent its next general query. The MLD version of the general query determines the MLD version of the host membership reports as follows: •

MLD version 1 (MLDv1) general query—Both MLDv1 and MLDv2 hosts respond with an MLDv1 membership report.

•

MLDv2 general query—MLDv2 hosts respond with an MLDv2 membership report, while MLDv1 hosts are unable to respond to the query.

By default, the switch sends MLDv1 queries. This ensures compatibility with hosts and multicast routers that support MLDv1 only and cannot process MLDv2 reports. However, if your VLAN contains MLDv2 multicast routers and hosts and the routers are running PIM-SSM, we recommend that you configure MLD snooping for MLDv2. Doing so enables the routers to quickly learn which multicast sources the hosts on the interface want to receive traffic from.

3294



NOTE: Configuring the MLD version does not limit the version of MLD messages that the switch can snoop. A switch can snoop both MLDv1 and MLDv2 messages regardless of the MLD version configured.

To configure the MLD version on a switch: [edit protocols] user@switch# set mld-snooping vlan vlan-name version number

For example, to set the MLD version to version 2 for VLAN marketing: [edit protocols] user@switch# set mld-snooping vlan marketing version 2

Enabling Immediate Leave By default, when a switch with MLD snooping enabled receives an MLD leave report on a member interface, it waits for hosts on the interface to respond to MLD group-specific queries to determine whether there still are hosts on the interface interested in receiving the group multicast traffic. If the switch does not see any membership reports for the group within a set interval of time, it removes the interface’s group membership from the multicast forwarding table and stops forwarding multicast traffic for the group to the interface. You can decrease the leave latency created by this default behavior by enabling immediate leave on a VLAN. When you enable immediate leave on a VLAN, host tracking is also enabled, allowing the switch to keep track of the hosts on a interface that have joined a multicast group. When the switch receives a leave report from the last member of the group, it immediately stops forwarding traffic to the interface and does not wait for the interface group membership to time out. Immediate leave is supported for both MLD version 1 (MLDv1) and MLDv2. However, with MLDv1, we recommend that you configure immediate leave only when there is only one MLD host on an interface. In MLDv1, only one host on a interface sends a membership report in response to a group-specifc query—any other interested hosts suppress their reports. This report-suppression feature means that the switch only knows about one interested host at any given time. To enable immediate leave on a VLAN: [edit protocols] user@switch# set mld-snooping vlan vlan-name immediate-leave

To enable immediate leave on all VLANs: [edit protocols] user@switch# set mld-snooping vlan all immediate-leave


3295

®


Configuring an Interface as a Multicast-Router Interface When MLD snooping is enabled on a switch, the switch determines which interfaces face a multicast router by monitoring interfaces for MLD queries or Protocol Independent Multicast (PIM) updates. If the switch receives these messages on an interface, it adds the interface to its multicast forwarding table as a multicast-router interface. In addition to dynamically learned interfaces, the multicast forwarding table can include interfaces that you explicitly configure to be multicast router interfaces. Unlike the table entries for dynamically learned interfaces, table entries for statically configured interfaces are not subject to aging and deletion from the forwarding table. Examples of when you might want to configure a static multicast-router interface include: •

You have an unusual network configuration that prevents MLD snooping from reliably learning about a multicast-router interface through monitoring MLD queries or PIM updates.

•

Your implementation does not require an MLD querier.

•

You have a stable topology and want to avoid the delay the dynamic learning process entails.

NOTE: If the interface you are configuring as a multicast-router interface is a trunk port, the interface becomes a multicast-router interface for all VLANs configured on the trunk port even if you have not explicitly configured it for all the VLANs. In addition, all unregistered multicast packets, whether they are IPv4 or IPv6 packets, are forwarded to the multicast-router interface, even if the interface is configured as a multicast-router interface only for MLD snooping.

To configure an interface as a static multicast-router interface: [edit protocols] user@switch# set mld-snooping vlan vlan-name interface interface-name multicast-router-interface

For example, to configure ge-0/0/5.0 as a multicast-router interface for all VLANs on the switch: [edit protocols] user@switch# set mld-snooping vlan all interface ge-0/0/5.0 multicast-router-interface

Configuring Static Group Membership on an Interface To determine how to forward multicast packets, a switch with MLD snooping enabled maintains a multicast forwarding table containing a list of host interfaces that have interested listeners for a specific multicast group. The switch learns which host interfaces to add or delete from this table by examining MLD membership reports as they arrive on interfaces on which MLD snooping is enabled.

3296



In addition to such dynamically learned interfaces, the multicast forwarding table can include interfaces that you statically configure to be members of multicast groups. When you configure a static group interface, the switch adds the interface to the forwarding table as a host interface for the group. Unlike an entry for a dynamically learned interface, a static interface entry is not subject to aging and deletion from the forwarding table. Examples of when you might want to configure static group membership on an interface include: •

You want to simulate an attached multicast receiver for testing purposes.

•

The interface has receivers that cannot send MLD membership reports.

•

You want the multicast traffic for a specific group to be immediately available to a receiver without any delay imposed by the dynamic join process.

You cannot configure multicast source addresses for a static group interface. The MLD version of a static group interface is always MLD version 1.

NOTE: The switch does not simulate MLD membership reports on behalf of a statically configured interface. Thus a multicast router might be unaware that the switch has an interface that is a member of the multicast group. You can configure a static group interface on the router to ensure that the switch receives the group multicast traffic.

To configure a host interface as a static member of a multicast group: [edit protocols] user@switch# set mld-snooping vlan vlan-name interface interface-name static group ip-address

For example, to configure interface ge-0/0/11.0 in VLAN ip-camera-vlan as a static member of multicast group ff1e::1: [edit protocols] user@switch# set mld-snooping vlan ip-camera-vlan interface ge-0/0/11.0 static group ff1e::1

Changing the Timer and Counter Values MLD uses various timers and counters to determine how often an MLD querier sends out membership queries and when group memberships time out. On Juniper Networks EX Series switches, the MLD and MLD snooping timers and counters default values are set to the values recommended in RFC 2710, Multicast Listener Discovery (MLD) for IPv6. These values work well for most multicast implementations. There might be cases, however, where you might want to adjust the timer and counter values—for example, to reduce burstiness, to reduce leave latency, or to adjust for expected packet loss on a subnet. If you change a timer or counter value for the MLD querier on a VLAN, we recommend that you change the value for all multicast routers and switches on the VLAN so that all devices time out group memberships at approximately the same time.


3297

®


The following timers and counters are configurable on a switch: •

query-interval—The length of time the MLD querier waits between sending general

queries (the default is 125 seconds). You can change this interval to tune the number of MLD messages on the subnet; larger values cause general queries to be sent less often. You cannot configure this value directly for MLD snooping. MLD snooping inherits the value from the MLD value configured on the switch, which is applied to all VLANs on the switch. To configure the MLD query-interval: [edit protocols] user@switch# set mld query-interval seconds •

query-response-interval—The maximum length of time the host can wait until it

responds (the default is 10 seconds). You can change this interval to adjust the burst peaks of MLD messages on the subnet. Set a larger interval to make the traffic less bursty. You cannot configure this value directly for MLD snooping. MLD snooping inherits the value from the MLD value configured on the switch, which is applied to all VLANs on the switch. To configure the MLD query-response-interval: [edit protocols] user@switch# set mld query-response-interval seconds •

query-last-member-interval—The length of time the MLD querier waits between sending

group-specific membership queries (the default is 1 second). The MLD querier sends a group-specific query after receiving a leave report from a host. You can decrease this interval to reduce the amount of time it takes for multicast traffic to stop forwarding after the last member leaves a group. You cannot configure this value directly for MLD snooping. MLD snooping inherits the value from the MLD value configured on the switch, which is applied to all VLANs on the switch. To configure the MLD query-last-member-interval: [edit protocols] user@switch# set mld query-last-member-interval seconds •

robust-count—The number of times the querier resends a general membership query

or a group-specific membership query (the default is 2 times). You can increase this count to tune for higher expected packet loss. For MLD snooping, you can configure robust-count for a specific VLAN. If a VLAN does not have robust-count configured, the robust-count value is inherited from the value configured for MLD. To configure robust-count for MLD snooping on a VLAN: [edit protocols] user@switch# set mld-snooping vlan vlan-name robust-count number

3298



The values configured for query-interval, query-response-interval, and robust-count determine the multicast listener interval—the length of time the switch waits for a group membership report after a general query before removing a multicast group from its multicast forwarding table. The switch calculates the multicast listener interval by multiplying query-interval by robust-count and then adding query-response-interval: (query-interval x robust-count) + query-response-interval = multicast listener interval For example, the multicast listener interval is 260 seconds when the default settings for query-interval, query-response-interval, and robust-count are used: (125 x 2) + 10 = 260 You can display the time remaining in the multicast listener interval before a group times out by using the show mld-snooping membership command. Related Documentation

•


•

Examples: Configuring MLD

•


•


Configuring MLD Snooping Tracing Operations (CLI Procedure) By enabling tracing operations for MLD snooping, you can record detailed messages about the operation of the protocol, such as the various types of protocol packets sent and received. Table 365 on page 3299 describes the tracing operations you can enable and the flags used to specify them in the tracing configuration.

Table 365: Supported Tracing Operations for MLD Snooping Tracing Operation

Flag

Trace all (equivalent of including all flags).

all

Trace general MLD snooping protocol events.

general

Trace communication over routing socket events.

krt

Trace leave reports.

leave

Trace nexthop-related events.

nexthop

Trace normal MLD snooping protocol events. If you do not specify this flag, only unusual or abnormal operations are traced.

normal

Trace all MLD packets.

packets

Trace policy processing.

policy


3299

®


Table 365: Supported Tracing Operations for MLD Snooping (continued) Tracing Operation

Flag

Trace MLD membership query messages.

query

Trace membership reports

report

Trace routing information.

route

Trace state transitions.

state

Trace routing protocol task processing.

task

Trace timer processing.

timer

Trace VLAN-related events.

vlan


Configuring Tracing Operations on page 3300

•

Viewing, Stopping, and Restarting Tracing Operations on page 3301

Configuring Tracing Operations To configure tracing operations for MLD snooping: 1.

Configure the filename for the trace file: [edit protocols mld-snooping ] user@switch# set traceoptions file filename

For example: [edit protocols mld-snooping ] user@switch# set traceoptions file mld-snoop-trace 2. (Optional) Configure the maximum number of trace files and size of the trace files:

[edit protocols mld-snooping ] user@switch # set file files number size size

For example: [edit protocols mld-snooping ] user@switch # set traceoptions file files 5 size 1m

causes the contents of the trace file to be emptied and archived in a .gz file when the file reaches 1 MB. Four archive files are maintained, the contents of which are rotated whenever the current active trace file is archived. If you omit this step, the maximum number of trace files defaults to 10, with the maximum file size defaulting to 128 K. 3. Specify one of the tracing flags shown in Table 365 on page 3299:

[edit protocols mld-snooping ]

3300



user@switch # set traceoptions flag flagname

For example, to perform trace operations on VLAN-related events and MLD query messages: [edit protocols mld-snooping ] user@switch# set traceoptions flag vlan [edit protocols mld-snooping ] user@switch# set traceoptions flag query

Viewing, Stopping, and Restarting Tracing Operations When you commit the configuration, tracing operations begin. You can view the trace file in the /var/log directory. For example: user@switch> file show /var/log/mld-snoop-trace

You can stop and restart tracing operations by deactivating and reactivating the configuration: [edit] user@switch# deactivate protocols mld-snooping traceoptions [edit] user@switch# activate protocols mld-snooping traceoptions


•


•

Junos OS Tracing and Logging Operations

Configuring IGMP Snooping Tracing Operations (CLI Procedure) By enabling tracing operations for IGMP snooping, you can record detailed messages about the operation of the protocol, such as the various types of protocol packets sent and received. Table 366 on page 3301 describes the tracing operations you can enable and the flags used to specify them in the tracing configuration.

Table 366: Supported Tracing Operations for IGMP Snooping Tracing Operation

Flag

Trace all (equivalent of including all flags).

all

Trace general IGMP snooping protocol events.

general

Trace communication over routing socket events.

krt

Trace leave reports (IGMPv2 and IGMPv3 only).

leave

Trace nexthop-related events.

nexthop

Trace normal IGMP snooping protocol events. If you do not specify this flag, only unusual or abnormal operations are traced.

normal


3301

®


Table 366: Supported Tracing Operations for IGMP Snooping (continued) Tracing Operation

Flag

Trace all IGMP packets.

packets

Trace policy processing.

policy

Trace IGMP membership query messages.

query

Trace membership reports

report

Trace routing information.

route

Trace state transitions.

state

Trace routing protocol task processing.

task

Trace timer processing.

timer

Trace VLAN-related events.

vlan


Configuring Tracing Operations on page 3302

•

Viewing, Stopping, and Restarting Tracing Operations on page 3303

Configuring Tracing Operations To configure tracing operations for IGMP snooping: 1.

Configure the filename for the trace file: [edit protocols igmp-snooping ] user@switch# set traceoptions file filename

For example: [edit protocols igmp-snooping ] user@switch# set traceoptions file mld-snoop-trace 2. (Optional) Configure the maximum number of trace files and size of the trace files:

[edit protocols igmp-snooping ] user@switch # set file files number size size

For example: [edit protocols igmp-snooping ] user@switch # set traceoptions file files 5 size 1m

causes the contents of the trace file to be emptied and archived in a .gz file when the file reaches 1 MB. Four archive files are maintained, the contents of which are rotated whenever the current active trace file is archived.

3302



If you omit this step, the maximum number of trace files defaults to 10, with the maximum file size defaulting to 128 K. 3. Specify one of the tracing flags shown in Table 366 on page 3301:

[edit protocols igmp-snooping ] user@switch # set traceoptions flag flagname

For example, to perform trace operations on VLAN-related events and IGMP query messages: [edit protocols igmp-snooping ] user@switch# set traceoptions flag vlan [edit protocols igmp-snooping ] user@switch# set traceoptions flag query

Viewing, Stopping, and Restarting Tracing Operations When you commit the configuration, tracing operations begin. You can view the trace file in the /var/log directory. For example: user@switch> file show /var/log/igmp-snoop-trace

You can stop and restart tracing operations by deactivating and reactivating the configuration: [edit] user@switch# deactivate protocols igmp-snooping traceoptions [edit] user@switch# activate protocols igmp-snooping traceoptions


•


•

Junos OS Tracing and Logging Operations


3303

®


3304


CHAPTER 84

Verifying Multicast •

Monitoring IGMP Snooping on page 3305

•


•


Monitoring IGMP Snooping Purpose

Action

Use the monitoring feature to view status and information about IGMP snooping configuration on your EX Series switch. To display IGMP snooping details in the J-Web interface, select Monitor > Switching > IGMP Snooping. To display IGMP snooping details in the CLI, enter the following commands:

Meaning

•

show igmp-snooping route

•

show igmp-snooping statistics

•

show igmp-snooping vlans

Table 367 on page 3305 summarizes the IGMP snooping details displayed.

Table 367: Summary of IGMP Snooping Output Fields Field

Values

IGMP Snooping Monitor VLAN

The VLAN for which IGMP snooping is enabled.

Interfaces

Indicates the interfaces configured as switching interfaces that are associated with the multicast router.

Groups

Indicates the number of the multicast groups learned by the VLAN.

MRouters

Specifies the multicast router.

Receivers

Specifies the multicast receiver.

IGMP Route Information


3305

®


Table 367: Summary of IGMP Snooping Output Fields (continued) Field

Values

VLAN

The VLAN for which IGMP snooping is enabled.

Group

Indicates the multicast groups learned by the VLAN.

Next-Hop

Specifies the next hop assigned by the switch after performing the route lookup.


•

show igmp-snooping route on page 3453

•

show igmp-snooping statistics on page 3455

•

show igmp-snooping vlans on page 3457

•


•


Verifying MLD Snooping (CLI Procedure) Multicast Listener Discovery (MLD) snooping constrains the flooding of IPv6 multicast traffic on VLANs on a switch. This topic describes how to verify MLD snooping operation on the switch. It covers: •

Verifying MLD Snooping Memberships on page 3306

•

Verifying MLD Snooping VLANs on page 3307

•

Viewing MLD Snooping Statistics on page 3308

•

Viewing MLD Snooping Routing Information on page 3308

Verifying MLD Snooping Memberships Purpose

Action

Determine group memberships, multicast-router interfaces, host MLD versions, and the current values of timeout counters. Enter the following command: user@switch> show mld-snooping membership detail VLAN: mld-vlan Tag: 100 (Index: 3) Router interfaces: ge-1/0/0.0 dynamic Uptime: 00:14:24 timeout: 253 Group: ff1e::2010 ge-1/0/30.0 Timeout: 180 Flags: Last reporter: fe80::2020:1:1:3 Include source: 2020:1:1:1::2 Include source: 2020:1:1:1::5

3306


Chapter 84: Verifying Multicast

Meaning

The switch has multicast membership information for one VLAN on the switch, mld-vlan. MLD snooping might be enabled on other VLANs, but the switch does not have any multicast membership information for them. The following information is provided: •

Information on the multicast-router interfaces for the VLAN—in this case, ge-1/0/0.0. The multicast-router interface has been learned by MLD snooping, as indicated by dynamic. The timeout value shows how many seconds from now the interface will be removed from the multicast forwarding table if the switch does not receive MLD queries or Protocol Independent Multicast (PIM) updates on the interface.

•

Information about the group memberships for the VLAN: •

Currently, the VLAN has membership in only one multicast group, ff1e::2010.

•

The host or hosts that have reported membership in the group are on interface ge-1/0/30.0. The interface group membership will time out in 180 seconds if no hosts respond to membership queries during this interval. The flags field shows the lowest version of MLD used by a host that is currently a member of the group, which in this case is MLD version 2 (MLDv2).

•

The last host that reported membership in the group has address fe80::2020:1:1:3.

•

Because interface has MLDv2 hosts on it, the source addresses from which the MLDv2 hosts want to receive group multicast traffic are shown (addresses 2020:1:1:1::2 and 2020:1:1:1::5). The timeout value for the interface group membership is derived from the largest timeout value for all sources addresses for the group.

Verifying MLD Snooping VLANs Purpose

Action

Verify that MLD snooping is enabled on a VLAN and display MLD snooping information for each VLAN on which MLD snooping is enabled. Enter the following command: user@switch> show mld-snooping vlans detail VLAN: v10, Tag: 10 Interface: ge-1/0/0.0, tagged, Groups: 0, Router Interface: ge-1/0/30.0, untagged, Groups: 1 Interface: ge-12/0/30.0, untagged, Groups: 0 VLAN: v20, Tag: 20 Interface: ge-1/0/0.0, tagged, Groups: 0, Router Interface: ge-1/0/31.0, untagged, Groups: 0 Interface: ge-12/0/31.0, untagged, Groups: 1

Meaning

MLD snooping is configured on two VLANs on the switch: v10 and v20. Each interface in each VLAN is listed and the following information is provided: •

Whether the interface is a trunk (tagged) or access (untagged) interface.

•

How many multicast groups the interface belongs to.

•

Whether the interface is a multicast-router interface (Router).


3307

®


Viewing MLD Snooping Statistics Purpose

Action

Display MLD snooping statistics, such as number of MLD queries, reports, and leaves received and how many of these MLD messages contained errors. Enter the following command: user@switch> show mld-snooping statistics Bad length: 0 Bad checksum: 0 Invalid interface: 0 Not local: 0 Receive unknown: 0 Timed out: 0 MLD Type Queries: Reports: Leaves: Other:

Meaning

Received 74295 18148423 0 0

Transmitted 0 0 0 0

Recv Errors 0 16333523 0 0

The output shows how many MLD messages of each type—Queries, Reports, Leaves—the switch received or transmitted on interfaces on which MLD snooping is enabled. For each message type, it also shows the number of MLD packets the switch received that had errors—for example, packets that do not conform to the MLDv1 or MLDv2 standards. If the Recv Errors count increases, verify that the hosts are compliant with MLDv1 or MLDv2 standards. If the switch is unable to recognize the MLD message type for a packet, it counts the packet under Receive unknown.

Viewing MLD Snooping Routing Information Purpose Action

Display the next-hop information maintained in the multicast forwarding table. Enter the following command: user@switch> show mld-snooping route detail VLAN Group Next-hop mld-vlan ::0000:2010 1323 Interfaces: ge-1/0/30.0, ge-1/0/33.0 VLAN Group Next-hop mld-vlan ff00:: 1317 Interfaces: ge-1/0/0.0, ge-1/0/33.0 VLAN Group Next-hop mld-vlan ::0000:0000 1317 Interfaces: ge-1/0/0.0 VLAN Group Next-hop mld-vlan1 ::0000:2010 1324 Interfaces: ge-12/0/31.0 VLAN Group Next-hop mld-vlan1 ff00:: 1318 Interfaces: ae200.0 VLAN Group Next-hop mld-vlan1 ::0000:0000 1318 Interfaces: ae200.0

Meaning

3308

The output shows the next-hop interfaces for a given multicast group on a VLAN. Only the last 32 bits of the group address are shown because the switch uses only these bits in determining multicast routes. For example, route ::0000:2010 on mld-vlan has next-hop interfaces ge-1/0/30.0 and ge-1/0/33.0.




•

clear mld-snooping membership on page 3417

•

clear mld-snooping statistics on page 3418

•


•


Verifying IGMP Snooping (CLI Procedure) Internet Group Management Protocol (IGMP) snooping constrains the flooding of IPv4 multicast traffic on VLANs on a switch. This topic describes how to verify IGMP snooping operation on the switch. It covers: •

Verifying IGMP Snooping Memberships on page 3309

•

Verifying IGMP Snooping VLANs on page 3310

•

Viewing IGMP Snooping Statistics on page 3310

•

Viewing IGMP Snooping Routing Information on page 3311

Verifying IGMP Snooping Memberships Purpose

Action

Determine group memberships, multicast-router interfaces, host IGMP versions, and the current values of timeout counters. Enter the following command: user@switch> show igmp-snooping membership detail VLAN: vlan2 Tag: 2 (Index: 3) Router interfaces: ge-1/0/0.0 dynamic Uptime: 00:14:24 timeout: 253 Group: 225.0.0.1 ge-1/0/17.0 timeout: 259 Last reporter: 13.0.0.90 Receiver count: 1, Flags: Include source: 10.2.11.5, 10.2.11.12

Meaning

The switch has multicast membership information for one VLAN on the switch, vlan2. IGMP snooping might be enabled on other VLANs, but the switch does not have any multicast membership information for them. The following information is provided: •

Information on the multicast-router interfaces for the VLAN—in this case, ge-1/0/0.0. The multicast-router interface has been learned by IGMP snooping, as indicated by dynamic. The timeout value shows how many seconds from now the interface will be removed from the multicast forwarding table if the switch does not receive IGMP queries or Protocol Independent Multicast (PIM) updates on the interface.

•

Information about the group memberships for the VLAN:


3309

®


•

Currently, the VLAN has membership in only one multicast group, 225.0.0.1.

•

The host or hosts that have reported membership in the group are on interface ge-1/0/17.0. The interface group membership will time out in 259 seconds if no hosts respond to membership queries during this interval.

•

The last host that reported membership in the group has address 13.0.0.90. The number of hosts belonging to the group on the interface is shown in the Receiver count field, which is displayed only when host tracking is enabled because immediate leave has been configured on the VLAN. The flags field shows the lowest version of IGMP used by a host that is currently a member of the group, which in this case is IGMP version 3 (IGMPv3)..

•

Because interface has IGMPv3 hosts on it, the source addresses from which the IGMPv3 hosts want to receive group multicast traffic are shown (addresses 10.2.11.5 and 10.2.11.12). The timeout value for the interface group membership is derived from the largest timeout value for all sources addresses for the group.

Verifying IGMP Snooping VLANs Purpose

Action

Verify that IGMP snooping is enabled on a VLAN and display IGMP snooping information for each VLAN on which IGMP snooping is enabled. Enter the following command: user@switch> show igmp-snooping vlans detail VLAN: v10, Tag: 10 Interface: ge-1/0/0.0, tagged, Groups: 0, Router Interface: ge-1/0/30.0, untagged, Groups: 1 Interface: ge-12/0/30.0, untagged, Groups: 0 VLAN: v20, Tag: 20 Interface: ge-1/0/0.0, tagged, Groups: 0, Router Interface: ge-1/0/31.0, untagged, Groups: 0, Reporters: 0 Interface: ge-12/0/31.0, untagged, Groups: 1, Reporters: 1

Meaning

IGMP snooping is configured on two VLANs on the switch: v10 and v20. Each interface in each VLAN is listed and the following information is provided: •

Whether the interface is a trunk (tagged) or access (untagged) interface.

•

How many multicast groups the interface belongs to.

•

Whether the interface is a multicast-router interface (Router).

•

How many hosts are reporting membership in the group on the interface. The Reporters field is included only if immediate leave is configured on the VLAN.

Viewing IGMP Snooping Statistics Purpose

Action

3310

Display IGMP snooping statistics, such as number of IGMP queries, reports, and leaves received and how many of these IGMP messages contained errors. Enter the following command:



user@switch> show igmp-snooping statistics Bad length: 0 Bad checksum: 0 Invalid interface: 0 Not local: 0 Receive unknown: 0 Timed out: 0 IGMP Type Queries: Reports: Leaves: Other:

Meaning

Received 74295 18148423 0 0

Transmitted 0 0 0 0

Recv Errors 0 16333523 0 0

The output shows how many IGMP messages of each type—Queries, Reports, Leaves—the switch received or transmitted on interfaces on which IGMP snooping is enabled. For each message type, it also shows the number of IGMP packets the switch received that had errors—for example, packets that do not conform to the IGMPv1, IGMPv2, or IGMPv3 standards. If the Recv Errors count increases, verify that the hosts are compliant with IGMP standards. If the switch is unable to recognize the IGMP message type for a packet, it counts the packet under Receive unknown.

Viewing IGMP Snooping Routing Information Purpose Action

Display the next-hop information maintained in the multicast forwarding table. Enter the following command: user@switch> show igmp-snooping route detail VLAN Group Next-hop v100 224.0.0.0, * 1323 Interfaces: ge-0/0/0.0 VLAN Group Next-hop v100 226.0.0.1, * 1322 Interfaces: ge-0/0/0.0, ge-0/0/1.0, ge-0/0/47.0

Meaning


The output shows the next-hop interfaces for a given multicast group on a VLAN. For example, route 226.0.0.1 on v100 has next-hop interfaces ge-0/0/0.0, ge-0/0/1.0, and ge-0/0/47.0.

•

clear igmp-snooping membership on page 3415

•

clear igmp-snooping statistics on page 3416

•


•



3311

®


3312


CHAPTER 85

Configuration Statements for Multicast •




3313

®



3314


Chapter 85: Configuration Statements for Multicast



3315

®



3316





3317

®



3318





3319

®



3320





•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•



3321

®


•


accounting (Per Interface) Syntax Hierarchy Level

Release Information


(accounting | no-accounting); [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable or disable the collection of IGMP join and leave event statistics for an interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Recording IGMP Join and Leave Events

accounting (Protocol) Syntax Hierarchy Level

Release Information


3322

accounting; [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable the collection of IGMP join and leave event statistics on the system. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Recording IGMP Join and Leave Events



address (Anycast RPs) Syntax Hierarchy Level

Release Information

Description

Options

address address ; [edit logical-systems logical-system-name protocols pim rp local (inet | inet6) anycast-pim rp-set], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp local (inet | inet6) anycast-pim rp-set], [edit protocols pim rp local (inet | inet6) anycast-pim rp-set], [edit routing-instances routing-instance-name protocols pim rp local (inet | inet6) anycast-pim rp-set]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the anycast rendezvous point (RP) addresses in the RP set. Multiple addresses can be configured in an RP set. If the RP has peer Multicast Source Discovery Protocol (MSDP) connections, then the RP must forward MSDP source active (SA) messages. address—RP address in an RP set. forward-msdp-sa—(Optional) Forward MSDP SAs to this address.



address (Local RPs) Syntax Hierarchy Level

Release Information


address address; [edit logical-systems logical-system-name protocols pim rp local family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp local family (inet | inet6)], [edit protocols pim rp local family (inet | inet6)], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the local rendezvous point (RP) address. address—Local RP address.


Configuring Local PIM RPs


3323

®


anycast-pim Syntax

Hierarchy Level

Release Information

Description

anycast-pim { rp-set { address address ; } [edit logical-systems logical-system-name protocols pim rp local family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp local family (inet | inet6)], [edit protocols pim rp local family (inet | inet6)], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6)]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure properties for anycast RP using PIM. The remaining statements are explained separately.


3324


Example: Configuring PIM Anycast With or Without MSDP



assert-timeout Syntax Hierarchy Level

Release Information

Description

Options

assert-timeout seconds; [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Multicast routing devices running PIM sparse mode often forward the same stream of multicast packets onto the same LAN through the rendezvous-point tree (RPT) and shortest-path tree (SPT). PIM assert messages help routing devices determine which routing device forwards the traffic and prunes the RPT for this group. By default, routing devices enter an assert cycle every 180 seconds. You can configure this assert timeout to be between 5 and 210 seconds. seconds—Time for routing device to wait before another assert message cycle.



Example: Configuring the PIM Assert Timeout


3325

®


auto-rp Syntax

Hierarchy Level

Release Information

Description Options

auto-rp { (announce | discovery | mapping); (mapping-agent-election | no-mapping-agent-election); } [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced in Junos OS Release 7.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure automatic RP announcement and discovery. announce—Configure the routing device to listen only for mapping packets and also to

advertise itself if it is an RP. discovery—Configure the routing device to listen only for mapping packets. mapping—Configures the routing device to announce, listen for and generate mapping

packets, and announce that the routing device is eligible to be an RP. The remaining statement is explained separately. Required Privilege Level Related Documentation

3326


Configuring PIM Auto-RP



bootstrap Syntax

Hierarchy Level

Release Information

Description

bootstrap { family (inet | inet6) { export [ policy-names ]; import [ policy-names ]; priority number; } } [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure parameters to control bootstrap routers and messages. The remaining statements are explained separately.



Configuring PIM Bootstrap Properties for IPv4

•

Configuring PIM Bootstrap Properties for IPv4 or IPv6


3327

®


bootstrap-export Syntax Hierarchy Level

Release Information


3328

bootstrap-export [ policy-names ]; [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more export policies to control outgoing PIM bootstrap messages. policy-names—Name of one or more import policies.



•


•

bootstrap-import on page 3329



bootstrap-import Syntax Hierarchy Level

Release Information


bootstrap-import [ policy-names ]; [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more import policies to control incoming PIM bootstrap messages. policy-names—Name of one or more import policies.



•


•

bootstrap-export on page 3328


3329

®


bootstrap-priority Syntax Hierarchy Level

Release Information

bootstrap-priority number; [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]


Description

Configure whether this routing device is eligible to be a bootstrap router. In the case of a tie, the routing device with the highest IP address is elected to be the bootstrap router.

Options

number—Priority for becoming the bootstrap router. A value of 0 means that the routing

device is not eligible to be the bootstrap router. Range: 0 through 255 Default: 0 Required Privilege Level Related Documentation

3330





data-forwarding Syntax


data-forwarding { receiver { source-vlans vlan-list; install (Multicast VLAN Registration); } source (Multicast VLAN Registration) { groups (Multicast VLAN Registration) group-prefix; } } [edit protocols igmp-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Configure the VLAN to be a multicast source VLAN (MVLAN) or a multicast VLAN registration (MVR) receiver VLAN. Each data-forwarding VLAN, which can be a multicast source VLAN (MVLAN) or a multicast receiver VLAN, must have exactly one source statement or exactly one receiver statement. A data-forwarding VLAN can operate only in IGMP version 2 (IGMPv2) mode. The remaining statements are explained separately.


Disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



3331

®


dense-groups Syntax

Hierarchy Level

Release Information


dense-groups { addresses; } [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure which groups are operating in dense mode. addresses—Address of groups operating in dense mode.


Configuring PIM Sparse-Dense Mode Properties

disable (IGMP Snooping) Syntax Hierarchy Level Release Information Description

Default


3332

disable; [edit protocols igmp-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Disable IGMP snooping on the VLAN. Multicast traffic will be flooded to all interfaces on the VLAN except the source interface. If you do not include this statement in the configuration for a VLAN, IGMP snooping is enabled on the VLAN. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•




disable (MLD Snooping) Syntax Hierarchy Level Release Information Description

Default


disable; [edit protocols mld-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Disable MLD snooping on the VLAN. Multicast traffic will be flooded to all interfaces in the VLAN except the source interface. If you do not include this statement in the configuration for a VLAN, MLD snooping is enabled on the VLAN. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•

show mld-snooping vlans on page 3467


3333

®


disable (PIM) Syntax Hierarchy Level

Release Information


3334

disable; [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name protocols pim family (inet | inet6)], [edit logical-systems logical-system-name protocols pim interface interface-name], [edit logical-systems logical-system-name protocols pim rp local family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp local family (inet | inet6)], [edit protocols pim], [edit protocols pim family (inet | inet6)], [edit protocols pim interface interface-name], [edit protocols pim rp local family (inet | inet6)], [edit routing-instances routing-instance-name protocols pim], [edit routing-instances routing-instance-name protocols pim family (inet | inet6)], [edit routing-instances routing-instance-name protocols pim interface interface-name], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6)]

Statement introduced before Junos OS Release 7.4. disable statement extended to the [family] hierarchy level in Junos OS Release 9.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Explicitly disable PIM at the protocol, interface or family hierarchy levels. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Disabling PIM

•

family (Protocols PIM)




Release Information


disable; [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Disable IGMP on the system. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Disabling IGMP

dr-election-on-p2p Syntax Hierarchy Level

Release Information


dr-election-on-p2p; [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable PIM designated router (DR) election on point-to-point (P2P) links. No PIM DR election is performed on point-to-point links. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Configuring PIM Designated Router Election on Point-to-Point Links


3335

®


dr-register-policy Syntax Hierarchy Level

dr-register-policy [ policy-names ]; [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Release Information


Description

Apply one or more policies to control outgoing PIM register messages.


3336

policy-names—Name of one or more import policies.


Configuring Register Message Filters on a PIM RP and DR

•

rp-register-policy on page 3384



embedded-rp Syntax

Hierarchy Level

Release Information

Description

embedded-rp { group-ranges { destination-ip-prefix; } maximum-rps limit; } [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure properties for embedded IP version 6 (IPv6) RPs. The remaining statements are explained separately.



Configuring PIM Embedded RP for IPv6


3337

®


export (Bootstrap) Syntax Hierarchy Level

Release Information


3338

export [ policy-names ]; [edit logical-systems logical-system-name protocols pim rp bootstrap family (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp bootstrap family (inet | inet6)], [edit protocols pim rp bootstrap family (inet | inet6)], [edit routing-instances routing-instance-name protocols pim rp bootstrap family (inet | inet6)]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more export policies to control outgoing PIM bootstrap messages. policy-names—Name of one or more import policies.



•


•

import (Protocols PIM Bootstrap) on page 3351



family (Bootstrap) Syntax

Hierarchy Level

Release Information

Description Options

family (inet | inet6) { export [ policy-names ]; import [ policy-names ]; priority number; } [edit logical-systems logical-system-name protocols pim rp bootstrap], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp bootstrap], [edit protocols pim rp bootstrap], [edit routing-instances routing-instance-name protocols pim rp bootstrap]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure which IP protocol type bootstrap properties to apply. inet—Apply IP version 4 (IPv4) local RP properties. inet6—Apply IPv6 local RP properties.




•



3339

®


family (Local RP) Syntax

Hierarchy Level

Release Information

Description Options

family (inet | inet6) { disable; address address; anycast-pim { local-address address; rp-set { address address ; } } group-ranges { destination-ip-prefix; } hold-time seconds; override; priority number; } [edit logical-systems logical-system-name protocols pim rp local], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp local], [edit protocols pim rp local], [edit routing-instances routing-instance-name protocols pim rp local]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure which IP protocol type local RP properties to apply. inet—Apply IP version 4 (IPv4) local RP properties. inet6—Apply IPv6 local RP properties.


3340






Hierarchy Level

Release Information

Description

graceful-restart { disable; no-bidirectional-mode; restart-duration seconds; } [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure PIM sparse mode graceful restart. The remaining statements are explained separately.



Configuring PIM Sparse Mode Graceful Restart

group (IGMP Snooping) Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Documentation

group ip-address; [edit protocols igmp-snooping vlan (all | vlan-name) interface (all | interface-name) static]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure a static multicast group on an interface. ip-address—Valid IP multicast address for the multicast group.



•

show igmp-snooping membership on page 3450


3341

®


group (MLD Snooping) Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Documentation

3342

group ip-address; [edit protocols mld-snooping vlan (all | vlan-name) interface (all | interface-name) static]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure a static multicast group on an interface. ip-address—Valid IP multicast address for the multicast group.



•

show mld-snooping membership on page 3459



group Syntax

Hierarchy Level

Release Information

Description

group multicast-group-address { exclude; group-count number; group-increment increment; source ip-address { source-count number; source-increment increment; } } [edit logical-systems logical-system-name protocols igmp interface interface-name static], [edit protocols igmp interface interface-name static]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the IGMP multicast group address and (optionally) the source address for the multicast group being statically configured on an interface.

NOTE: You must specify a unique address for each group.



Enabling IGMP Static Group Membership


3343

®


group-ranges Syntax

Hierarchy Level

Release Information

Description

Default

Options

group-ranges { destination-ip-prefix; } [edit logical-systems logical-system-name protocols pim rp bidirectional address address], [edit logical-systems logical-system-name protocols pim rp embedded-rp], [edit logical-systems logical-system-name routing-instances instance-name protocols pim rp bidirectional address address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp embedded-rp], [edit protocols pim rp bidirectional address address], [edit protocols pim rp embedded-rp], [edit protocols pim rp local family (inet | inet6)], [edit protocols pim rp static address address], [edit routing-instances instance-name protocols pim rp bidirectional address address], [edit routing-instances routing-instance-name protocols pim rp embedded-rp], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6)], [edit routing-instances routing-instance-name protocols pim rp static address address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Support for bidirectional RP addresses introduced in Junos OS Release 12.1. Configure the address ranges of the multicast groups for which this routing device can be a rendezvous point (RP). The routing device is eligible to be the RP for all IPv4 or IPv6 groups (224.0.0.0/4 or FF70::/12 to FFF0::/12). destination-ip-prefix—Addresses or address ranges for which this routing

device can be an RP. Required Privilege Level Related Documentation


Configuring Local PIM RPs in the Junos OS Multicast Protocols Configuration Guide

•

Configuring PIM Embedded RP for IPv6 in the Junos OS Multicast Protocols Configuration Guide

•

3344

Example: Configuring Bidirectional PIM



groups Syntax Hierarchy Level Release Information Description Default Options

groups group-prefix; [edit protocols igmp-snooping vlan (all | vlan-name) data-forwarding source]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Specify the IP address range of the multicast VLAN (MVLAN) source interfaces. Disabled. group-prefix—IP address range of the source group. Each MVLAN must have exactly one groups statement. If there are multiple MVLANs on the switch, their group ranges

must be unique. Required Privilege Level Related Documentation



•



Release Information

Description Options

hello-interval seconds; [edit logical-systems logical-system-name protocols pim interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim interface interface-name], [edit protocols pim interface interface-name], [edit routing-instances routing-instance-name protocols pim interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify how often the routing device sends PIM hello packets out of an interface. seconds—Length of time between PIM hello packets.

Range: 0 through 255 Default: 30 seconds Required Privilege Level Related Documentation


hold-time (Protocols PIM) on page 3346

•

Modifying the PIM Hello Interval


3345

®


hold-time (PIM) Syntax Hierarchy Level

Release Information

Description

Options

hold-time seconds; [edit logical-systems logical-system-name protocols pim rp bidirectional address address], [edit logical-systems logical-system-name routing-instances instance-name protocols pim rp bidirectional address address], [edit protocols pim rp bidirectional address address], [edit protocols pim rp local family (inet | inet6)], [edit routing-instances instance-name protocols pim rp bidirectional address address], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Support for bidirectional RP addresses introduced in Junos OS Release 12.1. Specify the time period for which a neighbor is to consider the sending routing device (this routing device) to be operative (up). seconds—Hold time.


3346



•




igmp-snooping Syntax


igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } [edit protocols]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure IGMP snooping. The factory default configuration enables IGMP snooping on all VLANs. The remaining statements are explained separately.




•



3347

®


immediate-leave (IGMP Snooping) Syntax Hierarchy Level Release Information Description

immediate-leave; [edit protocols igmp-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure IGMP snooping immediate leave for the specified VLAN. When you configure immediate leave, host tracking is enabled, which allows the switch to track the hosts that send membership reports. The switch can then determine when the last host on an interface leaves the multicast group and immediately stop forwarding multicast traffic to the interface. Configuring immediate leave reduces the amount of time it takes for the switch to stop sending multicast traffic to an interface when the last host leaves the group. When immediate leave is disabled, the switch no longer tracks hosts. Instead, whenever it receives a leave report from a host, it sends out a group-specific query to all hosts. If it does not receive any membership reports on the interface in response to the group-specific query within a set interval, it stops forwarding multicast traffic to the interface.

NOTE: Immediate leave is supported for both IGMP version 2 (IGMPv2) and IGMPv3. However, with IGMPv2, we recommend that you configure immediate leave only when there is only one IGMP host on an interface. In IGMPv2, only one host on a interface sends a membership report in response to a general query—any other interested hosts suppress their reports. Report suppression avoids a flood of reports for the same group, but it also interferes with host tracking because the switch knows only about one interested host on the interface at any given time.


3348

The immediate-leave feature is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•




immediate-leave (MLD Snooping) Syntax Hierarchy Level Release Information Description

immediate-leave; [edit protocols mld-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure MLD snooping immediate leave for the specified VLAN. When you configure immediate leave, host tracking is enabled, which allows the switch to track the hosts that send membership reports. The switch can then determine when the last host on an interface leaves the multicast group and immediately stop forwarding multicast traffic to the interface. Configuring immediate leave reduces the amount of time it takes for the switch to stop sending multicast traffic to an interface when the last host leaves the group. When immediate leave is disabled, the switch no longer tracks hosts. Instead, whenever it receives a leave report from a host, it sends out a group-specific query to all hosts. If it does not receive any membership reports on the interface in response to the group-specific query within a set interval, it stops forwarding multicast traffic to the interface.

NOTE: Immediate leave is supported for both MLD version 1 (MLDv1) and MLDv2. However, with MLDv1, we recommend that you configure immediate leave only when there is only one MLD host on an interface. In MLDv1, only one host on a interface sends a membership report in response to a general query—any other interested hosts suppress their reports. Report suppression avoids a flood of reports for the same group, but it also interferes with host tracking because the switch knows only about one interested host on the interface at any given time.


The immediate-leave feature is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



3349

®


immediate-leave Syntax Hierarchy Level

Release Information

Description

immediate-leave; [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. The immediate leave setting is useful for minimizing the leave latency of IGMP memberships. When this setting is enabled, the routing device leaves the multicast group immediately after the last host leaves the multicast group. The immediate leave setting enables host tracking, meaning that the device keeps track of the hosts that send join messages. This allows IGMP to determine when the last host sends a leave message for the multicast group. When the immediate leave setting is enabled, the device removes an interface from the forwarding-table entry without first sending IGMP group-specific queries to the interface. The interface is pruned from the multicast tree for the multicast group specified in the IGMP leave message. The immediate leave setting ensures optimal bandwidth management for hosts on a switched network, even when multiple multicast groups are being used simultaneously. When immediate leave is disabled and one host sends a leave group message, the routing device first sends a group query to determine if another receiver responds. If no receiver responds, the routing device removes all hosts on the interface from the multicast group. Immediate leave is disabled by default for both IGMP version 2 and IGMP version 3.

NOTE: Although host tracking is enabled for IGMPv2 and MLDv1 when you enable immediate leave, use immediate leave with these versions only when there is one host on the interface. The reason is that IGMPv2 and MLDv1 use a report suppression mechanism whereby only one host on an interface sends a group join report in response to a membership query. The other interested hosts suppress their reports. The purpose of this mechanism is to avoid a flood of reports for the same group. But it also interferes with host tracking, because the router only knows about the one interested host and does not know about the others.


3350


Specifying Immediate-Leave Host Removal for IGMP



import (Bootstrap) Syntax Hierarchy Level

Release Information


import [ policy-names ]; [edit logical-systems logical-system-name protocols pim rp bootstrap (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp bootstrap (inet | inet6)], [edit protocols pim rp bootstrap (inet | inet6)], [edit routing-instances routing-instance-name protocols pim rp bootstrap (inet | inet6)]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more import policies to control incoming PIM bootstrap messages. policy-names—Name of one or more import policies.



•


•

export (Protocols PIM Bootstrap) on page 3338


3351

®


import (PIM) Syntax Hierarchy Level

Release Information

Description


3352

import [ policy-names ]; [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more policies to routes being imported into the routing table from PIM. Use the import statement to filter PIM join messages and prevent them from entering the network. policy-names—Name of one or more policies.


Filtering Incoming PIM Join Messages



infinity Syntax Hierarchy Level

Release Information

Description


infinity [ policy-names ]; [edit logical-systems logical-system-name protocols pim spt-threshold], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim spt-threshold], [edit protocols pim spt-threshold], [edit routing-instances routing-instance-name protocols pim spt-threshold]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply one or more policies to set the SPT threshold to infinity for a source-group address pair. Use the infinity statement to prevent the last-hop routing device from transitioning from the RPT rooted at the RP to an SPT rooted at the source for that source-group address pair. policy-names—Name of one or more policies.


Example: Configuring the PIM SPT Threshold Policy

install Syntax Hierarchy Level Release Information Description


install; [edit protocols igmp-snooping vlan (all | vlan-name) data-forwarding receiver]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Install forwarding entries in the multicast receiver VLAN. By default, only the multicast VLAN (MVLAN) installs forwarding entries for MVLAN groups. Disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



3353

®


interface Syntax

interface (all | interface-name) { accept-remote-source; disable; bfd-liveness-detection { authentication { algorithmalgorithm-name; key-chainkey-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (0 | 1 | automatic); } bidirectional { df-election { backoff-period milliseconds; offer-period milliseconds; robustness-count number; } } family (inet | inet6) { disable; } hello-interval seconds; mode (bidirectional-sparse | bidirectional-sparse-dense | dense | sparse | sparse-dense); neighbor-policy [ policy-names ]; override-interval milliseconds; priority number; propagation-delay milliseconds; reset-tracking-bit; version version; }

Hierarchy Level

[edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Release Information

Description

3354

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable PIM on an interface and configure interface-specific properties.



Options

interface-name—Name of the interface. Specify the full interface name, including the

physical and logical address components. To configure all interfaces, you can specify all. The remaining statements are explained separately. Required Privilege Level Related Documentation


PIM on Aggregated Interfaces

interface (IGMP Snooping) Syntax


Options

interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } [edit protocols igmp-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. For IGMP snooping, configure an interface as either a multicast-router interface or as a static member of a multicast group. all—All interfaces in the VLAN. interface-name—Name of the interface.




•


•



3355

®


interface (MLD Snooping) Syntax


Options

interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } [edit protocols mld-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. For MLD snooping, configure an interface either as a static multicast-router interface or as a static member of a multicast group. all—All interfaces in the VLAN. interface-name—Name of the interface.


3356



•


•




interface Syntax

Hierarchy Level

Release Information

Description Options

interface interface-name { disable; (accounting | no-accounting); group-limit limit; group-policy [ policy-names ]; immediate-leave; oif-map map-name; passive; promiscuous-mode; ssm-map ssm-map-name; ssm-map-policy ssm-map-policy-name; static { group multicast-group-address { exclude; group-count number; group-increment increment; source ip-address { source-count number; source-increment increment; } } } version version; } [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Enable IGMP on an interface and configure interface-specific properties. interface-name—Name of the interface. Specify the full interface name, including the

physical and logical address components. To configure all interfaces, you can specify all. The remaining statements are explained separately. Required Privilege Level Related Documentation


Enabling IGMP


3357

®


join-load-balance Syntax Hierarchy Level

Release Information


join-load-balance; [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Enable load balancing of PIM join messages across interfaces and routing devices. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Configuring PIM Join Load Balancing

•

clear pim join-distribution in the Junos OS Routing Protocols and Policies Command Reference

3358



local Syntax

Hierarchy Level

Release Information


local { disable; address address; family (inet | inet6) { disable; address address; anycast-pim { local-address address; rp-set { address address ; } } group-ranges { destination-ip-prefix; } hold-time seconds; override; priority number; } group-ranges { destination-ip-prefix; } hold-time seconds; override; priority number; } [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. The remaining statements are explained separately. Configure the routing device’s RP properties. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



3359

®


local-address Syntax Hierarchy Level

Release Information

Description


3360

local-address address; [edit logical-systems logical-system-name protocols pim rp local family (inet | inet6) anycast-pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp local family (inet | inet6) anycast-pim], [edit protocols pim rp local family (inet | inet6) anycast-pim], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6) anycast-pim]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the routing device local address for the anycast rendezvous point (RP). If this statement is omitted, the router ID is used as this address. address—Anycast RP IPv4 or IPv6 address, depending on family configuration.





mapping-agent-election Syntax Hierarchy Level

Release Information

Description Options

(mapping-agent-election | no-mapping-agent-election); [edit logical-systems logical-system-name protocols pim rp auto-rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp auto-rp], [edit protocols pim rp auto-rp], [edit routing-instances routing-instance-name protocols pim rp auto-rp]

Statement introduced in Junos OS Release 7.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the routing device mapping announcements as a mapping agent. mapping-agent-election—Mapping agents do not announce mappings when receiving

mapping messages from a higher-addressed mapping agent. no-mapping-agent-election—Mapping agents always announce mappings and do not

perform mapping agent election. Default: mapping-agent-election Required Privilege Level Related Documentation


Configuring PIM Auto-RP


3361

®


maximum-rps Syntax Hierarchy Level

Release Information

Description Options

maximum-rps limit; [edit logical-systems logical-system-name protocols pim rp embedded-rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp embedded-rp], [edit protocols pim rp embedded-rp], [edit routing-instances routing-instance-name protocols pim rp embedded-rp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Limit the number of RPs that the routing device acknowledges. limit—Number of RPs.


3362


Configuring PIM Embedded RP for IPv6



mld-snooping Syntax


mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } [edit protocols]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Enable and configure MLD snooping. The remaining statements are explained separately.




•



3363

®


mode Syntax Hierarchy Level

Release Information

Description Options

mode (bidirectional-sparse | bidirectional-sparse-dense | dense | sparse | sparse-dense); [edit logical-systems logical-system-name protocols pim interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim interface interface-name], [edit protocols pim interface interface-name], [edit routing-instances routing-instance-name protocols pim interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. bidirectional-sparse and bidirectional-sparse-dense options introduced in Junos OS Release 12.1. Configure the PIM mode on the interface. The choice of PIM mode is closely tied to controlling how groups are mapped to PIM modes, as follows: •

bidirectional-sparse—Use if all multicast groups are operating in bidirectional, sparse,

or SSM mode. •

bidirectional-sparse-dense—Use if multicast groups, except those that are specified in

the dense-groups statement, are operating in bidirectional, sparse, or SSM mode. •

dense—Use if all multicast groups are operating in dense mode.

•

sparse—Use if all multicast groups are operating in sparse mode or SSM mode.

•

sparse-dense—Use if multicast groups, except those that are specified in the dense-groups statement, are operating in sparse mode or SSM mode.

Default: Sparse mode Required Privilege Level Related Documentation


Configuring PIM Dense Mode Properties in the Junos OS Multicast Protocols Configuration Guide

•

Configuring PIM Sparse-Dense Mode Properties in the Junos OS Multicast Protocols Configuration Guide

•

3364




multicast-router-interface (IGMP Snooping) Syntax Hierarchy Level Release Information Description

multicast-router-interface; [edit protocols igmp-snooping vlan (all | vlan-name) interface (all | interface-name)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statically configure the interface as an IGMP snooping multicast-router interface—that is, an interface that faces towards an multicast router or other IGMP querier.

NOTE: If the specified interface is a trunk port, the interface becomes a multicast-router interface for all VLANs configured on the trunk port. In addition, all unregistered multicast packets, whether they are IPv4 or IPv6 packets, are forwarded to the multicast router interface, even if the interface is configured as a multicast-router interface only for IGMP snooping.




•


•



3365

®


multicast-router-interface (MLD Snooping) Syntax Hierarchy Level Release Information Description

multicast-router-interface; [edit protocols mld-snooping vlan (all | vlan-name) interface (all | interface-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statically configure the interface as a multicast-router interface—that is, an interface that faces towards a multicast router or other MLD querier.

NOTE: If the specified interface is a trunk port, the interface becomes a multicast-router interface for all VLANs configured on the trunk port. In addition, all unregistered multicast packets, whether they are IPv4 or IPv6 packets, are forwarded to the multicast router interface, even if the interface is configured as a multicast-router interface only for MLD snooping.


3366



•


•




neighbor-policy Syntax Hierarchy Level

Release Information


neighbor-policy [ policy-names ]; [edit logical-systems logical-system-name protocols pim interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim interface interface-name], [edit protocols pim interface interface-name], [edit routing-instances routing-instance-name protocols pim interface interface-name]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Apply a PIM interface-level policy to filter neighbor IP addresses. policy-name—Name of the policy that filters neighbor IP addresses.


Configuring Interface-Level PIM Neighbor Policies


3367

®


pim Syntax

3368

pim { disable; assert-timeout seconds; dense-groups { addresses; } dr-election-on-p2p; export; family (inet | inet6) { disable; } graceful-restart { disable; no-bidirectional-mode; restart-duration seconds; } import [ policy-names ]; interface interface-name { accept-remote-source; disable; bfd-liveness-detection { authentication { algorithm algorithm-name; key-chain key-chain-name; loose-check; } detection-time { threshold milliseconds; } minimum-interval milliseconds; minimum-receive-interval milliseconds; multiplier number; no-adaptation; transmit-interval { minimum-interval milliseconds; threshold milliseconds; } version (0 | 1 | automatic); } bidirectional { df-election { backoff-period milliseconds; offer-period milliseconds; robustness-count number; } } family (inet | inet6) { disable; } hello-interval seconds; mode (bidirectional-sparse | bidirectional-sparse-dense | dense | sparse | sparse-dense); neighbor-policy [ policy-names ];



override-interval milliseconds; priority number; propagation-delay milliseconds; reset-tracking-bit; version version; } join-load-balance; join-prune-timeout; mvpn { autodiscovery { inet-mdt; } } nonstop-routing; override-interval milliseconds; propagation-delay milliseconds; reset-tracking-bit; rib-group group-name; rp { auto-rp { (announce | discovery | mapping); (mapping-agent-election | no-mapping-agent-election); } bidirectional { address address { group-ranges { destination-ip-prefix; } hold-time seconds; priority number; } } bootstrap { family (inet | inet6) { export [ policy-names ]; import [ policy-names ]; priority number; } } bootstrap-import [ policy-names ]; bootstrap-export [ policy-names ]; bootstrap-priority number; dr-register-policy [ policy-names ]; embedded-rp { group-ranges { destination-ip-prefix; } maximum-rps limit; } local { family (inet | inet6) { address address; anycast-pim { rp-set { address address ; }


3369

®


disable; local-address address; } group-ranges { destination-ip-prefix; } hold-time seconds; override; priority number; } } rp-register-policy [ policy-names ]; spt-threshold { infinity [ policy-names ]; } static { address address { override; version version; group-ranges { destination-ip-prefix; } } } } rpf-selection { group group-address{ sourcesource-address{ next-hop next-hop-address; } wildcard-source { next-hop next-hop-address; } } prefix-list prefix-list-addresses { source source-address { next-hop next-hop-address; } wildcard-source { next-hop next-hop-address; } } traceoptions { file filename ; flag flag ; } tunnel-devices [ mt-fpc/pic/port ]; }

Hierarchy Level

3370

[edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]



Release Information

Description

Statement introduced before Junos OS Release 7.4. family statement introduced in Junos OS Release 9.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable PIM on the routing device. The statements are explained separately.


PIM is disabled on the routing device. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Configuring PIM Dense Mode Properties

•


priority (Bootstrap) Syntax Hierarchy Level

Release Information

Description Options

priority number; [edit logical-systems logical-system-name protocols pim rp bootstrap (inet | inet6)], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp bootstrap (inet | inet6)], [edit protocols pim rp bootstrap (inet | inet6)], [edit routing-instances routing-instance-name protocols pim rp bootstrap (inet | inet6)]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the routing device’s likelihood to be elected as the bootstrap router. number—Routing device’s priority for becoming the bootstrap router. A higher value

corresponds to a higher priority. Range: 0 through a 32-bit number Default: 0 (The routing device has the least likelihood of becoming the bootstrap router and sends packets with a priority of 0.) Required Privilege Level Related Documentation



•


•

bootstrap-priority on page 3330


3371

®


priority (PIM Interfaces) Syntax Hierarchy Level

Release Information

Description Options

priority number; [edit logical-systems logical-system-name protocols pim interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim interface interface-name], [edit protocols pim interface interface-name], [edit routing-instances routing-instance-name protocols pim interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the routing device’s likelihood to be elected as the designated router. number—Routing device’s priority for becoming the designated router. A higher value

corresponds to a higher priority. Range: 0 through a 32-bit number Default: 0 (The routing device has the least likelihood of becoming the designated router.) Required Privilege Level Related Documentation

3372


Configuring Interface Priority for PIM Designated Router Selection



priority (PIM RPs) Syntax Hierarchy Level

Release Information

Description

priority number; [edit logical-systems logical-system-name protocols pim rp bidirectional address address], [edit logical-systems logical-system-name routing-instances instance-name protocols pim rp bidirectional address address], [edit protocols pim rp bidirectional address address], [edit protocols pim rp local family (inet | inet6)], [edit routing-instances instance-name protocols pim rp bidirectional address address], [edit routing-instances routing-instance-name protocols pim rp local family (inet | inet6)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Support for bidirectional RP addresses introduced in Junos OS Release 12.1. For PIM-SM, configure this routing device’s priority for becoming an RP. For bidirectional PIM, configure this RP address’ priority for becoming an RP. The bootstrap router uses this field when selecting the list of candidate rendezvous points to send in the bootstrap message. A smaller number increases the likelihood that the routing device or RP address becomes the RP. A priority value of 0 means that bootstrap router can override the group range being advertised by the candidate RP.

Options

number—Priority for becoming an RP. A lower value corresponds to a higher priority.




•



3373

®


promiscuous-mode Syntax Hierarchy Level

Release Information


promiscuous-mode; [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify that the interface should accept IGMP reports from hosts on any subnetwork. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Accepting IGMP Messages from Remote Subnetworks

proxy Syntax Hierarchy Level Release Information Description


3374

proxy source-address ip-address; [edit protocols igmp-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Specify that the VLAN operates in proxy mode. The proxy option is supported only for a VLAN acting as a data-forwarding source. Disabled. source-address ip-address—IP address of the source VLAN to act as proxy.



•




query-interval Syntax Hierarchy Level

Release Information

Description Options

query-interval seconds; [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify how often the querier router sends general host-query messages. seconds—Time interval.



Modifying the IGMP Host-Query Message Interval

•

query-last-member-interval (Protocols IGMP) on page 3376

•

query-response-interval (Protocols IGMP) on page 3377


3375

®


query-last-member-interval Syntax Hierarchy Level

Release Information

Description Options

query-last-member-interval seconds; [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify how often the querier router sends group-specific query messages. seconds—Time interval, in fractions of a second or seconds.

Range: 0.1 through 0.9, then in 1-second intervals 1 through 999999 Default: 1 second Required Privilege Level Related Documentation

3376


Modifying the IGMP Last-Member Query Interval

•

query-interval (Protocols IGMP) on page 3375

•

query-response-interval (Protocols IGMP) on page 3377



query-response-interval Syntax Hierarchy Level

Release Information

Description

Options

query-response-interval seconds; [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify how long the querier router waits to receive a response to a host-query message from a host. seconds—The query response interval must be less than the query interval.



Modifying the IGMP Query Response Interval

•

query-interval (Protocols IGMP) on page 3375

•

query-last-member-interval (Protocols IGMP) on page 3376

receiver Syntax


receiver { source-vlans vlan-list; install (Multicast VLAN Registration); } [edit protocols igmp-snooping vlan (all | vlan-name) data-forwarding]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Configure a VLAN as a multicast receiver VLAN of the multicast VLAN (MVLAN). The remaining statements are explained separately.




•



3377

®


restart-duration Syntax Hierarchy Level

Release Information

Description Options

restart-duration seconds; [edit logical-systems logical-system-name protocols pim graceful-restart], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim graceful-restart], [edit protocols pim graceful-restart], [edit routing-instances routing-instance-name protocols pim graceful-restart]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the duration of the graceful restart interval. seconds—Time that the routing device waits (in seconds) to complete PIM sparse mode

graceful restart. Range: 30 through 300 Default: 60 Required Privilege Level Related Documentation

3378


Configuring PIM Sparse Mode Graceful Restart



rib-group Syntax

Hierarchy Level

Release Information

Description Options

rib-group { inet group-name; inet6 group-name; } [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Associate a routing table group with PIM. table-name—Name of the routing table. The name must be one that you defined with

the rib-groups statement at the [edit routing-options] hierarchy level. Required Privilege Level Related Documentation


Example: Configuring a Dedicated PIM RPF Routing Table


3379

®


robust-count (IGMP Snooping) Syntax Hierarchy Level Release Information

robust-count number; [edit protocols igmp-snooping vlan (all | vlan-name)]


Description

Configure the number of queries the switch sends before removing a multicast group from the multicast forwarding table. We recommend that the robust count be set to the same value on all multicast routers and switches in the VLAN.

Default

The default is the value of the robust-count statement configured for IGMP. The default for the IGMP robust-count statement is 2.

Options

number—Number of queries the switch sends before timing out a multicast group.




robust-count (MLD Snooping) Syntax Hierarchy Level Release Information Description

Default

Options

robust-count number; [edit protocols mld-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure the number of queries the switch sends before removing a multicast group from the multicast forwarding table. We recommend that the robust count be set to the same value on all multicast routers and switches in the VLAN. The default is the value of the robust-count statement configured for MLD. The default for the MLD robust-count statement is 2. number—Number of queries the switch sends before timing out a multicast group.


3380



•




robust-count Syntax Hierarchy Level

Release Information

Description

Options

robust-count number; [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Tune the expected packet loss on a subnet. This factor is used to calculate the group member interval, other querier present interval, and last-member query count. number—Robustness variable.



Modifying the IGMP Robustness Variable


3381

®


rp Syntax

3382

rp { auto-rp { (announce | discovery | mapping); (mapping-agent-election | no-mapping-agent-election); } bidirectional { address address { group-ranges { destination-ip-prefix; } hold-time seconds; priority number; } } bootstrap { family (inet | inet6) { export [ policy-names ]; import [ policy-names ]; priority number; } } bootstrap-export [ policy-names ]; bootstrap-import [ policy-names ]; bootstrap-priority number; dr-register-policy [ policy-names ]; embedded-rp { group-ranges { destination-ip-prefix; } maximum-rps limit; } local { family (inet | inet6) { disable; address address; anycast-pim { local-address address; address address ; rp-set { } } group-ranges { destination-ip-prefix; } hold-time seconds; override; priority number; } } rp-register-policy [ policy-names ]; static { address address {



override; version version; group-ranges { destination-ip-prefix; } } } }

Hierarchy Level

Release Information

Description

[edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the routing device as an actual or potential RP. A routing device can be an RP for more than one group. The remaining statements are explained separately.


If you do not include the rp statement, the routing device can never become the RP. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Understanding PIM Sparse Mode


3383

®


rp-register-policy Syntax Hierarchy Level

rp-register-policy [ policy-names ]; [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Release Information


Description

Apply one or more policies to control incoming PIM register messages.


3384

policy-names—Name of one or more import policies.


Configuring Register Message Filters on a PIM RP and DR

•

dr-register-policy on page 3336



rp-set Syntax

Hierarchy Level

Release Information

Description

rp-set { address address ; } [edit logical-systems logical-system-name protocols pim local family (inet | inet6) anycast-pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim local family (inet | inet6) anycast-pim], [edit protocols pim local family (inet | inet6) anycast-pim], [edit routing-instances routing-instance-name protocols pim local family (inet | inet6) anycast-pim]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure a set of rendezvous point (RP) addresses for anycast RP. You can configure up to 15 RPs. The remaining statements are explained separately.




source Syntax


source { groups (Multicast VLAN Registration) group-prefix; } [edit protocols igmp-snooping vlan (all | vlan-name) data-forwarding]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Configure a VLAN to be a multicast source VLAN (MVLAN). The remaining statement is explained separately.




•



3385

®


source Syntax

Hierarchy Level

Release Information

Description

Options

source ip-address { source-count number; source-increment increment; } [edit logical-systems logical-system-name protocols igmp interface interface-name static group multicast-group-address], [edit protocols igmp interface interface-name static group multicast-group-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the IP version 4 (IPv4) unicast source address for the multicast group being statically configured on an interface. ip-address—IPv4 unicast address.




source-vlans Syntax Hierarchy Level Release Information Description


3386

source-vlans vlan-list; [edit protocols igmp-snooping vlan (all | vlan-name) data-forwarding receiver]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Specify a list of multicast VLANs (MVLANs) from which this multicast receiver VLAN receives multicast traffic. Either all of these MVLANs must be in proxy mode or none of them can be in proxy mode. Disabled. vlan-list—Names of the MVLANs.



•




spt-threshold Syntax

Hierarchy Level

Release Information

Description

spt-threshold { infinity [ policy-names ]; } [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Set the SPT threshold to infinity for a source-group address pair. Last-hop multicast routing devices running PIM sparse mode can forward the same stream of multicast packets onto the same LAN through an RPT rooted at the RP or an SPT rooted at the source. By default, last-hop routing devices transition to a direct SPT to the source. You can configure this routing device to set the SPT transition value to infinity to prevent this transition for any source-group address pair. The remaining statements are explained separately.



Example: Configuring the PIM SPT Threshold Policy


3387

®


ssm-map Syntax Hierarchy Level

Release Information


3388

ssm-map ssm-map-name; [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Apply an SSM map to an IGMP interface. ssm-map-name—Name of SSM map.





static Syntax

Hierarchy Level

Release Information

Description

static { address address { group-ranges { destination-ip-prefix; } override; version version; } } [edit logical-systems logical-system-name protocols pim rp], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp], [edit protocols pim rp], [edit routing-instances routing-instance-name protocols pim rp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure static RP addresses. The default static RP address is 224.0.0.0/4. To configure other addresses, include one or more address statements. You can configure a static RP in a logical system only if the logical system is not directly connected to a source. For each static RP address, you can optionally specify the PIM version and the groups for which this address can be the RP. The default PIM version is version 1. The remaining statements are explained separately.



Configuring the Static PIM RP Address on the Non-RP Routing Device


3389

®


static (IGMP Snooping) Syntax


static { group ip-address; } [edit protocols igmp-snooping vlan (all | vlan-name) interface (all | interface-name)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statically define multicast groups on an interface. The remaining statement is explained separately.


No multicast groups are statically defined. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


static (MLD Snooping) Syntax


static { group ip-address; } [edit protocols mld-snooping vlan (all | vlan-name) interface (all | interface-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statically define multicast groups on an interface. The remaining statement is explained separately.


3390

No multicast groups are statically defined. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•




static Syntax

Hierarchy Level

Release Information

Description

static { group multicast-group-address { exclude; group-count number; group-increment increment; source ip-address { source-count number; source-increment increment; } } } [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Test multicast forwarding on an interface without a receiver host. The static statement simulates IGMP joins on a routing device statically on an interface without any IGMP hosts. It is supported for both IGMPv2 and IGMPv3 joins. This statement is especially useful for testing multicast forwarding on an interface without a receiver host.

NOTE: To prevent joining too many groups accidentally, the static statement is not supported with the interface all statement.





3391

®


traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name protocols pim], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim], [edit protocols pim], [edit routing-instances routing-instance-name protocols pim]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure PIM tracing options. To specify more than one tracing operation, include multiple flag statements.

Default

Options

The default PIM trace options are those inherited from the routing protocol's traceoptions statement included at the [edit routing-options] hierarchy level. disable—(Optional) Disable the tracing operation. You can use this option to disable a


name within quotation marks. All files are placed in the directory /var/log. We recommend that you place tracing output in the pim-log file. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you must also include the size statement to specify the maximum file size. Range: 2 through 1000 files Default: 2 files flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements. PIM Tracing Flags

3392

•

assert—Assert messages

•

bidirectional-df-election—Bidirectional PIM designated-forwarder (DF) election events



•

bootstrap—Bootstrap messages

•

cache—Packets in the PIM sparse mode routing cache

•

graft—Graft and graft acknowledgment messages

•

hello—Hello packets

•

join—Join messages

•

mt—Multicast tunnel messages

•

nsr-synchronization—Nonstop active routing (NSR) synchronization messages

•

packets—All PIM packets

•

prune—Prune messages

•

register—Register and register stop messages

•

rp—Candidate RP advertisements

•


•


•




•


•


•


•

timer—Timer usage




•


•



in the trace file. Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output.


3393

®


no-world-readable—(Optional) Do not allow users to read the log file. replace—(Optional) Replace an existing trace file if there is one.

Default: If you do not include this option, tracing output is appended to an existing trace file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When trace-file again reaches this size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you must also include the files statement to specify the maximum number of trace files. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 0 KB through the maximum file size supported on your system Default: 1 MB world-readable—(Optional) Allow any user to read the log file.


3394


Configuring PIM Trace Options

•

Tracing DVMRP Protocol Traffic

•

Tracing MSDP Protocol Traffic

•

Configuring PIM Trace Options



traceoptions (IGMP Snooping) Syntax


traceoptions { file filename ; flag flag ; } [edit protocols igmp-snooping]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Define tracing operations for IGMP snooping. The traceoptions feature is disabled by default. file filename—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. files number—(Optional) Maximum number of trace files, including the active trace file.

When a trace file reaches its maximum size, its contents are archived into a compressed file named filename.0 and the trace file is emptied. When the trace file reaches its maximum size again, the filename.0 archive file is renamed filename.1 and a new filename.0 archive file is created from the contents of the trace file. This process continues until the maximum number of trace files is reached, at which point the system starts overwriting the oldest archive file each time the trace file is archived. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 10 files flag flag—Tracing operation to perform. To specify more than one tracing operation,



•

general—Trace general IGMP snooping protocol events.

•

krt—Trace communication over routing socket.

•

leave—Trace leave group messages (IGMPv2 and IGMPv3 only).

•

nexthop—Trace nexthop-related events.

•

normal—Trace normal IGMP snooping protocol events. If you do not specify this flag,

only unusual or abnormal operations are traced. •

packets—Trace all IGMP packets.

•

policy—Trace policy processing.

•

query—Trace IGMP membership query messages.

•

report—Trace membership report messages.


3395

®


•

route—Trace routing information.

•

state—Trace IGMP state transitions.

•

task—Trace routing protocol task processing.

•

timer—Trace routing protocol timer processing.

•

vlan—Trace VLAN-related events.


these modifiers per flag: •

detail—Provide detailed trace information

•

disable—Disable the tracing operation. You can use this option to disable a single

operation when you have defined a broad group of tracing operations, such as all. •


•


no-stamp—(Optional) Omit the timestamp at the beginning of each line in the trace file. no-world-readable—(Optional) Restrict file access to the user who created the file. replace—(Optional) Replace an existing trace file if there is one. If you do not include this

option, tracing output is appended to an existing trace file. size size —(Optional) Maximum size of each trace file, in bytes, kilobytes (KB), megabytes

(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is zipped and renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum size, you also must specify a maximum number of files with the files option. Syntax: x to specify bytes, xk to specify KB, xm to specify MB, or xg to specify GB Range: 10240 through 4294967295 bytes Default: 128 KB world-readable—(Optional) Allow unrestricted file access.


3396


Configuring IGMP Snooping Tracing Operations (CLI Procedure) on page 3301



traceoptions (MLD Snooping) Syntax


traceoptions { file filename ; flag flag ; } [edit protocols mld-snooping]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Define tracing operations for MLD snooping. The traceoptions feature is disabled by default. file filename—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. files number—(Optional) Maximum number of trace files, including the active trace file.

When a trace file reaches its maximum size, its contents are archived into a compressed file named filename.0 and the trace file is emptied. When the trace file reaches its maximum size again, the filename.0 archive file is renamed filename.1 and a new filename.0 archive file is created from the contents of the trace file. This process continues until the maximum number of trace files is reached, at which point the system starts overwriting the oldest archive file each time the trace file is archived. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 10 files flag flag—Tracing operation to perform. To specify more than one tracing operation,



•

general—Trace general MLD snooping protocol events.

•

krt—Trace communication over routing socket.

•

leave—Trace leave group messages.

•

nexthop—Trace nexthop-related events.

•

normal—Trace normal MLD snooping protocol events. If you do not specify this flag,

only unusual or abnormal operations are traced. •

packets—Trace all MLD packets.

•

policy—Trace policy processing.

•

query—Trace MLD membership query messages.

•

report—Trace membership report messages.


3397

®


•

route—Trace routing information.

•

state—Trace MLD state transitions.

•

task—Trace routing protocol task processing.

•

timer—Trace routing protocol timer processing.

•

vlan—Trace VLAN-related events.


these modifiers per flag: •

detail—Provide detailed trace information

•

disable—Disable the tracing operation. You can use this option to disable a single

operation when you have defined a broad group of tracing operations, such as all. •


•


no-stamp—(Optional) Omit the timestamp at the beginning of each line in the trace file. no-world-readable—(Optional) Restrict file access to the user who created the file. replace—(Optional) Replace an existing trace file if there is one. If you do not include this

option, tracing output is appended to an existing trace file. size size —(Optional) Maximum size of each trace file, in bytes, kilobytes (KB), megabytes

(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is zipped and renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum size, you also must specify a maximum number of files with the files option. Syntax: x to specify bytes, xk to specify KB, xm to specify MB, or xg to specify GB Range: 10240 through 4294967295 bytes Default: 128 KB world-readable—(Optional) Allow unrestricted file access.


3398


Configuring MLD Snooping Tracing Operations (CLI Procedure) on page 3299



traceoptions Syntax

Hierarchy Level

Release Information

Description

traceoptions { file filename ; flag flag ; } [edit logical-systems logical-system-name protocols igmp], [edit protocols igmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure IGMP tracing options. To specify more than one tracing operation, include multiple flag statements. To trace the paths of multicast packets, use the mtrace command.

Default

Options

The default IGMP trace options are those inherited from the routing protocols traceoptions statement included at the [edit routing-options] hierarchy level. disable—(Optional) Disable the tracing operation. You can use this option to disable a


name within quotation marks. All files are placed in the directory /var/log. We recommend that you place tracing output in the file igmp-log. files number—(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you must also include the size statement to specify the maximum file size. Range: 2 through 1000 files Default: 2 files flag—Tracing operation to perform. To specify more than one tracing operation, include

multiple flag statements. IGMP Tracing Flags •

leave—Leave group messages (for IGMP version 2 only).

•

mtrace—Mtrace packets. Use the mtrace command to troubleshoot the software.

•

packets—All IGMP packets.


3399

®


•

query—IGMP membership query messages, including general and group-specific queries.

•

report—Membership report messages.

Global Tracing Flags •


•


•




•


•


•


•

timer—Timer usage




•


•



in the trace file. Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output. no-world-readable—(Optional) Do not allow users to read the log file. replace—(Optional) Replace an existing trace file if there is one.

Default: If you do not include this option, tracing output is appended to an existing trace file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When trace-file again reaches this size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

3400



If you specify a maximum file size, you must also include the files statement to specify the maximum number of trace files. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 1 MB world-readable—(Optional) Allow any user to read the log file.



Tracing IGMP Protocol Traffic

version Syntax Hierarchy Level

Release Information

Description Options

version version; [edit logical-systems logical-system-name protocols igmp interface interface-name], [edit protocols igmp interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the version of IGMP. version—IGMP version number.

Range: 1, 2, or 3 Default: IGMP version 2 Required Privilege Level Related Documentation


Changing the IGMP Version


3401

®


version (IGMP Snooping) Syntax Hierarchy Level Release Information

Description

Default Options

version number; [edit protocols igmp-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify the IGMP version for the IGMP general query that the switch sends to hosts when an interface comes up. The configured IGMP version affects only the version of the general queries sent by a switch. It does not affect the version of IGMP messages that the switch can snoop. For example, If the switch is configured for IGMP version 1 (IGMPv1), it can snoop IGMPv2 and IGMPv3 messages. If you do not configure the version statement, the default is IGMPv2. version—IGMP version number.


3402



•

Configuring IGMP Snooping



version (MLD Snooping) Syntax Hierarchy Level Release Information Description

Default Options

version version; [edit protocols mld-snooping vlan (all | vlan-name)]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Specify the MLD version for the MLD general query the switch sends to hosts when an interface comes up. The configured MLD version affects only the version of the general queries sent by a switch: it does not affect the version of MLD messages that the switch can snoop. If the switch is configured for MLD version 1 (MLDv1), it can snoop MLDv2 messages and vice versa. MLDv1 is the default. version—MLD version number.

Values: 1 or 2 Required Privilege Level Related Documentation




3403

®


version (PIM) Syntax Hierarchy Level

Release Information

Description Options

version version; [edit logical-systems logical-system-name protocols pim interface interface-name], [edit logical-systems logical-system-name protocols pim rp static address address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols pim rp static address address], [edit protocols pim interface interface-name], [edit protocols pim rp static address address], [edit routing-instances routing-instance-name protocols pim interface interface-name], [edit routing-instances routing-instance-name protocols pim rp static address address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Specify the version of PIM. version—PIM version number.

Range: 1 or 2 Default: PIMv1 for rendezvous point (RP) mode (at the [edit protocols pim rp static address address] hierarchy level). PIMv2 for interface mode (at the [edit protocols pim interface interface-name] hierarchy level). Required Privilege Level Related Documentation

3404


Enabling PIM Sparse Mode

•

Configuring PIM Dense Mode Properties

•




vlan (IGMP Snooping) Syntax


Description

vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } [edit protocols igmp-snooping]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches. Configure IGMP snooping parameters for a VLAN. When the vlan configuration statement is used without the disable statement, IGMP snooping is enabled on the specified VLAN or on all VLANs.

NOTE: You cannot configure IGMP snooping on a secondary VLAN.

Default Options

If the vlan statement is not included in the configuration, IGMP snooping is disabled. •

all—All VLANs on the switch

•

vlan-name—Name of a VLAN.

TIP: When you configure IGMP snooping parameters using the vlan all statement, any VLAN that is not individually configured for IGMP snooping


3405

®


inherits the vlan all configuration. Any VLAN that is individually configured for IGMP snooping, on the other hand, inherits none of its configuration from vlan all. Any parameters that are not explicitly defined for the individual VLAN assume their default values, not the values specified in the vlan all configuration. For example, in the following configuration: protocols { igmp-snooping { vlan all { robust-count 8; } vlan employee { interface ge-0/0/8.0 { static { group 239.0.10.3 } } } } }



3406



•


•




vlan (MLD Snooping) Syntax


vlan (all | vlan-name) { disable; immediate-leave; interface ( all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } [edit protocols mld-snooping]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Configure MLD snooping parameters for a VLAN. When the vlan configuration statement is used without the disable statement, MLD snooping is enabled on the specified VLAN or on all VLANs.

Default Options

If the vlan statement is not included in the configuration, MLD snooping is disabled. all—all VLANs on the switch. vlan-name—Name of a VLAN.

TIP: When you configure MLD snooping parameters using the vlan all statement, any VLAN that is not individually configured for MLD snooping inherits the vlan all configuration. Any VLAN that is individually configured for MLD snooping, on the other hand, inherits none of its configuration from vlan all. Any parameters that are not explicitly defined for the individual VLAN assume their default values, not the values specified in the vlan all configuration. For example, in the following configuration: protocols { mld-snooping { vlan all { robust-count 8; } vlan employee { interface ge-0/0/8.0 { static { group ff1e::1; } } }


3407

®


} }



3408



•


•



CHAPTER 86

Operational Commands for Multicast


3409

®


clear igmp membership Syntax

clear igmp membership


clear igmp membership

Release Information


Description Options

Clear Internet Group Management Protocol (IGMP) group members. none—Clear all IGMP members on all interfaces and for all address ranges. group address-range—(Optional) Clear all IGMP members that are in a particular address

range. An example of a range is 224.2/16. If you omit the destination prefix length, the default is /32. interface interface-name—(Optional) Clear all IGMP group members on an interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. Required Privilege Level Related Documentation


Output Fields

clear

•

show igmp group on page 3440

•

show igmp interface on page 3444

clear igmp membership on page 3410 clear igmp membership interface on page 3411 clear igmp membership group on page 3411 See show igmp group for an explanation of output fields.

Sample Output clear igmp membership

The following sample output displays IGMP group information before and after the clear igmp membership command is entered: user@host> show igmp group Interface Group so-0/0/0 224.2.127.253 so-0/0/0 224.2.127.254 so-0/0/0 239.255.255.255 so-0/0/0 224.1.127.255

3410

Last Reported 10.1.128.1 10.1.128.1 10.1.128.1 10.1.128.1

Timeout 186 186 187 188


Chapter 86: Operational Commands for Multicast

local local local local local local

224.0.0.6 224.0.0.5 224.2.127.254 239.255.255.255 224.0.0.2 224.0.0.13

(null) (null) (null) (null) (null) (null)

0 0 0 0 0 0

user@host> clear igmp membership Clearing Group Membership Info for so-0/0/0 Clearing Group Membership Info for so-1/0/0 Clearing Group Membership Info for so-2/0/0

user@host> show igmp group Interface Group local 224.0.0.6 local 224.0.0.5 local 224.2.127.254 local 239.255.255.255 local 224.0.0.2 local 224.0.0.13

clear igmp membership interface

Last Reported (null) (null) (null) (null) (null) (null)

Timeout 0 0 0 0 0 0

The following sample output displays IGMP group information before and after the clear igmp membership interface command is issued: user@host> show igmp group Interface Group so-0/0/0 224.2.127.253 so-0/0/0 239.255.255.255 so-0/0/0 224.1.127.255 so-0/0/0 224.2.127.254 local 224.0.0.6 local 224.0.0.5 local 224.2.127.254 local 239.255.255.255 local 224.0.0.2 local 224.0.0.13

Last Reported 10.1.128.1 10.1.128.1 10.1.128.1 10.1.128.1 (null) (null) (null) (null) (null) (null)

Timeout 210 210 215 216 0 0 0 0 0 0

user@host> clear igmp membership interface so-0/0/0 Clearing Group Membership Info for so-0/0/0

user@host> show igmp group Interface Group local 224.0.0.6 local 224.0.0.5 local 224.2.127.254 local 239.255.255.255 local 224.0.0.2 local 224.0.0.13

clear igmp membership group

Last Reported (null) (null) (null) (null) (null) (null)

Timeout 0 0 0 0 0 0

The following sample output displays IGMP group information before and after the clear igmp membership group command is entered: user@host> show igmp group Interface Group so-0/0/0 224.2.127.253 so-0/0/0 239.255.255.255 so-0/0/0 224.1.127.255


Last Reported 10.1.128.1 10.1.128.1 10.1.128.1

Timeout 210 210 215

3411

®


so-0/0/0 local local local local local local

224.2.127.254 224.0.0.6 224.0.0.5 224.2.127.254 239.255.255.255 224.0.0.2 224.0.0.13

10.1.128.1 (null) (null) (null) (null) (null) (null)

216 0 0 0 0 0 0

user@host> clear igmp membership group 239.225/16 Clearing Group Membership Range 239.225.0.0/16 on so-0/0/0 Clearing Group Membership Range 239.225.0.0/16 on so-1/0/0 Clearing Group Membership Range 239.225.0.0/16 on so-2/0/0

user@host> show igmp group Interface Group so-0/0/0 224.1.127.255 so-0/0/0 224.2.127.254 so-0/0/0 224.2.127.253 local 224.0.0.6 local 224.0.0.5 local 224.2.127.254 local 239.255.255.255 local 224.0.0.2 local 224.0.0.13

3412

Last Reported 10.1.128.1 10.1.128.1 10.1.128.1 (null) (null) (null) (null) (null) (null)

Timeout 231 233 236 0 0 0 0 0 0



clear igmp statistics Syntax


Description Options

clear igmp statistics clear igmp statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Clear Internet Group Management Protocol (IGMP) statistics. none—Clear IGMP statistics on all interfaces. interface interface-name—(Optional) Clear IGMP statistics for the specified interface



clear

•

show igmp statistics on page 3447

clear igmp statistics on page 3413 See show igmp statistics for an explanation of output fields.

Sample Output clear igmp statistics

The following sample output displays IGMP statistics information before and after the clear igmp statistics command is entered: user@host> show igmp statistics IGMP packet statistics for all interfaces IGMP Message type Received Sent Membership Query 8883 459 V1 Membership Report 0 0 DVMRP 19784 35476 PIM V1 18310 0 Cisco Trace 0 0 V2 Membership Report 0 0 Group Leave 0 0 Mtrace Response 0 0 Mtrace Request 0 0 Domain Wide Report 0 0 V3 Membership Report 0 0 Other Unknown types IGMP v3 unsupported type


Rx errors 0 0 0 0 0 0 0 0 0 0 0 0 0

3413

®


IGMP v3 source required for SSM IGMP v3 mode not applicable for SSM IGMP Global Statistics Bad Length Bad Checksum Bad Receive If Rx non-local

0 0 0 1227

user@host> clear igmp statistics user@host> show igmp statistics IGMP packet statistics for all interfaces IGMP Message type Received Sent Membership Query 0 0 V1 Membership Report 0 0 DVMRP 0 0 PIM V1 0 0 Cisco Trace 0 0 V2 Membership Report 0 0 Group Leave 0 0 Mtrace Response 0 0 Mtrace Request 0 0 Domain Wide Report 0 0 V3 Membership Report 0 0 Other Unknown types IGMP v3 unsupported type IGMP v3 source required for SSM IGMP v3 mode not applicable for SSM IGMP Global Statistics Bad Length 0 Bad Checksum 0 Bad Receive If 0 Rx non-local 0

3414

0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0



clear igmp-snooping membership Syntax


Options

clear igmp-snooping membership

Command introduced in Junos OS Release 9.1 for EX Series switches. Clear IGMP snooping dynamic membership information from the multicast forwarding table. none—Clear dynamic membership information for all VLANs. vlan vlan-name —(Optional) Clear dynamic membership information for the specified

VLAN. Required Privilege Level Related Documentation


view

•


•



Sample Output clear igmp-snooping membership

user@switch> clear igmp-snooping membership vlan employee-vlan


3415

®


clear igmp-snooping statistics Syntax Release Information Description Required Privilege Level Related Documentation


clear igmp-snooping statistics

Command introduced in Junos OS Release 9.1 for EX Series switches. Clear IGMP snooping statistics. view

•


•



Sample Output clear igmp-snooping statistics

3416

user@switch> clear igmp-snooping statistics



clear mld-snooping membership Syntax


Options

clear mld-snooping membership

Command introduced in Junos OS Release 12.1 for EX Series switches. Clear MLD snooping dynamic membership information from the multicast forwarding table. none—Clear dynamic membership information for all VLANs. vlan vlan-name—(Optional) Clear dynamic membership information for the specified



view

•


•


clear mld-snooping membership vlan employee-vlan on page 3417

Sample Output clear mld-snooping membership vlan employee-vlan

user@switch> clear mld-snooping membership vlan employee-vlan


3417

®


clear mld-snooping statistics Syntax Release Information Description Required Privilege Level Related Documentation


clear mld-snooping statistics

Command introduced in Junos OS Release 12.1 for EX Series switches. Clear MLD snooping statistics. view

•

show mld-snooping statistics on page 3465

•



Sample Output clear mld-snooping statistics

3418

user@switch> clear mld-snooping statistics



clear multicast bandwidth-admission Syntax

Release Information

Description Options

clear multicast bandwidth-admission

Command introduced in Junos OS Release 8.3. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 and instance options introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Reapply IP multicast bandwidth admissions. none—Reapply multicast bandwidth admissions for all IPv4 forwarding entries in the

master routing instance. group group-address—(Optional) Reapply multicast bandwidth admissions for the

specified group. inet—(Optional) Reapply multicast bandwidth admission settings for IPv4 flows. inet6—(Optional) Reapply multicast bandwidth admission settings for IPv6 flows. instance instance-name—(Optional) Reapply multicast bandwidth admission settings

for the specified instance. If you do not specify an instance, the command applies to the master routing instance. interface interface-name—(Optional) Examines the corresponding outbound interface in

the relevant entries and acts as follows: •

If the interface is congested, and it was admitted previously, it is removed.

•

If the interface was rejected previously, the clear multicast bandwidth-admission command enables the interface to be admitted as long as enough bandwidth exists on the interface.

•

If you do not specify an interface, issuing the clear multicast bandwidth-admission command readmits any previously rejected interface for the relevant entries as long as enough bandwidth exists on the interface.

To manually reject previously admitted outbound interfaces, you must specify the interface. source source-address—(Optional) Use with the group option to reapply multicast

bandwidth admission settings for the specified (source, group) entry. Required Privilege Level

clear


3419

®


Related Documentation List of Sample Output Output Fields

•

show multicast interface on page 3471

clear multicast bandwidth-admission on page 3420 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear multicast bandwidth-admission

3420

user@host> clear multicast bandwidth-admission



clear multicast scope Syntax

clear multicast scope


clear multicast scope

Release Information

Command introduced in Junos OS Release 7.6. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 option introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description Options

Clear IP multicast scope statistics. none—(Same as logical-system all) Clear multicast scope statistics. inet—(Optional) Clear multicast scope statistics for IPv4 family addresses. inet6—(Optional) Clear multicast scope statistics for IPv6 family addresses. interface interface-name—(Optional) Clear multicast scope statistics on a specific

interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


clear

•

show multicast scope on page 3492

clear multicast scope on page 3421 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear multicast scope

user@host> clear multicast scope


3421

®


clear multicast sessions Syntax

clear multicast sessions


clear multicast sessions

Release Information


Description Options

Clear IP multicast sessions. none—(Same as logical-system all) Clear multicast sessions. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. regular-expression—(Optional) Clear only multicast sessions that contain the specified

regular expression. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•

show multicast sessions on page 3494

clear multicast sessions on page 3422 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear multicast sessions

3422

user@host> clear multicast sessions



clear multicast statistics Syntax

clear multicast statistics


clear multicast statistics

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 and instance options introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description Options

Clear IP multicast statistics. none—Clear multicast statistics for all supported address families on all interfaces. inet—(Optional) Clear multicast statistics for IPv4 family addresses. inet6—(Optional) Clear multicast statistics for IPv6 family addresses. instance instance-name—(Optional) Clear multicast statistics for the specified instance. interface interface-name—(Optional) Clear multicast statistics on a specific interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


clear

•

show multicast statistics

clear multicast statistics on page 3423 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear multicast statistics

user@host> clear multicast statistics


3423

®


clear pim join Syntax

clear pim join


clear pim join

Release Information


Description Options

Clear the Protocol Independent Multicast (PIM) join and prune states. none—Clear the PIM join and prune states for all groups, family addresses, and instances. group-address—(Optional) Clear the PIM join and prune states for a group address. inet | inet6—(Optional) Clear the PIM join and prune states for IPv4 or IPv6 family

addresses, respectively. instance instance-name—(Optional) Clear the join and prune states for a specific

PIM-enabled routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical



The clear pim join command cannot be used to clear the PIM join and prune state on a backup Routing Engine when nonstop active routing is enabled. clear

•

show pim join on page 3505

clear pim join on page 3424 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear pim join

3424

user@host> clear pim join



clear pim register Syntax

clear pim register


clear pim register

Release Information

Command introduced in Junos OS Release 7.6. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 and instance options introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description Options

Clear Protocol Independent Multicast (PIM) register message counters. none—Clear PIM register message counters for all family addresses, instances, and interfaces. inet | inet6—(Optional) Clear PIM register message counters for IPv4 or IPv6 family

addresses, respectively. instance instance-name—(Optional) Clear register message counters for a specific

PIM-enabled routing instance. interface interface-name—(Optional) Clear PIM register message counters for a specific

interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical



The clear pim register command cannot be used to clear the PIM register state on a backup Routing Engine when nonstop active routing is enabled. clear

•

show pim statistics on page 3526

clear pim register on page 3425 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear pim register

user@host> clear pim register


3425

®


3426



clear pim statistics Syntax

clear pim statistics


clear pim statistics

Release Information


Description Options

Clear Protocol Independent Multicast (PIM) statistics. none—Clear PIM statistics for all family addresses, instances, and interfaces. inet | inet6—(Optional) Clear PIM statistics for IPv4 or IPv6 family addresses, respectively. instance instance-name—(Optional) Clear statistics for a specific PIM-enabled routing

instance. interface interface-name—(Optional) Clear PIM statistics for a specific interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical



The clear pim statistics command cannot be used to clear the PIM statistics on a backup Routing Engine when nonstop active routing is enabled. clear

•

show pim statistics on page 3526

clear pim statistics on page 3427 See show pim statistics for an explanation of output fields.

Sample Output clear pim statistics

The following sample output displays PIM statistics before and after the clear pim statistics command is entered: user@host> show pim statistics


3427

®


PIM statistics on all interfaces: PIM Message type Received Sent Hello 0 0 Register 0 0 Register Stop 0 0 Join Prune 0 0 Bootstrap 0 0 Assert 0 0 Graft 0 0 Graft Ack 0 0 Candidate RP 0 0 V1 Query 2111 4222 V1 Register 0 0 V1 Register Stop 0 0 V1 Join Prune 14200 13115 V1 RP Reachability 0 0 V1 Assert 0 0 V1 Graft 0 0 V1 Graft Ack 0 0 PIM statistics summary for all interfaces: Unknown type 0 V1 Unknown type 0 Unknown Version 0 Neighbor unknown 0 Bad Length 0 Bad Checksum 0 Bad Receive If 0 Rx Intf disabled 2007 Rx V1 Require V2 0 Rx Register not RP 0 RP Filtered Source 0 Unknown Reg Stop 0 Rx Join/Prune no state 1040 Rx Graft/Graft Ack no state 0 ...

user@host> clear pim statistics user@host> show pim statistics PIM statistics on all interfaces: PIM Message type Received Hello 0 Register 0 Register Stop 0 Join Prune 0 Bootstrap 0 Assert 0 Graft 0 Graft Ack 0 Candidate RP 0 V1 Query 1 V1 Register 0 ...

3428

Sent 0 0 0 0 0 0 0 0 0 0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0



mtrace Syntax

Release Information

Description Options

mtrace source

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 9.5 for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. Command introduced in Junos OS Release 11.3 for the QFX Series. Display trace information about an IP multicast path. source—Source hostname or address. logical-system (logical-system-name)—(Optional) Perform this operation on a logical

system. routing-instance routing-instance-name—(Optional) Trace a particular routing instance.



The mtrace command for multicast traffic is similar to the traceroute command used for unicast traffic. Unlike traceroute, mtrace traces traffic backwards, from the receiver to the source. view

mtrace source on page 3431 Table 368 on page 3429 describes the output fields for the mtrace command. Output fields are listed in the approximate order in which they appear.

Table 368: mtrace Output Fields Field Name

Field Description

Mtrace from

IP address of the receiver.

to

IP address of the source.

via group

IP address of the multicast group (if any).

Querying full reverse path

Indicates the full reverse path query has begun.

number-of-hops

Number of hops from the source to the named router or switch.

router-name

Name of the router or switch for this hop.

address

Address of the router or switch for this hop.


3429

®


Table 368: mtrace Output Fields (continued)

3430

Field Name

Field Description

protocol

Protocol used (for example, PIM).

Round trip time

Average round-trip time, in milliseconds (ms).

total ttl of

Time-to-live (TTL) threshold.



Sample Output mtrace source

user@host> mtrace 192.1.4.2 Mtrace from 192.1.4.2 to 192.1.1.2 via group 0.0.0.0 Querying full reverse path... * * 0 routerA.lab.mycompany.net (192.1.1.2) -1 routerB.lab.mycompany.net (192.1.2.2) PIM thresh^ 1 -2 routerC.lab.mycompany.net (192.1.3.2) PIM thresh^ 1 -3 hostA.lab.mycompany.net (192.1.4.2) Round trip time 2 ms; total ttl of 2 required.


3431

®


mtrace from-source Syntax

Release Information

Description

Options

mtrace from-source source source

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display trace information about an IP multicast path from a source to this router or switch. If you specify a group address with this command, Junos OS returns additional information, such as packet rates and losses. brief | detail—(Optional) Display the specified level of output. extra-hops extra-hops—(Optional) Number of hops to take after reaching a nonresponsive

router. You can specify a number between 0 and 255. group group—(Optional) Group address for which to trace the path. The default group

address is 0.0.0.0. interval interval—(Optional) Number of seconds to wait before gathering statistics again.

The default value is 10 seconds. loop—(Optional) Loop indefinitely, displaying rate and loss statistics. max-hops max-hops—(Optional) Maximum hops to trace toward the source. The range

of values is 0 through 255. The default value is 32 hops. max-queries max-queries—(Optional) Maximum number of query attempts for any hop.

The range of values is 1 through 32. The default is 3. multicast-response—(Optional) Always request the response using multicast. no-resolve—(Optional) Do not attempt to display addresses symbolically. no-router-alert—(Optional) Do not use the router-alert IP option. response response—(Optional) Send trace response to a host or multicast address.

3432



routing-instance routing-instance-name—(Optional) Trace a particular routing instance. source source—Source hostname or address. ttl ttl—(Optional) IP time-to-live (TTL) value. You can specify a number between 0 and 255. Local queries to the multicast group use a value of 1. Otherwise, the default

value is 127. unicast-response—(Optional) Always request the response using unicast. wait-time wait-time—(Optional) Number of seconds to wait for a response. The default

value is 3. Required Privilege Level List of Sample Output Output Fields

view

mtrace from-source on page 3434 Table 369 on page 3433 describes the output fields for the mtrace from-source command. Output fields are listed in the approximate order in which they appear.

Table 369: mtrace from-source Output Fields Field Name

Field Description

Mtrace from


to


via group




number-of-hops


router-name


address


protocol


Round trip time


total ttl of


source

Source address.

Response Dest

Response destination address.

Overall

Average packet rate for all traffic at each hop.


3433

®


Table 369: mtrace from-source Output Fields (continued) Field Name

Field Description

Packet Statistics for Traffic From

Number of packets lost, number of packets sent, percentage of packets lost, and average packet rate at each hop.

Receiver

IP address receiving the multicast.

Query source

IP address sending the mtrace query.

Sample Output mtrace from-source

user@host> mtrace from-source source 192.1.4.2 group 225.1.1.1 Mtrace from 192.1.4.2 to 192.1.1.2 via group 225.1.1.1 Querying full reverse path... * * 0 routerA.lab.mycompany.net (192.1.1.2) -1 routerB.lab.mycompany.net (192.1.2.2) PIM thresh^ 1 -2 routerC.lab.mycompany.net (192.1.3.2) PIM thresh^ 1 -3 hostA.lab.mycompany.net (192.1.4.2) Round trip time 2 ms; total ttl of 2 required. Waiting to accumulate statistics...Results after 10 seconds: Source Response Dest Overall Packet Statistics For Traffic From 192.1.4.2 192.1.1.2 Packet 192.1.4.2 To 225.1.1.1 v __/ rtt 2 ms Rate Lost/Sent = Pct Rate 192.1.2.1 192.1.3.2 routerC.lab.mycompany.net v ^ ttl 2 0/0 = -0 pps 192.1.4.1 192.1.2.2 routerB.lab.mycompany.net v \__ ttl 3 ?/0 0 pps 192.1.1.2 192.1.1.2 Receiver Query Source

3434



mtrace monitor Syntax Release Information

Description


mtrace monitor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Listen passively for IP multicast responses. To exit the mtrace monitor command, type Ctrl+c. none—Trace the master instance.

view

mtrace monitor on page 3436 Table 370 on page 3435 describes the output fields for the mtrace monitor command. Output fields are listed in the approximate order in which they appear.

Table 370: mtrace monitor Output Fields Field Name

Field Description

Mtrace query at

Date and time of the query.

by

Address of the host issuing the query.

resp to

Response destination.

qid

Query ID number.

packet from...to

IP address of the query source and default group destination.

from...to

IP address of the multicast source and the response address.

via group

IP address of the group to trace.

mxhop

Maximum hop setting.


3435

®


Sample Output mtrace monitor

user@host> mtrace monitor Mtrace query at Oct 22 13:36:14 by 192.1.3.2, resp to 224.0.1.32, qid 74a5b8 packet from 192.1.3.2 to 224.0.0.2 from 192.1.3.2 to 192.1.3.38 via group 224.1.1.1 (mxhop=60) Mtrace query at Oct 22 13:36:17 by 192.1.3.2, resp to 224.0.1.32, qid 1d07ba packet from 192.1.3.2 to 224.0.0.2 from 192.1.3.2 to 192.1.3.38 via group 224.1.1.1 (mxhop=60) Mtrace query at Oct 22 13:36:20 by 192.1.3.2, resp to same, qid 2fea1d packet from 192.1.3.2 to 224.0.0.2 from 192.1.3.2 to 192.1.3.38 via group 224.1.1.1 (mxhop=60) Mtrace query at Oct 22 13:36:30 by 192.1.3.2, resp to same, qid 7c88ad packet from 192.1.3.2 to 224.0.0.2 from 192.1.3.2 to 192.1.3.38 via group 224.1.1.1 (mxhop=60)

3436



mtrace to-gateway Syntax

Release Information

Description

Options

mtrace to-gateway gateway gateway

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Display trace information about a multicast path from this router or switch to a gateway router or switch. gateway gateway—Send the trace query to a gateway multicast address. brief | detail—(Optional) Display the specified level of output. extra-hops extra-hops—(Optional) Number of hops to take after reaching a nonresponsive

router or switch. You can specify a number between 0 and 255. group group—(Optional) Group address for which to trace the path. The default group

address is 0.0.0.0. interface interface-name—(Optional) Source address for sending the trace query. interval interval—(Optional) Number of seconds to wait before gathering statistics again.

The default value is 10. loop—(Optional) Loop indefinitely, displaying rate and loss statistics. max-hops max-hops—(Optional) Maximum hops to trace toward the source. You can

specify a number between 0 and 255.. The default value is 32. max-queries max-queries—(Optional) Maximum number of query attempts for any hop.

You can specify a number between 0 and 255. The default value is 3. multicast-response—(Optional) Always request the response using multicast. no-resolve—(Optional) Do not attempt to display addresses symbolically.


3437

®


no-router-alert—(Optional) Do not use the router-alert IP option. response response—(Optional) Send trace response to a host or multicast address. routing-instance routing-instance-name—(Optional) Trace a particular routing instance. ttl ttl—(Optional) IP time-to-live value. You can specify a number between 0 and 225.

Local queries to the multicast group use TTL 1. Otherwise, the default value is 127. unicast-response—(Optional) Always request the response using unicast. wait-time wait-time—(Optional) Number of seconds to wait for a response. The default

value is 3. Required Privilege Level List of Sample Output Output Fields

view

mtrace to-gateway on page 3438 Table 371 on page 3438 describes the output fields for the mtrace to-gateway command. Output fields are listed in the approximate order in which they appear.

Table 371: mtrace to-gateway Output Fields Field Name

Field Description

Mtrace from


to


via group




number-of-hops


router-name


address


protocol


Round trip time


total ttl of


Sample Output mtrace to-gateway

user@host> mtrace to-gateway gateway 192.1.3.2 group 225.1.1.1 interface 192.1.1.73 brief Mtrace from 192.1.1.73 to 192.1.1.2 via group 225.1.1.1 Querying full reverse path... * * 0 routerA.lab.mycompany.net (192.1.1.2)

3438



-1 routerA.lab.mycompany.net (192.1.1.2) PIM -2 routerB.lab.mycompany.net (192.1.2.2) PIM -3 routerC.lab.mycompany.net (192.1.3.2) PIM Round trip time 2 ms; total ttl of 3 required.


thresh^ 1 thresh^ 1 thresh^ 1

3439

®


show igmp group Syntax

show igmp group


show igmp group

Release Information


Description Options

Display Internet Group Management Protocol (IGMP) group membership information. none—Display standard information about membership for all IGMP groups. brief | detail—(Optional) Display the specified level of output. group-name—(Optional) Display group membership for the specified IP address only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

•

clear igmp membership on page 3410

show igmp group (Include Mode) on page 3441 show igmp group (Exclude Mode) on page 3442 show igmp group brief on page 3442 show igmp group detail on page 3442 Table 372 on page 3440 describes the output fields for the show igmp group command. Output fields are listed in the approximate order in which they appear.

Table 372: show igmp group Output Fields Field Name

Field Description

Level of Output

Interface

Name of the interface that received the IGMP membership report. A name of local indicates that the local routing device joined the group itself.

All levels

Group

Group address.

All levels

Group Mode

Mode the SSM group is operating in: Include or Exclude.

All levels

Source

Source address.

All levels

3440



Table 372: show igmp group Output Fields (continued) Field Name

Field Description

Level of Output

Source timeout

Time remaining until the group traffic is no longer forwarded. The timer is refreshed when a listener in include mode sends a report. A group in exclude mode or configured as a static group displays a zero timer.

detail

Last reported by

Address of the host that last reported membership in this group.

All levels

Timeout

Time remaining until the group membership is removed.

brief none

Group timeout

Time remaining until a group in exclude mode moves to include mode. The timer is refreshed when a listener in exclude mode sends a report. A group in include mode or configured as a static group displays a zero timer.

detail

Type

Type of group membership:

All levels

•

Dynamic—Host reported the membership.

•

Static—Membership is configured.

Sample Output show igmp group (Include Mode)

user@host> show igmp group Interface: t1-0/1/0.0 Group: 232.1.1.1 Group mode: Include Source: 10.0.0.2 Last reported by: 10.9.5.2 Timeout: 24 Type: Dynamic Group: 232.1.1.1 Group mode: Include Source: 10.0.0.3 Last reported by: 10.9.5.2 Timeout: 24 Type: Dynamic Group: 232.1.1.1 Group mode: Include Source: 10.0.0.4 Last reported by: 10.9.5.2 Timeout: 24 Type: Dynamic Group: 232.1.1.2 Group mode: Include Source: 10.0.0.4 Last reported by: 10.9.5.2 Timeout: 24 Type: Dynamic Interface: t1-0/1/1.0 Interface: ge-0/2/2.0 Interface: ge-0/2/0.0 Interface: local Group: 224.0.0.2 Source: 0.0.0.0 Last reported by: Local Timeout: 0 Type: Dynamic Group: 224.0.0.22 Source: 0.0.0.0


3441

®


Last reported by: Local Timeout: 0 Type: Dynamic

show igmp group (Exclude Mode)

user@host> show igmp group Interface: t1-0/1/0.0 Interface: t1-0/1/1.0 Interface: ge-0/2/2.0 Interface: ge-0/2/0.0 Interface: local Group: 224.0.0.2 Source: 0.0.0.0 Last reported by: Local Timeout: 0 Type: Dynamic Group: 224.0.0.22 Source: 0.0.0.0 Last reported by: Local Timeout: 0 Type: Dynamic

show igmp group brief

The output for the show igmp group brief command is identical to that for the show igmp group command.

show igmp group detail

user@host> show igmp group detail Interface: t1-0/1/0.0 Group: 232.1.1.1 Group mode: Include Source: 10.0.0.2 Source timeout: 12 Last reported by: 10.9.5.2 Group timeout: 0 Type: Group: 232.1.1.1 Group mode: Include Source: 10.0.0.3 Source timeout: 12 Last reported by: 10.9.5.2 Group timeout: 0 Type: Group: 232.1.1.1 Group mode: Include Source: 10.0.0.4 Source timeout: 12 Last reported by: 10.9.5.2 Group timeout: 0 Type: Group: 232.1.1.2 Group mode: Include Source: 10.0.0.4 Source timeout: 12 Last reported by: 10.9.5.2 Group timeout: 0 Type: Interface: t1-0/1/1.0 Interface: ge-0/2/2.0 Interface: ge-0/2/0.0 Interface: local Group: 224.0.0.2 Group mode: Exclude Source: 0.0.0.0 Source timeout: 0 Last reported by: Local Group timeout: 0 Type: Group: 224.0.0.22 Group mode: Exclude Source: 0.0.0.0

3442

Dynamic

Dynamic

Dynamic

Dynamic

Dynamic



Source timeout: 0 Last reported by: Local Group timeout: 0 Type: Dynamic


3443

®


show igmp interface Syntax

show igmp interface


show igmp interface

Release Information


Description

Options

Display information about Internet Group Management Protocol (IGMP)-enabled interfaces. none—Display standard information about all IGMP-enabled interfaces. brief | detail—(Optional) Display the specified level of output. interface-name—(Optional) Display information about the specified IGMP-enabled

interface only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

•

clear igmp membership on page 3410

show igmp interface on page 3446 show igmp interface brief on page 3446 show igmp interface detail on page 3446 Table 373 on page 3444 describes the output fields for the show igmp interface command. Output fields are listed in the approximate order in which they appear.

Table 373: show igmp interface Output Fields Field Name

Field Description

Level of Output

Interface


All levels

Querier

Address of the routing device that has been elected to send membership queries.

All levels

State

State of the interface: Up or Down.

All levels

3444



Table 373: show igmp interface Output Fields (continued) Field Name

Field Description

Level of Output

SSM Map Policy

Name of the source-specific multicast (SSM) map policy that has been applied to the IGMP interface.

All levels

Timeout

How long until the IGMP querier is declared to be unreachable, in seconds.

All levels

Version

IGMP version being used on the interface: 1 , 2 , or 3.

All levels

Groups

Number of groups on the interface.

All levels

Immediate Leave

State of the immediate leave option:

All levels

•

On—Indicates that the router removes a host from the multicast group as soon as the

router receives a leave group message from a host associated with the interface. •

Off—Indicates that after receiving a leave group message, instead of removing a host

from the multicast group immediately, the router sends a group query to determine if another receiver responds. Promiscuous Mode

State of the promiscuous mode option: •

All levels

On—Indicates that the router can accept IGMP reports from subnetworks that are not

associated with its interfaces. •

Off—Indicates that the router can accept IGMP reports only from subnetworks that

are associated with its interfaces. Passive

State of the passive mode option: •

All levels

On—Indicates that the router can run IGMP on the interface but not send or receive

control traffic such as IGMP reports, queries, and leaves. •

Off—Indicates that the router can run IGMP on the interface and send or receive control

traffic such as IGMP reports, queries, and leaves. The passive statement enables you to selectively activate up to two out of a possible three available query or control traffic options. When enabled, the following options appear after the on state declaration: •

send-general-query—The interface sends general queries.

•

send-group-query—The interface sends group-specific and group-source-specific

queries. •

allow-receive—The interface receives control traffic.

OIF map

Name of the OIF map (if configured) associated with the interface.

All levels

SSM map

Name of the source-specific multicast (SSM) map (if configured) used on the interface.

All levels


3445

®


Table 373: show igmp interface Output Fields (continued) Field Name

Field Description

Level of Output

Configured Parameters

Information configured by the user:

All levels

•

IGMP Query Interval—Interval (in seconds) at which this router sends membership

queries when it is the querier. •

IGMP Query Response Interval—Time (in seconds) that the router waits for a report in

response to a general query. •

IGMP Last Member Query Interval—Time (in seconds) that the router waits for a report

in response to a group-specific query. •

Derived Parameters

IGMP Robustness Count—Number of times the router retries a query.

Derived information: •

All levels

IGMP Membership Timeout—Timeout period (in seconds) for group membership. If no

report is received for these groups before the timeout expires, the group membership is removed. •

IGMP Other Querier Present Timeout—Time (in seconds) that the router waits for the

IGMP querier to send a query.

Sample Output show igmp interface

user@host> show igmp interface Interface: at-0/3/1.0 Querier: 10.111.30.1 State: Up Timeout: SSM Map Policy: ssm-policy-A Interface: so-1/0/0.0 Querier: 10.111.10.1 State: Up Timeout: SSM Map Policy: ssm-policy-B Interface: so-1/0/1.0 Querier: 10.111.20.1 State: Up Timeout: SSM Map Policy: ssm-policy-C Immediate Leave: On Promiscuous Mode: Off

None Version:

2 Groups:

4

None Version:

2 Groups:

2

None Version:

2 Groups:

4

Configured Parameters: IGMP Query Interval: 125.0 IGMP Query Response Interval: 10.0 IGMP Last Member Query Interval: 1.0 IGMP Robustness Count: 2 Derived Parameters: IGMP Membership Timeout: 260.0 IGMP Other Querier Present Timeout: 255.0

show igmp interface brief

The output for the show igmp interface brief command is identical to that for the show igmp interface command. For sample output, see show igmp interface on page 3446.

show igmp interface detail

The output for the show igmp interface detail command is identical to that for the show igmp interface command. For sample output, see show igmp interface on page 3446.

3446



show igmp statistics Syntax

show igmp statistics


show igmp statistics

Release Information


Description Options

Display Internet Group Management Protocol (IGMP) statistics. none—Display IGMP statistics for all interfaces. brief | detail—(Optional) Display the specified level of output. interface interface-name—(Optional) Display IGMP statistics about the specified interface



Output Fields

view

•

clear igmp statistics on page 3413

show igmp statistics on page 3448 show igmp statistics interface on page 3449 Table 374 on page 3447 describes the output fields for the show igmp statistics command. Output fields are listed in the approximate order in which they appear.

Table 374: show igmp statistics Output Fields Field Name

Field Description

IGMP packet statistics

Heading for IGMP packet statistics for all interfaces or for the specified interface name.


3447

®


Table 374: show igmp statistics Output Fields (continued) Field Name

Field Description

IGMP Message type

Summary of IGMP statistics: •

Membership Query—Number of membership queries sent and received.

•

V1 Membership Report—Number of version 1 membership reports sent and received.

•

DVMRP—Number of DVMRP messages sent or received.

•

PIM V1—Number of PIM version 1 messages sent or received.

•

Cisco Trace—Number of Cisco trace messages sent or received.

•

V2 Membership Report—Number of version 2 membership reports sent or received.

•

Group Leave—Number of group leave messages sent or received.

•

Mtrace Response—Number of Mtrace response messages sent or received.

•

Mtrace Request—Number of Mtrace request messages sent or received.

•

Domain Wide Report—Number of domain-wide reports sent or received.

•

V3 Membership Report—Number of version 3 membership reports sent or received.

•

Other Unknown types—Number of unknown message types received.

•

IGMP v3 unsupported type—Number of messages received with unknown and unsupported IGMP

version 3 message types. •

IGMP v3 source required for SSM—Number of IGMP version 3 messages received that contained no

source. •

IGMP v3 mode not applicable for SSM—Number of IGMP version 3 messages received that did not

contain a mode applicable for source-specific multicast (SSM). Received

Number of messages received.

Sent

Number of messages sent.

Rx errors

Number of received packets that contained errors.

IGMP Global Statistics

Summary of IGMP statistics for all interfaces. •

Bad Length—Number of messages received with length errors so severe that further classification

could not occur. •

Bad Checksum—Number of messages received with a bad IP checksum. No further classification

was performed. •

Bad Receive If—Number of messages received on an interface not enabled for IGMP.

•

Rx non-local—Number of messages received from senders that are not local.

•

Timed out—Number of groups that timed out as a result of not receiving an explicit leave message.

•

Rejected Report—Number of reports dropped because of the IGMP group policy.

•

Total Interfaces—Number of interfaces configured to support IGMP.

Sample Output show igmp statistics

3448

user@host> show igmp statistics IGMP packet statistics for all interfaces IGMP Message type Received Sent Membership Query 8883 459 V1 Membership Report 0 0 DVMRP 0 0 PIM V1 0 0

Rx errors 0 0 0 0



Cisco Trace 0 V2 Membership Report 0 Group Leave 0 Mtrace Response 0 Mtrace Request 0 Domain Wide Report 0 V3 Membership Report 0 Other Unknown types IGMP v3 unsupported type IGMP v3 source required for SSM IGMP v3 mode not applicable for SSM IGMP Global Statistics Bad Length Bad Checksum Bad Receive If Rx non-local Timed out Rejected Report Total Interfaces

show igmp statistics interface

0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0 0

0 0 0 1227 0 0 2

user@host> show igmp statistics interface fe-1/0/1.0 IGMP interface packet statistics for fe-1/0/1.0 IGMP Message type Received Sent Rx errors Membership Query 0 230 0 V1 Membership Report 0 0 0


3449

®


show igmp-snooping membership Syntax


show igmp-snooping membership

Command introduced in Junos OS Release 9.1 for EX Series switches. Display the multicast group membership information maintained by IGMP snooping. none—Display the multicast group membership information for all VLANs on which IGMP

snooping is enabled. brief | detail—(Optional) Display the specified level of output. The default is brief. interface interface-name—(Optional) Display the multicast group membership information

for the specified interface. vlan (vlan-id | vlan-name)—(Optional) Display the multicast group membership for the

specified VLAN. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


show igmp-snooping membership on page 3451 show igmp-snooping membership detail on page 3451 show igmp-snooping membership vlan vlan60 detail on page 3452 Table 375 on page 3450 lists the output fields for the show igmp-snooping membership command. Output fields are listed in the approximate order in which they appear.

Table 375: show igmp-snooping membership Output Fields Field Name

Field Description

Level of Output

VLAN

Name of the VLAN.

All

Interfaces

Interfaces that are members of the listed multicast group.

All

Tag

Numerical identifier of the VLAN.

detail

3450



Table 375: show igmp-snooping membership Output Fields (continued) Field Name

Field Description

Level of Output

Router interfaces

List of information about multicast-router interfaces:

detail

•

Name of the multicast-router interface.

•

static or dynamic—Whether the multicast router interface is static or

dynamic. •

Uptime—For static interfaces, amount of time since the interface was

configured as a multicast-router interface or since the interface last flapped. For dynamic interfaces, amount of time since the first query was received on the interface or since the interface last flapped. •

timeout—Seconds remaining before a dynamic multicast-router interface

times out. Group

IP multicast address of the multicast group.

detail

The following information is provided for the multicast group: •

Name of the interface belonging to the multicast group.

•

timeout—Time (in seconds) left until the entry for the multicast group is

removed from the multicast group if no membership reports are received on the interface. This counter is reset to its maximum value when a membership report is received. •

Last reporter—Last host to report membership for the multicast group.

•

Receiver count—Number of hosts on the interface that are members of the multicast group. This field appears only if immediate-leave is configured

on the VLAN. •

Flags—The lowest IGMP version in use by a host that is a member of the

group on the interface. If the flag static is included, the interface has been configured as static member of the multicast group. •

Include source—Multicast source addresses from all IGMPv3 membership

reports received for the group on the interface.

Sample Output show igmp-snooping membership

user@switch> show igmp-snooping membership VLAN: vlan24 224.1.1.1 * Interfaces: ge-0/0/0.0 224.1.1.100 * Interfaces: ge-0/0/0.0 225.1.1.100 * Interfaces: ge-0/0/0.0

show igmp-snooping membership detail

user@switch> show igmp-snooping membership detail VLAN: vlan24 Tag: 24 (Index: 3) Router interfaces: ge-0/0/8.0 dynamic Uptime: 00:08:35 timeout: 254 Group: 224.1.1.1 ge-0/0/0.0 timeout: 223 Receiver count: 1, Flags: Group: 224.1.1.100 ge-0/0/0.0 timeout: 170 Last reporter: 10.10.1.10 Receiver count: 1, Flags:


3451

®


Group: 225.1.1.100 ge-0/0/0.0 timeout: 168 Last reporter: 10.10.1.10 Receiver count: 1, Flags:

show igmp-snooping membership vlan vlan60 detail

3452

user@switch> show igmp-snooping membership vlan vlan60 detail VLAN: vlan_60 Tag: 60 (Index: 184) Group: 228.1.1.1 Receiver count: 1, Flags: V3-hosts ge-0/0/47.0 Uptime: 02:40:41 timeout: 237 Last reporter: 80.1.0.100 Include source: 50.8.0.100, 50.8.0.101, 50.8.0.102, 50.8.0.103, 50.8.0.104



show igmp-snooping route Syntax


show igmp-snooping route

Command introduced in Junos OS Release 9.1 for EX Series switches. Display IGMP snooping route information. none—Display route information for all VLANs on which IGMP snooping is enabled. brief | detail—(Optional) Display the specified level of output. The default is brief. ethernet-switching—(Optional) Display information on Layer 2 multicast routes. This is

the default. inet—(Optional) Display information for Layer 3 multicast routes. vlan (vlan-id | vlan-name)—(Optional) Display route information for the specified VLAN.



Output Fields

view

•


•


•


•


•


show igmp-snooping route vlan v18 on page 3454 show igmp-snooping route detail on page 3454 show igmp-snooping route inet detail on page 3454 Table 376 on page 3453 lists the output fields for the show igmp-snooping route command. Output fields are listed in the approximate order in which they appear.

Table 376: show igmp-snooping route Output Fields Field Name

Field Description

Table

Routing table ID for virtual routing instances.

Routing Table


VLAN

Name of the VLAN on which IGMP snooping is enabled.

Group

Multicast IPv4 group address.


3453

®


Table 376: show igmp-snooping route Output Fields (continued) Field Name

Field Description

Next-hop

ID associated with the next-hop device.

Routing next-hop

ID associated with the Layer 3 next-hop device.

Interface or Interfaces

Name of the interface or interfaces in the VLAN associated with the multicast group.

Layer 2 next-hop


Sample Output show igmp-snooping route vlan v18

user@switch> show igmp-snooping route vlan v18 VLAN Group Next-hop vlan18 224.0.0.0, * vlan18 225.20.20.1, * 1539

show igmp-snooping route detail

user@switch> show igmp-snooping route detail VLAN Group Next-hop default 224.0.0.0, * vlan100 224.0.0.0, * 1332 Interfaces: ge-1/0/1.0 VLAN Group Next-hop vlan100 226.0.0.1, * 1334 Interfaces: ge-1/0/1.0, ge-5/0/30.0

show igmp-snooping route inet detail

user@switch> show igmp-snooping route inet detail Routing table: 0 Group: 229.0.0.1, 171.2.60.100 Routing next-hop: 3448 vlan.100 Interface: vlan.100, VLAN: vlan100, Layer 2 next-hop: 3343

3454



show igmp-snooping statistics Syntax Release Information Description Required Privilege Level Related Documentation


show igmp-snooping statistics

Command introduced in Junos OS Release 9.1 for EX Series switches. Display IGMP snooping statistics. view

•


•


•


•


•


•


show igmp-snooping statistics on page 3456 Table 377 on page 3455 lists the output fields for the show igmp-snooping statistics command. Output fields are listed in the approximate order in which they appear.

Table 377: show igmp-snooping statistics Output Fields Field Name

Field Description

Bad length

IGMP packet has illegal or bad length.

Bad checksum

IGMP or IP checksum is incorrect.

Invalid interface

Packet was received through an invalid interface.

Not local

Not used—always 0.

Receive unknown

Unknown IGMP type.

Timed out


IGMP Type

Type of IGMP message (Query, Report, Leave, or Other).

Received

Number of IGMP packets received.

Transmitted

Number of IGMP packets transmitted.

Recv Errors

Number of packets received that did not conform to the IGMP version 1 (IGMPv1), IGMPv2, or IGMPv3 standards.


3455

®


Sample Output show igmp-snooping statistics

user@switch> show igmp-snooping statistics Bad length: 0 Bad checksum: 0 Invalid interface: 0 Not local: 0 Receive unknown: 0 Timed out: 0 IGMP Type Queries: Reports: Leaves: Other:

3456

Received 74295 18148423 0 0

Transmitted 0 0 0 0

Recv Errors 0 16333523 0 0



show igmp-snooping vlans Syntax


show igmp-snooping vlans

Command introduced in Junos OS Release 9.1 for EX Series switches. Display IGMP snooping information for a VLAN or for all VLANs. none—Display IGMP snooping information for all VLANs on which IGMP snooping is

enabled. brief | detail—(Optional) Display the specified level of output. The default is brief. vlan (vlan-id | vlan vlan-number)—(Optional) Display IGMP snooping information for the



Output Fields

view

•


•


•


•


•


show igmp-snooping vlans on page 3458 show igmp-snooping vlans vlan v10 on page 3458 show igmp-snooping vlans vlan 1 detail on page 3458 Table 378 on page 3457 lists the output fields for the show igmp-snooping vlans command. Output fields are listed in the approximate order in which they appear.

Table 378: show igmp-snooping vlans Output Fields Field Name

Field Description

Level of Output

VLAN

Name of the VLAN.

All levels

Interfaces

Number of interfaces in the VLAN.

brief

Groups

Number of groups in the VLAN.

brief

MRouters

Number of multicast routers in the VLAN.

brief

Receivers

Number of VLAN interfaces with a receiver for any group. Indicates how many VLAN interfaces would receive data because of IGMP membership.

brief


3457

®


Table 378: show igmp-snooping vlans Output Fields (continued) Field Name

Field Description

Level of Output

RxVlans

Number of MVR receiver VLANs configured for that MVR source VLAN.

brief

Tag

VLAN tag.

detail

vlan-interface

The Layer 3 interface, if any, associated with the VLAN.

detail

Interface


detail

The following information is provided for each interface: •

tagged or untagged—Whether the interface accepts tagged packets (trunk

mode and tagged-access mode ports) or untagged packets (access mode ports) •

Groups—The number of multicast groups the interface belongs to.

•

Reporters—The number of hosts on the interface that are current members of multicast groups. This field appears only when immediate-leave is configured

on the VLAN. •

Router—Indicates the interface is a multicast-router interface.

Sample Output show igmp-snooping vlans

user@switch> show igmp-snooping vlans VLAN Interfaces Groups MRouters Receivers RxVlans default 0 0 0 0 0 v1 4 0 1 0 0 v10 1 0 0 0 0 v11 1 0 0 0 0 v180 3 0 1 0 0 v181 3 0 0 0 0 v182 3 0 0 0 0

show igmp-snooping vlans vlan v10

user@switch> show igmp-snooping vlans vlan v10 VLAN Interfaces Groups MRouters Receivers RxVlans v10 1 0 0 0 0

show igmp-snooping vlans vlan 1 detail

user@switch> show igmp-snooping vlans vlan 1 detail VLAN: vlan1, Tag: 1, vlan-interface: vlan.1 Interface: ae0.0, tagged, Groups: 0 Interface: xe-49/0/4.0, tagged, Groups: 0, Router Interface: ge-3/0/4.0, tagged, Groups: 0

3458



show mld-snooping membership Syntax


show mld-snooping membership

Command introduced in Junos OS Release 12.1 for EX Series switches. Display the multicast group membership information maintained by MLD snooping. none—Display the multicast group membership information for all VLANs on which MLD

snooping is enabled. brief | detail—(Optional) Display the specified level of output. The default is brief. interface interface-name—(Optional) Display the multicast group membership information

for the specified interface. vlan (vlan-id | vlan-name)—(Optional) Display the multicast group membership for the



Output Fields

view

•


•

show mld-snooping route on page 3462

•


•


•


•


show mld-snooping membership on page 3460 show mld-snooping membership detail on page 3461 Table 379 on page 3459 lists the output fields for the show mld-snooping membership command. Output fields are listed in the approximate order in which they appear.

Table 379: show mld-snooping membership Output Fields Field Name

Field Description

Level of Output

VLAN

Name of the VLAN.

All

Interfaces

Interfaces that are members of the listed multicast group.

brief

Tag

Numerical identifier of the VLAN.

detail


3459

®


Table 379: show mld-snooping membership Output Fields (continued) Field Name

Field Description

Level of Output

Router interfaces

List of information about multicast-router interfaces:

detail

•

Name of the multicast-router interface.

•

static or dynamic—Whether the multicast-router

interface has been statically configured or dynamically learned. •

Uptime—For static interfaces, amount of time since the

interface was configured as a multicast-router interface or since the interface last flapped. For dynamic interfaces, amount of time since the first query was received on the interface or since the interface last flapped. •

timeout—Seconds remaining before a dynamic

multicast-router interface times out. Group

IP multicast address of the multicast group.

detail

The following information is provided for the multicast group: •

Name of the interface belonging to the multicast group.

•

Timeout—Time (in seconds) left until a dynamically

learned interface is removed from the multicast group if no MLD membership reports are received on the interface. This counter is reset to its maximum value when a membership report is received. •

Flags—The lowest MLD version in use by a host that is

a member of the group on the interface. If the flag static is included, the interface has been configured as static member of the multicast group. •

Receiver count—Number of hosts on the interface that

are members of the multicast group. This field appears only if immediate-leave is configured on the VLAN. •

Last reporter—Last host to report membership for the

multicast group. •

Include source—Multicast source addresses from all

MLDv2 membership reports received for the group on the interface.

Sample Output show mld-snooping membership

3460

user@switch> show mld-snooping membership VLAN: mld_vlan ff1e::2010 Interfaces: ge-1/0/30.0 ff1e::2011 Interfaces: ge-1/0/30.0 ff1e::2012 Interfaces: ge-1/0/30.0 ff1e::2013 Interfaces: ge-1/0/30.0 ff1e::2014 Interfaces: ge-1/0/30.0



show mld-snooping membership detail

user@switch> show mld-snooping membership detail VLAN: mld-vlan Tag: 100 (Index: 3) Router interfaces: ge-1/0/0.0 static Uptime: 00:57:13 Group: ff1e::2010 ge-1/0/30.0 Timeout: 180 Flags: Last reporter: fe80::2020:1:1:3 Include source: 2020:1:1:1::2 VLAN: mld-vlan1 Tag: 200 (Index: 4) Router interfaces: ae200.0 dynamic Uptime: 00:14:24 timeout: 244 Group: ff1e::2010 ge-12/0/31.0 Timeout: 224 Flags: Last reporter: fe80::2020:1:1:4


3461

®


show mld-snooping route Syntax


show mld-snooping route

Command introduced in Junos OS Release 12.1 for EX Series switches. Display multicast route information maintained by MLD snooping. none—Display route information for all VLANs on which MLD snooping is enabled. brief | detail—(Optional) Display the specified level of output. The default is brief. ethernet-switching—(Optional) Display information on Layer 2 IPv6 multicast routes.

This is the default. inet6—(Optional) Display information on Layer 3 IPv6 multicast routes. vlan (vlan-id | vlan-name) —(Optional) Display route information for the specified VLAN.



Output Fields

view

•


•


•


•


•


show mld-snooping route on page 3463 show mld-snooping route detail on page 3463 show mld-snooping route inet6 detail on page 3464 Table 380 on page 3462 lists the output fields for the show mld-snooping route command. Output fields are listed in the approximate order in which they appear.

Table 380: show mld-snooping route Output Fields

3462

Field Name

Field Description

Table


Routing Table


VLAN

Name of the VLAN on which MLD snooping is enabled.



Table 380: show mld-snooping route Output Fields (continued) Field Name

Field Description

Group

Multicast IPv6 group address. Only the last 32 bits of the address are shown. The switch uses only these bits in determining multicast routes.

Next-hop

ID associated with the next-hop device.

Routing next-hop


Interface or Interfaces

Name of the interface or interfaces in the VLAN associated with the multicast group.

Layer 2 next-hop


Sample Output show mld-snooping route

user@switch> show mld-snooping route VLAN vlan1 vlan1 vlan10 vlan10 vlan11 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 vlan2 vlan20 vlan20 vlan3 vlan4 vlan5 vlan6 vlan7 vlan8 vlan9 default

show mld-snooping route detail

Group ::0000:0001 ff00:: ::0000:0002 ff00:: ::0000:0002 ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ::0000:0002 ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00:: ff00::

Next-hop 1464 1599 1513

1602

user@switch> show mld-snooping route detail VLAN Group Next-hop mld-vlan ::0000:2010 1323 Interfaces: ge-1/0/30.0 VLAN Group Next-hop mld-vlan ff00:: 1317 Interfaces: ge-1/0/0.0 VLAN Group Next-hop mld-vlan ::0000:0000 1317


3463

®


Interfaces: ge-1/0/0.0 VLAN Group Next-hop mld-vlan1 ::0000:2010 1324 Interfaces: ge-12/0/31.0 VLAN Group Next-hop mld-vlan1 ff00:: 1318 Interfaces: ae200.0 VLAN Group Next-hop mld-vlan1 ::0000:0000 1318 Interfaces: ae200.0

show mld-snooping route inet6 detail

3464

user@switch> show mld-snooping route inet6 detail Routing table: 0 Group: ff05::1, 4001::11 Routing next-hop: 1352 vlan.2 Interface: vlan.2, VLAN: vlan2, Layer 2 next-hop: 1387



show mld-snooping statistics Syntax Release Information Description Required Privilege Level Related Documentation


show mld-snooping statistics

Command introduced in Junos OS Release 12.1 for EX Series switches. Display MLD snooping statistics. view

•


•


•


•


•


show mld-snooping statistics on page 3466 Table 381 on page 3465 lists the output fields for the show mld-snooping statistics command. Output fields are listed in the approximate order in which they appear.

Table 381: show mld-snooping statistics Output Fields Field Name

Field Description

Bad length

MLD packet has illegal or bad length.

Bad checksum

MLD or IP checksum is incorrect.

Invalid interface

Packet was received through an invalid interface.

Not Local


Receive unknown

Unknown MLD message type.

Timed out


MLD Type

Type of MLD message (Query, Report, Leaves, or Other).

Received

Number of MLD packets received.

Transmitted

Number of MLD packets transmitted.

Recv Errors

Number of packets received that did not conform to the MLD version 1 (MLDv1) or MLDv2 standards.


3465

®


Sample Output show mld-snooping statistics

user@switch> show mld-snooping statistics Bad length: 0 Bad checksum: 0 Invalid interface: 0 Not local: 0 Receive unknown: 0 Timed out: 0 MLD Type Queries: Reports: Leaves: Other:

3466

Received 74295 18148423 0 0

Transmitted 0 0 0 0

Recv Errors 0 16333523 0 0



show mld-snooping vlans Syntax


show mld-snooping vlans

Command introduced in Junos OS Release 12.1 for EX Series switches. Display MLD snooping information for a VLAN or for all VLANs. none—Display MLD snooping information for all VLANs on which MLD snooping is enabled. brief | detail—(Optional) Display the specified level of output. The default is brief. vlan vlan-name —(Optional) Display MLD snooping information for the specified VLAN.



Output Fields

view

•


•


•


•


•


show mld-snooping vlans on page 3468 show mld-snooping vlans vlan v10 on page 3468 show mld-snooping vlans vlan vlan2 detail on page 3468 show mld-snooping vlans detail on page 3468 Table 378 on page 3457 lists the output fields for the show mld-snooping vlans command. Output fields are listed in the approximate order in which they appear.

Table 382: show mld-snooping vlans Output Fields Field Name

Field Description

Level of Output

VLAN

Name of the VLAN.

All levels

Interfaces

Number of interfaces in the VLAN.

brief

Groups

Number of groups in the VLAN.

brief

MRouters

Number of multicast-router interfaces in the VLAN.

brief

Receivers

Number of interfaces in the VLAN with a receiver for any group. Indicates how many interfaces might receive data because of MLD group membership.

brief

Tag

VLAN tag.

detail


3467

®


Table 382: show mld-snooping vlans Output Fields (continued) Field Name

Field Description

Level of Output

vlan-interface

The Layer 3 interface, if any, associated with the VLAN.

detail

Interface


detail

The following information is provided for each interface: •

tagged or untagged—Whether the interface accepts tagged packets (trunk

mode and tagged-access mode ports) or untagged packets (access mode ports) •

Groups—The number of multicast groups the interface belongs to

•

Reporters—The number of hosts on the interface that are current members of multicast groups. This field appears only when immediate-leave is configured

on the VLAN. •

Router—Indicates the interface is a multicast-router interface

Sample Output show mld-snooping vlans

user@switch> show mld-snooping vlans VLAN Interfaces Groups MRouters Receivers default 0 0 0 0 v1 11 50 0 0 v10 1 0 0 0 v11 1 0 0 0 v180 3 0 1 0 v181 3 0 0 0 v182 3 0 0 0

show mld-snooping vlans vlan v10

user@switch> show igmp-snooping vlans vlan v10 VLAN Interfaces Groups MRouters Receivers v10 3 1 1 0

show mld-snooping vlans vlan vlan2 detail

0

user@switch> show mld-snooping vlans vlan vlan2 detail VLAN: vlan2, Tag: 2, vlan-interface: vlan.2 Interface: ge-0/0/2.0, untagged, Groups: 5 Interface: ge-0/0/4.0, tagged, Groups: 3, Router

show mld-snooping vlans detail

3468

user@switch> show mld-snooping vlans detail VLAN: mld-vlan, Tag: 100 Interface: ge-1/0/0.0, untagged, Groups: 0, Router Interface: ge-1/0/30.0, untagged, Groups: 1 Interface: ge-1/0/33.0, untagged, Groups: 0 Interface: ge-12/0/30.0, untagged, Groups: 0 VLAN: mld-vlan1, Tag: 200 Interface: ge-1/0/31.0, untagged, Groups: 0 Interface: ge-12/0/31.0, untagged, Groups: 1 Interface: ae200.0, untagged, Groups: 0, Router



show multicast flow-map Syntax

show multicast flow-map


show multicast flow-map

Release Information


Description Options

Display configuration information about IP multicast flow maps. none—Display configuration information about IP multicast flow maps on all systems. brief | detail—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show multicast flow-map on page 3470 show multicast flow-map detail on page 3470 Table 383 on page 3469 describes the output fields for the show multicast flow-map command. Output fields are listed in the approximate order in which they appear.

Table 383: show multicast flow-map Output Fields Field Name

Field Description

Levels of Output

Name

Name of the flow map.

All levels

Policy

Name of the policy associated with the flow map.

All levels

Cache-timeout

Cache timeout value assigned to the flow map.

All levels

Bandwidth

Bandwidth setting associated with the flow map.

All levels

Adaptive

Whether or not adaptive mode is enabled for the flow map.

none

Flow-map

Name of the flow map.

detail

Adaptive Bandwidth

Whether or not adaptive mode is enabled for the flow map.

detail

Redundant Sources

Redundant sources defined for the same destination group.

detail


3469

®


Sample Output show multicast flow-map

user@host> show multicast flow-map Instance: master Name Policy map2 policy2 map1 policy1

Cache timeout never 60 seconds

Bandwidth Adaptive 2000000 no 2000000 no

Sample Output show multicast flow-map detail

3470

user@host> show multicast flow-map detail Instance: master Flow-map: map1 Policy: policy1 Cache Timeout: 600 seconds Bandwidth: 2000000 Adaptive Bandwidth: yes Redundant Sources: 11.11.11.11 Redundant Sources: 11.11.11.12 Redundant Sources: 11.11.11.13



show multicast interface Syntax

show multicast interface


show multicast interface

Release Information


Description Options

Display bandwidth information about IP multicast interfaces. none—Display all interfaces that have multicast configured. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show multicast interface on page 3472 Table 384 on page 3471 describes the output fields for the show multicast interface command. Output fields are listed in the approximate order in which they appear.

Table 384: show multicast interface Output Fields Field Name

Field Description

Interface

Name of the multicast interface.

Maximum bandwidth (bps)

Maximum bandwidth setting, in bits per second, for this interface.

Remaining bandwidth (bps)

Amount of bandwidth, in bits per second, remaining on the interface.

Mapped bandwidth deduction (bps)

Amount of bandwidth, in bits per second, used by any flows that are mapped to the interface. NOTE: Adding the mapped bandwidth deduction value to the local bandwidth deduction value results in the total deduction value for the interface. This field does not appear in the output when the no QoS adjustment feature is disabled.


3471

®


Table 384: show multicast interface Output Fields (continued) Field Name

Field Description

Local bandwidth deduction (bps)

Amount of bandwidth, in bits per second, used by any mapped flows that are traversing the interface. NOTE: Adding the mapped bandwidth deduction value to the local bandwidth deduction value results in the total deduction value for the interface. This field does not appear in the output when the no QoS adjustment feature is disabled.

Reverse OIF mapping

State of the reverse OIF mapping feature (on or off). NOTE: This field does not appear in the output when the no QoS adjustment feature is disabled.

Reverse OIF mapping no QoS adjustment

State of the no QoS adjustment feature (on or off) for interfaces that are using reverse OIF mapping. NOTE: This field does not appear in the output when the no QoS adjustment feature is disabled.

Leave timer

Amount of time a mapped interface remains active after the last mapping ends. NOTE: This field does not appear in the output when the no QoS adjustment feature is disabled.

No QoS adjustment

State (on) of the no QoS adjustment feature when this feature is enabled. NOTE: This field does not appear in the output when the no QoS adjustment feature is disabled.

Sample Output show multicast interface

3472

user@host> show multicast interface Interface Maximum bandwidth (bps) Remaining bandwidth (bps) fe-0/0/3 10000000 0 fe-0/0/3.210 10000000 –2000000 fe-0/0/3.220 100000000 100000000 fe-0/0/3.230 20000000 18000000 fe-0/0/2.200 100000000 100000000



show multicast mrinfo Syntax

show multicast mrinfo

Release Information


Description

Display configuration information about IP multicast networks, including neighboring multicast router addresses.

Options

none—Display configuration information about all multicast networks. host—(Optional) Display configuration information about a particular host. Replace host

with a hostname or IP address. Required Privilege Level

view


show multicast mrinfo on page 3474

Output Fields

Table 385 on page 3473 describes the output fields for the show multicast mrinfo command. Output fields are listed in the approximate order in which they appear.

Table 385: show multicast mrinfo Output Fields Field Name

Field Description

source-address

Query address, hostname (DNS name or IP address of the source address), and multicast protocol version or the software version of another vendor.

ip-address-1--->ip-address-2

Queried router interface address and directly attached neighbor interface address, respectively.

(name or ip-address)

Name or IP address of neighbor.

[metric/threshold/type/ flags]

Neighbor's multicast profile: •

metric—Always has a value of 1, because mrinfo queries the directly connected interfaces of a device.

•

threshold—Multicast threshold time-to-live (TTL). The range of values is 0 through 255.

•

type—Multicast connection type: pim or tunnel.

•

flags—Flags for this route: •

querier—Queried router is the designated router for the neighboring session.

•

leaf—Link is a leaf in the multicast network.

•

down—Link status indicator.


3473

®


Sample Output show multicast mrinfo

3474

user@host> show multicast mrinfo 10.35.4.1 10.35.4.1 (10.35.4.1) [version 12.0]: 192.168.195.166 -> 0.0.0.0 (local) [1/0/pim/querier/leaf] 10.38.20.1 -> 0.0.0.0 (local) [1/0/pim/querier/leaf] 10.47.1.1 -> 10.47.1.2 (10.47.1.2) [1/5/pim] 0.0.0.0 -> 0.0.0.0 (local) [1/0/pim/down]



show multicast next-hops Syntax

show multicast next-hops


show multicast next-hops

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 option introduced in Junos OS Release 10.0 for EX Series switches. detail option display of next-hop ID number introduced in Junos OS Release 11.1 for M Series and T Series routers and EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Support for bidirectional PIM added in Junos OS Release 12.1.

Description Options

Display the entries in the IP multicast next-hop table. none—Display standard information about all entries in the multicast next-hop table for

all supported address families. brief | detail—(Optional) Display the specified level of output.

When you include the detail option on M Series and T Series routers and EX Series switches, the downstream interface name includes the next-hop ID number in parentheses, in the form fe-0/1/2.0-(1048574) where 1048574 is the next-hop ID number. identifier-number—(Optional) Show a particular next hop by ID number. The range of

values is 1 through 65,535. inet | inet6—(Optional) Display entries for IPv4 or IPv6 family addresses, respectively. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show multicast next-hops on page 3476 show multicast next-hops (Bidirectional PIM on page 3476 show multicast next-hops brief on page 3476 show multicast next-hops detail on page 3477 Table 386 on page 3476 describes the output fields for the show multicast next-hops command. Output fields are listed in the approximate order in which they appear.


3475

®


Table 386: show multicast next-hops Output Fields Field Name

Field Description

Family

Protocol family (such as INET).

ID

Next-hop identifier of the prefix. The identifier is returned by the routing device's Packet Forwarding Engine.

Refcount

Number of cache entries that are using this next hop.

KRefcount

Kernel reference count for the next hop.

Downstream interface

Interface names associated with each multicast next-hop ID.

Incoming interface list

List of interfaces that accept incoming traffic. Only shown for routes that do not use strict RPF-based forwarding, for example for bidirectional PIM.

Sample Output show multicast next-hops

show multicast next-hops (Bidirectional PIM

user@host> show multicast next-hops Family: INET ID Refcount KRefcount Downstream interface 262142 4 2 so-1/0/0.0 262143 2 1 mt-1/1/0.49152 262148 2 1 mt-1/1/0.32769 user@host> show multicast next-hops Family: INET ID Refcount KRefcount Downstream interface 2097151 8 4 ge-0/0/1.0 Family: INET6 ID Refcount KRefcount Downstream interface 2097157 2 1 ge-0/0/1.0 Family: Incoming interface list ID Refcount KRefcount Downstream interface 513 5 2 lo0.0 ge-0/0/1.0 514 5 2 lo0.0 ge-0/0/1.0 xe-4/1/0.0 515 3 1 lo0.0 ge-0/0/1.0 xe-4/1/0.0 544 1 0 lo0.0 xe-4/1/0.0

show multicast next-hops brief

3476

The output for the show multicast next-hops brief command is identical to that for the show multicast next-hops command. For sample output, see show multicast next-hops on page 3476.



show multicast next-hops detail

user@host> show multicast next-hops detail Family: INET ID Refcount KRefcount Downstream interface 1048577 2 1 fe-0/1/2.0-(1048574) ge-0/2/3.0-(1048576)


3477

®


show multicast pim-to-igmp-proxy Syntax

show multicast pim-to-igmp-proxy


show multicast pim-to-igmp-proxy

Release Information

Command introduced in Junos OS Release 9.6. Command introduced in Junos OS Release 9.6 for EX Series switches. instance option introduced in Junos OS Release 10.0. instance option introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Display configuration information about PIM-to-IGMP message translation, also known as PIM-to-IGMP proxy.

Options

none—Display configuration information about PIM-to-IGMP message translation for all

routing instances. instance instance-name—(Optional) Display configuration information about PIM-to-IGMP

message translation for a specific multicast instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show multicast pim-to-igmp-proxy on page 3479 show multicast pim-to-igmp-proxy instance on page 3479 Table 387 on page 3478 describes the output fields for the show multicast pim-to-igmp-proxy command. Output fields are listed in the order in which they appear.

Table 387: show multicast pim-to-igmp-proxy Output Fields

3478

Field Name

Field Description

Instance

Routing instance. Default instance is master (inet.0 routing table).

Proxy state

State of PIM-to-IGMP message translation, also known as PIM-to-IGMP proxy, on the configured upstream interfaces: enabled or disabled.

interface-name

Name of upstream interface (no more than two allowed) on which PIM-to-IGMP message translation is configured.



Sample Output show multicast pim-to-igmp-proxy

user@host> show multicast pim-to-igmp-proxy Instance: master Proxy state: enabled ge-0/1/0.1 ge-0/1/0.2

show multicast pim-to-igmp-proxy instance

user@host> show multicast pim-to-igmp-proxy instance VPN-A Instance: VPN-A Proxy state: enabled ge-0/1/0.1


3479

®


show multicast pim-to-mld-proxy Syntax

show multicast pim-to-mld-proxy


show multicast pim-to-mld-proxy

Release Information

Command introduced in Junos OS Release 9.6. Command introduced in Junos OS Release 9.6 for EX Series switches. instance option introduced in Junos OS Release 10.0. instance option introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Options

Display configuration information about PIM-to-MLD message translation, also known as PIM-to-MLD proxy. none—Display configuration information about PIM-to-MLD message translation for all

routing instances. instance instance-name—(Optional) Display configuration information about PIM-to-MLD

message translation for a specific multicast instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show multicast pim-to-mld-proxy on page 3481 show multicast pim-to-mld-proxy instance on page 3481 Table 388 on page 3480 describes the output fields for the show multicast pim-to-mld-proxy command. Output fields are listed in the order in which they appear.

Table 388: show multicast pim-to-mld-proxy Output Fields

3480

Field Name

Field Description

Proxy state

State of PIM-to-MLD message translation, also known as PIM-to-MLD proxy, on the configured upstream interfaces: enabled or disabled.

interface-name

Name of upstream interface (no more than two allowed) on which PIM-to-MLD message translation is configured.



Sample Output show multicast pim-to-mld-proxy

user@host> show multicast pim-to-mld-proxy Instance: master Proxy state: enabled ge-0/5/0.1 ge-0/5/0.2

show multicast pim-to-mld-proxy instance

user@host> show multicast pim-to-mld-proxy instance VPN-A Instance: VPN-A Proxy state: enabled ge-0/5/0.1


3481

®


show multicast route Syntax

show multicast route


show multicast route

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 and instance options introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series. Support for bidirectional PIM added in Junos OS Release 12.1.

Description

Options

Display the entries in the IP multicast forwarding table. You can display similar information with the show route table inet.1 command. none—Display standard information about all entries in the multicast forwarding table

for all routing instances. brief | detail | extensive | summary—(Optional) Display the specified level of output. active | all | inactive—(Optional) Display all active entries, all entries, or all inactive entries,

respectively, in the multicast forwarding table. group group—(Optional) Display the cache entries for a particular group. inet | inet6—(Optional) Display multicast forwarding table entries for IPv4 or IPv6 family

addresses, respectively. instance instance-name—(Optional) Display entries in the multicast forwarding table for

a specific multicast instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. regular-expression—(Optional) Display information about the multicast forwarding table

entries that match a UNIX OS-style regular expression.

3482



source-prefix source-prefix—(Optional) Display the cache entries for a particular source

prefix. Required Privilege Level List of Sample Output

Output Fields

view

show multicast route on page 3484 show multicast route (Bidirectional PIM) on page 3485 show multicast route brief on page 3485 show multicast route detail on page 3485 show multicast route extensive (Bidirectional PIM) on page 3486 show multicast route instance extensive on page 3486 show multicast route summary on page 3487 Table 389 on page 3483 describes the output fields for the show multicast route command. Output fields are listed in the approximate order in which they appear.

Table 389: show multicast route Output Fields Field Name

Field Description

Level of Output

family

IPv4 address family (INET) or IPv6 address family (INET6).

All levels

Group

Group address.

All levels

For any-source multicast routes, for example for bidirectional PIM, the group address includes the prefix length. Source

Prefix and length of the source as it is in the multicast forwarding table.

All levels

Incoming interface list

List of interfaces that accept incoming traffic. Only shown for routes that do not use strict RPF-based forwarding, for example for bidirectional PIM.

All levels

Upstream interface

Name of the interface on which the packet with this source prefix is expected to arrive.

All levels

Downstream interface list

List of interface names to which the packet with this source prefix is forwarded.

All levels

Session description

Name of the multicast session.

detail extensive

Statistics

Rate at which packets are being forwarded for this source and group entry (in Kbps and pps), and number of packets that have been forwarded to this prefix. If one or more of the kilobits per second packet forwarding statistic queries fails or times out, the statistics field displays Forwarding statistics are not available.

detail extensive

NOTE: On QFX Series switches, this field does not report valid statistics. Next-hop ID

Next-hop identifier of the prefix. The identifier is returned by the routing device’s Packet Forwarding Engine and is also displayed in the output of the show multicast nexthops command.


detail extensive

3483

®


Table 389: show multicast route Output Fields (continued) Field Name

Field Description

Level of Output

Incoming interface list ID

For bidirectional PIM, incoming interface list identifier.

detail extensive

Identifiers for interfaces that accept incoming traffic. Only shown for routes that do not use strict RPF-based forwarding, for example for bidirectional PIM. Upstream protocol

Protocol running on the interface on which the packet with this source prefix is expected to arrive.

detail extensive

Route type

Type of multicast route. Values can be (S,G) or (*,G).

summary

Route state

Whether the group is Active or Inactive.

summary extensive

Route count

Number of multicast routes.

summary

Forwarding state

Whether the prefix is pruned or forwarding.

extensive

Cache lifetime/timeout

Number of seconds until the prefix is removed from the multicast forwarding table. A value of never indicates a permanent forwarding entry. A value of forever indicates routes that do not have keepalive times.

extensive

Wrong incoming interface notifications

Number of times that the upstream interface was not available.

extensive

Uptime

Time since the creation of a multicast route.

extensive

Sample Output show multicast route

user@host> show multicast route Family: INET Group: 228.0.0.0 Source: 10.255.14.144/32 Upstream interface: local Downstream interface list: so-1/0/0.0 Group: 239.1.1.1 Source: 10.255.14.144/32 Upstream interface: local Downstream interface list: so-1/0/0.0 Group: 239.1.1.1 Source: 10.255.70.15/32 Upstream interface: so-1/0/0.0 Downstream interface list: mt-1/1/0.49152 Family: INET6

3484



show multicast route (Bidirectional PIM)

user@host> show multicast route Family: INET Group: 224.1.1.0/24 Source: * Incoming interface list: lo0.0 ge-0/0/1.0 Downstream interface list: ge-0/0/1.0 Group: 224.1.3.0/24 Source: * Incoming interface list: lo0.0 ge-0/0/1.0 xe-4/1/0.0 Downstream interface list: ge-0/0/1.0 Group: 225.1.1.0/24 Source: * Incoming interface list: lo0.0 ge-0/0/1.0 Downstream interface list: ge-0/0/1.0 Group: 225.1.3.0/24 Source: * Incoming interface list: lo0.0 ge-0/0/1.0 xe-4/1/0.0 Downstream interface list: ge-0/0/1.0 Family: INET6

show multicast route brief

The output for the show multicast route brief command is identical to that for the show multicast route command. For sample output, see show multicast route on page 3484 or show multicast route (Bidirectional PIM) on page 3485.

show multicast route detail

user@host> show multicast route detail Family: INET Group: 228.0.0.0 Source: 10.255.14.144/32 Upstream interface: local Downstream interface list: so-1/0/0.0 Session description: Unknown Statistics: 8 kBps, 100 pps, 45272 packets Next-hop ID: 262142 Upstream protocol: PIM Group: 239.1.1.1 Source: 10.255.14.144/32 Upstream interface: local Downstream interface list: so-1/0/0.0 Session description: Administratively Scoped Statistics: 0 kBps, 0 pps, 13404 packets Next-hop ID: 262142 Upstream protocol: PIM Group: 239.1.1.1


3485

®


Source: 10.255.70.15/32 Upstream interface: so-1/0/0.0 Downstream interface list: mt-1/1/0.49152 Session description: Administratively Scoped Statistics: 46 kBps, 1000 pps, 921077 packets Next-hop ID: 262143 Upstream protocol: PIM Family: INET6

show multicast route extensive (Bidirectional PIM)

user@host> show multicast route extensive Family: INET Group: 224.1.1.0/24 Source: * Incoming interface list: lo0.0 ge-0/0/1.0 Downstream interface list: ge-0/0/1.0 Session description: NOB Cross media facilities Statistics: 0 kBps, 0 pps, 0 packets Next-hop ID: 2097153 Incoming interface list ID: 585 Upstream protocol: PIM Route state: Active Forwarding state: Forwarding Cache lifetime/timeout: forever Wrong incoming interface notifications: 0 Group: 224.1.3.0/24 Source: * Incoming interface list: lo0.0 ge-0/0/1.0 xe-4/1/0.0 Downstream interface list: ge-0/0/1.0 Session description: NOB Cross media facilities Statistics: 0 kBps, 0 pps, 0 packets Next-hop ID: 2097153 Incoming interface list ID: 589 Upstream protocol: PIM Route state: Active Forwarding state: Forwarding Cache lifetime/timeout: forever Wrong incoming interface notifications: 0 Family: INET6

show multicast route instance extensive

3486

user@host> show multicast route instance mvpn extensive Family: INET Group: 239.10.10.10 Source: 2.0.0.2/32 Upstream interface: xe-0/0/0.102 Downstream interface list: xe-10/3/0.0 xe-0/3/0.0 xe-0/0/0.106 xe-0/0/0.105 xe-0/0/0.103 xe-0/0/0.104 xe-0/0/0.107 xe-0/0/0.108 Session description: Administratively Scoped Statistics: 256 kBps, 3998 pps, 670150 packets Next-hop ID: 1048579



Upstream protocol: MVPN Route state: Active Forwarding state: Forwarding Cache lifetime/timeout: forever Wrong incoming interface notifications: 58 Uptime: 00:00:04

show multicast route summary

user@host>show multicast route summary Instance: master Family: INET Route type (S,G) (S,G)

Route state Active Inactive

Route count 2 3

Instance: master Family: INET6


3487

®


show multicast rpf Syntax

show multicast rpf


show multicast rpf

Release Information


Description Options

Display information about multicast reverse-path-forwarding (RPF) calculations. none—Display RPF calculation information for all supported address families. inet | inet6—(Optional) Display the RPF calculation information for IPv4 or IPv6 family

addresses, respectively. instance instance-name—(Optional) Display information about multicast RPF calculations

for a specific multicast instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. prefix—(Optional) Display the RPF calculation information for the specified prefix. summary—(Optional) Display a summary of all multicast RPF information.


3488

view

show multicast rpf on page 3489 show multicast rpf inet6 on page 3490 show multicast rpf prefix on page 3491 show multicast rpf summary on page 3491



Output Fields

Table 390 on page 3489 describes the output fields for the show multicast rpf command. Output fields are listed in the approximate order in which they appear.

Table 390: show multicast rpf Output Fields Field Name

Field Description

Instance

Name of the routing instance. (Displayed when multicast is configured within a routing instance.)

Source prefix

Prefix and length of the source as it exists in the multicast forwarding table.

Protocol

How the route was learned.

Interface

Upstream RPF interface. NOTE: The displayed interface information does not apply to bidirectional PIM RP addresses. This is because the show multicast rpf command does not take into account equal-cost paths or the designated forwarder. For accurate upstream RPF interface information, always use the show pim join extensive command when bidirectional PIM is configured.

Neighbor

Upstream RPF neighbor. NOTE: The displayed neighbor information does not apply to bidirectional PIM. This is because the show multicast rpf command does not take into account equal-cost paths or the designated forwarder. For accurate upstream RPF neighbor information, always use the show pim join extensive command when bidirectional PIM is configured.

Sample Output show multicast rpf

user@host> show multicast rpf Multicast RPF table: inet.0, 12 entries 0.0.0.0/0 Protocol: Static 10.255.14.132/32 Protocol: Direct Interface: lo0.0 10.255.245.91/32 Protocol: IS-IS Interface: so-1/1/1.0 Neighbor: 192.168.195.21 127.0.0.1/32 Inactive172.16.0.0/12 Protocol: Static Interface: fxp0.0 Neighbor: 192.168.14.254


3489

®


192.168.0.0/16 Protocol: Static Interface: fxp0.0 Neighbor: 192.168.14.254 192.168.14.0/24 Protocol: Direct Interface: fxp0.0 192.168.14.132/32 Protocol: Local 192.168.195.20/30 Protocol: Direct Interface: so-1/1/1.0 192.168.195.22/32 Protocol: Local 192.168.195.36/30 Protocol: IS-IS Interface: so-1/1/1.0 Neighbor: 192.168.195.21

show multicast rpf inet6

user@host> show multicast rpf inet6 Multicast RPF table: inet6.0, 12 entries ::10.255.14.132/128 Protocol: Direct Interface: lo0.0 ::10.255.245.91/128 Protocol: IS-IS Interface: so-1/1/1.0 Neighbor: fe80::2a0:a5ff:fe28:2e8c ::192.168.195.20/126 Protocol: Direct Interface: so-1/1/1.0 ::192.168.195.22/128 Protocol: Local ::192.168.195.36/126 Protocol: IS-IS Interface: so-1/1/1.0 Neighbor: fe80::2a0:a5ff:fe28:2e8c ::192.168.195.76/126 Protocol: Direct Interface: fe-2/2/0.0 ::192.168.195.77/128 Protocol: Local fe80::/64 Protocol: Direct Interface: so-1/1/1.0

3490



fe80::290:69ff:fe0c:993a/128 Protocol: Local fe80::2a0:a5ff:fe12:84f/128 Protocol: Direct Interface: lo0.0 ff02::2/128 Protocol: PIM ff02::d/128 Protocol: PIM

show multicast rpf prefix

user@host> show multicast rpf ff02::/16 Multicast RPF table: inet6.0, 13 entries ff02::2/128 Protocol: PIM ff02::d/128 Protocol: PIM ...

show multicast rpf summary

user@host> show multicast rpf summary Multicast RPF table: inet.0, 16 entries Multicast RPF table: inet6.0, 12 entries


3491

®


show multicast scope Syntax

show multicast scope


show multicast scope

Release Information


Description Options

Display administratively scoped IP multicast information. none—Display standard information about administratively scoped multicast information

for all supported address families in all routing instances. inet | inet6—(Optional) Display scoped multicast information for IPv4 or IPv6 family

addresses, respectively. instance instance-name—(Optional) Display administratively scoped information for a

specific multicast instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show multicast scope on page 3493 show multicast scope inet on page 3493 show multicast scope inet6 on page 3493 Table 391 on page 3492 describes the output fields for the show multicast scope command. Output fields are listed in the approximate order in which they appear.

Table 391: show multicast scope Output Fields

3492

Field Name

Field Description

Scope name

Name of the multicast scope.

Group Prefix

Range of multicast groups that are scoped.

Interface

Interface that is the boundary of the administrative scope.

Resolve Rejects

Number of kernel resolve rejects.



Sample Output show multicast scope

user@host> show multicast scope Scope name 232-net local local larry

show multicast scope inet

Interface fe-0/0/0.1 fe-0/0/0.1 fe-0/0/0.1 fe-0/0/0.1

Resolve Rejects 0 0 0 0

Interface fe-0/0/0.1 fe-0/0/0.1

Resolve Rejects 0 0

Interface fe-0/0/0.1 fe-0/0/0.1

Resolve Rejects 0 0

user@host> show multicast scope inet Scope name 232-net local

show multicast scope inet6

Group Prefix 232.232.0.0/16 239.255.0.0/16 ff05::/16 ff05::1234/128

Group Prefix 232.232.0.0/16 239.255.0.0/16

user@host> show multicast scope inet6 Scope name local larry


Group Prefix ff05::/16 ff05::1234/128

3493

®


show multicast sessions Syntax

show multicast sessions


show multicast sessions

Release Information


Description Options

Display information about announced IP multicast sessions. none—Display standard information about all multicast sessions for all routing instances. brief | detail | extensive—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. regular-expression—(Optional) Display information about announced sessions that match

a UNIX-style regular expression. Required Privilege Level List of Sample Output

Output Fields

view

show multicast sessions on page 3495 show multicast sessions regular-expression detail on page 3495 Table 392 on page 3494 describes the output fields for the show multicast sessions command. Output fields are listed in the approximate order in which they appear.

Table 392: show multicast sessions Output Fields

3494

Field Name

Field Description

session-name

Name of the known announced multicast sessions.



Sample Output show multicast sessions

show multicast sessions regular-expression detail

user@host> show multicast sessions 1-Department of Biological Sciences, LSU ... Monterey Bay - DockCam Monterey Bay - JettyCam Monterey Bay - StandCam Monterey DockCam Monterey DockCam / ROV cam ... NASA TV (MPEG-1) ... UO Broadcast - NASA Videos - 25 Years of Progress UO Broadcast - NASA Videos - Journey through the Solar System UO Broadcast - NASA Videos - Life in the Universe UO Broadcast - NASA Videos - Nasa and the Airplane UO Broadcasts OPB's Oregon Story UO DOD News Clips UO Medical Management of Biological Casualties (1) UO Medical Management of Biological Casualties (2) UO Medical Management of Biological Casualties (3) ... 376 active sessions. user@host> show multicast sessions "NASA TV" detail SDP Version: 0 Originated by: [email protected] Session: NASA TV (MPEG-1) Description: NASA television in MPEG-1 format, provided by Private University. Please contact the UO if you have problems with this feed. Email: Your Name Here Phone: Your Name Here Bandwidth: AS:1000 Start time: permanent Stop time: none Attribute: type:broadcast Attribute: tool:IP/TV Content Manager 3.4.14 Attribute: live:capture:1 Attribute: x-iptv-capture:mp1s Media: video 54302 RTP/AVP 32 31 96 97 Connection Data: 224.2.231.45 ttl 127 Attribute: quality:8 Attribute: framerate:30 Attribute: rtpmap:96 WBIH/90000 Attribute: rtpmap:97 MP4V-ES/90000 Attribute: x-iptv-svr:video 128.223.91.191 live Attribute: fmtp:32 type=mpeg1 Media: audio 28848 RTP/AVP 14 0 96 3 5 97 98 99 100 101 102 10 11 103 104 105 106 Connection Data: 224.2.145.37 ttl 127 Attribute: rtpmap:96 X-WAVE/8000 Attribute: rtpmap:97 L8/8000/2 Attribute: rtpmap:98 L8/8000 Attribute: rtpmap:99 L8/22050/2 Attribute: rtpmap:100 L8/22050 Attribute: rtpmap:101 L8/11025/2 Attribute: rtpmap:102 L8/11025 Attribute: rtpmap:103 L16/22050/2 Attribute: rtpmap:104 L16/22050


3495

®


1 matching sessions.

3496



show multicast usage Syntax

show multicast usage


show multicast usage

Release Information


Description

Display usage information about the 10 most active Distance Vector Multicast Routing Protocol (DVMRP) or Protocol Independent Multicast (PIM) groups.

Options

none—Display multicast usage information for all supported address families for all

routing instances. brief | detail—(Optional) Display the specified level of output. inet | inet6—(Optional) Display usage information for IPv4 or IPv6 family addresses,

respectively. instance instance-name—(Optional) Display information about the most active DVMRP

or PIM groups for a specific multicast instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show multicast usage on page 3498 show multicast usage brief on page 3498 show multicast usage instance on page 3498 show multicast usage detail on page 3498 Table 393 on page 3497 describes the output fields for the show multicast usage command. Output fields are listed in the approximate order in which they appear.

Table 393: show multicast usage Output Fields Field Name

Field Description

Instance

Name of the routing instance. (Displayed when multicast is configured within a routing instance.)


3497

®


Table 393: show multicast usage Output Fields (continued) Field Name

Field Description

Group

Group address.

Sources

Number of sources.

Packets

Number of packets that have been forwarded to this prefix. If one or more of the packets forwarded statistic queries fails or times out, the packets field displays unavailable.

Bytes

Number of bytes that have been forwarded to this prefix. If one or more of the packets forwarded statistic queries fails or times out, the bytes field displays unavailable.

Prefix

IP address.

/len

Prefix length.

Groups

Number of multicast groups.

Sample Output show multicast usage

user@host> show multicast usage Group Sources Packets 228.0.0.0 1 52847 239.1.1.1 2 13450

Prefix 10.255.14.144 10.255.70.15

/len Groups Packets /32 2 66254 /32 1 43

Bytes 4439148 1125530

Bytes 5561304 3374...

show multicast usage brief

The output for the show multicast usage brief command is identical to that for the show multicast usage command. For sample output, see show multicast usage on page 3498.

show multicast usage instance

user@host> show multicast usage instance VPN-A Group Sources Packets 224.2.127.254 1 5538 224.0.1.39 1 13 224.0.1.40 1 13 Prefix 192.168.195.34 10.255.14.30 10.255.245.91 ...

show multicast usage detail

3498

/len /32 /32 /32

Groups 1 1 1

Packets 5538 13 13

Bytes 509496 624 624 Bytes 509496 624 624

user@host> show multicast usage detail Group Sources Packets Bytes 228.0.0.0 1 53159 4465356 Source: 10.255.14.144 /32 Packets: 53159 Bytes: 4465356 239.1.1.1 2 13450 1125530 Source: 10.255.14.144 /32 Packets: 13407 Bytes: 1122156



Source: 10.255.70.15

/32 Packets: 43 Bytes: 3374

Prefix /len Groups Packets Bytes 10.255.14.144 /32 2 66566 5587512 Group: 228.0.0.0 Packets: 53159 Bytes: 4465356 Group: 239.1.1.1 Packets: 13407 Bytes: 1122156 10.255.70.15 /32 1 43 3374 Group: 239.1.1.1 Packets: 43 Bytes: 3374


3499

®


show pim bootstrap Syntax

show pim bootstrap


show pim bootstrap

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. instance option introduced in Junos OS Release 10.0 for EX Series switches. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Options

For sparse mode only, display information about Protocol Independent Multicast (PIM) bootstrap routers. none—Display PIM bootstrap router information for all routing instances. instance instance-name—(Optional) Display information about bootstrap routers for a

specific PIM-enabled routing instance. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show pim bootstrap on page 3501 show pim bootstrap instance on page 3501 Table 394 on page 3500 describes the output fields for the show pim bootstrap command. Output fields are listed in the approximate order in which they appear.

Table 394: show pim bootstrap Output Fields

3500

Field Name

Field Description

Instance


BSR

Bootstrap router.

Pri

Priority of the routing device as elected to be the bootstrap router.

Local address

Local routing device address.

Pri

Local routing device address priority to be elected as the bootstrap router.

State

Local routing device election state: Candidate, Elected, or Ineligible.



Table 394: show pim bootstrap Output Fields (continued) Field Name

Field Description

Timeout

How long until the local routing device declares the bootstrap router to be unreachable, in seconds.

Sample Output show pim bootstrap

user@host> show pim bootstrap Instance: PIM.master BSR Pri Local address Pri State Timeout None 0 10.255.71.46 0 InEligible 0 feco:1:1:1:1:0:aff:785c 34 feco:1:1:1:1:0:aff:7c12 0 InEligible 0

show pim bootstrap instance

user@host> show pim bootstrap instance VPN-A Instance: PIM.VPN-A BSR None


Pri Local address Pri State Timeout 0 192.168.196.105 0 InEligible 0

3501

®


show pim interfaces Syntax

show pim interfaces


show pim interfaces

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. inet6 and instance options introduced in Junos OS Release 10.0 for EX Series switches. Commmand introduced in Junos OS Release 11.3 for the QFX Series. Support for bidirectional PIM added in Junos OS Release 12.1.

Description

Options

Display information about the interfaces on which Protocol Independent Multicast (PIM) is configured. none—Display interface information for all family addresses for all routing instances. inet | inet6—(Optional) Display interface information for IPv4 or IPv6 family addresses,

respectively. instance instance-name—(Optional) Display information about interfaces for a specific



view

show pim interfaces on page 3503 Table 395 on page 3502 describes the output fields for the show pim interfaces command. Output fields are listed in the approximate order in which they appear.

Table 395: show pim interfaces Output Fields Field Name

Field Description

Instance


Name

Interface name.

State

State of the interface. The state also is displayed in the show interfaces command.

3502



Table 395: show pim interfaces Output Fields (continued) Field Name

Field Description

Mode

PIM mode running on the interface: •

B—In bidirectional mode, multicast groups are carried across the network over bidirectional shared

trees. This type of tree minimizes PIM routing state, which is especially important in networks with numerous and dispersed senders and receivers. •

S—In sparse mode, routing devices must join and leave multicast groups explicitly. Upstream routing

devices do not forward multicast traffic to this routing device unless this device has sent an explicit request (using a join message) to receive multicast traffic. •

Dense—Unlike sparse mode, where data is forwarded only to routing devices sending an explicit

request, dense mode implements a flood-and-prune mechanism, similar to DVMRP (the first multicast protocol used to support the multicast backbone). (Not supported on QFX Series.) •

Sparse-Dense—Sparse-dense mode allows the interface to operate on a per-group basis in either sparse or dense mode. A group specified as dense is not mapped to a rendezvous point (RP).

Instead, data packets destined for that group are forwarded using PIM-Dense Mode (PIM-DM) rules. A group specified as sparse is mapped to an RP, and data packets are forwarded using PIM-Sparse Mode (PIM-SM) rules. (Not supported on QFX Series.) When sparse-dense mode is configured, the output includes both S and D. When bidirectional-sparse mode is configured, the output includes S and B. When bidirectional-sparse-dense mode is configured, the output includes B, S, and D. IP

Version number of the address family on the interface: 4 (IPv4) or 6 (IPv6).

V

PIM version running on the interface: 1 or 2.

State

State of PIM on the interface: •

Active—Bidirectional mode is enabled on the interface and on all PIM neighbors.

•

DR—Designated router.

•

NotCap—Bidirectional mode is not enabled on the interface. This can happen when bidirectional

PIM is not configured locally, when one of the neighbors is not configured for bidirectional PIM, or when one of the neighbors has not implemented the bidirectional PIM protocol. •

NotDR—Not the designated router.

•

P2P—Point to point.

NbrCnt

Number of neighbors that have been seen on the interface.

JoinCnt(sg)

Number of (s,g) join messages that have been seen on the interface.

JointCnt(*g)

Number of (*,g) join messages that have been seen on the interface.

DR address


Sample Output show pim interfaces

user@host> show pim interfaces Stat = Status, V = Version, NbrCnt = Neighbor Count, S = Sparse, D = Dense, B = Bidirectional, DR = Designated Router, P2P = Point-to-point link, Active = Bidirectional is active, NotCap = Not Bidirectional Capable


3503

®


Name ge-0/3/0.0 ge-0/3/3.50 ge-0/3/3.51 pe-1/2/0.32769

3504

Stat Up Up Up Up

Mode IP V State NbrCnt JoinCnt(sg/*g) S 4 2 NotDR,NotCap 1 0/0 S 4 2 DR,NotCap 1 9901/100 S 4 2 DR,NotCap 1 0/0 S 4 2 P2P,NotCap 0 0/0

DR address 40.0.0.3 50.0.0.2 51.0.0.2



show pim join Syntax

show pim join


show pim join

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. summary option introduced in Junos OS Release 9.6. inet6 and instance options introduced in Junos OS Release 10.0 for EX Series switches. Support for bidirectional PIM added in Junos OS Release 12.1. Command introduced in Junos OS Release 11.3 for the QFX Series.

Description

Display information about Protocol Independent Multicast (PIM) groups for all PIM modes. For bidirectional PIM, display information about PIM group ranges (*,G-range) for each active bidirectional RP group range, in addition to each of the joined (*,G) routes.

Options

none—Display the standard information about PIM groups for all supported family

addresses for all routing instances. brief | detail | extensive | summary—(Optional) Display the specified level of output. inet | inet6—(Optional) Display PIM group information for IPv4 or IPv6 family addresses,

respectively. instance instance-name—(Optional) Display information about groups for the specified

PIM-enabled routing instance only. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. range—(Optional) Address range of the group, specified as prefix/prefix-length.


view

•

clear pim join on page 3424

show pim join summary on page 3508 show pim join (PIM Sparse Mode) on page 3509


3505

®


show pim join (Bidirectional PIM) on page 3509 show pim join instance on page 3510 show pim join detail on page 3510 show pim join extensive (PIM Sparse Mode) on page 3510 show pim join extensive (Bidirectional PIM) on page 3511 show pim join extensive (Bidirectional PIM with a Directly Connected Phantom RP) on page 3512 show pim join instance extensive on page 3512 Output Fields

Table 396 on page 3506 describes the output fields for the show pim join command. Output fields are listed in the approximate order in which they appear.

Table 396: show pim join Output Fields Field Name

Field Description

Level of Output

Instance


brief detail extensive summary none

Family

Name of the address family: inet (IPv4) or inet6 (IPv6).

brief detail extensive summary none

Route type

Type of multicast route: (S,G) or (*,G).

summary

Route count

Number of (S,G) routes and number of (*,G) routes.

summary

R

Rendezvous Point Tree.

brief detail extensive none

S

Sparse.


W

Wildcard.


Group

Group address.


Bidirectional group prefix length

For bidirectional PIM, length of the IP prefix for RP group ranges.

All levels

Source

Multicast source:


RP

3506

•

* (wildcard value)

•

ipv4-address

•

ipv6-address

Rendezvous point for the PIM group.




Table 396: show pim join Output Fields (continued) Field Name

Field Description

Level of Output

Flags

PIM flags:


•

bidirectional—Bidirectional mode entry.

•

dense—Dense mode entry.

•

rptree—Entry is on the rendezvous point tree.

•

sparse—Sparse mode entry.

•

spt—Entry is on the shortest-path tree for the

source. •

Upstream interface

wildcard—Entry is on the shared tree.

RPF interface toward the source address for the source-specific state (S,G) or toward the rendezvous point (RP) address for the non-source-specific state (*,G).


For bidirectional PIM, RP Link means that the interface is directly connected to a subnet that contains a phantom RP address. Upstream neighbor

Information about the upstream neighbor: Direct, Local, Unknown, or a specific IP address.

extensive

For bidirectional PIM, Direct means that the interface is directly connected to a subnet that contains a phantom RP address. Upstream state

Information about the upstream interface: •

Join to RP—Sending a join to the rendezvous point.

•

Join to Source—Sending a join to the source.

•

Local RP—Sending neither join messages nor

extensive

prune messages toward the RP, because this router is the rendezvous point. •

Local Source—Sending neither join messages nor

prune messages toward the source, because the source is locally attached to this routing device. •

Prune to RP—Sending a prune to the rendezvous

point. •

Prune to Source—Sending a prune to the source.

NOTE: RP group range entries have None in the Upstream state field because RP group ranges do not trigger actual PIM join messages between routers.


3507

®


Table 396: show pim join Output Fields (continued) Field Name

Field Description

Level of Output

Downstream neighbors

Information about downstream interfaces:

extensive

•

Interface—Interface name for the downstream

neighbor. NOTE: A pseudo PIM-SM interface appears for all IGMP-only interfaces. •

Interface address—Address of the downstream

neighbor. •

State—Information about the downstream neighbor: join or prune.

•

Flags—PIM join flags: R (RPtree), S (Sparse), W (Wildcard), or zero.

•

Uptime—Time since the downstream interface

joined the group. •

Time since last Join—Time since the last join

message was received from the downstream interface. •

Time since last Prune—Time since the last prune

message was received from the downstream interface. Assert Timeout

Length of time between assert cycles on the downstream interface. Not displayed if the assert timer is null.

extensive

Keepalive timeout

Time remaining until the downstream join state is updated (in seconds). If the downstream join state is not updated before this keepalive timer reaches zero, the entry is deleted. If there is a directly connected host, Keepalive timeout is Infinity.

extensive

Uptime

Time since the creation of (S,G) or (*,G) state. The uptime is not refreshed every time a PIM join message is received for an existing (S,G) or (*,G) state.

extensive

Bidirectional accepting interfaces

Interfaces on the router that forward bidirectional PIM traffic.

extensive

The reasons for forwarding bidirectional PIM traffic are that the interface is the winner of the designated forwarder election (DF Winner), or the interface is the reverse path forwarding (RPF) interface toward the RP (RPF).

Sample Output show pim join summary

user@host> show pim join summary Instance: PIM.master Family: INET Route type

3508

Route count



(s,g) (*,g)

2 1

Instance: PIM.master Family: INET6

show pim join (PIM Sparse Mode)

user@host> show pim join Instance: PIM.master Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard Group: 239.1.1.1 Source: * RP: 10.255.14.144 Flags: sparse,rptree,wildcard Upstream interface: Local Group: 239.1.1.1 Source: 10.255.14.144 Flags: sparse,spt Upstream interface: Local Group: 239.1.1.1 Source: 10.255.70.15 Flags: sparse,spt Upstream interface: so-1/0/0.0 Instance: PIM.master Family: INET6 R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join (Bidirectional PIM)

user@host> show pim join Instance: PIM.master Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard Group: 224.1.1.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.13.2 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 Group: 224.1.3.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.1.3 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 (RP Link) Group: 225.1.1.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.13.2 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 Group: 225.1.3.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.1.3 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 (RP Link)


3509

®


Instance: PIM.master Family: INET6 R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join instance

user@host> show pim join instance VPN-A Instance: PIM.VPN-A Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard Group: 235.1.1.2 Source: * RP: 10.10.47.100 Flags: sparse,rptree,wildcard Upstream interface: Local Group: 235.1.1.2 Source: 192.168.195.74 Flags: sparse,spt Upstream interface: at-0/3/1.0 Group: 235.1.1.2 Source: 192.168.195.169 Flags: sparse Upstream interface: so-1/0/1.0 Instance: PIM.VPN-A Family: INET6 R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join detail

user@host> show pim join detail Instance: PIM.master Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard Group: 239.1.1.1 Source: * RP: 10.255.14.144 Flags: sparse,rptree,wildcard Upstream interface: Local Group: 239.1.1.1 Source: 10.255.14.144 Flags: sparse,spt Upstream interface: Local Group: 239.1.1.1 Source: 10.255.70.15 Flags: sparse,spt Upstream interface: so-1/0/0.0 Instance: PIM.master Family: INET6 R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join extensive (PIM Sparse Mode)

user@host> show pim join extensive Instance: PIM.master Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard Group: 239.1.1.1 Source: * RP: 10.255.14.144 Flags: sparse,rptree,wildcard Upstream interface: Local Upstream neighbor: Local Upstream state: Local RP

3510



Uptime: 00:03:49 Downstream neighbors: Interface: so-1/0/0.0 10.111.10.2 State: Join Flags: SRW Timeout: 174 Uptime: 00:03:49 Time since last Join: 00:01:49 Interface: mt-1/1/0.32768 10.10.47.100 State: Join Flags: SRW Timeout: Infinity Uptime: 00:03:49 Time since last Join: 00:01:49 Group: 239.1.1.1 Source: 10.255.14.144 Flags: sparse,spt Upstream interface: Local Upstream neighbor: Local Upstream state: Local Source, Local RP Keepalive timeout: 344 Uptime: 00:03:49 Downstream neighbors: Interface: so-1/0/0.0 10.111.10.2 State: Join Flags: S Timeout: 174 Uptime: 00:03:49 Time since last Prune: 00:01:49 Interface: mt-1/1/0.32768 10.10.47.100 State: Join Flags: S Timeout: Infinity Uptime: 00:03:49 Time since last Prune: 00:01:49 Group: 239.1.1.1 Source: 10.255.70.15 Flags: sparse,spt Upstream interface: so-1/0/0.0 Upstream neighbor: 10.111.10.2 Upstream state: Local RP, Join to Source Keepalive timeout: 344 Uptime: 00:03:49 Downstream neighbors: Interface: Pseudo-GMP fe-0/0/0.0 fe-0/0/1.0 fe-0/0/3.0 Interface: so-1/0/0.0 (pruned) 10.111.10.2 State: Prune Flags: SR Timeout: 174 Uptime: 00:03:49 Time since last Prune: 00:01:49 Interface: mt-1/1/0.32768 10.10.47.100 State: Join Flags: S Timeout: Infinity Uptime: 00:03:49 Time since last Prune: 00:01:49 Instance: PIM.master Family: INET6 R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join extensive (Bidirectional PIM)

user@host> show pim join extensive Instance: PIM.master Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard Group: 224.1.1.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.13.2 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 Upstream neighbor: 10.10.1.2 Upstream state: None Uptime: 00:03:49 Bidirectional accepting interfaces: Interface: ge-0/0/1.0 (RPF)


3511

®


Interface: lo0.0

(DF Winner)

Group: 225.1.1.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.13.2 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 Upstream neighbor: 10.10.1.2 Upstream state: None Uptime: 00:03:49 Bidirectional accepting interfaces: Interface: ge-0/0/1.0 (RPF) Interface: lo0.0 (DF Winner) Group: 225.1.3.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.1.3 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 (RP Link) Upstream neighbor: Direct Upstream state: Local RP Uptime: 00:03:49 Bidirectional accepting interfaces: Interface: ge-0/0/1.0 (RPF) Interface: lo0.0 (DF Winner) Interface: xe-4/1/0.0 (DF Winner) Instance: PIM.master Family: INET6 R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join extensive (Bidirectional PIM with a Directly Connected Phantom RP)

user@host> show pim join extensive Instance: PIM.master Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard

show pim join instance extensive

user@host> show pim join instance VPN-A extensive Instance: PIM.VPN-A Family: INET R = Rendezvous Point Tree, S = Sparse, W = Wildcard

Group: 224.1.3.0 Bidirectional group prefix length: 24 Source: * RP: 10.10.1.3 Flags: bidirectional,rptree,wildcard Upstream interface: ge-0/0/1.0 (RP Link) Upstream neighbor: Direct Upstream state: Local RP Uptime: 00:03:49 Bidirectional accepting interfaces: Interface: ge-0/0/1.0 (RPF) Interface: lo0.0 (DF Winner) Interface: xe-4/1/0.0 (DF Winner)

Group: 235.1.1.2 Source: * RP: 10.10.47.100 Flags: sparse,rptree,wildcard Upstream interface: Local Upstream neighbor: Local Upstream state: Local RP

3512



Uptime: 00:03:49 Downstream neighbors: Interface: mt-1/1/0.32768 10.10.47.101 State: Join Flags: SRW Timeout: 156 Uptime: 00:03:49 Time since last Join: 00:01:49 Group: 235.1.1.2 Source: 192.168.195.74 Flags: sparse,spt Upstream interface: at-0/3/1.0 Upstream neighbor: 10.111.30.2 Upstream state: Local RP, Join to Source Keepalive timeout: 156 Uptime: 00:14:52 Group: 235.1.1.2 Source: 192.168.195.169 Flags: sparse Upstream interface: so-1/0/1.0 Upstream neighbor: 10.111.20.2 Upstream state: Local RP, Join to Source Keepalive timeout: 156 Uptime: 00:14:52


3513

®


show pim neighbors Syntax

show pim neighbors


show pim neighbors

Release Information


Description Options

Display information about Protocol Independent Multicast (PIM) neighbors. none—(Same as brief) Display standard information about PIM neighbors for all supported

family addresses for all routing instances. brief | detail—(Optional) Display the specified level of output. inet | inet6—(Optional) Display information about PIM neighbors for IPv4 or IPv6 family

addresses, respectively. instance instance-name—(Optional) Display information about neighbors for the specified



Output Fields

view

show pim neighbors on page 3516 show pim neighbors brief on page 3516 show pim neighbors instance on page 3516 show pim neighbors detail on page 3516 show pim neighbors detail (With BFD) on page 3517 Table 397 on page 3514 describes the output fields for the show pim neighbors command. Output fields are listed in the approximate order in which they appear.

Table 397: show pim neighbors Output Fields Field Name

Field Description

Level of Output

Instance


All levels

3514



Table 397: show pim neighbors Output Fields (continued) Field Name

Field Description

Level of Output

Interface


All levels

Neighbor addr

Address of the neighboring PIM routing device.

All levels

IP

IP version: 4 or 6.

All levels

V

PIM version running on the neighbor: 1 or 2.

All levels

Mode

PIM mode of the neighbor: Sparse, Dense, SparseDense, or Unknown. When the neighbor is running PIM version 2, this mode is always Unknown.

All levels

Option

Can be one or more of the following:

brief none

•

B—Bidirectional Capable.

•

H—Hello Option Holdtime.

•

G—Generation Identifier.

•

P—Hello Option DR Priority.

•

L—Hello Option LAN Prune Delay.

Uptime

Time the neighbor has been operational since the PIM process was last initialized, in the format dd:hh:mm:ss ago for less than a week and nwnd:hh:mm:ss ago for more than a week.

All levels

Address

Address of the neighboring PIM router.

detail

BFD

Status and operational state of the Bidirectional Forwarding Detection (BFD) protocol on the interface: Enabled, Operational state is up, or Disabled.

detail

Hello Option Holdtime

Time for which the neighbor is available, in seconds. The range of values is 0 through 65,535.

detail

Hello Default Holdtime

Default holdtime and the time remaining if the holdtime option is not in the received hello message.

detail

Hello Option DR Priority

Designated router election priority. The range of values is 0 through 255.

detail

Hello Option Generation ID

9-digit or 10-digit number used to tag hello messages.

detail

Hello Option Bi-Directional PIM supported

Neighbor can process bidirectional PIM messages.

detail

Hello Option LAN Prune Delay

Time to wait before the neighbor receives prune messages, in the format delay nnn ms override nnnn ms.

detail

Join Suppression supported

Neighbor is capable of join suppression.

detail


3515

®


Table 397: show pim neighbors Output Fields (continued) Field Name

Field Description

Level of Output

Rx Join

Information about joins received from the neighbor.

detail

•

Group—Group addresses in the join message.

•

Source—Address of the source in the join message.

•

Timeout—Time for which the join is valid.

Sample Output show pim neighbors

user@host> show pim neighbors Instance: PIM.master B = Bidirectional Capable, G = Generation Identifier, H = Hello Option Holdtime, L = Hello Option LAN Prune Delay, P = Hello Option DR Priority Interface so-1/0/0.0

IP V Mode 4 2

Option HPLG

Uptime Neighbor addr 00:07:10 10.111.10.2

show pim neighbors brief

The output for the show pim neighbors brief command is identical to that for the show pim neighbors command. For sample output, see show pim neighbors on page 3516.

show pim neighbors instance

user@host> show pim neighbors instance VPN-A Instance: PIM.VPN-A B = Bidirectional Capable, G = Generation Identifier, H = Hello Option Holdtime, L = Hello Option LAN Prune Delay, P = Hello Option DR Priority Interface at-0/3/1.0 mt-1/1/0.32768 so-1/0/1.0

show pim neighbors detail

IP 4 4 4

V Mode 2 2 2

Option HPLG HPLG HPLG

Uptime 00:07:54 00:07:22 00:07:50

Neighbor addr 10.111.30.2 10.10.47.101 10.111.20.2

user@host> show pim neighbors detail Instance: PIM.master Interface: ge-0/0/1.0 Address: 10.10.1.1, IPv4, PIM v2, Mode: SparseDense, sg Join Count: 0, tsg Join Count: 2 Hello Option Holdtime: 65535 seconds Hello Option DR Priority: 1 Hello Option Generation ID: 2053759302 Hello Option Bi-Directional PIM supported Hello Option LAN Prune Delay: delay 500 ms override 2000 ms Join Suppression supported Address: 10.10.1.2, IPv4, PIM v2, sg Join Count: 0, tsg Join Count: 2 BFD: Disabled Hello Option Holdtime: 105 seconds 93 remaining Hello Option DR Priority: 1 Hello Option Generation ID: 1734018161 Hello Option Bi-Directional PIM supported Hello Option LAN Prune Delay: delay 500 ms override 2000 ms Join Suppression supported

3516



Interface: lo0.0 Address: 10.255.179.246, IPv4, PIM v2, Mode: SparseDense, sg Join Count: 0, tsg Join Count: 0 Hello Option Holdtime: 65535 seconds Hello Option DR Priority: 1 Hello Option Generation ID: 1997462267 Hello Option Bi-Directional PIM supported Hello Option LAN Prune Delay: delay 500 ms override 2000 ms Join Suppression supported

show pim neighbors detail (With BFD)

user@host> show pim neighbors detail Instance: PIM.master Interface: fe-1/0/0.0 Address: 192.168.11.1, IPv4, PIM v2, Mode: Sparse Hello Option Holdtime: 65535 seconds Hello Option DR Priority: 1 Hello Option Generation ID: 836607909 Hello Option LAN Prune Delay: delay 500 ms override 2000 ms Address: 192.168.11.2, IPv4, PIM v2 BFD: Enabled, Operational state is up Hello Default Holdtime: 105 seconds 104 remaining Hello Option DR Priority: 1 Hello Option Generation ID: 1907549685 Hello Option LAN Prune Delay: delay 500 ms override 2000 ms Interface: fe-1/0/1.0 Address: 192.168.12.1, IPv4, PIM v2 BFD: Disabled Hello Default Holdtime: 105 seconds 80 remaining Hello Option DR Priority: 1 Hello Option Generation ID: 1971554705 Hello Option LAN Prune Delay: delay 500 ms override 2000 ms


3517

®


show pim rps Syntax

show pim rps


show pim rps

Release Information


Description

Options

Display information about Protocol Independent Multicast (PIM) rendezvous points (RPs). none—Display standard information about PIM RPs for all groups and family addresses

for all routing instances. brief | detail | extensive—(Optional) Display the specified level of output. group-address—(Optional) Display the RPs for a particular group. If you specify a group

address, the output lists the routing device that is the RP for that group. inet | inet6—(Optional) Display information for IPv4 or IPv6 family addresses, respectively. instance instance-name—(Optional) Display information about RPs for a specific



3518

view

•


show pim rps on page 3521 show pim rps brief on page 3521 show pim rps (Bidirectional PIM) on page 3521 show pim rps (PIM Dense Mode) on page 3521



show pim rps (SSM Range Without asm-override-ssm Configured) on page 3521 show pim rps (SSM Range With asm-override-ssm Configured and a Sparse-Mode RP) on page 3521 show pim rps (SSM Range With asm-override-ssm Configured and a Bidirectional RP) on page 3522 show pim rps instance on page 3522 show pim rps extensive (PIM Sparse Mode) on page 3522 show pim rps extensive (Bidirectional PIM) on page 3522 show pim rps extensive (PIM Anycast RP in Use) on page 3523 Output Fields

Table 398 on page 3519 describes the output fields for the show pim rps command. Output fields are listed in the approximate order in which they appear.

Table 398: show pim rps Output Fields Field Name

Field Description

Level of Output

Instance


All levels

Family or Address family

Name of the address family: inet (IPv4) or inet6 (IPv6).

All levels

RP address

Address of the rendezvous point.

All levels

Type

Type of RP:

brief none

•

auto-rp—Address of the RP known through the Auto-RP protocol.

•

bootstrap—Address of the RP known through the bootstrap router protocol

(BSR). •

embedded—Address of the RP known through an embedded RP (IPv6).

•

static—Address of RP known through static configuration.

Holdtime

How long to keep the RP active, with time remaining, in seconds.

All levels

Timeout

How long until the local routing device determines the RP to be unreachable, in seconds.

All levels

Groups

Number of groups currently using this RP.

All levels

Group prefixes

Addresses of groups that this RP can span.

brief none

Learned via

Address and method by which the RP was learned.

detail extensive

Mode

The PIM mode of the RP: bidirectional or sparse.

All levels

If a sparse and bidirectional RPs are configured with the same RP address, they appear as separate entries in both formats. Time Active

How long the RP has been active, in the format hh:mm:ss.


detail extensive

3519

®


Table 398: show pim rps Output Fields (continued) Field Name

Field Description

Level of Output

Device Index

Index value of the order in which Junos OS finds and initializes the interface.

detail extensive

For bidirectional RPs, the Device Index output field is omitted because bidirectional RPs do not require encapsulation and de-encapsulation interfaces. Subunit

Logical unit number of the interface.

detail extensive

For bidirectional RPs, the Subunit output field is omitted because bidirectional RPs do not require encapsulation and de-encapsulation interfaces. Interface

Either the encapsulation or the de-encapsulation logical interface, depending on whether this routing device is a designated router (DR) facing an RP router, or is the local RP, respectively.

detail extensive

For bidirectional RPs, the Interface output field is omitted because bidirectional RPs do not require encapsulation and de-encapsulation interfaces. Group Ranges

Addresses of groups that this RP spans.

detail extensive

group-address Active groups using RP

Number of groups currently using this RP.

detail extensive

total

Total number of active groups for this RP.

detail extensive

Register State for RP

Current register state for each group:

extensive

•

Group—Multicast group address.

•

Source—Multicast source address for which the PIM register is sent or received,

depending on whether this router is a designated router facing an RP router, or is the local RP, respectively: •

First Hop—PIM-designated routing device that sent the Register message

(the source address in the IP header). •

RP Address—RP to which the Register message was sent (the destination

address in the IP header). •

State:

On the designated router: •

Send—Sending Register messages.

•

Probe—Sent a null register. If a Register-Stop message does not arrive in

5 seconds, the designated router resumes sending Register messages. •

•

Suppress—Received a Register-Stop message. The designated router is waiting for the timer to resume before changing to Probe state.

On the RP: •

Receive—Receiving Register messages.

Anycast-PIM rpset

If anycast RP is configured, the addresses of the RPs in the set.

extensive

Anycast-PIM local address used

If anycast RP is configured, the local address used by the RP.

extensive

3520



Table 398: show pim rps Output Fields (continued) Field Name

Field Description

Level of Output

Anycast-PIM Register State

If anycast RP is configured, the current register state for each group:

extensive

•

Group—Multicast group address.

•

Source—Multicast source address for which the PIM register is sent or received,

depending on whether this routing device is a designated router facing an RP router, or is the local RP, respectively. •

RP selected

Origin—How the information was obtained: •

DIRECT—From a local attachment

•

MSDP—From the Multicast Source Discovery Protocol (MSDP)

•

DR—From the designated router

For sparse mode and bidirectional mode, the identity of the RP for the specified group address.

group-address

Sample Output show pim rps

show pim rps brief

show pim rps (Bidirectional PIM)

user@host> show pim rps Instance: PIM.master Address family INET RP address Type 10.10.1.3 static

Mode bidir

10.10.13.2

bidir

static

Holdtime Timeout Groups Group prefixes 150 None 2 224.1.3.0/24 225.1.3.0/24 150 None 2 224.1.1.0/24 225.1.1.0/24

The output for the show pim rps brief command is identical to that for the show pim rps command. For sample output, see show pim rps on page 3521. user@host> show pim rps 224.1.1.1 Instance: PIM.master 224.1.0.0/16 11.4.12.75 (Bidirectional) RP selected: 11.4.12.75

show pim rps (PIM Dense Mode)

user@host> show pim rps 224.1.1.1 Instance: PIM.master

show pim rps (SSM Range Without asm-override-ssm Configured)


show pim rps


Dense Mode active for group 224.1.1.1

Source-specific Mode (SSM) active for group 224.1.1.1


3521

®


(SSM Range With asm-override-ssm Configured and a Sparse-Mode RP)

Source-specific Mode (SSM) active with Sparse Mode ASM override for group 224.1.1.1 224.1.0.0/16 11.4.12.75 RP selected: 11.4.12.75

show pim rps (SSM Range With asm-override-ssm Configured and a Bidirectional RP)

user@host> show pim rps 224.1.1.1 Instance: PIM.master Source-specific Mode (SSM) active with Sparse Mode ASM override for group 224.1.1.1 224.1.0.0/16 11.4.12.75 (Bidirectional) RP selected: (null)

show pim rps instance

user@host> show pim rps instance VPN-A Instance: PIM.VPN-A Address family INET RP address Type Holdtime Timeout Groups Group prefixes 10.10.47.100 static 0 None 1 224.0.0.0/4 Address family INET6

show pim rps extensive (PIM Sparse Mode)

user@host> show pim rps extensive Instance: PIM.master Family: INET RP: 10.255.245.91 Learned via: static configuration Time Active: 00:05:48 Holdtime: 45 with 36 remaining Device Index: 122 Subunit: 32768 Interface: pd-6/0/0.32768 Group Ranges: 224.0.0.0/4, 36s remaining Active groups using RP: 225.1.1.1 total 1 groups active Register State for RP: Group Source 225.1.1.1 192.168.195.78

show pim rps extensive (Bidirectional PIM)

FirstHop 10.255.14.132

RP Address 10.255.245.91

State Receive

Timeout 0

user@host> show pim rps extensive Instance: PIM.master Address family INET RP: 10.10.1.3 Learned via: static configuration Mode: Bidirectional Time Active: 01:58:07 Holdtime: 150 Group Ranges: 224.1.3.0/24 225.1.3.0/24

3522



RP: 10.10.13.2 Learned via: static configuration Mode: Bidirectional Time Active: 01:58:07 Holdtime: 150 Group Ranges: 224.1.1.0/24 225.1.1.0/24

show pim rps extensive (PIM Anycast RP in Use)

user@host> show pim rps extensive Instance: PIM.master Family: INET RP: 10.10.10.2 Learned via: static configuration Time Active: 00:54:52 Holdtime: 0 Device Index: 130 Subunit: 32769 Interface: pimd.32769 Group Ranges: 224.0.0.0/4 Active groups using RP: 224.10.10.10 total 1 groups active Anycast-PIM rpset: 10.100.111.34 10.100.111.17 10.100.111.55 Anycast-PIM local address used: 10.100.111.1 Anycast-PIM Register State: Group Source 224.1.1.1 10.10.95.2 224.1.1.2 10.10.95.2 224.10.10.10 10.10.70.1 224.10.10.11 10.10.70.1 224.20.20.1 10.10.71.1

Origin DIRECT DIRECT MSDP MSDP DR

Address family INET6 Anycast-PIM rpset: ab::1 ab::2 Anycast-PIM local address used: cd::1 Anycast-PIM Register State: Group Source ::224.1.1.1 ::10.10.95.2 ::224.1.1.2 ::10.10.95.2 ::224.20.20.1 ::10.10.71.1


Origin DIRECT DIRECT DR

3523

®


show pim source Syntax

show pim source


show pim source

Release Information


Description

Options

Display information about the Protocol Independent Multicast (PIM) source reverse path forwarding (RPF) state. none—Display standard information about the PIM RPF state for all supported family

addresses for all routing instances. brief | detail—(Optional) Display the specified level of output. inet | inet6—(Optional) Display information for IPv4 or IPv6 family addresses, respectively. instance instance-name—(Optional) Display information about the RPF state for a specific


systems or on a particular logical system. source-prefix—(Optional) Display the state for source RPF states in the given range.


Output Fields

3524

view

show pim source on page 3525 show pim source brief on page 3525 show pim source detail on page 3525 Table 399 on page 3525 describes the output fields for the show pim source command. Output fields are listed in the approximate order in which they appear.



Table 399: show pim source Output Fields Field Name

Field Description

Instance


Source

Address of the source or reverse path.

Prefix/length

Prefix and prefix length for the route used to reach the RPF address.

Upstream interface

RPF interface toward the source address.

Upstream Neighbor

Address of the RPF neighbor used to reach the source address.

Sample Output show pim source

user@host> show pim source Instance: PIM.master Family: INET Source 10.255.14.144 Prefix 10.255.14.144/32 Upstream interface Local Upstream neighbor Local Source 10.255.70.15 Prefix 10.255.70.15/32 Upstream interface so-1/0/0.0 Upstream neighbor 10.111.10.2 Instance: PIM.master Family: INET6

show pim source brief

show pim source detail

The output for the show pim source brief command is identical to that for the show pim source command. For sample output, see show pim source on page 3525. user@host> show pim source detail Instance: PIM.master Family: INET Source 10.255.14.144 Prefix 10.255.14.144/32 Upstream interface Local Upstream neighbor Local Active groups:228.0.0.0 239.1.1.1 239.1.1.1 Source 10.255.70.15 Prefix 10.255.70.15/32 Upstream interface so-1/0/0.0 Upstream neighbor 10.111.10.2 Active groups:239.1.1.1 Instance: PIM.master Family: INET6


3525

®


show pim statistics Syntax

show pim statistics


show pim statistics

Release Information


Description Options

Display Protocol Independent Multicast (PIM) statistics. none—Display PIM statistics. inet | inet6—(Optional) Display IPv4 or IPv6 PIM statistics, respectively. instance instance-name—(Optional) Display statistics for a specific routing instance

enabled by Protocol Independent Multicast (PIM). interface interface-name—(Optional) Display statistics about the specified interface. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

3526

view

•

clear pim statistics on page 3427

show pim statistics on page 3532 show pim statistics inet interface on page 3533 show pim statistics inet6 interface on page 3534 show pim statistics interface on page 3534 Table 400 on page 3527 describes the output fields for the show pim statistics command. Output fields are listed in the approximate order in which they appear.



Table 400: show pim statistics Output Fields Field Name

Field Description

Instance

Name of the routing instance. This field only appears if you specify an interface, for example:

Family

•

inet interface interface-name

•

inet6 interface interface-name

•

interface interface-name

Output is for IPv4 or IPv6 PIM statistics. INET indicates IPv4 statistics, and INET6 indicates IPv6 statistics. This field only appears if you specify an interface, for example: •

inet interface interface-name

•

inet6 interface interface-name

•


PIM statistics

PIM statistics for all interfaces or for the specified interface.

PIM message type

Message type for which statistics are displayed.

Received

Number of received statistics.

Sent

Number of messages sent of a certain type.

Rx errors

Number of received packets that contained errors.

V2 Hello

PIM version 2 hello packets.

V2 Register

PIM version 2 register packets.

V2 Register Stop

PIM version 2 register stop packets.

V2 Join Prune

PIM version 2 join and prune packets.

V2 Bootstrap

PIM version 2 bootstrap packets.

V2 Assert

PIM version 2 assert packets.

V2 Graft

PIM version 2 graft packets.

V2 Graft Ack

PIM version 2 graft acknowledgment packets.

V2 Candidate RP

PIM version 2 candidate RP packets.


3527

®


Table 400: show pim statistics Output Fields (continued) Field Name

Field Description

V2 State Refresh

PIM version 2 control messages related to PIM dense mode (PIM-DM) state refresh. State refresh is an extension to PIM-DM. It not supported in Junos OS.

3528

V2 DF Election

PIM version 2 send and receive messages associated with bidirectional PIM designated forwarder election.

V1 Query

PIM version 1 query packets.

V1 Register

PIM version 1 register packets.

V1 Register Stop

PIM version 1 register stop packets.

V1 Join Prune

PIM version 1 join and prune packets.

V1 RP Reachability

PIM version 1 RP reachability packets.

V1 Assert

PIM version 1 assert packets.

V1 Graft

PIM version 1 graft packets.

V1 Graft Ack

PIM version 1 graft acknowledgment packets.

AutoRP Announce

Auto-RP announce packets.

AutoRP Mapping

Auto-RP mapping packets.

AutoRP Unknown type

Auto-RP packets with an unknown type.

Anycast Register


Anycast Register Stop


Global Statistics

Summary of PIM statistics for all interfaces.

Hello dropped on neighbor policy

Number of hello packets dropped because of a configured neighbor policy.

Unknown type

Number of PIM control packets received with an unknown type.

V1 Unknown type

Number of PIM version 1 control packets received with an unknown type.

Unknown Version

Number of PIM control packets received with an unknown version. The version is not version 1 or version 2.




Field Description

Neighbor unknown

Number of PIM control packets received (excluding PIM hello) without first receiving the hello packet.

Bad Length

Number of PIM control packets received for which the packet size does not match the PIM length field in the packet.

Bad Checksum

Number of PIM control packets received for which the calculated checksum does not match the checksum field in the packet.

Bad Receive If

Number of PIM control packets received on an interface that does not have PIM configured.

Rx Bad Data

Number of PIM control packets received that contain data for TCP Bad register packets.

Rx Intf disabled

Number of PIM control packets received on an interface that has PIM disabled.

Rx V1 Require V2

Number of PIM version 1 control packets received on an interface configured for PIM version 2.

Rx V2 Require V1

Number of PIM version 2 control packets received on an interface configured for PIM version 1.

Rx Register not RP

Number of PIM register packets received when the router is not the RP for the group.

Rx Register no route

Number of PIM register packets received when the RP does not have a unicast route back to the source.

Rx Register no decap if

Number of PIM register packets received when the RP does not have a de-encapsulation interface.

Null Register Timeout

Number of NULL register timeout packets.

RP Filtered Source

Number of PIM packets received when the router has a source address filter configured for the RP.

Rx Unknown Reg Stop

Number of register stop messages received with an unknown type.

Rx Join/Prune no state

Number of join and prune messages received for which the router has no state.

Rx Join/Prune on upstream if

Number of join and prune messages received on the interface used to reach the upstream router, toward the RP.

Rx Join/Prune for invalid group

Number of join or prune messages received for invalid multicast group addresses.


3529

®


Table 400: show pim statistics Output Fields (continued)

3530

Field Name

Field Description

Rx Join/Prune messages dropped

Number of join and prune messages received and dropped.

Rx sparse join for dense group

Number of PIM sparse mode join messages received for a group that is configured for dense mode.

Rx Graft/Graft Ack no state

Number of graft and graft acknowledgment messages received for which the router or switch has no state.

Rx Graft on upstream if

Number of graft messages received on the interface used to reach the upstream router, toward the RP.

Rx CRP not BSR

Number of BSR messages received in which the PIM message type is Candidate-RP-Advertisement, not Bootstrap.

Rx BSR when BSR

Number of BSR messages received in which the PIM message type is Bootstrap.

Rx BSR not RPF if

Number of BSR messages received on an interface that is not the RPF interface.

Rx unknown hello opt

Number of PIM hello packets received with options that Junos OS does not support.

Rx data no state

Number of PIM control packets received for which the router has no state for the data type.

Rx RP no state

Number of PIM control packets received for which the router has no state for the RP.

Rx aggregate

Number of PIM aggregate MDT packets received.

Rx malformed packet

Number of PIM control packets received with a malformed IP unicast or multicast address family.

No RP

Number of PIM control packets received with no RP address.

No register encap if

Number of PIM register packets received when the first-hop router does not have an encapsulation interface.

No route upstream

Number of PIM control packets received when the router does not have a unicast route to the the interface used to reach the upstream router, toward the RP.

Nexthop Unusable

Number of PIM control packets with an unusable nexthop. A path can be unusable if the route is hidden or the link is down.

RP mismatch

Number of PIM control packets received for which the router has an RP mismatch.




Field Description

RP mode mismatch

RP mode (sparse or bidirectional) mismatches encountered when processing join and prune messages.

RPF neighbor unknown

Number of PIM control packets received for which the router has an unknown RPF neighbor for the source.

Rx Joins/Prunes filtered

The number of join and prune messages filtered because of configured route filters and source address filters.

Tx Joins/Prunes filtered

The number of join and prune messages filtered because of configured route filters and source address filters.

Embedded-RP invalid addr

Number of packets received with an invalid embedded RP address in PIM join messages and other types of messages sent between routing domains.

Embedded-RP limit exceed

Number of times the limit configured with the maximum-rps statement is exceeded. The maximum-rps statement limits the number of embedded RPs created in a specific routing instance. The range is from 1 through 500. The default is 100.

Embedded-RP added

Number of packets in which the embedded RP for IPv6 is added. The following receive events trigger extraction of an IPv6 embedded RP address on the router: •

Multicast Listener Discovery (MLD) report for an embedded RP multicast group address

•

PIM join message with an embedded RP multicast group address

•

Static embedded RP multicast group address associated with an interface

•

Packets sent to an embedded RP multicast group address received on the DR

An embedded RP node discovered through these receive events is added if it does not already exist on the routing platform. Embedded-RP removed

Number of packets in which the embedded RP for IPv6 is removed. The embedded RP is removed whenever all PIM join states using this RP are removed or the configuration changes to remove the embedded RP feature.

Rx Register msgs filtering drop

Number of received register messages dropped because of a filter configured for PIM register messages.

Tx Register msgs filtering drop

Number of register messages dropped because of a filter configured for PIM register messages.

Rx Bidir Join/Prune on non-Bidir if

Error counter for join and prune messages received on non-bidirectional PIM interfaces.


3531

®



Field Description

Rx Bidir Join/Prune on non-DF if

Error counter for join and prune messages received on non-designated forwarder interfaces.

Sample Output show pim statistics

user@host> show pim statistics PIM Message type Received V2 Hello 15 V2 Register 0 V2 Register Stop 483 V2 Join Prune 18 V2 Bootstrap 0 V2 Assert 0 V2 Graft 0 V2 Graft Ack 0 V2 Candidate RP 0 V2 State Refresh 0 V2 DF Election 0 V1 Query 0 V1 Register 0 V1 Register Stop 0 V1 Join Prune 0 V1 RP Reachability 0 V1 Assert 0 V1 Graft 0 V1 Graft Ack 0 AutoRP Announce 0 AutoRP Mapping 0 AutoRP Unknown type 0 Anycast Register 0 Anycast Register Stop 0

Sent 32 362 0 518 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0

0 0

Global Statistics Hello dropped on neighbor policy Unknown type V1 Unknown type Unknown Version Neighbor unknown Bad Length Bad Checksum Bad Receive If Rx Bad Data Rx Intf disabled Rx V1 Require V2 Rx V2 Require V1 Rx Register not RP Rx Register no route Rx Register no decap if Null Register Timeout RP Filtered Source Rx Unknown Reg Stop Rx Join/Prune no state Rx Join/Prune on upstream if Rx Join/Prune for invalid group

3532

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5



Rx Join/Prune messages dropped Rx sparse join for dense group Rx Graft/Graft Ack no state Rx Graft on upstream if Rx CRP not BSR Rx BSR when BSR Rx BSR not RPF if Rx unknown hello opt Rx data no state Rx RP no state Rx aggregate Rx malformed packet Rx illegal TTL Rx illegal destination address No RP No register encap if No route upstream Nexthop Unusable RP mismatch RP mode mismatch RPF neighbor unknown Rx Joins/Prunes filtered Tx Joins/Prunes filtered Embedded-RP invalid addr Embedded-RP limit exceed Embedded-RP added Embedded-RP removed Rx Register msgs filtering drop Tx Register msgs filtering drop Rx Bidir Join/Prune on non-Bidir if Rx Bidir Join/Prune on non-DF if

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Sample Output show pim statistics inet interface

user@host> show pim statistics inet interface ge-0/3/0.0 Instance: PIM.master Family: INET PIM Interface statistics for ge-0/3/0.0 PIM Message type V2 Hello V2 Register V2 Register Stop V2 Join Prune V2 Bootstrap V2 Assert V2 Graft V2 Graft Ack V2 Candidate RP V1 Query V1 Register V1 Register Stop V1 Join Prune V1 RP Reachability V1 Assert V1 Graft V1 Graft Ack AutoRP Announce AutoRP Mapping AutoRP Unknown type


Received 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Sent 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

3533

®


Anycast Register Anycast Register Stop

0 0

0 0

0 0

Sample Output show pim statistics inet6 interface

user@host> show pim statistics inet6 interface ge-0/3/0.0 Instance: PIM.master Family: INET6 PIM Interface statistics for ge-0/3/0.0 PIM Message type V2 Hello V2 Register V2 Register Stop V2 Join Prune V2 Bootstrap V2 Assert V2 Graft V2 Graft Ack V2 Candidate RP Anycast Register Anycast Register Stop

Received 0 0 0 0 0 0 0 0 0 0 0

Sent 4 0 0 0 0 0 0 0 0 0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0

Sample Output show pim statistics interface

user@host> show pim statistics interface ge-0/3/0.0 Instance: PIM.master Family: INET PIM Interface statistics for ge-0/3/0.0 PIM Message type V2 Hello V2 Register V2 Register Stop V2 Join Prune V2 Bootstrap V2 Assert V2 Graft V2 Graft Ack V2 Candidate RP V1 Query V1 Register V1 Register Stop V1 Join Prune V1 RP Reachability V1 Assert V1 Graft V1 Graft Ack AutoRP Announce AutoRP Mapping AutoRP Unknown type Anycast Register Anycast Register Stop

Received 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Sent 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Rx errors 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0

0 0

Sent 3

Rx errors 0

Instance: PIM.master Family: INET6 PIM Interface statistics for ge-0/3/0.0 PIM Message type V2 Hello

3534

Received 0



V2 Register V2 Register Stop V2 Join Prune V2 Bootstrap V2 Assert V2 Graft V2 Graft Ack V2 Candidate RP Anycast Register Anycast Register Stop


0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0

3535

®


3536


PART 18

Access Control •

802.1X and MAC RADIUS Authentication Overview on page 3539

•

Examples: Access Control Configuration on page 3561

•

Configuring Access Control on page 3627

•

Verifying 802.1X and MAC RADIUS Authentication on page 3655

•

Configuration Statements for Access Control on page 3659

•

Operational Commands for Access Control on page 3775


3537

®


3538


CHAPTER 87

802.1X and MAC RADIUS Authentication Overview •


•


•

Authentication Process Flow for EX Series Switches on page 3547

•


•

Understanding Dynamic VLANs for 802.1X on EX Series Switches on page 3550

•

Understanding Guest VLANs for 802.1X on EX Series Switches on page 3550

•

Understanding 802.1X and RADIUS Accounting on EX Series Switches on page 3551

•


•


•

Understanding 802.1X and VSAs on EX Series Switches on page 3557

•

Understanding Authentication Session Timeout on page 3558

•

Understanding NetBIOS Snooping on page 3559


3539

®


Understanding Authentication on EX Series Switches You can control access to your network through a Juniper Networks EX Series Ethernet Switch using several different authentication methods—802.1X, MAC RADIUS, or captive portal. Authentication prevents unauthorized devices and users from gaining access to your LAN. For 802.1X and MAC RADIUS authentication, end devices must be authenticated before they receive an IP address from a DHCP server. For captive portal authentication, the switch allows the end devices to get an IP address and allows forwarding of DHCP, DNS, and ARP packets. You can allow end devices to access the network without authentication by including the MAC address of the end device in the static MAC bypass list or, for captive portal, by including the MAC address of the end device in the authentication whitelist. You can configure 802.1X, MAC RADIUS, and captive portal on the same interface and in any combination, except that you cannot configure MAC RADIUS and captive portal on an interface without also configuring 802.1X. If you configure multiple authentication methods on a single interface, the switch falls back to another method if the first method is unsuccessful. For a description of the process flow when multiple authentication methods are configured on an interface, see “Authentication Process Flow for EX Series Switches” on page 3547. This topic covers: •

A Basic Authentication Topology on page 3540

•

802.1X Authentication on page 3541

•

MAC RADIUS Authentication on page 3542

•

Captive Portal Authentication on page 3543

•

Static MAC Bypass of Authentication on page 3544

•

Fallback of Authentication Methods on page 3544

A Basic Authentication Topology Figure 94 on page 3541 illustrates a basic deployment topology for authentication on an EX Series switch:

3540


Chapter 87: 802.1X and MAC RADIUS Authentication Overview

Figure 94: Example Authentication Topology

802.1X Authentication 802.1X is an IEEE standard for port-based network access control (PNAC). It provides an authentication mechanism to allow devices to access a LAN. The 802.1X authentication feature on an EX Series switch is based upon the IEEE 802.1D standard Port-Based Network Access Control. The communication protocol between the end device and the switch is Extensible Authentication Protocol Over LAN (EAPoL). EAPoL is a version of EAP designed to work with Ethernet networks. The communication protocol between the authentication server and the switch is RADIUS.


3541

®


During the authentication process, the switch completes multiple message exchanges between the end device and the authentication server. While 802.1X authentication is in process, only 802.1X traffic is allowed. Other traffic, such as DHCP and HTTP, is blocked at the data link layer.

NOTE: You can configure both the maximum number of times an EAPoL request packet is retransmitted and the timeout period between attempts. For information, see “Configuring 802.1X Interface Settings (CLI Procedure)” on page 3629.

An 802.1X authentication configuration for a LAN contains three basic components: •

Supplicant (also called end device)—Supplicant is the IEEE term for an end device that requests to join the network. The end device can be responsive or nonresponsive. A responsive end device is 802.1X-enabled and provides authentication credentials—specifically, a username and password for EAP MD5 or a username and client certificates for EAP-TLS, EAP-TTLS, and EAP-PEAP. You can configure a server-reject VLAN to provide limited LAN access for users who have entered incorrect login credentials. A server-reject VLAN can provide a remedial connection for these users. See“Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients” on page 3621 for additional information. A nonresponsive end device is not 802.1X-enabled, but it can be authenticated through MAC RADIUS authentication.

•

Authenticator port access entity—The IEEE term for the authenticator. The EX Series switch is the authenticator, and it controls access by blocking all traffic to and from end devices until they are authenticated.

•

Authentication server—The authentication server contains the backend database that makes authentication decisions. It contains credential information for each end device that is allowed to connect to the network. The authenticator forwards credentials supplied by the end device to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If the credentials forwarded do not match, access is denied. The EX Series switches support RADIUS authentication servers.

MAC RADIUS Authentication You can configure MAC RADIUS authentication on interfaces that are connected to end devices that are not 802.1X-enabled but that you want to allow to access the LAN. The EAP method supported for MAC RADIUS authentication on EX Series switches is EAP-MD5. If both 802.1X-enabled end devices and end devices that are not 802.1X-enabled connect to an interface, you can configure both 802.1X and MAC RADIUS authentication methods on the interface. In this case, the switch first attempts to authenticate using 802.1X, and

3542



if that method fails, it attempts to authenticate the end device using MAC RADIUS authentication. If you know that only non-802.1X-enabled end devices connect on that interface, you can eliminate the delay that occurs while the switch determines that the end device is non-802.1X-enabled by configuring the mac-radius restrict option. When this option is configured, the switch does not attempt to authenticate the end device through 802.1X but instead immediately sends a request to the RADIUS server for authentication of the MAC address of the end device. If the MAC address of an end device is configured as permitted on the RADIUS server, the switch opens LAN access to the end device on the interface to which it is connected. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface. When you configure mac-radius restrict on an interface to eliminate this delay, the switch drops all 802.1X packets.

Captive Portal Authentication Captive portal authentication (hereafter referred to as captive portal) allows you to authenticate users on EX Series switches by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network. Captive portal controls network access by requiring users to provide information that is authenticated against a RADIUS server database using EAP-MD5. You can also use captive portal to display an acceptable-use policy to users before they access your network. Juniper Networks Junos operating system (Junos OS) for EX Series switches provides a template that allows you to easily design and modify the look of the captive portal login page. You enable specific interfaces for captive portal. The first time an end device connected to a captive portal interface attempts to access a web page, the switch presents the captive portal login page. Upon successful authentication, the user is allowed access to the network and to continue to the original page requested.

NOTE: If Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) is enabled, Hypertext Transfer Protocol (HTTP) requests are redirected to an HTTPS connection for the captive portal authentication process. After authentication, the end device is returned to the HTTP connection.

If there are end devices that are not HTTP-enabled connected to the captive portal interface, you can allow them to bypass captive portal authentication by adding their MAC addresses to an authentication whitelist. When the user is authenticated by the RADIUS server, any per-user policies (attributes) associated with that user are also sent to the switch. Captive portal on EX Series switches has the following limitations: •

The captive portal interface must be configured for family ethernet-switching and set to port mode access.


3543

®


•

Captive portal does not support dynamic assignment of VLANs downloaded from the RADIUS server.

•

If the user is idle for more than about 5 minutes and there is no traffic passed, the user must log back in to the captive portal.

Static MAC Bypass of Authentication You can allow end devices to access the LAN without authentication on a RADIUS server by including their MAC addresses in the static MAC bypass list (also known as the exclusion list). You might choose to include a device in the bypass list to: •

Allow non-802.1X-enabled devices access to the LAN.

•

Eliminate the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host.

When you configure static MAC on the switch, the MAC address of the end device is first checked in a local database (a user-configured list of MAC addresses). If a match is found, the end device is successfully authenticated and the interface is opened up for it. No further authentication is done for that end device. If a match is not found and 802.1X authentication is enabled on the switch, the switch attempts to authenticate the end device through the RADIUS server. For each MAC address, you can also configure the VLAN to which the end device is moved or the interfaces on which the host connects.

Fallback of Authentication Methods You can configure multiple authentication methods on a single interface to enable fallback to another method if one method fails. If an interface is configured in multiple supplicant mode, all end devices connecting through the interface must use either captive portal or a combination of 802.1X and MAC RADIUS, captive portal cannot be mixed with 802.1X or MAC RADIUS. Therefore, if there is already an end device on the interface that was authenticated through 802.1X or MAC RADIUS authentication, then additional end devices authenticating do not fall back to captive portal. If only 802.1X authentication or MAC RADIUS authentication is configured, some end devices can be authenticated using 802.1X and others can still be authenticated using MAC RADIUS. Fallback of authentication methods occurs in the following order: 1.

802.1X authentication—If 802.1X is configured on the interface, the switch sends EAPoL requests to the end device and attempts to authenticate the end device through 802.1X authentication. If the end device does not respond to the EAP requests, the switch checks whether MAC RADIUS authentication is configured on the interface.

2. MAC RADIUS authentication—If MAC RADIUS authentication is configured on the

interface, the switch sends the MAC RADIUS address of the end device to the

3544



authentication server. If MAC RADIUS authentication is not configured, the switch checks whether captive portal is configured on the interface. 3. Captive portal authentication—If captive portal is configured on the interface, the

switch attempts to authenticate using this method after attempting any other configured authentication methods. If an end device is authenticated on the interface using captive portal, this becomes the active authentication method on the interface. When captive portal is the active authentication method, the switch falls back to 802.1X authentication if there are no sessions in the authenticated state and if the interface receives an EAP packet. Related Documentation

•


•

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 3583

•

Configuring 802.1X Interface Settings (CLI Procedure) on page 3629

•

Configuring MAC RADIUS Authentication (CLI Procedure) on page 3634

•

Configuring Captive Portal Authentication (CLI Procedure) on page 3648

•

Configuring Static MAC Bypass of Authentication (CLI Procedure) on page 3633

•


•

Authentication Process Flow for EX Series Switches on page 3547

802.1X for EX Series Switches Overview IEEE 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access.

How 802.1X Authentication Works 802.1X authentication works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (end device) at the port until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant. The end device is authenticated in either single mode, single-secure mode, or multiple mode: •

single—Authenticates only the first end device. All other end devices that connect later

to the port are allowed full access without any further authentication. They effectively “piggyback” on the end devices’ authentication. •

single-secure—Allows only one end device to connect to the port. No other end device

is allowed to connect until the first logs out. •

multiple—Allows multiple end devices to connect to the port. Each end device will be

authenticated individually.


3545

®


Network access can be further defined using VLANs and firewall filters, which both act as filters to separate and match groups of end devices to the areas of the LAN they require. For example, you can configure VLANs to handle different categories of authentication failures depending upon: •

Whether or not the end device is 802.1X-enabled.

•

Whether or not MAC RADIUS authentication has been configured on the switch interfaces to which the hosts are connected.

•

Whether the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. See “Configuring Server Fail Fallback (CLI Procedure)” on page 3636.

802.1X Features Overview 802.1X features on Juniper Networks EX Series Ethernet Switches are: •

Guest VLAN—Provides limited access to a LAN, typically just to the Internet, for nonresponsive end devices that are not 802.1X-enabled when MAC RADIUS authentication has not been configured on the switch interfaces to which the hosts are connected . Also, a guest VLAN can be used to provide limited access to a LAN for guest users. Typically, the guest VLAN provides access just to the Internet and to other guests’ end devices.

•

Server-reject VLAN—Provides limited access to a LAN, typically just to the Internet, for responsive end devices that are 802.1X-enabled but that have sent the wrong credentials.

•

Server-fail VLAN—Provides limited access to a LAN, typically just to the Internet, for 802.1X end devices during a RADIUS server timeout.

•

Dynamic VLAN—Enables an end device, after authentication, to be a member of a VLAN dynamically.

•

Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs).

•

Dynamic changes to a user session—Allows the switch administrator to terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.

•

Support for VoIP—Supports IP telephones. If the phone is 802.1X-enabled, it is authenticated like any other supplicant. If the phone is not 802.1X-enabled, but has another 802.1X-compatible device connected to its data port, that device is authenticated, and then VoIP traffic can flow to and from the phone (providing that the interface is configured in single mode and not in single-secure mode).

NOTE: Configuring a VoIP VLAN on private VLAN (PVLAN) interfaces is not supported.

3546



•

RADIUS accounting—Sends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription.

•

Vendor Specific Attributes (VSAs)—Supports the Juniper-Switching-Filter attribute on the RADIUS authentication server that can be used further define a supplicant's access during the 802.1X authentication process. Centrally configuring VSAs on the authentication server does away with the need to configure these same attributes in the form of firewall filters on every switch in the LAN to which the supplicant may connect to the LAN. This feature is based on RLI 4583, AAA RADIUS BRAS VSA Support.

Supported Features Related to 802.1X Authentication 802.1X does not replace other security technologies. 802.1X works together with port security features, such as DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting, to guard against spoofing. Supported features related to authentication include:


•

Static MAC bypass—Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled (such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X authentication.

•

MAC RADIUS authentication—Provides a means to enable or disable MAC authentication independently of whether 802.1X authentication is enabled.

•


•


•


•


•


•


•


Authentication Process Flow for EX Series Switches You can control access to your network through an EX Series switch by using several different authentication methods—including 802.1X, MAC RADIUS, or captive portal. Figure 95 on page 3548 illustrates the authentication process:


3547

®


Figure 95: Authentication Process Flow for an EX Series Switch Begin Authentication

MAC address in whitelist or static MAC list?

A

YES

NO

Authenticator configured?

A

=

Client authenticated. Allow access on port.

B

=

Client is not authenticated. Deny access on port.

C

= Captive portal

D

= Reauthentication

D Try authenticating using EAPOL— maximum 3 requests

Reauthentication YES

NO mac-radius restrict statement configured?

Does client respond to EAP message?

YES Try authenticating using MAC RADIUS

NO

MAC RADIUS configured?

NO

Captive portal configured?

NO

YES

YES

YES

Continue with 802.1X authentication

Try once to authenticate using MAC RADIUS

Continue with captive portal

Guest VLAN configured?

NO

NO

YES

C

B Authenticator is configured and MAC RADIUS or captive portal is not configured?

Captive portal configured?

NO

Does RADIUS server return access-accept?

Does RADIUS server respond?

NO

YES

Server-fail VLAN configured?

NO

YES

NO

A

B

B

YES NO

YES

C A

Does RADIUS server respond?

YES Authenticated with server-fail VLAN

NO

B

YES

B Does RADIUS server return access-accept?

A

NO

B

A


3548

g041098

YES

•


•


•


•


•

Example: Setting Up Captive Portal Authentication on an EX Series Switch on page 3616



Understanding Server Fail Fallback and Authentication on EX Series Switches Server fail fallback allows you to specify how end devices connected to the switch are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. Juniper Networks EX Series Ethernet Switches use authentication to implement access control in an enterprise network. If 802.1X, MAC RADIUS, or captive portal authentication are configured on the interface, end devices are evaluated at the initial connection by an authentication (RADIUS) server. If the end device is configured on the authentication server, the device is granted access to the LAN and the EX Series switch opens the interface to permit access. A RADIUS server timeout occurs if no RADIUS authentication servers are reachable when an end device logs in and attempts to access the LAN. Server fail fallback allows you to specify one of four actions to be taken toward end devices awaiting authentication when the server is timed out: •

Permit authentication, allowing traffic to flow from the end device through the interface as if the end device were successfully authenticated by the RADIUS server.

•

Deny authentication, preventing traffic from flowing from the end device through the interface. This is the default.

•

Move the end device to a specified VLAN. (The VLAN must already exist on the switch.)

•

Sustain authenticated end devices that already have LAN access and deny unauthenticated end devices. If the RADIUS servers time out during reauthentication, previously authenticated end devices are reauthenticated and new users are denied LAN access.

Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by an end device’s first attempt at authentication through the RADIUS server. Server fail fallback allows you to specify that an end device be moved to a specified VLAN if the switch receives a RADIUS access-reject message. The configured VLAN name overrides any attributes sent by the server. Related Documentation

•


•

Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch on page 3565

•


•

Configuring Server Fail Fallback (CLI Procedure) on page 3636

•



3549

®


Understanding Dynamic VLANs for 802.1X on EX Series Switches Dynamic VLANs, in conjunction with the 802.1X authentication process, provide secure access to the LAN for end devices belonging to different VLANs on a single port. When this feature is configured on the RADIUS server, an end device or user authenticating on the RADIUS server is assigned to the VLAN configured for it. The end device or user becomes a member of a VLAN dynamically after successful 802.1X authentication. For information on configuring dynamic VLANs on your RADIUS server, see the documentation for your RADIUS server. Successful authentication requires that the VLAN ID or VLAN name exist on the switch and match the VLAN ID or VLAN name sent by the RADIUS server during authentication. If neither exists, the end device is unauthenticated. If a guest VLAN is established, the unauthenticated end device is automatically moved to the guest VLAN. Related Documentation

•

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch on page 3570

•


Understanding Guest VLANs for 802.1X on EX Series Switches Guest VLANs can be configured on switches that are using 802.1X authentication to provide limited access—typically only to the Internet—for: •

Corporate guests

•

End devices that are not 802.1X-enabled

•

Nonresponsive end devices when MAC RADIUS authentication has not been configured on the switch interfaces to which the hosts are connected

A guest VLAN is not used for supplicants sending incorrect credentials. Those supplicants are directed to the server-reject VLAN instead. For end devices that are not 802.1X-enabled, a guest VLAN can allow limited access to a server from which the non-802.1X-enabled end device can download the supplicant software and attempt authentication again. A guest VLAN is not used when MAC RADIUS authentication has been configured on the switch interfaces to which the hosts are connected. Some end devices, such as a printer, cannot be enabled for 802.1X. The hosts for such devices should be connected to switch interfaces that are configured for MAC RADIUS authentication. See “Configuring MAC RADIUS Authentication (CLI Procedure)” on page 3634. Related Documentation

3550

•


•


•




Understanding 802.1X and RADIUS Accounting on EX Series Switches Juniper Networks EX Series Ethernet Switches support IETF RFC 2866, RADIUS Accounting. Configuring RADIUS accounting on an EX Series switch permits statistical data about users logging onto or off a LAN to be collected and sent to a RADIUS accounting server. The statistical data gathered can be used for general network monitoring, to analyze and track usage patterns, or to bill a user based upon the amount of time or type of services accessed. To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the switch, and select the type of accounting data to be collected. The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. In the event that the primary server (the first one configured) is unavailable, each RADIUS server in the list is tried in the order in which they are configured in the Juniper Networks Junos operating system (Junos OS). The RADIUS accounting process between a switch and a RADIUS server works like this: 1.

A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For example, on FreeRADIUS, the default port is 1813.

2. The switch forwards an accounting-request packet containing an event record to the

accounting server. For example, a supplicant is authenticated through 802.1X authentication and connected to the LAN. The event record associated with this supplicant contains an Acct-Status-Type attribute whose value indicates the beginning of user service for this supplicant. When the supplicant's session ends, the accounting request will contain an Acct-Status-Type attribute value indicating the end of user service. The RADIUS accounting server records this as a stop-accounting record containing session information and the length of the session. 3. The RADIUS accounting server logs these events as start-accounting or

stop-accounting records. The records are in a file. On FreeRADIUS, the file name is the server's address; for example, 122.69.1.250. 4. The accounting server sends an accounting-response packet back to the switch

confirming it has received the accounting request. 5. If the switch does not receive a response from the server, it continues to send

accounting requests until an accounting response is returned from the accounting server. The statistics collected through this process can be displayed from the RADIUS server; to see those statistics, the user accesses the log file configured to receive them. Related Documentation

•


•


•



3551

®


Understanding 802.1X and LLDP and LLDP-MED on EX Series Switches Juniper Networks EX Series Ethernet Switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network links. The information allows the switch to quickly identify a variety of devices, resulting in a LAN that interoperates smoothly and efficiently. LLDP-capable devices transmit information in type, length, and value (TLV) messages to neighbor devices. Device information can include specifics, such as chassis and port identification and system name and system capabilities. The TLVs leverage this information from parameters that have already been configured in the Juniper Networks Junos operating system (Junos OS). LLDP-MED goes one step further, exchanging IP-telephony messages between the switch and the IP telephone.

NOTE: If your IP telephone is configured for voice over IP, the switch automatically detects the configuration and assigns the telephone to the voice VLAN. The implementation of a voice VLAN on an IP telephone is vendor-specific. Consult the documentation that came with your IP telephone for instructions on configuring a voice VLAN. For example, on an Avaya phone, you can ensure that the phone gets the correct VoIP VLAN ID even in the absence of LLDP-MED by enabling DHCP option 176.

These TLV messages also provide detailed information on PoE policy. The PoE Management TLVs let the switch ports advertise the power level and power priority needed. The switch also uses these protocols to ensure that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p CoS and 802.1Q tag information can be sent to the IP telephone. EX Series switches support the following basic TLVs: •

Chassis Identifier—The MAC address associated with the local system.

•

Port identifier—The port identification for the specified port in the local system.

•

Port Description—Interface name of the port.

•

System Name—The user-configured name of the local system. The system name can

be a maximum of 256 characters. •

System Description—The system description containing information about the software

and current image running on the system. This information is not configurable, but taken from the software.

3552



•

System Capabilities—The primary function performed by the system. The capabilities

that system supports; for example, bridge or router. This information is not configurable, but based on the model of the product. •

Management Address—The IPv4 or IPv6 management address of the local system.

EX Series switches support the following 802.3 TLVs: •

Power via MDI—A TLV that advertises MDI power support, PSE power pair, and power

class information. •

MAC/PHY Configuration Status—A TLV that advertises information about the physical

interface, such as autonegotiation status and support and MAU type. The information is not configurable, but based on the physical interface structure. •

Link Aggregation—A TLV that advertises if the port is aggregated and its aggregated

port ID. •

Maximum Frame Size—A TLV that advertises the Maximum Transmission Unit (MTU)

of the interface sending LLDP frames. •

Port Vlan—A TLV that advertises the VLAN name configured on the interface.

EX Series switches support the following LLDP-MED TLVs: •

LLDP MED Capabilities—A TLV that advertises the primary function of the port. The

capabilities values range 0 through 15:

•

•

•

0— Capabilities

•

1— Network Policy

•

2— Location Identification

•

3— Extended Power via MDI-PSE

•

4— Inventory

•

5–15— Reserved

LLDP-MED Device Class Values: •

0— Class not defined.

•

1— Class 1 Device.

•


•


•

4— Network Connectivity Device

•

5–255— Reserved.

Network Policy—A TLV that advertises the port VLAN configuration and associated

Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types,


3553

®


such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points. •

Endpoint Location— A TLV that advertises the physical location of the endpoint.

•

Extended Power via MDI— A TLV that advertises the power type, power source, power

priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port. Related Documentation

•


•

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch on page 3595

•

Configuring LLDP (CLI Procedure) on page 3641

•

Configuring LLDP-MED (CLI Procedure) on page 3644

Understanding 802.1X and VoIP on EX Series Switches When you use Voice over IP (VoIP), you can connect IP telephones to the switch and configure IEEE 802.1X authentication for 802.1X-compatible IP telephones. The 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access. VoIP is a protocol used for the transmission of voice through packet-switched networks. VoIP transmits voice calls using a network connection instead of an analog phone line. When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters to the phone. You can configure 802.1X authentication to work with VoIP in multiple supplicant or single supplicant mode. In multiple-supplicant mode, the 802.1X process allows multiple supplicants to connect to the interface. Each supplicant will be authenticated individually. For an example of a VoIP multiple supplicant topology, see Figure 96 on page 3555.

3554



Figure 96: VoIP Multiple Supplicant Topology

If an 802.1X-compatible IP telephone does not have an 802.1X host but has another 802.1X-compatible device connected to its data port, you can connect the phone to an interface in single-supplicant mode. In single-supplicant mode, the 802.1X process authenticates only the first supplicant. All other supplicants who connect later to the interface are allowed full access without any further authentication. They effectively “piggyback” on the first supplicant’s authentication. For an example of a VoIP single supplicant topology, see Figure 97 on page 3556 .


3555

®


Figure 97: VoIP Single Supplicant Topology

If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X and LLDP-MED and have the packets forwarded to a VoIP VLAN, Related Documentation

3556

•


•


•

Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication on page 3602

•

Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support on page 3608



Understanding 802.1X and VSAs on EX Series Switches Juniper Networks EX Series Ethernet Switches support the configuration of RADIUS server attributes specific to Juniper Networks. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS). Through VSAs, you can configure port-filtering attributes on the RADIUS server. VSAs are clear text fields sent from the RADIUS server to the switch as a result of the 802.1X authentication success or failure. The 802.1X authentication prevents unauthorized user access by blocking a supplicant at the port until the supplicant is authenticated by the RADIUS server. The VSA attributes are interpreted by the switch during authentication, and the switch takes appropriate actions. Implementing port-filtering attributes with 802.1X authentication on the RADIUS server provides a central location for controlling LAN access for supplicants. These port-filtering attributes specific to Juniper Networks are encapsulated in a RADIUS server VSA with the vendor ID set to the Juniper Networks ID number, 2636. As well as configuring port-filtering attributes through VSAs, you can apply a port firewall filter that has already been configured on the switch directly to the RADIUS server. Like port-filtering attributes, the filter is applied during the 802.1X authentication process, and its actions are applied at the switch port. Adding a port firewall filter to a RADIUS server eliminates the need to add the filter to multiple ports and switches. For more information, see “Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch” on page 3588. VSAs are only supported for 802.1X single-supplicant configurations and multiple-supplicant configurations. Related Documentation

•


•


•

Filtering 802.1X Supplicants Using RADIUS Server Attributes on page 3638

•


•

VSA Match Conditions and Actions on page 3646


3557

®


Understanding Authentication Session Timeout You can specify authentication session timeout values for captive portal authentication sessions and 802.1X and MAC RADIUS authentication sessions. For captive portal authentication, the length of the session depends on the value configured for the session-expiry statement. The remainder of this topic pertains only to 802.1X and MAC RADIUS authentication sessions. For 802.1X and MAC RADIUS authentication sessions, the timeout of the session depends on the value of reauthentication interval for dot1x authentication. The authentication session might also end when the MAC table aging time expires because, unless you configure it not to, the session is removed from the authentication session table when the MAC address is removed from the Ethernet switching table. Information about each 802.1X and MAC RADIUS authentication session—including the associated interfaces and VLANs for each MAC address that is authenticated by 802.1X authentication or MAC RADIUS authentication—is stored in the authentication session table. The authentication session table is tied to the Ethernet switching table (also called the MAC table). Each time the switch detects traffic from a MAC address, it updates the timestamp for that network node in the Ethernet switching table. A timer on the switch periodically checks the timestamp and if its value exceeds the user-configured mac-table-aging-time value, the switch removes the MAC address from the Ethernet switching table. When a MAC address ages out of the Ethernet switching table, the entry for that MAC address is also removed from the authentication database, with the result that the session ends. You can control variables affecting timeout of authentication sessions in the following ways:


3558

•

Set the authentication session timeout on all interfaces or on selected interfaces using the reauthentication statement.

•

Disassociate the authentication session table from the Ethernet switching table using the no-mac-table-binding statement. This setting prevents the termination of the authentication session when the associated MAC address ages out of the Ethernet switching table.

•


•


•


•




Understanding NetBIOS Snooping NetBIOS snooping allows Juniper Networks EX Series Ethernet Switches to discover NetBIOS hosts that are connected to the switch. •

What Is a NetBIOS Name? on page 3559

•

How NetBIOS Snooping Works on page 3559

What Is a NetBIOS Name? A NetBIOS name is a key element in communications between NetBIOS resources. A NetBIOS name identifies a NetBIOS resource on the network. A NetBIOS name is either a unique (exclusive) name or a group (nonexclusive) name. When a NetBIOS resource communicates with one other NetBIOS resource, a unique name is used in that communication. When a NetBIOS resource communicates with multiple resources, a group name is used. The NetBIOS name of each NetBIOS resource is stored on the NetBIOS Name Server (NBNS). The NetBIOS name of a NetBIOS resource is mapped to its IP address. A NetBIOS name is a 16-byte address. The first 15 bytes contain the name and the last byte contains the name type. The NetBIOS name service is supported over UDP port 137.

How NetBIOS Snooping Works You can enable NetBIOS snooping on the switch so that the switch can identify NetBIOS resources that are connected to it. When a host connected to the switch initializes itself, it attempts to register its NetBIOS name by sending a NetBIOS name registration request message. The host can opt for either a unique or a group NetBIOS name. For a unique NetBIOS name, the host either broadcasts a NetBIOS name query message on the local network or unicasts it to the NBNS to check whether the requested name is already being used by another host. If so, the host that previously registered the name or the NBNS responds with a negative name registration response. If the host receives no negative response, it broadcasts the NetBIOS name registration packet to confirm the name. For a NetBIOS group name, the host sends a NetBIOS name registration packet, which generates no responses from other hosts because multiple hosts can use the same group name at the same time. The NetBIOS snooping-enabled switch extracts the host details from the NetBIOS name registration packet and stores the details in the LLDP neighbor database. Related Documentation

•

Configuring NetBIOS Snooping (CLI Procedure) on page 3653

•



3559

®


3560


CHAPTER 88

Examples: Access Control Configuration •


•


•


•

Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch on page 3575

•

Example: Configuring MAC RADIUS Authentication on an EX Series Switch on page 3578

•


•

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch on page 3588

•


•


•


•

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on page 3611

•


•

Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients on page 3621

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch 802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. You can use a RADIUS server as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.


3561

®


This example describes how to connect a RADIUS server to an EX Series switch, and configure it for 802.1X: •


•


•


•




•

One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

•

One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have: •

Performed basic bridging and VLAN configuration on the switch. See “Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch” on page 2117.

•

Configured users on the RADIUS authentication server.

Overview and Topology The EX Series switch acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access. Figure 98 on page 3563 shows one EX4200 switch that is connected to the devices listed in Table 401 on page 3563.

3562


Chapter 88: Examples: Access Control Configuration


Table 401: Components of the Topology Property

Settings

Switch hardware

EX4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)

VLAN name

default

One RADIUS server

Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10


3563

®


In this example, connect the RADIUS server to access port ge-0/0/10 on the EX4200 switch. The switch acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS server. You must configure connectivity between the EX4200 and the RADIUS server by specifying the address of the server and configuring the secret password. This information is configured in an access profile on the switch.

NOTE: For more information about authentication, authorization, and accounting (AAA) services, see the Junos OS System Basics Configuration Guide.


To quickly connect the RADIUS server to the switch, copy the following commands and paste them into the switch terminal window: [edit] set access radius-server 10.0.0.100 secret juniper set access radius-server 10.0.0.200 secret juniper set access profile profile1 authentication-order radius set access profile profile1 radius authentication-server [10.0.0.100 10.2.14.200]


To connect the RADIUS server to the switch: 1.

Define the address of the servers, and configure the secret password. The secret password on the switch must match the secret password on the server: [edit] user@switch# set access radius-server 10.0.0.100 secret juniper user@switch# set access radius-server 10.0.0.200 secret juniper

2.

Configure the authentication order, making radius the first method of authentication: [edit] user@switch# set access profile profile1 authentication-order radius

3.

Configure a list of server IP addresses to be tried in order to authenticate the supplicant: [edit] user@switch# set access profile profile1 radius authentication-server [10.0.0.100 10.2.14.200]

Results

Display the results of the configuration: user@switch> show configuration access radius-server { 10.0.0.100 port 1812; secret "$9$qPT3ApBSrv69rvWLVb.P5"; ## SECRET-DATA } } profile profile1{ authentication-order radius; radius { authentication-server 10.0.0.100 10.2.14.200; } } }

3564




Verify That the Switch and RADIUS Server are Properly Connected on page 3565

Verify That the Switch and RADIUS Server are Properly Connected Purpose Action

Verify that the RADIUS server is connected to the switch on the specified port. Ping the RADIUS server to verify the connection between the switch and the server: user@switch> ping 10.0.0.100 PING 10.0.0.100 (10.0.0.100): 56 data bytes 64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms 64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms

Meaning


ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether it is reachable across the IP network. ICMP echo responses are being returned from the server, verifying that the switch and the server are connected.

•


•


•


•


•


Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX Series Switch Server fail fallback allows you to specify how 802.1X supplicants connected to the switch are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. You use 802.1X to control network access. Only users and devices (supplicants) providing credentials that have been verified against a user database are allowed access to the network. You use a RADIUS server as the user database. This example describes how to configure an interface to move a supplicant to a VLAN in the event of a RADIUS server timeout: •


•



3565

®


•


•




•


•




•

Set up a connection between the switch and the RADIUS server. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

•

Disable firewall filters on the interface. Firewall filters interfere with server fail fallback operation.

•

Configured users on the authentication server.

Overview and Topology A RADIUS server timeout occurs if no authentication RADIUS servers are reachable when a supplicant logs in and attempts to access the LAN. Using server fail fallback, configure alternative options for supplicants attempting LAN access. You can configure the switch to accept or deny access to supplicants or to maintain the access already granted towards supplicants before the RADIUS server timeout. Additionally, you can configure the switch to move supplicants to a specific VLAN if a RADIUS timeout occurs or if the RADIUS server sends an EAP Access-Reject message. Figure 99 on page 3567 shows the topology used for this example. The RADIUS server is connected to the EX4200 switch on access port ge-0/0/10. The switch acts as the authenticator Port Access Entity (PAE) and forwards credentials from the supplicant to the user database on the RADIUS server. The switch blocks all traffic and acts as a control gate until the supplicant is authenticated by the authentication server. A supplicant is connected to the switch through interface ge-0/0/1.

3566




Table 402 on page 3567 describes the components in this topology.

Table 402: Components of the Topology Property

Settings

Switch hardware

EX4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports.

VLAN names

default VLAN vlan-sf VLAN

Supplicant

Supplicant attempting access on interface ge-0/0/1

One RADIUS server

Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10

In this example, configure interface ge-0/0/1 to move a supplicant attempting access to the LAN during a RADIUS timeout to another VLAN. A RADIUS timeout prevents the normal exchange of EAP messages that carry information from the RADIUS server to the switch and permit the authentication of a supplicant. The default VLAN is configured on


3567

®


interface ge-0/0/1. When a RADIUS timeout occurs, supplicants on the interface will be moved from the default VLAN to the VLAN named vlan-sf.

NOTE: For more information about authentication, authorization, and accounting (AAA) services, see Junos OS System Basics Configuration Guide.

Configuration To configure server fail fallback on the switch: CLI Quick Configuration

To quickly configure server fail fallback on the switch, copy the following commands and paste them into the switch terminal window: [edit protocols dot1x authenticator] set interface ge-0/0/1 server-fail vlan-name vlan-sf


To configure an interface to divert supplicants to a specific VLAN when a RADIUS timeout occurs (here, the VLAN is vlan-sf): 1.

Define the VLAN to which supplicants are diverted: [edit protocols dot1x authenticator] user@switch# set interface server-fail vlan-name vlan-sf

Results

Display the results of the configuration: user@switch> show configuration interfaces { ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members default; } } } } protocols { dot1x { authenticator { authentication-profile-name profile52; interface { ge-0/0/1.0 { server-fail vlan-name vlan-sf; } } } } } }

3568




Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout on page 3569

Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout Purpose

Action

Verify that the interface moves supplicants to an alternative VLAN during a RADIUS timeout. Display the VLANs configured on the switch; the interface ge-0/0/1.0 is a member of the default VLAN: user@switch> show vlans Name Tag Interfaces default ge-0/0/0.0, ge-0/0/1.0*, ge-0/0/5.0*, ge-0/0/10.0, ge-0/0/12.0*, ge-0/0/14.0*, ge-0/0/15.0, ge-0/0/20.0 v2 77 None vlan—sf 50 None mgmt me0.0*

Display 802.1X protocol information on the switch to view supplicants that are authenticated on interface ge-0/0/1.0: user@switch> show dot1x interface brief 802.1X Information: Interface Role State ge-0/0/1.0 Authenticator Authenticated ge-0/0/10.0 Authenticator Initialize ge-0/0/14.0 Authenticator Connecting ge-0/0/15.0 Authenticator Initialize ge-0/0/20.0 Authenticator Initialize

MAC address 00:00:00:00:00:01

User abc

A RADIUS server timeout occurs. Display the Ethernet switching table to show that the supplicant with the MAC address 00:00:00:00:00:01 previously accessing the LAN through the default VLAN is now being learned on the VLAN named vlan-sf: user@switch> show ethernet-switching table Ethernet-switching table: 3 entries, 1 learned VLAN MAC address Type v1 * Flood vlan—sf 00:00:00:00:00:01 Learn default * Flood

Age 1:07 -

Interfaces All-members ge-0/0/1.0 All-members

Display 802.1X protocol information to show that interface ge-0/0/1.0 is connecting and will open LAN access to supplicants: user@switch> show dot1x interface brief


3569

®


802.1X Information: Interface Role ge-0/0/1.0 Authenticator ge-0/0/10.0 Authenticator ge-0/0/14.0 Authenticator ge-0/0/15.0 Authenticator ge-0/0/20.0 Authenticator

Meaning


State Connecting Initialize Connecting Initialize Initialize

MAC address

User

The command show vlans displays interface ge-0/0/1.0 as a member of the default VLAN. The command show dot1x interface brief shows that a supplicant (abc) is authenticated on interface ge-0/0/1.0 and has the MAC address 00:00:00:00:00:01. A RADIUS server timeout occurs, and the authentication server cannot be reached by the switch. The command show-ethernet-switching table shows that MAC address 00:00:00:00:00:01 is learned on VLAN vlan-sf. The supplicant has been moved from the default VLAN to the vlan-sf VLAN. The supplicant is then connected to the LAN through the VLAN named vlan-sf.

•


•


•


•


•


Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch 802.1X on EX Series switches provides LAN access to users who do not have credentials in the RADIUS database. These users, referred to as guests, are authenticated and typically provided with access to the Internet. This example describes how to create a guest VLAN and configure 802.1X authentication for it. •


•


•

Configuration of a Guest VLAN That Includes 802.1X Authentication on page 3573

•



3570




•

One EX Series switch acting as an authenticator interface access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

•


Before you configure guest VLAN authentication, be sure you have: •


•


•


Overview and Topology As part of IEEE 802.1X Port-Based Network Access Control (PNAC), you can provide limited network access to supplicants who do not belong to a VLAN authentication group by configuring authentication to a guest VLAN. Typically, guest VLAN access is used to provide Internet access to visitors to a corporate site. However, you can also use the guest VLAN feature to provide supplicants that fail 802.1X authentication to a corporate LAN with access to a VLAN with limited resources. Figure 100 on page 3572 shows the conference room connected to the switch at interface ge-0/0/1.


3571

®


Figure 100: Topology for Guest VLAN Example

Table 403: Components of the Guest VLAN Topology Property

Settings

Switch hardware

EX4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)


sales, tag 100 support, tag 200 guest-vlan, tag 300

One RADIUS server

3572

Backend database connected to the switch through interface ge-0/0/10



In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure this access interface to provide LAN connectivity to visitors in the conference room who are not authenticated by the corporate VLAN.

Configuration of a Guest VLAN That Includes 802.1X Authentication To create a guest VLAN and configure 802.1X authentication, perform these tasks: CLI Quick Configuration

To quickly configure a guest VLAN, with 802.1X authentication, copy the following commands and paste them into the switch terminal window: [edit] set vlans guest-vlan vlan-id 300 set protocols dot1x authenticator interface all guest-vlan guest-vlan


To configure a guest VLAN that includes 802.1X authentication on an EX Series switch: 1.

Configure the VLAN ID for the guest VLAN: [edit] user@switch# set vlans guest-vlan vlan-id 300

2.

Configure the guest VLAN under dot1x protocols: [edit] user@switch# set protocols dot1x authenticator interface all guest-vlan guest-vlan

Results

Check the results of the configuration: user@switch> show configuration protocols { dot1x { authenticator { interface { all { guest-vlan { guest-vlan; } } } } } } vlans { guest-vlan { vlan-id 300; } }


Verifying That the Guest VLAN is Configured on page 3573

Verifying That the Guest VLAN is Configured Purpose

Verify that the guest VLAN is created and that an interface has failed authentication and been moved to the guest VLAN.


3573

®


Action

Use the operational mode commands: user@switch> show vlans Name default

Tag

dynamic

40

guest

30

guest—vlan

300

Interfaces ge-0/0/3.0* None None ge-0/0/1.0*

vlan_dyn None

user@switch> show dot1x interface ge-0/0/1.0 detail ge-0/0/1.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: guest-vlan Number of connected supplicants: 1 Supplicant: user1, 00:00:00:00:13:23 Operational state: Authenticated Authentication method: Radius Authenticated VLAN: vo11 Dynamic Filter: match source-dot1q-tag 10 action deny Session Reauth interval: 60 seconds Reauthentication due in 50 seconds

Meaning

The output from the show vlans command shows guest-vlan as the the name of the VLAN and the VLAN ID as 300. The output from the show dot1x interface ge-0/0/1.0 detail command displays the Guest VLAN membership field, indicating that a supplicant at this interface failed 802.1X authentication and was passed through to the guest-vlan.


3574

•


•


•


•




Example: Configuring Static MAC Bypass of Authentication on an EX Series Switch To allow devices to access your LAN through 802.1X-configured interfaces without authentication, you can configure a static MAC bypass list on the EX Series switch. The static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the switch without a request to an authentication server. You can use static MAC bypass of authentication to allow connection for devices that are not 802.1X-enabled, such as printers. If a host's MAC address is compared and matched against the static MAC address list, the nonresponsive host is authenticated and an interface opened for it. This example describes how to configure static MAC bypass of authentication for two printers: •


•


•


•




•


Before you configure static MAC authentication, be sure you have: •


Overview and Topology To permit printers access to the LAN, add them to the static MAC bypass list. The MAC addresses on this list are permitted access without authentication from the RADIUS server. Figure 101 on page 3576 shows the two printers connected to the EX4200.


3575

®


Figure 101: Topology for Static MAC Authentication Configuration

The interfaces shown in Table 404 on page 3576 will be configured for static MAC authentication.

Table 404: Components of the Static MAC Authentication Configuration Topology Property

Settings

Switch hardware

EX4200, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/23)

VLAN name

default

Connections to integrated printer/fax/copier machines (no PoE required)

ge-0/0/19, MAC address 00:04:0f:fd:ac:fe ge-0/0/20, MAC address 00:04:ae:cd:23:5f

3576



The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers will be added to the static list and bypass 802.1X authentication.

Configuration To configure static MAC authentication, perform these tasks: CLI Quick Configuration

To quickly configure static MAC authentication, copy the following commands and paste them into the switch terminal window: [edit] set protocols dot1x authenticator authenticaton-profile-name profile1 set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f] set protocols dot1x interface all supplicant multiple


Configure static MAC authentication: 1.

Configure the authentication profile name (access profile name) to use for authentication: [edit protocols] user@switch# set dot1x authenticator authentication-profile-name profile1

2.

Configure MAC addresses 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f as static MAC addresses: [edit protocols] user@switch# set dot1x authenticator static (Protocols 802.1X) [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

3.

Configure the 802.1X authentication method: [edit protocols] user@switch# set dot1x interface all supplicant multiple

Results

Display the results of the configuration: user@switch> show interfaces { ge-0/0/19 { unit 0 { family ethernet-switching { vlan members default; } } } ge-0/0/20 { unit 0 { family ethernet-switching { vlan members default; } } } } protocols { dot1x { authenticator { authentication-profile-name profile1


3577

®


static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]; interface { all { supplicant multiple; } } } } }


Verifying Static MAC Bypass of Authentication on page 3578

Verifying Static MAC Bypass of Authentication Purpose

Action

Verify that the MAC address for both printers is configured and associated with the correct interfaces. Use the operational mode command: user@switch> show dot1x static-mac-address MAC address 00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f

Meaning

VLAN-Assignment default default

Interface ge-0/0/19.0 ge-0/0/20.0

The output field MAC address shows the MAC addresses of the two printers. The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through interface ge-0/0/20.0.


•

Configuring 802.1X Authentication (J-Web Procedure) on page 3630

•


•


•


Example: Configuring MAC RADIUS Authentication on an EX Series Switch To permit hosts that are not 802.1X-enabled to access the LAN, you can configure MAC RADIUS authentication on the switch interfaces to which the non-802.1X-enabled hosts are connected. When MAC RADIUS authentication is configured, the switch will attempt to authenticate the host with the RADIUS server using the host’s MAC address.

3578



This example describes how to configure MAC RADIUS authentication for two non-802.1X-enabled hosts: •


•


•


•




•

An EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

•

A RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you configure MAC RADIUS authentication, be sure you have: •

Configured basic access between the EX Series switch and the RADIUS server. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

•


•

Performed basic 802.1X configuration. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 3629.

Overview and Topology IEEE 802.1X Port-Based Network Access Control (PNAC) authenticates and permits devices access to a LAN if the devices can communicate with the switch using the 802.1X protocol (are 802.1X-enabled). To permit non-802.1X-enabled end devices to access the LAN, you can configure MAC RADIUS authentication on the interfaces to which the end devices are connected. When the MAC address of the end device appears on the interface, the switch consults the RADIUS server to check whether it is a permitted MAC address. If the MAC address of the end device is configured as permitted on the RADIUS server, the switch opens LAN access to the end device. You can configure both MAC RADIUS authentication and 802.1X authentication methods on an interface configured for multiple supplicants. Additionally, if an interface is only connected to a non-802.1X-enabled host, you can enable MAC RADIUS and not enable 802.1X authentication using the mac-radius restrict option, and thus avoid the delay that occurs while the switch determines that the device is does not respond to EAP messages. Figure 102 on page 3580 shows the two printers connected to the switch.


3579

®


Figure 102: Topology for MAC RADIUS Authentication Configuration

Table 405 on page 3580 shows the components in the example for MAC RADIUS authentication.

Table 405: Components of the MAC RADIUS Authentication Configuration Topology Property

Settings

Switch hardware

EX4200 ports (ge-0/0/0 through ge-0/0/23)

VLAN name

default

Connections to printers (no PoE required)

ge-0/0/19, MAC address 00040ffdacfe ge-0/0/20, MAC address 0004aecd235f

RADIUS server

Connected to the switch on interface ge-0/0/10

The printer with the MAC address 00040ffdacfe is connected to access interface ge-0/0/19. A second printer with the MAC address 0004aecd235f is connected to access

3580



interface ge-0/0/20. In this example, both interfaces are configured for MAC RADIUS authentication on the switch, and the MAC addresses (without colons) of both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured to eliminate the normal delay while the switch attempts 802.1X authentication; MAC RADIUS authentication is enabled and 802.1X authentication is disabled using the mac-radius restrict option.

Configuration To configure MAC RADIUS authentication on the switch, perform these tasks: CLI Quick Configuration

To quickly configure MAC RADIUS authentication, copy the following commands and paste them into the switch terminal window: [edit] set protocols dot1x authenticator interface ge-0/0/19 mac-radius set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

NOTE: You must also configure the two MAC addresses as usernames and passwords on the RADIUS server, as is done in step 2 of the Step-by-Step Procedure.


Configure MAC RADIUS authentication on the switch and on the RADIUS server: 1.

On the switch, configure the interfaces to which the printers are attached for MAC RADIUS authentication, and configure the restrict option on interface ge-0/0/20, so that only MAC RADIUS authentication is used: [edit] user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

2.

On the RADIUS server, configure the MAC addresses 00040ffdacfe and 0004aecd235f as usernames and passwords: [root@freeradius]# edit /etc/raddb vi users 00040ffdacfe Auth-type:=EAP, User-Password = "00040ffdacfe" 0004aecd235f Auth-type:=EAP, User-Password = "0004aecd235f"

Results

Display the results of the configuration on the switch: user@switch> show configuration protocols { dot1x { authenticator { authentication-profile-name profile52; interface { ge-0/0/19.0 { mac-radius; } ge-0/0/20.0 { mac-radius {


3581

®


restrict; } } } } } }

Verification Verify that the supplicants are authenticated: •

Verifying That the Supplicants Are Authenticated on page 3582

Verifying That the Supplicants Are Authenticated Purpose

Action

After supplicants are configured for MAC RADIUS authentication on the switch and on the RADIUS server, verify that they are authenticated and display the method of authentication: Display information about 802.1X-configured interfaces ge-0/0/19 and ge-0/0/20: user@switch> show dot1x interface ge-0/0/19.0 detail ge-0/0/19.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 1 Supplicant: user101, 00:04:0f:fd:ac:fe Operational state: Authenticated Authentication method: Radius Authenticated VLAN: vo11 Dynamic Filter: match source-dot1q-tag 10 action deny Session Reauth interval: 60 seconds Reauthentication due in 50 seconds user@switch> show dot1x interface ge-0/0/20.0 detail ge-0/0/20.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Restrict: Enabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds

3582



Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 1 Supplicant: user102, 00:04:ae:cd:23:5f Operational state: Authenticated Authentcation method: Radius Authenticated VLAN: vo11 Dynamic Filter: match source-dot1q-tag 10 action deny Session Reauth interval: 60 seconds Reauthentication due in 50 seconds

Meaning


The sample output from the show dot1x interface detail command displays the MAC address of the connected end device in the Supplicant field. On interface ge-0/0/19, the MAC address is 00:04:0f:fd:ac:fe, which is the MAC address of the first printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as MAC Radius. On interface ge-0/0/20, the MAC address is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as MAC Radius.

•


•


•


•


Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch 802.1x Port-Based Network Access Control (PNAC) authentication on EX Series switches provides three types of authentication to meet the access needs of your enterprise LAN: •

Authenticate the first end device (supplicant) on an authenticator port, and allow all others also connecting to have access.

•

Authenticate only one end device on an authenticator port at one time.

•

Authenticate multiple end devices on an authenticator port. Multiple supplicant mode is used in VoIP configurations.

This example configures an EX4200 switch to use IEEE 802.1X to authenticate end devices that use three different administrative modes: •


•


•

Configuration of 802.1X to Support Multiple Supplicant Modes on page 3586

•



3583

®




•

One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from end devices until they are authenticated.

•

One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for end devices (supplicants) that have permission to connect to the network.

Before you configure the ports for 802.1X authentication, be sure you have: •

Installed your EX Series switch.

•


•


•

Configured users on the authentication server.

Overview and Topology As shown in Figure 103 on page 3585, the topology contains an EX4200 access switch connected to the authentication server on port ge-0/0/10. Interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/11 will be configured for three different administrative modes.

3584



Figure 103: Topology for Configuring Supplicant Modes

Table 406: Components of the Supplicant Mode Configuration Topology Property

Settings

Switch hardware

EX4200 switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)

Connections to Avaya phones—with integrated hub, to connect phone and desktop PC to a single port; (requires PoE)

ge-0/0/8, ge-0/0/9, and ge-0/0/11

To configure the administrative modes to support supplicants in different areas of the Enterprise network:


3585

®


•

Configure access port ge-0/0/8 for single supplicant mode authentication.

•

Configure access port ge-0/0/9 for single secure supplicant mode authentication.

•

Configure access port ge-0/0/11 for multiple supplicant mode authentication.

Single supplicant mode authenticates only the first end device that connects to an authenticator port. All other end devices connecting to the authenticator port after the first has connected successfully, whether they are 802.1X-enabled or not, are permitted free access to the port without further authentication. If the first authenticated end device logs out, all other end devices are locked out until an end device authenticates. Single-secure supplicant mode authenticates only one end device to connect to an authenticator port. No other end device can connect to the authenticator port until the first logs out. Multiple supplicant mode authenticates multiple end devices individually on one authenticator port. If you configure a maximum number of devices that can be connected to a port through port security, the lesser of the configured values is used to determine the maximum number of end devices allowed per port.

Configuration of 802.1X to Support Multiple Supplicant Modes To configure 802.1X authentication to support multiple end devices, perform these tasks: CLI Quick Configuration

To quickly configure the ports with different 802.1X authentication modes, copy the following commands and paste them into the switch terminal window: [edit] set protocols dot1x authenticator interface ge-0/0/8 supplicant single set protocols dot1x authenticator interface ge-0/0/9 supplicant single-secure set protocols dot1x authenticator interface ge-0/0/11 supplicant multiple


Configure the administrative mode on the interfaces: 1.

Configure the supplicant mode as single on interface ge-0/0/8: [edit protocols] user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single

2.

Configure the supplicant mode as single secure on interface ge-0/0/9: [edit protocols] user@switch# set dot1x authenticator interface ge-0/0/9 supplicant single-secure

3.

Configure multiple supplicant mode on interface ge-0/0/11: [edit protocols] user@switch# set dot1x authenticator interface ge-0/0/11 supplicant multiple

Check the results of the configuration: [edit] user@access-switch> show configuration protocols { dot1x { authenticator { interface { ge-0/0/8.0 {

3586



supplicant single; ) ge-0/0/9.0 { supplicant single-secure; ) ge-0/0/11.0 { supplicant multiple; ) } } } }


Verifying the 802.1X Configuration on page 3587

Verifying the 802.1X Configuration Purpose Action

Verify the 802.1X configuration on interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/5. Verify the 802.1X configuration with the operational mode command show dot1x interface: user@switch> show dot1x interface ge-0/0/8.0 detail ge-0/0/8.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: user@switch> show dot1x interface ge-0/0/9.0 detail ge-0/0/9.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single-Secure Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2


3587

®


Guest VLAN member: Number of connected supplicants: 0 user@switch> show dot1x interface ge-0/0/11.0 detail ge-0/0/11.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 0

Meaning


The Supplicant mode output field displays the configured administrative mode for each interface. Interface ge-0/0/8.0 displays Single supplicant mode. Interface ge-0/0/9.0 displays Single Secure supplicant mode. Interface ge-0/0/11.0 displays Multiple supplicant mode.

•


•


•


•


•


•


•


Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch You can use RADIUS server attributes and a port firewall filter to centrally apply terms to multiple supplicants (end devices) connected to an EX Series switch in your enterprise. Terms are applied after a device is successfully authenticated through 802.1X. EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series switch, but in order for them to operate throughout an enterprise, they have to be configured on multiple switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead apply the filter centrally on the RADIUS server using RADIUS server attributes.

3588



The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS server. For specifics on configuring your server, consult the documentation that was included with your RADIUS server. This example describes how to configure a port firewall filter with terms, create counters to count packets for the supplicants, apply the filter to user profiles on the RADIUS server, and display the counters to verify the configuration: •


•


•

Configuring the Port Firewall Filter and Counters on page 3592

•

Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server on page 3594

•




•


•

One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.



•

Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 3629 and “Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch” on page 3583.

•

Configured users on the RADIUS authentication server (in this example, the user profiles for Supplicant 1 and Supplicant 2 in the topology are modified on the RADIUS server).

Overview and Topology When the 802.1X configuration on an interface is set to multiple supplicant mode, you can apply a single port firewall filter configured through the Junos OS CLI on the EX Series switch to any number of end devices (supplicants) on one interface by adding the filter centrally to the RADIUS server. Only a single filter can be applied to an interface; however, the filter can contain multiple terms for separate end devices. For more information about firewall filters, see “Firewall Filters for EX Series Switches Overview” on page 4237.


3589

®


RADIUS server attributes are applied to end devices after the devices are successfully authenticated using 802.1X. To authenticate an end device, the switch forwards the end device’s credentials to the RADIUS server. The RADIUS server matches the credentials against preconfigured information about the supplicant located in the supplicant’s user profile on the RADIUS server. If a match is found, the RADIUS server instructs the switch to open an interface to the end device. Traffic then flows from and to the end device on the LAN. Further instructions configured in the port firewall filter and added to the end device’s user profile using a RADIUS server attribute further define the access that the end device is granted. Filtering terms configured in the port firewall filter are applied to the end device after 802.1X authentication is complete. Figure 104 on page 3591 shows the topology used for this example. The RADIUS server is connected to an EX4200 switch on access port ge-0/0/10. Two end devices (supplicants) are accessing the LAN on interface ge-0/0/2. Supplicant 1 has the MAC address 00:50:8b:6f:60:3a. Supplicant 2 has the MAC address 00:50:8b:6f:60:3b.

3590



Figure 104: Topology for Firewall Filter and RADIUS Server Attributes Configuration

Table 407 on page 3591 describes the components in this topology.

Table 407: Components of the Firewall Filter and RADIUS Server Attributes Topology Property

Settings

Switch hardware

EX4200 access switch, 24 Gigabit Ethernet ports, 8 PoE ports.

One RADIUS server

Backend database with the address 10.0.0.100 connected to the switch at port ge-0/0/10.

802.1X supplicants connected to the switch on interface ge-0/0/2

•

Supplicant 1 has MAC address 00:50:8b:6f:60:3a.

•

Supplicant 2 has MAC address 00:50:8b:6f:60:3b.


3591

®


Table 407: Components of the Firewall Filter and RADIUS Server Attributes Topology (continued) Property

Settings

Port firewall filter to be applied on the RADIUS server

filter1

Counters

counter1 counts packets from Supplicant 1, and counter2 counts packets

from Supplicant 2. Policer

policer p1

User profiles on the RADIUS server

•

Supplicant 1 has the user profile supplicant1.

•

Supplicant 2 has the user profile supplicant2.

In this example, you configure a port firewall filter named filter1. The filter contains terms that will be applied to the end devices based on the MAC addresses of the end devices. When you configure the filter, you also configure the counters counter1 and counter2. Packets from each end device are counted, which helps you verify that the configuration is working. Policer policer p1 limits the traffic rate based on the values for exceeding and discard parameters. Then, you check to see that the RADIUS server attribute is available on the RADIUS server and apply the filter to the user profiles of each end device on the RADIUS server. Finally, you verify the configuration by displaying output for the two counters.

NOTE: For more information about authentication, authorization, and accounting (AAA) services, see the Junos OS System Basics Configuration Guide.

Configuring the Port Firewall Filter and Counters Configure a port firewall filter and counters: CLI Quick Configuration

To quickly configure a port firewall filter with terms for Supplicant 1 and Supplicant 2 and create parallel counters for each supplicant, copy the following commands and paste them into the switch terminal window: [edit] set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a set firewall family ethernet-switching filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b set firewall policer p1 if-exceeding bandwidth-limit 1m set firewall policer p1 if-exceeding burst-size-limit 1k set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1 set firewall family ethernet-switching filter filter1 term supplicant1 then (Firewall Filters) policer p1 set firewall family ethernet-switching filter filter1 term supplicant2 then count counter2


To configure a port firewall filter and counters on the switch: 1.

Configure a port firewall filter (here, filter1) with terms for each end device based upon the MAC address of each end device: [edit firewall family ethernet-switching]

3592



user@switch# set filter (Firewall Filters) filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a user@switch# set filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b 2.

Set policer definition: user@switch# show policer p1 |display set set firewall policer p1 if-exceeding bandwidth-limit 1m set firewall policer p1 if-exceeding burst-size-limit 1k set firewall policer p1 then discard

3.

Create two counters that will count packets for each end device and a policer which limits the traffic rate: [edit firewall family ethernet-switching] user@switch# set filter filter1 term supplicant1 then (Firewall Filters) count counter1 user@switch# set filter filter1 term supplicant1 then (Firewall Filters) policer p1 user@switch# set filter filter1 term supplicant2 then count counter2

Results

Display the results of the configuration: user@switch> show configuration firewall { family ethernet-switching { filter filter1 { term supplicant1 { from { source-mac-address { 00:50:8b:6f:60:3a; } } then count counter1; then policer p1; } term supplicant2 { from { source-mac-address { 00:50:8b:6f:60:3b; } } then count counter2; } } } } policer p1 { if-exceeding { bandwidth-limit 1m; burst-size-limit 1k; } then discard; }


3593

®


Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server Verify that the RADIUS server attribute needed to apply a filter on the RADIUS server is on the server and then apply the port firewall filter to each end device’s user profile on the RADIUS server: Step-by-Step Procedure

To verify that the RADIUS server attribute Filter-ID is on the RADIUS server and to apply the filter to the user profiles: 1.

Display the dictionary dictionary.rfc2865 on the RADIUS server, and verify that the attribute Filter-ID is in the dictionary: [root@freeradius]# cd usr/share/freeradius/dictionary.rfc2865

2.

Close the dictionary file.

3.

Display the local user profiles of the end devices to which you want to apply the filter (here, the user profiles are called supplicant1 and supplicant2): [root@freeradius]# cat /usr/local/etc/raddb/users

The output shows:

supplicant1 Auth-Type := EAP, User-Password == "supplicant1" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1005" supplicant2 Auth-Type := EAP, User-Password == "supplicant2" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1005" 4.

Apply the filter to both user profiles by adding the line Filter-Id = “filter1” to each profile, and then close the file: [root@freeradius]# cat /usr/local/etc/raddb/users

After you paste the line into the files, the files look like this:

supplicant1 Auth-Type := EAP, User-Password == "supplicant1" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1005", Filter-Id = "filter1" supplicant2 Auth-Type := EAP, User-Password == "supplicant2" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1005", Filter-Id = "filter1"

Verification Verify that the filter has been applied to the end devices: •

3594

Verifying That the Filter Has Been Applied to the Supplicants on page 3595



Verifying That the Filter Has Been Applied to the Supplicants Purpose

Action

After the end devices are authenticated, verify that the filter configured on the switch and added to each end device’s user profile on the RADIUS server has been applied: Display information about firewall filter filter1: user@switch> show firewall filter filter1 Filter: filter1 Counters: Name counter1 counter2

Meaning


Bytes 128 64

Packets 2 1

The output of the command show firewall filter filter1 displays counter1 and counter2. Packets from Supplicant 1 are counted using counter1, and packets from Supplicant 2 are counted using counter2. The output displays packets incrementing for both counters. The filter has been applied to both end devices.

•


•


•


•


•


Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol forwards VoIP parameters from the switch to the phone. You also configure 802.1X authentication to allow the telephone access to the LAN. Authentication is done through a backend RADIUS server. This example describes how to configure VoIP on an EX Series switch to support an Avaya IP phone, as well as the LLDP-MED protocol and 802.1X authentication: •


•


•


•



3595

®




•

One EX Series switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

•

An Avaya 9620 IP telephone that supports LLDP-MED and 802.1X

Before you configure VoIP, be sure you have: •


•


•


•

Configured the RADIUS server for 802.1X authentication and set up the access profile. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

•

(Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not necessary if the VoIP supplicant is using a power adapter. For information about configuring PoE, see “Configuring PoE (CLI Procedure)” on page 4635.

NOTE: If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

Overview and Topology Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch. In this example, the access interface ge-0/0/2 on the EX4200 switch is connected to an Avaya 9620 IP telephone. Avaya phones have a built-in bridge that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one interface on the switch. The EX Series switch is connected to a RADIUS server on interface ge-0/0/10 (see Figure 105 on page 3597).

3596



Figure 105: VoIP Topology

In this example, you configure VoIP parameters and specify the forwarding class assured-forward for voice traffic to provide the highest quality of service. Table 408 on page 3597 describes the components used in this VoIP configuration example.

Table 408: Components of the VoIP Configuration Topology Property

Settings

Switch hardware

EX4200 switch


3597

®


Table 408: Components of the VoIP Configuration Topology (continued) Property

Settings

VLAN names

data-vlan voice-vlan

Connection to Avaya phone—with integrated hub, to connect phone and desktop PC to a single interface (requires PoE)

ge-0/0/2

One RADIUS server

Provides backend database connected to the switch through interface ge-0/0/10.

As well as configuring a VoIP for interface ge-0/0/2, you configure: •

802.1X authentication. Authentication is set to multiple supplicant to support more than one supplicant's access to the LAN through interface ge-0/0/2.

•

LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP telephone.

NOTE: A PoE configuration is not necessary if an IP telephone is using a power adapter.

Configuration To configure VoIP, LLDP-MED, and 802.1X authentication: CLI Quick Configuration

To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands and paste them into the switch terminal window: [edit] set vlans data-vlan vlan-id 77 set vlans voice-vlan vlan-id 99 set vlans data-vlan interface ge-0/0/2.0 set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding set protocols lldp-med interface ge-0/0/2.0 set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple


To configure VoIP with LLDP-MED and 802.1X: 1.

Configure the VLANs for voice and data: [edit vlans] user@switch# set data-vlan vlan-id (802.1Q Tagging) 77 user@switch# set voice-vlan vlan-id 99

2.

Associate the VLAN data-vlan with the interface: [edit vlans] user@switch# set data-vlan interface (VoIP) ge-0/0/2.0

3598



3.

Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN: [edit interfaces] user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access

4.

Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service: [edit ethernet—switching—options] user@switch# set voip interface ge-0/0/2.0 vlan (VoIP) voice-vlan user@switch# set voip interface ge-0/0/2.0 forwarding-class (VoIP) assured-forwarding

5.

Configure LLDP-MED protocol support: [edit protocols] user@switch# set lldp-med (Ethernet Switching) interface ge-0/0/2.0

6.

To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:

NOTE: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.

[edit protocols] user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration: [edit] user@switch# show configuration interfaces { ge-0/0/2 { unit 0 { family ethernet-switching { port-mode access; vlan { members data-vlan; } } } } } protocols { lldp-med { interface ge-0/0/2.0; } dot1x { authenticator { interface { ge-0/0/2.0 { supplicant multiple; } } } }


3599

®


} vlans { data-vlan { vlan-id 77; interface { ge-0/0/2.0; } } voice-vlan { vlan-id 99; } } ethernet-switching options { voip { interface ge-0/0/2.0 { vlan voice-vlan; forwarding-class assured-forwarding; } } }


Verifying LLDP-MED Configuration on page 3600

•

Verifying 802.1X Authentication for IP Phone and Desktop PC on page 3601

•

Verifying the VLAN Association with the Interface on page 3602

Verifying LLDP-MED Configuration Purpose Action

Verify that LLDP-MED is enabled on the interface. user@switch> show lldp detail LLDP : Enabled Advertisement interval : 30 Second(s) Transmit delay : 2 Second(s) Hold timer : 2 Second(s) Config Trap Interval : 300 Second(s) Connection Hold timer : 60 Second(s) LLDP MED MED fast start count

Interface all ge-0/0/2.0 Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/8.0

3600

LLDP Enabled VLAN-id 0 0 0 99 0 0

: Enabled : 3 Packet(s)

LLDP-MED Enabled

Neighbor count 0 0

VLAN-name default employee-vlan data-vlan voice-vlan employee-vlan employee-vlan



ge-0/0/10.0 ge-0/0/11.0 ge-0/0/23.0

0 20 0

default employee-vlan default

LLDP basic TLVs supported: Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address. LLDP 802 TLVs supported: Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name. LLDP MED TLVs supported: LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.

Meaning

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.

Verifying 802.1X Authentication for IP Phone and Desktop PC Purpose

Action

Meaning

Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN. user@switch> show dot1x interface ge/0/0/2.0 detail ge-0/0/2.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 1 Supplicant: user101, 00:04:0f:fd:ac:fe Operational state: Authenticated Authentication method: Radius Authenticated VLAN: vo11 Dynamic Filter: match source-dot1q-tag 10 action deny Session Reauth interval: 60 seconds Reauthentication due in 50 seconds

The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.


3601

®


Verifying the VLAN Association with the Interface Purpose Action

Display the interface state and VLAN membership. user@switch> show ethernet-switching interfaces Ethernet-switching table: 0 entries, 0 learned user@switch> show ethernet-switching interfaces Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked ge-0/0/1.0 down employee-vlan unblocked ge-0/0/5.0 down employee-vlan unblocked ge-0/0/3.0 down employee-vlan unblocked ge-0/0/8.0 down employee-vlan unblocked ge-0/0/10.0 down default unblocked ge-0/0/11.0 down employee-vlan unblocked ge-0/0/23.0 down default unblocked ge-0/0/2.0 up voice-vlan unblocked data-vlan unblocked

Meaning


The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.

•


•


•

Defining CoS Forwarding Classes (CLI Procedure) on page 4491

•

Defining CoS Forwarding Classes (J-Web Procedure) on page 4491

•


Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X authentication, you must either add the MAC address of the phone to the static MAC bypass list or enable MAC RADIUS authentication on the switch. This example describes how to configure VoIP on an EX Series switch without 802.1X authentication using static MAC bypass of authentication:

3602

•


•

Overview on page 3603

•


•






•

An IP telephone

Before you configure VoIP, be sure you have: •


•


•


•

Configured the RADIUS server for 802.1X authentication and set up the access profile. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

•

(Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not necessary if the VoIP supplicant is using a power adapter. For information about configuring PoE, see “Configuring PoE (CLI Procedure)” on page 4635.

NOTE: If the IP address isn't configured on the Avaya IP phone, the phone exchanges LLDP-MED information to get the VLAN ID for the voice VLAN. You must configure the voip statement on the interface to designate the interface as a VoIP interface and allow the switch to forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLAN’s ID) to send a DHCP discover request and exchange information with the DHCP server (voice gateway).

Overview Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch. In this example, the access interface ge-0/0/2 on the EX4200 switch is connected to a non-802.1X IP phone. To configure VoIP on an EX Series switch to support an IP phone that does not support 802.1X authentication, add the MAC address of the phone as a static entry in the authenticator database and set the supplicant mode to multiple.


3603

®


Configuration To configure VoIP without 802.1X authentication: CLI Quick Configuration

To quickly configure VoIP, copy the following commands and paste them into the switch terminal window: [edit] set vlans data-vlan vlan-id 77 set vlans voice-vlan vlan-id 99 set vlans data-vlan interface ge-0/0/2.0 set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding set protocols lldp-med interface ge-0/0/2.0 set protocols dot1x authenticator authentication-profile-name auth-profile set protocols dot1x authenticator static 00:04:f2:11:aa:a7 set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple


To configure VoIP without 802.1X: 1.

Configure the VLANs for voice and data: [edit vlans] user@switch# set data-vlan vlan-id (802.1Q Tagging) 77 user@switch# set voice-vlan vlan-id 99

2.

Associate the VLAN data-vlan with the interface: [edit vlans] user@switch# set data-vlan interface (VoIP) ge-0/0/2.0

3.

Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN: [edit interfaces] user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access

4.

Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service: [edit ethernet-switching-options] user@switch# set voip interface ge-0/0/2.0 vlan (VoIP) voice-vlan user@switch# set voip interface ge-0/0/2.0 forwarding-class (VoIP) assured-forwarding

5.

Configure LLDP-MED protocol support: [edit protocols] user@switch# set lldp-med (Ethernet Switching) interface ge-0/0/2.0

6.

Set the authentication profile (see “Configuring 802.1X Interface Settings (CLI Procedure)” on page 3629 and “Configuring 802.1X RADIUS Accounting (CLI Procedure)” on page 3637): [edit protocols] set dot1x authenticator authentication-profile-name auth-profile

7.

Add the MAC address of the phone to the static MAC bypass list: [edit protocols] set dot1x authenticator static (Protocols 802.1X) 00:04:f2:11:aa:a7

8.

Set the supplicant mode to multiple: [edit protocols]

3604



set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration: [edit] user@switch# show configuration interfaces { ge-0/0/2 { unit 0 { family ethernet-switching { port-mode access; vlan { members data-vlan; } } } } } protocols { lldp-med { interface ge-0/0/2.0; } dot1x { authenticator { authentication-profile-name auth-profile; static { 00:04:f2:11:aa:a7; } } interface { ge-0/0/2.0 { supplicant multiple; } } } } vlans { data-vlan { vlan-id 77; interface { ge-0/0/2.0; } } voice-vlan { vlan-id 99; } } ethernet-switching options { voip { interface ge-0/0/2.0 { vlan voice-vlan; forwarding-class assured-forwarding; } } }


3605

®



Verifying LLDP-MED Configuration on page 3606

•

Verifying Authentication for the Desktop PC on page 3607

•


Verifying LLDP-MED Configuration Purpose Action

Verify that LLDP-MED is enabled on the interface. user@switch> show lldp detail LLDP : Enabled Advertisement interval : 30 Second(s) Transmit delay : 2 Second(s) Hold timer : 2 Second(s) Config Trap Interval : 300 Second(s) Connection Hold timer : 60 Second(s) LLDP MED MED fast start count

Interface all ge-0/0/2.0 Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/8.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/23.0

LLDP Enabled VLAN-id 0 0 0 99 0 0 0 20 0

: Enabled : 3 Packet(s)

LLDP-MED Enabled

Neighbor count 0 0

VLAN-name default employee-vlan data-vlan voice-vlan employee-vlan employee-vlan default employee-vlan default

LLDP basic TLVs supported: Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address. LLDP 802 TLVs supported: Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name. LLDP MED TLVs supported: LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.

Meaning

3606

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.



Verifying Authentication for the Desktop PC Purpose

Action

Meaning

Display the 802.1X configuration for the desktop PC connected to the VoIP interface through the IP phone. user@switch> show dot1x interface ge/0/0/2.0 detail ge-0/0/2.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 1 Supplicant: user101, 00:04:0f:fd:ac:fe Operational state: Authenticated Authentication method: Radius Authenticated VLAN: vo11 Dynamic Filter: match source-dot1q-tag 10 action deny Session Reauth interval: 60 seconds Reauthentication due in 50 seconds

The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.


Display the interface state and VLAN membership. user@switch> show ethernet-switching interfaces Ethernet-switching table: 0 entries, 0 learned user@switch> show ethernet-switching interfaces Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked ge-0/0/1.0 down employee-vlan unblocked ge-0/0/5.0 down employee-vlan unblocked ge-0/0/3.0 down employee-vlan unblocked ge-0/0/8.0 down employee-vlan unblocked ge-0/0/10.0 down default unblocked ge-0/0/11.0 down employee-vlan unblocked ge-0/0/23.0 down default unblocked ge-0/0/2.0 up voice-vlan unblocked data-vlan unblocked


3607

®


Meaning



•


•


•


•


Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support You can configure voice over IP (VoIP) on an EX Series switch to support IP telephones. The Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) protocol is sometimes used with IP phones to forward VoIP parameters from the switch to the phone. Not all IP phones support LLDP-MED, however. This example describes how to configure VoIP on an EX Series switch without LLDP-MED and without 802.1X: •


•


•


•




•

One EX4200 switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

•

A IP phone that does not support LLDP-MED.

Before you configure VoIP, be sure you have:

3608

•


•

Configured the IP phone as a member of the voice VLAN.

•

(Optional) Configured interface ge-0/0/2 for Power over Ethernet (PoE). The PoE configuration is not necessary if the VoIP supplicant is using a power adapter. See “Configuring PoE (CLI Procedure)” on page 4635.



Overview Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch. To configure VoIP on an EX Series switch to support an IP phone that does not support LLDP-MED, add the port to which you want to connect the IP phone as a member of the voice VLAN and configure the data VLAN as the native VLAN on the EX Series switch. This configuration ensures that the voice traffic and data traffic do not affect each other. In this example, the interface ge-0/0/2 on the EX4200 switch is connected to a non-LLDP-MED IP phone.

NOTE: The implementation of a voice VLAN on an IP telephone is vendor-specific. Consult the documentation that came with your IP telephone for instructions on configuring a voice VLAN. For example, on an Avaya phone, you can ensure that the phone gets the correct VoIP VLAN ID even in the absence of LLDP-MED by enabling DHCP option 176.

Configuration To configure VoIP without LLDP-MED or 802.1X authentication: CLI Quick Configuration

To quickly configure VoIP, copy the following commands and paste them into the switch terminal window: [edit] set vlans data-vlan vlan-id 77 set vlans voice-vlan vlan-id 99 set vlans data-vlan interface ge-0/0/2.0 set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan


Configure VoIP: 1.

Configure the VLANs for data and voice: [edit vlans] user@switch# set data-vlan vlan-id (802.1Q Tagging) 77 user@switch# set voice-vlan vlan-id 99

2.

Configure the VLAN data-vlan on the interface: [edit vlans] user@switch# set data-vlan interface (VoIP) ge-0/0/2.0

3.

Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service: [edit ethernet-switching-options] user@switch# set voip interface ge-0/0/2.0 vlan (VoIP) voice-vlan user@switch# set voip interface ge-0/0/2.0 forwarding-class (VoIP) assured-forwarding


3609

®


4.

Add the interface as a member of the voice VLAN: [edit interfaces] set ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan

5.

Configure data-vlan as native to this trunk interface: [edit interfaces] user@switch# set ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan

Results

Display the results of the configuration: [edit] user@switch# show configuration interfaces { ge-0/0/2 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members voice-vlan; } native-vlan-id data-vlan; } } } } vlans { data-vlan { vlan-id 77; interface { ge-0/0/2.0; } } voice-vlan { vlan-id 99; } } ethernet-switching options { voip { interface ge-0/0/2.0 { vlan voice-vlan; forwarding-class assured-forwarding; } } }

Verification To confirm that the configuration is working properly, perform the following task: •

Verifying the VLAN Association With the Interface on page 3610

Verifying the VLAN Association With the Interface Purpose

3610

Display the interface state and VLAN membership.



Action

user@switch> show ethernet-switching interfaces Ethernet-switching table: 0 entries, 0 learned user@switch> show ethernet-switching interfaces Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked ge-0/0/1.0 down employee-vlan unblocked ge-0/0/5.0 down employee-vlan unblocked ge-0/0/3.0 down employee-vlan unblocked ge-0/0/8.0 down employee-vlan unblocked ge-0/0/10.0 down default unblocked ge-0/0/11.0 down employee-vlan unblocked ge-0/0/23.0 down default unblocked ge-0/0/2.0 up voice-vlan unblocked data-vlan unblocked

Meaning



•


•


•


•


Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS server. The switch uses internal logic to dynamically combine the interface firewall filter with the user policies from the RADIUS server and create an individualized policy for each of the multiple users or nonresponsive hosts that are authenticated on the interface. This example describes how dynamic firewall filters are created for multiple supplicants on an 802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC RADIUS authentication): •


•


•


•





3611

®


•


•

One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have: •


•

Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 3629 and “Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch” on page 3583.

•

Configured users on the RADIUS authentication server.

Overview and Topology When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically combines interface firewall filter with the user policies sent to the switch from the RADIUS server during authentication and creates separate terms for each user. Because there are separate terms for each user authenticated on the interface, you can, as shown in this example, use counters to view the activities of individual users that are authenticated on the same interface. When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to the firewall filter associated with the interface, and the term (policy) for each user is associated with the MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS server and the filters configured on the interface. For example, as shown in Figure 106 on page 3613, when User1 is authenticated by the EX Series switch, the system creates the firewall filter dynamic-filter-example. When User2 is authenticated, another term is added to the firewall filter, and so on.

3612



Figure 106: Conceptual Model: Dynamic Filter Updated for Each New User

This is a conceptual model of the internal process—you cannot access or view the dynamic filter.

NOTE: If the firewall filter on the interface is modified after the user (or nonresponsive host) is authenticated, the modifications are not reflected in the dynamic filter unless the user is reauthenticated.

In this example, you configure a firewall filter to count the requests made by each endpoint authenticated on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions to rate limit the traffic. Figure 107 on page 3614 shows the network topology for this example.


3613

®


Figure 107: Multiple Supplicants on an 802.1X-Enabled Interface Connecting to a File Server

Configuration To configure firewall filters for multiple supplicants on 802.1X-enabled interfaces: •

Configuring Firewall Filters on Interfaces with Multiple Supplicants on page 3614

Configuring Firewall Filters on Interfaces with Multiple Supplicants CLI Quick Configuration

To quickly configure firewall filters for multiple supplicants on an 802.1X-enabled interface copy the following commands and paste them into the switch terminal window: [edit] set protocols dot1x authenticator interface ge-0/0/2 supplicant multiple set firewall family ethernet-switching filter filter1 term term1 from destination-address 192.0.2.16/28 set firewall policer p1 if-exceeding bandwidth-limit 1m set firewall policer p1 if-exceeding burst-size-limit 1k set firewall family ethernet-switching filter filter1 term term1 then count counter1 set firewall family ethernet-switching filter filter1 term term2 then policer p1


To configure firewall filters on an interface enabled for multiple supplicants: 1.

Configure interface ge-0/0/2 for multiple supplicant mode authentication: [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/2 supplicant multiple

2.

3614

Set policer definition:



user@switch# show policer p1 |display set set firewall policer p1 if-exceeding bandwidth-limit 1m set firewall policer p1 if-exceeding burst-size-limit 1k set firewall policer p1 then discard 3.

Configure a firewall filter to count packets from each user and a policer that limits the traffic rate. As each new user is authenticated on the multiple supplicant interface, this filter term will be included in the dynamically created term for the user: [edit firewall family ethernet-switching] user@switch# set filter (Firewall Filters) filter1 term term1 from destination-address 192.0.2.16/28 user@switch# set filter filter1 term term1 then count counter1 user@switch# set filter filter1 term term2 then policer p1

Results

Check the results of the configuration: user@switch> show configuration firewall { family ethernet-switching { filter filter1 { term term1 { from { destination-address { 192.0.2.16/28; } } then count counter1; term term2 { from { destination-address { 192.0.2.16/28; } } then policer p1; } } } policer p1 { if-exceeding { bandwidth-limit 1m; burst-size-limit 1k; } then discard; } } protocols { dot1x { authenticator interface ge-0/0/2 { supplicant multiple; } } }


3615

®



Verifying Firewall Filters on Interfaces with Multiple Supplicants on page 3616

Verifying Firewall Filters on Interfaces with Multiple Supplicants Purpose Action

Verify that firewall filters are functioning on the interface with multiple supplicants. 1.

Check the results with one user authenticated on the interface. In this case, the user is authenticated on ge-0/0/2: user@switch> show dot1x firewall Filter: dot1x_ge-0/0/2 Counters counter1_dot1x_ge-0/0/2_user1 100

2. When a second user, User2, is authenticated on the same interface, ge-0/0/2, you

can verify that the filter includes the results for both of the users authenticated on the interface: user@switch> show dot1x firewall Filter: dot1x-filter-ge-0/0/0 Counters counter1_dot1x_ge-0/0/2_user1 100 counter1_dot1x_ge-0/0/2_user2 400

Meaning


The results displayed by the show dot1x firewall command output reflect the dynamic filter created with the authentication of each new user. User1 accessed the file server located at the specified destination address 100 times, while User2 accessed the same file server 400 times.

•

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX Series Switch on page 3588

•


•


Example: Setting Up Captive Portal Authentication on an EX Series Switch You can set up captive portal authentication (hereafter referred to as captive portal) on a switch to redirect Web browser requests to a login page that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network. This example describes how to set up captive portal on an EX Series switch:

3616

•


•




•


•


•




•

An EX3200 or EX4200 Series switch



•

Generated an SSL certificate and installed it on the switch. See “Generating SSL Certificates to Be Used for Secure Web Access” on page 600.

•


•

Designed your captive portal login page. See “Designing a Captive Portal Authentication Login Page on an EX Series Switch” on page 3650.

Overview and Topology This example shows the configuration required on the switch to enable captive portal on an interface. To permit a printer connected to the captive portal interface to access the LAN, add its MAC address to the authentication whitelist. The MAC addresses on this list are permitted access on the interface without captive portal authentication. The topology for this example consists of one EX Series switch connected to a RADIUS authentication server. One interface on the switch is configured for captive portal. In this example, the interface is configured in single supplicant mode.

Configuration To configure captive portal on your switch: CLI Quick Configuration

To quickly configure captive portal on the switch after completing the tasks in the Requirements section, copy the following commands and paste them into the switch terminal window: [edit] set system services web-management https local-certificate my-signed-cert set services captive-portal secure-authentication https set services captive-portal interface ge-0/0/10.0 set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 set custom-options post-authentication-url http://www.my-home-page.com


3617

®



To configure captive portal on the switch: 1.

To create a secure channel for Web access to the switch, configure captive portal for HTTPS: a. Associate the security certificate with the Web server and enable HTTPS on the

switch: [edit] user@switch# set system services web-management https local-certificate my-signed-cert

NOTE: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security purposes.

b. Configure captive portal to use HTTPS: [edit] user@switch# set services captive-portal secure-authentication https 2.

Enable an interface for captive portal: [edit] user@switch# set services captive-portal interface ge-0/0/10

3.

(Optional) Allow specific clients to bypass captive portal authentication:

NOTE: If the client is already attached to the switch, you must clear its MAC address from the captive portal authentication by using the clear captive-portal mac-address mac-address command after adding its MAC address to the whitelist. Otherwise the new entry for the MAC address will not be added to the ethernet switching table and the authentication bypass will not be allowed.

[edit] user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22

NOTE: Optionally, you can use set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit

the scope to the interface.

4.

(Optional) To redirect clients to a specified page rather than the page they originally requested, configure the post-authentication URL: [edit services captive-portal] user@switch# set custom-options post-authentication-url http://www.my-home-page.com

Results

Display the results of the configuration: [edit]

3618



user@switch# show system { services { web-management { https { local-certificate my-signed-cert; } } } } security { certificates { local { my-signed-cert { "-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgQDk8sUggnXdDUmr7T vLv63yJq/LRpDASfIDZlX3z9ZDe1Kfk5C9\nr/tkyvzv ... Pt5YmvWDoGo0mSjoE/liH0BqYdh9YGqv3T2IEUfflSTQQHEOShS0ogWDHF\ nnyOb1O/vQtjk20X9NVQg JHBwidssY9eRp\n-----END CERTIFICATE-----\n"; ## SECRET-DATA } } } } services { captive-portal { interface { ge-0/0/10.0; } secure-authentication https; } } ethernet-switching-options { authentication-whitelist { 00:10:12:e0:28:22/48; } }

Verification To confirm that captive portal authentication is configured and working properly, perform these tasks: •

Verifying That Captive Portal Is Enabled on the Interface on page 3619

•

Verify That Captive Portal Is Working Correctly on page 3620

Verifying That Captive Portal Is Enabled on the Interface Purpose Action

Verify that captive portal is configured on interface ge-0/0/10. Use the operational mode command show captive-portal interface interface-name detail: user@switch> show captive-portal interface ge-0/0/10.0 detail ge-0/0/10.0 Supplicant mode: Single


3619

®


Number of retries: 3 Quiet period: 60 seconds Configured CP session timeout: 3600 seconds Server timeout: 15 seconds

Meaning

The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for number of retries, quiet period, CP session timeout, and server timeout.

Verify That Captive Portal Is Working Correctly Purpose Action

Verify that captive portal is working on the switch. Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage. The captive portal login page that you designed should be displayed. After you enter your login information and are authenticated against the RADIUS server, the Web browser should display either the page you requested or the post-authentication URL that you configured.

Troubleshooting To troubleshoot captive portal, perform these tasks: •

Troubleshooting Captive Portal on page 3620

Troubleshooting Captive Portal Problem

The switch does not return the captive portal login page when a user connected to a captive portal interface on the switch requests a Web page.

Solution

You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not incrementing, this provides an indication of where the problem lies. For example, if the client cannot get an IP address, you might check the switch interface to determine whether the DHCP counter is incrementing—if the counter increments, the DHCP packet was received by the switch. user@switch> show captive-portal firewall ge-0/0/10.0 ge-0/0/10.0 Filter name: dot1x_ge-0/0/10 Counters: Name Bytes Packets dot1x_ge-0/0/10_CP_arp 7616 119 dot1x_ge-0/0/10_CP_dhcp 0 0 dot1x_ge-0/0/10_CP_http 0 0 dot1x_ge-0/0/10_CP_https 0 0 dot1x_ge-0/0/10_CP_t_dns 0 0 dot1x_ge-0/0/10_CP_u_dns 0 0


3620

•

Configuring Captive Portal Authentication (CLI Procedure) on page 3648Configuring

•

Designing a Captive Portal Authentication Login Page on an EX Series Switch on page 3650



Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients For 802.1X user authentication, EX Series switches support RADIUS authentication servers that are using Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) to authenticate Odyssey Access Client (OAC) supplicants. OAC networking software runs on endpoint computers (desktop, laptop, or notepad computers and supported wireless devices) and provides secure access to both wired and wireless networks. This example describes how to configure an 802.1X-enabled interface on the switch to provide fallback support for OAC users who have entered incorrect login credentials: •


•


•


•




•


•


•

One OAC end device acting as a supplicant.

Before you begin configuring the fallback option, ensure that you have: •


•

Configured EAP-TTLS on the server. See your RADIUS server documentation.

•

Configured users on the RADIUS server. See your RADIUS server documentation.

Overview and Topology OAC is networking software that runs on endpoint computers (desktop, laptop, or notepad) and supported wireless devices. OAC provides full support for EAP, which is required for secure wireless LAN access. In this topology, OAC is deployed with an 802.1X-enabled switch and a RADIUS server. The switch functions as an enforcement point in the network security architecture. This topology:


3621

®


•

Ensures that only authorized users can connect.

•

Maintains privacy of login credentials.

•

Maintains data privacy over the wireless link.

This example includes the configuration of a server-reject VLAN on the switch, which can be used to prevent accidental lockout for users who have entered incorrect login credentials. These users can be given limited LAN access. However, this fallback configuration is complicated by the fact that the OAC supplicant and RADIUS server are using EAP-TTLS. EAP-TTLS creates a secure encrypted tunnel between the server and the end device to complete the authentication process. When the user enters an incorrect login, the RADIUS server sends EAP failure messages directly to the client through this tunnel. The EAP failure message causes the client to restart the authentication procedure, so that the switch’s 802.1X authentication process tears down the session that was established with the switch using the server-reject VLAN. You can enable the remedial connection to continue by configuring: •

eapol-block—Enable the EAPoL block timer on the 802.1X interface that is configured

to belong to the server-reject VLAN. The block timer causes the authentication port access entity to ignore EAP start messages from the client, attempting to restart the authentication procedure.

NOTE: The EAPoL block timer is triggered only after the retries on the 802.1X interface have been exhausted. You can configure retries to specify the number of times the switch attempts to authenticate the port after an initial failure. The default is three retries.

•

block-interval—Configure the amount of time that you want the EAPoL block timer to

continue to ignore EAP start messages. If you do not configure the block interval, the EAPoL block timer defaults to 120 seconds. When the 802.1X interface ignores the EAP start messages from the client, the switch allows the existing remedial session that was established through the server-reject VLAN to remain open. These configuration options apply to single, single-secure, and multiple supplicant authentication modes. In this example, the 802.1X interface is configured in single-supplicant mode. Figure 108 on page 3623 shows an EX Series switch connecting an OAC end device to a RADIUS server, and indicates the protocols being used to connect the network entities.

3622



Figure 108: EX Series Switch Connecting OAC to RADIUS Server Using EAP-TTLS Authentication

Table 409 on page 3623 describes the components in this OAC deployment:.

Table 409: Components of the OAC Deployment Property

Settings

Switch hardware

EX Series switch

VLANs

default server-reject-vlan: VLAN name is remedial and VLAN ID is 700

802.1X interface

ge-0/0/8

OAC supplicant

EAP-TTLS

One RADIUS authentication server

EAP-TTLS

Configuration To configure fallback options for EAP-TTLS and OAC supplicants, perform this task: CLI Quick Configuration

To quickly configure the fallback options for EAP-TTLS and OAC supplicants, copy the following commands and paste them into the switch terminal window: [edit] set vlans remedial vlan-id 700 set protocols dot1x authenticator interface ge-0/0/8 retries 4 set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan remedial set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan eapol-block set protocols dot1x authenticator interface ge-0/0/8 server-reject-vlan block-interval 130


3623

®



To configure the fallback options for EAP-TTLS and OAC supplicants:

TIP: In this example, the switch has only one server-reject VLAN. Therefore, the configuration specifies eapol-block and block-interval directly after server-reject-vlan. However, if you have configured multiple VLANs on the switch, you should include the VLAN name or VLAN ID directly after server-reject-vlan to indicate which VLAN is being modified.

1.

Configure a VLAN that will function as the server-reject VLAN to provide limited LAN access for users who have entered incorrect login credentials: [edit] user@switch# set vlans remedial vlan-id 700

2.

Configure the number of times for the client to be prompted for username and password before an incorrect login is directed to the server-reject VLAN: [edit protocols dot1x authenticator interface ge-0/0/8] user@switch# set retries 4

3.

Configure the 802.1X authenticator interface to use the server-reject VLAN as a fallback for incorrect logins: [edit protocols dot1x authenticator interface ge-0/0/8] user@switch# set server-reject-vlan remedial

4.

Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject VLAN. [edit protocols dot1x authenticator interface ge-0/0/8] user@switch# set server-reject-vlan eapol-block

5.

Configure the amount of time for the EAPoL block to remain in effect: [edit protocols dot1x authenticator interface ge-0/0/8] user@switch# set server-reject-vlan block-interval 130

Check the results of the configuration: user@switch> show configuration protocols { dot1x { authenticator { interface { ge-0/0/8.0 { supplicant single; retries 4; server-reject-vlan remedial block-interval 130 eapol-block; }

Verification To confirm that the configuration and the fallback options are working correctly, perform this task: •

3624

Verifying the Configuration of the 802.1X Interface on page 3625



Verifying the Configuration of the 802.1X Interface Purpose Action

Meaning


Verify that the 802.1X interface is configured with the desired options: user@switch> show dot1x interface ge-0/0/8.0 detail ge-0/0/8.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 4 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 120 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPoL requests: 2 Guest VLAN member: guest Number of connected supplicants: 1 Supplicant: tem, 2A:92:E6:F2:00:00 Operational state: Authenticated Backend Authentication state: Idle Authentication method: Radius Authenticated VLAN: remedial Session Reauth interval: 120 seconds Reauthentication due in 68 seconds

The show dot1x ge-0/0/8 detail output shows that the ge-0/0/8 interface is in the Authenticated state and that it is using the remedial VLAN.

•



3625

®


3626


CHAPTER 89

Configuring Access Control •

Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) on page 3628

•


•


•


•


•


•


•


•


•

Configuring LLDP (J-Web Procedure) on page 3643

•


•

VSA Match Conditions and Actions on page 3646

•


•


•


•



3627

®


Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) IEEE 802.1X and MAC RADIUS authentication both provide network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the interface until the supplicant's credentials or MAC address are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant. To use 802.1X or MAC RADIUS authentication, you must specify the connections on the switch for each RADIUS server to which you will connect. To configure a RADIUS server on the switch: 1.

Define the IP address of the RADIUS server, the RADIUS server authentication port number, and the secret password. You can define more than one RADIUS server. The secret password on the switch must match the secret password on the server: [edit access] user@switch# set radius-server 10.0.0.100 port 1812 secret abc

NOTE: Specifying the authentication port is optional, and port 1812 is the default. However, we recommend that you configure it in order to avoid confusion as some RADIUS servers might refer to an older default.

2. (Optional) Specify the IP address by which the switch is identified by the RADIUS

server. If you do not specify this, the RADIUS server uses the address of the interface sending the RADIUS request. We recommend that you specify this IP address because if the request gets diverted on an alternate route to the RADIUS server, the interface relaying the request might not be an interface on the switch. [edit access] user@switch# set access radius-erver source-address 10.93.14.100 3. Configure the authentication order, making radius the first method of authentication: [edit access] user@switch# set profile profile1 authentication-order radius 4. Create a profile and specify the list of RADIUS servers to be associated with the profile.

For example, you might choose to group your RADIUS servers geographically by city. This feature enables easy modification whenever you want to change to a different sent of authentication servers. [edit access profile] user@switch# set atlanta radius authentication-server 10.0.0.100 10.2.14.200 5. Specify the group of servers to be used for 802.1X or MAC RADIUS authentication by

identifying the profile name: [edit access profile] user@switch# set protocols dot1x authenticator authentication-profile-name denver 6. Configure the IP address of the EX Series switch in the list of clients on the RADIUS

server. For specifics on configuring the RADIUS server, consult the documentation for your server.

3628


Chapter 89: Configuring Access Control


•


•


•


•


Configuring 802.1X Interface Settings (CLI Procedure) IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.

NOTE: •

You can also specify an 802.1X exclusion list to specify supplicants can that can bypass authentication and be automatically connected to the LAN. See “Configuring Static MAC Bypass of Authentication (CLI Procedure)” on page 3633.

•

You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.

Before you begin, specify the RADIUS server or servers to be used as the authentication server. See “Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure)” on page 3628. To configure 802.1X on an interface: 1.

Configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates only one supplicant), or multiple (authenticates multiple supplicants): [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 supplicant multiple

2. Enable reauthentication and specify the reauthentication interval: [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5/0 reauthentication interval 5 3. Configure the interface timeout value for the response from the supplicant: [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 supplicant-timeout 5 4. Configure the timeout for the interface before it resends an authentication request to

the RADIUS server: [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 server-timeout 5 5. Configure how long, in seconds, the interface waits before retransmitting the initial

EAPOL PDUs to the supplicant:


3629

®


[edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 transmit-period 60 6. Configure the maximum number of times an EAPOL request packet is retransmitted

to the supplicant before the authentication session times out: [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 maximum-requests 5 7. Configure the number of times the switch attempts to authenticate the port after an

initial failure. The port remains in a wait state during the quiet period after the authentication attempt. [edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 retries 1

NOTE: This setting specifies the number of tries before the switch puts the interface in a “HELD” state.


•


•


•

Monitoring 802.1X Authentication on page 3655

•

Verifying 802.1X Authentication on page 3656

•


•


Configuring 802.1X Authentication (J-Web Procedure) To configure 802.1X settings on an EX Series switch using the J-Web interface: 1.

Select Configure > Security > 802.1X. The 802.1X screen displays a list of interfaces, whether 802.1X security has been enabled, and the assigned port role. When you select an interface, the Details of 802.1x configuration on port section displays 802.1X details for that interface.


2. Click one:

3630



•

RADIUS Servers—Specifies the RADIUS server to be used for authentication. Select the check box to specify a server. Click Add or Edit to add or modify the RADIUS server settings. Enter information as specified in Table 410 on page 3631.

•

Exclusion List—Excludes hosts from the 802.1X authentication list by specifying the MAC address. Click Add or Edit in the Exclusion list screen to include or modify the MAC addresses. Enter information as specified in Table 411 on page 3631.

•

Edit—Specifies 802.1X settings for the selected interface

•

•

Apply 802.1X Profile—Applies an 802.1X profile based on the port role. If a message appears asking whether you want to configure a RADIUS server, click Yes.

•

802.1X Configuration—Configures custom 802.1X settings for the selected interface. If a message appears asking if you want to configure a RADIUS server, click Yes. Enter information as specified in Table 410 on page 3631. To configure 802.1X settings, enter information as specified in Table 412 on page 3632.

Delete—Deletes 802.1X authentication configuration on the selected interface.

Table 410: RADIUS Server Settings Field

Function

Your Action

IP Address

Specifies the IP address of the server.

Enter the IP address in dotted decimal notation.

Password

Specifies the login password.

Enter the password.

Confirm Password

Verifies the login password for the server.

Reenter the password.

Server Port Number

Specifies the port with which the server is associated.

Type the port number.

Source Address

Specifies the source address of the switch using which the switch can communicate with the server.

Type the IP address in dotted decimal notation.

Retry Attempts

Specifies the number of login retries allowed after a login failure.

Type the number.

Timeout

Specifies the time interval to wait before the connection to the server is closed.

Type the interval in seconds.

Table 411: 802.1X Exclusion List Field

Function

Your Action

MAC Address

Specifies the MAC address to be excluded from 802.1X authentication.

Enter the MAC address.

Exclude if connected through the port

Specifies that the host can bypass authentication if it is connected through a particular interface.

Select to enable the option. Select the port through which the host is connected.


3631

®


Table 411: 802.1X Exclusion List (continued) Field

Function

Your Action

Move the host to the VLAN

Specifies moving the host to a specific VLAN once the host is authenticated.

Select to enable the option. Select the VLAN from the list.

Table 412: 802.1X Port Settings Field

Function

Your Action

Specifies the mode to be adopted for supplicants:

Select a mode.

Supplicant Mode Supplicant Mode

•

Single—allows only one host for authentication.

•

Multiple—allows multiple hosts for authentication. Each host is checked before being admitted to the network.

•

Single authentication for multiple hosts—Allows multiple hosts but only the first is authenticated.

Authentication Enable re-authentication

Specifies enabling reauthentication on the selected interface.

1.

Action on authentication failure

Specifies the action to be taken in case the host does not respond, leading to an authentication failure.

Select one:

Timeouts

Specifies timeout values for each action.


3632

Select to enable reauthentication.

2. Enter the timeout for reauthentication in seconds.

•

Move to the Guest VLAN—Select the VLAN to move the interface to.

•

Deny—The host is not permitted access.

Enter the value in seconds for: •

Port waiting time after an authentication failure

•

EAPOL retransmitting interval

•

Max. EAPOL requests

•

Maximum number of retries

•

Port timeout value for the response from the supplicant

•

Port timeout value for the response from the RADIUS server

•


•


•




Configuring Static MAC Bypass of Authentication (CLI Procedure) You can configure a static MAC bypass list (sometimes called the exclusion list) on the switch to specify MAC addresses of devices allowed access to the LAN without 802.1X or MAC RADIUS authentication requests to the RADIUS server. To configure the static MAC bypass list: •

Specify a MAC address to bypass authentication: [edit protocols dot1x] user@switch# set authenticator static (Protocols 802.1X) 00:04:0f:fd:ac:fe

•

Configure a supplicant to bypass authentication if connected through a particular interface: [edit protocols dot1x] user@switch# set authenticator static 00:04:0f:fd:ac:fe interface (Static MAC Bypass) ge-0/0/5

•

You can configure a supplicant to be moved to a specific VLAN after it is authenticated: [edit protocols dot1x] user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5 vlan-assignment default-vlan


•


•


•



3633

®


Configuring MAC RADIUS Authentication (CLI Procedure) You can permit devices that are not 802.1X-enabled LAN access by configuring MAC RADIUS authentication on the EX Series switch interfaces to which the hosts are connected.

NOTE: You can also allow non-802.1X-enabled devices to access the LAN by configuring their MAC address for static MAC bypass of authentication.

You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication, or you can configure either authentication method alone. If both MAC RADIUS and 802.1X authentication are enabled on the interface, the switch first sends the host three EAPOL requests to the host. If there is no response from the host, the switch sends the host’s MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the RADIUS server sends a message to the switch that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected. If MAC RADIUS authentication is configured on the interface but 802.1X authentication is not (by using the mac-radius restrict option), the switch attempts to authenticate the MAC address with the RADIUS server without delaying by attempting 802.1X authentication first. Before you configure MAC RADIUS authentication, be sure you have: •


To configure MAC RADIUS authentication using the CLI: •

On the switch, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS authentication: [edit] user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict

•

On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC address (without colons) of the nonresponsive host as the username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f): [root@freeradius]# edit /etc/raddb vi users 00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe" 0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"

3634




•


•


•



3635

®


Configuring Server Fail Fallback (CLI Procedure) Server fail fallback allows you to specify how end devices connected to the switch are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. 802.1X and MAC RADIUS authentication work by using an authenticator port access entity (the EX Series switch) to block all traffic to and from an end device at the interface until the end device's credentials are presented and matched on the authentication server (a RADIUS server). When the end device has been authenticated, the switch stops blocking and opens the interface to the end device. When you set up 802.1X or MAC RADIUS authentication on the switch, you specify a primary authentication server and one or more backup authentication servers. If the primary authentication server cannot be reached by the switch and the secondary authentication servers are also unreachable, a RADIUS server timeout occurs. Because the authentication server grants or denies access to the end devices awaiting authentication, the switch does not receive access instructions for end devices attempting access to the LAN and normal authentication cannot be completed. Server fail fallback allows you to configure authentication alternatives that permit the switch to take appropriate actions toward end devices awaiting authentication or reauthentication. To configure basic server fail fallback options using the CLI: •

Configure an interface to allow traffic to flow from a supplicant to the LAN if a RADIUS server timeout occurs (as if the end device had been successfully authenticated by a RADIUS server): [edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail permit

•

Configure an interface to prevent traffic flow from an end device to the LAN (as if the end device had failed authentication and had been rejected by the RADIUS server): [edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail deny

•

Configure an interface to move an end device to a specified VLAN if a RADIUS server timeout occurs (in this case, the VLAN name is vlan1): [edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail vlan-name vlan1

•

Configure an interface to recognize already connected end devices as reauthenticated if there is a RADIUS timeout during reauthentication (new users will be denied access): [edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail use-cache

•

Configure an interface that receives a RADIUS access-reject message from the authentication server to move end devices attempting LAN access on the interface to a specified VLAN already configured on the switch (in this case, the VLAN name is vlan-sf): [edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-reject-vlan vlan-sf

3636




•


•


•


•


•


Configuring 802.1X RADIUS Accounting (CLI Procedure) RADIUS accounting permits statistical data about users logging onto or off a LAN to be collected and sent to a RADIUS accounting server. The statistical data gathered can be used for general network monitoring, to analyze and track usage patterns, or to bill a user based upon the amount of time or type of services accessed. To configure basic RADIUS accounting using the CLI: 1.

Specify the accounting servers to which the switch will forward accounting statistics: [edit access] user@switch# set profile profile1 radius accounting-server [122.69.1.250 122.69.1.252]

2. Define the RADIUS accounting servers: [edit access] user@switch# set radius-server 122.69.1.250 secret juniper user@switch# set radius-server 122.69.1.252 secret juniper1 3. Enable accounting for an access profile: [edit access] user@switch# set profile profile1 accounting 4. Configure the RADIUS servers to use while sending accounting messages and updates: [edit access] user@switch# set profile profile1 accounting order radius 5. Configure the statistics to be collected on the switch and forwarded to the accounting

server: [edit access] user@switch# set profile profile1 accounting accounting-stop-on-access-deny user@switch# set profile profile1 accounting accounting-stop-on-failure 6. Display accounting statistics collected on the switch: user@switch> show network-access aaa statistics accounting Accounting module statistics Requests received: 1 Accounting Response failures: 0 Accounting Response Success: 1 Requests timedout: 0 7. Open an accounting log on the RADIUS accounting server using the server's address,

and view accounting statistics: [root@freeradius]# cd /usr/local/var/log/radius/radacct/122.69.1.250 [root@freeradius 122.69.1.250]# ls


3637

®


detail-20071214

[root@freeradius 122.69.1.250]# vi details-20071214 User-Name = "000347e1bab9" NAS-Port = 67 Acct-Status-Type = Stop Acct-Session-Id = "8O2.1x811912" Acct-Input-Octets = 17454 Acct-Output-Octets = 4245 Acct-Session-Time = 1221041249 Acct-Input-Packets = 72 Acct-Output-Packets = 53 Acct-Terminate-Cause = Lost-Carrier Acct-Input-Gigawords = 0 Acct-Output-Gigawords = 0 Called-Station-Id = "00-19-e2-50-52-60" Calling-Station-Id = "00-03-47-e1-ba-b9" Event-Timestamp = "Sep 10 2008 16:52:39 PDT" NAS-Identifier = "esp48t-1b-01" NAS-Port-Type = Virtual User-Name = "000347e1bab9" NAS-Port = 67 Acct-Status-Type = Start Acct-Session-Id = "8O2.1x811219" Called-Station-Id = "00-19-e2-50-52-60" Calling-Station-Id = "00-03-47-e1-ba-b9" Event-Timestamp = "Sep 10 2008 18:58:52 PDT" NAS-Identifier = "esp48t-1b-01" NAS-Port-Type = Virtual


•


•


Filtering 802.1X Supplicants Using RADIUS Server Attributes There are two ways to configure the RADIUS server with port firewall filters:

3638

•

Include a match statement and corresponding action in the Juniper-Firewall-Filter attribute. The Juniper-Firewall-Filter attribute is a vendor-specific attribute (VSA) in the Juniper dictionary on the RADIUS server. Use this attribute to configure simple filter conditions for authenticated users. Nothing needs to be configured on the switch; all of the configuration is on the RADIUS server.

•

Apply a local firewall filter to users authenticated through the RADIUS server. Use this method for more complex filters. The firewall filter must be configured on each switch.



This example describes using FreeRADIUS software to configure VSAs. For specifics on configuring your server, consult the AAA documentation that was included with your server. This topic includes the following tasks: 1.

Configuring Match Statements on the RADIUS Server on page 3639

2. Applying a Port Firewall Filter from the RADIUS Server on page 3641

Configuring Match Statements on the RADIUS Server You can configure simple filter conditions using the Juniper-Switching-Filter attribute in the Juniper dictionary on the RADIUS server. These filters are then sent to a switch whenever a new user is authenticated successfully. The filters are created and applied on all EX Series switches that authenticate users through that RADIUS server without the need to configure anything on each individual switch. To configure the Juniper-Switching-Filter attribute, enter one or more match conditions and a resulting action using the CLI for the RADIUS server. Enter the match statement plus an action statement enclosed within quotes (" ") using the following syntax: match } action [allow | deny] }

See “VSA Match Conditions and Actions” on page 3646 for definitions of match statement options. To configure match conditions on the RADIUS server: 1.

Verify that the Juniper dictionary is loaded on your RADIUS server and includes the filtering attribute Juniper-Switching-Filter, attribute ID 48: [root@freeradius]# cat /usr/local/share/freeradius/dictionary.juniper # dictionary.juniper # # Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $ # VENDOR Juniper 2636 BEGIN-VENDOR Juniper ATTRIBUTE Juniper-Local-User-Name 1 string ATTRIBUTE Juniper-Allow-Commands 2 string ATTRIBUTE Juniper-Deny-Commands 3 string ATTRIBUTE Juniper-Allow-Configuration 4 string ATTRIBUTE Juniper-Deny-Configuration 5 string ATTRIBUTE Juniper-Switching-Filter 48 string Switching > LLDP. The LLDP Configuration page displays LLDP Global Settings and Port Settings. The second half of the screen displays operational details for the selected port.


3643

®



2. To modify LLDP Global Settings, click Global Settings.

Enter information as described in Table 413 on page 3644. 3. To modify Port Settings, click Edit in the Port Settings section.

Enter information as described in Table 414 on page 3644.

Table 413: Global Settings Field

Function

Your Action

Advertising interval

Specifies the frequency of outbound LLDP advertisements. You can increase or decrease this interval.

Type the number of seconds.

Hold multiplier

Specifies the multiplier factor to be used by an LLDP-enabled switch to calculate the time-to-live (TTL) value for the LLDP advertisements it generates and transmits to LLDP neighbors.

Type the required number in the field.

Fast start count

Specifies the number of LLDP advertisements sent in the first second after the device connects. The default is 3. Increasing this number results in the port initially advertising LLDP–MED at a faster rate for a limited time.

Type the Fast start count.

Table 414: Edit Port Settings Field

Function

Your Action

LLDP Status

Specifies whether LLDP has been enabled on the port.

Select one: Enabled, Disabled, or None.

LLDP-MED Status

Specifies whether LLDP–MED has been enabled on the port.

Select Enable from the list.


•


•


•


Configuring LLDP-MED (CLI Procedure) Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) is an extension of LLDP. The EX Series switch uses LLDP-MED to support device discovery of VoIP telephones and to create location databases for these telephone locations.

3644



LLDP-MED is turned on by default on EX Series switches. This topic describes: •

Enabling LLDP-MED on Interfaces on page 3645

•

Configuring Location Information Advertised by the Switch on page 3645

•

Configuring for Fast Start on page 3645

Enabling LLDP-MED on Interfaces LLDP-MED is enabled on all interfaces by default. If it is disabled, you can enable LLDP-MED by configuring it on all interfaces or on specific interfaces. To configure LLDP-MED on all interfaces or on a specific interface: [edit protocols lldp-med] user@switch# set interface (LLDP-MED) ge-0/0/2.0

Configuring Location Information Advertised by the Switch You can configure the location information that is advertised from the switch to the LLDP-MED device. You can specify a civic-based location (geographic location) or a location based on an elin (emergency location identification string): •

To specify a location by geography: [edit protocols lldp-med] user@switch# set interface ge-0/0/2.0 location civic-based country-code US user@switch# set interface ge-0/0/2.0 location civic-based ca-type 1 ca-value “El Dorado County” user@switch# set interface ge-0/0/2.0 location civic-based ca-type 2 ca-value CA user@switch# set interface ge-0/0/2.0 location civic-based ca-type 3 ca-value Somerset user@switch# set interface ge-0/0/2.0 location civic-based ca-type 6 ca-value “Mount Aukum Road” user@switch# set interface ge-0/0/2.0 location civic-based ca-type 19 ca-value 6450 user@switch# set interface ge-0/0/2.0 location civic-based ca-type 21 ca-value “Holiday Market”

•

To specify a location using an elin string: [edit protocols lldp-med] user@switch# set interface ge-0/0/2.0 location elin 4085551212

Configuring for Fast Start You can specify the number of LLDP-MED advertisements sent from the switch in the first second after it has detected an LLDP-MED device. The default is 3; to set it to another value: [edit protocols lldp-med] user@switch# set fast-start (LLDP-MED) 6


3645

®


NOTE: If an interface is configured as a voip interface, the switch does not wait for an attached phone to identify itself as an LLDP-MED device before it performs an LLDP-MED fast start after a graceful Routing Engine restart (GRES) or a reboot. Instead, it immediately performs an LLDP-MED fast-start after a GRES or reboot. This behavior prevents certain models of IP phones from resetting after a GRES.


•

Configuring LLDP (J-Web Procedure) on page 3643

•


•


•


VSA Match Conditions and Actions EX Series switches and the QFX Series support the configuration of RADIUS server attributes specific to Juniper Networks. These attributes are known as vendor-specific attributes (VSAs). They are configured on RADIUS servers and work in combination with 802.1X authentication. Using VSAs, you can apply port firewall filter attributes as a subset of match conditions and actions sent from the RADIUS server to the switch as a result of successful 802.1X authentication. Each term in a VSA configured through the RADIUS server consists of match conditions and an action. Match conditions are the values or fields that the packet must contain. You can define single, multiple, or no match conditions. If no match conditions are specified for the term, the packet is accepted by default. The action is the action that the switch takes if a packet matches the match conditions for the specific term. Allowed actions are to accept a packet or to discard a packet. The following guidelines apply when you specify match conditions and actions for VSAs: •

Both match and action statements are mandatory.

•

Any or all options (separated by commas) may be included in each match and action statement.

•

Fields separated by commas will be ANDed if they are of a different type. The same types cannot be repeated.

•

For OR cases (for example, match 10.1.1.0/24 OR 11.1.1.0/24), apply multiple VSAs to the 802.1X supplicant.

•

In order for the forwarding-class option to be applied, the forwarding class must be configured on the switch. If it is not configured on the switch, this option is ignored.

Table 415 on page 3647 describes the match conditions you can specify when configuring a VSA using the match command on the RADIUS server. The string that defines a match condition is called a match statement.

3646



Table 415: Match Conditions Option

Description

destination-mac mac-address

Destination media access control (MAC) address of the packet.

source-vlan source-vlan

Name of the source VLAN.

source-dot1q-tag tag

Tag value in the 802.1Q header, in the range 0 through 4095.

destination-ip ip-address

Address of the final destination node.

ip-protocol protocol-id

IPv4 protocol value. In place of the numeric value, you can specify one of the following text synonyms: ah, egp (8), esp (50, gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17)

source-port port

TCP or User Datagram Protocol (UDP) source port field. Normally, you specify this match statement in conjunction with the ip-protocol match statement to determine which protocol is being used on the port. In place of the numeric field, you can specify one of the text options listed under destination-port.

destination-port port

TCP or UDP destination port field. Normally, you specify this match in conjunction with the ip-protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cvspserver (2401), cmd (514), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), telnet (23), tacacs-ds (65), talk (517), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104)

When you define one or more terms that specify the filtering criteria, you also define the action to take if the packet matches all criteria. Table 416 on page 3647 shows the actions that you can specify in a term.

Table 416: Actions for VSAs Option

Description

(allow | deny)

Accept a packet or discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.


3647

®


Table 416: Actions for VSAs (continued) Option

Description

forwarding-class class-of-service

(Optional) Classify the packet in one of the following forwarding classes:

loss-priority (low | medium | high)


•

assured-forwarding

•

best-effort

•


•

network-control

(Optional) Set the packet loss priority (PLP) to low, medium, or high. Specify both the forwarding class and loss priority.

•


•


•

Understanding VSAs on the QFX Series

Configuring Captive Portal Authentication (CLI Procedure) Configure captive portal authentication (hereafter referred to as captive portal) on an EX Series switch so that users connected to the switch are authenticated before being allowed to access the network. When the user requests a webpage, a login page is displayed that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network. Before you begin, be sure you have: •


•

Generated an SSL certificate and installed it on the switch. See “Generating SSL Certificates to Be Used for Secure Web Access” on page 600.

•


•

Designed your captive portal login page. See “Designing a Captive Portal Authentication Login Page on an EX Series Switch” on page 3650.


Configuring Secure Access for Captive Portal on page 3648

•

Enabling an Interface for Captive Portal on page 3649

•

Configuring Bypass of Captive Portal Authentication on page 3649

Configuring Secure Access for Captive Portal To configure secure access for captive portal:

3648



1.

Associate the security certificate with the Web server and enable HTTPS on the switch: [edit] user@switch# set system services web-management https local-certificate my-signed-cert

NOTE: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security purposes.

2. Configure captive portal to use HTTPS: [edit] user@switch# set services captive-portal secure-authentication https

Enabling an Interface for Captive Portal To enable an interface for use with captive portal authentication: [edit] user@switch# set services captive-portal interface ge-0/0/10

Configuring Bypass of Captive Portal Authentication You can allow specific clients to bypass captive portal authentication: [edit] user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22

NOTE: Optionally, you can use set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the

scope to the interface.

NOTE: If the client is already attached to the switch, you must clear its MAC address from the captive portal authentication by using the clear captive-portal mac-address mac-address command after adding its MAC address to the whitelist. Otherwise the new entry for the MAC address will not be added to the ethernet switching table and the authentication bypass will not be allowed.


•


•



3649

®


Designing a Captive Portal Authentication Login Page on an EX Series Switch You can set up captive portal authentication on your switch to redirect all Web browser requests to a login page that requires the user to input a username and password before they are allowed access. Upon successful authentication, the user is allowed access to the network and redirected to the original page requested. Junos OS provides a customizable template for the captive portal window that allows you to easily design and modify the look of the captive portal login page. You can modify the design elements in the template to change the look of your captive portal login page and to add instructions or information to the page. You can also modify any of the design elements of a captive portal login page. The first screen displayed before the captive login page requires the user to read the “Terms and Conditions of Use”. By clicking the Agree button, the user can access the captive portal login page. Figure 109 on page 3650 shows an example of a captive portal login page:

Figure 109: Example of a Captive Portal Login Page

Table 417 on page 3650 summarizes the configurable elements of a captive portal login page.

Table 417: Configurable Elements of a Captive Portal Login Page Element

CLI Statement

Description

Footer background color

footer-bgcolor hex-color

The HTML hexadecimal code for the background color of the captive portal login page footer.

3650



Table 417: Configurable Elements of a Captive Portal Login Page (continued) Element

CLI Statement

Description

Footer message

footer-message text-string

Text displayed in the footer of the captive portal login page. You can include copyright information, links, and additional information such as help instructions, legal notices, or a privacy policy. The default text shown in the footer is Copyright @2010, Juniper Networks Inc.

Footer text color

footer- text-color color

Color of the text in the footer. The default color is white.

Form header background color

form-header-bgcolor hex-color

The HTML hexadecimal code for the background color of the header bar across the top of the form area of the captive portal login page.

Form header message

form-header-message text-string

Text displayed in the header of the captive portal login page. The default text is Captive Portal User Authentication

Form header text color

form-header- text- color

Color of the text in the form header. The default color is black.

Form reset button label

form-reset-label label-name

Using the Reset button, the user can clear the username and password fields on the form.

Form submit button label

form-submit-label label-name

Using the Login button, the user can submit the login information.

Header background color

header-bgcolor hex-color

The HTML hexadecimal code for the background color of the captive portal login page header.

Header logo

header-logo filename

Filename of the file containing the image of the logo that you want to appear at the top of the captive portal login page. The image file can be in GIF, JPEG, or PNG format.

color

You can upload a logo image file to the switch. Copy the logo to the /var/tmp directory on the switch (during the commit the files are saved to persistent locations). If you do not specify a logo image, the Juniper Networks logo is displayed. Header message

header-message text-string

Text displayed in the page header. The default text is User Authentication.

Header text color

header-text- color color

Color of the text in the header . The default color is white.

Post-authentication URL

post-authentication-url url

URL to which the users are directed upon successful authentication. The default is to redirect users to the page they had originally requested.

To design the captive portal login page: 1.

(Optional) Upload your logo image file to the switch: user@switch> file copy ftp://username:[email protected]/var/tmp/my-logo.jpeg

2. Configure the custom options to specify the background colors and text displayed in

the captive portal page:


3651

®


[edit system services captive-portal] user@switch# set custom-options header-bgcolor #006600 set custom-options header-message “Welcome to Our Network” set custom-options banner-message “Please enter your username and password.’The banner displays the message ”XXXXXXX” by default. The user can modify this message. set custom-options footer-message “Copyright ©2010,Our Network”

Now you can commit the configuration.

NOTE: For the custom options that you do not specify, the default value is used.


•


•


•

captive-portal on page 3691

Controlling Authentication Session Timeouts (CLI Procedure) For 802.1X and MAC RADIUS authentication sessions, the timeout of the session depends on the reauthentication value that you configure. Additionally, unless you configure it not to, the session is removed from the authentication session table when the MAC address ages out of the Ethernet switching table (when the value specified for the mac-table-aging-time is exceeded). Before you begin:

3652

•

Specify the RADIUS server or servers to be used as the authentication server. See “Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure)” on page 3628.

•

Configure 802.1X authentication on the switch. See “Configuring 802.1X Interface Settings (CLI Procedure)” on page 3629.



To configure the authentication session time on all interfaces: [edit] user@switch# set protocols dot1x authenticator interface all seconds;

To configure the authentication session time on a single interface: [edit] user@switch# set protocols dot1x authenticator interface interface-name seconds;

To disable removal of authentication sessions from the authentication session table when a MAC address ages out of the Ethernet switching table, remove the binding of the authentication table to the Ethernet switching table To remove the binding on all interfaces: [edit] user@switch# set protocols dot1x authenticator interface all no-mac-table-binding;

To remove the binding on a single interface: [edit] user@switch# set protocols dot1x authenticator interface interface-name no-mac-table-binding;


•


•


•


•

Understanding Authentication Session Timeout on page 3558

Configuring NetBIOS Snooping (CLI Procedure) NetBIOS snooping enables an EX Series switch to learn information about NetBIOS hosts that are connected to the switch. This topic describes: •

Enabling NetBIOS Snooping on page 3653

•

Disabling NetBIOS Snooping on page 3653

Enabling NetBIOS Snooping To enable NetBIOS snooping: [edit protocols lldp] user@switch# set netbios-snooping

Disabling NetBIOS Snooping To disable NetBIOS snooping: [edit protocols lldp] user@switch# delete netbios-snooping


•

show lldp neighbors on page 3808

•

Understanding NetBIOS Snooping on page 3559


3653

®


3654


CHAPTER 90

Verifying 802.1X and MAC RADIUS Authentication •


•


Monitoring 802.1X Authentication Purpose

Action

Use the monitoring feature to display details of authenticated users and users who have failed authentication. To display authentication details in the J-Web interface, select Monitoring > Security > 802.1X. To display authentication details in the CLI, enter the following commands:

Meaning

•

show dot1x interface detail | display xml

•

show dot1x interface detail | display xml

•

show dot1x auth-failed-users

The details displayed include: •

A list of authenticated users.

•

The total number of users connected.

•

A list of users who have failed authentication

You can also specify an interface for which the details must be displayed.


•


•


•



3655

®


Verifying 802.1X Authentication Purpose

Action

Verify that supplicants are being authenticated on an interface on an EX Series switch with the interface configured for 802.1X authentication, and display the method of authentication being used. Display detailed information about an interface configured for 802.1X (here, the interface is ge-0/0/16): user@switch> show dot1x interface ge-0/0/16.0 detail ge-0/0/16.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Reauthentication interval: 40 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: Number of connected supplicants: 1 Supplicant: user5, 00:30:48:8C:66:BD Operational state: Authenticated Authentication method: Radius Authenticated VLAN: v200 Reauthentication due in 17 seconds

Meaning

The sample output from the show dot1x interface detail command shows that the Number of connected supplicants is 1. The supplicant that was authenticated and is now connected to the LAN is known as user5 on the RADIUS server and has the MAC address 00:30:48:8C:66:BD. The supplicant was authenticated by means of the 802.1X authentication method called Radius authentication. When the Radius authentication method is used, the supplicant is configured on the RADIUS server, the RADIUS server communicates this to the switch, and the switch opens LAN access on the interface to which the supplicant is connected. The sample output also shows that the supplicant is connected to VLAN v200. Other 802.1X authentication methods supported on EX Series switches in addition to the RADIUS method are: •

Guest VLAN—A nonresponsive host is granted Guest-VLAN access.

•

MAC Radius—A nonresponsive host is authenticated based on its MAC address. The

MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected. •

Server-fail deny—If the RADIUS servers time out, all supplicants are denied access to

the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default.

3656


Chapter 90: Verifying 802.1X and MAC RADIUS Authentication

•

Server-fail permit—When the RADIUS server is unavailable, a supplicant is still permitted

access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server. •

Server-fail use-cache—If the RADIUS servers time out during reauthentication, previously

authenticated supplicants are granted access, but new supplicants are denied LAN access. •

Server-fail VLAN—A supplicant is configured to be moved to a specified VLAN if the

RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)


•


•


•


•



3657

®


3658


CHAPTER 91

Configuration Statements for Access Control •

[edit access] Configuration Statement Hierarchy on page 3659

•


•


[edit access] Configuration Statement Hierarchy access { profile profile-name { accounting { accounting-stop-on-access-deny; accounting-stop-on-failure; order [ radius | none ]; } authentication-order [ authentication-method ]; radius { accounting-server [ server-address ]; authentication-server [ server-address ]; } } }


•


•


[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); }


3659

®


egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); } mac-notification { notification-interval seconds; } mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary; } interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address {

3660


Chapter 91: Configuration Statements for Access Control

vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) {


3661

®


interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


•


•


•


•


•


•


•


•


•


•


•


•


[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; } } dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping {

3662



traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send); } } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number;


3663

®


country-code code; ca-type { number { ca-value value; } } } } } } mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth;

3664



} description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; }


3665

®


traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; disable; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ;

3666



flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable; calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; }


3667

®


event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count; symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id;

3668



collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number; ingress number; } source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name;


3669

®


} } } traceoptions (Uplink Failure Detection) { file filename ; flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }


3670

•


•


•


•


•


•


•


•




•


•


•


•


•


•


•


•


•



3671

®


access Syntax


Description

access { address-assignment pool pool-name address-poolpool-name profile profile-name { accounting { accounting-stop-on-access-deny; accounting-stop-on-failure; authentication-order [(none | ldap | password | radius)]; order (radius | none); } radius { accounting-server [server-addresses]; authentication-server [server-addresses]; } } } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure authentication, authorization, and accounting (AAA) services. The statements are explained separately.

NOTE: The [edit access] hierarchy is not available on QFabric switches.


3672

Not enabled admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •




accounting Syntax


Description

Default Options

accounting { accounting-stop-on-access-deny; accounting-stop-on-failure; order (radius | none); } [edit access profile profile-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the authentication order for authentication, authorization, and accounting (AAA) services. Not enabled none—Use no authentication for specified subscribers. radius—Use RADIUS authentication for specified subscribers.






•


•


•

Configuring RADIUS Accounting

•

Understanding RADIUS Accounting


3673

®


accounting (access profile) Syntax


Description

accounting { accounting-stop-on-access-deny; accounting-stop-on-failure; coa-immediate-update; coa-no-override service-class-attribute; duplication; immediate-update; order [ accounting-method ]; statistics (time | volume-time); update-interval minutes; } [edit access profile profile-name]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure RADIUS accounting parameters and enable RADIUS accounting for an access profile. The remaining statements are explained separately.


3674


Configuring Authentication and Accounting Parameters for Subscriber Access

•

Configuring Per-Subscriber Session Accounting

•

Understanding RADIUS Accounting Duplicate Reporting



accounting Syntax


Description


accounting { events [ login change-log interactive-commands ]; destination { radius { server { server-address { accounting-port port-number; secret password; source-address address; retry number; timeout seconds; } } } tacplus { server { server-address { port port-number; secret password; single-connection; timeout seconds; } } } } } [edit system]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure audit of TACACS+ or RADIUS authentication events, configuration changes, and interactive commands. The remaining statements are explained separately. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •

Configuring RADIUS System Accounting

•



3675

®


accounting-port Syntax Hierarchy Level

Release Information

Description Options

accounting-port port-number; [edit system accounting destination radius server server-address], [edit system radius-server server-address]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the accounting port number on which to contact the RADIUS server. number—Port number on which to contact the RADIUS server.


3676



•




accounting-server Syntax Hierarchy Level Release Information

Description

Default Options

accounting-server[server-addresses]; [edit access profile profile-name radius]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the Remote Authentication Dial-In User Service (RADIUS) server for authentication. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached. Not enabled server-addresses—One or more addresses of RADIUS authentication servers.




show network-access aaa statistics authentication on page 3820

•


•


•



3677

®


accounting-session-id-format Syntax Hierarchy Level Release Information


accounting-session-id-format (decimal | description); [edit access profile profile-name radius options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the format the router or switch uses to identify the accounting session. decimal decimal—Use the decimal format. description—Use the generic format, in the form: jnpr interface-specifier:subscriber-session-id.


3678


Configuring RADIUS Server Options for Subscriber Access

•




accounting-stop-on-access-deny Syntax Hierarchy Level Release Information

Description

accounting-stop-on-access-deny; [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the authentication order for authentication, authorization, and accounting (AAA) services to send an Acct-Stop message if the AAA server denies access to a supplicant.





•


•


•


accounting-stop-on-access-deny Syntax Hierarchy Level Release Information

Description


accounting-stop-on-access-deny; [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure RADIUS accounting to send an Acct-Stop message when the AAA server refuses a client request for access. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •



3679

®


accounting-stop-on-failure Syntax Hierarchy Level Release Information

Description

accounting-stop-on-failure; [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure authentication order for authentication, authorization, and accounting (AAA) services to send an Acct-Stop message if a supplicant fails AAA authorization, but the RADIUS server grants access. For example, a supplicant might fail AAA authentication because of an internal error such as a timeout.





•


•


•


•


accounting-stop-on-failure Syntax Hierarchy Level Release Information

Description


3680

accounting-stop-on-failure; [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure RADIUS accounting to send an Acct-Stop message when client access fails AAA but the AAA server grants access. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •




address Syntax Hierarchy Level Release Information


address address-or-prefix; [edit access address-pool pool-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the IP address or prefix value for clients. address-or-prefix—An address or prefix value.


Configuring the Address Pool for L2TP Network Server IP Address Allocation

address-pool Syntax


Description

address-pool pool-name { address address-or-prefix; address-range ; } [edit access]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Allocate IP addresses for clients.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options

pool-name—Name assigned to an address pool.





3681

®


address-range Syntax Hierarchy Level Release Information

Description Options


3682

address-range ; [edit access address-pool pool-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the address range. •

high upper-limit—Upper limit of an address range.

•

low lower-limit—Lower limit of an address range.





advertisement-interval Syntax Hierarchy Level Release Information

Description

advertisement-interval seconds; [edit protocols lldp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. For switches configured for Link Layer Discovery Protocol, configure the frequency at which LLDP advertisements are sent. The advertisement-interval value must be greater than or equal to four times the transmit-delay value, or an error will be returned when you attempt to commit the configuration.

NOTE: The default value of transmit-delay is 2 seconds. If you configure the advertisement-interval as less than 8 seconds and you do not configure a value for transmit-delay, the default value of transmit-delay is automatically changed to 1 second in order to satisfy the requirement that the advertisement-interval value must be greater than or equal to four times the transmit-delay value.

Default Options

Disabled. seconds—(Optional) The number of seconds.



show lldp on page 3801

•


•


•

transmit-delay

•

Configuring LLDP

•

Understanding LLDP


3683

®


attributes Syntax


Description

attributes { exclude { ... } ignore { framed-ip-netmask; input-filter; logical-system-routing-instance; output-filter; } } [edit access profile profile-name radius]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Specify how the router or switch processes RADIUS attributes. The remaining statements are explained separately.


3684


Configuring How RADIUS Attributes Are Used for Subscriber Access




Description

Default Options

authentication-order [(none | ldap | password | radius)]; [edit access profile profile-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. (EX and QFX Series only) Configure the order of authentication, authorization, and accounting (AAA) servers to use while sending authentication messages. Not enabled none—No authentication for specified subscribers. ldap— Lightweight Directory Access Protocol. password—Locally configured password in access profile. radius—RADIUS authentication.




•



3685

®



Description

Default Options

authentication-order [ authentication-methods ]; [edit access profile profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. none option introduced in Junos OS Release 11.2. Set the order in which the Junos OS tries different authentication methods when verifying that a client can access the router or switch. For each login attempt, the software tries the authentication methods in order, from first to last. password authentication-methods •

none—Grants authentication without examining the client credentials. Can be used,

for example, when the Diameter function Gx-Plus is employed for notification during subscriber provisioning. •

password—Verify the client using the information configured at the [edit access profile profile-name client client-name] hierarchy level.

•

radius—Verify the client using RADIUS authentication services.

NOTE: For subscriber access management, you must always specify the radius method. Subscriber access management does not support the password option (the default), and authentication fails when no method is specified.


3686


Example: Configuring CHAP Authentication with RADIUS

•

Specifying the Authentication and Accounting Methods for Subscriber Access

•

Configuring Access Profiles for L2TP or PPP Parameters



authentication-profile-name Syntax Hierarchy Level

authentication-profile-name access-profile-name; [edit protocols dot1x authenticator], [edit services captive-portal]

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches. Added to [edit services captive-portal] hierarchy in Junos OS Release 10.1 for EX Series switches.

Description

Specify the name of the access profile to be used for 802.1X, MAC RADIUS, or captive portal authentication.

Default Options

No access profile is specified. access-profile-name—Name of the access profile. The access profile is configured at the

[edit access profile] hierarchy level and contains the RADIUS server IP address and other information used for authentication. Required Privilege Level Related Documentation



•


•


•


•


•



3687

®


authentication-server Syntax Hierarchy Level Release Information

Description


authentication-server [server-addresses]; [edit access profile profile-name radius]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the RADIUS server for authentication. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached. server-addresses—Configure one or more RADIUS server addresses.



•


authentication-whitelist Syntax

Hierarchy Level Release Information Description Required Privilege Level Related Documentation

3688

authentication-whitelist { mac-address { interface interface-name; vlan-assignment ( vlan-id |vlan-name); } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure MAC addresses for which RADIUS authentication is to be bypassed. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•




authenticator Syntax


authenticator { authentication-profile-name access-profile-name; interface (802.1X) (all | [ interface-names ]) { disable (802.1X); guest-vlan ( vlan-id | vlan-name); mac-radius ; maximum-requests number; no-mac-table-binding no-reauthentication; quiet-period seconds; reauthentication { interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name) { eapol-block; block-interval block-interval; } server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } static (Protocols 802.1X) mac-address { vlan-assignment vlan-identifier; } } [edit protocols dot1x]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an authenticator for 802.1X authentication. The statements are explained separately.

NOTE: You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.


No static MAC address or VLAN is configured. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



3689

®


•

Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure) on page 3628

•


block-interval Syntax Hierarchy Level


Options

block-interval block-interval; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names]) server-reject-vlan (vlan-id | vlan-name)], [edit protocols dot1x authenticator interface (all | [interface-names]) server-reject-vlan]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Specify the amount of time that the 802.1X interface ignores Extensible Authentication Protocol (EAP) start messages from the client when an EAPoL block has been enabled on the 802.1X interface. block-interval—The number of seconds for the interval.

Range: 120 through 65,535 Required Privilege Level Related Documentation

3690


eapol-block on page 3702

•




captive-portal Syntax


captive-portal { authentication-profile-name authentication-profile-name custom-options { banner-message string; footer-bgcolor color; footer-message string; footer-text-color color; form-header-bgcolor color; form-header-message string; form-header-text-color color; form-reset-label label name; form-submit-label label name; header-bgcolor color; header-logo filename; header-message string; header-text-color color; post-authentication-url url-string; } interface (all | [interface-names]) { quiet-period seconds; retries number-of-retries; server-timeout seconds; session-expiry seconds; supplicant (multiple | single | single-secure); } secure-authentication (http | https); } [edit services]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure captive portal to authenticate clients connected to the switch for access to the network. The remaining statements are explained separately.


Captive portal is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•



3691

®


ca-type Syntax

Hierarchy Level


ca-type { number { ca-value value; } } [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name location (LLDP-MED) civic-based)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Link Layer Discovery Protocol–Media Endpoint Device (LLDP-MED), configure the address elements. These elements are included in the location information to be advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. For further information about the values that can be used to comprise the location,, refer to RFC 4776, Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration Information. A subset of those values is provided below. The ca-value statement is explained separately.

Default Options


3692

Disabled. value—Civic address elements that represent the civic or postal address. Values are: •

0—A code that specifies the language used to describe the location.

•

16—The leading-street direction, such as “N”.

•

17—A trailing street suffix, such as “SW”.

•

18—A street suffix or type, such as “Ave” or “Platz”.

•

19—A house number, such as “6450”.

•

20—A house-number suffix, such as “A” or “1/2”.

•

21—A landmark, such as “Stanford University”.

•

22—Additional location information, such as “South Wing”.

•

23—The name and occupant of a location, such as “Carrillo's Holiday Market”.

•

24—A house-number suffix, such as “95684”.

•

25—A building structure, such as “East Library”.





•


•


ca-value Syntax Hierarchy Level


ca-value value; [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name ) location (LLDP-MED) civic-based ca-type number]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Link Layer Discovery Protocol–Media Endpoint Device (LLDP-MED), configure location information, such as street address and city, that is indexed by the ca-type code. This information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED.

Default

Disabled.

Options

value—Specify a value that correlates to the ca-type. See ca-type for a list of codes and suggested values.




•


•



3693

®


civic-based Syntax

Hierarchy Level


civic-based { what number; country-code code; ca-type { number { ca-value value; } } } [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name) location (LLDP-MED)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the geographic location to be advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. The statements are explained separately.


3694



•


•




country-code Syntax Hierarchy Level Release Information Description


country-code code; [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Link Layer Discovery Protocol–Media Endpoint Device (LLDP-MED), configure the two-letter country code to include in the location information. Location information is advertised from the switch to the MED, and is used during emergency calls to identify the location of the MED. The country code is required when configuring LLDP-MED based on location. Disabled. code—Two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE.



•


•



3695

®


custom-options Syntax


custom-options { banner-message string; footer-bgcolor color; footer-message string; footer-text-color color; form-header-bgcolor color; form-header-message string; form-header-text-color color; form-reset-label label name; form-submit-label label name; header-bgcolor color; header-logo filename; header-message string; header-text-color color; post-authentication-url url-string; } [edit services captive-portal]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Specify the design elements of a captive portal login page. banner-message—The first screen displayed before the captive portal login page is

displayed—for example, a disclaimer message. Range: 1–2047 characters footer-bgcolor —The hexadecimal color code for the color of the footer bar across the

bottom of the captive portal login page—for example, #2E8B57 (sea green). Values: # symbol followed by six characters. footer-message—Text message displayed in the footer bar across the bottom of the

captive portal login page. Range: 1–2047 characters Default: Copyright @2010, Juniper Networks Inc. footer-text-color — Color of the text in the footer.

Default: The default color is white. form-header-bgcolor —The hexadecimal color code for the background color of the

header bar across the top of the form area of the captive portal login page. Values: # symbol followed by six characters. form-header-message—Text message displayed in the header bar across the top of the

form area of the captive portal login page. Range: 1–255 characters Default: Captive Portal User Authentication form-header-text-color—Color of the text in the form header.

3696



Default: The default color is black. form-reset-label—Label displayed in the button that the user can select to clear the

username and password fields on the form. Range: 1–255 characters Default: Reset form-submit-label —Label displayed in the button that the user selects to submit their

login information—for example, Log In . Range: 1–255 characters Default: Log In header-bgcolor—The hexadecimal color code for the color of the header bar across the

top of the captive portal login page. Values: # symbol followed by six characters. header-logo—Filename of the file containing the image of the logo displayed at the top

of the captive portal login page. The image file can be in GIF, JPEG, or PNG format. Default: The Juniper Networks logo header-message—Text displayed in the header bar across the bottom of the captive

portal login page. Range: 1–2047 characters Default: User Authentication header-text-color—Color of the text in the header.

Default: The default color is white. post-authentication-url—URL to which the users are directed upon successful

authentication—for example www.mycafe.com. Range: 1–255 characters Default: The page originally requested by the user. Required Privilege Level Related Documentation



•



3697

®


destination Syntax



3698

destination { radius { server { server-address { accounting-port port-number; secret password; source-address address; retry number; timeout seconds; } } } tacplus { server { server-address { port port-number; secret password; single-connection; timeout seconds; } } } } [edit system accounting]

Statement introduced before Junos OS Release 7.4. radius statement added in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the authentication server. The remaining statements are explained separately. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•




disable Syntax Hierarchy Level Release Information Description Default Required Privilege Level Related Documentation

disable; [edit protocols dot1x authenticator interface (all | [interface-names])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable 802.1X authentication on a specified interface or all interfaces. 802.1X authentication is disabled on all interfaces. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

show dot1x on page 3788

•


•


•


•


•


•



3699

®


disable (LLDP) Syntax Hierarchy Level

Release Information


disable; [edit protocols lldp], [edit protocols interface (LLDP) lldp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Disable the LLDP configuration on the switch or on one or more interfaces. If you do not configure LLDP, it is disabled on the switch and on specific switch interfaces. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•

Configuring LLDP

•

Understanding LLDP


Release Information Description Default


3700

disable; [edit protocols lldp-med (Ethernet Switching)], [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable the LLDP-MED configuration on the switch or on one or more interfaces. If you do not configure LLDP-MED, it is disabled on the switch and on specific switch interfaces. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•




dot1x Syntax


dot1x { authenticator { authentication-profile-name access-profile-name; interface (802.1X) (all | [ interface-names ]) { disable (802.1X); guest-vlan (vlan-id | vlan-name); mac-radius ; maximum-requests number; no-reauthentication; quiet-period seconds; reauthentication { interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name) { eapol-block; block-interval block-interval; } server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } no-mac-table-binding { interface interface-names static (Protocols 802.1X) mac-address } static (Protocols 802.1X) mac-address { interface (Static MAC Bypass) interface-names; vlan-assignment (vlan-id |vlan-name); } } } [edit protocols]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure 802.1X authentication for Port-Based Network Access Control. 802.1X authentication is supported on interfaces that are members of private VLANs (PVLANs). The remaining statements are explained separately.


802.1X is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



3701

®


•


•


•


•


•


•


eapol-block Syntax Hierarchy Level



3702

eapol-block; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names]) server-reject-vlan], [edit protocols dot1x authenticator interface (all | [interface-names]) server-reject-vlan (vlan-id | vlan-name)]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Enable an EAPoL block that causes the 802.1X interface to ignore Extensible Authentication Protocol (EAP) start messages from the client, which are attempts to restart the authentication procedure. When the 802.1X interface ignores the EAP start messages from the client, the switch allows the existing session that was established through the server-reject VLAN to remain open. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

block-interval on page 3690

•




elin Syntax Hierarchy Level



elin number; [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name location (LLDP-MED))]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the Emergency Line Identification Number (ELIN) as location information. Location information is advertised from the switch to the MED device and is used during emergency calls to identify the location of the MED device. Disabled. number—Configure a 10-digit number (area code and telephone number).



•


•



3703

®


ethernet-port-type-virtual Syntax Hierarchy Level Release Information

Description

ethernet-port-type-virtual; [edit access profile profile-name radius options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Specify the physical port type the router or switch uses to authenticate clients. The router or switch passes a port type of ethernet in RADIUS attribute 61 (NAS-Port-Type) by default. This statement specifies a port type of virtual.

NOTE: This statement takes precedence over the nas-port-type statement if you include both statements in the same access profile.


3704



•

Configuring RADIUS Server Parameters for Subscriber Access






3705

®



3706





[edit]





•


•


•


•


•


•


•


•


•


•



3707

®


events Syntax Hierarchy Level Release Information

Description Options


3708

events [ events ]; [edit system accounting]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the types of events to track and log. events—Event types; can be one or more of the following: •

change-log—Audit configuration changes.

•

interactive-commands—Audit interactive commands (any command-line input).

•

login—Audit logins.





exclude (RADIUS) Syntax


Description

exclude { accounting-authentic [ accounting-on | accounting-off ]; accounting-delay-time [ accounting-on | accounting-off ]; accounting-session-id [ access-request | accounting-on | accounting-off | accounting-stop ]; accounting-terminate-cause [ accounting-off ]; called-station-id [ access-request | accounting-start | accounting-stop ]; calling-station-id [ access-request | accounting-start | accounting-stop ]; class [ accounting-start | accounting-stop ]; dhcp-gi-address [ access-request | accounting-start | accounting-stop ]; dhcp-mac-address [ access-request | accounting-start | accounting-stop ]; dhcp-options [ access-request | accounting-start | accounting-stop ]; downstream-calculated-qos-rate [ access-request | accounting-start | accounting-stop ]; dsl-forum-attributes [ access-request | accounting-start | accounting-stop ]; event-timestamp [ accounting-on | accounting-off | accounting-start | accounting-stop ]; framed-ip-address [ accounting-start | accounting-stop ]; framed-ip-netmask [ accounting-start | accounting-stop ]; input-filter [ accounting-start | accounting-stop ]; input-gigapackets [ accounting-stop ]; input-gigawords [ accounting-stop ]; interface-description [ access-request | accounting-start | accounting-stop ]; nas-identifier [ access-request | accounting-on | accounting-off | accounting-start | accounting-stop ]; nas-port [ access-request | accounting-start | accounting-stop ]; nas-port-id [ access-request | accounting-start | accounting-stop ]; nas-port-type [ access-request | accounting-start | accounting-stop ]; output-filter [ accounting-start | accounting-stop ]; output-gigapackets [ accounting-stop ]; output-gigawords [ accounting-stop ]; upstream-calculated-qos-rate [ access-request | accounting-start | accounting-stop ]; } [edit access profile profile-name radius attributes]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Options downstream-calculated-qos-rate, dsl-forum-attributes, and upstream-calculated-qos-rate introduced in Junos OS Release 11.4. Configure the router or switch to exclude the specified attributes from the specified type of RADIUS message. Not all attributes are available in all types of RADIUS messages. By default, the router or switch includes the specified attributes in RADIUS Access-Request, Acct-On, Acct-Off, Acct-Start, and Acct-Stop messages.

Options

RADIUS attribute type—RADIUS attribute or Juniper Networks VSA number and name. •

accounting-authentic—RADIUS attribute 45, Acct-Authentic.


3709

®


•

accounting-delay-time—RADIUS attribute 41, Acct-Delay-Time.

•

accounting-session-id—RADIUS attribute 44, Acct-Session-Id.

•

accounting-terminate-cause—RADIUS attribute 49, Acct-Terminate-Cause.

•

called-station-id—RADIUS attribute 30, Called-Station-Id.

•

calling-station-id—RADIUS attribute 31, Calling-Station-Id.

•

class—RADIUS attribute 25, Class.

•

dhcp-gi-address—Juniper VSA 26-57, DHCP-GI-Address.

•

dhcp-mac-address—Juniper VSA 26-56, DHCP-MAC-Address.

•

dhcp-options—Juniper VSA 26-55, DHCP-Options.

•

downstream-calculated-qos-rate—Juniper VSA 26-141

•

dsl-forum-attributes—DSL Forum VSA as described in RFC 4679, DSL Forum

Vendor-Specific RADIUS Attributes •

event-timestamp—RADIUS attribute 55, Event-Timestamp.

•

framed-ip-address—RADIUS attribute 8, Framed-IP-Address.

•

framed-ip-netmask—RADIUS attribute 9, Framed-IP-Netmask.

•

input-filter—Juniper VSA 26-10, Ingress-Policy-Name.

•

input-gigapackets—Juniper VSA 26-42, Acct-Input-Gigapackets.

•

input-gigawords—RADIUS attribute 52, Acct-Input-Gigawords.

•

interface-description—Juniper VSA 26-53, Interface-Desc.

•

nas-identifier—RADIUS attribute 32, NAS-Identifier.

•

nas-port—RADIUS attribute 5, NAS-Port.

•

nas-port-id—RADIUS attribute 87, NAS-Port-Id.

•

nas-port-type—RADIUS attribute 61, NAS-Port-Type.

•

output-filter—Juniper VSA 26-11, Egress-Policy-Name.

•

output-gigapackets—Juniper VSA 25-43, Acct-Output-Gigapackets.

•

output-gigawords—RADIUS attribute 53, Acct-Output-Gigawords.

•

upstream-calculated-qos-rate—Juniper VSA 26-142

RADIUS message type

3710

•

access-request—RADIUS Access-Accept messages.

•

accounting-off—RADIUS Accounting-Off messages.

•

accounting-on—RADIUS Accounting-On messages.

•

accounting-start—RADIUS Accounting-Start messages.

•

accounting-stop—RADIUS Accounting-Stop messages.






fast-start Syntax Hierarchy Level Release Information Description

Options

fast-start count; [edit protocols lldp-med (Ethernet Switching)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the number of Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) advertisements sent from the switch in the first second after it has detected an LLDP-MED device (such as an IP telephone). count—Number of advertisements.




•


•



3711

®


forwarding-class Syntax

forwarding-class < assured-forwarding | best-effort | expedited-forwarding |network-control >;

Hierarchy Level

[edit ethernet-switching-options voip interface (VoIP)


Statement introduced in Junos OS Release 9.0 for EX Series switches. For EX Series switches, configure the forwarding class used to handle packets on the VoIP interface.

Default

Disabled.

Options

class—Forwarding class: •

assured-forwarding— Assured forwarding (AF)—Provides a group of values you can

define and includes four subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium, and high. •

best-effort—Provides no service profile. For the best effort forwarding class, loss priority

is typically not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more aggressive. •

expedited-forwading—Provides a low loss, low latency, low jitter, assured bandwidth,

end-to-end service. •


3712

network-control—Provides a typically high priority because it supports protocol control.



•


•




guest-vlan Syntax Hierarchy Level Release Information Description

Default Options

guest-vlan (vlan-id | vlan-name); [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names ])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the switch. None vlan-id—VLAN tag identifier of the guest VLAN. vlan-name—Name of the guest VLAN.




•



3713

®


hold-multiplier Syntax Hierarchy Level Release Information

Description

Default Options

hold-multiplier number; [edit protocols lldp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for QFX Series. Specify the multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded. The default value is 4 (or 120 seconds). Disabled. number—A number used as a multiplier.

Range: 2 through 10 Default: 4 (or 120 seconds) Required Privilege Level Related Documentation

3714



•


•


•

Configuring LLDP

•

Understanding LLDP



ignore Syntax


Description

Options

ignore { framed-ip-netmask; input-filter; logical-system-routing-instance; output-filter; } [edit access profile profile-name radius attributes]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the router or switch to ignore the specified attributes in RADIUS Access-Accept messages. By default, the router or switch processes the attributes it receives from the external server. framed-ip-netmask—Ignore Framed-IP-Netmask (RADIUS attribute 9). input-filter—Ignore Ingress-Policy-Name (VSA 26-10). logical-system-routing-instance—Ignore Virtual-Router (VSA 26-1). output-filter—Ignore Egress-Policy-Name (VSA 26-11).




immediate-update Syntax Hierarchy Level Release Information

Description


immediate-update; [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the router or switch to send an Acct-Update message to the RADIUS accounting server on receipt of a response (for example, an ACK or timeout) to the Acct-Start message. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •


•

Configuring Per-Subscriber Session Accounting


3715

®


interface Syntax


Options

interface (all | [ interface-names ]) { disable (802.1X); guest-vlan (vlan-name | vlan-id); mac-radius ; maximum-requests number; no-reauthentication; quiet-period seconds; reauthentication { interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name) { eapol-block; block-interval block-interval; } server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } [edit protocols dot1x authenticator]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure 802.1X authentication for Port-Based Network Access Control for all interfaces or for specific interfaces. all—Configure all interfaces for 802.1X authentication.

[ interface-names ]— List of names of interfaces to configure for 802.1X authentication. The remaining statements are explained separately. Required Privilege Level Related Documentation

3716



•


•


•


•


•




•


interface-description-format Syntax

Hierarchy Level

interface-description-format { exclude-adapter; exclude-sub-interface; } [edit access profile profile-name radius options]

Release Information

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Options exclude-adapter and exclude-sub-interface introduced in Junos OS Release 10.4.

Description

Specify the information that is excluded from the interface description that the device passes to RADIUS for inclusion in the RADIUS attribute 87 (NAS-Port-Id). By default, the device includes both the subinterface and the adapter in the interface description.

Options

exclude-adapter—Exclude the adapter from the interface description. exclude-sub-interface—Exclude the subinterface from the interface description.




•

RADIUS Server Options for Subscriber Access


3717

®


interface (Captive Portal) Syntax


interface (all | [interface-names]) { quiet-period seconds; session-expiry seconds; retries number-of-retries; server-timeout seconds; supplicant ( multiple | single | single-secure); } [edit service captive-portal]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure captive portal authentication for all interfaces or for specific interfaces. all—All interfaces to be configured for captive portal authentication. [interface-names]—List of names of interfaces to be configured for captive portal

authentication. The remaining statements are explained separately. Required Privilege Level Related Documentation

3718



•




interface (LLDP) Syntax



interface (all | interface-name) { disable (LLDP); } [edit protocols lldp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure Link Layer Discovery Protocol (LLDP) on all interfaces or on a specific interface. None all—All interfaces on the switch. interface-name—Name of a specific interface.




•


•

Configuring LLDP

•

Understanding LLDP


3719

®


interface Syntax


Default Options

interface (all | interface-name) { disable (LLDP-MED); location (LLDP-MED) { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } [edit protocols lldp-med (Ethernet Switching)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) on all interfaces or on a specific interface. Not enabled all—All interfaces on the switch. interface-name—Name of a specific interface.


3720



•


•


•





Release Information

Description


interface [interface-names]; [edit protocols dot1x authenticator authentication-profile-name static (Protocols 802.1X) mac-address], [edit ethernet-switching-options authentication-whitelist ]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement added to the [edit ethernet-switching-options authentication-whitelist] hierarchy in Junos OS Release 10.1 for EX Series switches. Configure interfaces on which the specified MAC addresses are allowed to bypass RADIUS authentication and allowed to connect to the LAN without authentication. interface-names—List of interfaces.


show dot1x static-mac-address on page 3795

•


•


•


•



3721

®


interface Syntax


interface (all | [interface-name] | access-ports) { vlan (VoIP) vlan-name ); forwarding-class (VoIP) ; } [edit ethernet-switching-options voip]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable voice over IP (VoIP) for all interfaces or specific interfaces. all | interface-name | access-ports—Enable VoIP on all interfaces, on a specific interface,

or on all access ports. Required Privilege Level Related Documentation

3722



•


•




lldp Syntax


Description

lldp { advertisement-interval seconds; disable (LLDP); hold-multiplier number; interface (LLDP) (all | [interface-name]) { disable (LLDP); } lldp-configuration-notification-interval seconds; management-address ip-management-address; netbios-snooping; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions (LLDP) { file filename ; flag flag ; } transmit-delay seconds; } [edit protocols]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for QFX Series. Configure Link Layer Discovery Protocol (LLDP). The switch uses LLDP to advertise its identity and capabilities on a LAN, as well as receive information about other network devices. LLDP is defined in the IEEE standard 802.1AB-2005. The remaining statements are explained separately.

NOTE: The transmit-delay and netbios-snooping options are not available on QFabric switches.


LLDP is enabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•

Configuring LLDP

•

Understanding LLDP


3723

®


lldp-configuration-notification-interval Syntax Hierarchy Level Release Information

Description

Default Options

lldp-configuration-notification-interval seconds; [edit protocols lldp]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify how often SNMP trap notifications are generated as a result of LLDP database changes. If the interval value is 0, trap notifications of database changes are disabled. SNMP trap notifications of LLDP database changes are disabled. seconds—Interval between trap notifications about LLDP database changes.


3724





lldp-med Syntax


lldp-med { disable (LLDP-MED); fast-start number; interface (LLDP-MED) (all | interface-name) { disable (LLDP-MED); location (LLDP-MED) { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } [edit protocols]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Link Layer Discovery Protocol–Media Endpoint Discovery. LLDP-MED is an extension of LLDP. The switch uses LLDP-MED to support device discovery of VoIP telephones and to create location databases for these telephone locations for emergency services. LLDP-MED is defined in the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA). The statements are explained separately.




•


•



3725

®


location Syntax


location { elin number; civic-based { what number; country-code code; ca-type{ number { ca-value value; } } } } [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED), configure the location information. Location information is advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. The statements are explained separately.


3726



•


•




mac-radius Syntax Hierarchy Level Release Information

Description

mac-radius ; [edit protocols dot1x authenticator interface (802.1X) interface-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Option flap-on-disconnect introduced in Junos OS Release 9.4 for EX Series switches. Configure MAC RADIUS authentication for specific interfaces. MAC RADIUS authentication allows LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN. If MAC RADIUS is configured, the switch first tries to get a response from the host for 802.1X authentication. If the host is unresponsive, the switch attempts to authenticate using MAC RADIUS. To restrict authentication to MAC RADIUS only, use the restrict option. In restrictive mode, all 802.1X packets are eliminated and the attached device on the interface is considered a nonresponsive host.

Options

flap-on-disconnect—(Optional) When the RADIUS server sends a disconnect message

to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the restrict option is also set. restrict—(Optional) Restricts authentication to MAC RADIUS only. When mac-radius restrict is configured the switch drops all 802.1X packets. This option is useful when

no other 802.1X authentication methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host. Required Privilege Level Related Documentation



•


•


•


•


•



3727

®


management-address Syntax Hierarchy Level Release Information

Description

management-address ip-management-address; [edit protocols lldp]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify the management address of the switch to be used in the LLDP Management type, length, and value (TLV) .

Default

LLDP Management TLV uses the IP address of the switch's management Ethernet interface (me0) or the IP address of the virtual management Ethernet (VME) interface if the switch is a Virtual Chassis.

Options

ip-management-address—You can specify either an IPv4 or IPv6 management address

for the switch. Required Privilege Level Related Documentation

3728



•


•


•

Understanding LLDP



maximum-requests Syntax Hierarchy Level Release Information Description

Default Options

maximum-requests number; [edit protocols dot1x authenticator interface (all | [interface-names])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out. Two retransmission attempts number—Number of retransmission attempts.




•


nas-identifier Syntax Hierarchy Level Release Information

Description

Options

nas-identifier identifier-value; [edit access profile profile-name radius options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the value for the client RADIUS attribute 32 (NAS-Identifier). This attribute is used for authentication and accounting requests. identifier-value—String to use for authentication and accounting requests.

Range: 1 through 64 characters Required Privilege Level Related Documentation

admin—To view this statement in the configuration. admin–control—To add this statement to the configuration. •


•



3729

®


nas-port-extended-format Syntax


Description

Options

nas-port-extended-format { adapter-width width; port-width width; slot-width width; stacked-vlan-width width; vlan-width width; } [edit access profile profile-name radius options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify the width of the fields in the NAS-Port attribute. adapter-width width—Number of bits in the adapter field. port-width width—Number of bits in the port field. slot-width width—Number of bits in the slot field. stacked-vlan-width width—Number of bits in the SVLAN ID field. vlan-width width—Number of bits in the VLAN ID field.

NOTE: The total of the widths must not exceed 32 bits, or the configuration will fail.


3730



•




netbios-snooping Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

netbios-snooping; [edit protocols lldp]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Enable NetBIOS snooping on the switch. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


no-mac-table-binding Syntax Hierarchy Level Release Information Description


no-mac-table-binding; [edit protocols dot1x authenticator]

Statement introduced in Junos OS Release 11.1 for EX Series switches. For 802.1X authentication, disable the removal of the session from the authentication session table when the MAC address ages out of the Ethernet switching table. Not enabled routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



3731

®


no-reauthentication Syntax Hierarchy Level Release Information Description Default Required Privilege Level Related Documentation

3732

no-reauthentication; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, disables reauthentication. Not disabled routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•




options Syntax


Description

options { accounting-session-id-format (decimal | description); client-accounting-algorithm (direct | round-robin); client-authentication-algorithm (direct | round-robin); coa-dynamic-variable-validation; ethernet-port-type-virtual; interface-description-format { exclude-adapter; exclude-sub-interface; } juniper-dsl-attributes; nas-identifier identifier-value; nas-port-extended-format { adapter-width width; port-width width; slot-width width; stacked-vlan-width width; vlan-width width; } nas-port-id-delimiter delimiter-character; nas-port-id-format { agent-circuit-id; agent-remote-id; interface-description; nas-identifier; } nas-port-type { ethernet { port-type; } } revert-interval interval; vlan-nas-port-stacked-format; } [edit access profile profile-name radius]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the options used by RADIUS authentication and accounting servers. The remaining statements are explained separately.




•



3733

®


order Syntax Hierarchy Level Release Information

Description

Default Options

order (radius | [ accounting-order-data-list ] ); [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the order of authentication, authorization, and accounting (AAA) servers to use while sending accounting messages and updates. No order specified radius—RADIUS accounting for specified subscribers. [ accounting-order-data-list ]— Set of data listing the authentication order to be used,

enclosed by brackets. This can be any combination of the authentication methods, up to and including a full list of the entire authentication order.



3734



•


•




order Syntax Hierarchy Level Release Information

order [ accounting-method ]; [edit access profile profile-name accounting]


Description

Set the order in which the Junos OS tries different accounting methods for client activity. When a client logs in, the software tries the accounting methods in the specified order.

Options

accounting-method—One or more accounting methods. When a client logs in, the software

tries the accounting methods in the following order, from first to last. The only valid value is radius for RADIUS accounting. Required Privilege Level Related Documentation



port Syntax Hierarchy Level

Release Information

port port-number; [edit access radius-serverserver-address], [edit access profile profile-name radius-server server-address]


Description

Configure the port number on which to contact the RADIUS server.

Options

port-number—Port number on which to contact the RADIUS server.

Default: 1812 (as specified in RFC 2865) Required Privilege Level Related Documentation


Configuring Router or Switch Interaction with RADIUS Servers

•



3735

®


port (RADIUS Server) Syntax Hierarchy Level

Release Information

Description Options

port port-number; [edit system radius-server address], [edit system accounting destination radius server address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the port number on which to contact the RADIUS server. number—Port number on which to contact the RADIUS server.

Default: 1812 (as specified in RFC 2865)

NOTE: The [edit system accounting] hierarchy is not available on QFabric switches.




•


port (TACACS+ Server) Syntax Hierarchy Level Release Information

Description Options

port port-number; [edit system accounting destination tacplus server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the port number on which to contact the TACACS+ server. number—Port number on which to contact the TACACS+ server.


3736





profile Syntax


Description

Default Options

profile profile-name { accounting { accounting-stop-on-access-deny; accounting-stop-on-failure; order ( radius | [ accounting-order-data-list ] )]; } authentication-order [authentication-method]; radius { accounting-server [server-addresses]; authentication-server [server-addresses]; } } [edit access]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure an access profile. The access profile contains the entire authentication, authorization, and accounting (AAA) configuration that aids in handling AAA requests, including the authentication method and order, AAA server addresses, and AAA accounting. Not enabled profile-name—Profile name of up to 32 characters.






•


•



3737

®


ptopo-configuration-maximum-hold-time Syntax Hierarchy Level Release Information

Description

Options

ptopo-configuration-maximum-hold-time seconds; [edit protocols lldp]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure how long to maintain the physical topology database entries. The physical topology identifies the devices on the network and their physical interconnections. seconds—Time to maintain physical topology database entries.

Default: 300 Range: 1 through 2147483647 Required Privilege Level Related Documentation



•


•

Understanding LLDP

ptopo-configuration-trap-interval Syntax Hierarchy Level Release Information

Description

Default Options

ptopo-configuration-trap-interval seconds; [edit protocols lldp]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify how often SNMP trap notifications are sent regarding changes in physical topology global statistics. SNMP trap notifications of changes in physical topology global statistics are disabled. seconds—Interval between SNMP trap notifications about physical topology global

statistics. Range: 0 through 3600 Required Privilege Level

3738




quiet-period Syntax Hierarchy Level Release Information Description

Default Options

quiet-period seconds; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, configure the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication. 60 seconds seconds—Number of seconds the interface remains in the wait state.




•


quiet-period (Captive Portal) Syntax Hierarchy Level Release Information Description

Options

quiet-period seconds; [edit services captive-portal interface (all | interface-names)]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure time, in seconds, after a user exceeds the maximum number of retries before they can attempt to authenticate. seconds—Number of seconds.

Range: 1–65535 Default: 60 Required Privilege Level Related Documentation



•



3739

®


radius Syntax


Description

radius { accounting-server [server-addresses]; authentication-server [server-addresses]; } [edit access profile profile-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the RADIUS servers for authentication and for accounting. To configure multiple RADIUS servers, include multiple radius statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached. The statements are explained separately.



3740



•


•


•




radius (Access Profile) Syntax

Hierarchy Level

radius { accounting-server [ ip-address ]; attributes { exclude ... } ignore { framed-ip-netmask; input-filter; logical-system-routing-instance; output-filter; } } authentication-server [ ip-address ]; options { accounting-session-id-format (decimal | description); client-accounting-algorithm (direct | round-robin); client-authentication-algorithm (direct | round-robin); coa-dynamic-variable-validation; ethernet-port-type-virtual; interface-description-format { exclude-adapter; exclude-sub-interface; } juniper-dsl-attributes; nas-identifier identifier-value; nas-port-extended-format { adapter-width width; port-width width; slot-width width; stacked-vlan-width width; vlan-width width; } nas-port-id-delimiter delimiter-character; nas-port-id-format { agent-circuit-id; agent-remote-id; interface-description; nas-identifier; } nas-port-type { ethernet { port-type; } } revert-interval interval; vlan-nas-port-stacked-format; } } [edit access profile profile-name]


3741

®


Release Information

Description

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the RADIUS parameters that the router uses for AAA authentication and accounting for subscribers. The remaining statements are explained separately.




•


radius Syntax


Description Options

radius { server { server-address { accounting-port port-number; secret password; source-address address; retry number; timeout seconds; } } } [edit system accounting destination]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the RADIUS accounting server. server-address—Address of the RADIUS accounting server.


3742





radius-server Syntax

Hierarchy Level

Release Information

Description

radius-server server-address { accounting-port port-number; port port-number; retry attempts; routing-instance routing-instance-name; secret password; max-outstanding-requests value; source-address source-address; timeout seconds; } [edit access], [edit access profile profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure RADIUS for subscriber access management, L2TP, or PPP. To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Options

server-address—Address of the RADIUS authentication server.



Configuring RADIUS Authentication for L2TP

•

Configuring the PPP Authentication Protocol

•


•


•

show network-access aaa statistics

•

clear network-access aaa statistics


3743

®


reauthentication Syntax


Options

reauthentication { interval seconds; } [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, specify the number of seconds before an authentication session times out. disable—Disables the periodic reauthentication of the end device. interval seconds—Sets the periodic reauthentication time interval.

Range: 1 through 4,294,967,296 seconds Default: 3600 seconds Required Privilege Level Related Documentation



retries Syntax Hierarchy Level Release Information Description

Options

retries number; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])]

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, configure the number of times the switch attempts to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt. number —Number of retries.


3744



•


•




retries (Captive Portal) Syntax Hierarchy Level Release Information Description Options

retries number-of-tries; [edit services captive-portal interface (all | interface-names)] ]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure the number of times the user can attempt to submit authentication information. number-of-tries—Number of authentication attempts by user.




•



3745

®


retry Syntax Hierarchy Level

Release Information

retry attempts; [edit access radius-server server-address], [edit access profile profile-name radius-server server-address]


Description

Specify the number of times that the router or switch is allowed to attempt to contact a RADIUS authentication or accounting server.

Options

attempts—Number of times that the router is allowed to attempt to contact a RADIUS

server. Range: 1 through 10 Default: 3 Required Privilege Level Related Documentation

3746



•


•


•


•

timeout on page 3764



retry Syntax Hierarchy Level

Release Information

Description

Options

retry number; [edit system radius-server server-address], [edit system accounting destination radius server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Number of times the router or switch is allowed to try to contact a RADIUS authentication or accounting server. number—Number of retries allowed for contacting a RADIUS server.




•


•

timeout on page 3763


3747

®


revert-interval Syntax Hierarchy Level

Release Information

Description

Options

revert-interval interval; [edit access profile profile-name radius options], [edit access radius-options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the amount of time the router or switch waits after a server has become unreachable. The router or switch rechecks the connection to the server when the specified interval expires. If the server is then reachable, it is used in accordance with the order of the server list. interval—Amount of time to wait.




•


routing-instance Syntax Hierarchy Level

Release Information


3748

routing-instance routing-instance-name; [edit access radius-server server-address], [edit access profile profile-name radius-server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the routing instance used to send RADIUS packets to the RADIUS server. routing-instance-name—Routing instance name.


Configuring the PPP Authentication Protocol

•




secret Syntax Hierarchy Level

Release Information

Description

Options

secret password; [edit access profile profile-name radius-server server-address], [edit access radius-disconnect client-address], [edit access radius-server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the password to use with the RADIUS server. The secret password used by the local router or switch must match that used by the server. password—Password to use; it can include spaces if the character string is enclosed in

quotation marks. Required Privilege Level Related Documentation



•


•


•


•

Configuring the RADIUS Disconnect Server for L2TP


3749

®


secret Syntax Hierarchy Level

Release Information

Description


secret password; [edit system accounting destination radius server server-address], [edit system accounting destination tacplus server server-address], [edit system radius-server server-address], [edit system tacplus-server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the password to use with the RADIUS or TACACS+ server. The secret password used by the local router or switch must match that used by the server. password—Password to use; can include spaces included in quotation marks.



•


•


•


secure-authentication Syntax Hierarchy Level Release Information Description Default Options

secure-authentication (http | https); [edit services captive-portal]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Enable HTTP or HTTPS access on the captive portal interface. http http—Enables HTTP access on the captive portal interface. https—Enables HTTPS access on the captive portal interface. HTTPS is recommended.


3750



•




server (RADIUS Accounting) Syntax


Description

server { server-address { accounting-port port-number; retry number secret password; source-address address; timeout seconds; } } [edit system accounting destination radius]

Statement introduced in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure RADIUS logging. The remaining statements are explained separately.




server (TACACS+ Accounting) Syntax


Description

server { server-address { port port-number; secret password; single-connection; timeout seconds; } } [edit system accounting destination tacplus]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure TACACS+ logging. The remaining statements are explained separately.





3751

®


server-fail Syntax Hierarchy Level Release Information Description

server-fail (deny | permit | use-cache | vlan-id | vlan-name); [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])]

Statement introduced in Junos OS Release 9.3 for EX Series switches. For EX Series switches configured for 802.1X authentication, specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable. When you specify the action vlan-name or vlan-id, the VLAN must already be configured on the switch.

Default Options

Authentication is denied. deny—Force fail the supplicant authentication. No traffic will flow through the interface. permit—Force succeed the supplicant authentication. Traffic will flow through the interface

as if it were successfully authenticated by the RADIUS server. use-cache—Force succeed the supplicant authentication only if it was previously

authenticated successfully. This action ensures that already authenticated supplicants are not affected. vlan-id—Move supplicant on the interface to the VLAN specified by this numeric identifier.

This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. vlan-name—Move supplicant on the interface to the VLAN specified by this name. This

action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. Required Privilege Level Related Documentation

3752



•


•


•


•




server-reject-vlan Syntax


server-reject-vlan (vlan-id | vlan-name) { eapol-block; block-interval block-interval; } [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])]

Statement introduced in Junos OS Release 9.3 for EX Series switches. For EX Series switches configured for 802.1X authentication, specify that when the switch receives an Extensible Authentication Protocol Over LAN (EAPoL) Access-Reject message during the authentication process between the switch and the RADIUS authentication server, supplicants attempting access to the LAN are granted access and moved to a specific VLAN. Any VLAN name or VLAN ID sent by a RADIUS server as part of the EAPoL Access-Reject message is ignored. When you specify the VLAN ID or VLAN name, the VLAN must already be configured on the switch. The remaining statements are explained separately.

Default Options

None vlan-id—Numeric identifier of the VLAN to which the supplicant is moved. vlan-name—Name of the VLAN to which the supplicant is moved.




•


•

Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients

•


•



3753

®


server-timeout Syntax Hierarchy Level Release Information Description

Default Options

server-timeout seconds; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-name])

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, configure the amount of time a port will wait for a reply when relaying a response from the supplicant to the authentication server before timing out and invoking the server-fail action. 30 seconds seconds —Number of seconds.


3754



•

clear dot1x on page 3778

•


•




server-timeout (Captive Portal) Syntax Hierarchy Level Release Information Description

Options

server-timeout seconds; [edit services captive-portal interface (all | interface-names)] ]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure the time in seconds an interface will wait for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action. seconds—Number of seconds.




•


session-expiry Syntax Hierarchy Level Release Information Description Options

session-expiry seconds; [edit services captive-portal interface (all | interface-names)] ]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure the maximum duration in seconds of a session. seconds—Duration of session.




•



3755

®


single-connection Syntax Hierarchy Level

Release Information

Description


single-connection; [edit system accounting destination tacplus-server server-address] [edit system tacplus-server server-address],

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Optimize attempts to connect to a TACACS+ server. The software maintains one open TCP connection to the server for multiple requests rather than opening a connection for each connection attempt. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


source-address Syntax Hierarchy Level

Release Information

Description

Options

source-address source-address; [edit access radius-server server-address], [edit access profile profile-name radius-server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a source address for each configured RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. source-address—Valid IPv4 address configured on one of the router or switch interfaces.

On M Series routers only, the source address can be an IPv6 address and the UDP source port is 514. Required Privilege Level Related Documentation

3756



•


•


•




source-address (NTP, RADIUS, System Logging, or TACACS+) Syntax Hierarchy Level

Release Information

Description

Options

source-address source-address; [edit system accounting destination radius server server-address], [edit system accounting destination tacplus server server-address], [edit system ntp], [edit system radius-server server-address], [edit system syslog], [edit system tacplus-server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify a source address for each configured TACACS+ server, RADIUS server, NTP server, or the source address to record in system log messages that are directed to a remote machine. source-address—A valid IP address configured on one of the router or switch interfaces.

For system logging, the address is recorded as the message source in messages sent to the remote machines specified in all host hostname statements at the [edit system syslog] hierarchy level, but not for messages directed to the other Routing Engine or to the TX Matrix router or TX Matrix Plus router in a routing matrix based on a TX Matrix router or TX Matrix Plus router. Required Privilege Level Related Documentation



•


•

Specifying an Alternative Source Address for System Log Messages


3757

®


static Syntax


static mac-address { interface (Static MAC Bypass) interface-names; vlan-assignment (vlan-id |vlan-name ); } [edit protocols dot1x authenticator]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure MAC addresses to exclude from 802.1X authentication. The static MAC list provides an authentication bypass mechanism for supplicants connecting to a port, permitting devices such as printers that are not 802.1X-enabled to be connected to the network on 802.1X-enabled ports. Using this 802.1X authentication-bypass mechanism, the supplicant connected to the MAC address is assumed to be successfully authenticated and the port is opened for it. No further authentication is done for the supplicant. You can optionally configure the VLAN that the supplicant is moved to or the interfaces on which the MAC address can gain access from.

Options

mac-address —The MAC address of the device for which 802.1X authentication should

be bypassed and the device permitted access to the port. The remaining statements are explained separately. Required Privilege Level Related Documentation

3758



•


•


•


•




statistics Syntax Hierarchy Level Release Information

Description

Options

statistics (time | volume-time); [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Option volume-time introduced in Junos OS Release 9.4. Configure the router or switch to collect time statistics, or both volume and time statistics, for the sessions being managed by AAA. time—Collect uptime statistics only. volume-time—Collect both volume and uptime statistics. This option is not available for

Mobile IP. Required Privilege Level Related Documentation


Mobile IP Home Agent Elements and Behavior

•



3759

®


supplicant Syntax Hierarchy Level

supplicant (multiple | single | single-secure); [edit protocols dot1x authenticator interface (802.1X) (all | [interface-names])], [edit services captive-portal interface (all | interface-names)]

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement added to the [edit services captive-portal interface] hierarchy in Junos OS Release 10.1 for EX Series switches

Description

Configure the MAC-based method used to authenticate clients for 802.1X or captive portal authentication.

Default Options

single single—Authenticates only the first client that connects to an authenticator port. All other

clients connecting to the authenticator port after the first are permitted free access to the port without further authentication. If the first authenticated client logs out, all other supplicants are locked out until a client authenticates again. single-secure—Authenticates only one client to connect to an authenticator port. The

host must be directly connected to the switch. multiple—Authenticates multiple clients individually on one authenticator port. You can

configure the number of clients per port. If you also configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of clients allowed per port. Required Privilege Level Related Documentation

3760



•


•


•




supplicant-timeout Syntax Hierarchy Level Release Information Description

Default Options

supplicant-timeout seconds; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-name])

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, configure how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. 30 seconds seconds —Number of seconds.



supplicant on page 3760

•


•



3761

®


tacplus Syntax


Description Options

tacplus { server { server-address { port port-number; secret password; single-connection; timeout seconds; } } } [edit system accounting destination]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the Terminal Access Controller Access Control System Plus (TACACS+). server-address—Address of the TACACS+ authentication server.


3762





timeout Syntax Hierarchy Level

Release Information

Description

Options

timeout seconds; [edit system radius-server server-address], [edit system tacplus-server server-address], [edit system accounting destination radius server server-address], [edit system accounting destination tacplus server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the amount of time that the local router or switch waits to receive a response from a RADIUS or TACACS+ server. seconds—Amount of time to wait.




•


•

retry on page 3747


3763

®


timeout (RADIUS) Syntax Hierarchy Level

Release Information

Description

Options

timeout seconds; [edit access radius-server server-address], [edit access profile profile-name radius-server server-address]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the amount of time that the local router or switch waits to receive a response from a RADIUS server. seconds—Amount of time to wait.


3764



•


•


•




traceoptions Syntax

Hierarchy Level

traceoptions { file filename ; flag flag ; } [edit protocols dot1x] [edit protocols edge-virtual-bridging

Release Information Description Default Options

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define tracing operations for the 802.1X protocol. Tracing operations are disabled. file filename—Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. All files are placed in the directory /var/log. file number—(Optional) Maximum number of trace files. When a trace file named trace-file

reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum xk to specify KB, xm to specify MB, or xg to specify gigabytes number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the sizeoption. Range: 2 through 1000 Default: 3 files flag flag—Tracing operation to perform. To specify more than one tracing operation,



•

config-internal—Trace internal configuration operations.

•

general—Trace general operations.

•

normal—Trace normal operations.

•


•

regex-parse—Trace regular-expression parsing operations.

•

state—Trace protocol state changes.

•

task—Trace protocol task operations.

•

timer—Trace protocol timer operations.


expression.


3765

®


no-world-readable—(Optional) Restricted file access to the user who created the file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabyte Range: 10 KB through 1gigabyte Default: 128 KB world-readable—(Optional) Enable unrestricted file access.


3766



•


•




traceoptions (LLDP) Syntax


Description

traceoptions { file filename ; flag flag ; } [edit protocols lldp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Define tracing operations for the Link Layer Discovery Protocol (LLDP). You can trace messages under LLDP for LLDP and PTOPO MIBs.

NOTE: The traceoptions statement is not supported on the QFX3000 QFabric switch.

Default Options

Tracing operations are disabled. file filename—Name of the file to receive the output of the tracing operation. Enclose the


so on, until the maximum xk to specify KB, xm to specify MB, or xg to specify GB number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files flag flag—Tracing operation to perform. To specify more than one tracing operation,



•

configuration—Trace configuration operations.

•

interface—Trace interface update events.

•

netbios—Trace NetBIOS events.

•

packet—Trace packet events.

•

rtsock—Trace routing socket operations.

•

snmp—Trace SNMP configuration operations.


3767

®


•

vlan—Trace VLAN update events.

no-stamp—(Optional) Do not timestamp the trace file.

Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output. no-world-readable—(Optional) Restrict file access to the user who created the file. replace—(Optional) Replace an existing trace file if there is one rather than appending

output to it. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB Default: If you do not include this option, tracing output is appended to an existing trace file. world-readable—(Optional) Enable unrestricted file access.

NOTE: The traceoptions statement is not supported on the QFX3000 QFabric switch.


3768



•


•

Configuring LLDP

•

Understanding LLDP



transmit-period Syntax Hierarchy Level Release Information Description

transmit-period seconds; [edit protocols dot1x authenticator interface (802.1X) (all | [interface-name])

Statement introduced in Junos OS Release 9.0 for EX Series switches. For 802.1X authentication, how long the port waits before retransmitting the initial EAPOL PDUs to the supplicant.

Default

30 seconds

Options

seconds—Number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. Range: 1 through 65,535 seconds Default: 30 seconds




•



3769

®


update-interval Syntax Hierarchy Level Release Information

Description

Default Options

update-interval minutes; [edit access profile profile-name accounting]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure the amount of time that the router or switch waits before sending a new accounting update. No updates minutes—Amount of time between updates, in minutes. All values are rounded up to the

next higher multiple of 10. For example, the values 811 through 819 are all accepted by the CLI, but are all rounded up to 820. Range: 10 through 1440 minutes Required Privilege Level Related Documentation

3770





vlan-assignment Syntax Hierarchy Level

Release Information

vlan-assignment (vlan-id | vlan-name); [edit protocols dot1x authenticator authentication-profile-name static (Protocols 802.1X) mac-address], [edit ethernet-switching-options authentication-whitelist]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement added to the [edit ethernet-switching-options authentication-whitelist] hierarchy in Junos OS Release 10.1 for EX Series switches.

Description

Configure the VLAN that is associated with the list of MAC addresses that are excluded from RADIUS authentication.

Options

vlan-id | vlan-name—The name of the VLAN or the VLAN tag identifier to associate with

the device. The VLAN already exists on the switch. Required Privilege Level Related Documentation



•


•


•


•


•


vlan-nas-port-stacked-format Syntax Hierarchy Level Release Information

Description


vlan-nas-port-stacked-format; [edit access profile profile-name radius options]

Statement introduced in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure RADIUS attribute 5 (NAS-Port) to include the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces. admin—To view this statement in the configuration. admin-control—To add this statement to the configuration. •


•



3771

®


vlan Syntax Hierarchy Level Release Information Description

Options

vlan (vlan-id | vlan-name | untagged); [edit ethernet-switching-options voip interface (VoIP) (all | [interface-name | access-ports])

Statement introduced in Junos OS Release 9.0 for EX Series switches. For EX Series switches, specify the VLAN name or VLAN tag identifier associated with the VLAN to be sent from the authenticating server to the IP phone. vlan-name—Name of a VLAN. vlan-id—The VLAN tag identifier. Range: 0 through 4095. Tags 0 and 4095 are reserved by Junos OS, and you should not configure them. untagged—Allow untagged VLAN traffic.


3772



•


•




voip Syntax


voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ); forwarding-class (VoIP) ; } } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure voice over IP (VoIP) interfaces. The statements are explained separately.




•


•



3773

®


what Syntax Hierarchy Level

Release Information

Description

what number; [edit protocols lldp-med (Ethernet Switching) interface (LLDP-MED) (all | interface-name) location (LLDP-MED) civic-based]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Modified in Junos OS Release 9.2 for EX Series switches to display new default. For Link Layer Discovery Protocol–Media Endpoint Device (LLDP-MED), configure the location to which the DHCP entry refers. This information is advertised, along with other location information, from the switch to the MED. It is used during emergency calls to identify the location of the MED. Options 0 and 1 should not be used unless it is known that the DHCP client is in close physical proximity to the server or network element.

Default Options


3774

1 number—Location: •

0—Location of the DHCP server.

•

1—Location of a network element believed to be closest to the client.

•

2—Location of the client.



•


•



CHAPTER 92

Operational Commands for Access Control


3775

®


clear captive-portal Syntax

Release Information

clear captive-portal (firewall [interface-names] | interface (802.1X) (all | [interface-names]) | mac-address [mac-addresses])


Description

Reset the authentication state of a captive portal interface or captive-portal firewall statistics on one or more interfaces.

Options

firewall [interface-names]—Resets captive portal statistics on all interfaces or on the

specified interface. interface (all | interface-names)—Resets the authentication state of users connected to

all interfaces or the specified interfaces. mac-address mac-addresses—Resets the authentication state for the specified MAC

addresses. Required Privilege Level Related Documentation


Output Fields

view

•

show captive-portal authentication-failed-users on page 3782

•

show captive-portal interface on page 3785

•

show captive-portal firewall on page 3783

•


•


clear captive-portal interface on page 3777 clear captive-portal interface on page 3777 clear captive-portal mac-address on page 3777 clear captive-portal firewall on page 3777 Table 418 on page 3776 lists the output fields for the clear captive-portal interface command. (The clear captive-portal firewall and clear captive-portal mac-address commands have no output). Output fields are listed in the approximate order in which they appear.

Table 418: clear captive-portal interface Output Fields Field Name

Field Description

Interface

Interface on which captive portal has been configured.

3776


Chapter 92: Operational Commands for Access Control

Table 418: clear captive-portal interface Output Fields (continued) Field Name

Field Description

State

The state of the port: •

Authenticated—The client has been authenticated through the RADIUS server or has been permitted access through

server fail fallback. •

Authenticating—The client is authenticating through the RADIUS server.

•

Connecting—Switch is attempting to contact the RADIUS server.

•

Initialize—The interface link is down.

•

Held—An action has been triggered through server fail fallback during a RADIUS server timeout. A supplicant is denied

access, permitted access through a specified VLAN, or maintains the authenticated state granted to it before the RADIUS server timeout occurred. MAC address

The MAC address of the connected client on the interface.

User

Users connected to the captive portal interface.

Sample Output clear captive-portal interface

user@switch> clear captive-portal interface ge-0/0/3.0

clear captive-portal interface

user@switch> clear captive-portal interface Captive Portal Information: Interface State MAC address ge-0/0/3.0 Authenticated 00:03:47:e1:ba:b9 ge-0/0/5.0 Connecting ge-0/0/7.0 Connecting ge-0/0/9.0 Connecting

User aclallow

clear captive-portal mac-address

user@switch> clear captive-portal mac-address 00:03:47:e1:ba:b9

clear captive-portal firewall

user@switch> clear captive-portal firewall

This command has no output.

This command has no output.


3777

®


clear dot1x Syntax

Release Information

Description

clear dot1x (firewall | interface | mac-address [mac-addresses] | statistics )

Command introduced in Junos OS Release 9.0 for EX Series switches. firewall option added in Junos OS Release 9.5 for EX Series switches. Reset the authentication state of an interface or delete 802.1X statistics from the switch. When you reset an interface using the interface or mac-address options, reauthentication on the interface is also triggered. The switch sends out a multicast message on the interface to restart the authentication of all connected supplicants. If a MAC address is reset, then the switch sends out a unicast message to that specific MAC address to restart authentication. If a supplicant is sending traffic when the clear dot1x interface command is issued, the authenticator immediately initiates reauthentication. This process happens quickly, and it might seem that reauthentication did not occur. To verify that reauthentication has happened, issue the show dot1x interface detail command. The values for Reauthentication due and Reauthentication interval will be about the same.

Options

firewall —Clear 802.1X firewall counter statistics. If the counter-name

option is specified, clear 802.1X firewall statistics for that counter. interface —Reset the authentication state of all supplicants connected

to the specified interfaces (when the interface is an authenticator) or reset the authentication state for the interface itself (when the interface is a supplicant). mac-address [mac-addresses]—Reset the authentication state of the specified MAC

addresses. statistics —Clear 802.1X statistics on all 802.1X-enabled

interfaces. If the interface option is specified, clear 802.1X firewall statistics for that interface or interfaces. Required Privilege Level Related Documentation


3778

view

•


•


•


clear dot1x firewall c1 on page 3779 clear dot1x interface ge-1/0/0 ge-2/0/0 ge-2/0/0 ge5/0/0 on page 3779 clear dot1x mac-address 00:04:ae:cd:23:5f on page 3779 clear dot1x statistics interface ge-1/0/1 on page 3779



Sample Output clear dot1x firewall c1 clear dot1x interface ge-1/0/0 ge-2/0/0 ge-2/0/0 ge5/0/0 clear dot1x mac-address 00:04:ae:cd:23:5f clear dot1x statistics interface ge-1/0/1

user@switch> clear dot1x firewall c1 user@switch> clear dot1x interface ge-1/0/0 ge-2/0/0 ge-2/0/0 ge5/0/0

user@switch> clear dot1x mac-address 00:04:ae:cd:23:5f

user@switch> clear dot1x statistics interface ge-1/0/1


3779

®


clear lldp neighbors Syntax


clear lldp neighbors

Command introduced in Junos OS Release 9.0 for EX Series switches. Clear the learned remote neighbor information on all or selected interfaces. none—Clear the remote neighbor information on all interfaces. interface interface—(Optional) Clear the remote neighbor information from one or more

selected interfaces. Required Privilege Level Related Documentation


view

•


•


•


clear lldp neighbors on page 3780 clear lldp neighbors interface ge-0/1/1.0 on page 3780

Sample Output clear lldp neighbors

user@switch> clear lldp neighbors

clear lldp neighbors interface ge-0/1/1.0

user@switch> clear lldp neighbors interface ge-0/1/1.0

3780



clear lldp statistics Syntax


clear lldp statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. Clear LLDP statistics on one or more interfaces. none—Clears LLDP statistics on all interfaces. interface interface-names—(Optional) Clear LLDP statistics on one or more interfaces.



view

•


•


clear lldp statistics on page 3781 clear lldp statistics interface ge-0/1/1.0 on page 3781

Sample Output clear lldp statistics clear lldp statistics interface ge-0/1/1.0

user@switch> clear lldp statistics user@switch> clear lldp statistics interface ge-0/1/1.0


3781

®


show captive-portal authentication-failed-users Syntax Release Information Description Required Privilege Level Related Documentation


show captive-portal authentication-failed-users

Command introduced in Junos OS Release 10.1 for EX Series switches. Display the users that have failed captive portal authentication. view

•


•


•

clear captive-portal on page 3776

•


•


show captive-portal authentication-failed-users on page 3782 Table 419 on page 3782 lists the output fields for the show captive-portal authentication-failed-users command. Output fields are listed in the approximate order in which they appear.

Table 419: show captive-portal authentication-failed-users Output Fields Field Name

Field Description

Level of Output

Interface

The MAC address configured to bypass captive portal authentication.

all

MAC address

The MAC address configured statically on the interface.

all

User

Name of the user that has failed captive portal authentication.

all

Failure Count

The number of times that 802.1X authentication has failed on the interface.

all

Sample Output show captive-portal authentication-failed-users

user@switch> show captive-portal authentication-failed-users Interface ge-0/0/17.0 ge-0/0/20.0 ge-0/0/18.0 ge-0/0/19.0

3782

MAC address 00:37:00:00:00:00 00:04:10:00:00:00 00:00:03:00:0a:00 00:00:03:00:0b:00

User 003700000000 000410000000 000003000a00 000003000b00

Failure Count 28 32 4 18



show captive-portal firewall Syntax


Options

show captive-portal firewall

Command introduced in Junos OS Release 10.1 for EX Series switches. Display information about the firewall filters for each user that is authenticated on each captive portal interface. none—Display all the firewall filters on all captive portal interfaces. brief | detail—(Optional) Display the specified level of output. interface-name—(Optional) Display all the terms of the firewall filters for the specified

interface. interface-name detail—(Optional) Display all of the terms of the firewall filters for the

specified interface. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


show captive-portal firewall brief on page 3783 show captive-portal firewall ge-0/0/10.0 on page 3784 show captive-portal firewall on page 3784 Output fields for the show captive-portal firewall command include any action modifier specified in firewall filters except policers. Policers are not supported in the terms of the internally generated dynamic firewall filters that are created when multiple supplicants authenticate on 802.1X-enabled interfaces.

Sample Output show captive-portal firewall brief

user@switch> show captive-portal firewall brief Captive Portal Information: Interface State MAC address ge-0/0/1.0 Connecting ge-0/0/10.0 Connecting 00:30:48:8c:66:bd


User No User

3783

®


show captive-portal firewall ge-0/0/10.0

show captive-portal firewall

3784

user@switch> show captive-portal firewall ge-0/0/10.0 Filter name: dot1x_ge-0/0/10 Counters: Name Bytes dot1x_ge-0/0/10_CP_arp 7616 dot1x_ge-0/0/10_CP_dhcp 0 dot1x_ge-0/0/10_CP_http 0 dot1x_ge-0/0/10_CP_https 0 dot1x_ge-0/0/10_CP_t_dns 0 dot1x_ge-0/0/10_CP_u_dns 0 user@switch> show captive-portal firewall Filter name: dot1x_ge-0/0/0 Counters: Name Bytes dot1x_ge-0/0/0_CP_arp 0 dot1x_ge-0/0/0_CP_dhcp 0 dot1x_ge-0/0/0_CP_http 0 dot1x_ge-0/0/0_CP_https 0 dot1x_ge-0/0/0_CP_t_dns 0 dot1x_ge-0/0/0_CP_u_dns 0 Filter name: dot1x_ge-0/0/1 Counters: Name Bytes dot1x_ge-0/0/1_CP_arp 0 dot1x_ge-0/0/1_CP_dhcp 0 dot1x_ge-0/0/1_CP_http 0 dot1x_ge-0/0/1_CP_https 0 dot1x_ge-0/0/1_CP_t_dns 0 dot1x_ge-0/0/1_CP_u_dns 0 Filter name: dot1x_ge-0/0/10 Counters: Name Bytes dot1x_ge-0/0/10_CP_arp 7616 dot1x_ge-0/0/10_CP_dhcp 0 dot1x_ge-0/0/10_CP_http 0 dot1x_ge-0/0/10_CP_https 0 dot1x_ge-0/0/10_CP_t_dns 0 dot1x_ge-0/0/10_CP_u_dns 0 Filter name: dot1x_ge-0/0/11

Packets 119 0 0 0 0 0

Packets 0 0 0 0 0 0

Packets 0 0 0 0 0 0

Packets 119 0 0 0 0 0



show captive-portal interface Syntax


Options

show captive-portal interface detail

Command introduced in Junos OS Release 10.1 for EX Series switches. Display the current operational state of all captive portal interfaces with the list of connected users and the configured values of captive portal attributes on the interfaces. none—Display all captive portal interfaces. interface-name—(Optional) Display the state for the specified captive portal interface

and lists the MAC address and user names of any clients authenticated on the interface. interface-name detail—(Optional) Displays the configured values of captive portal

attributes on the specified captive portal interface. Required Privilege Level Related Documentation


Output Fields

view

•


•


•

captive-portal on page 3691

•


•


•


show captive-portal interface (Only captive portal is enabled) on page 3787 show captive-portal interface (Both 802.1X authentication and captive portal are enabled) on page 3787 show captive-portal interface detail (Only captive portal is enabled) on page 3787 show captive-portal interface detail (Both 802.1X authentication and captive portal are enabled) on page 3787 Table 420 on page 3785 lists the output fields for the show captive-portal interface command. Output fields are listed in the approximate order in which they appear.

Table 420: show captive-portal interface Output Fields Field Name

Field Description

Level of Output

Interface

Interface on which captive portal has been configured.

All levels


3785

®


Table 420: show captive-portal interface Output Fields (continued) Field Name

Field Description

Level of Output

State

The state of the interface:

All levels

•

Authenticated—The client has been authenticated through the RADIUS server

or has been permitted access through server fail fallback. •

Authenticating—The client is authenticating through the RADIUS server.

•

Connecting—Switch is attempting to contact the RADIUS server.

•

Initialize—The interface link is down.

•

Held—An action has been triggered through server fail fallback during a

RADIUS server timeout. A supplicant is denied access, permitted access through a specified VLAN, or maintains the authenticated state granted to it before the RADIUS server timeout occurred. MAC address

The MAC address of the connected client on the interface..

brief

User

Users connected to the captive portal interface.

brief

Fallen back

Indicates when 802.1X authentication and captive portal are both enabled on an interface: •

If 802.1X authentication and captive portal are both enabled, CP fallen back status is Yes.

•

If 802.1X authentication and captive portal are not both enabled, CP fallen back status is No.

Supplicant mode

Mode used to authenticate clients—multiple, single, or single-supplicant.

detail

Number of retries

Number of times the user can attempt to submit authentication information.

detail

Quiet period

Time, in seconds, after a user exceeds the maximum number of retries before they can attempt to authenticate.

detail

Configured CP session timeout

Time, in seconds, that a client can be idle before the session expires.

detail

Server timeout

Time, in seconds, that an interface will wait for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action.

detail

Number of connected supplicants

Number of users connecting through the captive portal interface. Information for each user includes:

detail

•

Supplicant—User name and MAC address.

•

Operational state—See State (above).

•

Dynamic CP session timeout—Timeout value dynamically downloaded from

the RADIUS server for this user, if any. •

3786

CP Session expiration due in—Time remaining in session.



Sample Output show captive-portal interface (Only captive portal is enabled)

show captive-portal interface (Both 802.1X authentication and captive portal are enabled)

user@switch> show captive-portal interface Captive Portal Information: Interface State MAC address ge-0/0/1.0 Connecting ge-0/0/10.0 Connecting 00:30:48:8c:66:bd ge-6/0/5.0 Authenticated 00:30:48:8d:7a:9b user@switch> show captive-portal interface Captive Portal Information: Interface State MAC address ge-0/0/1.0 Connecting ge-0/0/10.0 Connecting 00:30:48:8c:66:bd ge-6/0/5.0 Authenticated 00:30:48:8d:7a:9b

User No User abcdeX

User No User abcdeX

show captive-portal interface detail (Only captive portal is enabled)

user@switch> show captive-portal interface detail ge-6/0/5.0 Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Configured CP session timeout: 3600 seconds Server timeout: 15 seconds CP fallen back: No Number of connected supplicants: 1 Supplicant: abcdeX, 00:30:48:8d:7a:9b Operational state: Authenticated Dynamic CP Session Timeout: 3600 seconds CP Session Expiration due in: 3583 seconds

show captive-portal interface detail (Both 802.1X authentication and captive portal are enabled)

user@switch> show captive-portal interface detail ge-6/0/5.0 Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Configured CP session timeout: 3600 seconds Server timeout: 15 seconds CP fallen back: Yes Number of connected supplicants: 1 Supplicant: abcdeX, 00:30:48:8d:7a:9b Operational state: Authenticated Dynamic CP Session Timeout: 3600 seconds CP Session Expiration due in: 3583 seconds


Fallen back

No

Fallen back

Yes

3787

®


show dot1x Syntax


show dot1x

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the current operational state of all ports with the list of connected users. This command displays the list of connected supplicants received from the RADIUS authentication server regardless of the session state—that is, for both authenticated supplicants and for supplicants that attempted authentication.

Options

none—Display information for all authenticator ports. brief | detail—(Optional) Display the specified level of output. interface interface-names—Display information for the specified port with a list of

connected supplicants. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


•


show dot1x interface brief on page 3791 show dot1x interface detail on page 3791 Table 421 on page 3788 lists the output fields for the show dot1x command. Output fields are listed in the approximate order in which they appear.

Table 421: show dot1x Output Fields Field Name

Field Description

Level of Output

Interface

Name of a port.

All levels

MAC address

The MAC address of the connected supplicant on the port.

All levels

3788



Table 421: show dot1x Output Fields (continued) Field Name

Field Description

Level of Output

Role

The 802.1X authentication role of the interface. When 802.1X is enabled on an interface, the role is Authenticator. As Authenticator, the interface blocks LAN access until a supplicant is authenticated through 802.1X or MAC RADIUS authentication.

brief, detail

State

The state of the port:

brief

•

Authenticated—The supplicant has been authenticated through the RADIUS

server or has been permitted access through server fail fallback. •

Authenticating—The supplicant is authenticating through the RADIUS server.

•

Held—An action has been triggered through server fail fallback during a

RADIUS server timeout. A supplicant is denied access, permitted access through a specified VLAN, or maintains the authenticated state granted to it before the RADIUS server timeout occurred. Administrative state

The administrative state of the port: •

detail

auto—Traffic is allowed through the port based on the authentication result.

(Default) •

force-authorize—All traffic flows through the port irrespective of the

authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic. •

force-unauthorize—All traffic drops on the port irrespective of the

authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic. Supplicant

The mode for the supplicant: •

detail

single—Authenticates only the first supplicant. All other supplicants who

connect later to the port are allowed full access without any further authentication. They effectively “piggyback” on the first supplicant’s authentication. •

single-secure—Allows only one supplicant to connect to the port. No other

supplicant is allowed to connect until the first supplicant logs out. •

multiple—Allows multiple supplicants to connect to the port. Each supplicant

is authenticated individually. Quiet period

The number of seconds the port remains in the wait state following a failed authentication exchange with the supplicant before reattempting the authentication. The default value is 60 seconds. The range is 0 through 65,535 seconds.

detail

Transmit period

The number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. The default value is 30 seconds. The range is 1 through 65,535 seconds.

detail

MAC radius

MAC RADIUS authentication:

detail

•

enabled—The switch sends an EAPOL request to the connecting host to

attempt 802.1X authentication and if the connecting host is unresponsive, the switch tries to authenticate using the MAC address. •

disabled—The default. The switch will not attempt to authenticate the MAC

address of the connecting host.


3789

®



Field Description

Level of Output

MAC radius restrict

The authentication method is restricted to MAC RADIUS only. 802.1X authentication is not enabled.

detail

Reauthentication

The reauthentication state:

detail

•

disable—Periodic reauthentication of the client is disabled.

•

interval—Sets the periodic reauthentication time interval. The default value

is 3600 seconds. The range is 1 through 65,535 seconds. Supplicant timeout

The number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default value is 30 seconds. The range is 1 through 60 seconds.

detail

Server timeout

The number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out. The default value is 30 seconds. The range is 1 through 60 seconds.

detail

Maximum EAPOL requests

The maximum number of retransmission times of an EAPOL request packet to the supplicant before the authentication session times out. The default value is 2. The range is 1 through 10.

detail

Number of clients bypassed because of authentication

The number of non-802.1X clients granted access to the LAN by means of static MAC bypass. The following fields are displayed:

detail

•

Client—MAC address of the client.

•

vlan —The name of the VLAN to which the client is connected.

Guest VLAN member

The VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. If a guest VLAN is not configured on the interface, this field displays .

detail

Number of connected supplicants

The number of supplicants connected to a port.

detail

Supplicant

The user name and MAC address of the connected supplicant.

detail

3790




Field Description

Level of Output

Authentication method

The 802.1X authentication method used for a supplicant:

detail

•

Guest VLAN—A supplicant is connected to the LAN through the guest VLAN.

•

MAC Radius—A nonresponsive host is authenticated based on its MAC address.

The MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected. •

Radius—A supplicant is configured on the RADIUS server, the RADIUS server

communicates this to the switch, and the switch opens LAN access on the interface to which the supplicant is connected. •

Server-fail deny—If the RADIUS servers time out, all supplicants are denied

access to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default. •

Server-fail permit—When the RADIUS server is unavailable, a supplicant is

still permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server. •

Server-fail use-cache—If the RADIUS servers time out during reauthentication,

previously authenticated supplicants are reauthenticated, but new supplicants are denied LAN access. •

Server-fail VLAN—A supplicant is configured to be moved to a specified VLAN

if the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.) Authenticated VLAN

The VLAN to which the supplicant is connected.

detail

Dynamic filter

User policy filter sent by the RADIUS server.

detail

Session Reauth interval

The configured reauthentication interval.

detail

Reauthentication due in

The number of seconds in which reauthentication will occur again for the connected supplicant.

detail

Sample Output show dot1x interface brief

user@switch> show dot1x interface [ge-0/0/1 ge-0/0/2 ge-0/0/3] brief Interface Role State MAC address -------- ------------------------ge-0/0/1 Authenticator Authenticated 00:a0:d2:18:1a:c8 ge-0/0/2 Authenticator Connecting ge-0/0/3 Supplicant Held 00:a6:55:f2:94:ae

show dot1x interface detail

User ----

user@switch> show dot1x interface ge-0/0/16.0 detail ge-0/0/16.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3


3791

®


Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 40 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: Number of connected supplicants: 1 Supplicant: abc, 00:30:48:8C:66:BD Operational state: Authenticated Authentication method: Radius Authenticated VLAN: v200 Reauthentication due in 17 seconds

3792



show dot1x authentication-failed-users Syntax Release Information Description Required Privilege Level Related Documentation


show dot1x authentication-failed-users

Command introduced in Junos OS Release 9.0 for EX Series switches. Displays supplicants (users) that have failed 802.1X authentication. view

•


•


•


show dot1x authentication-failed-users on page 3793 Table 422 on page 3793 lists the output fields for the show dot1x authentication-failed-users command. Output fields are listed in the approximate order in which they appear.

Table 422: show dot1x authentication-failed-users Output Fields Field Name

Field Description

Level of Output

Interface

The MAC address configured to bypass 802.1X authentication.

all

MAC address

The MAC address configured statically on the interface.

all

User

The user that is configured on the RADIUS server and that has failed 802.1X authentication.

all

Failure Count

The number of times that 802.1X authentication has failed on the interface.

all

Sample Output show dot1x authentication-failed-users

user@switch> show dot1x authentication-failed-users Interface ge-0/0/17.0 ge-0/0/20.0 ge-0/0/18.0 ge-0/0/19.0


MAC address 00:37:00:00:00:00 00:04:10:00:00:00 00:00:03:00:0a:00 00:00:03:00:0b:00

User 003700000000 000410000000 000003000a00 000003000b00

Failure Count 28 32 4 18

3793

®


show dot1x firewall Syntax Release Information Description



Output Fields

show dot1x firewall

Command introduced in Junos OS Release 9.5 for EX Series switches. Displays information about the firewall filters for each user or nonresponsive host that is authenticated on each 802.1X-enabled interface that is configured for multiple supplicants. For example, if the firewall filter is configured with a term for counters, the command shows the count for each user. interface interface-names—(Optional) Display information for the specified interface.

view

•


•

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on page 3611

show dot1x firewall on page 3794 show dot1x firewall on page 3794 Output fields include any action modifier that is specified in firewall filters.

Sample Output show dot1x firewall

(Showing counter action) user@switch> show dot1x firewall Filter: dot1x-filter-ge-0/0/3 Counters counter1_dot1x_ge-0/0/3_user1 counter1_dot1x_ge-0/0/3_user2

show dot1x firewall

342 857

(Showing policer action) user@switch> show dot1x firewall Filter: dot1x_ge-0/0/0 Counters p1-t1 494946

3794



show dot1x static-mac-address Syntax Release Information Description

Options

show dot1x static-mac-address

Command introduced in Junos OS Release 9.0 for EX Series switches. Displays all the static MAC addresses that are configured to bypass 802.1X authentication on the switch. interface [ interface-name ]—(Optional) Display static MAC addresses for a specific



Output Fields

view

•


•


•


•


show dot1x static-mac-address on page 3795 show dot1x static-mac-address interface ge-0/0/0.1 on page 3796 Table 423 on page 3795 lists the output fields for the show dot1x static-mac-address command. Output fields are listed in the approximate order in which they appear.

Table 423: show dot1x static-mac-address Output Fields Field Name

Field Description

Level of Output

MAC address

The MAC address of the device that is configured to bypass 802.1X authentication.

all

VLAN-Assignment

The name of the VLAN to which the device is assigned.

all

Interface

The name of the interface on which authentication is bypassed for a given MAC address.

all

Sample Output show dot1x static-mac-address

user@switch> show dot1x static-mac-address MAC address 00:00:00:11:22:33 00:00:00:00:12:12 00:00:00:02:34:56


VLAN-Assignment

facilities

Interface ge-0/0/3.0 ge-0/0/1.0

3795

®


show dot1x static-mac-address interface ge-0/0/0.1

3796

user@switch> show dot1x static-mac-address interface ge-0/0/0.1 MAC address 00:00:00:12:24:12 00:00:00:72:30:58

VLAN-Assignment support support





Release Information




•


•





view

•


•


•




Output Fields



3797

®



Field Description

Level of Output

Interface



Index


detail

State


none, brief, detail

Port mode


detail



detail



detail

VLAN membership



Tag



Tagging



Blocking



•


•


•




•


error. •







3798




Field Description

Level of Output



detail

mapping


detail

•


bundling). •


S-VLAN. •


•


•





State



ge-0/0/15.0

up

ge-0/0/16.0 ge-0/0/17.0

down down

VLAN members

Tag


300

100 200 100 200 100

vlan200


200

Tagging

Blocking




up

vlan100 vlan200

100 200

tagged tagged




3799

®










3800





show lldp Syntax

Release Information

Description

show lldp

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display information about Link Layer Discovery Protocol (LLDP) and Link Level Discovery Protocol–Media Endpoint Discovery (LLDP-MED) configuration and capabilities on the switch. LLDP and LLDP-MED are used to learn about and to distribute device information on network links.

NOTE: LLDP-MED is not available on the QFX Series.

Options

none—Display LLDP information for all interfaces. detail—(Optional) Display detailed LLDP information for all interfaces.

NOTE: fast-start is not available on the QFX Series.



Output Fields

view

•


•


•


•

Configuring LLDP

•

Understanding LLDP

show lldp on page 3804 show lldp detail on page 3804 Table 425 on page 3802 lists the output fields for the show lldp command. Output fields are listed in the approximate order in which they appear.


3801

®


Table 425: show lldp Output Fields Field Name

Field Description

Level of Output

LLDP

LLDP operating state. The state can be enabled or disabled.

All levels

NOTE: If a VLAN that has been configured for untagged packets on an interface also has Layer 2 protocol tunneling (L2PT) enabled for LLDP, the LLDP operating state for that interface is displayed as disabled. Advertisement interval

Frequency, in seconds, at which LLDP advertisements are sent.

All levels

This value is set by the advertisement-interval configuration statement. Transmit delay

Seconds of delay before advertisements are sent to neighbors following a change to a TLV (type, length, or value) element in the LLDP protocol or to the state of the local system, such as a change in hostname or management address. You can set this value to reduce the delay in notifying neighbors of a change in the local system.

All levels

This value is set by the transmit-delay configuration statement. Hold timer

Multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded.

All levels

This value is set by the hold-multiplier configuration statement. Notification interval

How often LLDP trap notifications are generated as a result of LLDP database changes. If the interval value is 0, LLDP trap notifications of database changes are disabled.

All levels

This value is set by the lldp-configuration-notification-interval configuration statement. Config Trap Interval

How often LLDP trap notifications are generated as a result of changes in topology—for example, when an endpoint connects or disconnects. If the interval value is 0, LLDP trap notifications of topology changes are disabled.

All levels

This value is set by the ptopo-configuration-trap-interval configuration statement. Connection Hold timer

Amount of time the system maintains dynamic topology entries.

All levels

This value is set by the ptopo-configuration-maximum-hold-time configuration statement. LLDP-MED

LLDP-MED operating state. The state can be enabled or disabled.

All levels

MED fast start count

Number of advertisements sent from a switch to a device, such as a VoIP telephone, when the device is first detected by the switch. These increased advertisements are temporary. After a device and a switch exchange information and can communicate, advertisements are reduced to one per second.

All levels

This value is set by the fast-start configuration statement. Interface

Name of the interface for which LLDP configuration information is being reported.

All levels

Parent Interface

Name of the aggregated Ethernet interface, if any, to which the interface belongs.

All levels

3802



Table 425: show lldp Output Fields (continued) Field Name

Field Description

Level of Output

LLDP

LLDP operating state. The state can be enabled or disabled.

All levels

Neighbor count

Total number of new LLDP neighbors detected since the last switch reboot.

detail

Interface

Name of the interface that is advertising VLAN information.

All levels

Vlan-id

VLAN tag associated with the interface sending LLDP frames. If the interface is not a member of a VLAN, the VLAN ID is advertised as 0.

detail

Vlan-name

VLAN name associated with the VLAN ID.

detail

LLDP basic TLVs supported

Basic TLVs supported on the switch:

detail

•

Chassis identifier—TLV that advertises the MAC address associated with the

local system. •

Port identifier—TLV that advertises the port identification for the specified

port in the local system. •

Port description—Interface name for the port.

•

System name—TLV that advertises the user-configured name of the local

system. •

System description—TLV that advertises the system description containing

information about the software and current image running on the system. This information is taken from the software and is not configurable. •

System capabilities—TLV that advertises the primary functions performed by

the system—for example, bridge or router. •

Management address—TLV that advertises the IP management address of

the local system. Supported LLDP 802 TLVs

802.3 TLVs supported on the switch: •

detail

MAC/PHY configuration status—TLV that advertises information about the

physical interface, such as autonegotiation status and support and MAU type. The information is based on the physical interface structure and is not configurable. •

Power via MDI—TLV that advertises MDI power support, PSE power pair, and

power class information. •

Link aggregation—TLV that advertises if the interface is aggregated and its

aggregated interface ID. •

Maximum frame size—TLV that advertises the maximum transmission unit

(MTU) of the interface sending LLDP frames. •

Port VLAN tag—TLV that advertises the VLAN tag configured on the interface.

•

Port VLAN name—TLV that advertises the VLAN name configured on the

interface.


3803

®


Table 425: show lldp Output Fields (continued) Field Name

Field Description

Level of Output

Supported LLDP MED TLVs

LLDP-MED TLVs supported on the switch:

detail

•

LLDP MED capabilities—TLV that advertises the primary function of the port.

The capabilities values range from 0 through 15:

•

•

0—Capabilities

•

1—Network Policy

•

2—Location Identification

•

3—Extended Power via MDI-PSE

•

4—Inventory

•

5–15—Reserved

Network policy—TLV that advertises the port VLAN configuration and

associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types—such as voice or streaming video—802.1Q VLAN tagging, and 802.1p priority bits and DiffServ code points. •

Endpoint location—TLV that advertises the physical location of the endpoint.

•

Extended power Via MDI—TLV that advertises the power type, power source,

power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.

Sample Output show lldp

user@switch> show lldp LLDP Advertisement interval Transmit delay Hold timer Notification interval Config Trap Interval Connection Hold timer

: : : : : : :

LLDP MED MED fast start count

: Disabled : 3 Packets

Interface all me0.0

show lldp detail

3804

Enabled 30 seconds 2 seconds 4 seconds 0 Second(s) 0 seconds 300 seconds

Parent Interface -

LLDP Enabled Disabled

LLDP-MED -

user@switch> show lldp detail LLDP Advertisement interval Transmit delay Hold timer Notification interval Config Trap Interval Connection Hold timer

: : : : : : :

Enabled 30 seconds 2 seconds 4 seconds 0 Second(s) 0 seconds 300 seconds

LLDP MED MED fast start count

: Disabled : 3 Packets



Interface all me0.0

Parent Interface -

LLDP Enabled Disabled

LLDP-MED -

Interface xe-3/0/0.0 xe-3/0/0.0 xe-3/0/0.0 xe-3/0/1.0 xe-3/0/1.0 xe-3/0/1.0 xe-3/0/2.0 xe-3/0/2.0 xe-3/0/2.0

Parent Interface ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0

Vlan-id 100 101 4000 100 101 4000 100 101 4000

Vlan-name v100 v101 v4000 v100 v101 v4000 v100 v101 v4000

Neighbor count 8 0

LLDP basic TLVs supported: Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address. Supported LLDP 802 TLVs: MAC/PHY configuration/status, Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name. Supported LLDP MED TLVs: LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.


3805

®


show lldp local-information Syntax Release Information

Description



show lldp local-information

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the information that the switch provides in Link Layer Discovery Protocol (LLDP) advertisements to its neighbors. view

•


•


•

management-address on page 3728

•

Configuring LLDP

•

Understanding LLDP

show lldp local-information (EX Series Switch) on page 3807 Table 426 on page 3806 lists the output fields for the show lldp local-information command. Output fields are listed in the approximate order in which they appear.

Table 426: show lldp local-information Output Fields Field Name

Field Description

LLDP Local Information details

Information about the local system (the switch): •

Chassis ID—MAC address associated with the switch.

•

System name—User-configured name of the switch.

•

System descr—System description containing information about the switch

model and the current software image running on the switch. This information is taken from the software and is not configurable. System Capabilities

Capabilities (such as bridge or router) that are supported or enabled on the system.

Management Information

Details of the management information: Port Name, Port Address (such as 10.204.34.35), Address Type (such as ipv4 or ipv6), Port ID (SNMP interface index), Port ID Subtype, and Port Subtype. The Port Subtype displays: •

ifIndex(2)— IP address of the switch's management Ethernet interface (me0) or virtual management Ethernet (VME) interface address (for a virtual chassis)

is used to manage the switch. •

3806

unknown(1)—IP management address has been configured with set protocols lldp management-address.



Table 426: show lldp local-information Output Fields (continued) Field Name

Field Description

Interface name

Name of the local interface which is configured for either LLDP or LLDP-MED.

Parent Interface

Name of the aggregated Ethernet interface, if any, to which the local interface belongs.

SNMP Index

SNMP interface index.

Interface description

User-configured port description.

Status

Administrative status of the interface: either up or down.

Tunneling

Status of tunneling on the interface: either enabled or disabled.

Sample Output show lldp local-information (EX Series Switch)

user@switch> show lldp local-information LLDP Local Information details Chassis ID : 00:1d:b5:aa:b9:f0 System name : switch System descr : Juniper Networks, Inc. ex8208 , version 10.4I0 [builder] Build date: 2010-11-17 12:38:30 UTC System Capabilities Supported : Bridge Router Enabled : Bridge Router Management Information Port Name : Port Address : 10.93.54.6 Address Type : IPv4 Port ID : 34 Port ID Subtype : local(7) Port Subtype : ifIndex(2) Interface name me0.0 xe-3/0/0.0 xe-3/0/1.0 xe-3/0/2.0 xe-3/0/3.0 xe-3/0/4.0 xe-3/0/5.0 xe-3/0/6.0 xe-3/0/7.0


Parent Interface ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0

SNMP Index Interface description Status Tunneling 34 Down Disabled 769 xe-3/0/0.0 Up Disabled 770 xe-3/0/1.0 Up Disabled 771 xe-3/0/2.0 Up Disabled 772 xe-3/0/3.0 Up Disabled 577 xe-3/0/4.0 Up Disabled 578 xe-3/0/5.0 Up Disabled 579 xe-3/0/6.0 Up Disabled 581 xe-3/0/7.0 Up Disabled

3807

®


show lldp neighbors Syntax


Options

show lldp neighbors

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the information about neighboring devices learned by the switch by using the Link Layer Discovery Protocol (LLDP). none—Display LLDP neighbor information for all interfaces. interface interface—(Optional) Display LLDP neighbor information for a selected interface.


view

•


•



show lldp neighbors on page 3810 show lldp neighbors interface ge-0/0/2 on page 3811 show lldp neighbors interface ge-0/0/0.0 (for a VoIP AvayaTelephone with LLDP-MED Support) on page 3811 show lldp neighbors interface ge-0/0/5.0 (with NetBIOS Snooping Enabled on the Switch) on page 3813

Output Fields

Table 427 on page 3808 lists the output fields for the show lldp neighbors command. Output fields are listed in the approximate order in which they appear.

Table 427: show lldp neighbors Output Fields

3808

Field Name

Field Description

Local Interface

List of local interfaces for which neighbor information is available.

Parent Interface

List of aggregated Ethernet interfaces, if any, to which the local interfaces belong.

Chassis ID

List of chassis identifiers for neighbors.

Port info

List of port information gathered from neighbors. This could be the port identifier or port description.

System name

List of system names gathered from neighbors.

LLDP Neighbor Information

Information about both the local system (the switch) and a neighbor system on the interface (appears when the interface option is used).



Table 427: show lldp neighbors Output Fields (continued) Field Name

Field Description

Local Information

Information about the local system (appears when the interface option is used).

Index

Local interface index (appears when the interface option is used).

Time to live

Number of seconds for which this information is valid (appears when the interface option is used).

Time mark

Date and timestamp of information (appears when the interface option is used).

Local Interface

Name of the local physical interface (appears when the interface option is used).

Parent Interface

Name of the aggregated Ethernet interface, if any, to which the interface belongs (appears when the interface option is used).

Local Port ID

Local interface SNMP index (appears when the interface option is used).

Ageout Count

Number of times the complete set of information advertised by the neighbor has been deleted from LLDP neighbor information maintained by the local system because the information timeliness interval has expired (appears when the interface option is used).

Neighbor Information

Information about a neighbor system on the interface (appears when the interface option is used).

Chassis type

Type of chassis identifier supplied, such as MAC address (appears when the interface option is used).

Chassis ID

Chassis identifier of the chassis type listed (appears when the interface option is used).

Port type

Type of port identifier supplied, such as locally assigned (appears when the interface option is used).

Port ID

Port identifier of the port type listed (appears when the interface option is used).

Port description

Port description (appears when the interface option is used).

System name

Name supplied by the system on the interface (appears when the interface option is used).

System Description

Description supplied by the system on the interface (appears when the interface option is used).

System capabilities

Capabilities (such as Bridge, Router, and Telephone) that are supported or enabled by the system on the interface (appears when the interface option is used).


3809

®


Table 427: show lldp neighbors Output Fields (continued) Field Name

Field Description

Management Info

Details of management information: Type (such as ipv4 or ipv6), Address (such as 10.204.34.35), Port ID, Subtype, Interface Subtype, and organization identifier (OID) (appears when the interface option is used). The Interface Subtype displays: •

ifIndex(2)— IP address of the neighbor’s management Ethernet interface (me0) or virtual management Ethernet (VME) interface address (for a

virtual chassis) is used to manage the switch. •

unknown(1)—Neighbor’s IP management address has been configured with set protocols lldp management-address.

Media Info

Additional details about the endpoint device appear when a device that supports LLDP-MED is attached to the interface. The specific details depend upon the capabilities of the device. Details might include: Media endpoint class (such as Class 3 for communication devices such as IP phones), MED Hardware revision, MED Firmware revision, MED Software revision, MED Serial number, MED Manufacturer name, MED Model name.

Organization Info

One or more entries listing remote information by organizationally unique identifier (OUI), Subtype, Index, and Info (appears when the interface option is used).

Age

How long the neighbor has been identified (appears when the interface option is used and NetBIOS snooping is enabled on the switch).

Local Interface

Name of the local physical interface (appears when the interface option is used and NetBIOS snooping is enabled on the switch).

Parent Interface

Name of the aggregated Ethernet interface, if any, to which the interface belongs (appears when the interface option is used and NetBIOS snooping is enabled on the switch).

Chassis ID

Chassis identifier of the chassis type listed (appears when the interface option is used and NetBIOS snooping is enabled on the switch).

Port description

Port description (appears when the interface option is used and NetBIOS snooping is enabled on the switch).

System name

NetBIOS name of the host (appears when the interface option is used and NetBIOS snooping is enabled on the switch).

Sample Output show lldp neighbors

user@switch> show lldp neighbors Local Interface xe-3/0/4.0 xe-3/0/5.0 xe-3/0/6.0 xe-3/0/7.0 xe-3/0/0.0

3810

Parent Interface ae31.0 ae31.0 ae31.0 ae31.0 ae31.0

Chassis Id b0:c6:9a:63:80:40 b0:c6:9a:63:80:40 b0:c6:9a:63:80:40 b0:c6:9a:63:80:40 b0:c6:9a:63:80:40

Port info xe-0/0/0.0 xe-0/0/1.0 xe-0/0/2.0 xe-0/0/3.0 xe-0/1/0.0

System Name newyork31 newyork31 newyork31 newyork31 newyork31



xe-3/0/1.0 xe-3/0/2.0 xe-3/0/3.0

show lldp neighbors interface ge-0/0/2

ae31.0 ae31.0 ae31.0

b0:c6:9a:63:80:40 b0:c6:9a:63:80:40 b0:c6:9a:63:80:40

xe-0/1/1.0 xe-0/1/2.0 xe-0/1/3.0

newyork31 newyork31 newyork31

user@switch> show lldp neighbors interface ge-0/0/2 LLLDP Neighbor Information: Local Information: Index: 1 Time to live: 240 Time mark: Wed Dec Local Interface : ge-0/0/2.0 Parent Interface : Local Port ID : 507 Ageout Count : 0

1 10:23:24 2010 Age: 29 secs

Neighbour Information: Chassis type : Mac address Chassis ID : 00:1f:12:38:7f:c0 Port type : Locally assigned Port ID : 507 Port description : ge-0/0/2.0 System name : bng-l48p5-dev

System Description : Juniper Networks, Inc. ex4200-48p , version 10.4I0 Build date: 2010-11-30 09:32:17 UTC System capabilities Supported : Bridge Router Enabled : Bridge Router Management Info Type : IPv4 Address : 10.204.96.235 Port ID : 34 Subtype : 1 Interface Subtype : ifIndex(2) OID : 1.3.6.1.2.1.31.1.1.1.1.34 Media endpoint class: Network Connectivity

show lldp neighbors interface ge-0/0/0.0 (for a VoIP AvayaTelephone with LLDP-MED Support)

Organization Info OUI : Subtype : Index : Info :

0.12.f 1 1 22A8360000


0.12.f 2 2 030100

user@switch>show lldp neighbors interface ge-0/0/0.0 LLDP Neighbor Information: Local Information: Index: 20 Time to live: 120 Time mark: Thu Apr 15 22:26:22 2010 Age: 16 secs Local Interface : ge-0/0/0.0 Parent Interface : Local Port ID : 517 Ageout Count : 0


3811

®


Neighbour Information: Chassis type : Network address Chassis ID : 0.0.0.0 Port type : Mac address Port ID : 00:04:0d:fc:55:48 System name : AVAFC5548 System capabilities Supported : Bridge Telephone Enabled : Bridge Management Info Type : Address : Port ID : Subtype : Interface Subtype : OID : Media endpoint class: Class MED MED MED MED MED MED

Hardware revision Firmware revision Software revision Serial number Manufacturer name Model name

: : : : : :

IPv4 0.0.0.0 1 1 ifIndex(2) 1.3.6.1.2.1.31.1.1.1.1.1 III Device

4610D01A b10d01b2_9.bin a10d01b2_9.bin 07N510103424 Avaya 4610


0.18.15 1 1 036CA00010


0.18.15 1 2 002303


0.18.15 2 3 014001AE


0.18.15 5 4 3436313044303141


0.18.15 6 5 62313064303162325F392E62696E

Organization Info OUI : 0.18.15 Subtype : 7 Index : 6

3812



Info

show lldp neighbors interface ge-0/0/5.0 (with NetBIOS

: 61313064303162325F392E62696E


0.18.15 8 7 30374E353130313033343234


0.18.15 9 8 4176617961


0.18.15 10 9 34363130


0.18.15 1 10 000028003C


0.18.15 3 11 00000000


0.18.15 4 12 000000000000000000000000


0.18.15 5 13 00000000


0.18.15 6 14 00000000


0.18.15 7 15 01

user@switch> show lldp neighbors interface ge-0/0/5 Age: 299999 secs Local Interface


: ge-0/0/5.0

3813

®


Snooping Enabled on the Switch)

3814

Parent Interface Chassis ID Port description System name

: : : :

00:10:94:00:00:02 169.254.58.17 JNPRU\



show lldp remote-global-statistics Syntax Release Information Description Options Required Privilege Level Related Documentation


show lldp remote-global-statistics

Command introduced in Junos OS Release 10.0 for EX Series switches. Display remote Link Layer Discovery Protocol (LLDP) global statistics. This command has no options. view

•


•


show lldp remote-global-statistics on page 3816 Table 428 on page 3815 describes the output fields for the show lldp remote-global-statistics command. Output fields are listed in the approximate order in which they appear.

Table 428: show lldp remote-global-statistics Output Fields Field Name

Field Description

LLDP Remote Database Table Counters

Information about remote database table counters.

LastchangeTime

Time elapsed between LLDP agent startup and the last change to the remote database table information.

Inserts

Number of insertions made in the remote database table.

Deletes

Number of deletions made in the remote database table.

Drops

Number of LLDP frames dropped from the remote database table because of errors.

Ageouts

Number of remote database table entries that have aged out of the table.


3815

®


Sample Output show lldp remote-global-statistics

3816

user@host> show lldp remote-global-statistics user@host> show lldp remote-global-statistics LLDP Remote Database Table Counters LastchangeTime Inserts Deletes 00:00:76 (76 sec) 192 0

Drops 0

Ageouts 0



show lldp statistics Syntax


show lldp statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. Display LLDP statistics for all interfaces or for the specified interface. none—Display LLDP statistics for all interfaces. interface interface—(Optional) Display LLDP statistics for the specified interface.



Output Fields

view

•


•


show lldp statistics on page 3818 show lldp statistics interface xe-3/0/0.0 on page 3818 Table 429 on page 3817 lists the output fields for the show lldp statistics command. Output fields are listed in the approximate order in which they appear.

Table 429: show lldp statistics Output Fields Field Name

Field Description

Interface


Parent Interface

Name of the aggregated Ethernet interface, if any, to which the interface belongs. NOTE: Because LLDP packets are transmitted and received on member interfaces only, statistics are available only for the member interfaces, not for the aggregated interface.

Received

Total number of LLDP frames received on an interface.

Unknown TLVs

Number of unrecognized LLDP TLVs received on an interface.

With Errors

Number of invalid LLDP TLVs received on an interface.

Discarded

Number of LLDP TLVs received and then discarded on an interface.

Transmitted

Total number of LLDP frames that were transmitted on an interface.

Untransmitted

Total number of LLDP frames that were untransmitted on an interface.


3817

®


Sample Output show lldp statistics

user@switch> show lldp statistics Interface xe-3/0/0.0 xe-3/0/1.0 xe-3/0/2.0 xe-3/0/3.0 xe-3/0/4.0 xe-3/0/5.0 xe-3/0/6.0 xe-3/0/7.0 xe-5/0/6.0 xe-5/0/7.0

Parent Interface ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 ae31.0 -

Discarded TLVs 0 0 0 0 0 0 0 0 0 0

show lldp statistics interface xe-3/0/0.0

Unknown TLVs 0 0 0 0 0 0 0 0 0 0

With Errors 0 0 0 0 0 0 0 0 0 0

Untransmitted 1 1 1 1 1 1 1 1 0 0

user@switch> show lldp statistics interface xe-3/0/0.0 Interface xe-3/0/0.0

Parent Interface ae31.0

Discarded TLVs 0

3818

Transmitted 3044 3044 3044 3044 3075 3075 3075 3075 17312 17312

Received 1564 1564 1565 1566 1598 1598 1596 1597 0 0

Transmitted 3046

Received 1566

Unknown TLVs 0

With Errors 0

Untransmitted 1



show network-access aaa statistics accounting Syntax Release Information



show network-access aaa statistics accounting

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for QFX Series switches. Display authentication, authorization, and accounting (AAA) accounting statistics. view

•

accounting-server on page 3677

•

accounting-stop-on-access-deny on page 3679

•


•


show network-access aaa statistics accounting on page 3819 Table 430 on page 3819 lists the output fields for the show network-access aaa statistics accounting command. Output fields are listed in the approximate order in which they appear.

Table 430: show network-access aaa statistics accounting Output Fields Field Name

Field Description

Requests received

The number of accounting-request packets sent from a switch to a RADIUS accounting server.

Accounting Response failures

The number of accounting-response failure packets sent from the RADIUS accounting server to the switch.

Accounting Response Success

The number of accounting-response success packets sent from the RADIUS accounting server to the switch.

Requests timedout

The number of requests-timedout packets sent from the RADIUS accounting server to the switch.

Sample Output show network-access aaa statistics accounting

user@switch> show network-access aaa statistics accounting Accounting module statistics Requests received: 1 Accounting Response failures: 0 Accounting Response Success: 1 Requests timedout: 0


3819

®


show network-access aaa statistics authentication Syntax Release Information


show network-access aaa statistics authentication

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for QFX Series switches. Display authentication, authorization, and accounting (AAA) authentication statistics. view

•

authentication-server on page 3688

•



show network-access aaa statistics authentication on page 3820 show network-access aaa statistics authentication (in QFX Series Switches) on page 3820

Output Fields

Table 431 on page 3820 lists the output fields for the show network-access aaa statistics authentication command. Output fields are listed in the approximate order in which they appear.

Table 431: show network-access aaa statistics authentication Output Fields Field Name

Field Description

Requests received

The number of authentication requests received by the switch.

Accepts

The number of authentication accepts received by the RADIUS server.

Rejects

The number authentication rejects sent by the RADIUS server.

Challenges

The number of authentication challenges sent by the RADIUS server.

Sample Output show network-access aaa statistics authentication

show network-access aaa statistics authentication (in QFX Series Switches)

3820

user@switch> show network-access aaa statistics authentication Authentication module statistics Requests received: 2 Accepts: 1 Rejects: 0 Challenges: 1 user@lf0> show network-access aaa statistics authentication Authentication module statistics Requests received: 2 Accepts: 1 Rejects: 0 Challenges: 1



show network-access aaa statistics dynamic-requests Syntax Release Information

Description



show network-access aaa statistics dynamic-requests;

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for QFX Series switches. Display authentication, authorization, and accounting (AAA) authentication statistics for disconnects. view

•

authentication-server on page 3688

•


show network-access aaa statistics authentication on page 3821 Table 432 on page 3821 lists the output fields for the show network-access aaa statistics dynamic-requests command. Output fields are listed in the approximate order in which they appear.

Table 432: show network-access aaa statistics dynamic-requests Output Fields Field Name

Field Description

Requests received

The number of dynamic requests received by the RADIUS server.

Processed successfully

The number of dynamic requests successfully processed by the RADIUS server.

Errors during processing

The number of errors that occurred while the RADIUS server was processing the dynamic request.

Silently dropped

The number of silently dropped requests.

Sample Output show network-access aaa statistics authentication

user@switch> show network-access aaa statistics dynamic-requests Dynamic-requests module statistics Requests received: 0 Processed successfully: 0 Errors during processing: 0 Silently dropped: 0


3821

®


3822


PART 19

Access Privileges •

Access Privileges—Overview on page 3825

•

Examples: Access Privileges Configuration on page 3835

•

Configuring Access Privileges on page 3845

•

Configuration Statements for Access Privileges on page 3849

•

Operational Commands for Access Privileges on page 3999


3823

®


3824


CHAPTER 93

Access Privileges—Overview •

Understanding Junos OS Access Privilege Levels on page 3825

•

Junos OS Login Classes Overview on page 3829

•

Access Privilege User Permission Flags Overview on page 3830

•

Specifying Access Privileges for Junos OS Configuration Mode Hierarchies on page 3832

Understanding Junos OS Access Privilege Levels Each top-level command-line interface (CLI) command and each configuration statement have an access privilege level associated with them. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission flags. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement. The following sections provide additional information about permissions: •

Junos OS Login Class Permission Flags on page 3825

•

Allowing or Denying Individual Commands for Junos OS Login Classes on page 3828

Junos OS Login Class Permission Flags The permissions statement specifies one or more of the permission flags listed in Table 433 on page 3826. Permission flags are not cumulative, so for each class you must list all the permission flags needed, including view to display information and configure to enter configuration mode. Two forms of permissions control for individual parts of the configuration are: •

"Plain” form—Provides read-only capability for that permission type. An example is interface.

•

Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.


3825

®


Table 433 on page 3826 lists the Junos OS login class permission flags that you can configure by including the permissions statement at the [edit system login class class-name] hierarchy level.

Table 433: Login Class Permission Flags

3826

Permission Flag

Description

access

Can view the access configuration in configuration mode and with the show configuration operational mode command.

access-control

Can view and configure access information at the [edit access] hierarchy level.

admin

Can view user account information in configuration mode and with the show configuration operational mode command.

admin-control

Can view user accounts and configure them at the [edit system login] hierarchy level.

all-control

Can access all operational mode commands and configuration mode commands. Can modify configuration in all the configuration hierarchy levels.

clear

Can clear (delete) information learned from the network that is stored in various network databases by using the clear commands.

configure

Can enter configuration mode by using the configure command.

control

Can perform all control-level operations—all operations configured with the -control permission flags.

field

Can view field debug commands. Reserved for debugging support.

firewall

Can view the firewall filter configuration in configuration mode.

firewall-control

Can view and configure firewall filter information at the [edit firewall] hierarchy level.

floppy

Can read from and write to the removable media.

flow-tap

Can view the flow-tap configuration in configuration mode.

flow-tap-control

Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap] hierarchy level.


Chapter 93: Access Privileges—Overview

Table 433: Login Class Permission Flags (continued) Permission Flag

Description

flow-tap-operation

Can make flow-tap requests to the router or switch. For example, a Dynamic Tasking Control Protocol (DTCP) client must authenticate itself to the Junos OS as an administrative user. That account must have flow-tap-operation permission. NOTE: The flow-tap-operation option is not included in the all-control permissions flag.

idp-profiler-operation

Can view profiler data.

interface

Can view the interface configuration in configuration mode and with the show configuration operational mode command.

interface-control

Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can edit configuration at the following hierarchy levels: •

[edit chassis]

•

[edit class-of-service]

•

[edit groups]

•

[edit forwarding-options]

•

[edit interfaces]

maintenance

Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell by using the su root command, and can halt and reboot the router by using the request system commands.

network

Can access the network by using the ping, ssh, telnet, and traceroute commands.

pgcp-session-mirroring

Can view the pgcp session mirroring configuration.

pgcp-session-mirroring-control

Can modify the pgcp session mirroring configuration.

reset

Can restart software processes by using the restart command and can configure whether software processes are enabled or disabled at the [edit system processes] hierarchy level.

rollback

Can use the rollback command to return to a previously committed configuration other than the most recently committed one.

routing

Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.


3827

®


Table 433: Login Class Permission Flags (continued) Permission Flag

Description

routing-control

Can view general routing, routing protocol, and routing policy configuration information and can configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level.

secret

Can view passwords and other authentication keys in the configuration.

secret-control

Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.

security

Can view security configuration in configuration mode and with the show configuration operational mode command.

security-control

Can view and configure security information at the [edit security] hierarchy level.

shell

Can start a local shell on the router or switch by using the start shell command.

snmp

Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.

snmp-control

Can view SNMP configuration information and can modify SNMP configuration at the [edit snmp] hierarchy level.

system

Can view system-level information in configuration and operational modes.

system-control

Can view system-level configuration information and configure it at the [edit system] hierarchy level.

trace

Can view trace file settings and configure trace file properties.

trace-control

Can modify trace file settings and configure trace file properties.

view

Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.

view-configuration

Can view all of the configuration (excluding secrets).

Allowing or Denying Individual Commands for Junos OS Login Classes By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of

3828



operational and configuration mode commands that would otherwise be permitted or not allowed by a privilege level specified in the permissions statement. •

The all login class permission bits take precedence over extended regular expressions when a user with rollback permission issues the rollback command.

•

Expressions used to allow and deny commands for users on RADIUS and TACACS+ servers have been simplified. Instead of a single, long expression with multiple commands (allow-commands=cmd1 cmd2 ... cmdn), you can specify each command as a separate expression. This new syntax is valid for allow-configuration-regexps and deny-configuration-regexps, allow-commands and deny-commands, and all user permission bits.

•

Users cannot issue the load override command when specifying an extended regular expression. Users can only issue the merge, replace, and patch configuration commands.

•

If you allow and deny the same commands, the allow-commands permissions take precedence over the permissions specified by the deny-commands. For example, if you include allow-commands "request system software add" and deny-commands "request system software add", the login class user is allowed to install software using the request system software add command.

•

Regular expressions for allow-commands and deny-commands can also include the commit, load, rollback, save, status, and update commands.

•

If you specify a regular expression for allow-commands and deny-commands with two different variants of a command, the longest match is always executed. For example, if you specify a regular expression for allow-commands with the commit-synchronize command and a regular expression for deny-commands with the commit command, users assigned to such a login class would be able to issue the commit synchronize command, but not the commit command. This is because commit-synchronize is the longest match between commit and commit-synchronize and it is specified for allow-commands. Likewise, if you specify a regular expression for allow-commands with the commit command and a regular expression for deny-commands with the commit-synchronize command, users assigned to such a login class would be able to issue the commit command, but not the commit-synchronize command. This is because commit-synchronize is the longest match between commit and commit-synchronize and it is specified for deny-commands.


•


Junos OS Login Classes Overview All users who can log in to the router or switch must be in a login class. With login classes, you define the following: •

Access privileges that users have when they are logged in to the router or switch

•

Commands and statements that users can and cannot specify


3829

®


•

How long a login session can be idle before it times out and the user is logged out

You can define any number of login classes and then apply one login class to an individual user account. The Junos OS contains a few predefined login classes, which are listed in Table 434 on page 3830. The predefined login classes cannot be modified.

Table 434: Predefined System Login Classes Login Class

Permission Flag Set

operator

clear, network, reset, trace, and view

read-only

view

superuser or super-user

all

unauthorized

None

NOTE: •

You cannot modify a predefined login class name. If you issue the set command on a predefined class name, the Junos OS appends -local to the login class name. The following message also appears: warning: '' is a predefined class name; changing to '-local'

•

You cannot issue the rename or copy command on a predefined login class. Doing so results in the following error message: error: target '' is a predefined class


•


•


•

Understanding QFabric System Login Classes

Access Privilege User Permission Flags Overview Permission flags are used to grant a user access to operational mode commands and configuration hierarchy levels and statements. By specifying a specific permission flag on the user's login class at the [edit system login class] hierarchy level, you grant the user access to the corresponding commands and configuration hierarchy levels and statements. To grant access to all commands and configuration statements, use the all permissions flag. For permission flags that grant access to configuration hierarchy levels and statements, the flags grant read-only privilege to that configuration. For example, the interface

3830



permissions flag grants read-only access to the [edit interfaces] hierarchy level. The -control form of the flag grants read-write access to that configuration. Using the preceding example, interface-control grants read-write access to the [edit interfaces] hierarchy level. The permission flags listed in "Related Documentation" grant a specific set of access privileges. Each permission flag is listed with the operational mode commands and configuration hierarchy levels and statements for which that flag grants access.

NOTE: Each command listed represents that command and all subcommands with that command as a prefix. Each configuration statement listed represents the top of the configuration hierarchy to which that flag grants access.


•


•

access on page 3850

•

access-control on page 3851

•

admin on page 3852

•

admin-control on page 3852

•

all-control on page 3853

•

clear on page 3853

•

configure on page 3887

•

control on page 3887

•

field on page 3887

•

firewall on page 3888

•

firewall-control on page 3889

•

floppy on page 3889

•

flow-tap on page 3890

•

flow-tap-operation on page 3891

•

idp-profiler-operation on page 3891

•

interface on page 3891

•

interface-control on page 3892

•

maintenance on page 3893

•

network on page 3899

•

pgcp-session-mirroring on page 3901

•

pgcp-session-mirroring-control on page 3901

•

reset on page 3902


3831

®


•

rollback on page 3902

•

routing on page 3903

•

routing-control on page 3907

•

secret on page 3911

•

secret-control on page 3912

•

security on page 3913

•

security-control on page 3916

•

shell on page 3920

•

snmp on page 3920

•

system on page 3921

•

system-control on page 3922

•

trace on page 3924

•

trace-control on page 3929

•

view on page 3934

•

view-configuration on page 3997

Specifying Access Privileges for Junos OS Configuration Mode Hierarchies The allow/deny-configuration and allow/deny-configuration-regexps statements let you explicitly allow or deny users access privileges to portions of the configuration hierarchy. Each of these statements is added to named login classes and configured with one or more regular expressions to be allowed or denied. Each login class is assigned to specific users or user IDs. The search and match methods differ in the two forms of these statements. You must select which form to use within a login class—you cannot configure allow-configuration and allow-configuration-regexps together in the same login class. You must select just one. If you have existing configurations using the allow/deny-configuration form of the statements, using the same configuration options with the allow/deny-configuration-regexps form of the statements might not produce the same results. •

Allow/deny-configuration statements perform slower matching, with more flexibility,

especially in wildcard matching. However, it can take a very long time to evaluate all of the possible statements if a great number of full path regular expressions or wildcard expressions are configured, possibly impacting performance. These statements were introduced before Junos OS Release 7.4. •

Allow/deny-configuration-regexps statements perform faster matching, with less

flexibility. You configure a set of strings in which each string is a regular expression, with spaces between the terms of the string. This provides very fast matching. However, it is more tedious to use wildcard expressions in this form of the statement, because

3832



you must set up wildcards for each token (term) of the space-delimited string you want to match. These statements were introduced in Junos OS Release 11.2. Related Documentation

•


•

Example: Configuring Access Privilege Levels on page 3835

•


•



3833

®


3834


CHAPTER 94

Examples: Access Privileges Configuration •


•

Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements on page 3835

•

Example: Configuring Access Privileges for Operational Mode Commands on page 3839

•

Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements on page 3840

Example: Configuring Access Privilege Levels Create two access privilege classes on the router or switch, one for configuring and viewing user accounts only and the second for configuring and viewing SNMP parameters only: [edit] system { login { class user-accounts { permissions [ configure admin admin-control ]; } class network-mgmt { permissions [ configure snmp snmp-control ]; } } }


•


Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements This example shows how to set up configuration access privileges using the allow-configuration-regexps and deny-configuration-regexps statements. •


•


•


•

Examples Using Allow or Deny Configurations with Regular Expressions on page 3837


3835

®



One Juniper Networks J Series, M Series, MX Series, or T Series device

•

Junos OS Release 11.2 or later •

There must be at least one user assigned to a login class.

•

There can be more than one login class, each with varying permission configurations, and more than one user on the device.

Overview The allow-configuration-regexps and deny-configuration-regexps statements let you explicitly allow or deny users assigned to named user classes access privileges to portions of the configuration hierarchy, giving the system administrator precision control over who can change specific configurations in the system.

NOTE: The statements allow-configuration-regexps and deny-configuration-regexps perform similar functions as the statements allow-configuration and deny-configuration, except you can configure sets of strings in which the strings include spaces when using the first set of statements. You cannot use the two kinds of statements together.

Configuration To set up configuration access privileges: 1.

To explicitly allow one or more individual configuration mode hierarchies that would otherwise be denied, include the allow-configuration-regexps statement at the [edit system login class class-name] hierarchy level, configured with the regular expressions to be allowed. [edit system login class class-name] user@host# set allow-configuration-regexps "regular expression 1" "regular expression 2" "regular expression 3" "regular expression 4" ...

2. To explicitly deny one or more individual configuration hierarchies that would otherwise

be allowed, include the deny-configuration-regexps statement at the [edit system login class class-name] hierarchy level, configured with the regular expressions to be denied. [edit system login class class-name] user@host# set deny-configuration-regexps "regular expression 1" "regular-expression 2" "regular expression 3" "regular expression 4"... 3. Assign the login class to one or more users.

[edit system login]

3836


Chapter 94: Examples: Access Privileges Configuration

user@host# set user username class class-name 4. Commit your changes.

Users assigned this login class have the permissions you have set for the class.

Examples Using Allow or Deny Configurations with Regular Expressions Purpose

This section provides examples of access privilege configurations to give you ideas for creating configurations appropriate for your system. You can use combinations of privilege statements for configuration access and for operational mode commands to give precise control over classes of access privileges.

Allow Configuration Changes

The following example login class lets the user make changes at the [edit system services] hierarchy level and issue configuration mode commands (such as commit), in addition to the permissions specified by the configure permissions flag, which allows the user to enter configuration mode using the configure command. [edit system login class class-name] user@host# set permissions configure view view-configuration user@host# set allow-configuration-regexps "system services"

Deny Configuration Changes

The following example login class lets the user perform all operations allowed by the all permissions flag. However, it denies modifying the configuration at the [edit system services] hierarchy level. [edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set deny-configuration-regexps "system services"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot configure telnet parameters: [edit system login class class-name] user@host# set deny-configuration "system services telnet"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot issue login class commands within any login class whose name begins with “m”: [edit system login class class-name] user@host# set deny-configuration "system login class m .*"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot edit the configuration or issue commands (such as commit) at the [edit system login class] or the [edit system services] hierarchy levels: [edit system login class class-name] user@host# set deny-configuration "system login class" "system services"


3837

®


Allow and Deny Configuration Changes

The following example login class lets the user perform all operations allowed by the all permissions flag, and explicitly grants configuration access to [system "interfaces .* unit .* family inet address .*" protocols]. However, the user is denied configuration access to the SNMP hierarchy level.

NOTE: You can use the * wildcard character when denoting regular expressions. However, it must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.

[edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set allow-configuration-regexps system "interfaces .* unit .* family inet address .*" protocols user@host# set deny-configuration-regexps snmp

Allow and Deny Multiple Configuration Changes

The following example login class lets the user perform all operations allowed by the all permissions flag, and explicitly grants configuration access to multiple hierarchy levels for interfaces. It denies configuration access to the [edit system] and [edit protocols] hierarchy levels.

NOTE: You can configure as many regular expressions as needed to be allowed or denied. Regular expressions to be denied take precedence over configurations to be allowed.

[edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set allow-configuration-regexps "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces .* disable" user@host# set deny-configuration-regexps "system" "protocols"

Allow Configuration Changes and Deny Operations Commands

You can combine allow and deny configuration statements with allow and deny operational commands statements to fine-tune access privileges. The following example login class uses a combination of the deny-commands operational permissions statement and the allow-configuration-regexps configuration permissions statement to let the user configure and commit changes to the OSPF and BGP protocols. However, this class of user cannot issue the show system statistics or the show bgp summary commands. [edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set deny-commands "(show system statistics)|(show bgp summary)" user@host# set allow-configuration-regexps "protocols ospf|bgp"

The following shows permissions set for individual configuration mode hierarchies: [edit] system { login { # This login class has operator privileges and the additional ability to edit # configuration at the system services hierarchy level. class only-system-services { permissions [ configure ];

3838



allow-configuration "system services"; } # services commands. class all-except-system-services { # This login class has operator privileges but # cannot edit any system services configuration. permissions [ all ]; deny-configuration "system services"; } } }

Verification

To verify that you have set the access privileges correctly: 1.

Configure a login class and commit the changes.

2. Assign the login class to a username. 3. Log in as the username assigned with the new login class. 4. Attempt to perform the configurations that have been allowed or denied.


•

You should be able to perform configuration changes to hierarchy levels and regular expressions that have been allowed.

•

You should not be able to perform configuration changes to hierarchy levels and regular expressions that have been denied.

•

Denied expressions should take precedence over allowed expressions.

•

Any allowed or denied expressions should take precedence over any permissions granted with the permissions statement.

•


•


•


•


Example: Configuring Access Privileges for Operational Mode Commands The following example shows how to configure access privileges for different login classes for individual operational mode commands: [edit] system { # This login class has operator privileges and the additional ability # to reboot the router. login { # This login class has operator privileges and the additional ability to reboot the # router or switch. class operator-and-boot { permissions [ clear network reset trace view ]; allow-commands "request system reboot"; } # This login class has operator privileges but can't use any commands beginning


3839

®


# with “set” . # This login class has operator privileges # but cannot use any commands beginning with “set” class operator-no-set { permissions [ clear network reset trace view ]; deny-commands "^set"; } # This login class has operator privileges and can install software but not view # BGP information, and can issue the show route command, without specifying # commands or arguments under it. class operator-and-install-but-no-bgp { permissions [ clear network reset trace view ]; allow-commands "(request system software add)|(show route$)"; deny-commands "show bgp"; } } }


•


Example: Specifying Access Privileges Using allow/deny-configuration-regexps Statements This example shows how to set up configuration access privileges using the allow-configuration-regexps and deny-configuration-regexps statements. •


•


•


•

Examples Using Allow or Deny Configurations with Regular Expressions on page 3841


One Juniper Networks J Series, M Series, MX Series, or T Series device

•

Junos OS Release 11.2 or later •

There must be at least one user assigned to a login class.

•

There can be more than one login class, each with varying permission configurations, and more than one user on the device.

Overview The allow-configuration-regexps and deny-configuration-regexps statements let you explicitly allow or deny users assigned to named user classes access privileges to portions of the configuration hierarchy, giving the system administrator precision control over who can change specific configurations in the system.

3840



NOTE: The statements allow-configuration-regexps and deny-configuration-regexps perform similar functions as the statements allow-configuration and deny-configuration, except you can configure sets of strings in which the strings include spaces when using the first set of statements. You cannot use the two kinds of statements together.

Configuration To set up configuration access privileges: 1.

To explicitly allow one or more individual configuration mode hierarchies that would otherwise be denied, include the allow-configuration-regexps statement at the [edit system login class class-name] hierarchy level, configured with the regular expressions to be allowed. [edit system login class class-name] user@host# set allow-configuration-regexps "regular expression 1" "regular expression 2" "regular expression 3" "regular expression 4" ...

2. To explicitly deny one or more individual configuration hierarchies that would otherwise

be allowed, include the deny-configuration-regexps statement at the [edit system login class class-name] hierarchy level, configured with the regular expressions to be denied. [edit system login class class-name] user@host# set deny-configuration-regexps "regular expression 1" "regular-expression 2" "regular expression 3" "regular expression 4"... 3. Assign the login class to one or more users.

[edit system login] user@host# set user username class class-name 4. Commit your changes.

Users assigned this login class have the permissions you have set for the class.

Examples Using Allow or Deny Configurations with Regular Expressions Purpose

This section provides examples of access privilege configurations to give you ideas for creating configurations appropriate for your system. You can use combinations of privilege statements for configuration access and for operational mode commands to give precise control over classes of access privileges.

Allow Configuration Changes

The following example login class lets the user make changes at the [edit system services] hierarchy level and issue configuration mode commands (such as commit), in addition to the permissions specified by the configure permissions flag, which allows the user to enter configuration mode using the configure command. [edit system login class class-name] user@host# set permissions configure view view-configuration user@host# set allow-configuration-regexps "system services"


3841

®


Deny Configuration Changes

The following example login class lets the user perform all operations allowed by the all permissions flag. However, it denies modifying the configuration at the [edit system services] hierarchy level. [edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set deny-configuration-regexps "system services"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot configure telnet parameters: [edit system login class class-name] user@host# set deny-configuration "system services telnet"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot issue login class commands within any login class whose name begins with “m”: [edit system login class class-name] user@host# set deny-configuration "system login class m .*"

If the following statement is included in the configuration and the user’s login class permission bit is set to all, the user cannot edit the configuration or issue commands (such as commit) at the [edit system login class] or the [edit system services] hierarchy levels: [edit system login class class-name] user@host# set deny-configuration "system login class" "system services"

Allow and Deny Configuration Changes

The following example login class lets the user perform all operations allowed by the all permissions flag, and explicitly grants configuration access to [system "interfaces .* unit .* family inet address .*" protocols]. However, the user is denied configuration access to the SNMP hierarchy level.

NOTE: You can use the * wildcard character when denoting regular expressions. However, it must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.

[edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set allow-configuration-regexps system "interfaces .* unit .* family inet address .*" protocols user@host# set deny-configuration-regexps snmp

3842



Allow and Deny Multiple Configuration Changes

The following example login class lets the user perform all operations allowed by the all permissions flag, and explicitly grants configuration access to multiple hierarchy levels for interfaces. It denies configuration access to the [edit system] and [edit protocols] hierarchy levels.

NOTE: You can configure as many regular expressions as needed to be allowed or denied. Regular expressions to be denied take precedence over configurations to be allowed.

[edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set allow-configuration-regexps "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces .* disable" user@host# set deny-configuration-regexps "system" "protocols"

Allow Configuration Changes and Deny Operations Commands

You can combine allow and deny configuration statements with allow and deny operational commands statements to fine-tune access privileges. The following example login class uses a combination of the deny-commands operational permissions statement and the allow-configuration-regexps configuration permissions statement to let the user configure and commit changes to the OSPF and BGP protocols. However, this class of user cannot issue the show system statistics or the show bgp summary commands. [edit system login class class-name] user@host# set permissions all configure view view-configuration user@host# set deny-commands "(show system statistics)|(show bgp summary)" user@host# set allow-configuration-regexps "protocols ospf|bgp"

The following shows permissions set for individual configuration mode hierarchies: [edit] system { login { # This login class has operator privileges and the additional ability to edit # configuration at the system services hierarchy level. class only-system-services { permissions [ configure ]; allow-configuration "system services"; } # services commands. class all-except-system-services { # This login class has operator privileges but # cannot edit any system services configuration. permissions [ all ]; deny-configuration "system services"; } } }


3843

®


Verification

To verify that you have set the access privileges correctly: 1.

Configure a login class and commit the changes.

2. Assign the login class to a username. 3. Log in as the username assigned with the new login class. 4. Attempt to perform the configurations that have been allowed or denied.


3844

•

You should be able to perform configuration changes to hierarchy levels and regular expressions that have been allowed.

•

You should not be able to perform configuration changes to hierarchy levels and regular expressions that have been denied.

•

Denied expressions should take precedence over allowed expressions.

•

Any allowed or denied expressions should take precedence over any permissions granted with the permissions statement.

•


•


•


•



CHAPTER 95

Configuring Access Privileges •


•


•


Configuring Access Privilege Levels Each top-level command-line interface (CLI) command and each configuration statement have an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. To configure access privilege levels, include the permissions statement at the [edit system login class class-name] hierarchy level: [edit system login class class-name] permissions [ permissions ];


•


•


•


•

permissions on page 626

Specifying Access Privileges for Junos OS Operational Mode Commands You can specify extended regular expressions by using the allow-commands and deny-commands statements to define a user’s access privileges to individual operational mode commands. Doing so takes precedence over a login class permissions bit set for a user. You can include one deny-commands and one allow-commands statement in each login class. To explicitly provide use of an individual operational mode command that would otherwise be denied, include the allow-commands statement at the [edit system login class class-name] hierarchy level: [edit system login class class-name] allow-commands "regular-expression”;


3845

®


To explicitly deny access to an individual operational mode command that would otherwise be supported, include the deny-commands statement at the [edit system login class class-name] hierarchy level: [edit system login class class-name] deny-commands "regular-expression”;

If the regular expression contains any spaces, operators, or wildcard characters, enclose the expression in quotation marks. Regular expressions are not case-sensitive. allow-commands "show interfaces";

NOTE: Modifiers are not supported within the regular expression string to be matched. If a modifier is used, then nothing is matched. For example, the deny command set protocols does not match anything, whereas protocols matches protocols.

Explicitly providing access to operational mode commands using the allow-commands statement adds to the regular permissions set using the permissions statement. Likewise, explicitly denying access to operational mode commands using the deny-commands statement removes permissions for the specified commands from the default permissions provided by the permissions statement. For example, if a login class has the permission view and the allow-commands statement includes the request system software add command, the specified login class user can install software, in addition to the permissions specified by the view permissions flag. Likewise, if a login class has the permission all and the deny-commands statement includes the request system software add command, the specified login class user can perform all operations allowed by the all permissions flag, except installing software using the request system software add command. If you allow and deny the same commands, the allow-commands permissions take precedence over the permissions specified by deny-commands. For example, if you include allow-commands "request system software add" and deny-commands "request system software add", the login class user is allowed to install software using the request system software add command. If you specify a regular expression for allow-commands and deny-commands with two different variants of a command, the longest match is always executed. For example, if you specify a regular expression for allow-commands with the commit-synchronize command and a regular expression for deny-commands with the commit command, users assigned to such a login class would be able to issue the commit synchronize command, but not the commit command. This is because commit-synchronize is the longest match between commit and commit-synchronize, and it is specified for allow-commands. Likewise, if you specify a regular expression for allow-commands with the commit command and a regular expression for deny-commands with the commit-synchronize command, users assigned to such a login class would be able to issue the commit

3846


Chapter 95: Configuring Access Privileges

command, but not the commit-synchronize command. This is because commit-synchronize is the longest match between commit and commit-synchronize, and it is specified for deny-commands. Anchors are required when specifying complex regular expressions with allow-commands or deny-commands statements. For example, when specifying multiple commands using the pipe (|) symbol for allow-commands, the following syntax is incorrect: allow-commands = "(monitor.*)|(ping.*)|(show.*)|(exit)" . Instead, you must specify the expression using the following syntax: allow-commands = "(^monitor) | (^ping) | (^show) | (êxit)" OR allow-commands ="^(monitor | ping | show | exit)" Related Documentation

•

Example: Configuring Access Privileges for Operational Mode Commands on page 3839

•

Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands

•

allow-commands on page 609

•

deny-commands on page 616

Specifying Access Privileges for Junos OS Configuration Mode Hierarchies The allow/deny-configuration and allow/deny-configuration-regexps statements let you explicitly allow or deny users access privileges to portions of the configuration hierarchy. Each of these statements is added to named login classes and configured with one or more regular expressions to be allowed or denied. Each login class is assigned to specific users or user IDs. The search and match methods differ in the two forms of these statements. You must select which form to use within a login class—you cannot configure allow-configuration and allow-configuration-regexps together in the same login class. You must select just one. If you have existing configurations using the allow/deny-configuration form of the statements, using the same configuration options with the allow/deny-configuration-regexps form of the statements might not produce the same results. •

Allow/deny-configuration statements perform slower matching, with more flexibility,

especially in wildcard matching. However, it can take a very long time to evaluate all of the possible statements if a great number of full path regular expressions or wildcard expressions are configured, possibly impacting performance. These statements were introduced before Junos OS Release 7.4. •

Allow/deny-configuration-regexps statements perform faster matching, with less

flexibility. You configure a set of strings in which each string is a regular expression, with spaces between the terms of the string. This provides very fast matching. However, it is more tedious to use wildcard expressions in this form of the statement, because you must set up wildcards for each token (term) of the space-delimited string you want to match. These statements were introduced in Junos OS Release 11.2. Related Documentation

•


•



3847

®


3848

•


•



CHAPTER 96

Configuration Statements for Access Privileges •

access on page 3850

•


•

admin on page 3852

•


•

all-control on page 3853

•

clear on page 3853

•

configure on page 3887

•

control on page 3887

•

field on page 3887

•


•


•

floppy on page 3889

•


•

flow-tap-control on page 3890

•

flow-tap-operation on page 3891

•

idp-profiler-operation on page 3891

•


•


•

maintenance on page 3893

•

network on page 3899

•


•


•

reset on page 3902

•

rollback on page 3902

•


•



3849

®


•

secret on page 3911

•


•


•


•

shell on page 3920

•

snmp on page 3920

•

system on page 3921

•


•

trace on page 3924

•


•

view on page 3934

•

view-configuration on page 3997

access Can view the access configuration in configuration mode. Commands

No associated CLI commands.

Configuration Hierarchy Levels


3850

[edit access] [edit access ppp-options] [edit dynamic-profile] [edit logical-systems access] [edit logical-systems routing-instances instance system services static-subscribers access-profile] [edit logical-systems routing-instances instance system services static-subscribers dynamic-profile] [edit logical-systems routing-instances instance system services static-subscribers group access-profile] [edit logical-systems routing-instances instance system services static-subscribers group dynamic-profile] [edit logical-systems system services static-subscribers access-profile] [edit logical-systems system services static-subscribers dynamic-profile] [edit logical-systems system services static-subscribers group access-profile] [edit logical-systems system services static-subscribers group dynamic-profile] [edit routing-instances instance system services static-subscribers access-profile] [edit routing-instances instance system services static-subscribers dynamic-profile] [edit routing-instances instance system services static-subscribers group access-profile] [edit routing-instances instance system services static-subscribers group dynamic-profile] [edit system services static-subscribers access-profile] [edit system services static-subscribers dynamic-profile] [edit system services static-subscribers group access-profile] [edit system services static-subscribers group dynamic-profile]

•


•



Chapter 96: Configuration Statements for Access Privileges

•


•


•


•


access-control Can view access configuration information. Can edit access configuration at the [edit access], [edit logical-systems], [edit routing-instances, and [edit system services] hierarchy levels. Configuration Hierarchy Levels


[edit access] [edit access ppp-options] [edit dynamic-profile] [edit logical-systems access] [edit logical-systems routing-instances instance system services static-subscribers access-profile] [edit logical-systems routing-instances instance system services static-subscribers dynamic-profile] [edit logical-systems routing-instances instance system services static-subscribers group access-profile] [edit logical-systems routing-instances instance system services static-subscribers group dynamic-profile] [edit logical-systems system services static-subscribers access-profile] [edit logical-systems system services static-subscribers dynamic-profile] [edit logical-systems system services static-subscribers group access-profile] [edit logical-systems system services static-subscribers group dynamic-profile] [edit routing-instances instance system services static-subscribers access-profile] [edit routing-instances instance system services static-subscribers dynamic-profile] [edit routing-instances instance system services static-subscribers group access-profile] [edit routing-instances instance system services static-subscribers group dynamic-profile] [edit system services static-subscribers access-profile] [edit system services static-subscribers dynamic-profile] [edit system services static-subscribers group access-profile] [edit system services static-subscribers group dynamic-profile]

•


•


•


•


•


•

access on page 3850


3851

®


admin Can view user account information in configuration mode. Commands

show system audit



[edit protocols uplink-failure-detection] [edit system] [edit system accounting] [edit system diag-port-authentication] [edit system extensions] [edit system login] [edit system pic-console-authentication] [edit system root-authentication] [edit system services ssh ciphers] [edit system services ssh client-alive-count-max] [edit system services ssh client-alive-interval]] [edit system services ssh hostkey-algorithm] [edit system services ssh key-exchange] [edit system services ssh macs] [edit system services ssh max-sessions-per-connection] [edit system services ssh no-tcp-fowarding] [edit system services ssh protocol-version] [edit system services ssh root-login] [edit system services ssh tcp-fowarding]

•


•


•


•


•


•


admin-control Can view user account information and configure it at the [edit system] hierarchy level. Commands Configuration Hierarchy Levels

3852

show system audit [edit protocols uplink-failure-detection] [edit system] [edit system accounting] [edit system diag-port-authentication] [edit system extensions] [edit system login] [edit system pic-console-authentication] [edit system root-authentication] [edit system services ssh ciphers]



[edit system services ssh hostkey-algorithm] [edit system services ssh key-exchange] [edit system services ssh macs] [edit system services ssh protocol-version] [edit system services ssh root-login]


•


•


•


•


•


•

admin on page 3852

all-control Can access all operational mode commands and configuration mode commands. Can modify configuration in all the configuration hierarchy levels. Commands Configuration Hierarchy Levels Related Documentation

All CLI commands. All CLI configuration hierarchy levels and statements.

•


•


•


•


•


clear Can clear (delete) information learned from the network that is stored in various network databases. Commands

clear clear amt clear amt statistics clear amt tunnel clear-amt-tunnel clear amt tunnel gateway-address clear amt tunnel statistics clear amt tunnel statistics gateway-address


3853

®


clear amt tunnel statistics tunnel-interface clear amt tunnel tunnel-interface clear protection-group ethernet-ring statistics > clear r2cp clear r2cp radio clear r2cp session clear r2cp statistics clear r2cp statistics radio clear r2cp statistics session clear rip clear rip general-statistics clear rip statistics clear rip statistics peer

3882



clear ripng clear ripng general-statistics clear ripng statistics clear rsvp clear rsvp session clear rsvp statistics < clear-rsvp-counters-information> clear services clear services alg clear services alg statistics clear services application-aware-access-list clear services application-aware-access-list statistics clear services application-aware-access-list statistics interface clear services application-aware-access-list statistics subscriber clear services application-identification clear services application-identification application-system-cache clear services application-identification counter clear services application-identification counter ssl-encrypted-sessions clear services application-identification statistics clear services application-identification statistics cumulative clear services application-identification statistics interval clear services border-signaling-gateway clear services border-signaling-gateway denied-messages clear services border-signaling-gateway name-resolution-cache

clear services border-signaling-gateway name-resolution-cache all clear services border-signaling-gateway name-resolution-cache by-fqdn clear services border-signaling-gateway statistics clear services captive-portal-content-delivery clear services captive-portal-content-delivery statistics clear services captive-portal-content-delivery statistics interface clear services cos clear services cos statistics


3883

®


clear services crtp clear services crtp statistics clear services dynamic-flow-capture clear services dynamic-flow-capture criteria clear services dynamic-flow-capture sequence-number clear services flow-collector clear services flow-collector statistics clear-service-msp-flow-ipaction-table clear services ids clear services ids destination-table clear services ids pair-table clear services ids source-table clear services inline clear services inline nat clear services inline nat pool clear services inline nat statistics clear services inline softwire clear services inline softwire statistics clear services ipsec-vpn clear services ipsec-vpn ipsec clear services ipsec-vpn ipsec security-associations clear services ipsec-vpn ike clear services ipsec-vpn ike security-associations clear services ipsec-vpn ipsec statistics clear services l2tp clear services l2tp disconnect-cause-summary clear services l2tp multilink clear services l2tp session clear services l2tp destination clear services l2tp disconnect-cause-summary clear services l2tp tunnel clear services l2tp user clear services local-policy-decision-function

3884



clear services local-policy-decision-function statistics clear services local-policy-decision-function statistics interface clear services local-policy-decision-function statistics subscriber clear services server-load-balance clear services server-load-balance external-manager-statistics clear services server-load-balance real-server-group-statistics clear services server-load-balance real-server-statistics clear services server-load-balance sticky clear services server-load-balance virtual-server-statistics> clear services service-sets statistics syslog clear services stateful-firewall flow-analysis clear services stateful-firewall flows clear services stateful-firewall sip-call clear services stateful-firewall sip-register clear services stateful-firewall statistics clear services stateful-firewall subscriber-analysis clear services subscriber clear services subscriber sessions clear services softwire clear services softwire statistics clear services stateful-firewall clear services stateful-firewall flow-analysis clear services stateful-firewall flows clear services pgcp clear services pgcp gates clear services pgcp gates gateway clear services pgcp statistics clear services pgcp statistics gateway


3885

®


clear-twamp-information clear-twamp-server-information clear-twamp-server-connection-information clear snmp clear snmp history clear snmp statistics clear spanning-tree clear spanning-tree protocol-migration clear spanning-tree protocol-migration interface clear spanning-tree statistics clear spanning-tree statistics interface clear spanning-tree statistics routing-instance clear spanning-tree topology-change-counter clear synchronous-ethernet clear synchronous-ethernet esmc clear synchronous-ethernet esmc statistics clear system clear system login clear system login lockout < clear-system-login-lockout> clear vpls clear vpls mac-address clear vpls mac-table clear vpls mac-table interface request interface rebalance request pppoe request pppoe connect request pppoe disconnect request snmp clear vrrp clear vrrp interface request services ipsec-vpn ipsec request services ipsec-vpn ipsec switch request services ipsec-vpn ipsec switch tunnel

Configuration Hierarchy Levels Related Documentation

3886

No asscociated CLI configuration hierarchy levels and statements.

•


•




•


•


•


configure Can enter configuration mode. Commands configure request snmp request-snmp-utility-mib-clear request-snmp-utility-mib-set


No associated CLI configuration hierarchy levels and statements.

•


•


•


•


•


control Can perform all control-level operations; can modify any configuration. Commands Configuration Hierarchy Levels Related Documentation

test configuration


•


•


•


•


•


field Can view field debug commands.


3887

®


Commands Configuration Hierarchy Levels Related Documentation

No associated CLI commands. No associated CLI configuration hierarchy levels and statements.

•


•


•


•


•


firewall Can view the firewall filter configuration in configuration mode. Commands

show firewall show firewall counter show firewall filter show firewall filter version show firewall log show firewall prefix-action-stats show policer



3888

[edit dynamic-profiles firewall] [edit firewall] [edit logical-systems firewall]

•


•


•


•


•


•




firewall-control Can view and configure firewall filter information at the [edit dynamic-profiles firewall], [edit firewall], and [edit logical-systems firewall] hierarchy levels. Commands

show firewall show firewall counter show firewall filter show firewall filter version show firewall log show firewall prefix-action-stats show policer



[edit dynamic-profiles firewall] [edit firewall] [edit logical-systems firewall]

•


•


•


•


•


•


floppy Can read from and write to the removable media. Commands Configuration Hierarchy Levels Related Documentation


•


•



3889

®


•


•


•


flow-tap Can view the flow-tap configuration in configuration mode. Commands




[edit services flow-tap] [edit services radius-flow-tap] [edit system services flow-tap-dtcp]

•


•


•


•


•


•

flow-tap-control on page 3890

flow-tap-control Can view the flow-tap configuration in configuration mode and can configure flow-tap configuration information at the [edit services flow-tap], [edit services radius-flow-tap], and [edit system services flow-tap-dtcp] hierarchy levels. Commands




3890

[edit services flow-tap] [edit services radius-flow-tap] [edit system services flow-tap-dtcp]

•


•


•


•


•


•




flow-tap-operation Can make flow-tap requests to the router. Commands Configuration Hierarchy Levels Related Documentation


•


•


•


•


•


idp-profiler-operation Can view profiler data. Commands CLI Configuration Hierarchy Levels


interface Can view the interface configuration in configuration mode. Commands Configuration Hierarchy Levels

No associated CLI commands. [edit accounting-options] [edit chassis] [edit class-of-service] [edit class-of-service interfaces] [edit dynamic-profiles class-of-service] [edit dynamic-profiles class-of-service interfaces] [edit dynamic-profiles interfaces] [edit dynamic-profiles routing-instances instance system services dhcp-local-server] [edit dynamic-profiles routing-instances instance system services static-subscribers group] [edit forwarding-options] [edit interfaces] [edit jnx-example] [edit logical-systems forwarding-options] [edit logical-systems interfaces] [edit logical-systems routing-instances instance system services dhcp-local-server] [edit logical-systems routing-instances instance system services static-subscribers group] [edit logical-systems system services dhcp-local-server]


3891

®


[edit logical-systems system services static-subscribers group] [edit routing-instances instance system services dhcp-local-server] [edit routing-instances instance system services static-subscribers group] [edit services logging] [edit services radius-flow-tap] [edit services radius-flow-tap interfaces] [edit system services dhcp-local-server] [edit system services static-subscribers group]


•


•


•


•


•


•


interface-control Can view chassis, class of service (CoS), groups, forwarding options, and interfaces configuration information. Can edit configuration at the [edit chassis], [edit class-of-service], [edit groups], [edit forwarding-options], and [edit interfaces] hierarchy levels. Commands Configuration Hierarchy Levels

3892

No associated CLI commands. [edit accounting-options] [edit chassis] [edit class-of-service] [edit class-of-service interfaces] [edit dynamic-profiles class-of-service] [edit dynamic-profiles class-of-service interfaces] [edit dynamic-profiles interfaces] [edit dynamic-profiles routing-instances instance system services dhcp-local-server] [edit dynamic-profiles routing-instances instance system services static-subscribers group] [edit forwarding-options] [edit interfaces] [edit jnx-example] [edit logical-systems forwarding-options] [edit logical-systems interfaces] [edit logical-systems routing-instances instance system services dhcp-local-server] [edit logical-systems routing-instances instance system services static-subscribers group] [edit logical-systems system services dhcp-local-server] [edit logical-systems system services static-subscribers group] [edit routing-instances instance system services dhcp-local-server] [edit routing-instances instance system services static-subscribers group] [edit services logging] [edit services radius-flow-tap] [edit services radius-flow-tap interfaces]



[edit system services dhcp-local-server] [edit system services static-subscribers group]


•


•


•


•


•


•


maintenance Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell, and can halt and reboot the router. Commands

clear system reboot clear-system-services-reverse-information file archive monitor traffic request chassis beacon request chassis ccg request chassis cb request chassis cfeb request chassis cfeb master request chassis cip request chassis fabric request chassis fabric device request chassis fabric plane request chassis fabric upgrade-bandwidth request chassis fabric upgrade-bandwidth fpc request chassis fabric upgrade-bandwidth info request chassis feb request chassis fpc request chassis mcs request chassis mic request chassis pcg request chassis pic request chassis redundancy request chassis redundancy feb request chassis routing-engine request chassis routing-engine hard-disk-test request chassis routing-engine master request chassis scg


3893

®


request chassis sfm request chassis sfm master request chassis sib request chassis sib f13 request chassis sib f2s request chassis spmb request chassis ssb request chassis ssb master request chassis synchronization request chassis synchronization force request chassis synchronization force automatic-switching request chassis synchronization force mark-failed request chassis synchronization force unmark-failed request chassis synchronization switch request chassis tfeb request chassis vcpu request chassis vnpu request l2circuit-switchover request mpls request mpls lsp request mpls lsp adjust-autobandwidth request security request security certificate request security certificate enroll request security datapath-debug request security datapath-debug action-profile request security datapath-debug action-profile reload-all request security idp equest security idp security-package request security idp security-package download request security idp security-package download version request security idp security-package install request security idp ssl-inspection request security idp ssl-inspection key request security idp ssl-inspection key add request security idp ssl-inspection key delete request security idp storage-cleanup request security key-pair request security pki request security pki ca-certificate

3894



request security pki ca-certificate enroll request security pki ca-certificate load request security pki ca-certificate verify request security pki crl request security pki crl load request security pki generate-certificate-request request security pki generate-key-pair request security pki local-certificate request security pki local-certificate enroll request security pki local-certificate generate-self-signed request security pki local-certificate load request security pki local-certificate verify request security pki verify-integrity-status request services fips request services fips authorize request services fips authorize pic request services fips zeroize request services fips zeroize pic request services flow-collector request services flow-collector change-destination request services ggsn request services ggsn pdp request services ggsn pdp terminate request services ggsn pdp terminate apn request services ggsn pdp terminate context request services ggsn pdp terminate context msisdn request services ggsn restart request services ggsn restart interface request services ggsn restart node request services ggsn start request services ggsn start interface request services ggsn stop request services ggsn stop interface


3895

®


request services ggsn stop node request services ggsn trace request services ggsn trace software request services ggsn trace software update request services ggsn trace start request services ggsn trace start imsi request services ggsn trace start msisdn request services ggsn trace stop request services ggsn trace stop all request services ggsn trace stop imsi request services ggsn trace stop msisdn request support request support information request system request system certificate request system certificate add request system commit request system commit server request system commit server pause request system commit server queue request system commit server queue cleanup request system commit server start request system configuration request system configuration rescue request system configuration rescue delete request system configuration rescue save request system firmware request system firmware downgrade request system firmware downgrade feb request system firmware downgrade fpc request system firmware downgrade pic request system firmware downgrade poe request system firmware downgrade re request system firmware downgrade scb request system firmware downgrade sfm

3896



request system firmware downgrade spmb request system firmware downgrade ssb request system firmware downgrade vcpu request system firmware upgrade request system firmware upgrade feb request system firmware upgrade fpc request system firmware upgrade pic request system firmware upgrade poe request system firmware upgrade re request system firmware upgrade re bios request system firmware upgrade scb request system firmware upgrade sfm request system firmware upgrade spmb request system firmware upgrade ssb request system firmware upgrade vcpu request system halt request system keep-alive request system license request system license add request system license delete request system license save request system license update .... request system logout request system partition request system partition abort request system partition compact-flash request system partition hard-disk request system power-off request system power-on request system reboot request system scripts request system scripts add request system scripts convert request system scripts convert slax-to-xslt request system scripts convert xslt-to-slax request system scripts delete request system scripts event-scripts request system scripts event-scripts reload request system scripts refresh-from


3897

®


request system scripts rollback request system snapshot request system software request system software abort request system software abort in-service-upgrade request system software add request system software delete request system software delete-backup request system software in-service-upgrade request system software nonstop-upgrade request system software recovery-package request system software recovery-package add request system software recovery-package delete request system software recovery-package extract request system software recovery-package extract ex-8200-package equest system software recovery-package extract ex-xre200-package request system software rollback request system software validate request system software validate in-service-upgrade request system storage request system storage cleanup request system storage cleanup qfabric request system zeroize request vpls-switchover set date set date ntpshow services fips start shell start shell user test access test access profile test access radius-server

3898



get-test-services-l2tp-tunnel-result



[edit event-options] [edit security ipsec internal] [edit security ipsect trusted-channel] [edit services dynamic-flow-capture traceoptions] [edit services ggsn] [edit system fips] [edit services ggsn rule-space] [edit system processes daemon-process command] [edit system scripts] [edit system scripts commit] [edit system scripts op]

•


•


•


•


•


network Can access the network by using the ping, ssh, telnet, and traceroute commands. Commands mtrace mtrace from-source mtrace monitor mtrace to-gateway ping ping atm ping clns ping ethernet ping fibre-channel ping mpls ping mpls bgp ping mpls l2circuit ping mpls l2circuit interface ping mpls l2circuit virtual-circuit ping mpls l2vpn ping mpls l2vpn instance


3899

®


ping mpls l2vpn interface ping mpls l3vpn ping mpls ldp ping mpls ldp p2mp ping mpls lsp-end-point ping mpls rsvp ping vpls ping vpls instance request routing-engine request routing-engine login request routing-engine login other-routing-engine request services flow-collector request services flow-collector test-file-transfer show host show interfaces level-extra descriptions show multicast mrinfo ssh telnet traceroute traceroute clns traceroute ethernet traceroute monitor traceroute mpls traceroute mpls ldp traceroute mpls rsvp

3900





•


•


•


•


•


pgcp-session-mirroring Can view session mirroring configuration by using the pgcp command. Commands

show services pgcp gates gate-way display session-mirroring


[edit services pgcp gateway session-mirroring] [edit services pgcp session-mirroring]

•


•


•


•


•


•


pgcp-session-mirroring-control Can modify PGCP session mirroring configuration Commands

show services pgcp gates gate-way display session-mirroring



[edit services pgcp gateway session-mirroring] [edit services pgcp session-mirroring]

•


•


•


•


•


•



3901

®


reset Can restart software processes by using the restart command and can configure whether software processes configured at the [edit system processes] hierarchy level are enabled or disabled. Commands

request chassis cfeb master switch request chassis cfeb master switch no-confirm request chassis routing-engine master acquire request chassis routing-engine master acquire force request chassis routing-engine master acquire force no-confirm request chassis routing-engine master acquire no-confirm request chassis routing-engine master release request chassis routing-engine master release no-confirm request chassis routing-engine master switch request chassis routing-engine master switch no-confirm request chassis sfm master switch request chassis sfm master switch no-confirm request chassis ssb master switch request chassis ssb master switch no-confirm restart restart kernel-replication restart-named-service restart routing restart services restart services border-signaling-gateway restart services pgcp restart web-management




•


•


•


•


•


rollback Can roll back to previous configurations.

3902



Commands

rollback


[edit]

•


•


•


•


•


routing Can view general routing, routing protocol, and routing policy configuration information. Commands Configuration Hierarchy Levels

No associated CLI commands. [edit bridge-domains] [edit bridge-domains domain multicast-snooping-options] [edit bridge-domains domain multicast-snooping-options traceoptions] [edit dynamic-profiles protocols igmp traceoptions] [edit dynamic-profiles protocols mld traceoptions] [edit dynamic-profiles protocols router-advertisement traceoptions] [edit dynamic-profiles routing-instances] [edit dynamic-profiles routing-instances instance bridge-domains] [edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options] [edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance multicast-snooping-options] [edit dynamic-profiles routing-instances instance multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance pbb-options] [edit dynamic-profiles routing-instances instance protocols] [edit dynamic-profiles routing-instances instance protocols bgp group neighbor traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp group traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp traceoptions] [edit dynamic-profiles routing-instances instance protocols esis traceoptions] [edit dynamic-profiles routing-instances instance protocols isis traceoptions] [edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ldp traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp traceoptions] [edit dynamic-profiles routing-instances instance protocols mvpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ospf traceoptions] [edit dynamic-profiles routing-instances instance protocols pim traceoptions]


3903

®


[edit dynamic-profiles routing-instances instance protocols rip traceoptions] [edit dynamic-profiles routing-instances instance protocols ripng traceoptions] [edit dynamic-profiles routing-instances instance protocols router-discovery traceoptions] [edit dynamic-profiles routing-instances instance protocols vpls traceoptions] [edit dynamic-profiles routing-instances instance routing-options] [edit dynamic-profiles routing-instances instance routing-options multicast traceoptions] [edit dynamic-profiles routing-instances instance routing-options traceoptions] [edit dynamic-profiles routing-instances instance service-groups] [edit dynamic-profiles routing-instances instance switch-options] [edit dynamic-profiles routing-options multicast traceoptions] [edit jnx-example] [edit fabric protocols] [edit fabric protocols bgp group neighbor traceoptions] [edit fabric protocols bgp group traceoptions] [edit fabric protocols bgp traceoptions] [edit fabric routing-instances] [edit fabric routing-instances instance routing-options] [edit fabric routing-instances instance routing-options traceoptions] [edit fabric routing-options] [edit fabric routing-options traceoptions] [edit logical-systems bridge-domains] [edit logical-systems bridge-domains domain multicast-snooping-options] [edit logical-systems bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems policy-options] [edit logical-systems protocols] [edit logical-systems protocols bgp group neighbor traceoptions] [edit logical-systems protocols bgp group traceoptions] [edit logical-systems protocols bgp traceoptions] [edit logical-systems protocols dvmrp traceoptions] [edit logical-systems protocols esis traceoptions] [edit logical-systems protocols igmp traceoptions] [edit logical-systems protocols igmp-host traceoptions] [edit logical-systems protocols isis traceoptions] [edit logical-systems protocols l2circuit traceoptions] [edit logical-systems protocols l2iw traceoptions] [edit logical-systems protocols ldp traceoptions] [edit logical-systems protocols mld traceoptions] [edit logical-systems protocols mld-host traceoptions] [edit logical-systems protocols msdp group peer traceoptions] [edit logical-systems protocols msdp group traceoptions] [edit logical-systems protocols msdp peer traceoptions] [edit logical-systems protocols msdp traceoptions] [edit logical-systems protocols ospf traceoptions] [edit logical-systems protocols pim traceoptions] [edit logical-systems protocols rip traceoptions] [edit logical-systems protocols ripng traceoptions] [edit logical-systems protocols router-advertisement traceoptions] [edit logical-systems protocols router-discovery traceoptions] [edit logical-systems protocols rsvp lsp-set] [edit logical-systems protocols rsvp traceoptions] [edit logical-systems routing-instances] [edit logical-systems routing-instances instance bridge-domains] [edit logical-systems routing-instances instance bridge-domains domain multicast-snooping-options] [edit logical-systems routing-instances instance bridge-domains domain multicast-snooping-options traceoptions]

3904



[edit logical-systems routing-instances instance multicast-snooping-options] [edit logical-systems routing-instances instance multicast-snooping-options traceoptions] [edit logical-systems routing-instances instance pbb-options] [edit logical-systems routing-instances instance protocols] [edit logical-systems routing-instances instance protocols bgp group neighbor traceoptions] [edit logical-systems routing-instances instance protocols bgp group traceoptions] [edit logical-systems routing-instances instance protocols bgp traceoptions] [edit logical-systems routing-instances instance protocols esis traceoptions] [edit logical-systems routing-instances instance protocols isis traceoptions] [edit logical-systems routing-instances instance protocols l2vpn traceoptions] [edit logical-systems routing-instances instance protocols ldp traceoptions] [edit logical-systems routing-instances instance protocols msdp group peer traceoptions] [edit logical-systems routing-instances instance protocols msdp group traceoptions] [edit logical-systems routing-instances instance protocols msdp peer traceoptions] [edit logical-systems routing-instances instance protocols msdp traceoptions] [edit logical-systems routing-instances instance protocols mvpn traceoptions] [edit logical-systems routing-instances instance protocols ospf traceoptions] [edit logical-systems routing-instances instance protocols pim traceoptions] [edit logical-systems routing-instances instance protocols rip traceoptions] [edit logical-systems routing-instances instance protocols ripng traceoptions] [edit logical-systems routing-instances instance protocols router-discovery traceoptions] [edit logical-systems routing-instances instance protocols vpls traceoptions] [edit logical-systems routing-instances instance routing-options] [edit logical-systems routing-instances instance routing-options multicast traceoptions] [edit logical-systems routing-instances instance routing-options traceoptions] [edit logical-systems routing-instances instance service-groups] [edit logical-systems routing-instances instance switch-options] [edit logical-systems routing-options] [edit logical-systems routing-options multicast traceoptions] [edit logical-systems routing-options traceoptions] [edit logical-systems switch-options] [edit multicast-snooping-options] [edit multicast-snooping-options traceoptions] [edit policy-options] [edit protocols] [edit protocols amt traceoptions] [edit protocols bgp group neighbor traceoptions] [edit protocols bgp group traceoptions] [edit protocols bgp traceoptions] [edit protocols connections][edit protocols dot1x] [edit protocols dvmrp traceoptions] [edit protocols esis traceoptions] [edit protocols igmp traceoptions] [edit protocols igmp-host traceoptions] [edit protocols igmp-snooping] [edit protocols isis traceoptions] [edit protocols l2circuit traceoptions] [edit protocols l2iw traceoptions] [edit protocols ldp traceoptions] [edit protocols lldp] [edit protocols lldp-med] [edit protocols mld traceoptions] [edit protocols mld-host traceoptions] [edit protocols msdp group peer traceoptions]


3905

®


[edit protocols msdp group traceoptions] [edit protocols msdp peer traceoptions] [edit protocols msdp traceoptions] [edit protocols mstp] [edit protocols mvrp] [edit protocols oam] [edit protocols ospf traceoptions] [edit protocols pim traceoptions] [edit protocols rip traceoptions] [edit protocols ripng traceoptions] [edit protocols router-advertisement traceoptions] [edit protocols router-discovery traceoptions] [edit protocols rsvp traceoptions] [edit protocols sflow] [edit protocols stp] [edit protocols uplink-failure-detection] [edit protocols vstp] [edit routing-instances] [edit routing-instances instance bridge-domains] [edit routing-instances instance bridge-domains domain multicast-snooping-options] [edit routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit routing-instances instance multicast-snooping-options] [edit routing-instances instance multicast-snooping-options traceoptions] [edit routing-instances instance pbb-options] [edit routing-instances instance protocols] [edit routing-instances instance protocols bgp group neighbor traceoptions] [edit routing-instances instance protocols bgp group traceoptions] [edit routing-instances instance protocols bgp traceoptions] [edit routing-instances instance protocols esis traceoptions] [edit routing-instances instance protocols isis traceoptions] [edit routing-instances instance protocols l2vpn traceoptions] [edit routing-instances instance protocols ldp traceoptions] [edit routing-instances instance protocols msdp group peer traceoptions] [edit routing-instances instance protocols msdp group traceoptions] [edit routing-instances instance protocols msdp peer traceoptions] [edit routing-instances instance protocols msdp traceoptions] [edit routing-instances instance protocols mvpn traceoptions] [edit routing-instances instance protocols ospf traceoptions] [edit routing-instances instance protocols pim traceoptions] [edit routing-instances instance protocols rip traceoptions] [edit routing-instances instance protocols ripng traceoptions] [edit routing-instances instance protocols router-discovery traceoptions] [edit routing-instances instance protocols vpls traceoptions] [edit routing-instances instance routing-options] [edit routing-instances instance routing-options multicast traceoptions] [edit routing-instances instance routing-options traceoptions] [edit routing-instances instance service-groups] [edit routing-instances instance switch-options] [edit routing-options] [edit routing-options multicast traceoptions] [edit routing-options traceoptions] [edit switch-options]

3906




•


•


•


•


•


•


routing-control Can view general routing, routing protocol, and routing policy configuration information and can configure general routing at the [edit routing-options] hierarchy level, routing protocols at the [edit protocols] hierarchy level, and routing policy at the [edit policy-options] hierarchy level. Commands Configuration Hierarchy Levels

No associated CLI commands. [edit bridge-domains] [edit bridge-domains domain multicast-snooping-options] [edit bridge-domains domain multicast-snooping-options traceoptions] [edit dynamic-profiles protocols igmp traceoptions] [edit dynamic-profiles protocols mld traceoptions] [edit dynamic-profiles protocols router-advertisement traceoptions] [edit dynamic-profiles routing-instances] [edit dynamic-profiles routing-instances instance bridge-domains] [edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options] [edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance multicast-snooping-options] [edit dynamic-profiles routing-instances instance multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance pbb-options] [edit dynamic-profiles routing-instances instance protocols] [edit dynamic-profiles routing-instances instance protocols bgp group neighbor traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp group traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp traceoptions] [edit dynamic-profiles routing-instances instance protocols esis traceoptions] [edit dynamic-profiles routing-instances instance protocols isis traceoptions] [edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ldp traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp traceoptions] [edit dynamic-profiles routing-instances instance protocols mvpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ospf traceoptions] [edit dynamic-profiles routing-instances instance protocols pim traceoptions] [edit dynamic-profiles routing-instances instance protocols rip traceoptions]


3907

®


[edit dynamic-profiles routing-instances instance protocols ripng traceoptions] [edit dynamic-profiles routing-instances instance protocols router-discovery traceoptions] [edit dynamic-profiles routing-instances instance protocols vpls traceoptions] [edit dynamic-profiles routing-instances instance routing-options] [edit dynamic-profiles routing-instances instance routing-options multicast traceoptions] [edit dynamic-profiles routing-instances instance routing-options traceoptions] [edit dynamic-profiles routing-instances instance service-groups] [edit dynamic-profiles routing-instances instance switch-options] [edit dynamic-profiles routing-options multicast traceoptions] [edit jnx-example] [edit fabric protocols] [edit fabric protocols bgp group neighbor traceoptions] [edit fabric protocols bgp group traceoptions] [edit fabric protocols bgp traceoptions] [edit fabric routing-instances] [edit fabric routing-instances instance routing-options] [edit fabric routing-instances instance routing-options traceoptions] [edit fabric routing-options] [edit fabric routing-options traceoptions] [edit logical-systems bridge-domains] [edit logical-systems bridge-domains domain multicast-snooping-options] [edit logical-systems bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems policy-options] [edit logical-systems protocols] [edit logical-systems protocols bgp group neighbor traceoptions] [edit logical-systems protocols bgp group traceoptions] [edit logical-systems protocols bgp traceoptions] [edit logical-systems protocols dvmrp traceoptions] [edit logical-systems protocols esis traceoptions] [edit logical-systems protocols igmp traceoptions] [edit logical-systems protocols igmp-host traceoptions] [edit logical-systems protocols isis traceoptions] [edit logical-systems protocols l2circuit traceoptions] [edit logical-systems protocols l2iw traceoptions] [edit logical-systems protocols ldp traceoptions] [edit logical-systems protocols mld traceoptions] [edit logical-systems protocols mld-host traceoptions] [edit logical-systems protocols msdp group peer traceoptions] [edit logical-systems protocols msdp group traceoptions] [edit logical-systems protocols msdp peer traceoptions] [edit logical-systems protocols msdp traceoptions] [edit logical-systems protocols ospf traceoptions] [edit logical-systems protocols pim traceoptions] [edit logical-systems protocols rip traceoptions] [edit logical-systems protocols ripng traceoptions] [edit logical-systems protocols router-advertisement traceoptions] [edit logical-systems protocols router-discovery traceoptions] [edit logical-systems protocols rsvp traceoptions] [edit logical-systems routing-instances] [edit logical-systems routing-instances instance bridge-domains] [edit logical-systems routing-instances instance bridge-domains domain multicast-snooping-options] [edit logical-systems routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems routing-instances instance multicast-snooping-options] [edit logical-systems routing-instances instance multicast-snooping-options

3908



traceoptions] [edit logical-systems routing-instances instance pbb-options] [edit logical-systems routing-instances instance protocols] [edit logical-systems routing-instances instance protocols bgp group neighbor traceoptions] [edit logical-systems routing-instances instance protocols bgp group traceoptions] [edit logical-systems routing-instances instance protocols bgp traceoptions] [edit logical-systems routing-instances instance protocols esis traceoptions] [edit logical-systems routing-instances instance protocols isis traceoptions] [edit logical-systems routing-instances instance protocols l2vpn traceoptions] [edit logical-systems routing-instances instance protocols ldp traceoptions] [edit logical-systems routing-instances instance protocols msdp group peer traceoptions] [edit logical-systems routing-instances instance protocols msdp group traceoptions] [edit logical-systems routing-instances instance protocols msdp peer traceoptions] [edit logical-systems routing-instances instance protocols msdp traceoptions] [edit logical-systems routing-instances instance protocols mvpn traceoptions] [edit logical-systems routing-instances instance protocols ospf traceoptions] [edit logical-systems routing-instances instance protocols pim traceoptions] [edit logical-systems routing-instances instance protocols rip traceoptions] [edit logical-systems routing-instances instance protocols ripng traceoptions] [edit logical-systems routing-instances instance protocols router-discovery traceoptions] [edit logical-systems routing-instances instance protocols vpls traceoptions] [edit logical-systems routing-instances instance routing-options] [edit logical-systems routing-instances instance routing-options multicast traceoptions] [edit logical-systems routing-instances instance routing-options traceoptions] [edit logical-systems routing-instances instance service-groups] [edit logical-systems routing-instances instance switch-options] [edit logical-systems routing-options] [edit logical-systems routing-options multicast traceoptions] [edit logical-systems routing-options traceoptions] [edit logical-systems switch-options] [edit multicast-snooping-options] [edit multicast-snooping-options traceoptions] [edit policy-options] [edit protocols] [edit protocols amt traceoptions] [edit protocols bgp group neighbor traceoptions] [edit protocols bgp group traceoptions] [edit protocols bgp traceoptions] [edit protocols connections][edit protocols dot1x] [edit protocols dvmrp traceoptions] [edit protocols esis traceoptions] [edit protocols igmp traceoptions] [edit protocols igmp-host traceoptions] [edit protocols igmp-snooping] [edit protocols isis traceoptions] [edit protocols l2circuit traceoptions] [edit protocols l2iw traceoptions] [edit protocols ldp traceoptions] [edit protocols lldp] [edit protocols lldp-med] [edit protocols mld traceoptions] [edit protocols mld-host traceoptions] [edit protocols msdp group peer traceoptions] [edit protocols msdp group traceoptions] [edit protocols msdp peer traceoptions]


3909

®


[edit protocols msdp traceoptions] [edit protocols mstp] [edit protocols mvrp] [edit protocols oam] [edit protocols ospf traceoptions] [edit protocols pim traceoptions] [edit protocols rip traceoptions] [edit protocols ripng traceoptions] [edit protocols router-advertisement traceoptions] [edit protocols router-discovery traceoptions] [edit protocols rsvp traceoptions] [edit protocols sflow] [edit protocols stp] [edit protocols uplink-failure-detection] [edit protocols vstp] [edit routing-instances] [edit routing-instances instance bridge-domains] [edit routing-instances instance bridge-domains domain multicast-snooping-options] [edit routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit routing-instances instance multicast-snooping-options] [edit routing-instances instance multicast-snooping-options traceoptions] [edit routing-instances instance pbb-options] [edit routing-instances instance protocols] [edit routing-instances instance protocols bgp group neighbor traceoptions] [edit routing-instances instance protocols bgp group traceoptions] [edit routing-instances instance protocols bgp traceoptions] [edit routing-instances instance protocols esis traceoptions] [edit routing-instances instance protocols isis traceoptions] [edit routing-instances instance protocols l2vpn traceoptions] [edit routing-instances instance protocols ldp traceoptions] [edit routing-instances instance protocols msdp group peer traceoptions] [edit routing-instances instance protocols msdp group traceoptions] [edit routing-instances instance protocols msdp peer traceoptions] [edit routing-instances instance protocols msdp traceoptions] [edit routing-instances instance protocols mvpn traceoptions] [edit routing-instances instance protocols ospf traceoptions] [edit routing-instances instance protocols pim traceoptions] [edit routing-instances instance protocols rip traceoptions] [edit routing-instances instance protocols ripng traceoptions] [edit routing-instances instance protocols router-discovery traceoptions] [edit routing-instances instance protocols vpls traceoptions] [edit routing-instances instance routing-options] [edit routing-instances instance routing-options multicast traceoptions] [edit routing-instances instance routing-options traceoptions] [edit routing-instances instance service-groups] [edit routing-instances instance switch-options] [edit routing-options] [edit routing-options multicast traceoptions] [edit routing-options traceoptions] [edit switch-options]


3910

•


•




•


•


•


•


secret Can view passwords and other authentication keys in the configuration. Commands Configuration Hierarchy Levels

No associated CLI commands. [edit access profile client chap-secret] [edit access profile client firewall-user password] [edit access profile client l2tp shared-secret] [edit access profile client pap-password] [edit access profile radius-server secret] [edit access radius-disconnect secret] [edit dynamic-profiles interfaces interface ppp-options chap default-chap-secret] [edit dynamic-profiles interfaces interface ppp-options pap default-password] [edit dynamic-profiles interfaces interface ppp-options pap local-password] [edit dynamic-profiles interfaces interface unit ppp-options chap default-chap-secret] [edit dynamic-profiles interfaces interface unit ppp-options pap default-password] [edit dynamic-profiles interfaces interface unit ppp-options pap local-password] [edit interfaces interface ppp-options chap default-chap-secret] [edit interfaces interface ppp-options pap default-password] [edit interfaces interface ppp-options pap local-password] [edit interfaces interface unit ppp-options chap default-chap-secret] [edit interfaces interface unit ppp-options pap default-password] [edit interfaces interface unit ppp-options pap local-password] [edit logical-systems interfaces interface unit ppp-options chap] [edit logical-systems interfaces interface unit ppp-options pap default-password] [edit logical-systems interfaces interface unit ppp-options pap local-password] [edit logical-systems routing-instances instance system services static-subscribers authentication password] [edit logical-systems routing-instances instance system services static-subscribers group authentication password] [edit logical-systems system services static-subscribers authentication password] [edit logical-systems system services static-subscribers group authentication password] [edit routing-instances instance system services static-subscribers authentication password] [edit routing-instances instance system services static-subscribers group authentication password] [edit services ggsn apn radius accounting server secret] [edit services ggsn apn radius authentication server secret] [edit services ggsn radius server secret] [edit system accounting destination radius server secret] [edit system accounting destination tacplus server secret] [edit system radius-server secret] [edit system services outbound-ssh client secret] [edit system services packet-triggered-subscribers partition-radius accounting-shared-secret] [edit system services static-subscribers authentication password]


3911

®


[edit system services static-subscribers group authentication password] [edit system tacplus-server secret]


•


•


•


•


•


•


secret-control Can view passwords and other authentication keys in the configuration and can modify them in configuration mode. Commands Configuration Hierarchy Levels

3912

No associated CLI commands. [edit access profile client chap-secret] [edit access profile client firewall-user password] [edit access profile client l2tp shared-secret] [edit access profile client pap-password] [edit access profile radius-server secret] [edit access radius-disconnect secret] [edit dynamic-profiles interfaces interface ppp-options chap default-chap-secret] [edit dynamic-profiles interfaces interface ppp-options pap default-password] [edit dynamic-profiles interfaces interface ppp-options pap local-password] [edit dynamic-profiles interfaces interface unit ppp-options chap default-chap-secret] [edit dynamic-profiles interfaces interface unit ppp-options pap default-password] [edit dynamic-profiles interfaces interface unit ppp-options pap local-password] [edit interfaces interface ppp-options chap default-chap-secret] [edit interfaces interface ppp-options pap default-password] [edit interfaces interface ppp-options pap local-password] [edit interfaces interface unit ppp-options chap default-chap-secret] [edit interfaces interface unit ppp-options pap default-password] [edit interfaces interface unit ppp-options pap local-password] [edit logical-systems interfaces interface unit ppp-options chap] [edit logical-systems interfaces interface unit ppp-options pap default-password] [edit logical-systems interfaces interface unit ppp-options pap local-password] [edit logical-systems routing-instances instance system services static-subscribers authentication password] [edit logical-systems routing-instances instance system services static-subscribers group authentication password] [edit logical-systems system services static-subscribers authentication password] [edit logical-systems system services static-subscribers group authentication password] [edit routing-instances instance system services static-subscribers authentication password] [edit routing-instances instance system services static-subscribers group authentication password] [edit services ggsn apn radius accounting server secret] [edit services ggsn apn radius authentication server secret]



[edit services ggsn radius server secret] [edit system accounting destination radius server secret] [edit system accounting destination tacplus server secret] [edit system radius-server secret] [edit system services outbound-ssh client secret] [edit system services packet-triggered-subscribers partition-radius accounting-shared-secret] [edit system services static-subscribers authentication password] [edit system services static-subscribers group authentication password] [edit system tacplus-server secret]


•


•


•


•


•


•

secret on page 3911

security Can view security configuration. Commands clear security clear security alarms clear security idp clear security idp application-ddos clear security idp application-ddos cache clear security idp application-identification clear security idp application-identification application-system-cache clear security idp application-statistics clear security idp attack clear security idp attack table clear security idp counters clear security idp ssl-inspection clear security idp ssl-inspection session-id-cache clear security idp status clear security log


3913

®


clear security pki clear security pki ca-certificate clear security pki certificate-request clear security pki crl clear security pki key-pair clear security pki local-certificate request security request security certificate request security certificate enroll request security datapath-debug request security datapath-debug action-profile request security datapath-debug action-profile reload-all request security idp request security idp security-package request security idp security-package download request security idp security-package download version request security idp security-package install request security idp ssl-inspection request security idp ssl-inspection key request security idp ssl-inspection key add request security idp ssl-inspection key delete request security idp storage-cleanup request security key-pair request security pki request security pki ca-certificate request security pki ca-certificate verify request security pki ca-certificate enroll request security pki ca-certificate load request security pki crl request security pki crl load request security pki generate-certificate-request request security pki generate-key-pair request security pki local-certificate request security pki local-certificate verify

3914



request security pki verify-integrity-status request security pki local-certificate enroll request security pki local-certificate generate-self-signed request security pki local-certificate load request system set-encryption-key show security show security alarms show security idp show security idp application-ddos show security idp application-ddos application show security idp application-identification show security idp application-identification application-system-cache show security idp application-statistics show security idp attack show security idp attack description show security idp attack detail show security idp attack table show security idp counters show security idp logical-system show security idp logical-system policy-association show security idp memory show security idp policies show security idp policy-templates-list show security idp policy-commit-status show security idp security-package-version


3915

®


show security idp ssl-inspection show security idp ssl-inspection key show security idp ssl-inspection session-id-cache show security idp status show security idp status detail show security keychain show security log show security pki show security pki ca-certificate show security pki certificate-request show security pki crl show security pki local-certificate



[edit security] [edit security alarms] [edit security log]

•


•


•


•


•


•


security-control Can view and configure security information at the [edit security] hierarchy level. Commands clear security clear security alarms clear security idp clear security idp application-ddos

3916



clear security idp application-ddos cache clear security idp application-identification clear security idp application-identification application-system-cache clear security idp application-statistics clear security idp attack clear security idp attack table clear security idp counters clear security idp ssl-inspection clear security idp ssl-inspection session-id-cache clear security idp status clear security log clear security pki clear security pki ca-certificate clear security pki certificate-request clear security pki crl clear security pki key-pair clear security pki local-certificate request security request security certificate request security certificate enroll request security datapath-debug request security datapath-debug action-profile request security datapath-debug action-profile reload-all request security idp request security idp security-package request security idp security-package download request security idp security-package download version request security idp security-package install request security idp ssl-inspection request security idp ssl-inspection key request security idp ssl-inspection key add


3917

®


request security idp ssl-inspection key delete request security idp storage-cleanup request security key-pair request security pki request security pki ca-certificate request security pki ca-certificate verify request security pki ca-certificate enroll request security pki ca-certificate load request security pki crl request security pki crl load request security pki generate-certificate-request request security pki generate-key-pair request security pki local-certificate request security pki local-certificate verify request security pki local-certificate enroll request security pki local-certificate generate-self-signed request security pki local-certificate load request system set-encryption-key show security show security alarms show security idp show security idp application-ddos show security idp application-ddos application show security idp application-identification show security idp application-identification application-system-cache show security idp application-statistics show security idp attack show security idp attack description show security idp attack detail show security idp attack table show security idp counters

3918



show security idp logical-system show security idp logical-system policy-association show security idp memory show security idp policies show security idp policy-templates-list show security idp policy-commit-status show security idp security-package-version show security idp ssl-inspection show security idp ssl-inspection key show security idp ssl-inspection session-id-cache show security idp status show security idp status detail show security keychain show security log show security pki show security pki ca-certificate show security pki certificate-request show security pki crl show security pki local-certificate


[edit security] [edit security alarms] [edit security log]


3919

®



•


•


•


•


•


•


shell Can start a local shell on the router. Commands


start shell start shell user


•


•


•


•


•


snmp Can view Simple Network Management Protocol (SNMP) configuration. Commands



3920

[edit snmp]

•


•


•


•


•


•

snmp-control



system Can view system-level configuration information. Commands


request chassis synchronization request chassis synchronization force request chassis synchronization force automatic-switching request chassis synchronization force mark-failed request chassis synchronization force unmark-failed request chassis synchronization switch [edit applications] [edit chassis system-domains] [edit dynamic-profiles routing-instances instance forwarding-options helpers tftp] [edit dynamic-profiles routing-instances instance routing-options fate-sharing] [edit ethernet-switching-options] [edit forwarding-options helpers bootp] [edit forwarding-options helpers domain] [edit forwarding-options helpers port] [edit forwarding-options helpers tftp] [edit logical-systems] [edit logical-systems routing-instances instance forwarding-options helpers bootp] [edit logical-systems routing-instances instance forwarding-options helpers domain] [edit logical-systems routing-instances instance forwarding-options helpers port] [edit logical-systems routing-instances instance forwarding-options helpers tftp] [edit logical-systems routing-instances instance routing-options fate-sharing] [edit logical-systems routing-options fate-sharing] [edit logical-systems system] [edit logical-systems system syslog] [edit routing-instances instance forwarding-options helpers bootp] [edit routing-instances instance forwarding-options helpers domain] [edit routing-instances instance forwarding-options helpers port] [edit routing-instances instance forwarding-options helpers tftp] [edit routing-instances instance routing-options fate-sharing] [edit routing-options fate-sharing] [edit services] [edit services ggsn charging charging-log traceoptions] [edit system] [edit system archival] [edit system backup-router] [edit system compress-configuration-files] [edit system default-address-selection] [edit system domain-name] [edit system domain-search] [edit system encrypt-configuration-files] [edit system host-name] [edit system inet6-backup-router] [edit system internet-options gre-path-mtu-discovery] [edit system internet-options ipip-path-mtu-discovery] [edit system internet-options ipv6-path-mtu-discovery] [edit system internet-options ipv6-path-mtu-discovery-timeout] [edit system internet-options ipv6-reject-zero-hop-limit] [edit system internet-options no-tcp-reset]


3921

®


[edit system internet-options no-tcp-rfc1323] [edit system internet-options no-tcp-rfc1323-paws] [edit system internet-options path-mtu-discovery] [edit system internet-options source-port upper-limit] [edit system internet-options source-quench] [edit system internet-options tcp-drop-synfin-set] [edit system internet-options tcp-mss] [edit system license] [edit system max-configuration-rollbacks] [edit system max-configurations-on-flash] [edit system mirror-flash-on-disk] [edit system no-debugger-on-alt-break> [edit system name-server] [edit system no-multicast-echo] [edit system no-neighbor-learn] [edit system no-redirects] [edit system ports auxiliary log-out-on-disconnect] [edit system ports auxiliary port-type] [edit system ports console log-out-on-disconnect] [edit system ports console port-type] [edit system processes] [edit system proxy] [edit system saved-core-context] [edit system saved-core-files] [edit system services] [edit system services web-management] [edit system static-host-mapping] [edit system syslog] [edit system time-zone] [edit virtual-chassis] [edit vlans]


•


•


•


•


•


•


system-control Can view system-level configuration information and configure it at the [edit system] hierarchy level. Configuration Hierarchy Levels

3922

[edit applications] [edit chassis system-domains] [edit dynamic-profiles routing-instances instance forwarding-options helpers tftp] [edit dynamic-profiles routing-instances instance routing-options fate-sharing] [edit ethernet-switching-options] [edit forwarding-options helpers bootp] [edit forwarding-options helpers domain]



[edit forwarding-options helpers port] [edit forwarding-options helpers tftp] [edit logical-systems] [edit logical-systems routing-instances instance forwarding-options helpers bootp] [edit logical-systems routing-instances instance forwarding-options helpers domain] [edit logical-systems routing-instances instance forwarding-options helpers port] [edit logical-systems routing-instances instance forwarding-options helpers tftp] [edit logical-systems routing-instances instance routing-options fate-sharing] [edit logical-systems routing-options fate-sharing] [edit logical-systems system] [edit poe] [edit routing-instances instance forwarding-options helpers bootp] [edit routing-instances instance forwarding-options helpers domain] [edit routing-instances instance forwarding-options helpers port] [edit routing-instances instance forwarding-options helpers tftp] [edit routing-instances instance routing-options fate-sharing] [edit routing-options fate-sharing] [edit services] [edit services ggsn charging charging-log traceoptions] [edit system] [edit system archival] [edit system backup-router] [edit system compress-configuration-files] [edit system default-address-selection] [edit system domain-name] [edit system domain-search] [edit system encrypt-configuration-files] [edit system host-name] [edit system inet6-backup-router] [edit system internet-options gre-path-mtu-discovery] [edit system internet-options ipip-path-mtu-discovery] [edit system internet-options ipv6-path-mtu-discovery] [edit system internet-options ipv6-path-mtu-discovery-timeout] [edit system internet-options ipv6-reject-zero-hop-limit] [edit system internet-options no-tcp-reset] [edit system internet-options no-tcp-rfc1323] [edit system internet-options no-tcp-rfc1323-paws] [edit system internet-options path-mtu-discovery] [edit system internet-options source-port upper-limit] [edit system internet-options source-quench] [edit system internet-options tcp-drop-synfin-set] [edit system internet-options tcp-mss] [edit system license] [edit system max-configuration-rollbacks] [edit system max-configurations-on-flash] [edit system mirror-flash-on-disk] [edit system name-server] [edit system no-multicast-echo] [edit system no-neighbor-learn] [edit system no-redirects] [edit system ports auxiliary log-out-on-disconnect] [edit system ports auxiliary port-type] [edit system ports console log-out-on-disconnect] [edit system ports console port-type] [edit system processes] [edit system saved-core-context]


3923

®


[edit system saved-core-files] [edit system services] [edit system services web-management] [edit system static-host-mapping] [edit system syslog] [edit system time-zone] [edit virtual-chassis] [edit vlans]


•


•


•


•


•


•

system on page 3921

trace Can view trace file settings and configure trace file properties. Commands clear log monitor request-monitor-ethernet-delay-measurement monitor interface monitor interface traffic monitor label-switched-path monitor list monitor start monitor static-lsp monitor stop show log show log user


3924

[edit bridge-domains domain multicast-snooping-options traceoptions] [edit bridge-domains domain protocols igmp-snooping] [edit bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit bridge-domains domain protocols igmp-snooping traceoptions] [edit bridge-domains domain forwarding-options dhcp-relay interface-traceoptions] [edit bridge-domains domain multicast-snooping-options traceoptions] [edit bridge-domains domain protocols igmp-snooping traceoptions] [edit class-of-service application-traffic-control traceoptions] [edit demux traceoptions] [edit dynamic-profiles protocols igmp traceoptions] [edit dynamic-profiles protocols mld traceoptions]



[edit dynamic-profiles class-of-service application-traffic-control traceoptions] [edit dynamic-profiles protocols oam ethernet link-fault-management traceoptions] [dynamic-profiles protocols oam ethernet lmi] [edit dynamic-profiles protocols router-advertisement traceoptions] [edit dynamic-profiles protocols oam gre-tunnel traceoptions] [edit dynamic-profiles routing-instances instance bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance bridge-domains domain protocols igmp-snooping traceoptions] [edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay traceoptions] [edit dynamic-profiles routing-instances instance multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp group neighbor traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp group traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp traceoptions] [edit dynamic-profiles routing-instances instance protocols esis traceoptions] [edit dynamic-profiles routing-instances instance protocols igmp-snooping traceoptions] [edit dynamic-profiles routing-instances instance protocols isis traceoptions] [edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ldp traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp traceoptions] [edit dynamic-profiles routing-instances instance protocols mvpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ospf traceoptions] [edit dynamic-profiles routing-instances instance protocols pim traceoptions] [edit dynamic-profiles routing-instances instance protocols rip traceoptions] [edit dynamic-profiles routing-instances instance protocols ripng traceoptions] [edit dynamic-profiles routing-instances instance protocols router-discovery traceoptions] [edit dynamic-profiles routing-instances instance protocols vpls traceoptions] [edit dynamic-profiles routing-instances instance routing-options multicast traceoptions] [edit dynamic-profiles routing-instances instance routing-options traceoptions] [edit dynamic-profiles routing-instances instance services mobile-ip traceoptions] [edit dynamic-profiles routing-instances instance system services dhcp-local-server traceoptions] [edit dynamic-profiles routing-options multicast traceoptions] [edit fabric protocols bgp group neighbor traceoptions] [edit fabric protocols bgp group traceoptions] [edit fabric protocols bgp traceoptions] [edit fabric routing-instances instance routing-options traceoptions] [edit fabric routing-options traceoptions] [edit jnx-example traceoptions] [edit logical-systems bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit logical-systems bridge-domains domain forwarding-options dhcp-relay interface-traceoptions] [edit logical-systems bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems bridge-domains domain protocols igmp-snooping traceoptions] [edit logical-systems forwarding-options dhcp-relay traceoptions] [edit logical-systems protocols ancp traceoptions]


3925

®


[edit logical-systems protocols bgp group neighbor traceoptions] [edit logical-systems protocols bgp group traceoptions] [edit logical-systems protocols bgp traceoptions] [edit logical-systems protocols dot1x traceoptions] [edit logical-systems protocols dvmrp traceoptions] [edit logical-systems protocols esis traceoptions] [edit logical-systems protocols igmp traceoptions] [edit logical-systems protocols igmp-host traceoptions] [edit logical-systems protocols ilmi traceoptions] [edit logical-systems protocols isis traceoptions] [edit logical-systems protocols l2circuit traceoptions] [edit logical-systems protocols l2iw traceoptions] [edit logical-systems protocols lacp traceoptions] [edit logical-systems protocols layer2-control traceoptions] [edit logical-systems protocols ldp traceoptions] [edit logical-systems protocols mld traceoptions] [edit dynamic-profiles protocols oam ethernet fnp traceoptions] [edit logical-systems protocols mld-host traceoptions] [edit logical-systems protocols mpls label-switched-path oam traceoptions] [edit logical-systems protocols mpls label-switched-path primary oam traceoptions] [edit logical-systems protocols mpls label-switched-path secondary oam traceoptions] [edit logical-systems protocols mpls oam traceoptions] [edit logical-systems protocols msdp group peer traceoptions] [edit logical-systems protocols msdp group traceoptions] [edit logical-systems protocols msdp peer traceoptions] [edit logical-systems protocols msdp traceoptions] [edit logical-systems protocols neighbor-discovery secure traceoptions] [edit logical-systems protocols oam ethernet fnp traceoptions] [edit logical-systems protocols oam ethernet link-fault-management traceoptions] [edit logical-systems protocols oam ethernet lmi traceoptions] [edit logical-systems protocols ospf traceoptions] [edit logical-systems protocols pim traceoptions] [edit logical-systems protocols ppp monitor-session] [edit logical-systems protocols ppp traceoptions] [edit logical-systems protocols ppp-service traceoptions] [edit logical-systems protocols pppoe traceoptions] [edit logical-systems protocols rip traceoptions] [edit logical-systems protocols ripng traceoptions] [edit logical-systems protocols router-advertisement traceoptions] [edit logical-systems protocols router-discovery traceoptions] [edit logical-systems protocols rsvp lsp-set traceoptions] [edit logical-systems protocols rsvp traceoptions] [edit logical-systems routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems routing-instances instance bridge-domains domain protocols igmp-snooping traceoptions] [edit logical-systems routing-instances instance forwarding-options dhcp-relay traceoptions] [edit logical-systems routing-instances instance multicast-snooping-options traceoptions] [edit logical-systems routing-instances instance protocols bgp group neighbor traceoptions] [edit logical-systems routing-instances instance protocols bgp group traceoptions] [edit logical-systems routing-instances instance protocols bgp traceoptions] [edit logical-systems routing-instances instance protocols esis traceoptions] [edit logical-systems routing-instances instance protocols igmp-snooping traceoptions]

3926



[edit logical-systems routing-instances instance protocols isis traceoptions] [edit logical-systems routing-instances instance protocols l2vpn traceoptions] [edit logical-systems routing-instances instance protocols ldp traceoptions] [edit logical-systems routing-instances instance protocols msdp group peer traceoptions] [edit logical-systems routing-instances instance protocols msdp group traceoptions] [edit logical-systems routing-instances instance protocols msdp peer traceoptions] [edit logical-systems routing-instances instance protocols msdp traceoptions] [edit logical-systems routing-instances instance protocols mvpn traceoptions] [edit logical-systems routing-instances instance protocols ospf traceoptions] [edit logical-systems routing-instances instance protocols pim traceoptions] [edit logical-systems routing-instances instance protocols rip traceoptions] [edit logical-systems routing-instances instance protocols ripng traceoptions] [edit logical-systems routing-instances instance protocols router-discovery traceoptions] [edit logical-systems routing-instances instance protocols vpls traceoptions] [edit logical-systems routing-instances instance routing-options multicast traceoptions] [edit logical-systems routing-instances instance routing-options traceoptions] [edit logical-systems routing-instances instance services mobile-ip traceoptions] [edit logical-systems routing-instances instance system services dhcp-local-server traceoptions] [edit logical-systems routing-instances instance system services dhcp-local-server interface-traceoptions] [edit logical-systems routing-options multicast traceoptions] [edit logical-systems routing-options traceoptions] [edit logical-systems services mobile-ip traceoptions] [edit logical-systems system services dhcp-local-server traceoptions] [edit logical-systems system services dhcp-local-server interface-traceoptions] [edit multicast-snooping-options traceoptions] [edit protocols ancp traceoptions] [edit protocols bgp group neighbor traceoptions] [edit protocols bgp group traceoptions] [edit protocols bgp traceoptions] [edit protocols dot1x traceoptions] [edit protocols dvmrp traceoptions] [edit protocols esis traceoptions] [edit protocols igmp traceoptions] [edit protocols igmp-host traceoptions] [edit protocols ilmi traceoptions] [edit protocols isis traceoptions] [edit protocols l2circuit traceoptions] [edit protocols l2iw traceoptions] [edit protocols lacp traceoptions] [edit protocols layer2-control traceoptions] [edit protocols ldp traceoptions] [edit protocols mld traceoptions] [edit protocols mld-host traceoptions] [edit protocols mpls label-switched-path oam traceoptions] [edit protocols mpls label-switched-path primary oam traceoptions] [edit protocols mpls label-switched-path secondary oam traceoptions] [edit protocols mpls oam traceoptions] [edit protocols msdp group peer traceoptions] [edit protocols msdp group traceoptions] [edit protocols msdp peer traceoptions] [edit protocols msdp traceoptions] [edit protocols neighbor-discovery secure traceoptions] [edit protocols protocols oam ethernet fnp] [edit protocols oam ethernet connectivity-fault-management traceoptions]


3927

®


[edit protocols oam ethernet link-fault-management traceoptions] [edit protocols oam ethernet lmi traceoptions] [edit protocols ospf traceoptions] [edit protocols pim traceoptions] [edit protocols ppp monitor-session] [edit protocols ppp traceoptions] [edit protocols ppp-service traceoptions] [edit protocols pppoe traceoptions] [edit protocols rip traceoptions] [edit protocols ripng traceoptions] [edit protocols router-advertisement traceoptions] [edit protocols router-discovery traceoptions] [edit protocols rsvp lsp-set traceoptions] [edit protocols rsvp traceoptions] [edit routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit routing-instances instance bridge-domains domain protocols igmp-snooping traceoptions] [edit routing-instances instance multicast-snooping-options traceoptions] [edit routing-instances instance protocols bgp group neighbor traceoptions] [edit routing-instances instance protocols bgp group traceoptions] [edit routing-instances instance protocols bgp traceoptions] [edit routing-instances instance protocols esis traceoptions] [edit routing-instances instance protocols igmp-snooping traceoptions] [edit routing-instances instance protocols isis traceoptions] [edit routing-instances instance protocols l2vpn traceoptions] [edit routing-instances instance protocols ldp traceoptions] [edit routing-instances instance protocols msdp group peer traceoptions] [edit routing-instances instance protocols msdp group traceoptions] [edit routing-instances instance protocols msdp peer traceoptions] [edit routing-instances instance protocols msdp traceoptions] [edit routing-instances instance protocols mvpn traceoptions] [edit routing-instances instance protocols ospf traceoptions] [edit routing-instances instance protocols pim traceoptions] [edit routing-instances instance protocols rip traceoptions] [edit routing-instances instance protocols ripng traceoptions] [edit routing-instances instance protocols router-discovery traceoptions] [edit routing-instances instance protocols vpls traceoptions] [edit routing-instances instance routing-options multicast traceoptions] [edit routing-instances instance routing-options traceoptions] [edit routing-options multicast traceoptions] [edit routing-options traceoptions] [edit security idp traceoptions] [edit security pki traceoptions] [edit services adaptive-services-pics traceoptions] [edit services captive-portal-content-delivery] [edit services l2tp traceoptions] [edit services server-load-balance traceoptions] [edit services logging traceoptions] [edit services mobile-ip traceoptions] [edit services ssl traceoptions] [edit system accounting traceoptions] [edit system auto-configuration traceoptions] [edit system ddos-protection traceoptions] [edit system license traceoptions] [edit system processes datapath-trace-service traceoptions]

3928



[edit system processes dhcp-service interface-traceoptions] [edit system processes dhcp-service traceoptions] [edit system processes diameter-service traceoptions] [edit system processes general-authentication-service traceoptions] [edit system processes mac-validation traceoptions] [edit system processes mag-service traceoptions] [edit system processes process-monitor traceoptions] [edit system processes resource-cleanup traceoptions] [edit system processes sdk-service traceoptions] [edit system processes static-subscribers traceoptions] [edit system services database-replication traceoptions] [edit system services dhcp traceoptions] [edit system services local-policy-decision-function traceoptions] [edit system services outbound-ssh traceoptions] [edit system services service-deployment traceoptions] [edit system services subscriber-management traceoptions] [edit system services subscriber-management-helper traceoptions]


•


•


•


•


•


•


trace-control Can modify trace file settings and configure trace file properties Configuration Hierarchy Levels

[edit bridge-domains domain forwarding-options dhcp-relay interface-traceoptions] [edit bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit bridge-domains domain multicast-snooping-options traceoptions] [edit bridge-domains domain protocols igmp-snooping traceoptions] [edit demux traceoptions] [edit dynamic-profiles protocols igmp traceoptions] [edit dynamic-profiles protocols mld traceoptions] [edit dynamic-profiles protocols oam ethernet link-fault-management traceoptions] [dynamic-profiles protocols oam ethernet lmi] [edit dynamic-profiles protocols router-advertisement traceoptions] [edit dynamic-profiles protocols oam gre-tunnel traceoptions] [edit dynamic-profiles routing-instances instance bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit dynamic-profiles routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit dynamic-profiles routing-instances instance bridge-domains domain protocols igmp-snooping traceoptions] [edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay traceoptions] [edit dynamic-profiles routing-instances instance multicast-snooping-options traceoptions]


3929

®


[edit dynamic-profiles routing-instances instance protocols bgp group neighbor traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp group traceoptions] [edit dynamic-profiles routing-instances instance protocols bgp traceoptions] [edit dynamic-profiles routing-instances instance protocols esis traceoptions] [edit dynamic-profiles routing-instances instance protocols igmp-snooping traceoptions] [edit dynamic-profiles routing-instances instance protocols isis traceoptions] [edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ldp traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp group traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp peer traceoptions] [edit dynamic-profiles routing-instances instance protocols msdp traceoptions] [edit dynamic-profiles routing-instances instance protocols mvpn traceoptions] [edit dynamic-profiles routing-instances instance protocols ospf traceoptions] [edit dynamic-profiles routing-instances instance protocols pim traceoptions] [edit dynamic-profiles routing-instances instance protocols rip traceoptions] [edit dynamic-profiles routing-instances instance protocols ripng traceoptions] [edit dynamic-profiles routing-instances instance protocols router-discovery traceoptions] [edit dynamic-profiles routing-instances instance protocols vpls traceoptions] [edit dynamic-profiles routing-instances instance routing-options multicast traceoptions] [edit dynamic-profiles routing-instances instance routing-options traceoptions] [edit dynamic-profiles routing-instances instance services mobile-ip traceoptions] [edit dynamic-profiles routing-instances instance system services dhcp-local-server traceoptions] [edit dynamic-profiles routing-options multicast traceoptions] [edit fabric protocols bgp group neighbor traceoptions] [edit fabric protocols bgp group traceoptions] [edit fabric protocols bgp traceoptions] [edit fabric routing-instances instance routing-options traceoptions] [edit fabric routing-options traceoptions] [edit forwarding-options dhcp-relay interface-traceoptions] [edit forwarding-options dhcp-relay traceoptions] [edit jnx-example traceoptions] [edit logical-systems bridge-domains domain forwarding-options dhcp-relay interface-traceoptions] [edit logical-systems bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit logical-systems bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems bridge-domains domain protocols igmp-snooping traceoptions] [edit logical-systems forwarding-options dhcp-relay traceoptions] [edit logical-systems protocols ancp traceoptions] [edit logical-systems protocols bgp group neighbor traceoptions] [edit logical-systems protocols bgp group traceoptions] [edit logical-systems protocols bgp traceoptions] [edit logical-systems protocols dot1x traceoptions] [edit logical-systems protocols dvmrp traceoptions] [edit logical-systems protocols esis traceoptions] [edit logical-systems protocols igmp traceoptions] [edit logical-systems protocols igmp-host traceoptions] [edit logical-systems protocols ilmi traceoptions] [edit logical-systems protocols isis traceoptions] [edit logical-systems protocols l2circuit traceoptions] [edit logical-systems protocols l2iw traceoptions] [edit logical-systems protocols lacp traceoptions]

3930



[edit logical-systems protocols layer2-control traceoptions] [edit logical-systems protocols ldp traceoptions] [edit logical-systems protocols mld traceoptions] [edit logical-systems protocols mld-host traceoptions] [edit logical-systems protocols mpls label-switched-path oam traceoptions] [edit logical-systems protocols mpls label-switched-path primary oam traceoptions] [edit logical-systems protocols mpls label-switched-path secondary oam traceoptions] [edit logical-systems protocols mpls oam traceoptions] [edit logical-systems protocols msdp group peer traceoptions] [edit logical-systems protocols msdp group traceoptions] [edit logical-systems protocols msdp peer traceoptions] [edit logical-systems protocols msdp traceoptions] [edit logical-systems protocols neighbor-discovery secure traceoptions] [edit logical-systems protocols oam ethernet link-fault-management traceoptions] [edit logical-systems protocols oam ethernet lmi traceoptions] [edit logical-systems protocols ospf traceoptions] [edit logical-systems protocols pim traceoptions] [edit logical-systems protocols ppp monitor-session] [edit logical-systems protocols ppp traceoptions] [edit logical-systems protocols ppp-service traceoptions] [edit logical-systems protocols pppoe traceoptions] [edit logical-systems protocols rip traceoptions] [edit logical-systems protocols ripng traceoptions] [edit logical-systems protocols router-advertisement traceoptions] [edit logical-systems protocols router-discovery traceoptions] [edit logical-systems protocols rsvp traceoptions] [edit logical-systems routing-instances instance bridge-domains domain forwarding-options dhcp-relay interface-traceoptions] [edit logical-systems routing-instances instance bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit logical-systems routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit logical-systems routing-instances instance bridge-domains domain protocols igmp-snooping traceoptions] [edit logical-systems routing-instances instance forwarding-options dhcp-relay traceoptions] [edit logical-systems routing-instances instance multicast-snooping-options traceoptions] [edit logical-systems routing-instances instance protocols bgp group neighbor traceoptions] [edit logical-systems routing-instances instance protocols bgp group traceoptions] [edit logical-systems routing-instances instance protocols bgp traceoptions] [edit logical-systems routing-instances instance protocols esis traceoptions] [edit logical-systems routing-instances instance protocols igmp-snooping traceoptions] [edit logical-systems routing-instances instance protocols isis traceoptions] [edit logical-systems routing-instances instance protocols l2vpn traceoptions] [edit logical-systems routing-instances instance protocols ldp traceoptions] [edit logical-systems routing-instances instance protocols msdp group peer traceoptions] [edit logical-systems routing-instances instance protocols msdp group traceoptions] [edit logical-systems routing-instances instance protocols msdp peer traceoptions] [edit logical-systems routing-instances instance protocols msdp traceoptions] [edit logical-systems routing-instances instance protocols mvpn traceoptions] [edit logical-systems routing-instances instance protocols ospf traceoptions] [edit logical-systems routing-instances instance protocols pim traceoptions] [edit logical-systems routing-instances instance protocols rip traceoptions] [edit logical-systems routing-instances instance protocols ripng traceoptions]


3931

®


[edit logical-systems routing-instances instance protocols router-discovery traceoptions] [edit logical-systems routing-instances instance protocols vpls traceoptions] [edit logical-systems routing-instances instance routing-options multicast traceoptions] [edit logical-systems routing-instances instance routing-options traceoptions] [edit logical-systems routing-instances instance services mobile-ip traceoptions] [edit logical-systems routing-instances instance system services dhcp-local-server interface-traceoptions] [edit logical-systems routing-instances instance system services dhcp-local-server traceoptions] [edit logical-systems routing-options multicast traceoptions] [edit logical-systems routing-options traceoptions] [edit logical-systems services mobile-ip traceoptions] [edit logical-systems system services dhcp-local-server interface-traceoptions] [edit logical-systems system services dhcp-local-server traceoptions] [edit multicast-snooping-options traceoptions] [edit protocols ancp traceoptions] [edit protocols bgp group neighbor traceoptions] [edit protocols bgp group traceoptions] [edit protocols bgp traceoptions] [edit protocols dot1x traceoptions] [edit protocols dvmrp traceoptions] [edit protocols esis traceoptions] [edit protocols igmp traceoptions] [edit protocols igmp-host traceoptions] [edit protocols ilmi traceoptions] [edit protocols isis traceoptions] [edit protocols l2circuit traceoptions] [edit protocols l2iw traceoptions] [edit protocols lacp traceoptions] [edit protocols layer2-control traceoptions] [edit protocols ldp traceoptions] [edit protocols mld traceoptions] [edit protocols mld-host traceoptions] [edit protocols mpls label-switched-path oam traceoptions] [edit protocols mpls label-switched-path primary oam traceoptions] [edit protocols mpls label-switched-path secondary oam traceoptions] [edit protocols mpls oam traceoptions] [edit protocols msdp group peer traceoptions] [edit protocols msdp group traceoptions] [edit protocols msdp peer traceoptions] [edit protocols msdp traceoptions] [edit protocols neighbor-discovery secure traceoptions] [edit protocols oam ethernet connectivity-fault-management traceoptions] [edit protocols oam ethernet link-fault-management traceoptions] [edit protocols oam ethernet lmi traceoptions] [edit protocols ospf traceoptions] [edit protocols pim traceoptions] [edit protocols ppp monitor-session] [edit protocols ppp traceoptions] [edit protocols ppp-service traceoptions] [edit protocols pppoe traceoptions] [edit protocols rip traceoptions] [edit protocols ripng traceoptions] [edit protocols router-advertisement traceoptions] [edit protocols router-discovery traceoptions] [edit protocols rsvp traceoptions]

3932



[edit routing-instances instance bridge-domains domain forwarding-options dhcp-relay interface-traceoptions] [edit routing-instances instance bridge-domains domain forwarding-options dhcp-relay traceoptions] [edit routing-instances instance bridge-domains domain multicast-snooping-options traceoptions] [edit routing-instances instance bridge-domains domain protocols igmp-snooping traceoptions] [edit routing-instances instance forwarding-options dhcp-relay traceoptions] [edit routing-instances instance forwarding-options dhcp-relay interface-traceoptions] [edit routing-instances instance multicast-snooping-options traceoptions] [edit routing-instances instance protocols bgp group neighbor traceoptions] [edit routing-instances instance protocols bgp group traceoptions] [edit routing-instances instance protocols bgp traceoptions] [edit routing-instances instance protocols esis traceoptions] [edit routing-instances instance protocols igmp-snooping traceoptions] [edit routing-instances instance protocols isis traceoptions] [edit routing-instances instance protocols l2vpn traceoptions] [edit routing-instances instance protocols ldp traceoptions] [edit routing-instances instance protocols msdp group peer traceoptions] [edit routing-instances instance protocols msdp group traceoptions] [edit routing-instances instance protocols msdp peer traceoptions] [edit routing-instances instance protocols msdp traceoptions] [edit routing-instances instance protocols mvpn traceoptions] [edit routing-instances instance protocols ospf traceoptions] [edit routing-instances instance protocols pim traceoptions] [edit routing-instances instance protocols rip traceoptions] [edit routing-instances instance protocols ripng traceoptions] [edit routing-instances instance protocols router-discovery traceoptions] [edit routing-instances instance protocols vpls traceoptions] [edit routing-instances instance routing-options multicast traceoptions] [edit routing-instances instance routing-options traceoptions] [edit routing-instances instance system services dhcp-local-server interface-traceoptions] [edit routing-instances instance system services dhcp-local-server traceoptions] [edit routing-options multicast traceoptions] [edit routing-options traceoptions] [edit security idp traceoptions] [edit security pki traceoptions] [edit services adaptive-services-pics traceoptions] [edit services captive-portal-content-delivery] [edit system ddos-protection traceoptions] [edit services l2tp traceoptions] [edit services logging traceoptions] [edit services mobile-ip traceoptions] [edit services server-load-balance traceoptions] [edit services ssl traceoptions] [edit system accounting traceoptions] [edit system auto-configuration traceoptions] [edit system license traceoptions] [edit system processes datapath-trace-service traceoptions] [edit system processes diameter-service traceoptions] [edit system processes general-authentication-service traceoptions] [edit system processes mac-validation traceoptions] [edit system processes process-monitor traceoptions] [edit system processes resource-cleanup traceoptions] [edit system processes sdk-service traceoptions]


3933

®


[edit system processes static-subscribers traceoptions] [edit system services database-replication traceoptions] [edit system services dhcp traceoptions] [edit system services dhcp-local-server traceoptions] [edit system services dhcp-local-server interface-traceoptions] [edit system services local-policy-decision-function traceoptions] [edit system services outbound-ssh traceoptions] [edit system services service-deployment traceoptions] [edit system services subscriber-management traceoptions] [edit system services subscriber-management-helper traceoptions]


•


•


•


•


•


•

trace on page 3924

view Can view current system-wide, routing table, and protocol-specific values and statistics. Commands clear ipv6 router-advertisement show show accounting show accounting profile show accounting records show amt show amt statistics show amt summary show amt tunnel show amt tunnel gateway-address show amt tunnel tunnel-interface show ancp show ancp cos show ancp cos last-update

3934



show ancp cos pending-update show ancp neighbor show ancp subscriber show ancp subscriber identifier show ancp subscriber neighbor show aps show aps group show aps interface show arp show as-path show as-path domain show auto-configuration show auto-configuration interfaces show bfd show bfd session show bfd session address show bfd session discriminator show bfd session prefix show bgp show bgp bmp show bgp group show bgp group rtf show bgp group traffic-statistics show bgp neighbor show bgp neighbor orf


3935

®


show bgp replication show bgp summary show bridge show bridge domain show bridge domain operational show bridge flood show bridge flood event-queue show bridge flood route show bridge flood route all-ce-flood show bridge flood route all-ve-flood show bridge flood route alt-root-flood show bridge flood route bd-flood show bridge flood route mlp-flood show bridge flood route re-flood show bridge mac-table show bridge mac-table interface show bridge statistics show chassis show chassis alarms show chassis alarms fpc show chassis beacon get-chassis-beacon-information> show chassis beacon cb show chassis environment ccg

3936



show chassis cfeb show chassis cip show chassis craft-interface show chassis environment show chassis environment cb show chassis environment cip show chassis environment feb show chassis environment fpc show chassis environment fpm show chassis environment mcs show chassis environment pcg show chassis environment pdu show chassis environment pem show chassis environment psu show chassis environment routing-engine show chassis environment scg show chassis environment sfm show chassis environment sib show chassis environment sib f13 show chassis environment sib f2s show chassis ethernet-switch show chassis ethernet-switch errors show chassis ethernet-switch statistics


3937

®


show chassis fabric show chassis fabric device show chassis fabric connectivity show chassis fabric destinations show chassis fabric errors show chassis fabric errors autoheal show chassis fabric errors fpc show chassis fabric errors sib show chassis fabric errors sib f13 show chassis fabric errors sib f2s show chassis fabric feb show chassis fabric fpcs show chassis fabric links show chassis fabric map show chassis fabric plane show chassis fabric plane-location show chassis fabric reachability show chassis fabric sibs show chassis fabric spray-weights .... show chassis fabric spray-weights from show chassis fabric spray-weights to show chassis fabric summary show chassis fabric topology show chassis fabric unreachable-destinations show chassis fan show chassis feb show chassis feb detail show chassis firmware show chassis firmware detail

3938



show chassis forwarding show chassis fpc show chassis fpc pic-status show chassis fpc-feb-connectivity show chassis hardware show chassis hss show chassis hss link-quality show chassis in-service-upgrade show chassis ioc-npc-connectivity show chassis lccs show chassis location show chassis location fpc show chassis location interface show chassis location interface by-name show chassis location interface by-slot show chassis mac-addresses show chassis multicast-loadbalance show chassis network-services show chassis nonstop-upgrade show chassis pic show chassis power show chassis power detail show chassis power sequence show chassis power upgrade show chassis power-ratings show chassis psd


3939

®


show chassis redundancy show chassis redundancy feb show chassis redundancy feb errors show chassis redundancy feb redundancy-group show chassis redundant-power-system show chassis routing-engine show chassis routing-engine bios show chassis scb show chassis sfm show chassis sfm detail show chassis sibs show chassis spmb show chassis spmb sibs show chassis ssb show chassis synchronization show chassis synchronization backup show chassis synchronization master show chassis temperature-thresholds show chassis zones show class-of-service show class-of-service adaptive-shaper show class-of-service application-traffic-control show class-of-service application-traffic-control counter

3940



show class-of-service application-traffic-control statistics show class-of-service application-traffic-control statistics rate-limiter show class-of-service application-traffic-control statistics rule show class-of-service classifier show class-of-service code-point-aliases show class-of-service congestion-notification show class-of-service drop-profile show class-of-service fabric show class-of-service fabric scheduler-map show class-of-service fabric statistics show class-of-service forwarding-class show class-of-service forwarding-class-set show class-of-service forwarding-table show class-of-service forwarding-table classifier show class-of-service forwarding-table classifier mapping show class-of-service forwarding-table drop-profile show class-of-service forwarding-table fabric show class-of-service forwarding-table fabric scheduler-map show class-of-service forwarding-table forwarding-class-map show class-of-service forwarding-table forwarding-class-map mapping show class-of-service forwarding-table loss-priority-map show class-of-service forwarding-table loss-priority-map mapping show class-of-service forwarding-table loss-priority-rewrite


3941

®


show class-of-service forwarding-table loss-priority-rewrite mapping show class-of-service forwarding-table policer show class-of-service forwarding-table rewrite-rule show class-of-service forwarding-table rewrite-rule mapping show class-of-service forwarding-table scheduler-map show class-of-service forwarding-table shaper show class-of-service forwarding-table translation-table show class-of-service forwarding-table translation-table mapping show class-of-service fragmentation-map show class-of-service interface show class-of-service interface-set show class-of-service l2tp-session show class-of-service loss-priority-map show class-of-service loss-priority-rewrite show class-of-service multi-destination show class-of-service rewrite-rule show class-of-service routing-instance show class-of-service scheduler-map show class-of-service traffic-control-profile

3942



show class-of-service translation-table show class-of-service virtual-channel show class-of-service virtual-channel-group show cli show cli authorization show cli directory show cli history show configuration show connections show database-replication show database-replication statistics show database-replication summary show ddos-protection show ddos-protection protocols

show ddos-protection protocols ancp

show ddos-protection protocols ancp aggregate

show ddos-protection protocols ancp parameters

show ddos-protection protocols ancp statistics show ddos-protection protocols ancp violations show ddos-protection protocols ancpv6 show ddos-protection protocols ancpv6 aggregate get-ddos-ancpv6-aggregate show ddos-protection protocols ancpv6 parameters get-ddos-ancpv6-parameters show ddos-protection protocols ancpv6 statistics get-ddos-ancpv6-statistics show ddos-protection protocols ancpv6 violations


3943

®


get-ddos-ancpv6-violations show ddos-protection protocols arp get-ddos-arp-information show ddos-protection protocols arp aggregate get-ddos-arp-aggregate show ddos-protection protocols arp parameters get-ddos-arp-parameters show ddos-protection protocols arp statistics get-ddos-arp-statistics show ddos-protection protocols arp violations get-ddos-arp-violations show ddos-protection protocols atm get-ddos-atm-information show ddos-protection protocols atm aggregate get-ddos-atm-aggregate show ddos-protection protocols atm parameters get-ddos-atm-parameters show ddos-protection protocols atm statistics get-ddos-atm-statistics show ddos-protection protocols atm violations get-ddos-atm-violations show ddos-protection protocols bfd get-ddos-bfd-information show ddos-protection protocols bfd aggregate get-ddos-bfd-aggregate show ddos-protection protocols bfd parameters get-ddos-bfd-parameters show ddos-protection protocols bfd statistics get-ddos-bfd-statistics show ddos-protection protocols bfd violations get-ddos-bfd-violations show ddos-protection protocols bfdv6 get-ddos-bfdv6-information show ddos-protection protocols bfdv6 aggregate get-ddos-bfdv6-aggregate show ddos-protection protocols bfdv6 parameters get-ddos-bfdv6-parameters show ddos-protection protocols bfdv6 statistics get-ddos-bfdv6-statistics show ddos-protection protocols bfdv6 violations get-ddos-bfdv6-violations show ddos-protection protocols bgp get-ddos-bgp-information show ddos-protection protocols bgp aggregate get-ddos-bgp-aggregate show ddos-protection protocols bgp parameters get-ddos-bgp-parameters show ddos-protection protocols bgp statistics get-ddos-bgp-statistics show ddos-protection protocols bgp violations get-ddos-bgp-violations show ddos-protection protocols bgpv6 get-ddos-bgpv6-information show ddos-protection protocols bgpv6 aggregate get-ddos-bgpv6-aggregate show ddos-protection protocols bgpv6 parameters

3944



get-ddos-bgpv6-parameters show ddos-protection protocols bgpv6 statistics get-ddos-bgpv6-statistics show ddos-protection protocols bgpv6 violations get-ddos-bgpv6-violations show ddos-protection protocols demux-autosense get-ddos-demuxauto-information show ddos-protection protocols demux-autosense aggregate get-ddos-demuxauto-aggregate show ddos-protection protocols demux-autosense parameters get-ddos-demuxauto-parameters show ddos-protection protocols demux-autosense statistics get-ddos-demuxauto-statistics show ddos-protection protocols demux-autosense violations get-ddos-demuxauto-violations show ddos-protection protocols dhcpv4 get-ddos-dhcpv4-information show ddos-protection protocols dhcpv4 ack get-ddos-dhcpv4-ack show ddos-protection protocols dhcpv4 aggregate get-ddos-dhcpv4-aggregate show ddos-protection protocols dhcpv4 bad-packets get-ddos-dhcpv4-bad-pack show ddos-protection protocols dhcpv4 bootp get-ddos-dhcpv4-bootp show ddos-protection protocols dhcpv4 decline get-ddos-dhcpv4-decline show ddos-protection protocols dhcpv4 discover get-ddos-dhcpv4-discover show ddos-protection protocols dhcpv4 force-renew get-ddos-dhcpv4-forcerenew show ddos-protection protocols dhcpv4 inform get-ddos-dhcpv4-inform show ddos-protection protocols dhcpv4 lease-active get-ddos-dhcpv4-leaseact show ddos-protection protocols dhcpv4 lease-query get-ddos-dhcpv4-leasequery show ddos-protection protocols dhcpv4 lease-unassigned get-ddos-dhcpv4-leaseuna show ddos-protection protocols dhcpv4 lease-unknown get-ddos-dhcpv4-leaseunk show ddos-protection protocols dhcpv4 nak get-ddos-dhcpv4-nak show ddos-protection protocols dhcpv4 no-message-type get-ddos-dhcpv4-no-msgtype show ddos-protection protocols dhcpv4 offer get-ddos-dhcpv4-offer show ddos-protection protocols dhcpv4 parameters get-ddos-dhcpv4-parameters show ddos-protection protocols dhcpv4 release get-ddos-dhcpv4-release show ddos-protection protocols dhcpv4 renew get-ddos-dhcpv4-renew show ddos-protection protocols dhcpv4 request get-ddos-dhcpv4-request show ddos-protection protocols dhcpv4 statistics


3945

®


get-ddos-dhcpv4-statistics show ddos-protection protocols dhcpv4 unclassified get-ddos-dhcpv4-unclass show ddos-protection protocols dhcpv4 violations get-ddos-dhcpv4-violations show ddos-protection protocols dhcpv6 get-ddos-dhcpv6-information show ddos-protection protocols dhcpv6 advertise get-ddos-dhcpv6-advertise show ddos-protection protocols dhcpv6 aggregate get-ddos-dhcpv6-aggregate show ddos-protection protocols dhcpv6 confirm get-ddos-dhcpv6-confirm show ddos-protection protocols dhcpv6 decline get-ddos-dhcpv6-decline show ddos-protection protocols dhcpv6 information-request get-ddos-dhcpv6-info-req show ddos-protection protocols dhcpv6 leasequery get-ddos-dhcpv6-leasequery show ddos-protection protocols dhcpv6 leasequery-data get-ddos-dhcpv6-leaseq-da show ddos-protection protocols dhcpv6 leasequery-done get-ddos-dhcpv6-leaseq-do show ddos-protection protocols dhcpv6 leasequery-reply get-ddos-dhcpv6-leaseq-re show ddos-protection protocols dhcpv6 parameters get-ddos-dhcpv6-parameters show ddos-protection protocols dhcpv6 rebind get-ddos-dhcpv6-rebind show ddos-protection protocols dhcpv6 reconfigure get-ddos-dhcpv6-reconfig show ddos-protection protocols dhcpv6 relay-forward get-ddos-dhcpv6-relay-for show ddos-protection protocols dhcpv6 relay-reply get-ddos-dhcpv6-relay-rep show ddos-protection protocols dhcpv6 release get-ddos-dhcpv6-release show ddos-protection protocols dhcpv6 renew get-ddos-dhcpv6-renew show ddos-protection protocols dhcpv6 reply get-ddos-dhcpv6-reply show ddos-protection protocols dhcpv6 request get-ddos-dhcpv6-request show ddos-protection protocols dhcpv6 solicit get-ddos-dhcpv6-solicit show ddos-protection protocols dhcpv6 statistics get-ddos-dhcpv6-statistics show ddos-protection protocols dhcpv6 unclassified get-ddos-dhcpv6-unclass show ddos-protection protocols dhcpv6 violations get-ddos-dhcpv6-violations show ddos-protection protocols diameter get-ddos-diameter-information show ddos-protection protocols diameter aggregate get-ddos-diameter-aggregate show ddos-protection protocols diameter parameters

3946



get-ddos-diameter-parameters show ddos-protection protocols diameter statistics get-ddos-diameter-statistics show ddos-protection protocols diameter violations get-ddos-diameter-violations show ddos-protection protocols dns get-ddos-dns-information show ddos-protection protocols dns aggregate get-ddos-dns-aggregate show ddos-protection protocols dns parameters get-ddos-dns-parameters show ddos-protection protocols dns statistics get-ddos-dns-statistics show ddos-protection protocols dns violations get-ddos-dns-violations show ddos-protection protocols dtcp get-ddos-dtcp-information show ddos-protection protocols dtcp aggregate get-ddos-dtcp-aggregate show ddos-protection protocols dtcp parameters get-ddos-dtcp-parameters show ddos-protection protocols dtcp statistics get-ddos-dtcp-statistics show ddos-protection protocols dtcp violations get-ddos-dtcp-violations show ddos-protection protocols dynamic-vlan get-ddos-dynvlan-information show ddos-protection protocols dynamic-vlan aggregate get-ddos-dynvlan-aggregate show ddos-protection protocols dynamic-vlan parameters get-ddos-dynvlan-parameters show ddos-protection protocols dynamic-vlan statistics get-ddos-dynvlan-statistics show ddos-protection protocols dynamic-vlan violations get-ddos-dynvlan-violations show ddos-protection protocols egpv6 get-ddos-egpv6-information show ddos-protection protocols egpv6 aggregate get-ddos-egpv6-aggregate show ddos-protection protocols egpv6 parameters get-ddos-egpv6-parameters show ddos-protection protocols egpv6 statistics get-ddos-egpv6-statistics show ddos-protection protocols egpv6 violations get-ddos-egpv6-violations show ddos-protection protocols eoam get-ddos-eoam-information show ddos-protection protocols eoam aggregate get-ddos-eoam-aggregate show ddos-protection protocols eoam parameters get-ddos-eoam-parameters show ddos-protection protocols eoam statistics get-ddos-eoam-statistics show ddos-protection protocols eoam violations get-ddos-eoam-violations show ddos-protection protocols esmc


3947

®


get-ddos-esmc-information show ddos-protection protocols esmc aggregate get-ddos-esmc-aggregate show ddos-protection protocols esmc parameters get-ddos-esmc-parameters show ddos-protection protocols esmc statistics get-ddos-esmc-statistics show ddos-protection protocols esmc violations get-ddos-esmc-violations show ddos-protection protocols fab-probe show ddos-protection protocols fab-probe aggregate show ddos-protection protocols fab-probe parameters show ddos-protection protocols fab-probe statistics show ddos-protection protocols fab-probe violations show ddos-protection protocols firewall-host get-ddos-fw-host-information show ddos-protection protocols firewall-host aggregate get-ddos-fw-host-aggregate show ddos-protection protocols firewall-host parameters get-ddos-fw-host-parameters show ddos-protection protocols firewall-host statistics get-ddos-fw-host-statistics show ddos-protection protocols firewall-host violations get-ddos-fw-host-violations

show ddos-protection protocols ftp get-ddos-ftp-information show ddos-protection protocols ftp aggregate get-ddos-ftp-aggregate show ddos-protection protocols ftp parameters get-ddos-ftp-parameters show ddos-protection protocols ftp statistics get-ddos-ftp-statistics show ddos-protection protocols ftp violations get-ddos-ftp-violations show ddos-protection protocols ftpv6 get-ddos-ftpv6-information show ddos-protection protocols ftpv6 aggregate get-ddos-ftpv6-aggregate show ddos-protection protocols ftpv6 parameters get-ddos-ftpv6-parameters show ddos-protection protocols ftpv6 statistics get-ddos-ftpv6-statistics show ddos-protection protocols ftpv6 violations get-ddos-ftpv6-violations show ddos-protection protocols gre get-ddos-gre-information show ddos-protection protocols gre aggregate get-ddos-gre-aggregate show ddos-protection protocols gre parameters

3948



get-ddos-gre-parameters show ddos-protection protocols gre statistics get-ddos-gre-statistics show ddos-protection protocols gre violations get-ddos-gre-violations show ddos-protection protocols icmp get-ddos-icmp-information show ddos-protection protocols icmp aggregate get-ddos-icmp-aggregate show ddos-protection protocols icmp parameters get-ddos-icmp-parameters show ddos-protection protocols icmp statistics get-ddos-icmp-statistics show ddos-protection protocols icmp violations get-ddos-icmp-violations show ddos-protection protocols icmpv6 show ddos-protection protocols icmpv6 aggregate show ddos-protection protocols icmpv6 parameters show ddos-protection protocols icmpv6 statistics show ddos-protection protocols icmpv6 violations show ddos-protection protocols igmp get-ddos-igmp-information show ddos-protection protocols igmp aggregate get-ddos-igmp-aggregate show ddos-protection protocols igmp parameters get-ddos-igmp-parameters show ddos-protection protocols igmp statistics get-ddos-igmp-statistics show ddos-protection protocols igmp violations get-ddos-igmp-violations show ddos-protection protocols igmp-snoop get-ddos-igmp-snoop-information show ddos-protection protocols igmp-snoop aggregate get-ddos-igmp-snoop-aggregate show ddos-protection protocols igmp-snoop parameters get-ddos-igmp-snoop-parameters show ddos-protection protocols igmp-snoop statistics get-ddos-igmp-snoop-statistics show ddos-protection protocols igmp-snoop violations get-ddos-igmp-snoop-violations show ddos-protection protocols igmpv4v6 get-ddos-igmpv4v6-information show ddos-protection protocols igmpv4v6 aggregate get-ddos-igmpv4v6-aggregate show ddos-protection protocols igmpv4v6 parameters get-ddos-igmpv4v6-parameters show ddos-protection protocols igmpv4v6 statistics get-ddos-igmpv4v6-statistics show ddos-protection protocols igmpv4v6 violations get-ddos-igmpv4v6-violations show ddos-protection protocols igmpv6


3949

®


get-ddos-igmpv6-information show ddos-protection protocols igmpv6 aggregate get-ddos-igmpv6-aggregate show ddos-protection protocols igmpv6 parameters get-ddos-igmpv6-parameters show ddos-protection protocols igmpv6 statistics get-ddos-igmpv6-statistics show ddos-protection protocols igmpv6 violations get-ddos-igmpv6-violations show ddos-protection protocols ip-fragments get-ddos-ip-frag-information show ddos-protection protocols ip-fragments aggregate get-ddos-ip-frag-aggregate show ddos-protection protocols ip-fragments first-fragment get-ddos-ip-frag-first-frag show ddos-protection protocols ip-fragments parameters get-ddos-ip-frag-parameters show ddos-protection protocols ip-fragments statistics get-ddos-ip-frag-statistics show ddos-protection protocols ip-fragments trail-fragment get-ddos-ip-frag-trail-frag show ddos-protection protocols ip-fragments violations get-ddos-ip-frag-violations show ddos-protection protocols ip-options get-ddos-ip-opt-information show ddos-protection protocols ip-options aggregate get-ddos-ip-opt-aggregate show ddos-protection protocols ip-options non-v4v6 show ddos-protection protocols ip-options parameters get-ddos-ip-opt-parameters show ddos-protection protocols ip-options router-alert get-ddos-ip-opt-rt-alert show ddos-protection protocols ip-options statistics get-ddos-ip-opt-statistics show ddos-protection protocols ip-options unclassified get-ddos-ip-opt-unclass show ddos-protection protocols ip-options violations get-ddos-ip-opt-violations show ddos-protection protocols ipv4-unclassified get-ddos-ipv4-uncls-information show ddos-protection protocols ipv4-unclassified aggregate get-ddos-ipv4-uncls-aggregate show ddos-protection protocols ipv4-unclassified parameters get-ddos-ipv4-uncls-parameters show ddos-protection protocols ipv4-unclassified statistics get-ddos-ipv4-uncls-statistics show ddos-protection protocols ipv4-unclassified violations get-ddos-ipv4-uncls-violations show ddos-protection protocols ipv6-unclassified get-ddos-ipv6-uncls-information show ddos-protection protocols ipv6-unclassified aggregate get-ddos-ipv6-uncls-aggregate show ddos-protection protocols ipv6-unclassified parameters get-ddos-ipv6-uncls-parameters show ddos-protection protocols ipv6-unclassified statistics

3950



get-ddos-ipv6-uncls-statistics show ddos-protection protocols ipv6-unclassified violations get-ddos-ipv6-uncls-violations show ddos-protection protocols isis get-ddos-isis-information show ddos-protection protocols isis aggregate get-ddos-isis-aggregate show ddos-protection protocols isis parameters get-ddos-isis-parameters show ddos-protection protocols isis statistics get-ddos-isis-statistics show ddos-protection protocols isis violations get-ddos-isis-violations show ddos-protection protocols jfm get-ddos-jfm-information show ddos-protection protocols jfm aggregate get-ddos-jfm-aggregate show ddos-protection protocols jfm parameters get-ddos-jfm-parameters show ddos-protection protocols jfm statistics get-ddos-jfm-statistics show ddos-protection protocols jfm violations get-ddos-jfm-violations show ddos-protection protocols l2tp get-ddos-l2tp-information show ddos-protection protocols l2tp aggregate get-ddos-l2tp-aggregate show ddos-protection protocols l2tp parameters get-ddos-l2tp-parameters show ddos-protection protocols l2tp statistics get-ddos-l2tp-statistics show ddos-protection protocols l2tp violations get-ddos-l2tp-violations show ddos-protection protocols lacp get-ddos-lacp-information show ddos-protection protocols lacp aggregate get-ddos-lacp-aggregate show ddos-protection protocols lacp parameters get-ddos-lacp-parameters show ddos-protection protocols lacp statistics get-ddos-lacp-statistics show ddos-protection protocols lacp violations get-ddos-lacp-violations show ddos-protection protocols ldp get-ddos-ldp-information show ddos-protection protocols ldp aggregate get-ddos-ldp-aggregate show ddos-protection protocols ldp parameters get-ddos-ldp-parameters show ddos-protection protocols ldp statistics get-ddos-ldp-statistics show ddos-protection protocols ldp violations get-ddos-ldp-violations show ddos-protection protocols ldpv6 get-ddos-ldpv6-information show ddos-protection protocols ldpv6 aggregate


3951

®


get-ddos-ldpv6-aggregate show ddos-protection protocols ldpv6 parameters get-ddos-ldpv6-parameters show ddos-protection protocols ldpv6 statistics get-ddos-ldpv6-statistics show ddos-protection protocols ldpv6 violations get-ddos-ldpv6-violations show ddos-protection protocols lldp get-ddos-lldp-information show ddos-protection protocols lldp aggregate get-ddos-lldp-aggregate show ddos-protection protocols lldp parameters get-ddos-lldp-parameters show ddos-protection protocols lldp statistics get-ddos-lldp-statistics show ddos-protection protocols lldp violations get-ddos-lldp-violations show ddos-protection protocols lmp get-ddos-lmp-information show ddos-protection protocols lmp aggregate get-ddos-lmp-aggregate show ddos-protection protocols lmp parameters get-ddos-lmp-parameters show ddos-protection protocols lmp statistics get-ddos-lmp-statistics show ddos-protection protocols lmp violations get-ddos-lmp-violations show ddos-protection protocols lmpv6 get-ddos-lmpv6-information show ddos-protection protocols lmpv6 aggregate get-ddos-lmpv6-aggregate show ddos-protection protocols lmpv6 parameters get-ddos-lmpv6-parameters show ddos-protection protocols lmpv6 statistics get-ddos-lmpv6-statistics show ddos-protection protocols lmpv6 violations get-ddos-lmpv6-violations show ddos-protection protocols mac-host get-ddos-mac-host-information show ddos-protection protocols mac-host aggregate get-ddos-mac-host-aggregate show ddos-protection protocols mac-host parameters get-ddos-mac-host-parameters show ddos-protection protocols mac-host statistics get-ddos-mac-host-statistics show ddos-protection protocols mac-host violations get-ddos-mac-host-violations show ddos-protection protocols mlp get-ddos-mlp-information show ddos-protection protocols mlp aggregate get-ddos-mlp-aggregate show ddos-protection protocols mlp aging-exception get-ddos-mlp-aging-exc show ddos-protection protocols mlp packets get-ddos-mlp-packets show ddos-protection protocols mlp parameters

3952



get-ddos-mlp-parameters show ddos-protection protocols mlp statistics get-ddos-mlp-statistics show ddos-protection protocols mlp unclassified get-ddos-mlp-unclass show ddos-protection protocols mlp violations get-ddos-mlp-violations show ddos-protection protocols msdp get-ddos-msdp-information show ddos-protection protocols msdp aggregate get-ddos-msdp-aggregate show ddos-protection protocols msdp parameters get-ddos-msdp-parameters show ddos-protection protocols msdp statistics get-ddos-msdp-statistics show ddos-protection protocols msdp violations get-ddos-msdp-violations show ddos-protection protocols msdpv6 get-ddos-msdpv6-information show ddos-protection protocols msdpv6 aggregate get-ddos-msdpv6-aggregate show ddos-protection protocols msdpv6 parameters get-ddos-msdpv6-parameters show ddos-protection protocols msdpv6 statistics get-ddos-msdpv6-statistics show ddos-protection protocols msdpv6 violations get-ddos-msdpv6-violations show ddos-protection protocols multicast-copy get-ddos-mcast-copy-information show ddos-protection protocols multicast-copy aggregate get-ddos-mcast-copy-aggregate show ddos-protection protocols multicast-copy parameters get-ddos-mcast-copy-parameters show ddos-protection protocols multicast-copy statistics get-ddos-mcast-copy-statistics show ddos-protection protocols multicast-copy violations get-ddos-mcast-copy-violations show ddos-protection protocols mvrp get-ddos-mvrp-information show ddos-protection protocols mvrp aggregate get-ddos-mvrp-aggregate show ddos-protection protocols mvrp parameters get-ddos-mvrp-parameters show ddos-protection protocols mvrp statistics get-ddos-mvrp-statistics show ddos-protection protocols mvrp violations get-ddos-mvrp-violations show ddos-protection protocols ntp get-ddos-ntp-information show ddos-protection protocols ntp aggregate get-ddos-ntp-aggregate show ddos-protection protocols ntp parameters get-ddos-ntp-parameters show ddos-protection protocols ntp statistics get-ddos-ntp-statistics show ddos-protection protocols ntp violations


3953

®


get-ddos-ntp-violations show ddos-protection protocols oam-lfm get-ddos-oam-lfm-information show ddos-protection protocols oam-lfm aggregate get-ddos-oam-lfm-aggregate show ddos-protection protocols oam-lfm parameters get-ddos-oam-lfm-parameters show ddos-protection protocols oam-lfm statistics get-ddos-oam-lfm-statistics show ddos-protection protocols oam-lfm violations get-ddos-oam-lfm-violations show ddos-protection protocols ospf get-ddos-ospf-information show ddos-protection protocols ospf aggregate get-ddos-ospf-aggregate show ddos-protection protocols ospf parameters get-ddos-ospf-parameters show ddos-protection protocols ospf statistics get-ddos-ospf-statistics show ddos-protection protocols ospf violations get-ddos-ospf-violations show ddos-protection protocols ospfv3v6 get-ddos-ospfv3v6-information show ddos-protection protocols ospfv3v6 aggregate get-ddos-ospfv3v6-aggregate show ddos-protection protocols ospfv3v6 parameters get-ddos-ospfv3v6-parameters show ddos-protection protocols ospfv3v6 statistics get-ddos-ospfv3v6-statistics show ddos-protection protocols ospfv3v6 violations get-ddos-ospfv3v6-violations show ddos-protection protocols parameters get-ddos-protocols-parameters show ddos-protection protocols pfe-alive get-ddos-pfe-alive-information show ddos-protection protocols pfe-alive aggregate get-ddos-pfe-alive-aggregate show ddos-protection protocols pfe-alive parameters get-ddos-pfe-alive-parameters show ddos-protection protocols pfe-alive statistics get-ddos-pfe-alive-statistics show ddos-protection protocols pfe-alive violations get-ddos-pfe-alive-violations show ddos-protection protocols pim get-ddos-pim-information show ddos-protection protocols pim aggregate get-ddos-pim-aggregate show ddos-protection protocols pim parameters get-ddos-pim-parameters show ddos-protection protocols pim statistics get-ddos-pim-statistics show ddos-protection protocols pim violations get-ddos-pim-violations

show ddos-protection protocols pimv6

3954



show ddos-protection protocols pimv6 aggregate show ddos-protection protocols pimv6 parameters show ddos-protection protocols pimv6 statistics show ddos-protection protocols pimv6 violations

show ddos-protection protocols pmvrp get-ddos-pmvrp-information show ddos-protection protocols pmvrp aggregate get-ddos-pmvrp-aggregate show ddos-protection protocols pmvrp parameters get-ddos-pmvrp-parameters show ddos-protection protocols pmvrp statistics get-ddos-pmvrp-statistics show ddos-protection protocols pmvrp violations get-ddos-pmvrp-violations show ddos-protection protocols pos get-ddos-pos-information show ddos-protection protocols pos aggregate get-ddos-pos-aggregate show ddos-protection protocols pos parameters get-ddos-pos-parameters show ddos-protection protocols pos statistics get-ddos-pos-statistics show ddos-protection protocols pos violations get-ddos-pos-violations show ddos-protection protocols ppp get-ddos-ppp-information show ddos-protection protocols ppp aggregate get-ddos-ppp-aggregate show ddos-protection protocols ppp authentication get-ddos-ppp-auth show ddos-protection protocols ppp ipcp get-ddos-ppp-ipcp show ddos-protection protocols ppp ipv6cp get-ddos-ppp-ipv6cp show ddos-protection protocols ppp isis get-ddos-ppp-isis show ddos-protection protocols ppp lcp get-ddos-ppp-lcp show ddos-protection protocols ppp mplscp get-ddos-ppp-mplscp show ddos-protection protocols ppp parameters get-ddos-ppp-parameters show ddos-protection protocols ppp statistics get-ddos-ppp-statistics show ddos-protection protocols ppp unclassified show ddos-protection protocols ppp violations get-ddos-ppp-violations show ddos-protection protocols pppoe


3955

®


get-ddos-pppoe-information show ddos-protection protocols pppoe aggregate get-ddos-pppoe-aggregate show ddos-protection protocols pppoe padi get-ddos-pppoe-padi show ddos-protection protocols pppoe padm get-ddos-pppoe-padm show ddos-protection protocols pppoe padn get-ddos-pppoe-padn show ddos-protection protocols pppoe pado get-ddos-pppoe-pado show ddos-protection protocols pppoe padr get-ddos-pppoe-padr show ddos-protection protocols pppoe pads get-ddos-pppoe-pads show ddos-protection protocols pppoe padt get-ddos-pppoe-padt show ddos-protection protocols pppoe parameters get-ddos-pppoe-parameters show ddos-protection protocols pppoe statistics get-ddos-pppoe-statistics show ddos-protection protocols pppoe violations get-ddos-pppoe-violations show ddos-protection protocols ptp get-ddos-ptp-information show ddos-protection protocols ptp aggregate get-ddos-ptp-aggregate show ddos-protection protocols ptp parameters get-ddos-ptp-parameters show ddos-protection protocols ptp statistics get-ddos-ptp-statistics show ddos-protection protocols ptp violations get-ddos-ptp-violations show ddos-protection protocols pvstp get-ddos-pvstp-information show ddos-protection protocols pvstp aggregate get-ddos-pvstp-aggregate show ddos-protection protocols pvstp parameters get-ddos-pvstp-parameters show ddos-protection protocols pvstp statistics get-ddos-pvstp-statistics show ddos-protection protocols pvstp violations get-ddos-pvstp-violations show ddos-protection protocols radius get-ddos-radius-information show ddos-protection protocols radius accounting get-ddos-radius-account show ddos-protection protocols radius aggregate get-ddos-radius-aggregate show ddos-protection protocols radius authorization get-ddos-radius-auth show ddos-protection protocols radius parameters get-ddos-radius-parameters show ddos-protection protocols radius server get-ddos-radius-server show ddos-protection protocols radius statistics

3956



get-ddos-radius-statistics show ddos-protection protocols radius violations get-ddos-radius-violations show ddos-protection protocols redirect get-ddos-redirect-information show ddos-protection protocols redirect aggregate get-ddos-redirect-aggregate show ddos-protection protocols redirect parameters get-ddos-redirect-parameters show ddos-protection protocols redirect statistics get-ddos-redirect-statistics show ddos-protection protocols redirect violations get-ddos-redirect-violations

show ddos-protection protocols reject show ddos-protection protocols reject aggregate show ddos-protection protocols reject parameters show ddos-protection protocols reject statistics show ddos-protection protocols reject violations show ddos-protection protocols rip get-ddos-rip-information show ddos-protection protocols rip aggregate get-ddos-rip-aggregate show ddos-protection protocols rip parameters get-ddos-rip-parameters show ddos-protection protocols rip statistics get-ddos-rip-statistics show ddos-protection protocols rip violations get-ddos-rip-violations show ddos-protection protocols ripv6 get-ddos-ripv6-information show ddos-protection protocols ripv6 aggregate get-ddos-ripv6-aggregate show ddos-protection protocols ripv6 parameters get-ddos-ripv6-parameters show ddos-protection protocols ripv6 statistics get-ddos-ripv6-statistics show ddos-protection protocols ripv6 violations get-ddos-ripv6-violations show ddos-protection protocols rsvp get-ddos-rsvp-information show ddos-protection protocols rsvp aggregate get-ddos-rsvp-aggregate show ddos-protection protocols rsvp parameters get-ddos-rsvp-parameters show ddos-protection protocols rsvp statistics get-ddos-rsvp-statistics show ddos-protection protocols rsvp violations get-ddos-rsvp-violations


3957

®


show ddos-protection protocols rsvpv6 get-ddos-rsvpv6-information show ddos-protection protocols rsvpv6 aggregate get-ddos-rsvpv6-aggregate show ddos-protection protocols rsvpv6 parameters get-ddos-rsvpv6-parameters show ddos-protection protocols rsvpv6 statistics get-ddos-rsvpv6-statistics show ddos-protection protocols rsvpv6 violations get-ddos-rsvpv6-violations show ddos-protection protocols sample show ddos-protection protocols sample aggregate show ddos-protection protocols sample host show ddos-protection protocols sample parameters show ddos-protection protocols sample pfe show ddos-protection protocols sample statistics show ddos-protection protocols sample syslog show ddos-protection protocols sample tap show ddos-protection protocols sample violations show ddos-protection protocols services get-ddos-services-information show ddos-protection protocols services aggregate get-ddos-services-aggregate show ddos-protection protocols services parameters get-ddos-services-parameters show ddos-protection protocols services statistics get-ddos-services-statistics show ddos-protection protocols services violations get-ddos-services-violations show ddos-protection protocols snmp get-ddos-snmp-information show ddos-protection protocols snmp aggregate get-ddos-snmp-aggregate show ddos-protection protocols snmp parameters get-ddos-snmp-parameters show ddos-protection protocols snmp statistics get-ddos-snmp-statistics show ddos-protection protocols snmp violations get-ddos-snmp-violations show ddos-protection protocols snmpv6 get-ddos-snmpv6-information show ddos-protection protocols snmpv6 aggregate get-ddos-snmpv6-aggregate show ddos-protection protocols snmpv6 parameters get-ddos-snmpv6-parameters show ddos-protection protocols snmpv6 statistics get-ddos-snmpv6-statistics show ddos-protection protocols snmpv6 violations

3958



get-ddos-snmpv6-violations show ddos-protection protocols ssh get-ddos-ssh-information show ddos-protection protocols ssh aggregate get-ddos-ssh-aggregate show ddos-protection protocols ssh parameters get-ddos-ssh-parameters show ddos-protection protocols ssh statistics get-ddos-ssh-statistics show ddos-protection protocols ssh violations get-ddos-ssh-violations show ddos-protection protocols sshv6 get-ddos-sshv6-information show ddos-protection protocols sshv6 aggregate get-ddos-sshv6-aggregate show ddos-protection protocols sshv6 parameters get-ddos-sshv6-parameters show ddos-protection protocols sshv6 statistics get-ddos-sshv6-statistics show ddos-protection protocols sshv6 violations get-ddos-sshv6-violations show ddos-protection protocols statistics get-ddos-protocols-statistics show ddos-protection protocols stp get-ddos-stp-information show ddos-protection protocols stp aggregate get-ddos-stp-aggregate show ddos-protection protocols stp parameters get-ddos-stp-parameters show ddos-protection protocols stp statistics get-ddos-stp-statistics show ddos-protection protocols stp violations get-ddos-stp-violations show ddos-protection protocols tacacs get-ddos-tacacs-information show ddos-protection protocols tacacs aggregate get-ddos-tacacs-aggregate show ddos-protection protocols tacacs parameters get-ddos-tacacs-parameters show ddos-protection protocols tacacs statistics get-ddos-tacacs-statistics show ddos-protection protocols tacacs violations get-ddos-tacacs-violations show ddos-protection protocols tcp-flags get-ddos-tcp-flags-information show ddos-protection protocols tcp-flags aggregate get-ddos-tcp-flags-aggregate show ddos-protection protocols tcp-flags established get-ddos-tcp-flags-establish show ddos-protection protocols tcp-flags initial get-ddos-tcp-flags-initial show ddos-protection protocols tcp-flags parameters get-ddos-tcp-flags-parameters show ddos-protection protocols tcp-flags statistics get-ddos-tcp-flags-statistics show ddos-protection protocols tcp-flags unclassified


3959

®


get-ddos-tcp-flags-unclass show ddos-protection protocols tcp-flags violations get-ddos-tcp-flags-violations show ddos-protection protocols telnet get-ddos-telnet-information show ddos-protection protocols telnet aggregate get-ddos-telnet-aggregate show ddos-protection protocols telnet parameters get-ddos-telnet-parameters show ddos-protection protocols telnet statistics get-ddos-telnet-statistics show ddos-protection protocols telnet violations get-ddos-telnet-violations show ddos-protection protocols telnetv6 get-ddos-telnetv6-information show ddos-protection protocols telnetv6 aggregate get-ddos-telnetv6-aggregate show ddos-protection protocols telnetv6 parameters get-ddos-telnetv6-parameters show ddos-protection protocols telnetv6 statistics get-ddos-telnetv6-statistics show ddos-protection protocols telnetv6 violations get-ddos-telnetv6-violations show ddos-protection protocols ttl get-ddos-ttl-information show ddos-protection protocols ttl aggregate get-ddos-ttl-aggregate show ddos-protection protocols ttl parameters get-ddos-ttl-parameters show ddos-protection protocols ttl statistics get-ddos-ttl-statistics show ddos-protection protocols ttl violations get-ddos-ttl-violations show ddos-protection protocols tunnel-fragment get-ddos-tun-frag-information show ddos-protection protocols tunnel-fragment aggregate get-ddos-tun-frag-aggregate show ddos-protection protocols tunnel-fragment parameters get-ddos-tun-frag-parameters show ddos-protection protocols tunnel-fragment statistics get-ddos-tun-frag-statistics show ddos-protection protocols tunnel-fragment violations get-ddos-tun-frag-violations show ddos-protection protocols unclassified show ddos-protection protocols unclassified aggregate show ddos-protection protocols unclassified parameters show ddos-protection protocols unclassified statistics show ddos-protection protocols unclassified violations show ddos-protection protocols violations get-ddos-protocols-violations show ddos-protection protocols virtual-chassis

3960



get-ddos-vchassis-information show ddos-protection protocols virtual-chassis aggregate get-ddos-vchassis-aggregate show ddos-protection protocols virtual-chassis control-high get-ddos-vchassis-control-hi show ddos-protection protocols virtual-chassis control-low get-ddos-vchassis-control-lo show ddos-protection protocols virtual-chassis parameters get-ddos-vchassis-parameters show ddos-protection protocols virtual-chassis statistics get-ddos-vchassis-statistics show ddos-protection protocols virtual-chassis unclassified get-ddos-vchassis-unclass show ddos-protection protocols virtual-chassis vc-packets get-ddos-vchassis-vc-packets show ddos-protection protocols virtual-chassis vc-ttl-errors get-ddos-vchassis-vc-ttl-err show ddos-protection protocols virtual-chassis violations get-ddos-vchassis-violations show ddos-protection protocols vrrp get-ddos-vrrp-information show ddos-protection protocols vrrp aggregate get-ddos-vrrp-aggregate show ddos-protection protocols vrrp parameters get-ddos-vrrp-parameters show ddos-protection protocols vrrp statistics get-ddos-vrrp-statistics show ddos-protection protocols vrrp violations get-ddos-vrrp-violations show ddos-protection protocols vrrpv6 get-ddos-vrrpv6-information show ddos-protection protocols vrrpv6 aggregate get-ddos-vrrpv6-aggregate show ddos-protection protocols vrrpv6 parameters get-ddos-vrrpv6-parameters show ddos-protection protocols vrrpv6 statistics get-ddos-vrrpv6-statistics show ddos-protection protocols vrrpv6 violations get-ddos-vrrpv6-violations show ddos-protection statistics get-ddos-statistics-information show ddos-protection version get-ddos-version show dhcp show dhcp relay show dhcp relay binding show dhcp relay binding interface show dhcp relay statistics show dhcp server show dhcp server binding


3961

®


show dhcp server binding interface show dhcp server statistics show dhcp statistics get-dhcp-service-statistics-information> show dhcpv6 show dhcpv6 relay show dhcpv6 relay binding show dhcpv6 relay binding interface show dhcpv6 relay statistics show dhcpv6 server show dhcpv6 server binding show dhcpv6 server binding interface show dhcpv6 server statistics show dhcpv6 statistics show diameter show diameter function show diameter function statistics show diameter instance show diameter network-element show diameter network-element map show diameter peer show diameter peer map show diameter peer statistics show diameter route show dot1x

3962



show dot1x authentication-failed-users show dot1x interface show dot1x static-mac-address show dot1x static-mac-address interface show dvmrp show dvmrp interfaces show dvmrp neighbors show dvmrp prefix show dvmrp prunes show dynamic-tunnels show dynamic-tunnels database show esis show esis adjacency show esis interface show esis statistics show event-options show event-options event-scripts show event-options event-scripts policies get-event-scripts-policies> show extension-provider show extension-provider system show extension-provider system connections show extension-provider system packages show extension-provider system processes show extension-provider system processes brief


3963

®


show extension-provider system processes extensive show extension-provider system uptime show extension-provider system virtual-memory show network-access aaa terminate-code reverse dhcp show network-access aaa terminate-code reverse l2tp show network-access aaa terminate-code reverse ppp show network-access address-assignment show network-access address-assignment pool show network-access requests show network-access requests pending show network-access requests statistics show network-access securid-node-secret-file show ntp show ntp associations


3973

®


show ntp status show oam show oam ethernet show oam ethernet connectivity-fault-management show oam ethernet connectivity-fault-management delay-statistics show oam ethernet connectivity-fault-management forwarding-state show oam ethernet connectivity-fault-management forwarding-state instance show oam ethernet connectivity-fault-management forwarding-state interface show oam ethernet connectivity-fault-management interfaces show oam ethernet connectivity-fault-management loss-statistics show oam ethernet connectivity-fault-management mep-database show oam ethernet connectivity-fault-management mep-statistics show oam ethernet connectivity-fault-management mip show oam ethernet connectivity-fault-management path-database show oam ethernet connectivity-fault-management policer show oam ethernet connectivity-fault-management sla-iterator-statistics show oam ethernet evc show oam ethernet link-fault-management show oam ethernet lmi show oam ethernet lmi statistics show ospf show ospf backup show ospf backup coverage show ospf backup lsp show ospf backup neighbor

3974



show ospf backup spf show ospf context-identifier show ospf database show ospf interface show ospf io-statistics show ospf log show ospf neighbor show ospf overview show ospf route show ospf statistics show ospf3 show ospf3 backup show ospf3 backup coverage show ospf3 backup lsp show ospf3 backup neighbor show ospf3 backup spf show ospf3 database show ospf3 interface show ospf3 io-statistics show ospf3 log


3975

®


show ospf3 neighbor show ospf3 overview show ospf3 route show ospf3 statistics show passive-monitoring show passive-monitoring error show passive-monitoring flow show passive-monitoring memory show passive-monitoring status show passive-monitoring usage show pfe show pfe cfeb show pfe feb show pfe fpc show pfe fwdd show pfe lcc show pfe next-hop show pfe pfem show pfe pfem detail show pfe pfem extensive show pfe route show pfe route clnp show pfe route clnp table show pfe route inet6 show pfe route inet6 table show pfe route ip show pfe route ip table show pfe route iso show pfe route iso table show pfe scb show pfe sfm show pfe ssb show pfe statistics show pfe statistics fabric show pfe statistics ip

3976



show pfe statistics ip6 show pfe statistics traffic show pfe statistics traffic cpu show pfe statistics traffic cpu fpe show pfe statistics traffic egress-queues show pfe statistics traffic egress-queues fpc show pfe statistics traffic multicast show pfe statistics traffic multicast fpcshow pfe statistics traffic protocol show pfe terse show pfe version brief show pfe version detail show pgm show pgm negative-acknowledgments show pgm source-path-messages show pgm statistics show pim show pim bidirectional show pim bidirectional df-election show pim bidirectional df-election interface show pim bootstrap show pim interfaces show pim join show pim mdt show pim mdt data-mdt-joins show pim mvpn show pim neighbors show pim rps show pim source


3977

®


show pim statistics show policy show policy conditions show policy damping show ppp show ppp address-pool show ppp interface show ppp statistics show ppp summary show pppoe show pppoe interfaces show pppoe lockout show pppoe service-name-tables show pppoe statistics show pppoe underlying-interfaces show pppoe version show protection-group show protection-group ethernet-aps show protection-group ethernet-ring show protection-group ethernet-ring aps show protection-group ethernet-ring data-channel show protection-group ethernet-ring interface show protection-group ethernet-ring node-state show protection-group ethernet-ring node-state show protection-group ethernet-ring statistics show protection-group ethernet-ring vlan show ptp

3978



show ptp clock get-ptp-clock> show ptp global-information get-ptp-global-information> show ptp hybrid show ptp hybrid config show ptp hybrid status show ptp last-tod-update show ptp lock-status get-ptp-lock-status> show ptp master show ptp port show ptp quality-level-mapping show ptp slave show ptp statistics show r2cp show r2cp interfaces show r2cp radio show r2cp sessions show r2cp statistics show redundant-power-system show redundant-power-system led show redundant-power-system multi-backup show redundant-power-system network show redundant-power-system power-supply show redundant-power-system status show redundant-power-system upgrade show redundant-power-system version show rip show rip general-statistics show rip neighbor show rip statistics show rip statistics peer show ripng show ripng general-statistics


3979

®


show ripng neighbor show ripng statistics show route show route export show route export instance show route localization show route export vrf-target show route flow show route flow validation show route forwarding-table show route instance show route instance operational show route martians show route resolution show route resolution summary show route resolution unresolved show route rib-groups show route snooping show route snooping summary show route summary show rsvp show rsvp interface show rsvp neighbor

3980



show rsvp session show rsvp statistics show rsvp version show sap show sap listen show services show services accounting show services accounting aggregation show services accounting aggregation as show services accounting aggregation destination-prefix show services accounting aggregation protocol-port show services accounting aggregation source-destination-prefix show services accounting aggregation source-prefix show services accounting aggregation template show services accounting errors show services accounting flow show services accounting flow-detail show services accounting memory show services accounting packet-size-distribution show services accounting status


3981

®


show services accounting usage show services alg show services alg conversations show services alg sip-globals show services alg statistics show services application-aware-access-list show services application-aware-access-list flows show services application-aware-access-list flows interface show services application-aware-access-list flows subscriber show services application-aware-access-list statistics show services application-aware-access-list statistics interface show services application-aware-access-list statistics subscriber show services application-identification show services application-identification application show services application-identification application detail show services application-identification application summary show services application-identification application-system-cache show services application-identification counter show services application-identification counter ssl-encrypted-sessions show services application-identification group show services application-identification group detail show services application-identification group summary show services application-identification statistics show services application-identification statistics application-groups show services application-identification statistics applications show services application-identification version show services border-signaling-gateway show services border-signaling-gateway accounting show services border-signaling-gateway accounting statistics show services border-signaling-gateway accounting status show services border-signaling-gateway admission-control

3982



show services border-signaling-gateway by-call-context-id show services border-signaling-gateway by-contact show services border-signaling-gateway by-request-uri show services border-signaling-gateway calls show services border-signaling-gateway calls-duration show services border-signaling-gateway calls-failed

how services border-signaling-gateway charging show services border-signaling-gateway charging statistics show services border-signaling-gateway charging status show services border-signaling-gateway denied-messages show services border-signaling-gateway embedded-spdf show services border-signaling-gateway embedded-spdf status show services border-signaling-gateway name-resolution-cache show services border-signaling-gateway name-resolution-cache all show services border-signaling-gateway name-resolution-cache by-fqdn show services border-signaling-gateway status show services captive-portal-content-delivery show services captive-portal-content-delivery pic show services captive-portal-content-delivery profile show services captive-portal-content-delivery rule show services captive-portal-content-delivery ruleset show services captive-portal-content-delivery sset show services captive-portal-content-delivery statistics show services captive-portal-content-delivery statistics interface show services cos


3983

®


show services cos statistics show services cos statistics diffserv show services cos statistics forwarding-class show services crtp show services crtp extensive show services crtp flows show services dynamic-flow-capture show services dynamic-flow-capture content-destination show services dynamic-flow-capture control-source show services dynamic-flow-capture statistics show services fips show services fips pic show services fips pic status show services flow-collector show services flow-collector file show services flow-collector input show services flow-table show services flow-table statistics show services flows show services ggsn show services ggsn diagnostics show services ggsn diagnostics pdp show services ggsn statistics

3984



show services ggsn statistics apn show services ggsn statistics charging show services ggsn statistics gtp show services ggsn statistics gtp-prime show services ggsn statistics imsi show services ggsn statistics l2tp-tunnel show services ggsn statistics msisdn show services ggsn statistics radius show services ggsn statistics sgsn show services ggsn status show services ggsn trace show services ggsn trace all show services ggsn trace imsi show services ggsn trace msisdn show services ids show services ids destination-table show services ids pair-table show services ids source-table show services inline show services inline nat show services inline nat pool show services inline nat statistics get-inline-nat-statistics-information> show services inline softwire show services inline softwire statistics


3985

®


show services ipsec-vpn show services ipsec-vpn ike show services ipsec-vpn ike security-associations show services ipsec-vpn ipsec show services ipsec-vpn ipsec security-associations show services ipsec-vpn ipsec statistics show services l2tp show services l2tp destination show services l2tp disconnect-cause-summary< show services l2tp multilink show services l2tp radius show services l2tp radius accounting show services l2tp radius accounting servers show services l2tp radius accounting statistics show services l2tp radius authentication show services l2tp radius authentication servers show services l2tp radius authentication statistics show services l2tp radius servers show services l2tp radius statistics show services l2tp session show services l2tp summary show services l2tp tunnel show services l2tp user show services link-services show services link-services cpu-usage

3986



show services local-policy-decision-function show services local-policy-decision-function flows show services local-policy-decision-function flows interface show services local-policy-decision-function flows subscriber show services local-policy-decision-function statistics show services local-policy-decision-function statistics interface show services local-policy-decision-function statistics subscriber show services logging show services logging history show services logging history client show services logging logfiles show services nat show services nat ipv6-multicast-interfaces show services nat deterministic-nat show services nat deterministic-nat internal-host show services nat deterministic-nat nat-port-block show services nat mappings show services nat mappings brief show services nat mappings detail show services nat mappings endpoint-independent show services nat mappings brief show services nat mappings detail show services nat mappings summary show services nat pool show services pgcp show services pgcp active-configuration show services pgcp active-configuration gateway show services pgcp conversations show services pgcp conversations gateway show services pgcp flows show services pgcp flows gateway


3987

®


show services pgcp gate show services pgcp gate gateway show services pgcp gates show services pgcp gates gateway show services pgcp root-termination show services pgcp root-termination gateway show services pgcp statistics show services pgcp statistics gateway show services pgcp terminations show services pgcp terminations gateway show services rpm show services rpm active-servers show services rpm history-results show services rpm probe-results show services rpm twamp show services rpm twamp server show services rpm twamp server connection show services rpm twamp server session show services server-load-balance show services server-load-balance external-manager show services server-load-balance external-manager information show services server-load-balance external-manager statistics show services server-load-balance hash-table

3988



show services server-load-balance health-monitor show services server-load-balance health-monitor information show services server-load-balance health-monitor statistics show services server-load-balance real-server show services server-load-balance real-server statistics show services server-load-balance real-server-group show services server-load-balance real-server-group information show services server-load-balance real-server-group statistics show services server-load-balance sticky show services server-load-balance virtual-server show services server-load-balance virtual-server information show services server-load-balance virtual-server statistics show services service-identification show services service-identification header-redirect show services service-identification header-redirect statistics show services service-identification statistics show services service-identification uri-redirect show services service-identification uri-redirect statistics show services service-sets show services service-sets cpu-usage show services service-sets memory-usage show services service-sets memory-usage zone show services service-sets plug-ins show services service-sets statistics show services service-sets statistics packet-drops show services service-sets statistics syslog show services service-sets statistics tcp-mss show services service-sets summary


3989

®


show services sessions show services softwire show services softwire flows show services softwire statistics

show services stateful-firewall show services stateful-firewall flow-analysis show services stateful-firewall conversations show services stateful-firewall flows show services stateful-firewall redundancy-statistics show services stateful-firewall sip-call show services stateful-firewall sip-register show services stateful-firewall statistics show services stateful-firewall statistics application-protocol show services stateful-firewall subscriber-analysis show services subscriber show services subscriber bandwidth show services subscriber bandwidth client-id show services subscriber bandwidth interface show services subscriber bandwidth ip-address show services subscriber bandwidth service-interface show services subscriber dynamic-policies show services subscriber flows show services subscriber sessions show services subscriber statistics show snmp

3990



show snmp health-monitor show snmp health-monitor alarms show snmp health-monitor logs show snmp inform-statistics show snmp mib show snmp mib get show snmp mib get-next show snmp mib walk show snmp rmon show snmp rmon alarms show snmp rmon events show snmp rmon history show snmp rmon logs show snmp statistics show snmp v3 show snmp v3 access show snmp v3 community show snmp v3 general show snmp v3 groups show snmp v3 notify


3991

®


show snmp v3 notify filter show snmp v3 target show snmp v3 target address show snmp v3 target parameters show snmp v3 users show spanning-tree show spanning-tree bridge show spanning-tree interface show spanning-tree mstp show spanning-tree mstp configuration show spanning-tree statistics show spanning-tree statistics interface show spanning-tree statistics routing-instance show static-subscribers show static-subscribers sessions show ethernet-switching table vlan v1 Ethernet-switching table: 3 unicast entries VLAN MAC address Type v1 * Flood v1 00:01:09:00:00:00 Learn v1 00:11:09:00:01:00 Learn

Meaning

Age 24 37

Interfaces All-members ge-0/0/7.0 ge-0/0/3.0

The sample output from the show configuration ethernet-switching-options command shows that the unknown unicast forwarding interface for VLAN v1 is interface ge-0/0/7. The show ethernet-switching table command shows that an unknown unicast packet is received on interface ge-0/0/3 with the destination MAC address (DMAC) 00:01:09:00:00:00 and the source MAC address (SMAC) of 00:11:09:00:01:00. This shows that the SMAC of the packet is learned in the normal way (through the interface ge-0/0/3.0), while the DMAC is learned on interface ge-0/0/7.


4015

®



•

Configuring Unknown Unicast Forwarding (CLI Procedure) on page 4013

Verifying That the Port Error Disable Setting Is Working Correctly Purpose

Action

Verify that the port error disable setting is working as expected on MAC limited, MAC move limited and rate-limited interfaces on an EX Series switch. Display information about interfaces: user@switch> show ethernet-switching interfaces Interface State VLAN members ge-0/0/0.0 up T1122 ge-0/0/1.0 down default ge-0/0/2.0 down default ge-0/0/3.0 down default ge-0/0/4.0 down default ge-0/0/5.0 down default ge-0/0/6.0 down default ge-0/0/7.0 down default ge-0/0/8.0 down default ge-0/0/9.0 up T111 ge-0/0/10.0 down default ge-0/0/11.0 down default ge-0/0/12.0 down default ge-0/0/13.0 down default ge-0/0/14.0 down default ge-0/0/15.0 down default ge-0/0/16.0 down default ge-0/0/17.0 down default ge-0/0/18.0 down default ge-0/0/19.0 up T111 ge-0/1/0.0 down default ge-0/1/1.0 down default ge-0/1/2.0 down default ge-0/1/3.0 down default

Meaning

Blocking unblocked MAC limit exceeded MAC move limit exceeded Storm control in effect unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked

The sample output from the show ethernet-switching interfaces command shows that three of the down interfaces specify the reason that the interface is disabled: •

MAC limit exceeded—The interface is temporarily disabled due to a mac-limit (Access

Port Security) error. The disabled interface is automatically restored to service when the disable-timeout expires. •

MAC move limit exceeded—The interface is temporarily disabled due to a

mac-move-limit error. The disabled interface is automatically restored to service when the disable-timeout expires. •

Storm control in efffect —The interface is temporarily disabled due to a storm-control

error. The disabled interface is automatically restored to service when the disable-timeout expires.


4016

•



CHAPTER 102

Configuration Statements for Device Security •


[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); } mac-notification { notification-interval seconds;


4017

®


} mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary; } interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip {

4018


Chapter 102: Configuration Statements for Device Security

fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


•


•


•


•


•


•


•



4019

®


•


•


•


•


•


action-shutdown Syntax Hierarchy Level Release Information Description

Default


4020

action-shutdown; [edit ethernet-switching-options storm-control]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Shut down or disable interfaces when the storm control level is exceeded, as follows: •

If you set both the action-shutdown and the port-error-disable statements, the interfaces are disabled temporarily and recover automatically when the disable timeout expires.

•

If you set the action-shutdown statement and do not the specify the port-error-disable statement, the interfaces that are enabled for storm control are shut down when the storm control level is exceeded and they do not recover automatically from that port-error condition. You must issue the clear ethernet-switching port-error command to clear the port error and restore the interfaces to service.

The action-shutdown option is not enabled. When the storm control level is exceeded, the switch drops applicable types of traffic on the specified interfaces. Depending upon the configuration, applicable traffic could include broadcast, unknown unicast, and multicast traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

port-error-disable on page 4031

•

disable-timeout on page 4022

•

clear ethernet-switching port-error

•

Example: Configuring Storm Control to Prevent Network Outages on EX Series Switches on page 4009

•






bandwidth bandwidth; [edit ethernet-switching-options storm-control interface (Storm Control) (all | interface-name)]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Configure the storm control level as the bandwidth in kilobits per second of the applicable traffic streams, as follows: •

On EX2200, EX3200, EX3300, EX4200, and EX6200 switches—Applies to the combined broadcast and unknown unicast streams by default. Storm control does not apply to multicast traffic by default on these switches. If you enable storm control for multicast traffic on a specific interface, the configured bandwidth allocation applies to the combined broadcast, unknown unicast, and multicast traffic on that interface.

•

On EX4500 and EX8200 switches—Applies to the combined broadcast, multicast, and unknown unicast streams.

NOTE: When you configure storm control bandwidth on an aggregated Ethernet interface, the storm control level for each member of the aggregated Ethernet interface is set to that bandwidth. For example, if you configure a storm control bandwidth of 15,000 Kbps on ae1, and ae1 has two members, ge-0/0/0 and ge-0/0/1, each member has a storm control level of 15,000 Kbps. Thus, the storm control level on ae1 allows a traffic rate of up to 30,000 Kbps of combined broadcast, multicast, and unknown unicast traffic.

Default

If you omit the bandwidth statement when you configure storm control on an interface, the storm control level defaults to 80 percent of the combined applicable traffic streams. Depending upon the configuration, applicable traffic could include broadcast, unknown unicast, and multicast traffic.

Options

bandwidth—Traffic rate in kilobits per second of the combined applicable traffic streams.

Range: 100 through 10000000 Default: None Required Privilege Level Related Documentation


level

•


•

Disabling or Enabling Storm Control (CLI Procedure)


4021

®



Default Options

disable-timeout timeout; [edit ethernet-switching-options port-error-disable]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Specify how long the Ethernet-switching interfaces remain in a disabled state due to the MAC limiting, MAC move liming, or storm control errors. The disable timeout is not enabled. timeout —Amount of time, in seconds, that the disabled state remains in effect. The

disabled interface is automatically restored to service when the specified timeout is reached. Range: 10 through 3600 seconds Required Privilege Level Related Documentation

4022


Configuring Port Security (CLI Procedure) on page 4133

•


•







4023

®



4024





[edit]





•


•


•


•


•


•


•


•


•


•



4025

®


interface Syntax

Hierarchy Level Release Information Description Default

Options

interface (all | interface-name) { bandwidth bandwidth; level level; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } [edit ethernet-switching-options storm-control]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Enable and configure storm control on all interfaces or on the specified interface. •

On EX2200, EX3200, EX3300, EX4200, and EX6200 switches—Storm control does not apply by default to multicast traffic. The factory default configuration enables storm control for broadcast and unknown unicast traffic on all switch interfaces, with the storm control level set to 80 percent of the combined broadcast and unknown unicast streams.

•

On EX4500 and EX8200 switches—Storm control applies to broadcast, multicast, and unknown unicast traffic. The factory default configuration enables storm control on all switch interfaces, with the storm control level set to 80 percent of the combined broadcast, multicast, and unknown unicast streams.

all—All interfaces. The storm control settings configured with the all option affect only

those interfaces that have not been individually configured for storm control. interface-name—Name of an interface. The storm control settings configured with the interface-name option override any settings configured with the all option.


4026



•





Release Information Description Required Privilege Level Related Documentation

interface interface-name; [edit ethernet-switching-options unknown-unicast-forwarding vlan (Unknown Unicast Forwarding)(all|vlan-name)]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the interface to which unknown unicast packets will be forwarded. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•


no-broadcast Syntax Hierarchy Level

Release Information Description Default Required Privilege Level Related Documentation

no-broadcast; [edit ethernet-switching-options storm-control interface (Storm Control) (all | interface-name)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Disable storm control for broadcast traffic for the specified interface or for all interfaces. Storm control is enabled for broadcast traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•



4027

®


no-multicast Syntax Hierarchy Level


Default


4028

no-multicast; [edit ethernet-switching-options storm-control interface (Storm Control) (all | interface-name)]

Statement introduced in Junos OS Release 10.3 for EX Series switches. Disable storm control for all multicast traffic (both registered multicast and unregistered multicast) for the specified interface or for all interfaces. •

On EX2200, EX3200, EX3300, and EX4200 switches—The factory default configuration enables storm control on all interfaces at 80 percent of the combined unknown unicast, unregistered multicast, and broadcast traffic.

•

On EX4500 and EX8200 switches—The factory default configuration enables storm control on all interfaces at 80 percent of the combined broadcast, multicast, and unknown unicast streams. On EX8200 switches, you can selectively disable storm control on registered multicast traffic, on unregistered multicast traffic, or on both types of multicast traffic.

•

On EX6200 switches—The factory default configuration enables storm control on all interfaces at 80 percent of the combined unknown unicast, and broadcast traffic. Storm-control can be disabled for each type of traffic individually.


no-registered-multicast on page 4029

•

no-unregistered-multicast on page 4030

•




no-registered-multicast Syntax Hierarchy Level


Default


no-registered-multicast; [edit ethernet-switching-options storm-control interface (Storm Control) (all | interface-name)]

Statement introduced in Junos OS Release 10.3 for EX Series switches. (EX8200 switches only) Disable storm control for registered multicast traffic for the specified interface or for all interfaces. Storm control is enabled for unknown unicast traffic, multicast traffic, and broadcast traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

no-multicast on page 4028

•

no-unregistered-multicast on page 4030

•


no-unknown-unicast Syntax Hierarchy Level



no-unknown-unicast; [edit ethernet-switching-options storm-control interface (Storm Control) (all | interface-name)]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Disable storm control for unknown unicast traffic for the specified interface or for all interfaces. Storm control is enabled for unknown unicast traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•



4029

®


no-unregistered-multicast Syntax Hierarchy Level


Default


4030

no-unregistered-multicast; [edit ethernet-switching-options storm-control interface (Storm Control) (all | interface-name)]

Statement introduced in Junos OS Release 10.3 for EX Series switches. (EX8200 switches only) Disable storm control for unregistered multicast traffic for the specified interface or for all interfaces. Storm control is enabled for unknown unicast traffic, multicast traffic, and broadcast traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •

no-multicast on page 4028

•

no-registered-multicast on page 4029

•




port-error-disable Syntax


port-error-disable { disable-timeout timeout ; } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Disable rather than block an interface when enforcing MAC limiting, MAC move limiting, and rate-limiting configuration options for shutting down the interface, and allow the interface to recover automatically from the error condition after a specified period of time: •

If you have enabled mac-limit (Access Port Security) with the shutdown option and enable port-error-disable, the switch disables (rather than shuts down) the interface when the MAC address limit is reached.

•

If you have enabled mac-move-limit with the shutdown option and you enable port-error-disable, the switch disables (rather than shuts down) the interface when the maximum number of moves to a new interface is reached.

•

If you have enabled storm-control with the action-shutdown option and you enable port-error-disable, the switch disables (rather than shuts down) the interface when applicable traffic exceeds the specified levels. Depending upon the configuration, applicable traffic could include broadcast, unknown unicast, and multicast traffic.

NOTE: The port-error-disable configuration does not apply to pre-existing error conditions. It impacts only error conditions that are detected after port-error-disable has been enabled and committed. To clear a pre-existing error condition and restore the interface to service, use the clear ethernet-switching port-error command.


Not enabled. system—To view this statement in the configuration. system–control—To add this statement to the configuration. •

action-shutdown on page 4020

•


•


•



4031

®


storm-control Syntax


storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.1 for EX Series switches. Configure storm control on the switch. The remaining statements are explained separately.


4032



•




unknown-unicast-forwarding Syntax


unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name){ interface (Unknown Unicast Forwarding) interface-name; } } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure the switch to forward all unknown unicast packets in a VLAN or on all VLANs to a particular interface.

NOTE: Before you can configure unknown unicast forwarding within a VLAN, you must first configure that VLAN.


Unknown unicast packets are flooded to all interfaces that belong to the same VLAN. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•



4033

®


vlan Syntax

Hierarchy Level

vlan (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } [edit ethernet-switching-options unknown-unicast-forwarding]

Release Information

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement updated with enhanced ? (CLI completion feature) functionality in Junos OS Release 9.5 for EX Series switches.

Description

Specify a VLAN from which unknown unicast packets will be forwarded or specify that the packets will be forwarded from all VLANS. Unknown unicast packets are forwarded from a VLAN to a specific trunk interface. The interface statement is explained separately.


Options

all—All VLANs. vlan-name—Name of a VLAN.


4034



•


•


•

Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 4015

•



CHAPTER 103

Operational Commands for Device Security


4035

®



Release Information




•


•





view

•


•


•




Output Fields


4036


Chapter 103: Operational Commands for Device Security


Field Description

Level of Output

Interface



Index


detail

State


none, brief, detail

Port mode


detail



detail



detail

VLAN membership



Tag



Tagging



Blocking



•


•


•




•


error. •








4037

®



Field Description

Level of Output



detail

mapping


detail

•


bundling). •


S-VLAN. •


•


•





State



ge-0/0/15.0

up

ge-0/0/16.0 ge-0/0/17.0

down down

VLAN members

Tag


300

100 200 100 200 100

vlan200


4038

200

Tagging

Blocking




up

vlan100 vlan200

100 200

tagged tagged
















4039

®



Release Information

Description Options









4040

view

•


•


•


•








Field Description

Level of Output

VLAN

The name of a VLAN.

All levels

Tag


extensive

MAC or MAC address


All levels

Type



•


•


address. •


•





•


persistent-mac



All levels

Interfaces


All levels

Learned


detail, extensive

Nexthop index


detail, extensive

persistent-mac




4041

®






4042







0 0 0






4043

®




4044


MAC address 00:10:94:00:05:02 00:10:94:00:06:03 00:10:94:00:07:04



PART 21

Port Security •


•

Examples: Port Security Configuration on page 4073

•

Configuring Port Security on page 4133

•

Verifying Port Security on page 4165

•

Troubleshooting Port Security on page 4177

•

Configuration Statements for Port Security on page 4179

•

Operational Commands for Port Security on page 4221


4045

®


4046


CHAPTER 104

Port Security Overview •


•

Understanding How to Protect Access Ports on EX Series Switches from Common Attacks on page 4049

•

Understanding DHCP Snooping for Port Security on page 4052

•

Understanding DAI for Port Security on page 4059

•

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches on page 4061

•

Understanding Trusted DHCP Servers for Port Security on page 4063

•


•

Understanding IP Source Guard for Port Security on EX Series Switches on page 4067

•


Port Security Overview Ethernet LANs are vulnerable to attacks such as address spoofing (forging) and Layer 2 denial of service (DoS) on network devices. Port security features help protect the access ports on your switch against the losses of information and productivity that can result from such attacks. Juniper OS provides features to help secure ports on the switch. The ports can be categorized as either trusted or untrusted. You apply policies appropriate to those categories to protect against various types of attacks. Port security features can be turned on to obtain the most robust port security level. Basic port security features are enabled in the switch's default configuration. You can configure additional features with minimal configuration steps. Depending on the particular feature, you can configure the port security feature either on: •

VLANs—A specific VLAN or all VLANs

•

Interfaces—A specific interface or all interfaces


4047

®


NOTE: If you configure one of the port security features on all VLANs or all interfaces, the switch software enables that port security feature on all VLANs and all interfaces that are not explicitly configured with other port security features. However, if you do explicitly configure one of the port security features on a specific VLAN or on a specific interface, you must explicitly configure any additional port security features that you want to apply to that VLAN or interface. Otherwise, the switch software automatically applies the default values for the feature. For example, if you enable DHCP snooping on all VLANs and decide to explicitly enable IP source guard (not supported on the QFX Series switch) only on a specific VLAN, you must also explicitly enable DHCP snooping on that specific VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.

Port security features on switches are: •

DHCP option 82—Also known as the DHCP relay agent information option. Helps protect the switch against attacks such as spoofing of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client.

•

DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP address/MAC address binding database (called the DHCP snooping database). You enable this feature on VLANs.

•

Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. You enable this feature on VLANs.

•

IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet LAN. With IP source guard enabled, the source IP address in the packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is forwarded if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded. You enable this feature on VLANs.

NOTE: IP source guard is not supported on the QFX Series.

4048

•

MAC limiting—Protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on access interfaces (ports).

•

MAC move limiting—Detects MAC movement and MAC spoofing on access ports. You enable this feature on VLANs.


Chapter 104: Port Security Overview


•

Persistent MAC learning—Also known as sticky MAC. Allows dynamically learned MAC addresses to be retained on an interface across restarts of the switch. You enable this feature on interfaces.

•

Trusted DHCP server—With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases. You enable this feature on interfaces (ports). By default, access ports are untrusted, and trunk ports are trusted. (Access ports are the switch ports that connect to Ethernet endpoints such as user PCs and laptops, servers, and printers. Trunk ports are the switch ports that connect to other Ethernet switches or to routers.)

•


•


•


•


•


•


•


•


•

Example: Configuring Basic Port Security Features on page 4073

Understanding How to Protect Access Ports on EX Series Switches from Common Attacks Port security features can protect the Juniper Networks EX Series Ethernet Switch against various types of attacks. Protection methods against some common attacks are: •

Mitigation of Ethernet Switching Table Overflow Attacks on page 4049

•

Mitigation of Rogue DHCP Server Attacks on page 4050

•

Protection Against ARP Spoofing Attacks on page 4050

•

Protection Against DHCP Snooping Database Alteration Attacks on page 4051

•

Protection Against DHCP Starvation Attacks on page 4051

Mitigation of Ethernet Switching Table Overflow Attacks In an overflow attack on the Ethernet switching table, an intruder sends so many requests from new MAC addresses that the table cannot learn all the addresses. When the switch can no longer use information in the table to forward traffic, it is forced to broadcast messages. Traffic flow on the switch is disrupted, and packets are sent to all hosts on the network. In addition to overloading the network with traffic, the attacker might also be able to sniff that broadcast traffic.


4049

®


To mitigate such attacks, configure both a MAC limit for learned MAC addresses and some specific allowed MAC addresses. Use the MAC limiting feature to control the total number of MAC addresses that can be added to the Ethernet switching table for the specified interface or interfaces. By setting the MAC addresses that are explicitly allowed, you ensure that the addresses of network devices whose network access is critical are guaranteed to be included in the Ethernet switching table. See “Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks” on page 4080.

NOTE: You can also configure learned MAC addresses to persist on each interface. Used in combination with a configured MAC limit, this persistent MAC learning helps prevent traffic loss after a restart or an interface-down event and also increases port security by limiting the MAC addresses allowed on the interface.

Mitigation of Rogue DHCP Server Attacks If an attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server on the LAN, the rogue server can start issuing leases to the network's DHCP clients. The information provided to the clients by this rogue server can disrupt their network access, causing DoS. The rogue server might also assign itself as the default gateway device for the network. The attacker can then sniff the network traffic and perpetrate a man-in-the-middle attack—that is, it misdirects traffic intended for a legitimate network device to a device of its choice. To mitigate a rogue DHCP server attack, set the interface to which that rogue server is connected as untrusted. That action will block all ingress DHCP server messages from that interface. See “Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks” on page 4084.

NOTE: The switch logs all DHCP server packets that are received on untrusted ports—for example: 5 untrusted DHCPOFFER received, interface ge-0/0/0.0[65], vlan v1[10] server ip/mac 12.12.12.1/00:00:00:00:01:12 offer ip/client mac 12.12.12.253/00:AA:BB:CC:DD:01

You can use these messages to detect malicious DHCP servers on the network.

Protection Against ARP Spoofing Attacks In ARP spoofing, an attacker sends faked ARP messages on the network. The attacker associates its own MAC address with the IP address of a network device connected to the switch. Any traffic sent to that IP address is instead sent to the attacker. Now the attacker can create various types of mischief, including sniffing the packets that were meant for another host and perpetrating man-in-the middle attacks. (In a

4050



man-in-the-middle attack, the attacker intercepts messages between two hosts, reads them, and perhaps alters them, all without the original hosts knowing that their communications have been compromised. ) To protect against ARP spoofing on your switch, enable both DHCP snooping and dynamic ARP inspection (DAI). DHCP snooping builds and maintains the DHCP snooping table. That table contains the MAC addresses, IP addresses, lease times, binding types, VLAN information, and interface information for the untrusted interfaces on the switch. DAI uses the information in the DHCP snooping table to validate ARP packets. Invalid ARP packets are blocked and, when they are blocked, a system log message is recorded that includes the type of ARP packet and the sender’s IP address and MAC address. See “Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks” on page 4091.

Protection Against DHCP Snooping Database Alteration Attacks In an attack designed to alter the DHCP snooping database, an intruder introduces a DHCP client on one of the switch's untrusted access interfaces that has a MAC address identical to that of a client on another untrusted port. The intruder acquires the DHCP lease, which results in changes to the entries in the DHCP snooping table. Subsequently, what would have been valid ARP requests from the legitimate client are blocked. To protect against this type of alteration of the DHCP snooping database, configure MAC addresses that are explicitly allowed on the interface. See “Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks” on page 4095.

Protection Against DHCP Starvation Attacks In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests from spoofed (counterfeit) MAC addresses so that the switch's trusted DHCP servers cannot keep up with requests from legitimate DHCP clients on the switch. The address space of those servers is completely used up, so they can no longer assign IP addresses and lease times to clients. DHCP requests from those clients are either dropped—that is, the result is a denial of service (DoS)—or directed to a rogue DHCP server set up by the attacker to impersonate a legitimate DHCP server on the LAN. To protect the switch from DHCP starvation attacks, use the MAC limiting feature. Specify the maximum number of MAC addresses that the switch can learn on the access interfaces to which those clients connect. The switch's DHCP server or servers will then be able to supply the specified number of IP addresses and leases to those clients and no more. If a DHCP starvation attack occurs after the maximum number of IP addresses has been assigned, the attack will fail. See “Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks” on page 4088.


4051

®


NOTE: For additional protection, you can configure learned MAC addresses on each interface to persist across restarts of the switch by enabling persistent MAC learning. This persistent MAC learning both helps to prevent traffic loss after a restart and ensures that even after a restart or an interface-down event, the persistent MAC addresses are re-entered into the forwarding database rather than the switch learning new MAC addresses.


•


•


•


•


•


•

Configuring Port Security (J-Web Procedure) on page 4136

Understanding DHCP Snooping for Port Security DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. When DHCP snooping is enabled, the system snoops the DHCP messages to view DHCP lease information and build and maintain a database of valid IP address to MAC address (IP-MAC) bindings called the DHCP snooping database. Only clients with valid bindings are allowed access to the network. •

DHCP Snooping Basics on page 4052

•

DHCP Snooping Process on page 4053

•

DHCP Server Access on page 4054

•

DHCP Snooping Table on page 4057

•

Static IP Address Additions to the DHCP Snooping Database on page 4057

•

Snooping DHCP Packets That Have Invalid IP Addresses on page 4057

•

Prioritizing Snooped Packets on page 4058

DHCP Snooping Basics Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically, “leasing” addresses to devices so that the addresses can be reused when no longer needed. Hosts and end devices that require IP addresses obtained through DHCP must communicate with a DHCP server across the LAN. DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server (the server is connected to a trusted network port). By default, all trunk ports on the switch are trusted and all access ports are untrusted for DHCP snooping. You can modify these defaults on each of the switch's interfaces.

4052



When DHCP snooping is enabled, the lease information from the switch (which is a DHCP client) is used to create the DHCP snooping database, a mapping of IP address to VLAN–MAC-address pairs. For each VLAN–MAC-address pair, the database stores the corresponding IP address. Entries in the DHCP database are updated in these events: •

When a DHCP client releases an IP address (sends a DHCPRELEASE message), the associated mapping entry is deleted from the database.

•

If you move a network device from one VLAN to another, typically the device has to acquire a new IP address, so its entry in the database, including the VLAN ID, is updated.

•

When the lease time (timeout value) assigned by the DHCP server expires, the associated entry is deleted from the database.

TIP: By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. However, you can configure the bindings to persist by setting the dhcp-snooping-file statement to store the database file either locally or remotely.

You can configure the switch to snoop DHCP server responses only from particular VLANs. Doing this prevents spoofing of DHCP server messages. You configure DHCP snooping per VLAN, not per interface (port). By default, DHCP snooping is disabled for all VLANs. You can enable DHCP snooping on all VLANs or on specific VLANs.

NOTE: If you configure DHCP for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.

TIP: For private VLANs (PVLANs), enable DHCP snooping on the primary VLAN. If you enable DHCP snooping only on a community VLAN, DHCP messages coming from PVLAN trunk ports are not snooped.

DHCP Snooping Process The basic process of DHCP snooping entails the following steps: 1.

Device sends DHCPDISCOVER to request IP address.

2. Switch forwards the packet to the DHCP server. 3. Server sends DHCPOFFER to offer an address. If the DHCPOFFER is from a trusted

interface, switch forwards the packet to the DHCP client.


4053

®


4. Device sends DHCPREQUEST to accept the IP address. Switch snoops this packet

and adds IP-MAC placeholder binding to the database. The entry is considered a placeholder until a DHCPACK is received from the server. Until then, the IP address could still be assigned to some other host. 5. Server sends DHCPACK to assign the IP address or DHCPNAK to deny the address

request. 6. Switch updates the DHCP database in accordance with the type of packet received: •

Upon receipt of DHCPACK, switch updates lease information for the IP-MAC binding in its database.

•

Upon receipt of DHCPNACK, switch deletes the placeholder.

NOTE: DHCPDISCOVER and DHCPOFFER packets are not snooped. The DHCP database is updated only after the DHCPREQUEST packet has been sent.

For general information about the messages that the DHCP client and DHCP server exchange during the assignment of an IP address for the client, see the Junos OS System Basics Configuration Guide.

DHCP Server Access Switch access to the DHCP server can be configured in three ways: •

Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN on page 4054

•

Switch Acts as DHCP Server on page 4055

•

Switch Acts as Relay Agent on page 4056

Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN When the switch, DHCP clients, and DHCP server are all members of the same VLAN, the DHCP server can be connected to the switch in one of two ways:

4054

•

The server is directly connected to the same switch as the one connected to the DHCP clients (the hosts, or network devices, that are requesting IP addresses from the server). You must configure the port that connects the server to the switch as a trusted port. See Figure 110 on page 4055.

•

The server is directly connected to a switch that is itself directly connected through a trunk port to the switch that the DHCP clients are connected to. The trunk port is configured by default as a trusted port. The switch that the DHCP server is connected to is not configured for DHCP snooping. See Figure 111 on page 4055—in the figure, ge-0/0/11 is a trusted trunk port.



Figure 110: DHCP Server Connected Directly to Switch

Figure 111: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to Switch 1 Through a Trusted Trunk Port

Switch Acts as DHCP Server

NOTE: This is not supported on the QFX Series switch.


4055

®


The switch itself is configured as a DHCP server; this is known as a “local” configuration. See Figure 112 on page 4056.

Figure 112: Switch Is the DHCP Server

Switch Acts as Relay Agent The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface (on the switch, these interfaces are configured as routed VLAN interfaces, or RVIs). These trunk interfaces are trusted by default. These two scenarios illustrate the switch acting as a relay agent:

4056

•

The DHCP server and clients are in different VLANs.

•

The switch is connected to a router that is in turn connected to the DHCP server. See Figure 113 on page 4057.



Figure 113: Switch Acting as Relay Agent Through Router to DHCP Server

DHCP Snooping Table The software creates a DHCP snooping information table that displays the content of the DHCP snooping database. The table shows current IP-MAC bindings, as well as lease time, type of binding, names of associated VLANs, and associated interface. To view the table, type show dhcp snooping binding at the operational mode prompt: user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) 00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720

Type dynamic dynamic dynamic

VLAN employee employee employee

Interface ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0

Static IP Address Additions to the DHCP Snooping Database You can add specific static IP addresses to the database as well as have the addresses dynamically assigned through DHCP snooping. To add static IP addresses, you supply the IP address, the MAC address of the device, the interface on which the device is connected, and the VLAN with which the interface is associated. No lease time is assigned to the entry. The statically configured entry never expires.

Snooping DHCP Packets That Have Invalid IP Addresses If you enable DHCP snooping on a VLAN and then devices on that VLAN send DHCP packets that request invalid IP addresses, these invalid IP addresses will be stored in the DHCP snooping database until they are deleted when their default timeout is reached. To eliminate this unnecessary consumption of space in the DHCP snooping database,


4057

®


the switch drops the DCHP packets that request invalid IP addresses, preventing the snooping of these packets. The invalid IP addresses are: •

0.0.0.0

•

128.0.x.x

•

191.255.x.x

•

192.0.0.x

•

223.255.255.x

•

224.x.x.x

•

240.x.x.x to 255.255.255.255

Prioritizing Snooped Packets NOTE: This is not supported on the QFX Series.

You can use CoS forwarding classes and queues to prioritize DHCP snooped packets for a specified VLAN. This type of configuration places the DHCP snooped packets for that VLAN in the desired egress queue, so that the security procedure does not interfere with the transmittal of high-priority traffic. Related Documentation

4058

•


•


•


•

Understanding DHCP Option 82 for Port Security

•


•


•


•

Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic on page 4127

•

Enabling DHCP Snooping (CLI Procedure) on page 4138 and Enabling DHCP Snooping (J-Web Procedure) on page 4140

•




Understanding DAI for Port Security Dynamic ARP inspection (DAI) protects switches against ARP spoofing. DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP cache poisoning. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address to entries in the database. If the MAC address or IP address in an ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped. ARP packets are sent to the Routing Engine and are rate-limited to protect the switch from CPU overload. •

Address Resolution Protocol on page 4059

•

ARP Spoofing on page 4059

•

Dynamic ARP Inspection (DAI) on page 4060

•

Prioritizing Inspected Packets on page 4060

Address Resolution Protocol Sending IP packets on a multiaccess network requires mapping an IP address to an Ethernet media access control (MAC) address. Ethernet LANs use Address Resolution Protocol (ARP) to map MAC addresses to IP addresses. The switch maintains this mapping in a cache that it consults when forwarding packets to network devices. If the ARP cache does not contain an entry for the destination device, the host (the DHCP client) broadcasts an ARP request for that device's address and stores the response in the cache.

ARP Spoofing ARP spoofing (also known as ARP poisoning or ARP cache poisoning) is one way to initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the MAC address of another device on the LAN. Instead of the switch sending traffic to the proper network device, it sends it to the device with the spoofed address that is impersonating the proper device. If the impersonating device is the attacker's machine, the attacker receives all the traffic from the switch that should have gone to another device. The result is that traffic from the switch is misdirected and cannot reach its proper destination. One type of ARP spoofing is gratuitous ARP, which is when a network device sends an ARP request to resolve its own IP address. In normal LAN operation, gratuitous ARP messages indicate that two devices have the same MAC address. They are also broadcast when a network interface card (NIC) in a device is changed and the device is rebooted, so that other devices on the LAN update their ARP caches. In malicious situations, an


4059

®


attacker can poison the ARP cache of a network device by sending an ARP response to the device that directs all packets destined for a certain IP address to go to a different MAC address instead. To prevent MAC spoofing through gratuitous ARP and through other types of spoofing, the switches examine ARP responses through DAI.

Dynamic ARP Inspection (DAI) DAI examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the database corresponds to the information in the ARP packet, DAI drops the ARP packet and the local ARP cache is not updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is invalid. Junos OS for EX Series switches and the QFX Series uses DAI for ARP packets received on access ports because these ports are untrusted by default. Trunk ports are trusted by default, so ARP packets bypass DAI on them. You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. You can set an interface to be trusted for ARP packets by setting dhcp-trusted on that port. For packets directed to the switch to which a network device is connected, ARP queries are broadcast on the VLAN. The ARP responses to those queries are subjected to the DAI check. For DAI, all ARP packets are trapped to the Routing Engine. To prevent CPU overloading, ARP packets destined for the Routing Engine are rate-limited. If the DHCP server goes down and the lease time for an IP-MAC entry for a previously valid ARP packet runs out, that packet is blocked.

Prioritizing Inspected Packets NOTE: This is not supported on the QFX Series.

You can use CoS forwarding classes and queues to prioritize DAI packets for a specified VLAN. This type of configuration places inspected packets for that VLAN in the desired egress queue, ensuring that the security procedure does not interfere with the transmittal of high-priority traffic. Related Documentation

4060

•


•


•


•

Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch on page 4098



•

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 4091

•


•

Enabling Dynamic ARP Inspection (CLI Procedure) on page 4142

•

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 4144

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on access interfaces. You enable this feature on VLANs. •

MAC Limiting on page 4061

•

MAC Move Limiting on page 4062

•

Actions for MAC Limiting and MAC Move Limiting on page 4062

•

MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 4062

MAC Limiting MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface or on all the Layer 2 access interfaces on the switch, or on a specific VLAN. Junos operating system (Junos OS) provides two MAC limiting methods: •

Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface or per VLAN. When the limit is exceeded, incoming packets with new MAC addresses are treated as specified by the MAC limit configuration. The incoming packets with new MAC addresses can be ignored, dropped, logged, or the interface can be shut down or temporarily disabled. Static MAC addresses do not count toward the limit you specify for dynamic MAC addresses. You can also configure the learned MAC addresses on an interface to persist across restarts of the switch by enabling persistent MAC learning; see “Understanding Persistent MAC Learning (Sticky MAC)” on page 4070.

•

Allowed MAC—You configure specific “allowed” MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned and the switch logs the message. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.


4061

®


NOTE: If you do not want the switch to log messages received for invalid MAC addresses on an interface that has been configured for specific “allowed” MAC addresses, you can disable the logging by configuring the no-allowed-mac-log statement.

MAC Move Limiting MAC move limiting causes the switch to track the number of times a MAC address can move to a new interface (port). It can help to prevent MAC spoofing, and it can also detect and prevent loops. If a MAC address moves more than the configured number of times within one second, the switch performs the configured action. You can configure MAC move limiting to apply to all VLANs or to a specific VLAN.

Actions for MAC Limiting and MAC Move Limiting You can choose to have one of the following actions performed when the limit of MAC addresses or the limit of MAC moves is exceeded: •

drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

This is the default. •

log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log

entry. •

none—Take no action.

•

shutdown—Disable the interface and generate an alarm. If you have configured the

switch with the port-error-disable statement, the disabled interface or VLAN recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command. See descriptions of results of these various action settings in “Verifying That MAC Limiting Is Working Correctly” on page 4169. If you have set a MAC limit to apply to all interfaces on the switch, you can override that setting for a particular interface by specifying action none. See “Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure)” on page 4153.

MAC Addresses That Exceed the MAC Limit or MAC Move Limit If you have configured the port-error-disable statement, you can view which interfaces are temporarily disabled due to exceeding the MAC limit or MAC move limit in the output for the show ethernet-switching interfaces command.

4062



The log messages that indicate the MAC limit or MAC move limit has been exceeded include the offending MAC addresses that have exceeded the limit. See “Troubleshooting Port Security” on page 4177 for details. Related Documentation

•


•

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 4080

•

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 4088

•

Configuring MAC Limiting (CLI Procedure) on page 4145

•

Configuring MAC Limiting (J-Web Procedure) on page 4147

•


•

no-allowed-mac-log on page 4202

Understanding Trusted DHCP Servers for Port Security Any interface on the switch that connects to a DHCP server can be configured as a trusted port. Configuring a DHCP server on a trusted port protects against rogue DHCP servers sending leases. Ensure that the DHCP server interface is physically secure—that is, that access to the server is monitored and controlled at the site—before you configure the port as trusted. Related Documentation

•


•


•

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 4084

•

Enabling a Trusted DHCP Server (CLI Procedure) on page 4141

•

Enabling a Trusted DHCP Server (J-Web Procedure) on page 4142


4063

®


Understanding DHCP Option 82 for Port Security on EX Series Switches You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Hosts on untrusted access interfaces on Ethernet LAN switches send requests for IP addresses in order to access the Internet. The switch forwards or relays these requests to DHCP servers, and the servers send offers for IP address leases in response. Attackers can use these messages to perpetrate address spoofing and starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. The Juniper Networks Junos operating system (Junos OS) implementation of DHCP option 82 supports RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.


DHCP Option 82 Processing on page 4064

•

Suboption Components of Option 82 on page 4065

•

Configurations of the EX Series Switch That Support Option 82 on page 4065

DHCP Option 82 Processing If DHCP option 82 is enabled on the switch, then when a network device—a DHCP client—that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to implement the IP address or another parameter for the client. See “Suboption Components of Option 82” on page 4065 for details about option 82 information. You can enable DHCP option 82 on a single VLAN or on all VLANs on the switch. You can also configure it on Layer 3 interfaces (in routed VLAN interfaces, or RVIs) when the switch is functioning as a relay agent. When option 82 is enabled on the switch, then this sequence of events occurs when a DHCP client sends a DHCP request: 1.

The switch receives the request and inserts the option 82 information in the packet header.

2. The switch forwards or relays the request to the DHCP server. 3. The server uses the DHCP option 82 information to formulate its reply and sends a

response back to the switch. It does not alter the option 82 information. 4. The switch strips the option 82 information from the response packet. 5. The switch forwards the response packet to the client.

4064



NOTE: To use the DHCP option 82 feature, you must ensure that the DHCP server is configured to accept option 82. If it is not configured to accept option 82, then when it receives requests containing option 82 information, it does not use the information in setting parameters and it does not echo the information in its response message. For detailed information about configuring DHCP services, see the Junos OS System Basics Configuration Guide. The configuration for DHCP service on the Juniper Networks EX Series Ethernet Switch includes the dhcp statement at the [edit system services] hierarchy level.

Suboption Components of Option 82 Option 82 as implemented on the EX Series switch comprises the suboptions circuit ID, remote ID, and vendor ID. These suboptions are fields in the packet header: •

circuit ID—Identifies the circuit (interface and/or VLAN) on the switch on which the request was received. The circuit ID contains the interface name and/or VLAN name, with the two elements separated by a colon—for example, ge-0/0/10:vlan1, where ge-0/0/10 is the interface name and vlan1 is the VLAN name. If the request packet is received on a Layer 3 interface, the circuit ID is just the interface name—for example, ge-0/0/10. Use the prefix option to add an optional prefix to the circuit ID. If you enable the prefix option, the hostname for the switch is used as the prefix; for example, switch1:ge-0/0/10:vlan1, where switch1 is the hostname. You can also specify that the interface description be used rather than the interface name and/or that the VLAN ID be used rather than the VLAN name.

•

remote ID—Identifies the host. By default, the remote ID is the MAC address of the switch. You can specify that the remote ID be the hostname of the switch, the interface description, or a character string of your choice. You can also add an optional prefix to the remote ID.

•

vendor ID—Identifies the vendor of the host. If you specify the vendor-id option but do not enter a value, the default value Juniper is used. To specify a value, you type a character string.

Configurations of the EX Series Switch That Support Option 82 Configurations of the EX Series switch that support option 82 are: •

Switch and Clients Are on Same VLAN as DHCP Server on page 4065

•

Switch Acts as Relay Agent on page 4066

Switch and Clients Are on Same VLAN as DHCP Server If the DHCP clients, the switch, and the DHCP server are all on the same VLAN, the switch forwards the requests from the clients on untrusted access interfaces to the server on a trusted interface. See Figure 114 on page 4066.


4065

®


Figure 114: DHCP Clients, Switch, and DHCP Server Are All on Same VLAN

For the configuration shown in Figure 114 on page 4066, you set DHCP option 82 at the [edit ethernet-switching-options secure-access-port vlan] hierarchy level.

Switch Acts as Relay Agent The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. Figure 115 on page 4067 illustrates a scenario for the switch-as-relay-agent; in this instance, the switch relays requests through a router to the server.

4066



Figure 115: Switch Relays DHCP Requests to Server

For the configuration shown in Figure 115 on page 4067, you set DHCP option 82 at the [edit forwarding-options helpers bootp] hierarchy level. Related Documentation

•


•

Example: Setting Up DHCP Option 82 with a Switch with No Relay Agent Between Clients and a DHCP Server on page 4123

•


•

Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 4159

•


Understanding IP Source Guard for Port Security on EX Series Switches Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. You can use the IP source guard access port security feature on Juniper Networks EX Series Ethernet Switches to mitigate the effects of these attacks. •

IP Address Spoofing on page 4068

•

How IP Source Guard Works on page 4068

•

The IP Source Guard Database on page 4068

•

Typical Uses of Other Junos Operating System (Junos OS) Features with IP Source Guard on page 4069


4067

®


IP Address Spoofing Hosts on access interfaces can spoof source IP addresses and/or source MAC addresses by flooding the switch with packets containing invalid addresses. Such attacks combined with other techniques such as TCP SYN flood attacks can result in denial-of-service (DoS) attacks. With source IP address or source MAC address spoofing, the system administrator cannot identify the source of the attack. The attacker can spoof addresses on the same subnet or on a different subnet.

How IP Source Guard Works IP source guard checks the IP source address and MAC source address in a packet sent from a host attached to an untrusted access interface on the switch against entries stored in the DHCP snooping database. If IP source guard determines that the packet header contains an invalid source IP address or source MAC address, it ensures that the switch does not forward the packet—that is, the packet is discarded. When you configure IP source guard, you can enable it on a specific VLAN or on all VLANs. if you explicitly enable IP source guard only on a specific VLAN, you must also explicitly enable DHCP snooping on that specific VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN. IP source guard applies its checking rules to packets sent from untrusted access interfaces on those VLANs. By default, on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or to trusted access interfaces—that is, interfaces configured as dhcp-trusted so that a DHCP server can be connected to that interface to provide dynamic IP addresses.

NOTE: IP source guard is not supported on trunk interfaces regardless of whether the trunk interface is trusted or untrusted.

IP source guard obtains information about IP-address/MAC-address/VLAN bindings from the DHCP snooping database. It causes the switch to validate incoming IP packets against the entries in that database. After the DHCP snooping database has been populated either through dynamic DHCP snooping or through configuration of specific static IP address/MAC address bindings, the IP source guard feature builds its database. It then checks incoming packets from access interfaces on the VLANs on which it is enabled. If the source IP addresses and source MAC addresses match the IP source guard binding entries, the switch forwards the packets to their specified destination addresses. If there are no matches, the switch discards the packets.

The IP Source Guard Database The IP source guard database looks like this: user@switch> show ip-source-guard

4068



IP source guard information: Interface Tag IP Address

MAC Address

VLAN

ge-0/0/12.0

0

10.10.10.7

00:30:48:92:A5:9D

vlan100

ge-0/0/13.0

0

10.10.10.9

00:30:48:8D:01:3D

vlan100

ge—0/0/13.0

100

*

*

voice

The IP source guard database table shows the untrusted access interfaces in VLANs that have been enabled for IP source guard. The entries include the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If an untrusted access interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output. If you are using IP source guard together with 802.1X user authentication, you must abide by additional configuration guidelines. See “Typical Uses of Other Junos Operating System (Junos OS) Features with IP Source Guard” on page 4069.

Typical Uses of Other Junos Operating System (Junos OS) Features with IP Source Guard You can configure IP source guard with various other features on the EX Series switch to provide access port security, including: •

VLAN tagging (used for voice VLANs)

•

GRES (Graceful Routing Engine switchover)

•

Virtual Chassis configurations (See EX Series Switch Software Features Overview for list of models that support IP Source Guard.)

•

Link-aggregation groups (LAGs)

•

802.1X user authentication in single supplicant, single-secure supplicant, or multiple supplicant mode.

NOTE: If you are implementing 801.X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines:


•

If the 802.1X interface is part of an untagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has untagged membership.

•

If the 802.1X interface is part of a tagged MAC-based VLAN and you want to enable IP source guard and DHCP snooping on that VLAN, you must enable IP source guard and DHCP snooping on all dynamic VLANs in which the interface has tagged membership.

4069

®



•


•

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 4114

•

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 4106

Understanding Persistent MAC Learning (Sticky MAC) Persistent MAC learning, also known as sticky MAC, is a port security feature that allows retention of dynamically learned MAC addresses on an interface across restarts of the switch (or if the interface goes down). Persistent MAC address learning is disabled by default. You can enable persistent MAC address learning in conjunction with MAC limiting to restrict the number of persistent MAC addresses. You enable this feature on interfaces. Configure persistent MAC learning on an interface to: •

Prevent traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.

•

Protects the switch against security attacks. Use persistent MAC learning in combination with MAC limiting to protect against attacks such as Layer 2 denial of service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the MAC addresses allowed while still allowing the interface to dynamically learn a specified number of MAC addresses. The interface is secured because after the limit has been reached, additional devices cannot connect to the port. By enabling persistent MAC learning along with MAC limiting, you can allow interfaces to learn MAC addresses of trusted workstations and servers during the period from when you connect the interface to your network until the limit for MAC addresses is reached, and ensure that after this initial period with the limit reached, new devices will not be allowed even if the switch restarts. The alternatives to using persistent MAC learning with MAC limiting are to statically configure each MAC address on each port or to allow the port to continuously learn new MAC addresses after restarts or interface-down events. Allowing the port to continuously learn MAC addresses represents a security risk.

NOTE: While a switch is rebooting or an interface is coming back up, there might be a short delay before the interface can learn more MAC addresses. This delay occurs while the system re-enters previously learned persistent MAC addresses into the forwarding database for the interface.

TIP: If you move a device within your network that has a persistent MAC address entry on the switch, use the clear ethernet-switching table persistent-mac command to clear the persistent MAC address entry from the

4070



interface. If you move the device and do not clear the persistent MAC address from the original port it was learned on, then the new port will not learn the MAC address and the device will not be able to connect. If the original port is down when you move the device, then the new port will learn the MAC address and the device can connect. However, if you do not clear the MAC address on the original port, then when the port comes back up, the system reinstalls the persistent MAC address in the forwarding table for that port. If this occurs, the address is removed from the new port and the device loses connectivity.

Consider the following configuration guidelines when configuring persistent MAC learning:


•

Interfaces must be configured in access mode (use the port-mode configuration statement).

•

You cannot enable persistent MAC learning on an interface on which 802.1x authentication is configured.

•

You cannot enable persistent MAC learning on an interface that is part of a redundant trunk group.

•

You cannot enable persistent MAC learning on an interface on which no-mac-learning is enabled.

•


•

Configuring Persistent MAC Learning (CLI Procedure) on page 4162


4071

®


4072


CHAPTER 105

Examples: Port Security Configuration •


•


•


•


•


•

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 4095

•


•


•


•


•


•


Example: Configuring Basic Port Security Features You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting, persistent MAC learning, and MAC move limiting on the access ports of switches to protect the switches and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. You can also configure a trusted DHCP server and specific (allowed) MAC addresses for the switch interfaces.


4073

®


This example describes how to configure basic port security features on a switch: •


•


•


•



One EX Series switch or one QFX3500 switch

•

Junos OS Release 11.4 or later for EX Series switches or Junos OS Release 12.1 or later for the QFX Series

•

A DHCP server to provide IP addresses to network devices on the switch

Before you configure basic port security features, be sure you have: •

Connected the DHCP server to the switch.

•

Configured a VLAN on the switch. See the task for your platform: •


•

Configuring VLANs for the QFX Series

NOTE: In this example, the DHCP server and its clients are all members of a single VLAN on the switch.

Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure: •

DHCP snooping to validate DHCP server messages

•

DAI to protect against MAC spoofing

•

MAC limiting to constrain the number of MAC addresses the switch adds to its MAC address cache

•

MAC move limiting to help prevent MAC spoofing

•

Persistent MAC learning (sticky MAC) to constrain the MAC addresses that can be learned on an interface to the first ones learned, even after a reboot of the switch

•

Trusted DHCP server configured on a trusted port to protect against rogue DHCP servers sending leases

This example shows how to configure these security features on a switch connected to a DHCP server.

4074


Chapter 105: Examples: Port Security Configuration

The setup for this example includes the VLAN employee-vlan on the switch. Figure 116 on page 4075 illustrates the topology for this example.

Figure 116: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 437 on page 4075.

Table 437: Components of the Port Security Topology Properties

Settings

Switch hardware


VLAN name and ID

employee-vlan, tag 20

VLAN subnets

192.0.2.16/28 192.0.2.17 through 192.0.2.30 192.0.2.31 is subnet's broadcast address

Interfaces in employee-vlan

ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8

Interface for DHCP server

ge-0/0/8

In this example, the switch is initially configured with the default port security setup. In the default switch configuration: •

Secure port access is activated on the switch.

•

DHCP snooping and DAI are disabled on all VLANs.

•

All access ports are untrusted, and all trunk ports are trusted for DHCP snooping.


4075

®


In the configuration tasks for this example, you set the DHCP server as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a VLAN; you set a value for a MAC limit on some interfaces; you configure some specific (allowed) MAC addresses on an interface; and you configure persistent MAC learning on an interface.

Configuration To configure basic port security on a switch whose DHCP server and client ports are in a single VLAN: CLI Quick Configuration

To quickly configure basic port security on the switch, copy the following commands and paste them into the switch terminal window: [edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 4 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88 set interface ge-0/0/2 mac-limit 4 set interface ge-0/0/1 persistent-learning set interface ge-0/0/8 dhcp-trusted set vlan employee-vlan arp-inspection set vlan employee-vlan examine-dhcp set vlan employee-vlan mac-move-limit 5


Configure basic port security on the switch: 1.

Enable DHCP snooping on the VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan examine-dhcp

2.

Specify the interface (port) from which DHCP responses are allowed: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/8 dhcp-trusted

3.

Enable dynamic ARP inspection (DAI) on the VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan arp-inspection

4.

Configure a MAC limit of 4 and use the default action, drop. (Packets are dropped, and the MAC address is not added to the Ethernet switching table if the MAC limit is exceeded on the interfaces): [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit 4 user@switch# set interface ge-0/0/2 mac-limit 4

5.

Allow learned MAC addresses for a particular interface to persist across restarts of the switch and interface-down events by enabling persistent MAC learning: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 persistent-learning

6.

Configure a MAC move limit of 5 and use the default action, drop. (Packets are dropped, and the MAC address is not added to the Ethernet switching table if a MAC address has exceeded the MAC move limit): [edit ethernet-switching-options secure-access-port]

4076



user@switch# set vlan employee-vlan mac-move-limit 5 7.

Configure allowed MAC addresses: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show interface ge-0/0/1.0 { mac-limit 4; persistent-learning; } interface ge-0/0/2.0 { allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85:3a:82:85 00:05:85:3a:82:88 ]; mac-limit 4; } interface ge-0/0/8.0 { dhcp-trusted; } vlan employee-vlan { arp-inspection examine-dhcp; mac-move-limit 5; }


Verifying That DHCP Snooping Is Working Correctly on the Switch on page 4077

•

Verifying That DAI Is Working Correctly on the Switch on page 4078

•

Verifying That MAC Limiting, MAC Move Limiting, and Persistent MAC Learning Are Working Correctly on the Switch on page 4078

•

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 4079

Verifying That DHCP Snooping Is Working Correctly on the Switch Purpose Action

Verify that DHCP snooping is working on the switch. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases: user@switch> show dhcp snooping binding


4077

®


DHCP Snooping Information: MAC Address IP Address -------------------------00:05:85:3A:82:77 192.0.2.17 00:05:85:3A:82:79 192.0.2.18 00:05:85:3A:82:80 192.0.2.19 00:05:85:3A:82:81 192.0.2.20 00:05:85:3A:82:83 192.0.2.21 00:05:85:27:32:88 192.0.2.22

Meaning

Lease ----600 653 720 932 1230 3200

Type ---dynamic dynamic dynamic dynamic dynamic dynamic

VLAN ---employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan

Interface --------ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires. If the DHCP server had been configured as untrusted, no entries would be added to the DHCP snooping database, and nothing would be shown in the output of the show dhcp snooping binding command.

Verifying That DAI Is Working Correctly on the Switch Purpose Action

Verify that DAI is working on the switch. Send some ARP requests from network devices connected to the switch. Display the DAI information: user@switch> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ARP inspection failed --------------- ---------------------------------- --------------------ge-0/0/1.0 7 5 2 ge-0/0/2.0 10 10 0 ge-0/0/3.0 12 12 0

Meaning

The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.

Verifying That MAC Limiting, MAC Move Limiting, and Persistent MAC Learning Are Working Correctly on the Switch Purpose

Verify that MAC limiting, MAC move limiting, and persistent MAC learning are working on the switch.

Action

Suppose that two packets have been sent from hosts on ge-0/0/1 and five packets from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the default action drop and ge-0/0/1 enabled for persistent MAC learning. Display the MAC addresses learned:

4078



user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 4 learned, 2 persistent entries VLAN MAC address Type Age Interfaces employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

* 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85

Flood Persistent Persistent Learn Learn Learn Learn

0 0 0 0 0 0

All-members ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

Now suppose packets have been sent from two of the hosts on ge-0/0/2 after they have been moved to other interfaces more than five times in 1 second, with employee-vlan set to a MAC move limit of 5 with the default action drop. Display the MAC addresses in the table: user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 2 learned, 2 persistent entries VLAN MAC address Type Age Interfaces employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning

* 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 * *

Flood Persistent Persistent Learn Learn Flood Flood

0 0 0 0 -

All-members ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

The first sample output shows that with a MAC limit of 4 for each interface, the fifth MAC address on ge-0/0/2 was not learned because it exceeded the MAC limit. The second sample output shows that MAC addresses for three of the hosts on ge-/0/0/2 were not learned, because the hosts had been moved back more than five times in 1 second. Interface ge-0/0/1.0 was enabled for persistent MAC learning, so the MAC addresses associated with this interface are of the type persistent.

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch Purpose Action

Verify that allowed MAC addresses are working on the switch. Display the MAC cache information after five allowed MAC addresses have been configured on interface ge-0/0/2: user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan


00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85

Learn Learn Learn Learn

Age

Interfaces

0 0 0 0

ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

4079

®


employee-vlan

Meaning


*

Flood

-

ge-0/0/2.0

Because the MAC limit value for this interface has been set to 4, only four of the five configured allowed addresses are learned.

•


•


•


•


•


•


•


•


•

secure-access-port on page 4208

•

secure-access-port

•

show arp inspection statistics on page 4225

•

show dhcp snooping binding on page 4226

•


•


Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks In an Ethernet switching table overflow attack, an intruder sends so many requests from new MAC addresses that the Ethernet switching table fills up and then overflows, forcing the switch to broadcast all messages. This example describes how to configure MAC limiting and allowed MAC addresses, two port security features, to protect the switch from Ethernet switching table attacks:

4080

•


•


•


•





One EX Series switch or QFX3500 switch

•

Junos OS Release 9.0 or later for EX Series switches or Junos OS 12.1 or later for the QFX Series.

•


Before you configure specific port security features to mitigate common access-interface attacks, be sure you have: •


•

Configured a VLAN on the switch. See the task for your platform:

Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from an attack on the Ethernet switching table that causes the table to overflow and thus forces the switch to broadcast all messages. This example shows how to configure port security features on a switch connected to a DHCP server. The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN is described in the topic “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124 and Example: Setting Up Bridging with Multiple VLANs for the QFX Series. That procedure is not repeated here. Figure 117 on page 4082 illustrates the topology for this example.


4081

®





Settings

Switch hardware


VLAN name and ID


VLAN subnets



ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8


ge-0/0/8

In this example, use the MAC limit feature to control the total number of MAC addresses that can be added to the Ethernet switching table for the specified interface. Use the allowed MAC addresses feature to ensure that the addresses of network devices whose network access is critical are guaranteed to be included in the Ethernet switching table. In this example, the switch has already been configured as follows:

4082

•


•

No MAC limit is set on any of the interfaces.

•

All access interfaces are untrusted, which is the default setting.



Configuration To configure MAC limiting and some allowed MAC addresses to protect the switch against Ethernet switching table overflow attacks: CLI Quick Configuration

To quickly configure MAC limiting, clear the MAC forwarding table, and configure some allowed MAC addresses, copy the following commands and paste them into the switch terminal window: [edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 4 action drop set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 exit exit clear ethernet-switching-table interface ge-0/0/1


Configure MAC limiting and some allowed MAC addresses: 1.

Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with different addresses be dropped once the limit is exceeded on the interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit (Access Port Security) 4 action drop

2.

Clear the current entries for interface ge-0/0/1 from the MAC address forwarding table : user@switch# clear ethernet-switching-table interface ge-0/0/1

3.

Configure the allowed MAC addresses on ge-0/0/2: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Results

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show interface ge-0/0/1.0 { mac-limit 4 action drop; } interface ge-0/0/2.0 { allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85 :3a:82:85 ]; }


Verifying That MAC Limiting Is Working Correctly on the Switch on page 4084


4083

®


Verifying That MAC Limiting Is Working Correctly on the Switch Purpose Action

Verify that MAC limiting is working on the switch. Display the MAC cache information after DHCP requests have been sent from hosts on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop, and after four allowed MAC addresses have been configured on interface ge/0/0/2: user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning


00:05:85:3A:82:71 00:05:85:3A:82:74 00:05:85:3A:82:77 00:05:85:3A:82:79 * 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 *

Learn Learn Learn Learn Flood Learn Learn Learn Learn Flood

Age

Interfaces

0 0 0 0 0 0 0 0 0 -

ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

The sample output shows that with a MAC limit of 4 for the interface, the DHCP request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the MAC limit and that only the specified allowed MAC addresses have been learned on the ge-0/0/2 interface.

•


•


•

Configuring MAC Limiting

•

Configuring MAC Move Limiting (CLI Procedure) on page 4150

•


Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks In a rogue DHCP server attack, an attacker has introduced a rogue server into the network, allowing it to give IP address leases to the network's DHCP clients and to assign itself as the gateway device. This example describes how to configure a DHCP server interface as untrusted to protect the switch from a rogue DHCP server:

4084

•


•


•


•






•


•


Before you configure an untrusted DHCP server interface to mitigate rogue DHCP server attacks, be sure you have: •


•

Enabled DHCP snooping on the VLAN.

•



•

Example: Setting Up Bridging with Multiple VLANs for the QFX Series

Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from rogue DHCP server attacks. This example shows how to explicitly configure an untrusted interface on an EX3200-24P switch and a QFX3500 switch. Figure 118 on page 4086 illustrates the topology for this example.


4085

®





Settings

Switch hardware

One EX3200-24P, 24 ports (8 PoE ports) or one QFX3500 switch

VLAN name and ID


VLAN subnets

192.0.2.16/28 192.0.2.17 through 192.0.2.30 192.0.2.31 is the subnet's broadcast address


ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8


ge-0/0/8

In this example, the switch has already been configured as follows: •


•

DHCP snooping is enabled on the VLAN employee-vlan.

•

The interface (port) where the rogue DHCP server has connected to the switch is currently trusted.

Configuration To configure the DHCP server interface as untrusted because the interface is being used by a rogue DHCP server:

4086




To quickly set the rogue DHCP server interface as untrusted, copy the following command and paste it into the switch terminal window: [edit ethernet-switching-options secure-access-port] set interface ge-0/0/8 no-dhcp-trusted


To set the DHCP server interface as untrusted: •

Specify the interface (port) from which DHCP responses are not allowed:

[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/8 no-dhcp-trusted

Results

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show interface ge-0/0/8.0 { no-dhcp-trusted; }

Verification Confirm that the configuration is working properly.

Verifying That the DHCP Server Interface Is Untrusted Purpose Action

Verify that the DHCP server is untrusted. 1.

Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch.

2. Display the DHCP snooping information when the port on which the DHCP server

connects to the switch is not trusted. Meaning


There is no output from the command because no entries are added to the DHCP snooping database.

•


•


•


•


•

secure-access-port

•



4087

®


Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests from spoofed (counterfeit) MAC addresses, causing the switch's overworked DHCP server to stop assigning IP addresses and lease times to legitimate DHCP clients on the switch (hence the name starvation). Requests from those clients are either dropped or directed to a rogue DHCP server set up by the attacker. This example describes how to configure MAC limiting, a port security feature, to protect the switch against DHCP starvation attacks: •


•


•


•




•


•


Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation attacks, be sure you have: •


•

Configured the VLAN employee-vlan on the switch. See “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124.

Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch against one common type of attack, a DHCP starvation attack. This example shows how to configure port security features on a switch connected to a DHCP server. The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN is described in the topic “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124. That procedure is not repeated here. Figure 119 on page 4089 illustrates the topology for this example.

4088






Settings

Switch hardware VLAN name and ID

default


ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8


ge-0/0/8



•

No MAC limit is set on any of the interfaces.

•

DHCP snooping is disabled on the VLAN employee-vlan.

•

All access interfaces are untrusted, which is the default setting.

Configuration To configure the MAC limiting port security feature to protect the switch against DHCP starvation attacks: CLI Quick Configuration

To quickly configure MAC limiting, copy the following commands and paste them into the switch terminal window:


4089

®


[edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 3 action drop set interface ge-0/0/2 mac-limit 3 action drop


Configure MAC limiting: 1.

Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge–0/0/1 mac-limit (Access Port Security) 3 action drop

2.

Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 mac-limit 3 action drop

Results

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show interface ge-0/0/1.0 { mac-limit 3 action drop; } interface ge-0/0/2.0 { mac-limit 3 action drop; }


Verifying That MAC Limiting Is Working Correctly on the Switch on page 4090

Verifying That MAC Limiting Is Working Correctly on the Switch Purpose Action

Verify that MAC limiting is working on the switch. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the MAC addresses learned when DHCP requests are sent from hosts on ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3 with the action drop: user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type default default default default default default default

4090

* 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85

Flood Learn Learn Learn Learn Learn Learn

Age

Interfaces

0 0 0 0 0 0

ge-0/0/2.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0



Meaning

The sample output shows that with a MAC limit of 3 for each interface, the DHCP request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. Because only 3 MAC addresses can be learned on each of the two interfaces, attempted DHCP starvation attacks will fail.


•


•


•

Configuring MAC Limiting

•


Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks In an ARP spoofing attack, the attacker associates its own MAC address with the IP address of a network device connected to the switch. Traffic intended for that IP address is now sent to the attacker instead of being sent to the intended destination. The attacker can send faked, or “spoofed,” ARP messages on the LAN.

NOTE: When dynamic ARP inspection (DAI) is enabled, the switch logs the number of invalid ARP packets that it receives on each interface, along with the sender’s IP and MAC addresses. You can use these log messages to discover ARP spoofing on the network.

This example describes how to configure DHCP snooping and dynamic ARP inspection (DAI), two port security features, to protect the switch against ARP spoofing attacks: •


•


•


•




•


•



4091

®


Before you configure DHCP snooping and DAI (two port security features) to mitigate ARP spoofing attacks, be sure you have: •


•



•


Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch against one common type of attack, an ARP spoofing attack. In an ARP spoofing attack, the attacker sends faked ARP messages, thus creating various types of problems on the LAN—for example, the attacker might launch a man-in-the middle attack. This example shows how to configure port security features on a switch that is connected to a DHCP server. The setup for this example includes the VLAN employee-vlan on the switch. The procedure for creating that VLAN is described in the topic “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124 and Example: Setting Up Bridging with Multiple VLANs for the QFX Series. That procedure is not repeated here. Figure 120 on page 4092 illustrates the topology for this example.



4092




Settings

Switch hardware


VLAN name and ID


VLAN subnets



ge-0/0/1,ge-0/0/2, ge-0/0/3, ge-0/0/8


ge-0/0/8



•

DHCP snooping is disabled on the VLAN employee-vlan.

•

All access ports are untrusted, which is the default setting.

Configuration To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch against ARP attacks: CLI Quick Configuration

To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the following commands and paste them into the switch terminal window: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/8 dhcp-trusted user@switch# set vlan employee-vlan examine-dhcp user@switch# set vlan employee-vlan arp-inspection


Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN: 1.

Set the ge-0/0/8 interface as trusted: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/8 dhcp-trusted

2.

Enable DHCP snooping on the VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan examine-dhcp

3.

Enable DAI on the VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan arp-inspection

Results

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show interface ge-0/0/8.0 { dhcp-trusted;


4093

®


} vlan employee-vlan { arp-inspection; examine-dhcp; }

Verification Confirm that the configuration is working properly. •

Verifying That DHCP Snooping Is Working Correctly on the Switch on page 4094

•

Verifying That DAI Is Working Correctly on the Switch on page 4094

Verifying That DHCP Snooping Is Working Correctly on the Switch Purpose Action

Verify that DHCP snooping is working on the switch. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the port on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases: user@switch> show dhcp-snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720 00:05:85:3A:82:81 192.0.2.20 932 00:05:85:3A:82:83 192.0.2.21 1230 00:05:85:27:32:88 192.0.2.22 3200

Meaning


VLAN ---employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan


When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires.

Verifying That DAI Is Working Correctly on the Switch Purpose Action

Verify that DAI is working on the switch. Send some ARP requests from network devices connected to the switch. Display the DAI information: user@switch> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ARP inspection failed --------------- ---------------------------------- --------------------ge-0/0/1.0 7 5 2

4094



ge-0/0/2.0 ge-0/0/3.0

Meaning


10 12

10 12

0 0


•


•

Enabling DHCP Snooping (CLI Procedure) on page 4138

•

Enabling DHCP Snooping (J-Web Procedure) on page 4140

•


•


•


•

secure-access-port

•


•


Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks In one type of attack on the DHCP snooping database, an intruder introduces a DHCP client on an untrusted access interface with a MAC address identical to that of a client on another untrusted interface. The intruder then acquires the DHCP lease of that other client, thus changing the entries in the DHCP snooping table. Subsequently, what would have been valid ARP requests from the legitimate client are blocked. This example describes how to configure allowed MAC addresses, a port security feature, to protect the switch from DHCP snooping database alteration attacks: •


•


•


•




•


•



4095

®


Before you configure specific port security features to mitigate common access-inteface attacks, be sure you have: •


•



•


Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. This example describes how to protect the switch from an attack on the DHCP snooping database that alters the MAC addresses assigned to some clients. This example shows how to configure port security features on a switch that is connected to a DHCP server. The setup for this example includes the VLAN employee-vlan on the switch. Figure 121 on page 4096 illustrates the topology for this example.




Settings

Switch hardware


VLAN name and ID


4096



Table 442: Components of the Port Security Topology (continued) Properties

Settings

VLAN subnets



ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8


ge-0/0/8



•

DHCP snooping is enabled on the VLAN employee-vlan.

•


Configuration To configure allowed MAC addresses to protect the switch against DHCP snooping database alteration attacks: CLI Quick Configuration

To quickly configure some allowed MAC addresses on an interface, copy the following commands and paste them into the switch terminal window: [edit ethernet-switching-options secure-access-port] set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88


To configure some allowed MAC addresses on an interface: Configure the five allowed MAC addresses on an interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Results

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show interface ge-0/0/2.0 { allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85 :3a:82:85 00:05:85:3a:82:88 ]; }


4097

®


Verification Confirm that the configuration is working properly. •

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 4098

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch Purpose Action

Verify that allowed MAC addresses are working on the switch. Display the MAC cache information: user@switch> show ethernet-switching table Ethernet-switching table: 6 entries, 5 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning


00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 00:05:85:3A:82:88 *

Learn Learn Learn Learn Learn Flood

Age

Interfaces

0 0 0 0 0 -

ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

The output shows that the five MAC addresses configured as allowed MAC addresses have been learned and are displayed in the MAC cache. The last MAC address in the list, one that had not been configured as allowed, has not been added to the list of learned addresses.

•


•


•


•


•

secure-access-port

•


•


Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch You can configure DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting on the access interfaces of switches to protect the switch and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. To obtain those basic settings, you can use the switch's default configuration for port security, configure the MAC limit, and enable DHCP snooping and DAI on a VLAN. You can configure those features when the DHCP server is connected to a different switch from the one to which the DHCP clients (network devices) are connected.

4098



This example describes how to configure port security features on a switch whose hosts obtain IP addresses and lease times from a DHCP server connected to a second switch: •


•


•

Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 on page 4101

•

Configuring a VLAN and Interfaces on Switch 2 on page 4103

•



One EX Series switch or QFX3500 switch—“Switch 1” in this example.

•

An additional EX Series switch or QFX3500 switch—”Switch 2” in this example. You do not configure port security on this second switch.

•

Junos OS Release 9.0 or later for EX Series switches or Junos OS Release 12.1 or later for the QFX Series.

•

A DHCP server connected to Switch 2. You use the server to provide IP addresses to network devices connected to Switch 1.

•

At least two network devices (hosts) that you connect to access interfaces on Switch 1. These devices are DHCP clients.

Before you configure DHCP snooping, DAI, and MAC limiting port security features, be sure you have: •

Connected the DHCP server to Switch 2.

•



•


Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure: •

DHCP snooping to validate DHCP server messages

•

DAI to protect against ARP spoofing

•

MAC limiting to constrain the number of MAC addresses the switch adds to its MAC address cache

This example shows how to configure these port security features on Switch 1. Switch 1 is connected to another switch (Switch 2) that is not configured with port security features. That second switch is connected to a DHCP server. (See Figure 122 on page 4100.) Network devices (hosts) that are connected to Switch 1 send requests for IP addresses (that is,


4099

®


the devices are DHCP clients). Those requests are transmitted from Switch 1 to Switch 2 and then to the DHCP server connected to Switch 2. Responses to the requests are transmitted along the reverse path of the one followed by the requests. The setup for this example includes the VLAN employee-vlan on both switches. Figure 122 on page 4100 shows the network topology for the example.

Figure 122: Network Topology for Port Security Setup with Two Switches on the Same VLAN


Table 443: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 Properties

Settings

Switch hardware

One EX Series switch or one QFX3500 switch (Switch 1), and an additional EX Series switch or QFX3500 switch (Switch 2)

VLAN name and ID


VLAN subnets


Trunk interface on both switches

ge-0/0/11

Access interfaces on Switch 1

ge-0/0/1, ge-0/0/2, and ge-0/0/3

Access interface on Switch 2

ge-0/0/1

4100



Table 443: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 (continued) Properties

Settings


ge-0/0/1 on Switch 2

Switch 1 is initially configured with the default port security setup. In the default configuration on the switch: •


•

The switch does not drop any packets, which is the default setting.

•

DHCP snooping and dynamic ARP inspection (DAI) are disabled on all VLANs.

•

All access interfaces are untrusted and trunk interfaces are trusted; these are the default settings.

In the configuration tasks for this example, you configure a VLAN on both switches. In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. In this example, you also enable DAI and a MAC limit of 5 on Switch 1. Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do not have to configure this interface to be trusted. As noted above, trunk interfaces are automatically trusted, so DHCP messages coming from the DHCP server to Switch 2 and then on to Switch 1 are trusted.

Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 CLI Quick Configuration

To quickly configure a VLAN, interfaces, and port security features, copy the following commands and paste them into the switch terminal window: [edit] set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 5 action drop clear ethernet-switching table interface ge-0/0/1 set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20 set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20 set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20 set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20 set vlans employee-vlan vlan-id 20


To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI and DHCP on the VLAN: 1.

Configure the VLAN employee-vlan with VLAN ID 20: [edit vlans] user@switch1# set employee-vlan vlan-id 20

2.

Configure an interface on Switch 1 as a trunk interface: [edit interfaces] user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

3.

Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:


4101

®


[edit interfaces] user@switch1# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20 user@switch1# set ge-0/0/2 unit 0 family ethernet-switching vlan members 20 user@switch1# set ge-0/0/3 unit 0 family ethernet-switching vlan members 20 user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20 4.

Enable DHCP snooping on the VLAN: [edit ethernet-switching-options secure-access-port] user@switch1# set vlan employee-vlan examine-dhcp

5.

Enable DAI on the VLAN: [edit ethernet-switching-options secure-access-port] user@switch1# set vlan employee-vlan arp-inspection

6.

Configure a MAC limit of 5 on ge-0/0/1 and use the default action, drop (packets with new addresses are dropped if the limit has been exceeded): [edit ethernet-switching-options secure-access-port] user@switch1# set interface ge-0/0/1 mac-limit 5 drop

7.

Clear the existing MAC address table entries from interface ge-0/0/1: user@switch1# clear ethernet-switching table interface ge-0/0/1

Results

Display the results of the configuration: [edit] user@switch1# show ethernet-switching-options { secure-access-port { interface ge-0/0/1.0{ mac-limit 5 action drop; } vlan employee-vlan { arp-inspection; examine-dhcp; } } } interfaces { ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members 20; } } } } ge-0/0/2 { unit 0 { family ethernet-switching { vlan { members 20; } } } } ge-0/0/3 { unit 0 {

4102



family ethernet-switching { vlan { members 20; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 20; } } } } } vlans { employee-vlan { vlan-id 20; } }

Configuring a VLAN and Interfaces on Switch 2 To configure the VLAN and interfaces on Switch 2: CLI Quick Configuration

To quickly configure the VLAN and interfaces on Switch 2, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set vlans employee-vlan vlan-id 20


To configure the VLAN and interfaces on Switch 2: 1.

Configure an interface on Switch 2 as a trunk interface: [edit interfaces] user@switch2# set ge-0/0/11 unit 0 ethernet-switching port-mode trunk

2.

Associate the VLAN with interfaces ge-0/0/1 and ge-0/0/11: [edit interfaces] user@switch2# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20 user@switch2# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20

Results

Display the results of the configuration: [edit] user@switch2# show interfaces { ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members 20;


4103

®


} } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 20; } } } } } vlans { employee-vlan { vlan-id 20; } }

Verification To confirm that the configuration is working properly. •

Verifying That DHCP Snooping Is Working Correctly on Switch 1 on page 4104

•

Verifying That DAI Is Working Correctly on Switch 1 on page 4105

•

Verifying That MAC Limiting Is Working Correctly on Switch 1 on page 4105

Verifying That DHCP Snooping Is Working Correctly on Switch 1 Purpose Action

Verify that DHCP snooping is working on Switch 1. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface through which Switch 2 sends the DHCP server replies to clients connected to Switch 1 is trusted. The server has provided the IP addresses and leases: user@switch1> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720 00:05:85:3A:82:81 192.0.2.20 932 00:05:85:3A:82:83 192.0.2.21 1230 00:05:85:3A:82:90 192.0.2.20 932 00:05:85:3A:82:91 192.0.2.21 1230

Meaning

4104

Type ---dynamic dynamic dynamic dynamic dynamic dynamic dynamic

VLAN ---employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan

Interface --------ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0

The output shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires.



Verifying That DAI Is Working Correctly on Switch 1 Purpose Action

Verify that DAI is working on Switch 1. Send some ARP requests from network devices connected to the switch. Display the DAI information: user@switch1> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ---------–-------------–- ------------------ge-0/0/1.0 7 5 ge-0/0/2.0 10 10 ge-0/0/3.0 18 15

Meaning

ARP inspection failed --------------------2 0 3


Verifying That MAC Limiting Is Working Correctly on Switch 1 Purpose Action

Verify that MAC limiting is working on Switch 1. Display the MAC addresses that are learned when DHCP requests are sent from hosts on ge-0/0/1: user@switch1> show ethernet-switching table Ethernet-switching table: 6 entries, 5 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning


00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 *

Learn Learn Learn Learn Learn Flood

Age

Interfaces

0 0 0 0 0 -

ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0

The sample output shows that five MAC addresses have been learned for interface ge-0/0/1, which corresponds to the MAC limit of 5 set in the configuration. The last line of the output shows that a sixth MAC address request was dropped, as indicated by the asterisk (*) in the MAC address column.

•


•


•


•


•

secure-access-port


4105

®


•


•


•


•


Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX Series switches to mitigate the effects of such attacks. If IP source guard determines that a source IP address and a source MAC address in a binding in an incoming packet are not valid, the switch does not forward the packet. You can use IP source guard in combination with other EX Series switch features to mitigate address-spoofing attacks on untrusted access interfaces. This example shows two configuration scenarios: •


•


•

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection on page 4108

•

Configuring IP Source Guard on a Guest VLAN on page 4110

•




•

An EX4200-24P switch

•


•

A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for these scenarios, be sure you have:

4106

•


•

Connected the RADIUS server and configured user authentication on the RADIUS server. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

•

Configured the VLANs on the switch. See “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124 for detailed information about configuring VLANs.



Overview and Topology IP source guard checks the IP source address and MAC source address in a packet sent from a host attached to an untrusted access interface on the switch. If IP source guard determines that the packet header contains an invalid source IP address or source MAC address, it ensures that the switch does not forward the packet—that is, the packet is discarded. When you configure IP source guard, you enable on it on one or more VLANs. IP source guard applies its checking rules to untrusted access interfaces on those VLANs. By default, on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or trusted access interfaces—that is, interfaces configured with dhcp-trusted so that a DHCP server can be connected to that interface to provide dynamic IP addresses. IP source guard obtains information about IP-address/MAC-address/VLAN bindings from the DHCP snooping database. It causes the switch to validate incoming IP packets against the entries in that database. The topology for this example includes an EX-4200-24P switch, a connection to a DHCP server, and a connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single supplicants. You can also use IP source guard with 802.1X user authentication for single-secure supplicant or multiple supplicant mode. If you are implementing IP source guard with 802.1X authentication in single-secure supplicant or multiple supplicant mode, you must use the following configuration guidelines: •


•


In the first example configuration, two clients (network devices) are connected to an access switch. You configure IP source guard and 802.1X user authentication, in combination with two access port security features: DHCP snooping and dynamic ARP inspection (DAI). This setup is designed to protect the switch from IP attacks such as “ping of death” attacks, DHCP starvation, and ARP spoofing.


4107

®


In the second example configuration, the switch is configured for 802.1X user authentication. If the client fails authentication, the switch redirects the client to a guest VLAN that allows this client to access a set of restricted network features. You configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.

NOTE: Control-plane rate limiting is achieved by restricting CPU control-plane protection. It can be used in conjunction with storm control (see “Understanding Storm Control on EX Series Switches” on page 4005) to limit data-plane activity.

TIP: You can set the ip-source-guard flag in the traceoptions (Access Port Security) statement for debugging purposes.

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection CLI Quick Configuration

To quickly configure IP source guard with 802.1X authentication and with other access port security features, copy the following commands and paste them into the switch terminal window: [edit] set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted set ethernet-switching-options secure-access-port vlan data examine-dhcp set ethernet-switching-options secure-access-port vlan data arp-inspection set ethernet-switching-options secure-access-port vlan data ip-source-guard set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members data set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data set protocols lldp-med interface ge-0/0/0.0 set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single set protocols lldp-med interface ge-0/0/1.0 set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single


To configure IP source guard with 802.1X authentication and various port security features: 1.

Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the data VLAN: [edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted user@switch# set set ge-0/0/24 unit 0 family ethernet-switching vlan members data

2.

Associate two interfaces with the data VLAN: [edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members data user@switch# set ge-0/0/1 unit 0 family ethernet-switching vlan members data

3.

Configure 802.1X user authentication and LLDP-MED on the two interfaces that you associated with the data VLAN: [edit protocols] user@switch# set lldp-med (Ethernet Switching) interface ge-0/0/0.0 user@switch# set dot1x authenticator authentication-profile-name profile52

4108



user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single user@switch# set lldp-med interface ge-0/0/1.0 user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single 4.

Configure three access port security features—DHCP snooping, dynamic ARP inspection (DAI), and IP source guard—on the data VLAN: [edit ethernet-switching-options] user@switch# set secure-access-port vlan data examine-dhcp user@switch# set secure-access-port vlan data arp-inspection user@switch# set secure-access-port vlan data ip-source-guard

Results

Check the results of the configuration: [edit ethernet-switching-options] secure-access-port { interface ge-0/0/24.0 { dhcp-trusted; } vlan data { arp-inspection; examine-dhcp; ip-source-guard; } } [edit interfaces] ge-0/0/0 { unit 0 { family ethernet-switching { vlan { members data; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members data; } } } } ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members data; } } } } [edit protocols] lldp-med { interface ge-0/0/14.0;


4109

®


interface ge-0/0/0.0; interface ge-0/0/1.0; } dot1x { authenticator { authentication-profile-name profile52; } interface { ge-0/0/0.0 { supplicant single; } ge-0/0/1.0 { supplicant single; } ge-0/0/14.0 { supplicant single; } } }

Configuring IP Source Guard on a Guest VLAN CLI Quick Configuration

To quickly configure IP source guard on a guest VLAN, copy the following commands and paste them into the switch terminal window: [edit] set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members employee set ethernet-switching-options secure-access-port vlan employee examine-dhcp set ethernet-switching-options secure-access-port vlan employee ip-source-guard set ethernet-switching-options secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee set ethernet-switching-options secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/0 supplicant single set protocols dot1x authenticator interface ge-0/0/0 guest-vlan employee set protocols dot1x authenticator interface ge-0/0/0 supplicant-timeout 2 set protocols dot1x authenticator interface ge-0/0/1 supplicant single set protocols dot1x authenticator interface ge-0/0/1 guest-vlan employee set protocols dot1x authenticator interface ge-0/0/1 supplicant-timeout 2 set vlans employee vlan-id 300


To configure IP source guard on a guest VLAN: 1.

Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the employee VLAN: [edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members employee

2.

Configure two interfaces for the access port mode: [edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/1 unit 0 family ethernet-switching port-mode access

4110



3.

Configure DHCP snooping and IP source guard on the employee VLAN: [edit ethernet-switching-options] user@switch# set secure-access-port vlan employee examine-dhcp user@switch# set secure-access-port vlan employee ip-source-guard

4.

Configure a static IP address on each of two interfaces on the employee VLAN (optional): [edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee [edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee

5.

Configure 802.1X user authentication: [edit protocols] user@switch# set dot1x authenticator authentication-profile-name profile52 user@switch# set dot1x authenticator interface ge-0/0/0 supplicant single user@switch# set dot1x authenticator interface ge-0/0/1 supplicant single user@switch# set dot1x authenticator interface ge-0/0/0 supplicant-timeout 2 user@switch# set dot1x authenticator interface ge-0/0/1 supplicant-timeout 2

6.

Set the VLAN ID for the employee VLAN: [edit vlans] user@switch# set employee vlan-id (802.1Q Tagging) 100

Results

Check the results of the configuration: [edit protocols] dot1x { authenticator { authentication-profile-name profile52; } interface { ge-0/0/0.0 { guest-vlan employee; supplicant single; supplicant-timeout 2; } ge-0/0/1.0 { guest-vlan employee; supplicant single; supplicant-timeout 2; } } } } [edit vlans] employee { vlan-id 100; } [edit interfaces] ge-0/0/0 { unit 0 { family ethernet-switching {


4111

®


port-mode access; } } } ge-0/0/1 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members employee; } } } } [edit ethernet-switching-options] secure-access-port { interface ge-0/0/0.0 { static-ip 11.1.1.1 vlan employee mac 00:11:11:11:11:11; } interface ge-0/0/1.0 { static-ip 11.1.1.2 vlan employee mac 00:22:22:22:22:22; } interface ge-0/0/24.0 { dhcp-trusted; } vlan employee { examine-dhcp; ip-source-guard; } }


Verifying That 802.1X User Authentication Is Working on the Interface on page 4112

•


•

Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN on page 4113

Verifying That 802.1X User Authentication Is Working on the Interface Purpose Action

4112

Verify that the 802.1X configuration is working on the interface. Use the show dot1x interface command to view the 802.1X details.



Meaning

The Supplicant mode output field displays the configured administrative mode for each interface.


Meaning

Verity interface states and VLAN memberships. Use the show ethernet-switching interfaces command to view the Ethernet switching table entries. The field VLAN members shows the associations between VLANs and interfaces. The State field shows whether the interfaces are up or down. For the guest VLAN configuration, the interface is associated with the guest VLAN if and when the supplicant fails 802.1X user authentication.

Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN Purpose Action

Verify that DHCP snooping and IP source guard are enabled and working on the VLAN. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Use the show dhcp snooping binding command to display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. View the MAC addresses from which requests were sent and the IP addresses and leases provided by the server. Use the show ip-source-guard command to view IP source guard information for the VLAN.

Meaning

When the interface on which the DHCP server connects to the switch has been set to trusted, the output shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. Statically configured entries never expire. The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields.


•


•


•



4113

®


•

Configuring IP Source Guard (CLI Procedure) on page 4154

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX Series switches to mitigate the effects of such attacks. If IP source guard determines that a source IP address and a source MAC address in a binding in an incoming packet are not valid, the switch does not forward the packet. If two VLANs share an interface, you can configure IP source guard on just one of the VLANs; in this example, you configure IP source guard on an untagged data VLAN but not on the tagged voice VLAN. You can use 802.1X user authentication to validate the device connections on the data VLAN. This example describes how to configure IP source guard with 802.1X user authentication on a data VLAN, with a voice VLAN on the same interface: •


•


•


•




•


•


•

A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for the data VLANs, be sure you have:

4114

•


•

Connected the RADIUS server to the switch and configured user authentication on the server. See “Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch” on page 3561.

•

Configured the VLANs. See “Example: Setting Up Bridging with Multiple VLANs for EX Series Switches” on page 2124 for detailed information about configuring VLANs.



Overview and Topology IP source guard checks the IP source address and MAC source address in a packet sent from a host attached to an untrusted access interface on the switch. If IP source guard determines that the packet header contains an invalid source IP address or source MAC address, it ensures that the switch does not forward the packet—that is, the packet is discarded. When you configure IP source guard, you enable on it on one or more VLANs. IP source guard applies its checking rules to untrusted access interfaces on those VLANs. By default, on EX Series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or trusted access interfaces—that is, interfaces configured with dhcp-trusted so that a DHCP server can be connected to that interface to provide dynamic IP addresses. IP source guard obtains information about IP-address/MAC-address/VLAN bindings from the DHCP snooping database. It causes the switch to validate incoming IP packets against the entries in that database. The topology for this example includes one EX-3200-24P switch, a PC and an IP phone connected on the same interface, a connection to a DHCP server, and a connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single supplicants. You can also use IP source guard with 802.1X user authentication for single-secure supplicant or multiple supplicant mode. If you are implementing IP source guard with 802.1X authentication in single-secure supplicant or multiple supplicant mode, you must use the following configuration guidelines: •


•


TIP: You can set the ip-source-guard flag in the traceoptions (Access Port Security) statement for debugging purposes. This example shows how to configure a static IP address to be added to the DHCP snooping database.


4115

®



To quickly configure IP source guard on a data VLAN, copy the following commands and paste them into the switch terminal window: set ethernet-switching-options voip interface ge-0/0/14.0 vlan voice set ethernet-switching-options secure-access-port interface ge-0/0/24.0 dhcp-trusted set ethernet-switching-options secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data set ethernet-switching-options secure-access-port vlan data examine-dhcp set ethernet-switching-options secure-access-port vlan data ip-source-guard set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data set vlans voice vlan-id 100 set protocols lldp-med interface ge-0/0/14.0 set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/14.0 supplicant single


To configure IP source guard on the data VLAN: 1.

Configure the VoIP interface: [edit ethernet-switching-options] user@switch# set voip interface ge-0/0/14.0 vlan voice

2.

Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the data VLAN: [edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24.0 dhcp-trusted [edit interfaces] user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data

3.

Configure a static IP address on an interface on the data VLAN (optional) [edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data

4.

Configure DHCP snooping and IP source guard on the data VLAN: [edit ethernet-switching-options] user@switch# set secure-access-port vlan data examine-dhcp user@switch# set secure-access-port vlan data ip-source-guard

5.

Configure 802.1X user authentication and LLDP-MED on the interface that is shared by the data VLAN and the voice VLAN: [edit protocols] user@switch# set lldp-med (Ethernet Switching) interface ge-0/0/14.0 user@switch# set dot1x authenticator authentication-profile-name profile52 user@switch# set dot1x authenticator interface ge-0/0/14.0 supplicant single

6.

Set the VLAN ID for the voice VLAN: [edit vlans] user@switch# set voice vlan-id (802.1Q Tagging) 100

Results

Check the results of the configuration: [edit ethernet-switching-options] user@switch# show voip { interface ge-0/0/14.0 { vlan voice;

4116



} } secure-access-port { interface ge-0/0/14.0 { static-ip 11.1.1.1 vlan data mac 00:11:11:11:11:11; } interface ge-0/0/24.0 { dhcp-trusted; } vlan data { examine-dhcp; ip-source-guard; } } [edit interfaces] ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members data; } } } } [edit vlans] voice { vlan-id 100; } [edit protocols] lldp-med { interface ge-0/0/14.0; } dot1x { authenticator { authentication-profile-name profile52; interface { ge-0/0/14.0 { supplicant single; } } } }

TIP: If you wanted to configure IP source guard on the voice VLAN as well as on the data VLAN, you would configure DHCP snooping and IP source guard exactly as you did for the data VLAN. The configuration result for the voice VLAN under secure-access-port would look like this: secure-access-port { vlan voice { examine-dhcp; ip-source-guard;


4117

®


} }


Verifying That 802.1X User Authentication Is Working on the Interface on page 4118

•


•

Verifying That DHCP Snooping and IP Source Guard Are Working on the Data VLAN on page 4119

Verifying That 802.1X User Authentication Is Working on the Interface Purpose Action

Verify the 802.1X configuration on interface ge-0/0/14. Verify the 802.1X configuration with the operational mode command show dot1x interface: user@switch> show dot1x interface ge-0/0/14.0 detail ge-0/0/14.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Restrict: Disabled Reauthentication: Enabled Configured Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 1 Supplicant: user101, 00:04:0f:fd:ac:fe Operational state: Authenticated Authentication method: Radius Authenticated VLAN: vo11 Dynamic Filter: Session Reauth interval: 60 seconds Reauthentication due in 50 seconds

Meaning

The Supplicant mode output field displays the configured administrative mode for each interface. Interface ge-0/0/14.0 displays Single supplicant mode.


4118

Display the interface state and VLAN membership. user@switch> show ethernet-switching interfaces Ethernet-switching table: 0 entries, 0 learned



user@switch> show ethernet-switching interfaces Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked ge-0/0/1.0 down employee unblocked ge-0/0/2.0 down employee unblocked ge-0/0/12.0 down default unblocked ge-0/0/13.0 down default unblocked ge-0/0/13.0 down vlan100 unblocked ge-0/0/14.0 up voice unblocked data unblocked ge-0/0/17.0 down employee unblocked ge-0/0/23.0 down default unblocked ge-0/0/24.0 down data unblocked employee unblocked vlan100 unblocked voice unblocked

Meaning

The field VLAN members shows that the ge-0/0/14.0 interface supports both the data VLAN and the voice VLAN. The State field shows that the interface is up.

Verifying That DHCP Snooping and IP Source Guard Are Working on the Data VLAN Purpose

Action

Verify that DHCP snooping and IP source guard are enabled and working on the data VLAN. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases: user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) Type

VLAN

Interface

00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81

employee employee employee employee

ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0

192.0.2.17 192.0.2.18 192.0.2.19 192.0.2.20

600 653 720 932

00:30:48:92:A5:9D vlan100 ge-0/0/13.0 00:30:48:8D:01:3D 10.10.10.9 720 00:30:48:8D:01:5D 10.10.10.8 1230 00:11:11:11:11:11 11.1.1.1 — 00:05:85:27:32:88 192.0.2.22 — 00:05:85:27:32:89 192.0.2.23 — 00:05:85:27:32:90 192.0.2.27 —

dynamic dynamic dynamic dynamic 10.10.10.7 dynamic dynamic static static static static

720 data voice data employee employee employee

dynamic ge-0/0/14.0 ge-0/0/14.0 ge-0/0/14.0 ge-0/0/17.0 ge-0/0/17.0 ge-0/0/17.0

View the IP source guard information for the data VLAN.


4119

®


Meaning

user@switch> show ip-source-guard IP source guard information: Interface Tag IP Address MAC Address

VLAN

ge-0/0/13.0

0

10.10.10.7

00:30:48:92:A5:9D

vlan100

ge-0/0/14.0 ge-0/0/14.0

0 0

10.10.10.9 11.1.1.1

00:30:48:8D:01:3D 00:11:11:11:11:11

data data

ge–0/0/13.0

100

*

*

voice

When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see the preceding sample output for show dhcp snooping binding) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. Statically configured entries never expire. The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output.


•


•


•


•


Example: Setting Up DHCP Option 82 with a Switch as a Relay Agent Between Clients and a DHCP Server You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. This example describes how to configure DHCP option 82 on a switch that is on the same VLAN with the DHCP clients but on a different VLAN from the DHCP server. in this example, the switch acts as a relay agent:

4120

•


•


•





One EX4200-24P switch or one QFX3500 switch

•


•


Before you configure DHCP option 82 on the switch, be sure you have: •

Connected and configured the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If it is not configured for DHCP option 82, it does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

•

Configured the employee VLAN on the switch and associated the interfaces on which the clients connect to the switch with that VLAN. See the task for your platform: •


•


•

Configured the corporate VLAN for the DHCP server.

•

Configured the switch as a BOOTP relay agent. See “DHCP/BOOTP Relay for EX Series Switches Overview” on page 659.

•

Configured the routed VLAN interface (RVI) to allow the switch to relay packets to the server and receive packets from the server. See “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223 or Configuring Routed VLAN Interfaces for the QFX Series.

Overview and Topology If DHCP option 82 is enabled on the switch, then when a network device—a DHCP client—that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request (in this setting, it relays the request) to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to implement the IP address or other parameter for the client. When option 82 is enabled on the switch, then this sequence of events occurs when a DHCP client sends a DHCP request: 1.


2. The switch relays the request to the DHCP server.


4121

®


3. The server uses the DHCP option 82 information to formulate its reply and sends a


In this example, you configure option 82 on the switch. The switch is configured as a BOOTP relay agent. The switch connects to the DHCP server through the routed VLAN interface (RVI) that you configured. The switch and clients are members of the employee VLAN. The DHCP server is a member of the corporate VLAN.

Configuration To configure DHCP option 82: CLI Quick Configuration

To quickly configure DHCP option 82, copy the following commands and paste them into the switch terminal window: set forwarding-options helpers bootp dhcp-option82 set forwarding-options helpers bootp dhcp-option82 circuit-id prefix hostname set forwarding-options helpers bootp dhcp-option82 circuit-id use-vlan-id set forwarding-options helpers bootp dhcp-option82 remote-id set forwarding-options helpers bootp dhcp-option82 remote-id prefix mac set forwarding-options helpers bootp dhcp-option82 remote-id use-string employee-switch1 set forwarding-options helpers bootp dhcp-option82 vendor-id


To configure DHCP option 82: 1.

Specify DHCP option 82 for the employee VLAN: [edit forwarding-options helpers bootp] user@switch# set dhcp-option82

2.

Configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id prefix hostname

3.

Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id use-vlan-id

4.

Specify that the remote ID suboption be included in the DHCP option 82 information: [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id

5.

Configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id prefix mac

6.

Specify that the remote ID suboption value contains a character string (here, the string is employee-switch1): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id use-string employee-switch1

7.

4122

Configure a vendor ID suboption value, and use the default value. To use the default value, do not type a character string after the vendor-id option keyword:



[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 vendor-id

Results

Check the results of the configuration: [edit forwarding-options helpers bootp] user@switch# show dhcp-option82 { circuit-id { prefix hostname; use-vlan-id; } remote-id { prefix mac; use-string employee-switch1; } vendor-id; }


•


•


•

RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

•

forwarding-options

Example: Setting Up DHCP Option 82 with a Switch with No Relay Agent Between Clients and a DHCP Server You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. This example describes how to configure DHCP option 82 on a switch with DHCP clients, DHCP server, and switch all on the same VLAN: •


•


•




•



4123

®


•


Before you configure DHCP option 82 on the switch, be sure you have: •

Connected and configured the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If it is not configured for DHCP option 82, it does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

•

Configured the employee VLAN on the switch and associated the interfaces on which the clients and the server connect to the switch with that VLAN. See the task for your platform: •


•


Overview and Topology If DHCP option 82 is enabled on the switch, then when a network device—a DHCP client—that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to implement the IP address or other parameter for the client. DHCP option 82 is enabled on an individual VLAN or on all VLANs on the switch. When option 82 is enabled on the switch, then this sequence of events occurs when a DHCP client sends a DHCP request: 1.


2. The switch forwards the request to the DHCP server. 3. The server uses the DHCP option 82 information to formulate its reply and sends a


Figure 123 on page 4125 illustrates the topology for this example.

4124



Figure 123: Network Topology for Configuring DHCP Option 82 on a Switch That Is on the Same VLAN as the DHCP Clients and the DHCP Server

In this example, you configure DHCP option 82 on the switch. The switch connects to the DHCP server on interface ge-0/0/8. The DHCP clients connect to the switch on interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3. The switch, server, and clients are all members of the employee VLAN.


To quickly configure DHCP option 82, copy the following commands and paste them into the switch terminal window: set ethernet-switching-options secure-access-port vlan employee dhcp-option82 set ethernet-switching-options secure-access-port vlan employee dhcp-option82 circuit-id prefix hostname set ethernet-switching-options secure-access-port vlan employee dhcp-option82 circuit-id use-vlan-id set ethernet-switching-options secure-access-port vlan employee dhcp-option82 remote-id set ethernet-switching-options secure-access-port vlan employee dhcp-option82 remote-id prefix mac set ethernet-switching-options secure-access-port vlan employee dhcp-option82 remote-id use-string employee-switch1 set ethernet-switching-options secure-access-port vlan employee dhcp-option82 vendor-id


To configure DHCP option 82: 1.

Specify DHCP option 82 for the employee VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82

2.

Configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch): [edit ethernet-switching-options secure-access-port]


4125

®


user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname 3.

Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id

4.

Specify that the remote ID suboption be included in the DHCP option 82 information: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id

5.

Configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix mac

6.

Specify that the remote ID suboption value contain a character string (here, the string is employee-switch1): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id use-string employee-switch1

7.

Configure a vendor ID suboption value, and use the default value. To use the default value, do not type a character string after the vendor-id option keyword: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 vendor-id

Results

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show vlan employee { dhcp-option82 { circuit-id { prefix hostname; use-vlan-id; } remote-id { prefix mac; use-string employee-switch1; } vendor-id; } }


4126

•


•


•


•


•

secure-access-port



Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic On EX Series switches you might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay and you might also need the port security features of DHCP snooping and dynamic ARP inspection (DAI) on the same ports through which those critical packets are entering and leaving. You can combine the advantages of both these features by using CoS forwarding classes and queues to prioritize snooped and inspected packets. This type of configuration places the snooped and inspected packets in the desired egress queue, ensuring that the security procedure does not interfere with the transmittal of this high-priority traffic. This is especially important for traffic that is sensitive to jitter and delay, such as voice traffic. This example shows how to configure the switch to prioritize snooped and inspected packets in heavy network traffic. •


•


•


•




•


•


Before you specify CoS forwarding classes for snooped and inspected packets, be sure you have: •


•

Configured the VLAN VLAN200 on the switch. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

•

Configured two interfaces, ge-0/0/1 and ge-0/0/8, to belong to VLAN200.

Overview and Topology Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices. To protect the devices from such attacks, you can configure DHCP snooping to validate DHCP server messages and DAI to protect against MAC spoofing. If you have to deal with periods of heavy network congestion and you want to ensure that sensitive traffic is not disrupted, you can combine the port security features with CoS forwarding classes to prioritize the handling of the snooped and inspected security packets.


4127

®


In the default switch configuration: •


•

DHCP snooping and DAI are disabled on all VLANs.

•

All access ports are untrusted and all trunk ports are trusted for DHCP snooping.

This example shows how to combine the DHCP snooping and DAI security features with prioritized forwarding of snooped and inspected packets. The setup for this example includes the VLAN VLAN200 on the switch. Figure 124 on page 4128 illustrates the topology for this example.

Figure 124: Network Topology for Using CoS Forwarding Classes to Prioritize Snooped and Inspected Packets


Table 444: Components of the Topology for Using CoS Forwarding Classes to Prioritize Snooped and Inspected Packets Properties

Settings

Switch hardware

EX Series switch

VLAN name

VLAN200

Interfaces in VLAN200

ge-0/0/1,ge-0/0/2,ge-0/0/3,ge-0/0/8


ge-0/0/8

4128



In the configuration tasks for this example, you create a user-defined forwarding class c1, you enable DHCP snooping and DAI on VLAN200, and you assign the snooped and inspected packets to forwarding class c1 and queue 6. Queues 6 and 7 are reserved for high priority, control packets. The packets that are subjected to DHCP snooping and DAI are control (not data) packets; therefore, it is appropriate to place these snooped and inspected high-priority control packets in queue 6. (Queue 7 is higher priority than queue 6 and can also be used for this purpose.)

Configuration To configure DHCP snooping and DAI on VLAN200, and to prioritize the snooped and inspected packets: CLI Quick Configuration

To quickly configure DHCP snooping and DAI with prioritized forwarding of snooped and inspected packets, copy the following commands and paste them into the switch terminal window: [edit] set class-of-service forwarding-classes class c1 queue 6 set ethernet-switching-options security-access-port vlan VLAN200 examine-dhcp forwarding-class c1 set ethernet-switching-options security-access-port vlan VLAN200 arp-inspection forwarding-class c1


Configure DHCP and DAI with prioritized forwarding of snooped and inspected packets: 1.

Create a user-defined forwarding class to be used for prioritizing the snooped and inspected packets. [edit class-of-service] user@switch# set forwarding-classes class c1 queue 6

2.

Enable DHCP snooping on the VLAN and apply forwarding class c1 to the snooped packets: [edit ethernet-switching-options secure-access-port] user@switch# set vlan VLAN200 examine-dhcp forwarding-class c1

3.

Enable DAI on the VLAN and apply forwarding class c1 to the inspected packets: [edit ethernet-switching-options secure-access-port] user@switch# set vlan VLAN200 arp-inspection forwarding-class c1

Check the results of the configuration: [edit ethernet-switching-options secure-access-port] user@switch# show vlan VLAN200 { arp-inspection forwarding-class c1; examine-dhcp forwarding-class c1; } [edit class-of-service] user@switch# show } forwarding-classes { class c1 queue-num 6; }


4129

®



Verifying That Prioritized Forwarding Is Working Correctly on the Snooped Packets on page 4130

•

Verifying That Prioritized Forwarding Is Working Correctly on the DAI Inspected Packets on page 4130

Verifying That Prioritized Forwarding Is Working Correctly on the Snooped Packets Purpose Action

Verify that prioritized forwarding is working on the DHCP snooped packets. Send some DHCP requests from network devices to the switch. Display the output queue for one of the interfaces in VLAN200 to make sure that the packets are being transmitted in the designated queue: user@switch> show interfaces ge- 0/0/1 extensive Egress queues: 8 supported, 5 in use Queue counters: Queued packets Transmitted packets 0 best-effort 0 0 1 assured-forw 0 0 5 expedited-fo 0 0 6 c1 0 3209 7 network-cont 0 126371

Meaning

Dropped packets 0 0 0 0 0

The command output shows that packets have been transmitted on forwarding class c1 queue 6. Continue testing by changing the setting of examine-dhcp forwarding-class to use one of the default queues, such as best-effort, and repeat the show interfaces command to compare the difference in the output. You can tell that the setting is working correctly by seeing the difference in the number of transmitted packets reported for forwarding class c1 queue 6.

Verifying That Prioritized Forwarding Is Working Correctly on the DAI Inspected Packets Purpose Action

Verify that prioritized forwarding is working on the DAI inspected packets. Send some ARP requests from network devices to the switch. Display the output queue for one of the interfaces in VLAN200 to make sure that the packets are being transmitted in the designated queue: user@switch> show interfaces ge-0/0/1 extensive Egress queues: 8 supported, 5 in use Queue counters: Queued packets Transmitted packets 0 best-effort 0 0 1 assured-forw 0 0 5 expedited-fo 0 0 6 c1 0 3209 7 network-cont 0 126371

4130

Dropped packets 0 0 0 0 0



Meaning

The command output shows that packets have been transmitted on forwarding class c1 queue 6. Continue testing by changing the setting of arp-inspection forwarding-class to use one of the default queues, such as best-effort, and repeat the show interfaces command to compare the difference in the output. You can tell that the setting is working correctly by seeing the difference in the number of transmitted packets reported for forwarding class c1 queue 6.


•



4131

®


4132


CHAPTER 106

Configuring Port Security •


•


•


•


•


•


•


•


•


•


•


•

Configuring MAC Move Limiting (J-Web Procedure) on page 4152

•

Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 4153

•


•

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 4156

•


•


•


•


Configuring Port Security (CLI Procedure) Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Port security features such as DHCP snooping, DAI (dynamic ARP inspection), MAC limiting, MAC move limiting, and persistent MAC learning,


4133

®


as well as trusted DHCP server, help protect the access ports on the switch against the losses of information and productivity that can result from such attacks. Depending on the particular feature, you can configure the port security feature either on: •

VLANs—A specific VLAN or all VLANs

•

Interfaces—A specific interface or all interfaces

NOTE: If you configure one of the port security features on all VLANs or all interfaces, the switch software enables that port security feature on all VLANs and all interfaces that are not explicitly configured with other port security features. However, if you do explicitly configure one of the port security features on a specific VLAN or on a specific interface, you must explicitly configure any additional port security features that you want to apply to that VLAN or interface. Otherwise, the switch software automatically applies the default values for the feature. For example, if you enable DHCP snooping on all VLANs and decide to explicitly enable IP source guard only on a specific VLAN, you must also explicitly enable DHCP snooping on that specific VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.

To configure port security features using the CLI: •

Enabling DHCP Snooping on page 4134

•

Enabling Dynamic ARP Inspection (DAI) on page 4135

•

Limiting Dynamic MAC Addresses on an Interface on page 4135

•

Enabling Persistent MAC Learning on an Interface on page 4135

•

Limiting MAC Address Movement on page 4135

•

Configuring Trusted DHCP Servers on an Interface on page 4136

Enabling DHCP Snooping You can configure DHCP snooping to allow the device to monitor DHCP messages received, ensure that hosts only use the IP addresses assigned to them, and allow access only to authorized DHCP servers. To enable DHCP snooping: •

On a specific VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan default examine-dhcp

•

On all VLANs: [edit ethernet-switching-options secure-access-port]

4134


Chapter 106: Configuring Port Security

user@switch# set vlan all examine-dhcp

Enabling Dynamic ARP Inspection (DAI) You can enable DAI to protect against ARP snooping. To enable DAI: •

On a single VLAN (here, the VLAN is employee-vlan): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan arp-inspection

•

On all VLANs: [edit ethernet-switching-options secure-access-port] user@switch# set vlan all arp-inspection

Limiting Dynamic MAC Addresses on an Interface Limit the number of dynamic MAC addresses allowed on an interface and specify the action to take if the limit is exceeded—for example, set a MAC limit of 5 with an action of drop: •

On a single interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit 5 action drop

•

On all interfaces: [edit ethernet-switching-options secure-access-port] user@switch# set interface all mac-limit 5 action drop

You can also specify the actions log (do not drop the packet but generate an alarm, an SNMP trap, or a system log entry), none (no action), or shutdown (disable the interface and generate an alarm) to occur if the number of dynamic MAC addresses is exceeded.

Enabling Persistent MAC Learning on an Interface You can configure learned MAC addresses to persist on an interface across restarts of the switch: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 persistent-learning

Limiting MAC Address Movement You can limit the number of times a MAC address can move from its original interface in 1 second—for example, set a MAC move limit of 5 with an action of drop if the limit is exceeded: •

On a single VLAN (here, the VLAN is employee-vlan): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan mac-move-limit 5 action drop

•

On all VLANs: [edit ethernet-switching-options secure-access-port] user@switch# set vlan all mac-move-limit 5 action drop


4135

®


You can also specify the actions log (do not drop the packet but generate an alarm, an SNMP trap, or a system log entry), none (no action), or shutdown (disable the interface or VLAN and generate an alarm) to occur if the MAC address moves more than the specified number of times in 1 second.

Configuring Trusted DHCP Servers on an Interface Configure a trusted DHCP server on an interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 dhcp-trusted


•


•


•


•


•

Monitoring Port Security on page 4165

•


•


•

secure-access-port

Configuring Port Security (J-Web Procedure) To configure port security on an EX Series switch using the J-Web interface: 1.

Select Configure > Security > Port Security. The VLAN List table lists all the VLAN names, VLAN identifiers, port members, and port security VLAN features. The Interface List table lists all the ports and indicates whether security features have been enabled on the ports.


2. Click one: •

Edit—Click this option to modify the security features for the selected port or VLAN. Enter information as specified in Table 445 on page 4137 to modify Port Security settings on VLANs.

4136



Enter information as specified in Table 446 on page 4137 to modify Port Security settings on interfaces. •

Activate/Deactivate—Click this option to enable or disable security on the switch.

Table 445: Port Security Settings on VLANs Field

Function

Your Action

Enable DHCP Snooping on VLAN

Allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. Builds and maintains a database of valid IP addresses/MAC address bindings. (By default, access ports are untrusted and trunk ports are trusted.)

Select to enable DHCP snooping on a specified VLAN or all VLANs.

Enable ARP Inspection on VLAN

Uses information in the DHCP snooping database to validate ARP packets on the LAN and protect against ARP cache poisoning.

Select to enable ARP inspection on a specified VLAN or all VLANs. (Configure any port on which you do not want ARP inspection to occur as a trusted DHCP server port.)

MAC Movement

Specifies the number of times per second that a MAC address can move to a new interface.

Enter a number. The default is unlimited.

MAC Movement Action

Specifies the action to be taken if the MAC move limit is exceeded.

Select one:


•

Log—Generate a system log entry, an SNMP trap, or an alarm.

•

Drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm (default).

•

Shutdown—Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring autorecovery from the disabled state and specifying a disable timeout value. See “Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)” on page 4014.

•

None—No action to be taken.

Table 446: Port Security on Interfaces Field

Function

Your Action

Trust DHCP

Specifies trusting DHCP packets on the selected interface. By default, trunk ports are dhcp-trusted.

Select to enable DHCP trust.

MAC Limit

Specifies the number of MAC addresses that can be learned on a single Layer 2 access port. This option is not valid for trunk ports.

Enter a number.


4137

®


Table 446: Port Security on Interfaces (continued) Field

Function

Your Action

MAC Limit Action

Specifies the action to be taken if the MAC limit is exceeded. This option is not valid for trunk ports.

Select one:

Allowed MAC List

Specifies the MAC addresses that are allowed for the interface.

•


•

Drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm. (Default)

•

Shutdown—Shut down the interface and generate an alarm. You can mitigate the effect of this option by configuring autorecovery from the disabled state and specifying a disable timeout value. See “Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)” on page 4014

•

None—No action to be taken.

To add a MAC address: 1.

Click Add.

2. Enter the MAC address. 3. Click OK.


•


•


•


•


Enabling DHCP Snooping (CLI Procedure) DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. It builds and maintains a database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping database.

NOTE: If you configure DHCP snooping for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.

This topic describes:

4138

•

Enabling DHCP Snooping on page 4139

•

Applying CoS Forwarding Classes to Prioritize Snooped Packets on page 4139



Enabling DHCP Snooping You configure DHCP snooping per VLAN, not per interface (port). By default, DHCP snooping is disabled for all VLANs. You can enable DHCP snooping on all VLANs or on specific VLANs. To enable DHCP snooping on a VLAN or all VLANs: •

On a specific VLAN: [edit ethernet-switching-options secure-access port] user@switch# set vlan vlan-name examine-dhcp

•

On all VLANs: [edit ethernet-switching-options secure-access port] user@switch# set vlan all examine-dhcp

TIP: By default, the IP-MAC bindings are lost when the switch is rebooted and DHCP clients (the network devices, or hosts) must reacquire bindings. However, you can configure the bindings to persist by setting the dhcp-snooping-file statement to store the database file either locally or remotely.


Applying CoS Forwarding Classes to Prioritize Snooped Packets On EX Series switches you might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay and you might also need the port security features of DHCP snooping on the same ports through which those critical packets are entering and leaving.

NOTE: This is not supported on the QFX Series switch.

To apply CoS forwarding classes and queues to snooped packets: 1.

Create a user-defined forwarding class to be used for prioritizing snooped packets: [edit class-of-service] user@switch# set forwarding-classes class class-name queue queue-number

2. Enable DHCP snooping on a specific VLAN or on all VLANs and apply the desired

forwarding class on the snooped packets: •

On a specific VLAN: [edit ethernet-switching-options secure-access port] user@switch# set vlan vlan-name examine-dhcp forwarding-class class-name


4139

®


•

On all VLANs: [edit ethernet-switching-options secure-access port] user@switch# set vlan all examine-dhcp forwarding-class class-name


•


•


•


•


•


•

Verifying That DHCP Snooping Is Working Correctly on page 4166

•


•


•

class-of-service

•


•

secure-access-port

Enabling DHCP Snooping (J-Web Procedure) DHCP snooping allows the EX Series switch to monitor and control DHCP messages received from untrusted devices connected to the switch. It builds and maintains a database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping database. You configure DHCP snooping for each VLAN, not for each interface (port). By default, DHCP snooping is disabled for all VLANs. To enable DHCP snooping on one or more VLANs by using the J-Web interface: 1.

Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN list. 3. Click the Edit button. If a message appears asking if you want to enable port security,

click Yes. 4. Select the Enable DHCP Snooping on VLAN check box and then click OK. 5. Click OK after the command has been successfully delivered.

4140



NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), the message asking if you want to enable port security appears.


•


•


•


•


•


•


•


Enabling a Trusted DHCP Server (CLI Procedure) You can configure any interface on a switch that connects to a DHCP server as a trusted interface (port). Configuring a DHCP server on a trusted interface protects against rogue DHCP servers sending leases. You configure a trusted DHCP server on an interface, not on a VLAN. By default, all access interfaces are untrusted, and all trunk interfaces are trusted. To configure a trusted interface for a DHCP server by using the CLI (here, the interface is ge-0/0/8): [edit ethernet-switching-options secure-access port] user@switch# set interface ge-0/0/8 dhcp-trusted


•


•


•


•

Verifying That a Trusted DHCP Server Is Working Correctly on page 4167

•


•


•


•

secure-access-port


4141

®


Enabling a Trusted DHCP Server (J-Web Procedure) You can configure any interface on the EX Series switch that connects to a DHCP server as a trusted interface (port). Configuring a DHCP server on a trusted interface protects against rogue DHCP servers sending leases. You configure a trusted DHCP server on an interface, not on a VLAN. By default, all access interfaces are untrusted and all trunk interfaces are trusted. To enable a trusted DHCP server on one or more interfaces by using the J-Web interface: 1.


2. Select one or more interfaces from the Port list. 3. Click the Edit button. If a message appears asking if you want to enable port security,

click Yes. 4. Select the Trust DHCP check box and then click OK. 5. Click OK after the command has been successfully delivered.



•


•


•


•


•


•


Enabling Dynamic ARP Inspection (CLI Procedure) Dynamic ARP inspection (DAI) protects switches against ARP spoofing. DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP cache poisoning. This topic describes:

4142

•

Enabling DAI on page 4143

•

Applying CoS Forwarding Classes to Prioritize Inspected Packets on page 4143



Enabling DAI You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. To enable DAI on a VLAN or all VLANs: •

On a single VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name arp-inspection

•

On all VLANs: [edit ethernet-switching-options secure-access-port] user@switch# set vlan all arp-inspection

Applying CoS Forwarding Classes to Prioritize Inspected Packets You might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay and you might also need the port security features of DHCP snooping on the same ports through which those critical packets are entering and leaving. To apply CoS forwarding classes and queues to DAI packets: 1.

Create a user-defined forwarding class to be used for prioritizing DAI packets: [edit class-of-service] user@switch# set forwarding-classes class class-name queue queue-number

2. Enable DAI on a specific VLAN or on all VLANs and apply the desired forwarding class

on the DAI packets: •

On a specific VLAN: [edit ethernet-switching-options secure-access port] user@switch# set vlan vlan-name arp-inspection forwarding-class class-name

•

On all VLANs: [edit ethernet-switching-options secure-access port] user@switch# set vlan all arp-inspection forwarding-class class-name


•


•


•


•


•


•

Verifying That DAI Is Working Correctly on page 4168

•



4143

®


•


•


•

class-of-service

•


•

secure-access-port

Enabling Dynamic ARP Inspection (J-Web Procedure) Dynamic ARP inspection (DAI) protects EX Series switches against ARP spoofing. DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP cache poisoning. You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. To enable DAI on one or more VLANs by using the J-Web interface: 1.


2. Select one or more VLANs from the VLAN list. 3. Click the Edit button. If a message appears asking if you want to enable port security,

click Yes. 4. Select the Enable ARP Inspection on VLAN check box and then click OK. 5. Click OK after the command has been successfully delivered.



4144

•


•


•


•


•


•


•




Configuring MAC Limiting (CLI Procedure) MAC limiting restricts the MAC addresses that can be learned and added to the MAC address forwarding table. You can impose a limit on either a single Layer 2 access interface, on all the Layer 2 access interfaces on the switch, or on a specific VLAN. There are two ways you can limit the MAC addresses added to the MAC address forwarding table: •

Limit the number of MAC addresses added to the table—Configure the maximum number of dynamic MAC addresses that can be added to the MAC address forwarding table. This limit can be set either for the entire switch, for one interface, or for one VLAN. When this limit is exceeded, incoming packets with new MAC addresses are either dropped, logged, ignored, or the interface is shut down. Note that only learned MAC addresses, not static MAC addresses, count toward the limit you specify for dynamic MAC addresses.

•

Allow only named MAC addresses to be added to the table—Configure specific “allowed” MAC addresses for an access interface. Any MAC address that is not in the list of configured addresses is not learned and the switch logs a corresponding message. Using this allowed MAC option binds MAC addresses to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

NOTE: If you do not want the switch to log messages received for invalid MAC addresses, disable that logging using the command no-allowed-mac-log .

When the configured limit of MAC addresses is exceeded, any one of the following actions can be performed : •




entry. •


•

shutdown—Disable the interface or VLAN and generate an alarm. If you have configured

the switch with the port-error-disable statement, the disabled interface (or VLAN) recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces or VLAN using the command clear ethernet-switching port-error . To configure MAC limiting, using the CLI: 1.

Limit the number of dynamic MAC addresses to5.


4145

®


Because no action is specified, the switch performs the default action drop if the limit is exceeded: •

Limit a single interface (here, the interface is ge-0/0/1): [edit ethernet-switching-options secure-access-port] user@switch# set interface ge–0/0/1 mac-limit (Access Port Security) 5

•

Limit all interfaces: [edit ethernet-switching-options secure-access-port] user@switch# set interface all mac–limit 5

•

Limit a specific VLAN: [edit vlans] user@switch# set vlan-abc mac–limit 20

NOTE: Do not set the mac-limit to 1. The first learned MAC address is often inserted into the forwarding database automatically (for instance, for Routed VLAN Interfaces the first MAC address inserted into the forwarding database is the MAC address of the RVI. For Aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding database in the forwarding table is the source address of the protocol packet). The switch will therefore not learn MAC addresses other than the automatic addresses when the mac-limit is set to 1, and this will cause problems with MAC learning and forwarding.

NOTE: You must clear existing entries in the MAC address forwarding table that correspond to the change you make with the command mac-limit. For example, if you change the limit on an interface, clear the MAC address forwarding table entries for that interface. If you change the limit on all interfaces and VLANs, clear all MAC address forwarding table entries. If you change the limit on a VLAN, clear the MAC address forwarding table entries for that VLAN. This action is performed in the next step.

2. Clear the current MAC address forwarding table entries for the MAC limited entity,

either the interface, all entries, or a VLAN : •

Clear MAC address entries from a specific interface (here, the interface is ge-0/0/1) in the forwarding table: user@switch# clear ethernet-switching-table interface ge-0/0/1

•

Clear all MAC address entries in the forwarding table: user@switch# clear ethernet-switching-table

•

Clear MAC address entries from a specific VLAN (here, the VLAN is vlan-abc) in the forwarding table: user@switch1# clear ethernet-switching-table vlan vlan-abc

3. Specify specific allowed MAC addresses:

4146



•

On a single interface (here, the interface is ge-0/0/2): [edit ethernet-switching-options secure-access-port] user@switch# set interface ge–0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge–0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge–0/0/2 allowed-mac 00:05:85:3A:82:83

•

On all interfaces: [edit ethernet-switching-options secure-access-port] user@switch# set interface all allowed-mac 00:05:85:3A:82:80 user@switch# set interface all allowed-mac 00:05:85:3A:82:81 user@switch# set interface all allowed-mac 00:05:85:3A:82:83


•


•


•

Verifying That MAC Limiting Is Working Correctly on page 4169

•


•


•


•

no-allowed-mac-log on page 4202

Configuring MAC Limiting (J-Web Procedure) MAC limiting protects against flooding of the Ethernet switching table on an EX Series switch. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port). Junos OS provides two MAC limiting methods: •

Maximum number of dynamic MAC addresses allowed per interface—If the limit is exceeded, incoming packets with new MAC addresses are dropped.

•

Specific “allowed” MAC addresses for the access interface—Any MAC address that is not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. You can specify the maximum number of dynamic MAC addresses that can be learned on a single Layer 2 access interface or on all Layer 2 access interfaces. The default action that the switch will take if that maximum number is exceeded is drop—drop the packet and generate an alarm, an SNMP trap, or a system log entry. To enable MAC limiting on one or more interfaces using the J-Web interface: 1.


2. Select one or more interfaces from the Interface List.


4147

®


3. Click the Edit button. If a message appears asking whether you want to enable port

security, click Yes. 4. To set a dynamic MAC limit: 1.

Type a limit value in the MAC Limit box.

2. Select an action from the MAC Limit Action box (optional). The switch takes this

action when the MAC limit is exceeded. If you do not select an action, the switch applies the default action, drop. •


•


•

Shutdown—Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value. See “Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)” on page 4014. If you have not configured autorecovery from the disabled state, you can bring up the interfaces by running the clear ethernet-switching port-error command.

•

None— No action to be taken.

5. To add allowed MAC addresses: 1.

Click Add.

2. Type the allowed MAC address and click OK.

Repeat this step to add more allowed MAC addresses. 6. Click OK when you have finished setting MAC limits. 7. Click OK after the configuration has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), a message asking whether you want to enable port security appears.


4148

•


•


•


•




•


•


•



4149

®


Configuring MAC Move Limiting (CLI Procedure) When MAC move limiting is configured, MAC address movements are tracked by the switch and, if a MAC address changes more than the configured number of times within 1 second, the changes to MAC addresses are dropped, logged, ignored, or the interface is shut down.

NOTE: Although you enable this feature on VLANs, the MAC move limitation pertains to the number of movements for each individual MAC address rather than the total number of MAC address moves in the VLAN. For example, If the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as the same MAC address does not change more than once.

You configure MAC move limiting per VLAN, not per interface (port). In the default configuration, the number of MAC moves permitted is unlimited. You can choose to have one of the following actions performed when the MAC move limit is exceeded: •




entry. •


•

shutdown—Disable the interfaces in the VLAN and generate an alarm. If you have

configured the switch with the port-error-disable statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.

4150



To configure a MAC move limit for MAC addresses within a specific VLAN or for MAC addresses within all VLANs, using the CLI: •

On a single VLAN: To limit the number of MAC address movements that can be made by an individual MAC address within the VLAN employee-vlan, set a MAC move limit of 5: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan mac-move-limit 5

The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within the employee-vlan has moved more than 5 times within one second. •

On all VLANs: To limit the number of MAC movements that can be made by individual MAC addresses within all VLANs, set a MAC move limit of 5: [edit ethernet-switching-options secure-access-port] user@switch# set vlan all mac-move-limit 5

The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within any of the VLANs has moved more than 5 times within 1 second. Related Documentation

•


•


•

Verifying That MAC Move Limiting Is Working Correctly on page 4173

•


•


•


•

Understanding MAC Limiting and MAC Move Limiting for Port Security

•


•


•

port-error-disable

•

port-error-disable

•


•

secure-access-port


4151

®


Configuring MAC Move Limiting (J-Web Procedure) MAC move limiting detects MAC address movement and MAC address spoofing on access ports. MAC address movements are tracked, and if a MAC address moves more than the configured number of times within one second, the configured (or default) action is performed. You enable this feature on VLANs.

NOTE: Although you enable this feature on VLANs, the MAC move limitation pertains to the number of movements for each individual MAC address rather than the total number of MAC address moves in the VLAN. For example, If the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as the same MAC address does not move more than once.

In the default configuration, the MAC move limit within each VLAN is unlimited; the default action that the switch will take if the specified MAC move limit is exceeded is drop. To enable MAC move limiting for MAC addresses within one or more VLANs by using the J-Web interface: 1.


2. Select one or more VLANs from the VLAN List. 3. Click the Edit button. If a message appears asking whether you want to enable port

security, click Yes. 4. To set a MAC move limit: 1.

Type a limit value in the MAC Movement box.

2. Select an action from the MAC Movement Action box (optional). The switch takes

this action when an individual MAC address exceeds the MAC move limit. If you do not select an action, the switch applies the default action, drop. Select one:

4152

•


•


•

Shutdown—Shut down the VLAN and generate an alarm. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value. See “Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)” on page 4014. If you have not configured autorecovery from the disabled state, you can bring up the interfaces by running the clear ethernet-switching port-error command.

•

None— No action to be taken.



3. Click OK. 5. Click OK after the configuration has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs, a message asking whether you want to enable port security appears.


•


•


•


•


•


Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) If you set a MAC limit in your port security settings to apply to all interfaces on the EX Series switch, you can override that setting for a particular interface by specifying action none. To use the none action to override a MAC limit setting: 1.

Set the MAC limit—for example, a limit of 5 with action drop: [edit ethernet-switching-options secure-access-port] user@switch# set interface all mac-limit (Access Port Security) 5 action drop

2. Then change the action for one interface (here, ge-0/0/2) with this command. You

don't need to specify a limit value. [edit ethernet-switching-options secure-access-port] user@switch# set interface ge–0/0/2 mac-limit action none


•


•


•


•



4153

®


Configuring IP Source Guard (CLI Procedure) You can use the IP source guard access port security feature on EX Series switches to mitigate the effects of source IP address spoofing and source MAC address spoofing. If IP source guard determines that a host connected to an access interface has sent a packet with an invalid source IP address or source MAC address in the packet header, it ensures that the switch does not forward the packet—that is, the packet is discarded. You enable the IP source guard feature on VLANs. You can enable it on a specific VLAN, on all VLANs, or on a VLAN range.

NOTE: IP source guard applies only to access interfaces and only to untrusted interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or an interface set to dhcp-trusted, the CLI shows an error when you try to commit the configuration.

NOTE: You can use IP source guard together with 802.1X user authentication in single supplicant, single-secure supplicant or multiple supplicant mode. If you are implementing 801.X user authentication in single-secure supplicant or multiple supplicant mode, use the following configuration guidelines: •


•


Before you configure IP source guard, be sure that you have: Explicitly enabled DHCP snooping on the specific VLAN or specific VLANs on which you will configure IP source guard. See “Enabling DHCP Snooping (CLI Procedure)” on page 4138. If you configure IP source guard on specific VLANs rather than on all VLANs, you must also enable DHCP snooping explcitly on those VLANs. Otherwise, the default value of no DHCP snooping applies to that VLAN.

4154



To enable IP source guard on a VLAN, all VLANs, or a VLAN range (a series of tagged VLANs) by using the CLI:

NOTE: Replace values displayed in italics with values for your configuration.

•

On a specific VLAN: [edit ethernet-switching-options secure-access port] user@switch#set vlan default ip-source-guard

•

On all VLANs: [edit ethernet-switching-options secure-access port] user@switch# set vlan all ip-source-guard

•

On a VLAN range: 1.

Set the VLAN range (the VLAN name is employee): [edit vlans] user@switch# set employeevlan-range 100-101

2. Associate an interface with a VLAN-range number (100 in the following example)

and set the port mode to access: [edit interfaces] user@switch# set ge-0/0/6 unit 0 family ethernet-switching port-mode access vlan members100 3. Enable IP source guard on the VLAN employee: [edit ethernet-switching-options secure-access port] user@switch# set vlan employee ip-source-guard

NOTE: You can use the no-ip-source-guard statement to disable IP source guard for a specific VLAN after you have enabled the feature for all VLANs.

To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt. Related Documentation

•

Verifying That IP Source Guard Is Working Correctly on page 4173

•


•


•



4155

®


Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the DHCP snooping database. These bindings are labeled as “static” in the database, while those bindings that have been added through the process of DHCP snooping are labeled “dynamic.” To configure a static IP address/MAC address binding in the DHCP snooping database (replace ge-0/0/2, 10.0.10.12, data-vlan, and 00:05:85:3A:82:80 with values for your configuration): [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 static-ip 10.0.10.12 vlan data-vlan mac 00:05:85:3A:82:80


4156

•


•


•


•

secure-access-port



Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) You can use DHCP option 82, also known as the DHCP relay agent information option, to help switches against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. You can configure the DHCP option 82 feature in two topologies: •

The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays the clients' requests to the server and then forwards the server's replies to the clients. This topic describes this configuration.

•

The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch forwards the clients' requests to the server and forwards the server's replies to the clients. This configuration is described in “Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)” on page 4159.

Before you configure DHCP option 82 on the switch, perform these tasks: •

Connect and configure the DHCP server.

NOTE: Your DHCP server must be configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

•

Configure the VLAN on the switch and associate the interfaces on which the clients connect to the switch with that VLAN.

•

Configure the routed VLAN interface (RVI) to allow the switch to relay packets to the server and receive packets from the server. See “Configuring Routed VLAN Interfaces (CLI Procedure)” on page 2223 or Configuring Routed VLAN Interfaces for the QFX Series.

•

Configure the switch as a BOOTP relay agent. See “DHCP/BOOTP Relay for EX Series Switches Overview” on page 659.


4157

®


To configure DHCP option 82:


1.

Specify DHCP option 82 for the BOOTP server: •

On all interfaces that connect to the server: [edit forwarding-options helpers bootp] user@switch# set dhcp-option82

•

On a specific interface that connects to the server: [edit forwarding-options helpers bootp] user@switch# set interface ge-0/0/10 dhcp-option82

The remaining steps are optional. They show configurations for all interfaces; include the specific interface designation to configure any of the following options on a specific interface: 2. To configure a prefix for the circuit ID suboption (the prefix is always the hostname

of the switch): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id prefix hostname 3. To specify that the circuit ID suboption value should contain the interface description

rather than the interface name (the default): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id use-interface-description 4. To specify that the circuit ID suboption value should contain the VLAN ID rather than

the VLAN name (the default): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id use-vlan-id 5. To specify that the remote ID suboption be included in the DHCP option 82 information: [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id 6. To configure a prefix for the remote ID suboption (here, the prefix is the MAC address

of the switch): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id prefix mac 7. To specify that the prefix for the remote ID suboption be the hostname of the switch

rather than the MAC address of the switch (the default): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id prefix hostname 8. To specify that the remote ID suboption value should contain the interface description: [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id use-interface-description 9. To specify that the remote ID suboption value should contain a character string: [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id use-string mystring 10. To configure a vendor ID suboption and use the default value (the default value is

Juniper), do not type a character string after the vendor-id option keyword:

4158



[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 vendor-id 11. To specify that the vendor ID suboption value contains a character string value that

you specify rather than Juniper (the default): [edit forwarding-options helpers bootp] user@switch# set dhcp-option82 vendor-id mystring


•


•

[edit forwarding-options] Configuration Statement Hierarchy on EX Series Switches on page 89

•


•


•


Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. You can configure the DHCP option 82 feature in two topologies: •

The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch forwards the clients' requests to the server and forwards the server's replies to the clients. This topic describes this configuration.

•

The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays the clients' requests to the server and then forwards the server's replies to the clients. This configuration is described in “Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure)” on page 4157.

Before you configure DHCP option 82 on the switch, perform these tasks: •

Connect and configure the DHCP server.


4159

®


NOTE: Your DHCP server must be configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

•

Configure a VLAN on the switch and associate the interfaces on which the clients and the server connect to the switch with that VLAN.

To configure DHCP option 82:


1.

Specify DHCP option 82 for all VLANs associated with the switch or for a specified VLAN. (You can also configure the feature for a VLAN range.) •

On a specific VLAN: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82

•

On all VLANs: [edit ethernet-switching-options secure-access-port] user@switch# set vlan all dhcp-option82

The remaining steps are optional. 2. To configure a prefix for the circuit ID suboption (the prefix is always the hostname

of the switch): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname 3. To specify that the circuit ID suboption value should contain the interface description

rather than the interface name (the default): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-interface-description 4. To specify that the circuit ID suboption value should contain the VLAN ID rather than

the VLAN name (the default): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id 5. To specify that the remote ID suboption be included in the DHCP option 82 information: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id 6. To configure a prefix for the remote ID suboption (here, the prefix is the MAC address

of the switch): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix mac 7. To specify that the prefix for the remote ID suboption be the hostname of the switch

rather than the MAC address of the switch (the default): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix hostname

4160



8. To specify that the remote ID suboption value should contain the interface description: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id use-interface-description 9. To specify that the remote ID suboption value should contain a character string: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id use-string mystring 10. To configure a vendor ID suboption and use the default value (the default value is

Juniper), do not type a character string after the vendor-id option keyword: [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 vendor-id 11. To specify that the vendor ID suboption value should contain a character string value

that you specify rather than Juniper (the default): [edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 vendor-id mystring


•


•


•

secure-access-port

•


•


•



4161

®


Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure) An Ethernet switching access interface on an EX Series switch might shut down or be disabled as a result of one of the following port-security or storm-control configurations: •

MAC limiting—mac-limit statement is configured with action shutdown.

•

MAC move limiting—mac-move-limit statement is configured with action shutdown.

•

Storm control—storm-control statement is configured with the action shutdown.

You can configure the switch to automatically restore the disabled interfaces to service after a specified period of time. Autorecovery applies to all the interfaces that have been disabled due to MAC limiting, MAC move limiting, or storm control errors.

NOTE: You must specify the disable timeout value for the interfaces to recover automatically. There is no default disable timeout. If you do not specify a timeout value, you need to use the clear ethernet-switching port-error command to clear the errors and restore the interfaces or the specified interface to service.

To configure autorecovery from the disabled state due to MAC limiting, MAC move limiting, or storm control shutdown actions: [edit ethernet-switching-options] user@switch# set port-error-disable disable-timeout 60


•


•


•


•


•


Configuring Persistent MAC Learning (CLI Procedure) You can configure persistent MAC learning, also known as sticky MAC, to allow dynamically learned MAC addresses to be retained on an interface across restarts of the switch. Persistent MAC address learning is disabled by default. You can enable it to:

4162

•

Help prevent traffic losses for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic after a restart.

•

Protect the switch against security attacks—use persistent MAC learning in combination with MAC limiting to protect against attacks while still avoiding the need to statically



configure MAC addresses. When the initial learning of MAC addresses up to the number specified by the MAC limit is done, new addresses will not be allowed even after a reboot. The port is secured because after the limit has been reached, additional devices cannot connect to the interface. The first devices that send traffic after you connect are learned during the initial connection period. You can monitor the MAC addresses and provide the same level of security as if you statically configured each MAC address on each interface, except with less manual effort. Persistent MAC learning also helps prevent traffic loss for trusted workstations and servers because the interface does not have to relearn the addresses from ingress traffic. To configure persistent MAC learning on an interface and limit the number of allowed MAC addresses: 1.

Enable persistent MAC learning on an interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 persistent-learning

2. Limit the number of dynamic MAC addresses. You can do one of: •

Allow the switch to take the default action (which is drop) regarding packets received on the interface after the limit is reached.

•

Configure an action for the switch to take regarding packets received on the interface after the limit is reached. You can configure any one of the following actions--you can also explicitly configure drop: •

log—Allow the packets but log a message.

•


•

shutdown—Shut down the interface.

[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit (Access Port Security) 5

TIP: If you move a device within your network that has a persistent MAC address entry on the switch, use the clear ethernet-switching table persistent-mac command to clear the persistent MAC-address entry. If you move the device to another port on the switch and do not clear the persistent MAC address from the original port it was learned on, then the new port will not learn the MAC address and the device will not be able to connect. If the original port is down when you move the device, then the new port will learn the MAC address and the device can connect—however, unless you cleared the MAC address on the original port, when that port comes back up, the system reinstalls the persistent MAC address in the forwarding table for that port. If this occurs, the address is removed from the new port and the device loses connectivity.


•



4163

®


4164

•


•



CHAPTER 107

Verifying Port Security •


•


•


•


•


•


•


•

Verifying That the Port Error Disable Setting Is Working Correctly on page 4174

•

Verifying That Persistent MAC Learning Is Working Correctly on page 4175

Monitoring Port Security Purpose

Action

Use the monitoring functionality to view these port security details: •

DHCP snooping database for a VLAN or all VLANs

•

ARP inspection details for all interfaces

To monitor port security in the J-Web interface, select Monitor > Security > Port Security. To monitor and manipulate the DHCP snooping database and ARP inspection statistics in the CLI, enter the following commands: •

show dhcp snooping binding

•

clear dhcp snooping binding—In addition to clearing the whole database, you can clear

database entries for specified VLANs or MAC addresses.

Meaning

•

show arp inspection statistics

•

clear arp inspection statistics

The J-Web Port Security Monitoring page comprises two sections: •

DHCP Snooping—Displays the DHCP snooping database for all the VLANs for which DHCP snooping is enabled. To view the DHCP snooping database for a specific VLAN, select the specific VLAN from the list.


4165

®


•

ARP Inspection—Displays the ARP inspection details for all interfaces. The information includes details of the number of packets that passed ARP inspection and the number of packets that failed the inspection. The pie chart graphically represents these statistics when you select an interface. To view ARP inspection statistics for a specific interface, select the interface from the list.

You have the following options on the page: •

Clear ALL—Clears the DHCP snooping database, either for all VLANs if the option ALL has been selected in the Select VLANs list or for the specific VLAN that has been selected in that list.

•

Clear—Deletes a specific IP address from the DHCP snooping database.

To clear ARP statistics on the page, click Clear All in the ARP Statistics section. Use the CLI commands to show and clear DHCP snooping database and ARP inspection statistics details.


•


•


•


Verifying That DHCP Snooping Is Working Correctly Purpose

Verify that DHCP snooping is working on the switch and that the DHCP snooping database is correctly populated with both dynamic and static bindings.

Action

Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:

Meaning

4166

user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) Type

VLAN

Interface

00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:27:32:88

employee employee employee employee employee data

ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/4.0

192.0.2.17 192.0.2.18 192.0.2.19 192.0.2.20 192.0.2.21 192.0.2.22

600 653 720 932 1230 —

dynamic dynamic dynamic dynamic dynamic static

When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease


Chapter 107: Verifying Port Security

expires. Static IP addresses have no assigned lease time. The statically configured entry never expires. If the DHCP server had been configured as untrusted, no entries would be added to the DHCP snooping database and nothing would be shown in the output of the show dhcp snooping binding command.


•


•


•


•


•


•


•


•


Verifying That a Trusted DHCP Server Is Working Correctly Purpose

Verify that a DHCP trusted server is working on the switch. See what happens when the DHCP server is trusted and then untrusted.

Action

Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases: user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720 00:05:85:3A:82:81 192.0.2.20 932 00:05:85:3A:82:83 192.0.2.21 1230 00:05:85:27:32:88 192.0.2.22 3200

Meaning


VLAN ---employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan


When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires.


4167

®


If the DHCP server had been configured as untrusted, no entries would be added to the DHCP snooping database and nothing would be shown in the output of the show dhcp snooping binding command.


•


•

Enabling a Trusted Port for DHCP

•


•


•


•


•


Verifying That DAI Is Working Correctly Purpose Action

Verify that dynamic ARP inspection (DAI) is working on the switch. Send some ARP requests from network devices connected to the switch. Display the DAI information: user@switch> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ARP inspection failed --------------- ---------------------------------- --------------------ge-0/0/1.0 7 5 2 ge-0/0/2.0 10 10 0 ge-0/0/3.0 12 12 0

Meaning


4168


•


•


•


•


•


•




Verifying That MAC Limiting Is Working Correctly MAC limiting protects against flooding of the Ethernet switching table. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port). Junos OS provides two MAC limiting methods: •

Maximum number of dynamic MAC addresses allowed per interface—When the limit is exceeded, incoming packets with new MAC addresses are dropped.

•

Specific “allowed” MAC addresses for the access interface—Any MAC address that is not in the list of configured addresses is not learned.

To verify MAC limiting configurations: 1.

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly on page 4169

2. Verifying That Allowed MAC Addresses Are Working Correctly on page 4170 3. Verifying Results of Various Action Settings When the MAC Limit Is

Exceeded on page 4170 4. Customizing the Ethernet Switching Table Display to View Information for a Specific

Interface on page 4172

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly Purpose Action

Verify that MAC limiting for dynamic MAC addresses is working on the switch. Display the MAC addresses that have been learned. The following sample output shows the results when two packets were sent from hosts on ge-0/0/1 and five packets requests were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the action drop: user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning

* 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85

Flood Learn Learn Learn Learn Learn Learn

Age

Interfaces

0 0 0 0 0 0

ge-0/0/2.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

The sample output shows that with a MAC limit of 4 for each interface, the packet for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.


4169

®


Verifying That Allowed MAC Addresses Are Working Correctly Purpose Action

Verify that allowed MAC addresses are working on the switch. Display the MAC cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC cache after 5 allowed MAC addresses had been configured on interface ge/0/0/2. In this instance, the interface was also set to a dynamic MAC limit of 4 with action drop. user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning

00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 *

Learn Learn Learn Learn Flood

Age

Interfaces

0 0 0 0 -

ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

Because the MAC limit value for this interface had been set to 4, only four of the five configured allowed addresses were learned and thus added to the MAC cache. Because the fifth address was not learned, an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.

Verifying Results of Various Action Settings When the MAC Limit Is Exceeded Purpose

Action

Verify the results provided by the various action settings for MAC limits—drop, log, none, and shutdown—when the limits are exceeded. Display the results of the various action settings.

NOTE: You can view log messages by using the show log messages command. You can also have the log messages displayed by configuring the monitor start messages with the monitor start messages command.

•

drop action—For MAC limiting configured with a drop action and with the MAC limit

set to 5: user@switch> show ethernet-switching table Ethernet-switching table: 6 entries, 5 learned VLAN MAC address Type employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan •

4170

* 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 00:05:85:3A:82:88

Flood Learn Learn Learn Learn Learn

Age

Interfaces

0 0 0 0 0

ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

log action—For MAC limiting configured with a log action and with MAC limit set to 5:



user@switch> show ethernet-switching table Ethernet-switching table: 74 entries, 73 learned VLAN MAC address Type employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan employee—vlan . . . •

* 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:82 00:05:85:3A:82:83 00:05:85:3A:82:84 00:05:85:3A:82:85 00:05:85:3A:82:87 00:05:85:3A:82:88

Flood Learn Learn Learn Learn Learn Learn Learn Learn

Age

Interfaces

0 0 0 0 0 0 0 0

ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

shutdown action—For MAC limiting configured with a shutdown action and with MAC

limit set to 3: user@switch> show ethernet-switching table Ethernet-switching table: 4 entries, 3 learned VLAN MAC address Type employee—vlan employee—vlan employee—vlan employee—vlan •

* 00:05:85:3A:82:82 00:05:85:3A:82:84 00:05:85:3A:82:87

Flood Learn Learn Learn

Age

Interfaces

0 0 0

ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

none action—If you set a MAC limit to apply to all interfaces on the switch, you can

override that setting for a particular interface by specifying this action for that interface. See “Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure)” on page 4153. Meaning

For the drop action results—The sixth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only five MAC addresses have been learned on ge-0/0/2. For the log action results—The sixth MAC address exceeded the MAC limit. No MAC addresses were blocked. For the shutdown action results—The fourth MAC address exceeded the MAC limit. Only three MAC addresses have been learned on ge-0/0/2. The interface ge-0/0/1 is shut down. For more information about interfaces that have been shut down, use the show ethernet-switching interfaces command. user@switch> show ethernet-switching interfaces Interface State VLAN members Tag

Tagging

bme0.32770

down

mgmt

untagged unblocked

ge-1/0/0.0

down

v1

untagged MAC limit exceeded

ge-1/0/1.0

up

v1

untagged unblocked

ge-1/0/2.0

up

v1

untagged unblocked


Blocking

4171

®


me0.0

up

mgmt

untagged unblocked

NOTE: You can configure the switch to recover automatically from this type of error condition by specifying the port-error-disable statement with a disable timeout value. The switch automatically restores the disabled interface to service when the disable timeout expires. The port-error-disable configuration does not apply to pre-existing error conditions. It impacts only error conditions that are detected after port-error-disable has been enabled and committed. To clear a pre-existing error condition and restore the interface to service, use the clear ethernet-switching port-error command.

Customizing the Ethernet Switching Table Display to View Information for a Specific Interface Purpose

You can use the show ethernet-switching table command to view information for a specific interface.

Action

For example, to display the MAC addresses that have been learned on ge-0/0/2 interface, type: user@switch> show ethernet-switching table interface ge-0/0/2.0 Ethernet-switching table: 1 unicast entries

Meaning


4172

VLAN

MAC address

Type

v1

*

Flood

v1

00:00:06:00:00:00 Learn

Age Interfaces - All-members 0 ge-2/0/0.0

The MAC limit value for ge-0/0/2 had been set to 1, and the output shows that only one MAC address was learned and thus added to the MAC cache. An asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.

•


•


•


•


•


•


•




Verifying That MAC Move Limiting Is Working Correctly Purpose Action

Verify that MAC move limiting is working on the switch. Display the MAC addresses in the Ethernet switching table when MAC move limiting has been configured for a VLAN. The following sample shows the results after two of the hosts on ge-0/0/2 sent packets after the MAC addresses for those hosts had moved to other interfaces more than five times in 1 second. The VLAN, employee-vlan, was set to a MAC move limit of 5 with the action drop: user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan

Meaning


00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 * *

Age

Interfaces

0 0 0 0 -

ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0

Learn Learn Learn Learn Flood Flood

The last two lines of the sample output show that MAC addresses for two hosts on ge-0/0/2 were not learned, because the hosts had been moved back and forth from the original interfaces more than five times in 1 second.

•


•


•


•


•


Verifying That IP Source Guard Is Working Correctly Purpose

Action

Verify that IP source guard is enabled and is mitigating the effects of any source IP spoofing attacks on the EX Series switch. Display the IP source guard database. user@switch> show ip-source-guard IP source guard information: Interface Tag IP Address MAC Address

VLAN

ge-0/0/12.0

0

10.10.10.7

00:30:48:92:A5:9D

vlan100

ge-0/0/13.0

0

10.10.10.9

00:30:48:8D:01:3D

vlan100

ge—0/0/13.0

100

*

*

voice


4173

®


Meaning


The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output.

•


Verifying That the Port Error Disable Setting Is Working Correctly Purpose

Action

Verify that the port error disable setting is working as expected on MAC limited, MAC move limited and rate-limited interfaces on an EX Series switch. Display information about interfaces: user@switch> show ethernet-switching interfaces Interface State VLAN members ge-0/0/0.0 up T1122 ge-0/0/1.0 down default ge-0/0/2.0 down default ge-0/0/3.0 down default ge-0/0/4.0 down default ge-0/0/5.0 down default ge-0/0/6.0 down default ge-0/0/7.0 down default ge-0/0/8.0 down default ge-0/0/9.0 up T111 ge-0/0/10.0 down default ge-0/0/11.0 down default ge-0/0/12.0 down default ge-0/0/13.0 down default ge-0/0/14.0 down default ge-0/0/15.0 down default ge-0/0/16.0 down default ge-0/0/17.0 down default ge-0/0/18.0 down default ge-0/0/19.0 up T111 ge-0/1/0.0 down default ge-0/1/1.0 down default ge-0/1/2.0 down default ge-0/1/3.0 down default

Meaning

Blocking unblocked MAC limit exceeded MAC move limit exceeded Storm control in effect unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked

The sample output from the show ethernet-switching interfaces command shows that three of the down interfaces specify the reason that the interface is disabled: •

MAC limit exceeded—The interface is temporarily disabled due to a mac-limit (Access

Port Security) error. The disabled interface is automatically restored to service when the disable-timeout expires. •

MAC move limit exceeded—The interface is temporarily disabled due to a

mac-move-limit error. The disabled interface is automatically restored to service when the disable-timeout expires.

4174



•

Storm control in efffect —The interface is temporarily disabled due to a storm-control

error. The disabled interface is automatically restored to service when the disable-timeout expires.


•


Verifying That Persistent MAC Learning Is Working Correctly Purpose

Verify that persistent MAC learning, also known as sticky MAC, is working on the interface. Persistent MAC learning allows retention of dynamically learned MAC addresses on an interface across restarts of the switch (or if the interface goes down).

Action

Display the MAC addresses that have been learned. The following sample output shows the results when persistent MAC learning is enabled on interface ge-0/0/42:


Meaning


user@switch> show ethernet-switching table Ethernet-switching table: 8 entries, 2 learned, 5 persistent entries VLAN MAC address Type Age Interfaces default * Flood - All-members default 00:10:94:00:00:02 Persistent 0 ge-0/0/42.0 default 00:10:94:00:00:03 Persistent 0 ge-0/0/42.0 default 00:10:94:00:00:04 Persistent 0 ge-0/0/42.0 default 00:10:94:00:00:05 Persistent 0 ge-0/0/42.0 default 00:10:94:00:00:06 Persistent 0 ge-0/0/42.0 default 00:21:59:c8:0c:50 Learn 0 ae0.0 default 02:21:59:c8:0c:44 Learn 0 ae0.0

The sample output shows that learned MAC addresses are stored in the Ethernet switching table as persistent entries. If the switch is rebooted or the interface goes down and comes back up, these addresses will be restored to the table.

•


•



4175

®


4176


CHAPTER 108

Troubleshooting Port Security •


Troubleshooting Port Security Troubleshooting issues for port security on EX Series switches: •

MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table on page 4177

•

Multiple DHCP Server Packets Have Been Received on Untrusted Interfaces on page 4177

MAC Addresses That Exceed the MAC Limit or MAC Move Limit Are Not Listed in the Ethernet Switching Table Problem

You see log messages telling you that the MAC limit or MAC move limit has been exceeded, but the specific offending MAC addresses that have been exceeding the limit are not listed in the Ethernet switching table.

Solution

1.

Set the MAC limit or MAC move limit action to log. [edit ethernet-switching-options secure-access port] user@switch# set interface ge-0/0/2 mac-limit (Access Port Security) 5 action log

2. Allow some MAC address requests to come in. 3. View the entries in the Ethernet switching table: user@switch> show ethernet-switching table

Multiple DHCP Server Packets Have Been Received on Untrusted Interfaces Problem

You see log messages that DHCP server packets were received on an untrusted interface—for example: 5 untrusted DHCPOFFER received, interface ge-0/0/0.0[65], vlan v1[10] server ip/mac 12.12.12.1/00:00:00:00:01:12 offer ip/client mac 12.12.12.253/00:AA:BB:CC:DD:01

These messages can signal the presence of a malicious DHCP server on the network. Solution

Configure a firewall filter to block the IP address or MAC address of the malicious DHCP server. See “Configuring Firewall Filters (CLI Procedure)” on page 4323.


4177

®



4178

•


•


•


•


•



CHAPTER 109

Configuration Statements for Port Security •


•

[edit forwarding-options] Configuration Statement Hierarchy on page 4182

[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); }


4179

®


mac-notification { notification-interval seconds; } mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary; } interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name;

4180


Chapter 109: Configuration Statements for Port Security

} examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


•


•


•


•


•


•



4181

®


•


•


•


•


•


•


[edit forwarding-options] Configuration Statement Hierarchy helpers { bootp { dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } interface interface-name { dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } source-address-giaddr; } source-address-giaddr; } }


4182

•


•


•




•


•

For more information about the [edit forwarding-options] hierarchy and its options, see Junos OS Policy Framework Configuration Guide


4183

®


allowed-mac Syntax

Hierarchy Level


allowed-mac { mac-address-list; } [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify particular MAC addresses to be added to the MAC address cache.

NOTE: Although this configuration restricts the addresses that can be added to the MAC address cache, it does not block the switch from receiving Layer 2 control packets—such as Link Layer Discovery Protocol (LLDP) packets—transmitted from MAC addresses that are not specified in the list of allowed MAC addresses. Control packets do not undergo the MAC address check and they are therefore included in the statistics of packets received. However, they are not forwarded to another destination. They are trapped within the switch.

Default

Options

Allowed MAC addresses take precedence over dynamic MAC values that have been applied with the mac-limit statement. mac-address-list—One or more MAC addresses configured as allowed MAC addresses

for a specified interface or all interfaces. Required Privilege Level Related Documentation

4184


mac-limit (Access Port Security) on page 4199

•


•


•


•


•


•




arp-inspection Syntax

Hierarchy Level


(arp-inspection | no-arp-inspection) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Perform dynamic ARP inspection (DAI) on all VLANs or on the specified VLAN. •

arp-inspection—Enable DAI.

When ARP inspection is enabled, the switch logs invalid ARP packets that it receives on each interface, along with the sender’s IP and MAC addresses. •

no-arp-inspection—Disable DAI.


Disabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•


•


•



4185

®


circuit-id Syntax

Hierarchy Level

Release Information

Description

circuit-id { prefix hostname; use-interface-description; use-vlan-id; } [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82] [edit forwarding-options helpers bootp dhcp-option82] [edit forwarding-options helpers bootp interface interface-name dhcp-option82]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Configure the circuit-id suboption (suboption 1) of DHCP option 82 (the DHCP relay agent information option) in DHCP packets destined for a DHCP server. This suboption identifies the circuit (interface and/or VLAN) on which the DHCP request arrived. The format of the circuit-id information for Gigabit Ethernet interfaces that use VLANs is interface-name:vlan-name . On a Layer 3 interface, the format is just interface-name. The remaining statements are explained separately.

Default


4186

If DCHP option 82 is enabled on the switch, the circuit ID is supplied by default in the format interface-name:vlan-name or, on a Layer 3 interface, just interface-name . system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•


•


•




dhcp-option82 Syntax

Hierarchy Level

Release Information

Description

dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name)] [edit forwarding-options helpers bootp] [edit forwarding-options helpers bootp interface interface-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. When the switch receives a DHCP request from a DHCP client connected on one of the switch's interfaces, have the switch insert DHCP option 82 (also known as the DHCP relay agent information option) information in the DHCP request packet header before it forwards or relays the request to a DHCP server. The server uses the option 82 information, which provides details about the circuit and host the request came from, in formulating the reply; the server does not, however, make any changes to the option 82 information in the packet header. The switch receives the reply and then removes the DHCP option 82 information before forwarding the reply to the client. The remaining statements are explained separately.


Insertion of DHCP option 82 information is not enabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•



4187

®


•


•


dhcp-snooping-file Syntax


dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } [edit ethernet-switching-options secure-access-port]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Specify a local pathname or remote URL for the DHCP snooping database file to maintain persistence of IP-MAC bindings. The remaining statements are explained separately.

Default


4188

The IP-MAC bindings in the DHCP snooping database file are not persistent. If the switch is rebooted, the bindings are lost. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •




dhcp-trusted Syntax Hierarchy Level



(dhcp-trusted | no-dhcp-trusted); [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Allow DHCP responses from the specified interfaces (ports) or all interfaces. •

dhcp-trusted—Allow DHCP responses.

•

no-dhcp-trusted—Deny DHCP responses.

Trusted for trunk ports, untrusted for access ports. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•



4189

®



disable-timeout timeout; [edit ethernet-switching-options port-error-disable]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Specify how long the Ethernet switching interfaces remain in a disabled state due to MAC limiting, MAC move limiting, or storm control errors.

NOTE: If you modify the timeout value of an existing disable timeout, the new timeout value does not impact the timing of restoration to service of currently disabled interfaces that have been configured for automatic recovery. The new timeout value is applied only during the next occurrence of a port error. You can bring up the currently disabled interfaces by running the clear ethernet-switching port-error command.

Default Options

The disable timeout is not enabled. timeout—Time, in seconds, that the disabled state remains in effect. The disabled interface

is automatically restored to service when the specified timeout value is reached. Range: 10 through 3600 seconds Required Privilege Level Related Documentation

4190



•







4191

®



4192





[edit]





•


•


•


•


•


•


•


•


•


•



4193

®


examine-dhcp Syntax

Hierarchy Level


(examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable DHCP snooping on all VLANs or on the specified VLAN.

NOTE: If you configure DHCP for all VLANs and you enable a different port security feature on a specific VLAN, you must also explicitly enable DHCP snooping on that VLAN. Otherwise, the default value of no DHCP snooping applies to that VLAN.

•

examine-dhcp—Enable DHCP snooping.

•

no-examine-dhcp—Disable DHCP snooping.

When DHCP snooping is enabled, the switch logs DHCP packets (DHCPOFFER, DHCPDECLINE, DHCPACK, and DHCPNAK packets) that it receives on untrusted ports. You can monitor the log for these messages, which can signal the presence of a malicious DHCP server on the network.



4194



•


•




•


•


•


forwarding-class Syntax Hierarchy Level

Release Information

Description

forwarding-class class class-name; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) (examine-dhcp | arp-inspection)]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Assign a user-defined or a predefined forwarding class to the packets that have been checked for DHCP snooping or dynamic ARP inspection (DAI).

NOTE: To assign a user-defined class, you must first configure the user-defined class by using the forwarding-classes configuration statement at the [edit class-of-service] hierarchy level.

Default Options

Disabled. class-name—Name of the forwarding class. The forwarding class can be one of the

predefined forwarding classes (best-effort, assured-forwarding, expedited-forwarding, network-control) or it can be a user-defined forwarding class. Required Privilege Level Related Documentation



•

Understanding Junos OS CoS Components for EX Series Switches on page 4422

•


•



4195

®


interface Syntax

interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } }

Hierarchy Level

[edit ethernet-switching-options secure-access-port]


Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply port security features to all interfaces or to the specified interface. all—Apply port security features to all interfaces. interface-name —Apply port security features to the specified interface.


4196



•


•


•


•


•


•


•




ip-source-guard Syntax Hierarchy Level


(ip-source-guard | no-ip-source-guard); [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name)]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Perform IP source guard checking on packets sent from access interfaces. Validate source IP addresses and source MAC addresses on all VLANs or on the specified VLAN or VLAN range. Forward packets with valid addresses and drop those with invalid addresses. •

ip-source-guard—Enable IP source guard checking.

•

no-ip-source-guard—Disable IP source guard checking.

NOTE: Before you configure IP source guard, be sure that you have: Explicitly enabled DHCP snooping on the specific VLAN or specific VLANs on which you will configure IP source guard. See “Enabling DHCP Snooping (CLI Procedure)” on page 4138. If you configure IP source guard on specific VLANs rather than on all VLANs, you must also enable DHCP snooping explicitly on those VLANs. Otherwise, the default value of no DHCP snooping applies to that VLAN.




•


•



4197

®


mac Syntax Hierarchy Level



4198

mac mac-address; [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name) static-ip ip-address vlan (DHCP Bindings on Access Ports) vlan-name]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Media access control (MAC) address, or hardware address, for the device connected to the specified interface. mac-address —Value (in hexadecimal format) for address assigned to this device.





mac-limit Syntax Hierarchy Level


mac-limit limit action action; [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the number of MAC addresses to dynamically add to the MAC address cache for this access interface (port) and the action to be taken by the switch if the MAC address learning limit is exceeded on the interface (port). When you reset the number of MAC addresses, the MAC address table is not automatically cleared. Therefore, if you reduce the number of addresses from the default (unlimited) or a previously set limit, you could already have more entries in the table than the new limit allows. Previous entries remain in the table after you reduce the number of addresses, so you should clear the forwarding table for the specified interface or MAC address. Use the command clear ethernet-switching tableto clear the existing MAC addresses from the table.

Default Options

The default action is drop. action action—(Optional) Action to take when the MAC address limit is exceeded: •




entry. •

none—No action.

•


switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command. limit—Maximum number of MAC addresses.



allowed-mac on page 4184

•


•



4199

®


4200

•


•


•


•


•




mac-move-limit Syntax Hierarchy Level

mac-move-limit limit action action; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name)]

Release Information

Statement introduced in Junos OS Release 9.0 for EX Series switches. The default value for the action option was changed in Junos OS Release 9.5 for EX Series switches. The shutdown option was modified in Junos OS Release 9.6 for EX Series switches.

Description

Specify the number of times a MAC address can move to a new interface (port) in 1 second and the action to be taken by the switch if the MAC address move limit is exceeded.

Default Options

The default move limit is unlimited. The default action is drop. limit—Maximum number of moves to a new interface per second. action action—(Optional) Action to take when the MAC address move limit is reached: •




entry. •

none—No action.

•


switch with the port-error-disable statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command. Required Privilege Level Related Documentation


mac-limit (Access Port Security) on page 4199

•


•


•


•



4201

®


no-allowed-mac-log Syntax Hierarchy Level

Release Information

[edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name)]


Description

Specify that the switch does not log messages when it receives packets from invalid MAC addresses on an interface that has been configured for particular (allowed) MAC addresses.

Default

The switch logs messages when it receives packets from invalid MAC addresses on an interface that has been configured for particular (allowed) MAC addresses.


4202

no-allowed-mac-log;


allowed-mac on page 4184

•


•


•


•


•




no-gratuitous-arp-request Syntax Hierarchy Level Release Information Description


no-gratuitous-arp-request; [edit interfaces interface-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the switch not to respond to gratuitous ARP requests. You can disable responses to gratuitous ARP requests on both Layer 2 Ethernet switching interfaces and routed VLAN interfaces (RVIs). Gratuitous ARP responses are enabled on all Ethernet switching interfaces and RVIs. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


persistent-learning Syntax Hierarchy Level

Release Information

Description


persistent-learning; [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name)]

Statement introduced in Junos OS Release 11.4 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify that learned MAC addresses persist on the specified interfaces across restarts of the switch and link-down conditions. This feature is also known as sticky MAC. system—To view this statement in the configuration. system–control—To add this statement to the configuration. •


•



4203

®


port-error-disable Syntax


port-error-disable { disable-timeout timeout ; } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.6 for EX Series switches. Disable rather than block an interface when enforcing MAC limiting, MAC move limiting, and rate-limiting configuration options for shutting down the interface, and allow the interface to recover automatically from the error condition after a specified period of time: •

If you have enabled mac-limit (Access Port Security) with the shutdown option and enable port-error-disable, the switch disables (rather than shuts down) the interface when the MAC address limit is reached.

•

If you have enabled mac-move-limit with the shutdown option and you enable port-error-disable, the switch disables (rather than shuts down) the interface when the maximum number of moves to a new interface is reached.

•

If you have enabled storm-control with the action-shutdown option and you enable port-error-disable, the switch disables (rather than shuts down) the interface when applicable traffic exceeds the specified levels. Depending upon the configuration, applicable traffic could include broadcast, unknown unicast, and multicast traffic.

NOTE: The port-error-disable configuration does not apply to pre-existing error conditions. It impacts only error conditions that are detected after port-error-disable has been enabled and committed. To clear a pre-existing error condition and restore the interface to service, use the clear ethernet-switching port-error command.


4204

Not enabled. system—To view this statement in the configuration. system–control—To add this statement to the configuration. •

action-shutdown on page 4020

•


•


•





Release Information

prefix hostname; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82 circuit-id] [edit forwarding-options helpers bootp dhcp-option82 circuit-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 circuit-id]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series.

Description

Configure an optional prefix for the circuit ID suboption in the DHCP option 82 information that is inserted by the switch into the packet header of a DHCP request before it forwards or relays the request to a DHCP server.

Default

If prefix is not explicitly specified, no prefix is appended to the circuit ID. When prefix is specified, it is specified as prefix hostname (and the value is the hostname of the switch).

Options

hostname—Name of the host system (the switch) that is forwarding or relaying the DHCP

request from the DHCP client to the DHCP server. Required Privilege Level Related Documentation



•


•


•


•


•



4205

®



Release Information

Description

Default Options

prefix hostname | mac | none; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82 remote-id] [edit forwarding-options helpers bootp dhcp-option82 remote-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure an optional prefix for the remote ID suboption in the DHCP option 82 information that is inserted by the switch into the packet header of a DHCP request before it forwards or relays the request to a DHCP server. If prefix is not explicitly specified, no prefix is appended to the remote ID. hostname—Name of the host system (the switch) that is forwarding or relaying the DHCP

request from the DHCP client to the DHCP server. mac—MAC address of the host system (the switch) that is forwarding or relaying the

DHCP request from the DHCP client to the DHCP server. none—No prefix is applied to the remote ID.


4206



•


•


•


•


•




remote-id Syntax

Hierarchy Level

Release Information

Description

remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82] [edit forwarding-options helpers bootp dhcp-option82] [edit forwarding-options helpers bootp interface interface-name dhcp-option82]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Insert the remote-id suboption of DHCP option 82 (also known as the DHCP relay agent information option) in DHCP request packet headers before forwarding or relaying requests to a DHCP server. This suboption provides a trusted identifier for the host system that has forwarded or relayed requests to the server. The remaining statements are explained separately.

Default


If remote-id is not explicitly set, no remote ID value is inserted in the DHCP request packet header. If the remote-id option is specified but is not qualified by a keyword, the MAC address of the host device (the switch) is used as the remote ID. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•


•


•



4207

®


secure-access-port Syntax


4208

secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } [edit ethernet-switching-options]




Description

Configure port security features, including MAC limiting, dynamic ARP inspection, whether interfaces can receive DHCP responses, DHCP snooping, IP source guard, DHCP option 82, MAC move limiting, and FIP snooping. The remaining statements are explained separately.




•


•


•


•

Example: Configuring an FCoE Transit Switch on page 4703

static-ip Syntax

Hierarchy Level


Options

static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all|interface-name)]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Static (fixed) IP address and static MAC address, with an associated VLAN, added to the DHCP snooping database. ip-address—IP address assigned to a device connected on the specified interface.





4209

®


timeout Syntax Hierarchy Level Release Information Description

Default Options

timeout seconds; [edit ethernet-switching-options secure-access-port dhcp-snooping-file]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Specify a timeout value for remote read and write operations. This value determines the amount of time that the switch waits for a remote system to respond when the DHCP snooping database is stored on a remote FTP site. None seconds —Value in seconds.


4210





traceoptions Syntax


traceoptions { file filename ; flag flag ; } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Define global tracing operations for access security features on Ethernet switches. The traceoptions feature is disabled by default. disable—(Optional) Disable the tracing operation. You can use this option to disable a

single operation when you have defined a broad group of tracing operations, such as all. file filename —Name of the file to receive the output of the tracing operation. Enclose the


so on, until the maximum number of trace files is reached (xk to specify KB, xm to specify MB, or xg to specify gigabytes), at which point the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files flag flag—Tracing operation to perform. To specify more than one tracing operation,


access-security—Trace access security events.

•


•

config-internals—Trace internal configuration operations.

•

forwarding-database—Trace forwarding database and next-hop events.

•

general—Trace general events.

•

interface—Trace interface events.

•

ip-source-guard—Trace IP source guard events.

•

krt—Trace communications over routing sockets.

•

lib—Trace library calls.

•



4211

®


•


•

regex-parse—Trace regular-expression parsing operations.

•

rtg—Trace redundant trunk group events.

•

state—Trace state transitions.

•

stp—Trace spanning-tree events.

•

task—Trace Ethernet-switching task processing.

•

timer—Trace Ethernet-switching timer processing.

•

vlan—Trace VLAN events.

no-stamp—(Optional) Do not timestamp the trace file.

Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output. no-world-readable—(Optional) Restrict file access to the user who created the file. replace—(Optional) Replace an existing trace file if there is one rather than appending

to it. Default: If you do not include this option, tracing output is appended to an existing trace file. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes Range: 10 KB through 1 gigabyte Default: 128 KB world-readable—(Optional) Enable unrestricted file access.


4212



•


•


•


•


•




use-interface-description Syntax Hierarchy Level

use-interface-description; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82 circuit-id], [edit forwarding-options helpers bootp dhcp-option82 circuit-id], [edit forwarding-options helpers bootp interface interface-name dhcp-option82 circuit-id] [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82 remote-id] [edit forwarding-options helpers bootp dhcp-option82 remote-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]

Release Information

Description


Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Use the interface description rather than the interface name (the default) in the circuit ID or remote ID value in the DHCP option 82 information. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•


•


•


•



4213

®


use-string Syntax Hierarchy Level

Release Information

Description

Options

use-string string; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82 remote-id] [edit forwarding-options helpers bootp dhcp-option82 remote-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Use a string rather than the MAC address of the host system (the default) in the remote ID value in the DHCP option 82 information. string—Character string used as the remote ID value.

Range:1–255 characters Required Privilege Level Related Documentation

4214



•


•


•


•


•




use-vlan-id Syntax Hierarchy Level

Release Information

Description


use-vlan-id; [edit forwarding-options helpers bootp dhcp-option82-circuit-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82-circuit-id]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Use the VLAN ID rather than the VLAN name (the default) in the circuit ID value in the DHCP option 82 information. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•



4215

®


vendor-id Syntax Hierarchy Level

Release Information

Description

Default Options

vendor-id ; [edit ethernet-switching-options secure-access-port vlan (Access Port Security) (all | vlan-name) dhcp-option82] [edit forwarding-options helpers bootp dhcp-option82] [edit forwarding-options helpers bootp interface interface-name dhcp-option82]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Statement introduced in Junos OS Release 11.3 for the QFX Series. Insert a vendor ID in the DHCP option 82 information in a DHCP request packet header before forwarding or relaying the request to a DHCP server. If vendor-id is not explicitly configured for DHCP option 82, no vendor ID is set. string—(Optional) A single string that designates the vendor ID.

Range: 1–255 characters Default: If you specify vendor-id with no string value, the default vendor ID Juniper is configured. Required Privilege Level Related Documentation

4216



•


•


•


•




vlan Syntax


vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } (examine-dhcp | no-examine-dhcp); examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } [edit ethernet-switching-options secure-access-port]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply any of the following security options to a VLAN: •

DHCP snooping

•

DHCP option 82

•


•

FIP snooping

•

IP source guard

•

MAC move limiting



Options

all—Apply the feature to all VLANs.


4217

®


vlan-name—Apply the feature to the specified VLAN.




•


•


•


vlan Syntax Hierarchy Level



4218

vlan (Access Port Security) vlan-name; [edit ethernet-switching-options secure-access-port interface (Access Port Security) (all | interface-name) static-ip ip-address]

Statement introduced in Junos OS Release 9.2 for EX Series switches. Associate the static IP address with the specified VLAN associated with the specified interface. vlan-name —Name of a specific VLAN associated with the specified interface.





write-interval Syntax Hierarchy Level Release Information Description

Default Options

write-interval seconds; [edit ethernet-switching-options secure-access-port dhcp-snooping-file]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Specify how frequently the switch writes the database entries from memory into the specified DHCP snooping database file. None seconds—Value in seconds.





4219

®


4220


CHAPTER 110

Operational Commands for Port Security


4221

®


clear arp inspection statistics Syntax

Release Information

Description Options

clear arp inspection statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Clear ARP inspection statistics. none—Clears ARP statistics on all interfaces. interface interface-names—(Optional) Clear ARP statistics on one or more interfaces.



clear

•


•


•


clear arp inspection statistics on page 4222 This command produces no output.

Sample Output clear arp inspection statistics

4222

user@switch> clear arp inspection statistics


Chapter 110: Operational Commands for Port Security

clear dhcp snooping binding Syntax

Release Information

Description Options

clear dhcp snooping binding

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Clear the DHCP snooping database information. mac (all | mac-address)—(Optional) Clear DHCP snooping information for the specified

MAC address or all MAC addresses. vlan (all | vlan-name )—(Optional) Clear DHCP snooping information for the specified

VLAN or all VLANs. Required Privilege Level Related Documentation


clear

•


•


•


clear dhcp snooping binding on page 4223 This command produces no output.

Sample Output clear dhcp snooping binding

user@switch> clear dhcp snooping binding


4223

®


clear dhcp snooping statistics Syntax Release Information Description Required Privilege Level Related Documentation


clear dhcp snooping statistics

Command introduced in Junos OS Release 9.4 for EX Series switches. Clear all Dynamic Host Configuration Protocol (DHCP) snooping statistics. view

•

show dhcp snooping statistics on page 4227

•


clear dhcp snooping statistics on page 4224 See show dhcp snooping statistics for an explanation of the output fields.

Sample Output clear dhcp snooping statistics

The following sample output displays the DHCP snooping statistics before and after the clear dhcp snooping statistics command is issued. user@switch> show dhcp snooping statistics Successful Transfers : 0 Failed Transfers : Successful Reads : 0 Failed Reads : Successful Writes : 0 Failed Writes :

21 0 21

user@switch> clear dhcp snooping statistics user@switch> show dhcp snooping statistics Successful Transfers : 0 Failed Transfers : Successful Reads : 0 Failed Reads : Successful Writes : 0 Failed Writes :

4224

0 0 0



show arp inspection statistics Syntax Release Information



show arp inspection statistics

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display ARP inspection statistics. view

•

clear arp inspection statistics on page 4222

•


•


show arp inspection statistics on page 4225 Table 447 on page 4225 lists the output fields for the show arp inspection statistics command. Output fields are listed in the approximate order in which they appear.

Table 447: show arp inspection statistics Output Fields Field Name

Field Description

Level of Output

Interface

Interface on which ARP inspection has been applied.

All levels

Packets received

Total number of packets total that underwent ARP inspection.

All levels

ARP inspection pass

Total number of packets that passed ARP inspection.

All levels

ARP inspection failed

Total number of packets that failed ARP inspection.

All levels

Sample Output show arp inspection statistics

user@switch> show arp inspection statistics Interface --------ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7


Packets received ----------------0 0 0 0 0 0 0 703

ARP inspection pass ------------------0 0 0 0 0 0 0 701

ARP inspection failed --------------------0 0 0 0 0 0 0 2

4225

®


show dhcp snooping binding Syntax Release Information



show dhcp snooping binding

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 12.1 for the QFX Series. Display the DHCP snooping database information. view

•

clear dhcp snooping binding on page 4223

•


•


show dhcp snooping binding on page 4226 Table 448 on page 4226 lists the output fields for the show dhcp snooping binding command. Output fields are listed in the approximate order in which they appear.

Table 448: show dhcp snooping binding Output Fields Field Name

Field Description

Level of Output

MAC Address

MAC address of the network device; bound to the IP address.

All levels

IP Address

IP address of the network device; bound to the MAC address.

All levels

Lease

Lease granted to the IP address.

All levels

Type

How the MAC address was acquired.

All levels

VLAN

VLAN name of the network device whose MAC address is shown.

All levels

Interface

Interface address (port).

All levels

Sample Output show dhcp snooping binding

user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address -------------------------00:00:01:00:00:03 192.0.2.0 00:00:01:00:00:04 192.0.2.1 00:00:01:00:00:05 192.0.2.5

4226

Lease ----640 720 800

Type ------dynamic dynamic dynamic

VLAN ---guest guest guest

Interface --------ge-0/0/12.0 ge-0/0/12.0 ge-0/0/13.0



show dhcp snooping statistics Syntax Release Information Description Required Privilege Level Related Documentation


show dhcp snooping statistics

Command introduced in Junos OS Release 9.4 for EX Series switches. Display statistics for read and write operations to the DHCP snooping database. view

•

clear dhcp snooping statistics on page 4224

•


show dhcp snooping statistics on page 4227 Table 449 on page 4227 lists the output fields for the show dhcp snooping statistics command. Output fields are listed in the approximate order in which they appear.

Table 449: show dhcp snooping statistics Output Fields Field Name

Field Description

Successful Transfers

Number of entries successfully transferred from memory to the DHCP snooping database.

Successful Reads

Number of entries successfully read from memory to the DHCP snooping database.

Successful Writes

Number of entries successfully written from memory to the DHCP snooping database.

Failed Transfers

Number of entries that failed being transferred from memory to the DHCP snooping database.

Failed Reads

Number of entries that failed being read from memory to the DHCP snooping database.

Failed Writes

Number of entries that failed being written from memory to the DHCP snooping database.

Sample Output show dhcp snooping statistics

user@switch> show dhcp snooping statistics Successful Transfers : 0 Failed Transfers : Successful Reads : 0 Failed Reads : Successful Writes : 0 Failed Writes :


21 0 21

4227

®



Release Information

Description Options









4228

view

•


•


•


•








Field Description

Level of Output

VLAN

The name of a VLAN.

All levels

Tag


extensive

MAC or MAC address


All levels

Type



•


•


address. •


•





•


persistent-mac



All levels

Interfaces


All levels

Learned


detail, extensive

Nexthop index


detail, extensive

persistent-mac




4229

®






4230







0 0 0






4231

®




4232


MAC address 00:10:94:00:05:02 00:10:94:00:06:03 00:10:94:00:07:04




show ip-source-guard Syntax Release Information Description Required Privilege Level Related Documentation


show ip-source-guard

Command introduced in Junos OS Release 9.2 for EX Series switches. Display IP source guard database information. view

•


•


•


show ip-source-guard on page 4233 Table 451 on page 4233 lists the output fields for the show ip-source-guard command. Output fields are listed in the approximate order in which they appear.

Table 451: show ip-source-guard Output Fields Field Name

Field Description

VLAN

VLAN on which IP source guard is enabled.

Interface

Access interface associated with the VLAN in column 1.

Tag

VLAN ID for the VLAN in column 1. Possible values are: •

0, indicating the VLAN is not tagged.

•

1 – 4093

IP Address

Source IP address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.

MAC Address

Source MAC address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.

Sample Output show ip-source-guard

user@switch> show ip-source-guard IP source guard information: Interface Tag IP Address MAC Address

VLAN

ge-0/0/12.0

vlan100


0

10.10.10.7

00:30:48:92:A5:9D

4233

®


4234

ge-0/0/13.0

0

10.10.10.9

00:30:48:8D:01:3D

vlan100

ge—0/0/13.0

100

*

*

voice


PART 22

Routing Policy and Packet Filtering (Firewall Filters) •

Firewall Filters—Overview on page 4237

•

Examples of Firewall Filters Configuration on page 4297

•

Configuring Firewall Filters on page 4323

•

Verifying Firewall Filter Configuration on page 4347

•

Troubleshooting Firewall Filters on page 4351

•

Configuration Statements for Firewall Filters on page 4355

•

Operational Commands for Firewall Filters on page 4393


4235

®


4236


CHAPTER 111

Firewall Filters—Overview •


•

Understanding Planning of Firewall Filters on page 4241

•

Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches on page 4243

•

Understanding How Firewall Filters Control Packet Flows on page 4245

•

Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches on page 4246

•

Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches on page 4256

•

Support for Match Conditions and Actions for Loopback Firewall Filters on Switches on page 4282

•

Understanding How Firewall Filters Are Evaluated on page 4286

•

Understanding Firewall Filter Match Conditions on page 4288

•

Understanding How Firewall Filters Test a Packet's Protocol on page 4292

•


•

Understanding Tricolor Marking Architecture on page 4295

•

Understanding Filter-Based Forwarding for EX Series Switches on page 4296

Firewall Filters for EX Series Switches Overview Firewall filters provide rules that define whether to permit, deny, or forward packets that are transiting an interface on a Juniper Networks EX Series Ethernet Switch from a source address to a destination address. You configure firewall filters to determine whether to permit, deny, or forward traffic before it enters or exits a port, VLAN, or Layer 3 (routed) interface to which the firewall filter is applied. To apply a firewall filter, you must first configure the filter and then apply it to an port, VLAN, or Layer 3 interface. You can apply firewall filters to network interfaces, aggregated Ethernet interfaces (also known as link aggregation groups (LAGs)), loopback interfaces, management interfaces, virtual management Ethernet interfaces (VMEs), routed VLAN interfaces (RVIs), and Virtual Chassis port (VCP) interfaces. For information on EX Series switches that support a firewall filter on these interfaces, see EX Series Switch Software Features Overview.


4237

®


An ingress firewall filter is a filter that is applied to packets that are entering a network. An egress firewall filter is a filter that is applied to packets that are exiting a network. You can configure firewall filters to subject packets to filtering, class-of-service (CoS) marking (grouping similar types of traffic together, and treating each type of traffic as a class with its own level of service priority), and traffic policing (controlling the maximum rate of traffic sent or received on an interface). This topic describes: •

Firewall Filter Types on page 4238

•

Firewall Filter Components on page 4239

•

Firewall Filter Processing on page 4240

Firewall Filter Types The following firewall filter types are supported for EX Series switches: •

Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports. You can apply port firewall filters in both ingress and egress directions on a physical port.

•

VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN.

•

Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs). You can apply a router firewall filter in the ingress direction on the loopback interface (lo0) also. Firewall filters configured on loopback interfaces are applied only to packets that are sent to the Routing Engine CPU for further processing.

You can apply port, VLAN, or router firewall filters to both IPv4 and IPv6 traffic on these switches: •

EX3200 switch

•

EX4200 switch

•

EX8200 switch

You can apply port, VLAN, or router firewall filters to only IPv4 traffic on these switches: •

EX2200 switch

•

EX3300 switch

•

EX4500 switch

•

EX6200 switch

For information on firewall filters supported on different switches, see “Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches” on page 4256.

4238


Chapter 111: Firewall Filters—Overview

Firewall Filter Components In a firewall filter, you first define the family address type (ethernet-switching, inet, or inet6), and then you define one or more terms that specify the filtering criteria (specified as terms with match conditions) and the action (specified as actions or action modifiers) to take if a match occurs. The maximum number of terms allowed per firewall filter for EX Series switches is: •

512 for EX2200 switches

•

1,436 for EX3300 switches

NOTE: On EX3300 switches, if you add and delete filters with a large number of terms (on the order of 1000 or more) in the same commit operation, not all the filters are installed. You must add filters in one commit operation, and delete filters in a separate commit operation.

•

7,042 for EX3200 and EX4200 switches—as allocated by the dynamic allocation of ternary content addressable memory (TCAM) for firewall filters.

•


•


•


NOTE: The on-demand dynamic allocation of the shared space TCAM in EX8200 switches is achieved by assigning free space blocks to firewall filters. Firewall filters are categorized into two different pools. Port and VLAN filters are pooled together (the memory threshold for this pool is 22K) while router firewall filters are pooled separately (the threshold for this pool is 32K). The assignment happens based on the filter pool type. Free space blocks can be shared only among the firewall filters belonging to the same filter pool type. An error message is generated when you try to configure a firewall filter beyond the TCAM threshold.

Each term consists of the following components: •

Match conditions—Specify the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.

•

Action—Specifies what to do if a packet matches the match conditions. Possible actions are to accept or discard the packet or to send the packet to a specific virtual routing interface. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.


4239

®


•

Action modifier—Specifies one or more actions for the switch if a packet matches the match conditions. You can specify action modifiers such as count, mirror, rate limit, and classify packets.

Firewall Filter Processing The order of the terms within a firewall filter configuration is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. For information on how firewall filters process packets, see “Understanding How Firewall Filters Are Evaluated” on page 4286. Related Documentation

4240

•

Understanding Planning of Firewall Filters on page 4241

•


•


•


•


•


•


•

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches on page 4315



Understanding Planning of Firewall Filters Before you create a firewall filter and apply it to an interface, determine what you want the firewall filter to accomplish and how to use its match conditions and actions to achieve your goals. You must understand how packets are matched to match conditions, the default and configured actions of the firewall filter, and proper placement of the firewall filter. You can configure and apply no more than one firewall filter per port, VLAN, or router interface, per direction. The following limits apply for the number of firewall filter terms allowed per filter on various switch models: •

On EX2200 switches, the number of terms per filter cannot exceed 512.

•


•

On EX3200 and EX4200 switches, the number of terms per filter cannot exceed 7042.

•


•


•


In addition, try to be conservative in the number of terms (rules) that you include in each firewall filter because a large number of terms requires longer processing time during a commit and also can make firewall filter testing and troubleshooting more difficult. Similarly, applying firewall filters across many switch and router interfaces can make testing and troubleshooting the rules of those filters difficult. Before you configure and apply firewall filters, answer the following questions for each of those firewall filters: 1.

What is the purpose of the firewall filter? For example, you can use a firewall filter to limit traffic to source and destination MAC addresses, specific protocols, or certain data rates or to prevent denial of service (DoS) attacks.

2. What are the appropriate match conditions? a. Determine the packet header fields that the packet must contain for a match.

Possible fields include: •

Layer 2 header fields—Source and destination MAC addresses, dot1q tag, Ethernet type, and VLAN

•

Layer 3 header fields—Source and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, TTL type)

•

TCP header fields—Source and destination ports and flags

•

ICMP header fields—Packet type and code


4241

®


b. Determine the port, VLAN, or router interface on which the packet was received. 3. What are the appropriate actions to take if a match occurs?

Possible actions to take if a match occurs are accept, discard, and forward to a routing instance. 4. What additional action modifiers might be required?

Determine whether additional actions are required if a packet matches a match condition; for example, you can specify an action modifier to count, analyze, or police packets. 5. On what interface should the firewall filter be applied?

Start with the following basic guidelines: •

If all the packets entering a port need to be exposed to filtering, then use port firewall filters.

•

If all the packets that are bridged need filtering, then use VLAN firewall filters.

•

If all the packets that are routed need filtering, then use router firewall filters.

Before you choose the interface on which to apply a firewall filter, understand how that placement can impact traffic flow to other interfaces. In general, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol information—such as ICMP message types, and TCP and UDP port numbers—nearest to the source devices. However, typically apply a firewall filter that filters only on a source IP address nearest to the destination devices. When applied too close to the source device, a firewall filter that filters only on a source IP address could potentially prevent that source device from accessing other services that are available on the network.

NOTE: Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine.

6. In which direction should the firewall filter be applied?

You can apply firewall filters to ports on the switch to filter packets that are entering a port. You can apply firewall filters to VLANs, and Layer 3 (routed) interfaces to filter packets that are entering or exiting a VLAN or routed interface. Typically, you configure different sets of actions for traffic entering an interface than you configure for traffic exiting an interface. Related Documentation

4242

•


•


•


•




•


•


Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches Juniper Networks EX Series Ethernet Switches are multilayered switches that provide Layer 2 switching and Layer 3 routing. You apply firewall filters at multiple processing points in the packet forwarding path on EX Series switches. At each processing point, the action to be taken on a packet is determined based on the results of the lookup in the switch's forwarding table. A table lookup determines which exit port on the switch to use to forward the packet. For both bridged unicast packets and routed unicast packets, firewall filters are evaluated and applied hierarchically. First, a packet is checked against the port firewall filter, if present. If the packet is permitted, it is then checked against the VLAN firewall filter, if present. If the packet is permitted, it is then checked against the router firewall filter, if present. The packet must be permitted by the router firewall filter before it is processed. Figure 125 on page 4244 shows the various firewall filter processing points in the packet forwarding path in a multilayered switching platform.


4243

®


Figure 125: Firewall Filter Processing Points in the Packet Forwarding Path

For a multicast packet that results in replications, an egress firewall filter is applied to each copy of the packet based on its corresponding egress VLAN. For Layer 2 (bridged) unicast packets, the following firewall filter processing points apply: •

Ingress port firewall filter

•

Ingress VLAN firewall filter

•

Egress port firewall filter

•

Egress VLAN firewall filter

For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall filter processing points apply:

4244

•

Ingress port firewall filter

•

Ingress VLAN firewall filter (Layer 2 CoS)

•

Ingress router firewall filter (Layer 3 CoS)

•

Egress router firewall filter

•

Egress VLAN firewall filter




•


•

Understanding How Firewall Filters Control Packet Flows on page 4245

•


•


Understanding How Firewall Filters Control Packet Flows Juniper Networks EX Series Ethernet Switches support firewall filters that allow you to control flows of data packets and local packets. Data packets are chunks of data that transit the switch as they are forwarded from a source to a destination. Local packets are chunks of data that are destined for or sent by the switch. Local packets usually contain routing protocol data, data for IP services such as Telnet or SSH, and data for administrative protocols such as the Internet Control Message Protocol (ICMP). You create firewall filters to protect your switch from excessive traffic transiting the switch to a network destination or destined for the Routing Engine on the switch. Firewall filters that control local packets can also protect your switch from external incidents such as denial-of-service (DoS) attacks. Firewall filters affect packet flows entering in to or exiting from the switch's interfaces: •

Ingress firewall filters affect the flow of data packets that are received by the switch's interfaces. The Packet Forwarding Engine handles this flow. When a switch receives a data packet on an interface, the switch determines where to forward the packet by looking in the forwarding table for the best route (Layer 2 switching, Layer 3 routing) to a destination. Data packets are forwarded to their destination through an outgoing interface. Locally destined packets are forwarded to the Routing Engine.

•

Egress firewall filters affect the flow of data packets that are transmitted from the switch's interfaces but do not affect the flow of locally generated control packets from the Routing Engine. The Packet Forwarding Engine handles the flow of data packets that are transmitted from the switch, and egress firewall filters are applied here. The Packet Forwarding Engine also handles the flow of control packets from the Routing Engine.

Figure 126 on page 4246 illustrates the application of ingress and egress firewall filters to control the flow of packets through the switch.


4245

®


Figure 126: Application of Firewall Filters to Control Packet Flow

1.

Ingress firewall filter applied to control locally destined packets that are received on the switch's interfaces and are destined for the Routing Engine.

2. Ingress firewall filter applied to control incoming packets on the switch's interfaces. 3. Egress firewall filter applied to control packets that are transiting the switch's

interfaces. Related Documentation

•


•


Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches When you define a firewall filter for an EX Series switch, you define filtering criteria (terms, with match conditions) for the packets and an action (action, or action modifier) for the switch to take if the packets match the filtering criteria. You can define a firewall filter to monitor IPv4, IPv6, or non-IP traffic. This topic describes in detail the various match conditions, actions, and action modifiers that you can define in a firewall filter. For information on support for match conditions on various EX Series switches, see “Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches” on page 4256. This topic describes:

4246

•

Firewall Filter Elements on page 4247

•

Match Conditions Supported on Switches on page 4247

•

Actions for Firewall Filters on page 4253

•

Action Modifiers for Firewall Filters on page 4254



Firewall Filter Elements A firewall filter configuration contains a term, match condition, an action, and, optionally, an action modifier. Table 452 on page 4247 describes each element in a firewall filter configuration.

Table 452: Elements of a Firewall Filter Configuration Elements Name

Description

term

Defines the filtering criteria for the packets. Each term in the firewall filter consists of match conditions and an action. You can define a single or multiple terms in the firewall filter. If you define multiple terms, each term must have a unique name.

match condition

Consists of a string (called a match statement) that defines the match condition. Match conditions are the values or fields that a packet must contain. You can define multiple, single, or no match conditions. If no match conditions are specified for the term, all packets are matched by default.

action

Specifies the action that the switch takes if a packet matches all the criteria specified in the match conditions.

action modifier

Specifies one or more actions that the switch takes if a packet matches the match conditions for the specific term.

Match Conditions Supported on Switches Based on the type of traffic that you want to monitor, you can configure a firewall filter to monitor IPv4, IPv6, or non-IP traffic. When you configure a firewall filter to monitor a type of traffic, ensure that you specify match conditions that are supported for that particular type of traffic. For information on match conditions supported for a specific type of traffic and switches on which they are supported, see “Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches” on page 4256. Table 453 on page 4247 describes all the match conditions that are supported for firewall filters on switches.

Table 453: Firewall Filter Match Conditions Supported on Switches Match Condition

Description

destination-address ip-address

IP destination address field, which is the address of the final destination node.

destination-mac-address mac-address

Destination media access control (MAC) address of the packet. You can define a destination MAC address with a prefix, such as destination-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used.


4247

®


Table 453: Firewall Filter Match Conditions Supported on Switches (continued) Match Condition

Description

destination-port number

TCP or User Datagram Protocol (UDP) destination port field. Typically, you specify this match condition in conjunction with the protocol match statement to determine which protocol is used on the port. For number, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813),radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104)

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level.

dot1q-tag number

4248

The tag field in the Ethernet header. The tag values can be 1 through 4095. The dot1q-tag match condition and the vlan match condition are mutually exclusive.




Description

dot1q-user-priority number

User-priority field of the tagged Ethernet packet. User-priority values can be 0–7. For number, you can specify one of the following text synonyms (the field values are also listed):

dscp number

•

background (1)—Background

•

best-effort (0)—Best effort

•

controlled-load (4)—Controlled load

•

excellent-load (3)—Excellent load

•

network-control (7)—Network control reserved traffic

•

standard (2)—Standard or Spare

•

video (5)—Video

•

voice (6)—Voice

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. For number, you can specify one of the following text synonyms (the field values are also listed): •

ef (46)—as defined in RFC 2598, An Expedited Forwarding PHB.

•

af11 (10), af12 (12), af13 (14); af21 (18), af22 (20), af23 (22); af31 (26), af32 (28), af33 (30); af41 (34), af42 (36), af43 (38)

These four classes, with three drop precedences in each class, are defined for 12 code points, in RFC 2597, Assured Forwarding PHB Group.


4249

®



Description

ether-type (aarp | appletalk | arp | ipv4 | ipv6 | mpls-multicast | mpls-unicast | oam | ppp | pppoe-discovery | pppoe-session | sna |value)

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. For value, you can specify one of the following text synonyms: •

aarp—EtherType value AARP (0x80F3)

•

appletalk—EtherType value AppleTalk (0x809B)

•

arp—EtherType value ARP (0x0806)

•

ipv4—EtherType value IPv4 (0x0800)

•

ipv6—EtherType value IPv6 (0x08DD)

•

mpls multicast—EtherType value MPLS multicast (0x8848)

•

mpls unicast—EtherType value MPLS unicast (0x8847)

•

oam—EtherType value OAM (0x88A8)

•

ppp—EtherType value PPP (0x880B)

•

pppoe-discovery—EtherType value PPPoE Discovery Stage (0x8863)

•

pppoe-session—EtherType value PPPoE Session Stage (0x8864)

•

sna—EtherType value SNA (0x80D5)

NOTE: The following match conditions are not supported when ether-type is set to ipv6:

fragment-flags fragment-flags

•

dscp

•

fragment-flags

•

is-fragment

•

precedence

•

protocol

IP fragmentation flags, specified in symbolic or hexadecimal formats. You can specify one of the following options: dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000)

icmp-code number

4250

ICMP code field. This value or option provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For number, you can specify one of the following text synonyms (the field values are also listed). The options are grouped by the ICMP type with which they are associated: •

parameter-problem—ip-header-bad (0), required-option-missing (1)

•

redirect—redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

•

time-exceeded—ttl-eq-zeroduring-reassembly (1), ttl-eq-zero-during-transit (0)

•

unreachable—communicationprohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)




Description

icmp-type number

ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match statement to determine which protocol is being used on the port. For number, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3)


Interface on which the packet is received. You can specify the wildcard character (*) as part of an interface name. NOTE: The interface match condition is not supported on an EX8200 Virtual Chassis for egress traffic.

ip-options

Presence of the options field in the IP header.

ip-version version [match_condition(s) ]

Version of the IP protocol for port and VLAN firewall filters. The value for version can be ipv4 or ipv6. For match condition (s), you can specify one or more of the following match conditions: •

destination-address

•

destination-port

•

destination-prefix-list

•

dscp

•

fragment-flags

•

icmp-code

•

icmp-type

•

is-fragment

•

precedence

•

protocol

•

source-address

•

source-port

•

source-prefix-list

•

tcp-established

•

tcp-flags

•

tcp-initial

is-fragment

If the packet is a trailing fragment, this match condition does not match the first fragment of a fragmented packet. Use two terms to match both first and trailing fragments.

l2-encap-type llc-non-snap

Match on logical link control (LLC) layer packets for non-Subnet Access Protocol (SNAP) Ethernet Encapsulation type.


4251

®



Description

next-header bytes

8-bit protocol field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (1), igmp (2), ipip (4), ipv6 (41), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

packet-length bytes

Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

precedence precedence

IP precedence. For precedence, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), or routine (0).

protocol list of protocol

IPv4 protocol value. For protocols, you can specify one of the following text synonyms: egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17)

source-address ip-address

IP source address field, which is the address of the source node sending the packet. For IPV6, the source-address field is 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses that are described in RFC 2373, IP Version 6 Addressing Architecture.

source-mac-address mac-address

Source MAC address. You can define a source MAC address with a prefix, such as source-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used.

source-port number

TCP or UDP source-port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For number, you can specify one of the text synonyms listed under destination-port.

source-prefix-list prefix-list

IP source prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level.

tcp-established

TCP packets of an established TCP connection. This condition matches packets other than the first packet of a connection. tcp-established is a synonym for the bit names "(ack|rst)". tcp-established does not implicitly check whether the protocol is TCP. To do so, specify the next-header tcp match condition.

4252




Description

tcp-flags (flags tcp-initial)

One or more TCP flags: •

bit-name—fin, syn, rst, push, ack, urgent

•

logical operators—& (logical AND), | (logical OR), ! (negation)

•

numerical value—0x01 through 0x20

•

text synonym—tcp-initial

To specify multiple flags, use logical operators. Match the first TCP packet of a connection. tcp-initial is a synonym for the bit names "(syn&!ack)".

tcp-initial

tcp-initial does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp match condition.

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

traffic-class number

You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): •

ef (46)—as defined in RFC 2598, An Expedited Forwarding PHB.

•

af11 (10), af12 (12), af13 (14); af21 (18), af22 (20), af23 (22); af31 (26), af32 (28), af33 (30); af41 (34), af42 (36), af43 (38)

These four classes, with three drop precedences in each class, are defined for 12 code points, in RFC 2597, Assured Forwarding PHB. ttl value

TTL type to match. The value can be 1–255.

vlan (vlan-name | vlan-id)

The VLAN that is associated with the packet. For vlan-id, you can either specify the VLAN ID or a VLAN range. The vlan match condition and the dot1q-tag match condition are mutually exclusive.

Actions for Firewall Filters You can define an action for the switch to take if a packet matches the filtering criteria defined in a match condition. Table 454 on page 4253 describes the actions supported in a firewall filter configuration.

Table 454: Actions for Firewall Filters Action

Description

accept

Accept a packet.


4253

®


Table 454: Actions for Firewall Filters (continued) Action

Description

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

reject message-type

Discard a packet, and send an ICMPv4 message (type 3) destination unreachable. You can log the rejected packets if you configure the syslog action modifier. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

If you specify tcp-reset, a TCP reset is returned if the packet is a TCP packet. Otherwise nothing is returned. If you do not specify a message type, the ICMP notification destination unreachable is sent with the default message communication administratively filtered. routing-instance routing-instance-name

Forward matched packets to a virtual routing instance. NOTE: EX4200 switches do not support firewall-filter-based redirection to the default routing instance.

vlan vlan-name

Forward matched packets to a specific VLAN. Ensure that you specify the VLAN name or VLAN ID and not a VLAN range, because the vlan action does not support the vlan-range option. NOTE: If you have defined a VLAN that is enabled for dot1q tunneling, then that particular VLAN is not supported as an action (using the vlan vlan-name action) for an ingress VLAN firewall filter.

Action Modifiers for Firewall Filters In addition to the actions described in Table 454 on page 4253, you can define action modifiers that a switch can perform if packets match the filtering criteria defined in the match condition. Table 455 on page 4254 describes the action modifiers supported in a firewall filter configuration.

Table 455: Action Modifiers for Firewall Filters Action Modifier

Description

analyzer analyzer-name

Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. Mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port. The analyzer name must be configured under [edit ethernet-switching-options analyzer]. NOTE: analyzer is not a supported action modifier for a management interface. On EX4500 switches, you can configure only one analyzer and include it in a firewall filter. If you configure multiple analyzers, you cannot include any one of those analyzers in a firewall filter.

4254



Table 455: Action Modifiers for Firewall Filters (continued) Action Modifier

Description

count counter-name

Count the number of packets that pass this filter, term, or policer.

forwarding-class class

Classify the packet in one of the following forwarding classes: •

assured-forwarding

•

best-effort

•


•

network-control


Forward the traffic to the specified interface bypassing the switching lookup.

log

Log the packet's header information in the Routing Engine. To view this information, issue the show firewall log command in the CLI. NOTE: If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected.

loss-priority (high | low)

Set the packet loss priority (PLP).

policer policer-name

Apply rate limits to the traffic. You can specify a policer in a firewall filter only for ingress traffic on a port, VLAN, and router. NOTE: A counter for a policer is not supported on EX8200 switches. Log an alert for this packet. You can specify that the log be sent to a server for storage and analysis.

syslog

NOTE: If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected. Apply a three-color policer.

three-color-policer


•


•


•


•


•



4255

®


Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches After you define a firewall filter on a switch, you must associate the filter to a bind point so that the filter can filter the packets that enter or exist the bind point. Ports (Layer 2), VLANs, and Layer 3 interfaces are different bind points on which you can apply a firewall filter on a switch. While a port firewall filter applies to Layer 2 interfaces, a VLAN firewall filter applies to packets that enter or leave a VLAN and also to packets that are bridged within a VLAN. A Layer 3 firewall filter applies to Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs).

NOTE: If you want to control the traffic that enters the Routing Engine of the switch, you must configure a firewall filter on the loopback interface (lo0) of the switch. For information on match conditions, actions, and action modifiers supported on the loopback (lo0) interface of a switch, see “Support for Match Conditions and Actions for Loopback Firewall Filters on Switches” on page 4282.

This topic describes in detail the supported switch platforms and bind points for match conditions, actions, and action modifiers in firewall filters on the switches. For descriptions of those match conditions, actions, and action modifiers, see “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246. This topic describes: •

Firewall Filter Types and Their Bind Points on page 4256

•

Support for IPv4 and IPv6 Firewall Filters Per Switch on page 4257

•

Platform Support for Match Conditions for IPv4 Traffic on page 4257

•

Platform Support for Match Conditions for IPv6 Traffic on page 4268

•

Platform Support for Match Conditions for Non-IP Traffic on page 4272

•

Platform Support for Actions for IPv4 Traffic on page 4273

•

Platform Support for Actions for IPv6 Traffic on page 4275

•

Platform Support for Action Modifiers for IPv4 Traffic on page 4276

•

Platform Support for Action Modifiers for IPv6 Traffic on page 4280

Firewall Filter Types and Their Bind Points You can apply a firewall filter at specific bind points to filter IPv4, IPv6, or non-IP traffic. See the remaining sections in this topic for information about support on individual switch platforms for different traffic types. Table 456 on page 4257 lists the firewall filter types and their associated bind points that are supported on the switches.

4256



Table 456: Bind Points Associated With Firewall Filter Types Bind Points

Firewall Filter Type

Ports (These are Layer 2 interfaces.)

Port firewall filter

VLANs

VLAN firewall filter

Layer 3 interfaces (These are Layer 3 (routed) interfaces or routed VLAN interfaces (RVIs).)

Router firewall filter

Support for IPv4 and IPv6 Firewall Filters Per Switch You can apply a port, VLAN, or router firewall filter to filter IPv4 traffic on all EX Series switches. You can apply these firewall filters to filter IPv6 traffic on all EX Series switches except EX2200, EX3300, EX4500, and EX6200 switches. Table 457 on page 4257 summarizes the support for IPv4 and IPv6 firewall filters on different switches.

Table 457: Support for IPv4 and IPv6 Firewall Filters on Switches Switch

Support for IPv4 Firewall Filter

Support for IPv6 Firewall Filter

EX2200

Yes

No

EX3200 and EX4200

Yes

Yes

EX3300

Yes

No

EX4500

Yes

Yes

EX6200

Yes

No

EX8200

Yes

Yes

Platform Support for Match Conditions for IPv4 Traffic When you configure a firewall filter, you can define a term specifically for IPv4 or IPv6 traffic. To configure a term in a firewall filter configuration specifically for IPv4 traffic: 1.

Perform one of these tasks: •

Define ether-type ipv4 in a term in the configuration.

•

Define ip-version ipv4 in a term in the configuration.


4257

®


•

Define both ether-type ipv4 and ip-version ipv4 in a term in the configuration.

•

Verify that neither ether-type or ip-version is specified in a term in the configuration—By default, a configuration that does not contain either ether-type or ip-version in a term applies to IPv4 traffic.

For all preceding tasks—Do not include either ether-type ipv6 or ip-version ipv6 in the term configuration. If you include them, the term applies to IPv6 traffic. 2. Ensure that other match conditions in the term are valid for IPv4 traffic.

To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic. You can define port, VLAN, and router firewall filters for ingress and egress IPv4 traffic on all EX Series switches. Table 458 on page 4258 summarizes support for match conditions on different bind points for ingress and egress IPv4 traffic.

Table 458: Firewall Filter Match Conditions Supported for IPv4 Traffic on Switches Supported Bind Points Match Condition

Switch

Ingress

Egress


EX2200

Ports, VLANs, and Layer 3 interfaces


EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Ports and VLANs


4258



Table 458: Firewall Filter Match Conditions Supported for IPv4 Traffic on Switches (continued) Supported Bind Points Match Condition

Switch

Ingress

Egress


EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Not supported


dot1q-tag number


4259

®



Switch

Ingress

Egress


EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Ports and VLANs

EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Not supported

dscp number

ether-type (aarp | appletalk | arp | ipv4 | ipv6 | mpls-multicast | mpls-unicast | oam | ppp | pppoe-discovery | pppoe-session | sna |value)

4260




Switch

Ingress

Egress

fragment-flags fragment-flags

EX2200


Not supported

EX3200 and EX4200


Not supported

EX3300


Not supported

EX4500


Not supported

EX6200


Not supported

EX8200


Not supported

EX2200



EX3200 and EX4200


Ports and Layer 3 interfaces

EX3300



EX4500



EX6200



EX8200



icmp-code number


4261

®



Switch

Ingress

Egress

icmp-type number

EX2200



EX3200 and EX4200


Layer 3 interfaces

EX3300



EX4500



EX6200



EX8200



EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200




4262




Switch

Ingress

Egress

ip-options

EX2200

Layer 3 interfaces

Not supported

EX3200 and EX4200


Ports and VLANs

EX3300


Ports and VLANs

EX4500

Layer 3 interfaces

Not supported

EX6200



EX8200

Layer 3 interfaces

Not supported

EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Ports and VLANs

EX2200


Not supported

EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200


Not supported

ip-version version

[match_condition(s) ]

is-fragment


4263

®



Switch

Ingress

Egress

precedence precedence

EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



protocol list of protocols

4264




Switch

Ingress

Egress


EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Ports and VLANs

EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200




source-port number


4265

®



Switch

Ingress

Egress


EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



tcp-established

4266




Switch

Ingress

Egress


EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200

Layer 3 interfaces

Not supported

EX3200 and EX4200

Layer 3 interfaces

Not supported

EX3300

Layer 3 interfaces

Not supported

EX4500

Layer 3 interfaces

Not supported

EX6200

Layer 3 interfaces

Not supported

EX8200

Layer 3 interfaces

Not supported

tcp-initial

ttl value


4267

®



Switch

Ingress

Egress

vlan (vlan-name | vlan-id)

EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Ports and VLANs

Platform Support for Match Conditions for IPv6 Traffic When you configure a firewall filter, you can define a term specifically for IPv4 or IPv6 traffic. To configure a term in a port or VLAN firewall filter configuration specifically for IPv6 traffic: 1.

Perform these tasks: •

For EX3200 and EX4200 switches—Define ether-type ipv6 in a term in the firewall filter configuration.

•

For EX8200 switches—Define ether-type ipv6 or ip-version ipv6 in a term or define both ether-type ipv6 and ip-version ipv6 in a term in the firewall filter configuration.

2. Ensure that other match conditions in the term are valid for IPv6 traffic.

If the term contains the match condition ether-type ipv6 or ip-version ipv6, with no other IPv6 match condition specified, all IPv6 traffic is matched. To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic. You can define port, VLAN, and router firewall filters for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches, and router firewall filters for ingress and egress IPv6 traffic on EX4500 switches. Table 459 on page 4269 summarizes support for match conditions on different bind points for ingress and egress IPv6 traffic.

4268



Table 459: Firewall Filter Match Conditions Supported For IPv6 Traffic on Switches Supported Bind Points Match Condition

Switch

Ingress

Egress


EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200


Layer 3 interfaces

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Not supported

Not supported

EX8200



EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Not supported

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Ports and VLANs.




dot1q-tag number


ether-type (ipv6)value


4269

®


Table 459: Firewall Filter Match Conditions Supported For IPv6 Traffic on Switches (continued) Supported Bind Points Match Condition

Switch

Ingress

Egress

icmp-code number

EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200



EX4500

Not supported

Not supported

EX8200



EX3200 and EX4200

Not supported

Not supported

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Not supported

Not supported

EX4500

Not supported

Not supported

EX8200

Layer 3 interfaces

Not supported

icmp-type number


ip-version version [

match_condition(s) ]

next-header bytes

packet-length bytes

4270




Switch

Ingress

Egress


EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200

Ports, VLANs, Layer 3 interfaces


EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Not supported

Not supported

EX8200



EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200




source-port number


tcp-established



4271

®



Switch

Ingress

Egress

tcp-initial

EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Layer 3 interfaces

Layer 3 interfaces

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Not supported

traffic-class number

vlan (vlan-id | vlan-name)

Platform Support for Match Conditions for Non-IP Traffic You can define port, VLAN, and router firewall filters for ingress and egress non-IP traffic on all EX Series switches. Table 460 on page 4272 summarizes support for match conditions on different bind points for ingress and egress non-IP traffic.

Table 460: Firewall Filter Match Condition Supported For Non-IP Traffic on Switches Supported Bind Points Match Condition

Switch

Ingress

Egress

l2-encap-type llc-non-snap

EX2200

Ports and VLANs

Ports and VLANs

EX3200 and EX4200

Ports and VLANs

Ports and VLANs

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports and VLANs

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Ports and VLANs

4272



Platform Support for Actions for IPv4 Traffic Table 461 on page 4273 summarizes the support for actions on different bind points for ingress and egress IPv4 traffic. You can define actions listed in Table 461 on page 4273 in a port, VLAN, and router firewall filter for ingress and egress IPv4 traffic on all EX Series switches.

Table 461: Firewall Filter Actions Supported For IPv4 Traffic on Switches Supported Bind Points Action

Switch

Ingress

Egress

accept

EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



discard


4273

®


Table 461: Firewall Filter Actions Supported For IPv4 Traffic on Switches (continued) Supported Bind Points Action

Switch

Ingress

Egress

reject message-type

EX2200

Not supported

Not supported

EX3200 and EX4200

Layer 3 interfaces

Not supported

EX3300

Layer 3 interfaces

Not supported

EX4500

Not supported

Not supported

EX6200

Layer 3 interfaces

Not supported

EX8200

Layer 3 interfaces

Not supported

EX2200

Not supported

Not supported

EX3200 and EX4200

Layer 3 interfaces

Not supported

EX3300

Not supported

Not supported

EX4500

Not supported

Not supported

EX6200

Layer 3 interfaces

Not supported

EX8200

Layer 3 interfaces

Not supported

EX2200

Ports and VLANs

Not supported

EX3200 and EX4200

Ports and VLANs

Not supported

EX3300

Ports and VLANs

Ports and VLANs

EX4500

Ports and VLANs

Ports

EX6200

Ports and VLANs

Ports and VLANs

EX8200

Ports and VLANs

Not supported

routing-instance routing-instance-name

vlan vlan-name

NOTE: Supported only when used in conjunction with the interface action modifier. On EX8200 Virtual Chassis, the vlan action is supported only for VLANs.

4274



Platform Support for Actions for IPv6 Traffic Table 462 on page 4275 summarizes support for actions on different bind points for ingress and egress IPv6 traffic. You can define actions listed in Table 462 on page 4275 in a port, VLAN, and router firewall filter for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches.

Table 462: Firewall Filter Actions Supported For IPv6 Traffic on Switches Supported Bind Points Action

Switch

Ingress

Egress

accept

EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Layer 3 interfaces

Not supported

EX4500

Not supported

Not supported

EX8200

Layer 3 interfaces

Not supported

EX3200 and EX4200

Layer 3 interfaces

Not supported

EX4500

Not supported

Not supported

EX8200

Layer 3 interfaces

Not supported

EX3200 and EX4200

Ports and VLANs

Not supported

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Not supported

discard

reject message-type

routing-instance routing-instance-name

vlan vlan-name

NOTE: Supported only when used in conjunction with the interface action modifier. On EX8200 Virtual Chassis, the vlan action is supported only for VLANs.


4275

®


Platform Support for Action Modifiers for IPv4 Traffic Table 463 on page 4276 summarizes support for action modifiers on different bind points for ingress and egress IPv4 traffic. You can define action modifiers listed in Table 463 on page 4276 in a port, VLAN, and router firewall filter for ingress and egress IPv4 traffic on all EX Series switches.

Table 463: Firewall Filter Action Modifiers Supported For IPv4 Traffic on Switches Supported Bind Points Action Modifier

Switch

Ingress

Egress

analyzer

EX2200


Not supported

EX3200 and EX4200


Not supported

EX3300


Not supported

EX4500


Layer 3 interfaces

EX6200


Not supported

EX8200


Not supported

EX2200

VLANs

Not supported

EX3200 and EX4200



EX3300

Layer 3 interfaces


EX4500



EX6200



EX8200


Not supported

count

4276



Table 463: Firewall Filter Action Modifiers Supported For IPv4 Traffic on Switches (continued) Supported Bind Points Action Modifier

Switch

Ingress

Egress


EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200



EX2200

Not supported

Not supported

EX3200 and EX4200

Ports and VLANs

Not supported

EX3300

Not supported

Not supported

EX4500

Ports and VLANs

Not supported

EX6200

Ports and VLANs

Not supported

EX8200

Ports and VLANs

Not supported


NOTE: On EX8200 Virtual Chassis, the interface action modifier is supported only for VLANs.


4277

®



Switch

Ingress

Egress

log

EX2200


Not supported

EX3200 and EX4200


Not supported

EX3300


Not supported

EX4500


Not supported

EX6200


Not supported

EX8200


Not supported

EX2200



EX3200 and EX4200



EX3300



EX4500



EX6200



EX8200




4278




Switch

Ingress

Egress


EX2200


Not supported

EX3200 and EX4200


Not supported

EX3300


Not supported

EX4500


Not supported

EX6200


Not supported

EX8200


Not supported

EX2200


Not supported

EX3200 and EX4200


Not supported

EX3300


Not supported

EX4500


Not supported

EX6200


Not supported

EX8200


Not supported

syslog


4279

®



Switch

Ingress

Egress

three-color-policer

EX2200


Not supported

EX3200 and EX4200


Not supported

EX3300

Not supported

Not supported

EX4500


Not supported

EX6200



EX8200

Not supported

Not supported

Platform Support for Action Modifiers for IPv6 Traffic Table 464 on page 4280 summarizes support for action modifiers on different bind points for ingress and egress IPv6 traffic. You can define action modifiers listed in Table 464 on page 4280 in a port, VLAN, and router firewall filter for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches.

Table 464: Firewall Filter Action Modifiers Supported For IPv6 Traffic on Switches Supported Bind Points Action Modifier

Switch

Ingress

Egress

analyzer

EX3200 and EX4200


Not supported

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200


Not supported

EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200


Not supported

count

4280




Switch

Ingress

Egress


EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200

Ports and VLANs

Not supported

EX4500

Not supported

Not supported

EX8200

Ports and VLANs

Not supported


NOTE: On EX8200 Virtual Chassis, the interface action modifier is supported only for VLANs. log



EX3200 and EX4200


Not supported

EX4500

Not supported

Not supported

EX8200


Not supported

EX3200 and EX4200



EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200



EX3200 and EX4200


Not supported

EX4500

Layer 3 interfaces

Layer 3 interfaces

EX8200


Not supported


4281

®



Switch

Ingress

Egress

syslog

EX3200 and EX4200


Not supported

EX4500

Not supported

Not supported

EX8200


Not supported

EX3200 and EX4200

Not Supported

Not Supported

EX4500

Not supported

Not supported

EX8200

Not Supported

Not Supported

three-color-policer


•


•

Support for Match Conditions and Actions for Loopback Firewall Filters on Switches on page 4282

•


•


•


•


Support for Match Conditions and Actions for Loopback Firewall Filters on Switches On EX Series Ethernet switches, a loopback interface is a gateway for all the control traffic that enters the Routing Engine of the switch. If you want to monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0). Loopback firewall filters are applied only to packets that are sent to the Routing Engine CPU for further processing. Therefore, you can apply a firewall filter only in the ingress direction on the loopback interface. Each term in a firewall filter consists of match conditions and an action. Match conditions are the values or fields that a packet must contain. You can define multiple, single, or no match conditions. If no match conditions are specified for the term, all packets are matched by default. The string that defines a match condition is called a match statement. The action is the action that the switch takes if a packet matches the match conditions

4282



for the specific term. Action modifiers are optional and specify one or more actions that the switch takes if a packet matches the match conditions for the specific term. The following tables list match conditions, actions, and action modifiers that are supported for a firewall filter configured on a loopback interface on a switch: •


•


•


For information on match conditions, actions, and action modifiers supported for a firewall filter configured on a network interface, see “Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches” on page 4256.

Table 465: Match Conditions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch Match Condition

EX2200

EX3200, EX4200

EX3300

EX4500

EX6200

EX8200

Match conditions for IPv4 traffic: destination-address

✓

✓

✓

✓

✓

✓

destination-port

✓

✓

✓

✓

✓

✓


✓

✓

✓

✓

✓

✓

dscp

✓

✓

✓

✓

✓

✓

icmp-code

✓

✓

✓

✓

✓

✓

icmp-type

✓

✓

✓

✓

✓

✓

interface

✓

✓

✓

✓

✓

✓

is-fragment

✓

✓

✓

✓

–

–

packet-length

–

–

–

–

–

✓

precedence

✓

✓

✓

✓

✓

✓

protocol

✓

✓

✓

✓

✓

✓

source-address

✓

✓

✓

✓

✓

✓

source-port

✓

✓

✓

✓

✓

✓

source-prefix-list

✓

✓

✓

✓

✓

✓

Match conditions for IPv6 traffic:


4283

®


Table 465: Match Conditions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch (continued) Match Condition

EX2200

EX3200, EX4200

EX3300

EX4500

EX6200

EX8200

destination-address

–

✓

–

✓

–

✓

destination-port

–

✓

–

✓

–

✓


–

✓

–

–

–

✓

icmp-code

–

✓

–

✓

–

✓

icmp-type

–

✓

–

✓

–

✓

interface

–

✓

–

–

–

✓

next-header

–

✓

–

✓

–

✓

packet-length

–

–

–

–

–

✓

source-address

–

✓

–

✓

–

✓

source-port

–

✓

–

✓

–

✓

source-prefix-list

–

✓

–

–

–

✓

tcp-established

–

✓

–

–

–

–

tcp-flags

–

✓

–

–

–

–

tcp-initial

–

✓

–

–

–

–

traffic-class

–

✓

–

✓

–

✓

Table 466: Actions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch Match Condition

EX2200

EX3200, EX4200

EX3300

EX4500

EX6200

EX8200

Actions for IPv4 traffic: accept

✓

✓

✓

✓

✓

✓

discard

✓

✓

✓

✓

✓

✓

✓

–

–

–

✓

Actions for IPv6 traffic: accept

4284

–



Table 466: Actions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch (continued) Match Condition

EX2200

EX3200, EX4200

EX3300

EX4500

EX6200

EX8200

discard

–

✓

–

–

–

✓

Table 467: Action Modifiers for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch Match Condition

EX2200

EX3200, EX4200

EX3300

EX4500

EX6200

EX8200

Action modifiers for IPv4 traffic: count

✓

✓

–

–

✓

–

forwarding-class

✓

✓

✓

✓

–

✓

loss-priority

✓

✓

✓

✓

–

✓

Action modifiers for IPv6 traffic: count

–

✓

–

–

–

–

forwarding-class

–

✓

–

–

–

✓

loss-priority

–

✓

–

–

–

✓

NOTE: On EX8200 switches, if an implicit or explicit discard action is configured on a loopback interface for IPv4 traffic, next hop resolve packets are accepted and allowed to pass through the switch. However, for IPv6 traffic, you must explicitly configure a rule to allow the neighbor discovery IPv6 resolve packets to pass through the switch.


•


•


•


•


•


•



4285

®


Understanding How Firewall Filters Are Evaluated A firewall filter consists of one or more terms, and the order of the terms within a firewall filter is important. Before you configure firewall filters, you should understand how Juniper Networks EX Series Ethernet Switches evaluate the terms within a firewall filter and how packets are evaluated against the terms. When a firewall filter consists of a single term, the filter is evaluated as follows: •

If the packet matches all the conditions, the action in the then statement is taken.

•

If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken.

When a firewall filter consists of more than one term, the firewall filter is evaluated sequentially: 1.

The packet is evaluated against the conditions in the from statement in the first term.

2. If the packet matches all the conditions in the term, the action in the then statement

is taken and the evaluation ends. Subsequent terms in the filter are not evaluated. 3. If the packet does not match all the conditions in the term, the packet is evaluated

against the conditions in the from statement in the second term. This process continues until either the packet matches the conditions in the from statement in one of the subsequent terms or there are no more terms in the filter. 4. If a packet passes through all the terms in the filter without a match, the packet is

discarded. Figure 127 on page 4287 shows how an EX Series switch evaluates the terms within a firewall filter.

4286



Figure 127: Evaluation of Terms Within a Firewall Filter

If a term does not contain a from statement, the packet is considered to match and the action in the then statement of the term is taken. If a term does not contain a then statement, or if an action has not been configured in the then statement, and the packet matches the conditions in the from statement of the term, the packet is accepted. Every firewall filter contains an implicit deny statement at the end of the filter, which is equivalent to the following explicit filter term: term implicit-rule { then discard; }

Consequently, if a packet passes through all the terms in a filter without matching any conditions, the packet is discarded. If you configure a firewall filter that has no terms, all packets that pass through the filter are discarded.

NOTE: Firewall filtering is supported on packets that are at least 48 bytes long.


•


•


•


•



4287

®


Understanding Firewall Filter Match Conditions Before you define terms for firewall filters, you must understand how the match conditions that you specify in a term are handled and how to specify various types of match conditions to achieve the desired filtering results. A match condition consists of a string (called a match statement) that defines the match condition. Match conditions are the values or fields that a packet must contain. This topic describes: •

Filter Match Conditions on page 4288

•

Numeric Filter Match Conditions on page 4288

•

Interface Filter Match Conditions on page 4289

•

IP Address Filter Match Conditions on page 4289

•

MAC Address Filter Match Conditions on page 4290

•

Bit-Field Filter Match Conditions on page 4290

Filter Match Conditions In the from statement of a firewall filter term, you specify the packet conditions that trigger the action in one of the then statements: then with various options, then interface or then vlan. All conditions in the from statement must match for the action to be taken. The order in which you specify match conditions is not important, because a packet must match all the conditions in a term for a match to occur. If you specify no match conditions in a term, that term matches all packets. An individual condition in a from statement cannot contain a list of values. For example, you cannot specify numeric ranges or multiple source or destination addresses. Individual conditions in a from statement cannot be negated. A negated condition is an explicit mismatch.

Numeric Filter Match Conditions Numeric filter conditions match packet fields that are identified by a numeric value, such as port and protocol numbers. For numeric filter match conditions, you specify a keyword that identifies the condition and a single value that a field in a packet must match. You can specify the numeric value in one of the following ways: •

Single number—A match occurs if the value of the field matches the number. For example: source-port 25;

•

Text synonym for a single number— A match occurs if the value of the field matches the number that corresponds to the synonym. For example: source-port http;

4288



To specify more than one value in a filter term, you enter each value in its own match statement, which is a string that defines a match condition. For example, a match occurs in the following term if the value of vlan is 10 or 30. [edit firewall family family-name filter filter-name term term-name from] vlan 10; vlan 30;

The following restrictions apply to numeric filter match conditions: •

You cannot specify a range of values.

•

You cannot specify a list of comma-separated values.

•

You cannot exclude a specific value in a numeric filter match condition. For example, you cannot specify a condition that would match only if the match condition was not equal to a given value.

Interface Filter Match Conditions Interface filter match conditions can match interface name values in a packet. For interface filter match conditions, you specify the name of the interface, for example: [edit firewall family family-name filter filter-name term term-name from] user@switch# set interface ge-0/0/1

Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter that is applied to a router interface can specify the logical unit number in the interface filter match condition, for example: [edit firewall family family-name filter filter-name term term-name from] user@switch# set interface ge-0/1/0.0

You can include the * wildcard as part of the interface name, for example: [edit firewall family family-name filter filter-name term term-name from] user@switch# set interface ge-0/*/1 user@switch# set interface ge-0/1/* user@switch# set interface ge-*

IP Address Filter Match Conditions Address filter match conditions can match prefix values in a packet, such as IP source and destination prefixes. For address filter match conditions, you specify a keyword that identifies the field and one prefix of that type that a packet must match. You specify the address as a single prefix. A match occurs if the value of the field matches the prefix. For example: [edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-address 10.2.1.0/28;

Each prefix contains an implicit 0/0 except statement, which means that any prefix that does not match the prefix that is specified is explicitly considered not to match. To specify the address prefix, use the notation prefix/prefix-length. If you omit prefix-length, it defaults to /32. For example: [edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-address 10


4289

®


[edit firewall family family-name filter filter-name term term-name from] user@switch# show destination-address 10.0.0.0/32;

To specify more than one IP address in a filter term, you enter each address in its own match statement. For example, a match occurs in the following term if the value of the source-address field matches either of the following source-address prefixes: [edit firewall family family-name filter filter-name term term-name from] user@switch# set source-address 10.0.0.0/8 user@switch# set source-address 10.1.0.0/16

MAC Address Filter Match Conditions MAC address filter match conditions can match source and destination MAC address values in a packet. For MAC address filter match conditions, you specify a keyword that identifies the field and one value of that type that a packet must match. You can specify the MAC address as six hexadecimal bytes in the following formats: [edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-mac-address 0011.2233.4455 [edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-mac-address 00:11:22:33:44:55 [edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-mac-address 001122334455

To specify more than one MAC address in a filter term, you enter each MAC address in its own match statement. For example, a match occurs in the following term if the value of the source-mac-address field matches either of the following addresses. [edit firewall family family-name filter filter-name term term-name from] user@switch# set source-mac-address 00:11:22:33:44:55 user@switch# set source-mac-address 00:11:22:33:20:15

Bit-Field Filter Match Conditions Bit-field filter conditions match packet fields if particular bits in those fields are or are not set. You can match the IP options, TCP flags, and IP fragmentation fields. For bit-field filter match conditions, you specify a keyword that identifies the field and tests to determine that the option is present in the field. To specify the bit-field value to match, enclose the value in double quotation marks. For example, a match occurs if the RST bit in the TCP flags field is set: [edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags "rst"

Typically, you specify the bits to be tested by using keywords. Bit-field match keywords always map to a single bit value. You also can specify bit fields as hexadecimal or decimal numbers. To match multiple bit-field values, use the logical operators, which are described in Table 468 on page 4291. The operators are listed in order from highest precedence to lowest precedence. Operations are left-associative.

4290



Table 468: Logical Operators for Matching Multiple Bit-Field Operators Logical Operators

Description

!

Negation.

&

Logical AND.

|

Logical OR.

To negate a match, precede the value with an exclamation point. For example, a match occurs only if the RST bit in the TCP flags field is not set: [edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags "!rst"

In the following example of a logical AND operation, a match occurs if the packet is the initial packet on a TCP session: [edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags "syn&!ack"

In the following example of a logical OR operation, a match occurs if the packet is not the initial packet on a TCP session: [edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags "syn|ack"

For a logical OR operation, you can specify a maximum of two match conditions in a single term. If you need to match more than two bit-field values in a logical OR operation, configure the same match condition in consecutive terms with additional bit-field values. In the following example, the two terms configured match the SYN, ACK, FIN, or RST bit in the TCP flags field: [edit firewall family family-name filter filter-name term term-name1 from] user@switch# set tcp-flags "syn|ack" [edit firewall family family-name filter filter-name term term-name2 from] user@switch# set tcp-flags "fin|rst"

You can use text synonyms to specify some common bit-field matches. You specify these matches as a single keyword. In the following example of a text synonym, a match occurs if the packet is the initial packet on a TCP session: [edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags tcp-initial


•


•


•


•


•



4291

®


Understanding How Firewall Filters Test a Packet's Protocol When examining match conditions, Juniper Networks Junos operating system (Junos OS) for Juniper Networks EX Series Ethernet Switches tests only the field that is specified. The software does not implicitly test the IP header to determine whether a packet is an IP packet. Therefore, in some cases, you must specify protocol field match conditions in conjunction with other match conditions to ensure that the filters are performing the expected matches. If you specify a protocol match condition or a match of the ICMP type or TCP flags field, there is no implied protocol match. For the following match conditions, you must explicitly specify the protocol match condition in the same term: •

destination-port—Specify the match protocol tcp or protocol udp.

•

source-port—Specify the match protocol tcp or protocol udp.

If you do not specify the protocol when using the preceding fields, design your filters carefully to ensure that they perform the expected matches. For example, if you specify a match of destination-port ssh, the switch deterministically matches any packets that have a value of 22 in the two-byte field that is two bytes beyond the end of the IP header without ever checking the IP protocol field. Related Documentation

•


•


•


Understanding the Use of Policers in Firewall Filters Policing, or rate limiting, is an important component of firewall filters that lets you control the amount of traffic that enters an interface on Juniper Networks EX Series Ethernet Switches. This topic describes: •

Policers Overview on page 4292

•

Policer Types on page 4293

•

Policer Actions on page 4294

•

Policer Levels on page 4294

•

Color Modes on page 4294

•

Naming Conventions for Policers on page 4295

Policers Overview A single firewall filter configured with a policer permits only traffic within a specified set of rate limits to provide protection from denial-of-service (DoS) attacks. Traffic that

4292



exceeds the rate limits specified by the policer is either discarded immediately or is marked as lower priority than traffic that is within the rate limits. The switch discards the lower-priority traffic if traffic becomes congested. A policer applies two types of rate limits on traffic: •

Bandwidth—The number of bits per second permitted, on average.

•

Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit.

Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value. You can define specific classes of traffic on an interface and apply a set of rate limits to each class. After you name and configure a policer, it is stored as a template. You can then use a policer in a firewall filter configuration. Each policer that you configure includes an implicit counter that counts the number of packets that exceed the rate limits that are specified for the policer. To get filter-specific or term-specific packets counts, you must configure a different policer for each filter or term that performs policing.

Policer Types Switches support three types of policers: •

Single-rate two-color—A two-color policer (sometimes called simply “policer”) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit or simply discard them. A two-color policer is most useful for metering traffic at the port (physical interface) level.

•

Single-rate three-color—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and the excess burst size (EBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets arriving are below the CBS (green), exceed the CBS (yellow) but not the EBS, or exceed the EBS (red). A single-rate three-color policer is most useful when a service is structured according to packet length and not according to peak arrival rate.

•

Two-rate three-color—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and peak information rate (PIR), along with their associated burst sizes, the CBS and peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets arriving are below the CIR (green), exceed the CIR (yellow) but not the PIR, or exceed the PIR (red). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not to packet length.


4293

®


Policer Actions Policer actions are implicit or explicit and vary by policer type. The term implicit means that Junos OS assigns a loss-priority value automatically; explicit means that you configure the action. Table 469 on page 4294 lists policer actions.

Table 469: Policer Actions Policer

Marking

Implicit Action

Configurable Action

Single-rate two-color

Green (Conforming)

Assign low loss priority

None

Red (Nonconforming)

None

Assign low or high loss priority, assign a forwarding class, or discard

Green (Conforming)

Assign low loss None priority

None

Red (Above the EBS)

Assign high loss priority

Discard

Green (Conforming)

Assign low loss priority

None

Red (Above the PIR and PBS)

Assign high loss priority

Discard

Single-rate three-color

Two-rate three-color

Policer Levels You can configure policers at the queue level, logical interface level, or Layer 2 (MAC) level. Only a single policer is applied to a packet at the egress queue, and the search for policers occurs in this order: •

Queue level

•

Logical interface level

•

Layer 2 (MAC) level

Color Modes Tricolor marking (TCM) policers are not bound by a green-yellow-red coloring convention. Packets are marked with low or high PLP bit configurations based on color, so both three-color policer types extend the functionality of class-of-service (CoS) traffic policing by providing three levels of drop precedence (loss priority) instead of the two normally available in policers. Both single-rate and two-rate three-color policer types can operate in two modes:

4294

•

Color-blind—In color-blind mode, the three-color policer operates without reference to whether the examined packets have been previously marked or metered. In other words, the three-color policer is “blind” to any previous coloring a packet might have had.

•

Color-aware—In color-aware mode, the three-color policer operates with reference to any previous marking or metering of the examined packets. In other words, the



three-color policer is “aware” of the previous coloring a packet might have had. In color-aware mode, the three-color policer can increase the PLP of a packet but can never decrease it. For example, if a color-aware three-color policer meters a packet with a low PLP marking, it can raise the PLP level to high. But, a high PLP level cannot be reduced to low.

Naming Conventions for Policers We recommend you use the naming convention policernumber-TCMnumber-colortype when configuring three-color policers and policernumber when configuring two-color policers. TCM stands for tricolor marking. Because policers can be numerous and must be applied correctly to work, a simple naming convention makes it easier to apply the policers properly. For example, if the first policer you configure is a single-rate, color-aware, three-color policer, name it srTCM1-ca. If the second policer you configure is a two-rate, color-blind, three-color policer, name it trTCM2-cb. Related Documentation

•


•


•


•


Understanding Tricolor Marking Architecture Tricolor marking (TCM) policers provide two functions: metering and marking. A policer meters each packet and passes the packet and the metering result to the marker. The meter operates in two modes. In the color-blind mode, the meter treats the packet stream as uncolored. Any preset loss priorities are ignored. In the color-aware mode, the meter inspects the packet loss priority (PLP) field, which has been set by an upstream device as high or low; in other words, the PLP field has already been set by a behavior aggregate (BA) or multifield (MF) classifier. The marker changes the PLP of each incoming IP packet according to the results of the meter. Single-rate TCM is so called because traffic is policed according to one rate—the committed burst rate (CBR)—and two burst sizes: the committed burst size (CBS) and the excess burst size (EBS). The configured information rate (CIR) specifies the average rate at which bits are admitted to the network. The CBS specifies the usual burst size in bytes and the EBS specifies the maximum burst size in bytes for packets that are admitted to the network. The EBS is greater than or equal to the CBS, and neither can be 0. As each packet enters the network, its bytes are counted. Packets that do not exceed the CBS are marked low PLP. Packets that exceed the peak information rate (PIR) are marked high PLP.


4295

®


Two-rate TCM is so called because traffic is policed according to two rates: the CIR and the PIR. The PIR is greater than or equal to the CIR. The CIR specifies the average rate at which bits are admitted to the network, and the PIR specifies the maximum rate at which bits are admitted to the network. As each packet enters the network, its bits are counted. Bits in packets that do not exceed the CIR have their packets marked low PLP. Bits in packets that exceed the PIR have their packets marked high PLP. Related Documentation

•


•

Configuring Tricolor Marking Policers on page 4337

Understanding Filter-Based Forwarding for EX Series Switches Administrators of Juniper Networks EX Series Ethernet Switches can use firewall filters in conjunction with virtual routing instances to specify different routes for packets to travel in their networks. To set up this feature, which is called filter-based forwarding, you specify a filter and match criteria and then specify the virtual routing instance to send packets to. You might want to use filter-based forwarding to route specific types of traffic through a firewall or security device before the traffic continues on its path. You can also use filter-based forwarding to give certain types of traffic preferential treatment or to improve load balancing of switch traffic. Related Documentation

4296

•


•


•



CHAPTER 112

Examples of Firewall Filters Configuration •


•


•


Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches This example shows how to configure and apply firewall filters to control traffic that is entering or exiting a port on the switch, a VLAN on the network, and a Layer 3 interface on the switch. Firewall filters define the rules that determine whether to forward or deny packets at specific processing points in the packet flow. •


•


•

Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic on page 4301

•

Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic on page 4306

•

Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN on page 4308

•

Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN on page 4310

•

Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet on page 4312

•


Requirements This example uses the following software and hardware components:


4297

®


•


•

Two Juniper Networks EX3200-48T switches: one to be used as an access switch, the other to be used as a distribution switch

•

One Juniper Networks EX-UM-4SFP uplink module

•

One Juniper Networks J-series router

Before you configure and apply the firewall filters in this example, be sure you have: •

An understanding of firewall filter concepts, policers, and CoS

•

Installed the uplink module in the distribution switch. See Installing an Uplink Module in an EX3200 Switch.

Overview This configuration example show how to configure and apply firewall filters to provide rules to evaluate the contents of packets and determine when to discard, forward, classify, count, and analyze packets that are destined for or originating from the EX Series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic. Table 470 on page 4298 shows the firewall filters that are configured for the EX Series switches in this example.

Table 470: Configuration Components: Firewall Filters Component

Purpose/Description

Port firewall filter,

This firewall filter performs two functions:

ingress-port-voip-class-limit-tcp-icmp •

Assigns priority queueing to packets with a source MAC address that matches the phone MAC addresses. The forwarding class expedited-forwarding provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan traffic.

•

Performs rate limiting on packets that enter the ports for employee-vlan. The traffic rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000 bytes.

This firewall filter is applied to port interfaces on the access switch. VLAN firewall filter, ingress-vlan-rogue-block

Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that manages call registration, admission, and call status for VoIP calls. Only TCP or UDP ports should be used; and only the gatekeeper uses HTTP. That is, all voice-vlan traffic on TCP ports should be destined for the gatekeeper device. This firewall filter applies to all phones on voice-vlan, including communication between any two phones on the VLAN and all communication between the gatekeeper device and VLAN phones. This firewall filter is applied to VLAN interfaces on the access switch.

VLAN firewall filter, egress-vlan-watch-employee

Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor this traffic. Employee traffic destined for the Web is counted and analyzed. This firewall filter is applied to vlan interfaces on the access switch.

4298


Chapter 112: Examples of Firewall Filters Configuration

Table 470: Configuration Components: Firewall Filters (continued) Component

Purpose/Description

VLAN firewall filter,

Prevents guests (non-employees) from talking with employees or employee hosts on employee-vlan. Also prevents guests from using peer-to-peer applications on guest-vlan, but allows guests to access the Web.

ingress-vlan-limit-guest

This firewall filter is applied to VLAN interfaces on the access switch. Router firewall filter,

Prioritizes employee-vlan traffic, giving highest forwarding-class priority to employee traffic destined for the corporate subnet.

egress-router-corp-class

This firewall filter is applied to a routed port (Layer 3 uplink module) on the distribution switch.

Figure 128 on page 4299 shows the application of port, VLAN, and Layer 3 routed firewall filters on the switch.

Figure 128: Application of Port, VLAN, and Layer 3 Routed Firewall Filters

Network Topology The topology for this configuration example consists of one EX-3200-48T switch at the access layer, and one EX-3200-48T switch at the distribution layer. The distribution switch's uplink module is configured to support a Layer 3 connection to a J-series router.


4299

®


The EX Series switches are configured to support VLAN membership. Table 471 on page 4300 shows the VLAN configuration components for the VLANs.

Table 471: Configuration Components: VLANs VLAN Name

VLAN ID

voice-vlan

10

VLAN Subnet and Available IP Addresses

VLAN Description

192.0.2.0/28 192.0.2.1 through 192.0.2.14

Voice VLAN used for employee VoIP traffic

192.0.2.15 is subnet’s broadcast address employee-vlan

20

192.0.2.16/28 192.0.2.17 through 192.0.2.30 192.0.2.31

is subnet’s broadcast address

guest-vlan

30

192.0.2.32/28 192.0.2.33 through 192.0.2.46 192.0.2.47


camera-vlan

40

192.0.2.48/28 192.0.2.49 through 192.0.2.62 192.0.2.63

VLAN standalone PCs, PCs connected to the network through the hub in VoIP telephones, wireless access points, and printers. This VLAN completely includes the voice VLAN. Two VLANs (voice-vlan and employee-vlan) must be configured on the ports that connect to the telephones. VLAN for guests’ data devices (PCs). The scenario assumes that the corporation has an area open to visitors, either in the lobby or in a conference room, that has a hub to which visitors can plug in their PCs to connect to the Web and to their company’s VPN. VLAN for the corporate security cameras.


Ports on the EX Series switches support Power over Ethernet (PoE) to provide both network connectivity and power for VoIP telephones connecting to the ports. Table 472 on page 4300 shows the switch ports that are assigned to the VLANs and the IP and MAC addresses for devices connected to the switch ports:

Table 472: Configuration Components: Switch Ports on a 48-Port All-PoE Switch Switch and Port Number

VLAN Membership

IP and MAC Addresses

Port Devices

ge-0/0/0, ge-0/0/1

voice-vlan, employee-vlan

IP addresses: 192.0.2.1 through

Two VoIP telephones, each connected to one PC.

192.0.2.2

MAC addresses: 00.05.85.00.00.01, 00.05.85.00–00.02

4300



Table 472: Configuration Components: Switch Ports on a 48-Port All-PoE Switch (continued) Switch and Port Number

VLAN Membership

IP and MAC Addresses

Port Devices

ge-0/0/2, ge-0/0/3

employee-vlan

192.0.2.17 through 192.0.2.18

Printer, wireless access points

ge-0/0/4, ge-0/0/5

guest-vlan

192.0.2.34 through 192.0.2.35

Two hubs into which visitors can plug in their PCs. Hubs are located in an area open to visitors, such as a lobby or conference room

ge-0/0/6, ge-0/0/7

camera-vlan

192.0.2.49 through 192.0.2.50

Two security cameras

ge-0/0/9

voice-vlan

IP address: 192.0.2.14

Gatekeeper device. The gatekeeper manages call registration, admission, and call status for VoIP phones.

MAC address:00.05.85.00.00.0E ge-0/1/0

IP address: 192.0.2.65

Layer 3 connection to a router; note that this is a port on the switch’s uplink module

Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks: CLI Quick Configuration

To quickly configure and apply a port firewall filter to prioritize voice traffic and rate-limit packets that are destined for the employee-vlan subnet, copy the following commands and paste them into the switch terminal window: [edit] set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m set firewall policer tcp-connection-policer then discard set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m set firewall policer icmp-connection-policer then discard set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.01 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.02 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control from precedence net-control set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then forwarding-class network-control set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then loss-priority low set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from destination-address 192.0.2.16/28


4301

®


set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from protocol tcp set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer tcp-connection-policer set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then count tcp-counter set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then forwarding-class best-effort set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then loss-priority high set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from protocol icmp set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer icmp-connection-policer set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then count icmp-counter set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then forwarding-class best-effort set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then loss-priority high set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then forwarding-class best-effort set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then loss-priority high set interfaces ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port" set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp set interfaces ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port" set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp set class-of-service schedulers voice-high buffer-size percent 15 set class-of-service schedulers voice-high priority high set class-of-service schedulers net-control buffer-size percent 10 set class-of-service schedulers net-control priority high set class-of-service schedulers best-effort buffer-size percent 75 set class-of-service schedulers best-effort priority low set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort


To configure and apply a port firewall filter to prioritize voice traffic and rate-limit packets that are destined for the employee-vlan subnet: 1.

Define the policers tcp-connection-policer and icmp-connection-policer: [edit] user@switch# set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m user@switch# set firewall policer tcp-connection-policer then discard user@switch# set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m user@switch# set firewall policer icmp-connection-policer then discard

2.

4302

Define the firewall filter ingress-port-voip-class-limit-tcp-icmp:



[edit firewall] user@switch# set family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp 3.

Define the term voip-high: [edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp ] user@switch# set term voip-high from source-mac-address 00.05.85.00.00.01 user@switch# set term voip-high from source-mac-address 00.05.85.00.00.02 user@switch# set term voip-high from protocol udp user@switch# set term voip-high then forwarding-class expedited-forwarding user@switch# set term voip-high then loss-priority low

4.

Define the term network-control: [edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp ] user@switch# set term network-control from precedence net-control user@switch# set term network-control then forwarding-class network-control user@switch# set term network-control then loss-priority low

5.

Define the term tcp-connection to configure rate limits for TCP traffic: [edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp] user@switch# set term tcp-connection from destination-address 192.0.2.16/28 user@switch# set term tcp-connection from protocol tcp user@switch# set term tcp-connection then policer tcp-connection-policer user@switch# set term tcp-connection then count tcp-counter user@switch# set term tcp-connection then forwarding-class best-effort user@switch# set term tcp-connection then loss-priority high

6.

Define the term icmp-connection to configure rate limits for ICMP traffic: [edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp] user@switch# set term icmp-connection from destination-address 192.0.2.16/28 user@switch# set term icmp-connection from protocol icmp user@switch# set term icmp-connection then policer icmp-policer user@switch# set term icmp-connection then count icmp-counter user@switch# set term icmp-connection then forwarding-class best-effort user@switch# set term icmp-connection then loss-priority high

7.

Define the term best-effort with no match conditions for an implicit match on all packets that did not match any other term in the firewall filter: [edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp] user@switch# set term best-effort then forwarding-class best-effort user@switch# set term best-effort then loss-priority high

8.

Apply the firewall filter ingress-port-voip-class-limit-tcp-icmp as an input filter to the port interfaces for employee-vlan : [edit interfaces] user@switch# set ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port" user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp user@switch# set ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port" user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp

9.

Configure the parameters that are desired for the different schedulers.


4303

®


NOTE: When you configure parameters for the schedulers, define the numbers to match your network traffic patterns.

[edit class-of-service] user@switch# set schedulers (CoS) voice-high buffer-size percent 15 user@switch# set schedulers voice-high priority high user@switch# set schedulers network—control buffer-size percent 10 user@switch# set schedulers network—control priority high user@switch# set schedulers best-effort buffer-size percent 75 user@switch# set schedulers best-effort priority low 10.

Assign the forwarding classes to schedulers with a scheduler map: [edit class-of-service] user@switch# set scheduler-maps ethernet-diffsrv-cos-map user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort

11.

Associate the scheduler map with the outgoing interface: [edit class-of-service] user@switch# set interfaces ge–0/1/0 scheduler-map ethernet-diffsrv-cos-map

Results

Display the results of the configuration: user@switch# show firewall { policer tcp-connection-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 30k; } then { discard; } } policer icmp-connection-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 30k; } then { discard; } } family ethernet-switching { filter ingress-port-voip-class-limit-tcp-icmp { term voip-high { from { destination-mac-address 00.05.85.00.00.01; destination-mac-address 00.05.85.00.00.02; protocol udp;

4304



} then { forwarding-class expedited-forwarding; loss-priority low; } } term network-control { from { precedence net-control ; } then { forwarding-class network-control; loss-priority low; } } term tcp-connection { from { destination-address 192.0.2.16/28; protocol tcp; } then { policer tcp-connection-policer; count tcp-counter; forwarding-class best-effort; loss-priority high; } } term icmp-connection from { protocol icmp; } then { policer icmp-connection-policer; count icmp-counter; forwarding-class best-effort; loss-priority high; } } term best-effort { then { forwarding-class best-effort; loss-priority high; } } } } } interfaces { ge-0/0/0 { description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"; unit 0 { family ethernet-switching { filter { input ingress-port-voip-class-limit-tcp-icmp; } }


4305

®


} } ge-0/0/1 { description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"; unit 0 { family ethernet-switching { filter { input ingress-port-voip-class-limit-tcp-icmp; } } } } } scheduler-maps { ethernet-diffsrv-cos-map { forwarding-class expedited-forwarding scheduler voice-high; forwarding-class network-control scheduler net-control; forwarding-class best-effort scheduler best-effort; } } interfaces { ge/0/1/0 { scheduler-map ethernet-diffsrv-cos-map; } }

Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks: CLI Quick Configuration

To quickly configure a VLAN firewall filter on voice-vlan to prevent rogue devices from using HTTP sessions to mimic the gatekeeper device that manages VoIP traffic, copy the following commands and paste them into the switch terminal window: [edit] set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-address 192.0.2.14 set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-port 80 set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then accept set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-address 192.0.2.14 set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-port 80 set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper then accept set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper from destination-port 80 set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then count rogue-counter set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then discard set vlans voice-vlan description "block rogue devices on voice-vlan" set vlans voice-vlan filter input ingress-vlan-rogue-block

4306




To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices from using HTTP to mimic the gatekeeper device that manages VoIP traffic: 1.

Define the firewall filter ingress-vlan-rogue-block to specify filter matching on the traffic you want to permit and restrict: [edit firewall] user@switch# set family ethernet-switching filter ingress-vlan-rogue-block

2.

Define the term to-gatekeeper to accept packets that match the destination IP address of the gatekeeper: [edit firewall family ethernet-switching filter ingress-vlan-rogue-block] user@switch# set term to-gatekeeper from destination-address 192.0.2.14 user@switch# set term to-gatekeeper from destination-port 80 user@switch# set term to-gatekeeper then accept

3.

Define the term from-gatekeeper to accept packets that match the source IP address of the gatekeeper: [edit firewall family ethernet-switching filter ingress-vlan-rogue-block] user@switch# set term from-gatekeeper from source-address 192.0.2.14 user@switch# set term from-gatekeeper from source-port 80 user@switch# set term from-gatekeeper then accept

4.

Define the term not-gatekeeper to ensure all voice-vlan traffic on TCP ports is destined for the gatekeeper device: [edit firewall family ethernet-switching filter ingress-vlan-rogue-block] user@switch# set term not-gatekeeper from destination-port 80 user@switch# set term not-gatekeeper then count rogue-counter user@switch# set term not-gatekeeper then discard

5.

Apply the firewall filter ingress-vlan-rogue-block as an input filter to the VLAN interface for the VoIP telephones: [edit] user@switch# set vlans voice-vlan description "block rogue devices on voice-vlan" user@switch# set vlans voice-vlan filter input ingress-vlan-rogue-block

Results

Display the results of the configuration: user@switch# show firewall { family ethernet-switching { filter ingress-vlan-rogue-block { term to-gatekeeper { from { destination-address 192.0.2.14/32 destination-port 80; } then { accept; } } term from-gatekeeper { from { source-address 192.0.2.14/32 source-port 80; } then { accept;


4307

®


} } term not-gatekeeper { from { destination-port 80; } then { count rogue-counter; discard; } } } vlans { voice-vlan { description "block rogue devices on voice-vlan"; filter { input ingress-vlan-rogue-block; } } }

Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks: CLI Quick Configuration

A firewall filter is configured and applied to VLAN interfaces to filter employee-vlan egress traffic. Employee traffic destined for the corporate subnet is accepted but not monitored. Employee traffic destined for the Web is counted and analyzed. To quickly configure and apply a VLAN firewall filter, copy the following commands and paste them into the switch terminal window: [edit] set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then count employee-web-counter set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then analyzer employee-monitor set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic" set vlans employee-vlan filter output egress-vlan-watch-employee

4308




To configure and apply an egress port firewall filter to count and analyze employee-vlan traffic that is destined for the Web: 1.

Define the firewall filter egress-vlan-watch-employee: [edit firewall] user@switch# set family ethernet-switching filter egress-vlan-watch-employee

2.

Define the term employee-to-corp to accept but not monitor all employee-vlan traffic destined for the corporate subnet: [edit firewall family ethernet-switching filter egress-vlan-watch-employee] user@switch# set term employee-to-corp from destination-address 192.0.2.16/28 user@switch# set term employee-to-corp then accept

3.

Define the term employee-to-web to count and monitor all employee-vlan traffic destined for the Web: [edit firewall family ethernet-switching filter egress-vlan-watch-employee] user@switch# set term employee-to-web from destination-port 80 user@switch# set term employee-to-web then count employee-web-counter user@switch# set term employee-to-web then analyzer employee-monitor

NOTE: See “Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches” on page 5073 for information about configuring the employee-monitor analyzer.

4.

Apply the firewall filter egress-vlan-watch-employee as an output filter to the port interfaces for the VoIP telephones: [edit] user@switch# set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic" user@switch# set vlans employee-vlan filter output egress-vlan-watch-employee

Results

Display the results of the configuration: user@switch# show firewall { family ethernet-switching { filter egress-vlan-watch-employee { term employee-to-corp { from { destination-address 192.0.2.16/28 } then { accept; } } term employee-to-web { from { destination-port 80; } then { count employee-web-counter: analyzer employee-monitor; }


4309

®


} } } } vlans { employee-vlan { description "filter at egress VLAN to count and analyze employee to Web traffic"; filter { output egress-vlan-watch-employee; } } }

Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks: CLI Quick Configuration

In the following example, the first filter term permits guests to talk with other guests but not employees on employee-vlan. The second filter term allows guests Web access but prevents them from using peer-to-peer applications on guest-vlan. To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking guests from talking with employees or employee hosts on employee-vlan or attempting to use peer-to-peer applications on guest-vlan, copy the following commands and paste them into the switch terminal window: [edit] set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest from destination-address 192.0.2.33/28 set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest then accept set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer then accept set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN" set vlans guest-vlan filter input ingress-vlan-limit-guest


To configure and apply a VLAN firewall filter to restrict guest-to-employee traffic and peer-to-peer applications on guest-vlan: 1.

Define the firewall filter ingress-vlan-limit-guest: [edit firewall] set firewall family ethernet-switching filter ingress-vlan-limit-guest

2.

Define the term guest-to-guest to permit guests on the guest-vlan to talk with other guests but not employees on the employee-vlan: [edit firewall family ethernet-switching filter ingress-vlan-limit-guest] user@switch# set term guest-to-guest from destination-address 192.0.2.33/28 user@switch# set term guest-to-guest then accept

3.

4310

Define the term no-guest-employee-no-peer-to-peer to allow guests on guest-vlan Web access but prevent them from using peer-to-peer applications on the guest-vlan.



NOTE: The destination-mac-address is the default gateway, which for any host in a VLAN is the next-hop router.

[edit firewall family ethernet-switching filter ingress-vlan-limit-guest] user@switch# set term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF user@switch# set term no-guest-employee-no-peer-to-peer then accept 4.

Apply the firewall filter ingress-vlan-limit-guest as an input filter to the interface for guest-vlan : [edit] user@switch# set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN" user@switch# set vlans guest-vlan filter input ingress-vlan-limit-guest

Results

Display the results of the configuration: user@switch# show firewall { family ethernet-switching { filter ingress-vlan-limit-guest { term guest-to-guest { from { destination-address 192.0.2.33/28; } then { accept; } } term no-guest-employee-no-peer-to-peer { from { destination-mac-address 00.05.85.00.00.DF; } then { accept; } } } } } vlans { guest-vlan { description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"; filter { input ingress-vlan-limit-guest; } } }


4311

®


Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks: CLI Quick Configuration

To quickly configure a firewall filter for a routed port (Layer 3 uplink module) to filter employee-vlan traffic, giving highest forwarding-class priority to traffic destined for the corporate subnet, copy the following commands and paste them into the switch terminal window: [edit] set firewall family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28 set firewall family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding set firewall family inet filter egress-router-corp-class term corp-expedite then loss-priority low set firewall family inet filter egress-router-corp-class term not-to-corp then accept set interfaces ge-0/1/0 description "filter at egress router to expedite destined for corporate network" set ge-0/1/0 unit 0 family inet address 103.104.105.1 set interfaces ge-0/1/0 unit 0 family inet filter output egress-router-corp-class


To configure and apply a firewall filter to a routed port (Layer 3 uplink module) to give highest priority to employee-vlan traffic destined for the corporate subnet: 1.

Define the firewall filter egress-router-corp-class: [edit] user@switch# set firewall family inet filter egress-router-corp-class

2.

Define the term corp-expedite: [edit firewall] user@switch# set family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28 user@switch# set family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding user@switch# set family inet filter egress-router-corp-class term corp-expedite then loss-priority low

3.

Define the term not-to-corp: [edit firewall] user@switch# set family inet filter egress-router-corp-class term not-to-corp then accept

4.

Apply the firewall filter egress-router-corp-class as an output filter for the port on the switch's uplink module, which provides a Layer 3 connection to a router: [edit interfaces] user@switch# set ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network" user@switch# set ge-0/1/0 unit 0 family inet address 103.104.105.1 user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-corp-class

Results

Display the results of the configuration: user@switch# show firewall { family inet { filter egress-router-corp-class {

4312



term corp-expedite { from { destination-address 192.0.2.16/28; } then { forwarding-class expedited-forwarding; loss-priority low; } } term not-to-corp { then { accept; } } } } } interfaces { ge-0/1/0 { unit 0 { description "filter at egress router interface to expedite employee traffic destined for corporate network"; family inet { source-address 103.104.105.1 filter { output egress-router-corp-class; } } } } }

Verification To confirm that the firewall filters are working properly, perform the following tasks: •

Verifying that Firewall Filters and Policers are Operational on page 4313

•

Verifying that Schedulers and Scheduler-Maps are Operational on page 4314

Verifying that Firewall Filters and Policers are Operational Purpose

Action

Verify the operational state of the firewall filters and policers that are configured on the switch. Use the operational mode command: user@switch> show firewall Filter: ingress-port-voip-class-limit-tcp-icmp Counters: Name icmp-counter tcp-counter Policers: Name icmp-connection-policer tcp-connection-policer


Packets 0 0 Packets 0 0

4313

®


Filter: ingress-vlan-rogue-block Filter: egress-vlan-watch-employee Counters: Name employee-web—counter

Meaning

Packets 0

The show firewall command displays the names of the firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for all configured counters and the packet count for all policers.

Verifying that Schedulers and Scheduler-Maps are Operational Purpose Action

Verify that schedulers and scheduler-maps are operational on the switch. Use the operational mode command: user@switch> show class-of-service scheduler-map Scheduler map: default, Index: 2 Scheduler: default-be, Forwarding class: Transmit rate: 95 percent, Rate Limit: Priority: low Drop profiles: Loss priority Protocol Index Low non-TCP 1 Low TCP 1 High non-TCP 1 High TCP 1

best-effort, Index: 20 none, Buffer size: 95 percent,

Name default-drop-profile default-drop-profile default-drop-profile default-drop-profile

Scheduler: default-nc, Forwarding class: network-control, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 default-drop-profile Low TCP 1 default-drop-profile High non-TCP 1 default-drop-profile High TCP 1 default-drop-profileScheduler map: ethernet-diffsrv-cos-map, Index: 21657 Scheduler: best-effort, Forwarding class: best-effort, Index: 61257 Transmit rate: remainder, Rate Limit: none, Buffer size: 75 percent, Priority: low Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 Low TCP 1 High non-TCP 1 High TCP 1 Scheduler: voice-high, Forwarding class: expedited-forwarding, Index: 3123 Transmit rate: remainder, Rate Limit: none, Buffer size: 15 percent, Priority: high Drop profiles: Loss priority Protocol Index Name Low non-TCP 1

4314



Low High High

TCP non-TCP TCP

1 1 1

Scheduler: net-control, Forwarding class: network-control, Index: 2451 Transmit rate: remainder, Rate Limit: none, Buffer size: 10 percent, Priority: high Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 Low TCP 1 High non-TCP 1 High TCP 1

Meaning


Displays statistics about the configured schedulers and schedulers-maps.

•

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX Series Switches on page 5078

•


•


•


•


•


•

[edit firewall] Configuration Statement Hierarchy on EX Series Switches on page 88

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches Administrators can configure filter-based forwarding on an EX Series switch by using a firewall filter to forward matched traffic to a specific virtual routing instance. This example describes how to set up filter-based forwarding: •


•


•


•




•



4315

®


Overview and Topology In this example, traffic from one application server that is destined for a different application server is matched by a firewall filter based on the IP address. Any matching packets are routed to a particular virtual routing instance that first sends all traffic to a security device, then forwards it to the designated destination address.

Configuration To configure filter-based forwarding: CLI Quick Configuration

To quickly create and configure filter-based forwarding, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24 set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24 set firewall family inet filter fil term t1 from source-address 1.1.1.1/32 set firewall family inet filter fil term t1 from protocol tcp set interfaces ge-0/0/0 unit 0 family inet filter input fil set routing-instances vrf01 instance-type virtual-router set routing-instances vrf01 interface ge-0/0/1.0 set routing-instances vrf01 interface ge-0/0/3.0 set routing-instances vrf01 routing-options static route 12.34.56.0/24 next-hop 10.1.3.254 set firewall family inet filter fil term t1 then routing-instance vrf01


To configure filter-based forwarding: 1.

Create interfaces to the application servers: [edit] user@switch# set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24 user@switch# set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24

2.

Create a firewall filter that matches the correct source address: [edit] user@switch# set firewall family inet filter fil term t1 from source-address 1.1.1.1/32 user@switch# set firewall family inet filter fil term t1 from protocol tcp

3.

Associate the filter with the source application server’s interface: [edit] user@switch# set interfaces ge-0/0/0 unit 0 family inet filter input fil

4.

Create a virtual router: [edit] user@switch# set routing-instances vrf01 instance-type virtual-router

5.

Associate the interfaces with the virtual router: [edit] user@switch# set routing-instances vrf01 interface (Routing Instances) ge-0/0/1.0 user@switch# set routing-instances vrf01 interface ge-0/0/3.0

6.

Configure the routing information for the virtual routing instance: [edit] user@switch# set routing-instances vrf01 routing-options static route 12.34.56.0/24 next-hop 10.1.3.254

7.

Set the filter to forward packets to the virtual router you created: [edit] user@switch# set firewall family inet filter fil term t1 then routing-instance vrf01

4316



Check the results of the configuration: user@switch> show configuration interfaces { ge-0/0/0 { unit 0 { family inet { filter { input fil; } address 10.1.0.1/24; } } } ge-0/0/3 { unit 0 { family inet { address 10.1.3.1/24; } } } } firewall { family inet { filter fil { term t1 { from { source-address { 1.1.1.1/32; } protocol tcp; } then { routing-instance vrf01; } } } } } routing-instances { vrf01 { instance-type virtual-router; interface ge-0/0/1.0; interface ge-0/0/3.0; routing-options { static { route 12.34.56.0/24 next-hop 10.1.3.254; } } } }


4317

®



Verifying That Filter-Based Forwarding Was Configured on page 4318

Verifying That Filter-Based Forwarding Was Configured Purpose Action

Verify that filter-based forwarding was properly enabled on the switch. 1.

Use the show interfaces filters command: user@switch> show interfaces filters ge-0/0/0.0 Interface Admin Link Proto Input Filter ge-0/0/0.0 up down inet fil

Output Filter

2. Use the show route forwarding-table command: user@switch> show route forwarding-table Routing table: default.inet Internet: Destination Type RtRef default user 1 default perm 0 0.0.0.0/32 perm 0 10.1.0.0/24 ifdn 0 10.1.0.0/32 iddn 0 10.1.0.1/32 user 0 10.1.0.1/32 intf 0 10.1.0.1/32 iddn 0 10.1.0.255/32 iddn 0 10.1.1.0/26 ifdn 0 10.1.1.0/32 iddn 0 10.1.1.1/32 user 0 10.1.1.1/32 intf 0 10.1.1.1/32 iddn 0 10.1.1.63/32 iddn 0 255.255.255.255/32 perm 0 Routing table: vrf01.inet Internet: Destination Type RtRef default perm 0 0.0.0.0/32 perm 0 10.1.3.0/24 ifdn 0 10.1.3.0/32 iddn 0 10.1.3.1/32 user 0 10.1.3.1/32 intf 0 10.1.3.1/32 iddn 0 10.1.3.255/32 iddn 0 224.0.0.0/4 perm 0 224.0.0.1/32 perm 0 255.255.255.255/32 perm 0

Next hop 0:12:f2:21:cf:0

10.1.0.0 10.1.0.1 10.1.0.1 10.1.0.255 10.1.1.0 10.1.1.1 10.1.1.1 10.1.1.63

Next hop

10.1.3.0 10.1.3.1 10.1.3.1 10.1.3.255 224.0.0.1

Routing table: default.iso ISO: Destination Type RtRef Next hop default perm 0

4318

Type Index NhRef Netif ucst 331 4 me0.0 rjct 36 3 dscd 34 1 rslv 613 1 ge-0/0/0.0 recv 611 1 ge-0/0/0.0 rjct 36 3 locl 612 2 locl 612 2 bcst 610 1 ge-0/0/0.0 rslv 583 1 vlan.0 recv 581 1 vlan.0 rjct 36 3 locl 582 2 locl 582 2 bcst 580 1 vlan.0 bcst 32 1

Type Index NhRef Netif rjct 559 2 dscd 545 1 rslv 617 1 ge-0/0/3.0 recv 615 1 ge-0/0/3.0 rjct 559 2 locl 616 2 locl 616 2 bcst 614 1 ge-0/0/3.0 mdsc 546 1 mcst 529 1 bcst 543 1

Type Index NhRef Netif rjct 60 1



Routing table: vrf01.iso ISO: Destination Type RtRef Next hop default perm 0

Meaning


Type Index NhRef Netif rjct 600 1

The output indicates that the filter was created on the interface and that the virtual routing instance is forwarding matching traffic to the correct IP address.

•


•


•


•


Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch You can configure a firewall filter on a management interface on an EX Series switch to filter ingress or egress traffic on the management interface on the switch. You can use utilities such as SSH or Telnet to connect to the management interface over the network and then use management protocols such as SNMP to gather statistical data from the switch. This example discusses how to configure a firewall filter on a management interface to filter SSH packets egressing from an EX Series switch: •


•


•


•



One EX Series switch and one management PC

•


Overview and Topology In this example, a management PC establishes an SSH connection with the management interface on a switch to remotely manage the switch. The IP address configured for the management interface is 10.204.33.103/20. A firewall filter is configured on the management interface to count the number of packets egressing from a source SSH port on the management interface. When the management PC establishes the SSH session with the management interface, the management interface returns SSH packets to the management PC to confirm that the session is established. These SSH packets


4319

®


are filtered based on the match condition specified in the firewall filter before they are forwarded to the management PC. As these packets are generated from the source SSH port on the management interface, they fulfill the match condition specified for the management interface. The number of matched SSH packets provides a count of the number of packets that have traversed the management interface. A system administrator can use this information to monitor the management traffic and take any action if required. Figure 129 on page 4320 shows the topology for this example in which a management PC establishes an SSH connection with the switch.

Figure 129: SSH Connection From a Management PC to an EX Series Switch Management PC

g040550

10.204.33.103/20 me0 SSH connection

Switch

Configuration To configure a firewall filter on a management interface, perform these tasks: CLI Quick Configuration

To quickly create and configure a firewall filter on the management interface to filter SSH packets egressing from the management interface, copy the following commands and paste them into the switch terminal window: [edit] set firewall family inet filter mgmt_fil1 term t1 from source-port ssh set firewall family inet filter mgmt_fil1 term t1 then count c1 set firewall family inet filter mgmt_fil1 term t2 then accept set interfaces me0 unit 0 family inet filter output mgmt_fil1


To configure a firewall filter on the management interface to filter SSH packets: 1.

Configure the firewall filter that matches SSH packets from the source port: [edit] user@switch# set firewall family inet filter (Firewall Filters) mgmt_fil1 term t1 from source-port ssh user@switch# set firewall family inet filter mgmt_fil1 term t1 then count c1 user@switch# set firewall family inet filter mgmt_fil1 term t2 then accept

These statements set a counter c1 to count the number of SSH packets that egress from the source SSH interface on the management interface. 2.

Set the firewall filter for the management interface: [edit] user@switch# set interfaces me0 unit 0 family inet filter output mgmt_fil1

NOTE: You can also set the firewall filter for a VME interface.

Results

4320




[edit] user@switch# show interfaces { me0 { unit 0 { family inet { filter { output mgmt_fil1; } address 10.93.54.6/24; } } } } firewall { family inet { filter mgmt_fil1{ term t1 { from { source-port ssh; then (Firewall Filters) count c1; } } term t2 { then accept; } } } }


Verifying That the Firewall Filter Is Configured on a Management Interface on page 4321

Verifying That the Firewall Filter Is Configured on a Management Interface Purpose

Verify that the firewall filter has been enabled on the management interface on the switch.


4321

®


Action

1.

Verify that the firewall filter is applied to the management interface: [edit] user@switch# show interfaces me0 unit 0 { family inet { filter { output mgmt_fil1; } address 10.204.33.103/20; } }

2. Check the counter value that is associated with the firewall filter: user@switch> show firewall Filter: mgmt_fil1 Counters: Name c1

Bytes 0

Packets 0

3. From the management PC, establish a secure shell session with the switch: [user@management-pc ~]$ ssh [email protected] 4. Check counter values after SSH packets are generated from the switch in response

to the secure shell session request by the management PC: user@switch> show firewall Filter: mgmt_fil1 Counters: Name c1

Meaning


4322

Bytes 3533

Packets 23

The output indicates that the firewall filter has been applied to the management interface and the counter value indicates that 23 SSH packets were generated from the switch.

•


•



CHAPTER 113

Configuring Firewall Filters •


•


•


•


•

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) on page 4339

•

Configuring Routing Policies (J-Web Procedure) on page 4340

Configuring Firewall Filters (CLI Procedure) You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface. This topic describes: •

Configuring a Firewall Filter on page 4323

•

Applying a Firewall Filter to a Port on a Switch on page 4327

•

Applying a Firewall Filter to a Management Interface on a Switch on page 4328

•

Applying a Firewall Filter to a VLAN on a Network on page 4329

•

Applying a Firewall Filter to a Layer 3 (Routed) Interface on page 4329

Configuring a Firewall Filter Before you can apply a firewall filter to a port, VLAN, or Layer 3 interface, you must configure a firewall filter with the required details, such as type of family for the firewall filter, firewall filter name, and match conditions. A match condition in the firewall filter configuration can contain multiple terms that define the criteria for the match condition. For each term, you must specify an action to be performed if a packet matches the conditions in the term. For information on different match conditions and actions, see “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246. To configure a firewall filter:


4323

®


1.

Configure the family address type for the firewall filter: •

For a firewall filter that is applied to a port or VLAN, specify the family address type ethernet-switching to filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets, for example: [edit firewall] user@switch# set family ethernet-switching

•

For a firewall filter that is applied to a Layer 3 (routed) interface: •

To filter IPv4 packets, specify the family address type inet, for example: [edit firewall] user@switch# set family inet

•

To filter IPv6 packets, specify the family address type inet6, for example: [edit firewall] user@switch# set family inet6

NOTE: You can configure firewall filters for both IPv4 and IPv6 traffic on the same Layer 3 interface.

2. Specify the filter name: [edit firewall family ethernet-switching] user@switch# set filter (Firewall Filters) ingress-port-filter

The filter name can contain letters, numbers, and hyphens (-) and can have a maximum of 64 characters. Each filter name must be unique. 3. If you want to apply a firewall filter to multiple interfaces and name individual firewall

counters specific to each interface, configure the interface-specific option: [edit firewall family ethernet-switching filter ingress-port-filter] user@switch# set interface-specific 4. Specify a term name: [edit firewall family ethernet-switching filter ingress-port-filter] user@switch# set term term-one

The term name can contain letters, numbers, and hyphens (-) and can have a maximum of 64 characters. A firewall filter can contain one or more terms. Each term name must be unique within a filter.

4324


Chapter 113: Configuring Firewall Filters

NOTE: The maximum number of terms allowed per firewall filter for EX Series switches is: •


•


NOTE: On EX3300 switches, if you add and delete filters with a large number of terms (on the order of 1000 or more) in the same commit operation, not all the filters are installed. You must add filters in one commit operation, and delete filters in a separate commit operation.

•

7168 for EX3200 and EX4200 switches

•


•


•


If you attempt to configure a firewall filter that exceeds these limits, the switch returns an error message when you commit the configuration. The error message is something like “Number of filter terms exceeded,” with the filter term limit for that switch indicated.

5. In each firewall filter term, specify the match conditions to use to match components

of a packet. To specify match conditions to match on packets that contain a specific source-address and source-port—for example: [edit firewall family ethernet-switching filter ingress-port-filter term term-one] user@switch# set from source-address 192.0.2.14 user@switch# set from source-port 80

You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if included in a term, the from statement cannot be empty. If you omit the from statement, all packets are considered to match. 6. In each firewall filter term, specify the actions to take if the packet matches all the

conditions in that term. You can specify an action and/or action modifiers: accept, discard, reject message-type, routing-instance routing-instance, or vlan vlan-name. •

To specify a filter action, for example, to discard packets that match the conditions of the filter term:


4325

®


[edit firewall family ethernet-switching filter ingress-port-filter term term-one] user@switch# set then discard

You can specify no more than one action (accept, discard, reject message-type, routing-instance routing-instance, or vlan vlan-name) per filter term. •

To specify an action modifier, for example, to count and classify packets in a forwarding class: [edit firewall family ethernet-switching filter ingress-port-filter term term-one] user@switch# set then (Firewall Filters) count counter-one user@switch# set then forwarding-class expedited-forwarding

In a then statement, you can specify any of the following action modifiers: •

analyzer analyzer-name—Mirror port traffic to a specified destination port or VLAN

that is connected to a protocol analyzer application. An analyzer must be configured under the ethernet-switching family address type. See “Configuring Port Mirroring to Analyze Traffic (CLI Procedure)” on page 5104. •

count counter-name—Count the number of packets that pass this filter term.

NOTE: We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

•

forwarding-class class—Classify packets in a forwarding class.

•

loss-priority priority—Set the priority of dropping a packet.

•

policer policer-name—Apply rate-limiting to the traffic.

•

interface interface-name—Forward the traffic to the specified interface, bypassing

the switching lookup. •

log—Log the packet's header information in the Routing Engine.

If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you must always explicitly configure an action and/or action modifier in the then statement. You can include no more than one action, but you can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.

4326



NOTE: Implicit discard is also applicable to a firewall filter applied to the loopback interface, lo0. On Juniper Networks EX8200 Ethernet Switches, if an implicit or explicit discard action is configured on a loopback interface for IPv4 traffic, next hop resolve packets are accepted and allowed to pass through the switch. However, for IPv6 traffic, you must explicitly configure a rule to allow the neighbor discovery IPv6 resolve packets to pass through the switch.

Applying a Firewall Filter to a Port on a Switch You can apply a firewall filter to a port on a switch to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic. To apply a firewall filter to a port to filter ingress or egress traffic:

NOTE: For applying a firewall filter to a management interface, see “Applying a Firewall Filter to a Management Interface on a Switch” on page 4328

1.

Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied: [edit interfaces] user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter at trunk port for employee-vlan and voice-vlan applied on the interface"

NOTE: Providing the description is optional.

2. Specify the unit number and family address type for the interface: [edit interfaces] user@switch# set ge-0/0/1 unit 0 family ethernet-switching

For firewall filters that are applied to ports, the family address type must be ethernet-switching. 3. To apply a firewall filter to filter packets that are entering a port: [edit interfaces] user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

To apply a firewall filter to filter packets that are exiting a port: [edit interfaces] user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter output egress-port-filter


4327

®


NOTE: You can apply no more than one firewall filter per port, per direction.

Applying a Firewall Filter to a Management Interface on a Switch You can configure and apply a firewall filter to a management interface to control traffic that is entering or exiting the interface on a switch. You can use utilities such as SSH or Telnet to connect to the management interface over the network and then use management protocols such as SNMP to gather statistical data from the switch. Similar to configuring a firewall filter on other types of interfaces, you can configure a firewall filter on a management interface using any match condition, action, and action modifier specified in “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246 except for the following action modifiers: •

loss-priority

•

forwarding-class

You can apply a firewall filter to the management Ethernet interface on any EX Series switch. You can also apply a firewall filter to the virtual management Ethernet (VME) interface on the EX4200 switch. For more information on the management Ethernet interface and the VME interface, see “EX Series Switches Interfaces Overview” on page 1769. To apply a firewall filter on the management interface to filter ingress or egress traffic: 1.

Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied: [edit interfaces] user@switch# set me0 description "filter to limit tcp traffic filter at management interface"


2. Specify the unit number and family address type for the management interface: [edit interfaces] user@switch# set me0 unit 0 family inet

NOTE: For firewall filters that are applied to management interfaces, the family address type can be either inet or inet6.

3. To apply a firewall filter to filter packets that are entering a management interface: [edit interfaces] user@switch# set me0 unit 0 family inet filter input ingress-port-filter

To apply a firewall filter to filter packets that are exiting a management interface: [edit interfaces] user@switch# set me0 unit 0 family inet filter output egress-port-filter

4328



NOTE: You can apply no more than one firewall filter per management interface, per direction.

Applying a Firewall Filter to a VLAN on a Network You can apply a firewall filter to a VLAN on a network to filter ingress or egress traffic on the network. To apply a firewall filter to a VLAN, specify the VLAN name and ID, and then apply the firewall filter to the VLAN. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic. To apply a firewall filter to a VLAN: 1.

Specify the VLAN name and VLAN ID and provide a meaningful description of the firewall filter and the VLAN to which the filter is applied: [edit vlans] user@switch# set employee-vlan vlan-id (802.1Q Tagging) 20 vlan-description "filter to rate limit traffic applied on employee-vlan"


2. Apply firewall filters to filter packets that are entering or exiting the VLAN: •

To apply a firewall filter to filter packets that are entering the VLAN: [edit vlans] user@switch# set employee-vlan vlan-id (802.1Q Tagging) 20 filter (VLANs) input ingress-vlan-filter

•

To apply a firewall filter to filter packets that are exiting the VLAN: [edit vlans] user@switch# set employee-vlan vlan-id (802.1Q Tagging) 20 filter output egress-vlan-filter

NOTE: You can apply no more than one firewall filter per VLAN, per direction.

Applying a Firewall Filter to a Layer 3 (Routed) Interface You can apply a firewall filter to a Layer 3 (routed) interface to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.


4329

®


To apply a firewall filter to a Layer 3 interface on a switch: 1.

Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied: [edit interfaces] user@switch# set ge-0/1/0 description "filter to count and monitor employee-vlan traffic applied on layer 3 interface"


2. Specify the unit number, family address type, and address for the interface: [edit interfaces] user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24

For firewall filters applied to Layer 3 interfaces, the family address type must be inet (for IPv4 traffic) or inet6 (for IPv6 traffic). 3. You can apply firewall filters to filter packets that are entering or exiting a Layer 3

(routed) interface: •

To apply a firewall filter to filter packets that are entering a Layer 3 interface: [edit interfaces] user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24 filter input ingress-router-filter

•

To apply a firewall filter to filter packets that are exiting a Layer 3 interface: [edit interfaces] user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24 filter output egress-router-filter

NOTE: You can apply no more than one firewall filter per Layer 3 interface, per direction.


4330

•


•


•


•


•

Verifying That Firewall Filters Are Operational on page 4347

•

Monitoring Firewall Filter Traffic on page 4348

•




Configuring Firewall Filters (J-Web Procedure) You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface. To configure firewall filter settings using the J-Web interface: 1.

Select Configure > Security > Filters. The Firewall Filter Configuration page displays a list of all configured port/VLAN or router filters and the ports or VLANs associated with a particular filter.


2. Click one: •

Add—Select this option to create a new filter. Enter information as specified in Table 473 on page 4331.

•

Edit—Select this option to edit an existing filter. Enter information as specified in Table 473 on page 4331.

•

Delete—Select this option to delete a filter.

•

Term Up—Select this option to move a term up in the filter term list.

•

Term Down—Select this option to move a term down in the filter term list.

Table 473: Create a New Filter Field

Function

Your Action

Filter type

Specifies the filter type: port/VLAN firewall filter or router firewall filter.

Select the filter type.

Filter name

Specifies the name for the filter.

Enter a name.

Select terms to be part of the filter

Specifies the terms to be associated with the filter. Add new terms or edit existing terms.

Click Add to add new terms. Enter information as specified in Table 474 on page 4332 and Table 475 on page 4333.

Filter tab

Association tab


4331

®


Table 473: Create a New Filter (continued) Field

Function

Your Action

Port Associations

Specifies the ports with which the filter is associated.

1.

NOTE: For a port/VLAN filter type, only Ingress direction is supported for port association.

2. Select the direction: Ingress or Egress.

Click Add.

3. Select the ports. 4. Click OK.

VLAN Associations

Specifies the VLANs with which the filter is associated.

1.

Click Add.

NOTE: Because router firewall filters can be associated with ports only, this section is not displayed for a router firewall filter.

2. Select the direction: Ingress or Egress. 3. Select the VLANs. 4. Click OK.

Table 474: Create a New Term Field

Function

Your Action

Term Name

Specifies the name of the term.

Enter a name.

Protocols

Specifies the protocols to be associated with the term.

1.

Click Add.

2. Select the protocols. 3. Click OK.

Source

Specifies the source IP address, MAC address, and available ports.

To specify the IP address, click Add > IP and enter the IP address.

NOTE: MAC address is specified only for port/VLAN filters.

To specify the MAC address, click Add > MAC and enter the MAC address. To specify the ports (interfaces), click Add > Ports and enter the port number. To delete the IP address, MAC address, or port details, select it and click Remove.

Destination

Specifies the destination IP address, MAC address, and available ports.

To specify the IP address, click Add > IP and enter the IP address.

NOTE: MAC address is specified only for port/VLAN filters.

To specify the MAC address, click Add > MAC and enter the MAC address. To specify the ports (interfaces), click Add > Ports and enter the port number. To delete the IP address, MAC address, or port details, select it and click Remove.

Action

4332

Specifies the packet action for the term.

Select one: •

Accept

•

Discard



Table 474: Create a New Term (continued) Field

Function

Your Action

More

Specifies advanced configuration options for the filter.

Select the match conditions as specified in Table 475 on page 4333. Select the packet action for the term as specified in Table 475 on page 4333.

Table 475: Advanced Options for Terms Table

Function

Your Action

ICMP Type

Specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port.

Select the option from the list.

ICMP Code

Specifies more specific information than ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify icmp-type along with icmp-code. The keywords are grouped by the ICMP type with which they are associated.


DSCP

Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

Select the DSCP number from the list.

Precedence

Specifies IP precedence.


NOTE: IP precedence and DSCP number cannot be specified together for the same term. IP Options

Specifies the presence of the options field in the IP header.


Interface

Specifies the interface on which the packet is received.

Select the interface from the list.

Ether type

Specifies the Ethernet type field of a packet.


NOTE: This option is not applicable for a routing filter.


4333

®


Table 475: Advanced Options for Terms (continued) Table

Function

Your Action

Dot 1q user priority

Specifies the user-priority field of the tagged Ethernet packet. User-priority values can be 0–7.


In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed) •

background (1)—Background

•

best-effort (0)—Best effort

•

controlled-load (4)—Controlled load

•

excellent-load (3)—Excellent load

•

network-control (7)—Network control reserved traffic

•

standard (2)—Standard or Spare

•

video (5)—Video

•

voice (6)—Voice

NOTE: This option is not applicable for a routing filter. VLAN

Specifies the VLAN to be associated with the packet.

Select the VLAN from the list.

NOTE: This option is not applicable for a routing filter. TCP Flags

Specifies one or more TCP flags.

Select the option TCP Initial or enter a combination of TCP flags.

NOTE: TCP flags are supported on ingress ports, VLANs, and router interfaces. Fragmentation Flags

Specifies the IP fragmentation flags.

Select either the option is-fragment or enter a combination of fragment action flags.

NOTE: Fragmentation flags are supported on ingress ports, VLANs, and router interfaces. Dot1q tag

Specifies the value for tag field in the Ethernet header. Values can be from 1 through 4095.

Enter the value.

NOTE: This option is not applicable for a routing filter. Action Counter name

Specifies the count of the number of packets that pass this filter, term, or policer.

Enter a value.

Forwarding class

Classifies the packet into one of the following forwarding classes:


4334

•

assured-forwarding

•

best-effort

•


•

network-control

•

user-defined



Table 475: Advanced Options for Terms (continued) Table

Function

Your Action

Loss priority

Specifies the packet loss priority.

Enter the value.

NOTE: Forwarding class and loss priority should be specified together for the same term. Analyzer

Specifies whether to perform port-mirroring on packets. Port-mirroring copies all packets entering one switch port to a network monitoring connection on another switch port.


Select the analyzer (port mirroring configuration) from the list.

•


•


•


•


•


Configuring Policers to Control Traffic Rates (CLI Procedure) You can configure policers to rate limit traffic on EX Series switches. After you configure a policer, you can include it in an ingress firewall filter configuration. When you configure a firewall filter, you can specify a policer action for any term or terms within the filter. All traffic that matches a term that contains a policer action goes through the policer that the term references. Each policer that you configure includes an implicit counter. To get term-specific packet counts, you must configure a new policer for each filter term that requires policing. The following policer limits apply on the switch: •

A maximum of 512 policers can be configured for port firewall filters.

•

A maximum of 512 policers can be configured for VLAN and Layer 3 firewall filters.

If the policer configuration exceeds these limits, the switch returns the following message after the commit operation: Cannot assign policers: Max policer limit reached 1.

Configuring Policers on page 4335

2. Specifying Policers in a Firewall Filter Configuration on page 4336 3. Applying a Firewall Filter That Is Configured with a Policer on page 4336

Configuring Policers To configure a policer:


4335

®


1.

Specify the name of the policer: [edit firewall] user@switch# set policer policer-one

The policer name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. 2. Specify the filter-specific statement to configure a policer to act as a filter-specific

policer else proceed to step 3: [edit firewall] user@switch# set policer policer-one filter-specific

If you do not specify the filter-specific statement, the policer acts as a term-specific policer by default. 3. Configure rate limiting for the policer: a. Specify the bandwidth limit in bits per second (bps) to control the traffic rate on

an interface: [edit firewall policer policer-one] user@switch# set if-exceeding bandwidth-limit 300k

The range for the bandwidth limit is 1k through 102.3g bps. b. Specify the maximum allowed burst size to control the amount of traffic bursting: [edit firewall policer policer-one] user@switch# set if-exceeding burst-size-limit 500k

To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur: burst size = bandwidth * allowable time for burst traffic The range for the burst-size limit is 1 through 2,147,450,880 bytes. 4. Specify the policer action discard to discard packets that exceed the rate limits: [edit firewall policer] user@switch# set policer-one then (Policer Action) discard

Discard is the only supported policer action.

Specifying Policers in a Firewall Filter Configuration To reference a policer for a single firewall, configure a filter term that includes the policer action: [edit firewall family ethernet-switching] user@switch# set filter (Firewall Filters) limit-hosts term term-one from source-address 192.0.2.16/28 userswitch# set filter limit-hosts term term-one then policer policer-one

Applying a Firewall Filter That Is Configured with a Policer A firewall filter that is configured with one or more policer actions, like any other filter, must be applied to a port, VLAN, or Layer 3 interface. For information about applying firewall filters, see the sections on applying firewall filters in “Configuring Firewall Filters (CLI Procedure)” on page 4323.

4336



NOTE: You can include policer actions on ingress firewall filters only.


•


•


•


•

Verifying That Policers Are Operational on page 4348

•


Configuring Tricolor Marking Policers You can rate-limit traffic on EX Series switches by configuring a policer and specifying it as an action modifier for a term in a firewall filter. By default, if you specify the same policer in multiple terms, Junos OS creates a separate policer instance for each term and applies rate limiting separately for each instance. For example, if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, each policer instance enforces a 1-Gbps limit. In this case, the total bandwidth allowed by the filter is 3 Gbps. You can also configure a policer to be filter-specific, which means that Junos OS creates only one policer instance regardless of how many times the policer is referenced. When you do this, rate limiting is applied in aggregate, so if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, the total bandwidth allowed by the filter is 1 Gbps. This topic describes how to configure single-rate and two-rate tricolor marking (TCM) policers, also known as single-rate and two-rate three-color policers. If you want to configure a single-rate two-color policer (also known just as a "policer"), see “Configuring Policers to Control Traffic Rates (CLI Procedure)” on page 4335. This topic includes: •

Configuring a Tricolor Marking Policer on page 4337

•

Applying Tricolor Marking Policers to Firewall Filters on page 4338

Configuring a Tricolor Marking Policer A tricolor marking policer polices traffic on the basis of metering rates, including the configured information rate (CIR), the peak information rate (PIR), their associated burst sizes, and any policing actions configured for the traffic. With tri-color marking, you can configure traffic policing according to two separate modes—color-blind and color-aware. In color-blind mode, the current packet loss priority (PLP) value is ignored. In color-aware mode, the current PLP values are considered by the policer, and the policer can increase those values but cannot decrease them. To configure a tricolor marking (TCM) policer:


4337

®


1.

Specify the name of the policer and (optionally) whether to automatically discard packets with high loss priority (PLP): [edit firewall] user@switch# set three-color-policer policer-name user@switch# set three-color-policer policer-name action loss-priority high then discard

2. Specify the policer as either single-rate or two-rate and as color-aware or color-blind: [edit firewall three-color-policer policer-name] user@switch# set rate mode

For example: [edit firewall three-color-policer srTCm-1a] user@switch# set single-rate color-aware [edit firewall three-color-policer trTCM2-cb] user@switch# set two-rate color-blind 3. For a single-rate TCM policer, configure the CIR, committed burst size (CBS), and

excess burst size (EBS): [edit firewall three-color-policer policer-name single-rate] user@switch# set committed-information-rate bps user@switch# set committed-burst-size bytes user@switch# set excess-burst-size bytes 4. For a two-rate TCM policer, configure the CIR, CBS, PIR, and peak burst size (PBS): [edit firewall three-color-policer policer-name single-rate] user@switch# set committed-information-rate bps user@switch# set committed-burst-size bytes user@switch# set peak-information-rate bps user@switch# set peak-burst-size bytes

Applying Tricolor Marking Policers to Firewall Filters To rate-limit traffic by applying a tricolor marking (TCM) policer to a firewall filter: [edit firewall family family filter filter-name term term-name then] user@switch# set three-color-policer rate stTCM1-ca

For example: [edit firewall family inet filter test1 term term1 then] user@switch# set three-color-policer single-rate policer1

You must include either the single-rate statement or the two-rate statement in the reference to the policer in the firewall filter configuration, and this statement must match the configured TCM policer. Otherwise, an error message appears in the configuration listing. For example, if you configure srTCM1-ca as a single-rate TCM policer and try to apply it as a two-rate policer, the following message appears: [edit firewall] user@switch# show three-color-policer srTCM1-ca single-rate { color-aware; ... } user@switch# show filter TESTER term A { then {

4338



three-color-policer { ## ## Warning: Referenced two-rate policer does not exist ## two-rate srTCM; } } }


•


•


Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) You can configure firewall filters with multifield classifiers to classify packets transiting a port, VLAN, or Layer 3 interface on an EX Series switch. You specify multifield classifiers in a firewall filter configuration to set the forwarding class and packet loss priority (PLP) for incoming or outgoing packets. By default, the data traffic that is not classified is assigned to the best-effort class associated with queue 0. You can specify any of the following default forwarding classes: Forwarding class

Queue

best-effort

0

assured-forwarding

1


5

network-control

7

To assign multifield classifiers in firewall filters: 1.

Configure the family name and filter name for the filter at the [edit firewall] hierarchy level, for example: [edit firewall] user@switch# set family ethernet-switching user@switch# set family ethernet-switching filter (Firewall Filters) ingress-filter

2. Configure the terms of the filter, including the forwarding-class and loss-priority action

modifiers as appropriate. When you specify a forwarding class you must also specify the packet loss priority. For example, each of the following terms examines different packet header fields and assigns an appropriate classifier and the packet loss priority: •

The term voice-traffic matches packets on the voice-vlan and assigns the forwarding class expedited-forwarding and packet loss priority low: [edit firewall family ethernet-switching filter ingress-filter]


4339

®


user@switch# set term voice-traffic from vlan-id voice-vlan user@switch# set term voice-traffic then forwarding-class expedited-forwarding user@switch# set term voice-traffic then loss-priority low •

The term data-traffic matches packets on employee-vlan and assigns the forwarding class assured-forwarding and packet loss priority low: [edit firewall family ethernet-switching filter ingress-filter] user@switch# set term data-traffic from vlan-id employee-vlan user@switch# set term data-traffic then forwarding-class assured-forwarding user@switch# set term data-traffic then loss-priority low

•

Because loss of network-generated packets can jeopardize proper network operation, delay is preferable to discard of packets. The following term, network-traffic, assigns the forwarding class network-control and packet loss priority low: [edit firewall family ethernet-switching filter ingress-filter] user@switch# set term network-traffic from precedence net-control user@switch# set term network-traffic then forwarding-class network user@switch# set term network-traffic then loss-priority low

•

The last term accept-traffic matches any packets that did not match on any of the preceding terms and assigns the forwarding class best-effort and packet loss priority low: [edit firewall family ethernet-switching filter ingress-filter] user@switch# set term accept-traffic from precedence net-control user@switch# set term accept-traffic then forwarding-class best-effort user@switch# set term accept-traffic then loss-priority low

3. Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information about

applying the filter, see “Configuring Firewall Filters (CLI Procedure)” on page 4323. Related Documentation

•


•


•


•

Defining CoS Classifiers (CLI Procedure) on page 4487

•

Defining CoS Classifiers (J-Web Procedure) on page 4489

•


•


Configuring Routing Policies (J-Web Procedure) All routing protocols use the Junos OS routing table to store the routes that they learn and to determine which routes are advertised in the protocol packets. Routing policy allows you to control which routes the routing protocols store in and retrieve from the routing table on the routing device. To configure routing policies for an EX Series switch using the J-Web interface:

4340



1.

Select Configure > Routing > Policies.


2. Click one: •

Global Options—Configures global options for policies. Enter information into the configuration page as described in Table 306 on page 2597.

•

Add—Configures a new policy. Select New and specify a policy name. To add terms, enter information into the configuration page as described in Table 307 on page 2597. Select Clone to create a copy of an existing policy.

•

Edit—Edits an existing policy. To modify an existing term, enter information into the configuration page as described in Table 307 on page 2597.

•

Term Up—Moves a term up in the list.

•

Term Down—Moves a term down in the list.

•

Delete—Deletes the selected policy.

•

Test Policy—Tests the policy. Use this option to check whether the policy produces the results that you expect.

Table 476: Policies Global Configuration Parameters Field

Function

Your Action

Prefix List

Specifies a list of IPv4 address prefixes for use in a routing policy statement.

To add a prefix list: 1.

Click Add.

2. Enter a name for the prefix list. 3. To add an IP address, click Add. 4. Enter the IP address and the subnet mask and click OK. 5. Click OK. To edit a prefix list, click Edit. Edit the settings and click OK. To delete a prefix list, select it and click Delete.


4341

®


Table 476: Policies Global Configuration Parameters (continued) Field

Function

Your Action

BGP Community

Specifies a BGP community.

To add a BGP community: 1.

Click Add.

2. Enter a name for the community. 3. To add a community, click Add. 4. Enter the community ID and click OK. 5. Click OK. To edit a BGP community, click Edit. Edit the settings and click OK. To delete a BGP community, select it and click Delete. AS Path

Specifies an AS path. This is applicable to BGP only.

To add an AS path: 1.

Click Add.

2. Enter the AS path name. 3. Enter the regular expression and click OK. 4. Click OK. To edit an AS path, click Edit. Edit the settings and click OK. To delete an AS path, select it and click Delete.

Table 477: Terms Configuration Parameters Field

Function

Your Action

Term Name

Specifies a term name.


Family



Routing Instance



RIB


Select a value from the list

Preference



Metric

Specifies a metric value. You can specify up to four metric values.


Interface



Source tab

To add an address, select Add > Address. Select the address from the list. To remove an interface, select it and click Remove.

4342




Function

Your Action

Prefix List

Specifies a named list of IP addresses. You can specify an exact match with incoming routes.

Click Add. Select the prefix list from the list and click OK. To remove a prefix list, select it and click Remove.

Protocol


Click Add and select the protocol from the list. To remove a protocol, select it and click Remove.

Policy

Specifies the name of a policy to evaluate as a subroutine.

Click Add. Select the policy from the list. To remove a policy, select it and click Remove.

More

Specifies advanced configuration options for policies.

Click More for advanced configuration.

OSPF Area ID

Specifies the area identifier.

Type the IP address.

BGP Origin

Specifies the origin of the AS path information.


Local Preference

Specifies the BGP local preference.

Type a value.

Route

Specifies the type of route.

Select External. Select the OSPF type from the list.

AS Path

Specifies the name of an AS path regular expression.

Click Add. Select the AS path from the list.

Community

Specifies the name of one or more communities.

Click Add. Select the community from the list.

Family



Routing Instance



RIB



Preference


Type a value.

Metric

Specifies a metric value.

Type a value.

Destination tab


4343

®



Function

Your Action

Interface


To add an interface, select Add > Interface. Select the interface from the list. To add an address, select Add > Address. Select the address from the list. To delete an interface, select it and click Remove.

Protocol


Click Add and select the protocol from the list. To delete a protocol, select it and click Remove.

Action tab Action

Specifies the action to take if the conditions match.


Default Action

Specifies that any action that is intrinsic to the protocol is overridden. This action is also nonterminating, so that various policy terms can be evaluated before the policy is terminated.


Next

Specifies the default control action if a match occurs, and there are no further terms in the current routing policy.


Priority

Specifies a priority for prefixes included in an OSPF import policy. Prefixes learned through OSPF are installed in the routing table based on the priority assigned to the prefixes.


BGP Origin

Specifies the BGP origin attribute.


AS Path Prepend

Affixes an AS number at the beginning of the AS path. The AS numbers are added after the local AS number has been added to the path. This action adds an AS number to AS sequences only, not to AS sets. If the existing AS path begins with a confederation sequence or set, the affixed AS number is placed within a confederation sequence. Otherwise, the affixed AS number is placed with a nonconfederation sequence.

Enter a value.

AS Path Expand

Extracts the last AS number in the existing AS path and affixes that AS number to the beginning of the AS path n times, where n is a number from 1 through 32. The AS number is added before the local AS number has been added to the path. This action adds AS numbers to AS sequences only, not to AS sets. If the existing AS path begins with a confederation sequence or set, the affixed AS numbers are placed within a confederation sequence. Otherwise, the affixed AS numbers are placed within a nonconfederation sequence. This option is typically used in non-IBGP export policies.

Select the type and type a value.

4344




Function

Your Action

Load Balance Per Packet

Specifies that all next-hop addresses in the forwarding table must be installed and have the forwarding table perform per-packet load balancing. This policy action allows you to optimize VPLS traffic flows across multiple paths.

Select the check box to enable the option.

Tag

Specifies the tag value. The tag action sets the 32-bit tag field in OSPF external link-state advertisement (LSA) packets.


Metric

Changes the metric (MED) value by the specified negative or positive offset. This action is useful only in an external BGP (EBGP) export policy.


Route

Specifies whether the route is external.

Select the External check box to enable the option, and select the OSPF type.

Preference

Specifies the preference value.

Select the preference action and type a value.

Local Preference

Specifies the BGP local preference attribute.


Class of Service

Specifies and applies the class-of-service parameters to routes installed into the routing table.

Type the source class. Type the destination class.

•

Source class The value entered here maintains the packet counts for a route passing through your network, based on the source address.

•

Type the forwarding class.

Destination class The value entered here maintains packet counts for a route passing through your network, based on the destination address in the packet.

•

Forwarding class


•


•


•


•


•



4345

®


4346


CHAPTER 114

Verifying Firewall Filter Configuration •


•


•


Verifying That Firewall Filters Are Operational Purpose

After you configure and apply firewall filters to ports, VLANs, or Layer 3 interfaces, you can perform the following task to verify that the firewall filters configured on EX Series switches are working properly.

Action

Use the operational mode command to verify that the firewall filters on the switch are working properly: user@switch> show firewall Filter: egress-vlan-watch-employee Counters: Name counter-employee-web Filter: ingress-port-voip-class-limit-tcp-icmp Counters: Name icmp-counter Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: ingress-vlan-limit-guest

Meaning


Bytes 0

Packets 0

Bytes 0

Packets 0

Packets 0 0

The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. For each counter that is specified in a filter configuration, the output field shows the byte count and packet count for the term in which the counter is specified. For each policer that is specified in a filter configuration, the output field shows the packet count for packets that exceed the specified rate limits.

•


•


•



4347

®


•


•


Verifying That Policers Are Operational Purpose

Action

After you configure policers and include them in firewall filter configurations, you can perform the following tasks to verify that the policers configured on EX Series switches are working properly. Use the operational mode command to verify that the policers on the switch are working properly: user@switch> show policer Filter: egress-vlan-watch-employee Filter: ingress-port-filter Filter: ingress-port-voip-class-limit-tcp-icmp Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: ingress-vlan-limit-guest

Meaning


Packets 0 0

The show policer command displays the names of all firewall filters and policers that are configured on the switch. For each policer that is specified in a filter configuration, the output field shows the current packet count for all packets that exceed the specified rate limits.

•


•


•


•


•


Monitoring Firewall Filter Traffic You can monitor firewall filter traffic on EX Series switches.

4348

•

Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch on page 4349

•

Monitoring Traffic for a Specific Firewall Filter on page 4349

•

Monitoring Traffic for a Specific Policer on page 4349


Chapter 114: Verifying Firewall Filter Configuration

Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch Purpose

Action

Perform the following task to monitor the number of packets and bytes that matched the firewall filters and monitor the number of packets that exceeded policer rate limits: Use the operational mode command: user@switch> show firewall Filter: egress-vlan-watch-employee Counters: Name counter-employee-web Filter: ingress-port-voip-class-limit-tcp-icmp Counters: Name icmp-counter Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: ingress-vlan-limit-guest

Meaning

Bytes 3348

Packets 27

Bytes 4100

Packets 49

Packets 0 0

The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for counters and packet count for policers.

Monitoring Traffic for a Specific Firewall Filter Purpose

Action

Perform the following task to monitor the number of packets and bytes that matched a firewall filter and monitor the number of packets that exceeded the policer rate limits. Use the operational mode command: user@switch> show firewall filter ingress-vlan-rogue-block Filter: ingress-vlan-rogue-block Counters: Name rogue-counter

Meaning

Bytes 2308

Packets 20

The show firewall filter filter-name command displays the name of the firewall filter, the packet and byte count for all counters configured with the filter, and the packet count for all policers configured with the filter.

Monitoring Traffic for a Specific Policer Purpose

Action

Perform the following task to monitor the number of packets that exceeded policer rate limits: Use the operational mode command: user@switch> show policer tcp-connection-policer


4349

®


Filter: ingress-port-voip-class-limit-tcp-icmp Policers: Name tcp-connection-policer

Meaning


4350

Packets 0

The show policer policer-name command displays the name of the firewall filter that specifies the policer-action and displays the number of packets that exceeded rate limits for the specified filter.

•


•


•


•


•



CHAPTER 115

Troubleshooting Firewall Filters •

Troubleshooting Firewall Filters on page 4351

Troubleshooting Firewall Filters Troubleshooting issues with firewall filters on EX Series switches: 1.

A Firewall Filter Configuration Returns a “No Space Available in TCAM” Message on page 4351

A Firewall Filter Configuration Returns a “No Space Available in TCAM” Message Problem

When a firewall filter configuration exceeds the amount of available ternary content addressable memory (TCAM) space, the switch returns the following system log (syslogd) message: No space available in tcam. Rules for filter filter-name will not be installed.

The switch returns this error message during the commit operation in the following instances: •

If the firewall filter that you have applied to a port, VLAN, or Layer 3 interface requires more than the amount of available TCAM space.

•

If you delete and add large firewall filters in the same commit operation. In this case, the large firewall filter might not be deleted from the TCAM space, because of which there will be no TCAM space freed up for the new firewall filter to be added to it. In addition to the syslogd message, the following error message is displayed in the CLI: fpc dfw_grph_merge_dfw_bind: rules for filter filter-name will not be installed

However, in both these instances, the commit operation for the firewall filter configuration is completed in the CLI. Solution

When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms or, if you had deleted and created a firewall filter with a large number of terms (on the order of 1000 or more), you must delete and add the large firewall filters in separate commit operations.


4351

®


The first procedure (set of steps) in this Solution section tells you how to delete a firewall filter and its bind point and associate a new firewall filter with that existing bind point. The second procedure in this Solution section tells you how to create a new firewall filter with fewer terms (without deleting the bind point) and bind the new firewall filter with the existing bind point, when you want to create a firewall filter with fewer terms. Do not use the second procedure if you need to replace one large firewall filter with another large firewall filter—you must delete the original large firewall filter and commit that delete operation, and then add the new large firewall filter. To delete the firewall filter and its bind point and apply a new firewall filter to the same bind point: 1.

Delete the firewall filter configuration and its bind points to ports, VLANs, or Layer 3 interfaces—for example: [edit] user@switch# delete firewall family ethernet-switching filter mini-filter-ingress-vlan user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan" user@switch# delete vlans voice-vlan filter input mini-filter-ingress-vlan

2. Commit the operation: [edit] user@switch# commit

NOTE: Use separate commit operations for deleting and adding large firewall filters.

3. Configure a firewall filter with fewer terms (if the error message appeared when you

tried to create a new filter) or configure a large filter (if the error message appeared when you tried to delete and add large firewall filters)—for example: [edit] user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...

NOTE: See “Firewall Filters for EX Series Switches Overview” on page 4237 to ascertain the maximum number of terms allowed for various firewall filters on EX Series switches.

4. Apply (bind) the new firewall filter to a port, VLAN , or Layer 3 interface—for example: [edit] user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan" user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan 5. Commit the operation: [edit] user@switch# commit

To create a new firewall filter and attach it to the existing bind point: 1.

4352

Configure a firewall filter with fewer terms than the original filter:


Chapter 115: Troubleshooting Firewall Filters

[edit] user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan... 2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the bind

points of the original filter—for example: [edit] user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan" user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan

As a bind point can be attached to only one firewall filter, this configuration detaches the bind point from the previous firewall filter that contained many terms and attaches the bind point to the new firewall filter. 3. Commit the operation: [edit] user@switch# commit


•


•


•


•



4353

®


4354


CHAPTER 116

Configuration Statements for Firewall Filters •

[edit firewall] Configuration Statement Hierarchy on page 4355

•


[edit firewall] Configuration Statement Hierarchy firewall { family family-name { filter (Firewall Filters) filter-name { interface-specific; term term-name { from { match-conditions; } then (Firewall Filters) { action; action-modifiers; } } } } policer policer-name { filter-specific; if-exceeding { bandwidth-limit bps; burst-size-limit bytes; } then (Policer Action) { policer-action; } } } three-color-policer policer-name { action { loss-priority high then discard; } single-rate { (color-aware | color-blind);


4355

®


committed-burst-size bytes; committed-information-rate bps; excess-burst-size bytes; } two-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; peak-information-rate bps; peak-burst-size bytes; } }


•


•


•


•


•


Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter. Table 478 on page 4356 lists the options that are supported for the firewall statement in Junos OS for EX Series switches.

Table 478: Supported Options for Firewall Filter Statements Statement and Option family family-name { }

Description The family-name option specifies the version or type of addressing protocol: •

any—Filter packets based on protocol-independent match

conditions. •

ethernet-switching—Filter Layer 2 (Ethernet) packets and

Layer 3 (IP) packets •

inet—Filter IPv4 packets

•

inet6—Filter IPv6 packets

filter filter-name { }

The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

interface-specific

The interface-specific statement configures unique names for individual firewall counters specific to each interface.

4356


Chapter 116: Configuration Statements for Firewall Filters

Table 478: Supported Options for Firewall Filter Statements (continued) Statement and Option

Description

term term-name { }

The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" " ). Each term name must be unique within a filter.

from { match-conditions; }

The from statement is optional. If you omit it, all packets are considered to match.

then { action; action-modifiers; }

For information about the action and action-modifiers options, see “Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches” on page 4246.

policer policer-name { }

The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

filter-specific

The filter-specific statement configures policers and counters for a specific filter name.

if-exceeding { bandwidth-limit bps burst-size-limit bytes }

The bandwidth-limit bps option specifies the traffic rate in bits per second (bps). You can specify bps as a decimal value or as a decimal number followed by one of the following abbreviations: •

k (thousand)

•

m (million)

•

g (billion, which is also called a thousand million)

Range: 1000 (1k) through 102,300,000,000 (102.3g) bps The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, you can multiply the bandwidth of the interface on which the filter is applied by the amount of time (in seconds) to allow a burst of traffic at that bandwidth to occur: burst size = bandwidth * allowable time for burst traffic You can specify a decimal value or a decimal number followed by k (thousand) or m (million). Range: 1 through 2,147,450,880 bytes then { policer-action }


Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.

4357

®


Junos OS for EX Series switches does not support some of the firewall filter statements that are supported by other Junos OS packages. Table 479 on page 4358 shows the firewall filter statements that are not supported by Junos OS for EX Series switches.

Table 479: Firewall Filter Statements That Are Not Supported by Junos OS for EX Series Switches Statements Not Supported

Statement Hierarchy Level

•

interface-set interface-set-name { }

•

load-balance-group group-name { }

•

three-color-policer name { }

•

logical-interface-policer;

•

single-rate { }

•

two-rate { }

•

prefix-action name { }

•

prefix-policer { }

•

service-filter filter-name { }

•

simple-filter simple-filter-name { }

•

accounting-profile name;

[edit firewall family family-name filter filter-name]

•

logical-bandwidth-policer;

[edit firewall policer policer-name]

•

logical-interface-policer;

[edit firewall family family-name]

bandwidth-percent number;


4358

[edit firewall]

[edit firewall policer policer-name if-exceeding]

•


•


•


•


•




action Syntax


action { loss-priority high then discard; } [edit firewall three-color-policer name]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Discard traffic on a logical interface using tricolor marking policing. The remaining statement is explained separately.


firewall—To view this statement in the configuration. firewall-control—To add this statement to the configuration. •


apply-path Syntax Hierarchy Level

apply-path path; [edit logical-systems logical-system-name policy-options prefix-list name], [edit policy-options prefix-list name]

Release Information


Description

Expand a prefix list to include all prefixes pointed to by a defined path.

Options

path—String of elements composed of identifiers or configuration keywords that points

to a set of prefixes. You can include wildcards (enclosed in angle brackets) to match more than one identifier. You cannot add a path element, including wildcards, after a leaf statement. Path elements, including wildcards, can only be used after a container statement. Required Privilege Level Related Documentation


Configuring Prefix Lists


4359

®


as-path Syntax Hierarchy Level

Release Information

Description

Options

as-path name regular-expression; [edit dynamic policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for configuration in the dynamic database introduced in Junos OS Release 9.5. Support for configuration in the dynamic database introduced in Junos OS Release 9.5 for EX Series switches. Define an autonomous system (AS) path regular expression for use in a routing policy match condition. name—Name that identifies the regular expression. The name can contain letters, numbers,

and hyphens (-) and can be up to 65,536 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). regular-expression—One or more regular expressions used to match the AS path.


4360


Configuring AS Path Regular Expressions to Use as Routing Policy Match Conditions

•

Configuring Routing Policies and Policy Objects in the Dynamic Database

•

dynamic-db on page 4371



as-path-group Syntax

Hierarchy Level

Release Information

Description

Options

as-path-group group-name { as-path name regular-expression; } [edit dynamic policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for dynamic database configuration introduced in Junos OS Release 9.5. Support for dynamic database configuration introduced in Junos OS Release 9.5 for EX Series switches. Define a group containing multiple AS path regular expressions for use in a routing policy match condition. group-name—Name that identifies the AS path group. One or more AS path regular

expressions must be listed below the as-path-group hierarchy. name—Name that identifies the regular expression. The name can contain letters, numbers,

and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). regular-expression—One or more regular expressions used to match the AS path.



Configuring AS Path Regular Expressions to Use as Routing Policy Match Conditions

•


•



4361

®


bandwidth-limit Syntax Hierarchy Level

Release Information

Description Options

bandwidth-limit bps; [edit firewall policer policer-name if-exceeding] [edit logical-systems logical-system-name firewall policer policer-name if-exceeding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Logical systems support introduced in Junos OS Release 9.3. Specify the traffic rate in bits per second. bps —Traffic rate to be specified in bits per second. Specify bps as a decimal value or

as a decimal number followed by one of the following abbreviations: •

k (thousand)

•

m (million)

•

g (billion, which is also called a thousand million)

Range:


4362

•

1000 (1k) through 102,300,000,000 (102.3g) bps (EX Series switches)

•

8000 (8k) through 40,000,000,000 (40g) bps (routers)



•


•


•

Basic Single-Rate Two-Color Policers



burst-size-limit Syntax Hierarchy Level

Release Information

Description Options

burst-size-limit bytes; [edit firewall policer policer-name if-exceeding] [edit logical-systems logical-system-name firewall policer policer-name if-exceeding]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Logical systems support introduced in Junos OS Release 9.3. Specify the maximum allowed burst size to control the amount of traffic bursting. bytes —Decimal value or a decimal number followed by k (thousand) or m (million).

Range:


•

1 through 2,147,450,880 bytes (EX Series switches)

•

1500 through 1,00,000,000,000 bytes (routers)



•


•


•



4363

®


color-aware Syntax Hierarchy Level



color-aware; [edit firewall three-color-policer policer-name single-rate] [edit firewall three-color-policer policer-name two-rate]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the way preclassified packets are metered. In color-aware mode, the local switch can assign a higher packet loss priority but cannot assign a lower packet loss priority. If you omit the color-aware statement, the default behavior is color-aware mode. firewall—To view this statement in the configuration. firewall-control—To add this statement to the configuration. •


color-blind Syntax Hierarchy Level



4364

color-blind; [edit firewall three-color-policer policer-name single-rate] [edit firewall three-color-policer policer-name two-rate]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the way preclassified packets are metered. In color-blind mode, the local switch ignores the preclassification of packets and can assign a higher or lower packet loss priority. If you omit the color-blind statement, the default behavior is color-aware mode. firewall—To view this statement in the configuration. firewall-control—To add this statement to the configuration. •




committed-burst-size Syntax Hierarchy Level


committed-burst-size bytes; [edit firewall three-color-policer policer-name single-rate], [edit firewall three-color-policer policer-name two-rate]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the maximum number of bytes allowed for incoming packets to burst above the committed information rate (CIR) and still be marked with low packet loss priority (green).

NOTE: When you include the committed-burst-size statement in the configuration, you must also include the committed-information-rate statement at the same hierarchy level.

Options

bytes—Number of bytes. You can specify a value in bytes either as a complete decimal

number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Range: 1500 through 100,000,000,000 bytes Required Privilege Level Related Documentation




4365

®


committed-information-rate Syntax Hierarchy Level


committed-information-rate bps; [edit firewall three-color-policer policer-name single-rate], [edit firewall three-color-policer policer-name two-rate]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the guaranteed bandwidth under normal line conditions and the average rate up to which packets are marked with low packet loss priority (green).

NOTE: When you include the committed-information-rate statement in the configuration, you must also include the committed-burst-size statement at the same hierarchy level.

Options

bps—Number of bits per second. You can specify a value in bits per second either as a

complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Range: 32,000 through 40,000,000,000 bps Required Privilege Level Related Documentation

4366





community Syntax

Hierarchy Level

Release Information

community name { invert-match; members [ community-ids ]; } [edit dynamic policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for configuration in the dynamic database introduced in Junos OS Release 9.5. Support for configuration in the dynamic database introduced in Junos OS Release 9.5 for EX Series switches.

Description

Define a community or extended community for use in a routing policy match condition.

Options

name—Name that identifies the regular expression. The name can contain letters, numbers,

and hyphens (-) and can be up to 255 characters. To include spaces in the name, enclose it in quotation marks (“ ”). invert-match—Invert the results of the community expression matching. members community-ids—One or more community members. If you specify more than

one member, you must enclose all members in brackets. The format for community-ids is: as-number:community-value as-number is the AS number and can be a value in the range from 0 through 65,535. community-value is the community identifier and can be a number in the range from 0

through 65,535. You also can specify community-ids for communities as one of the following well-known community names, which are defined in RFC 1997, BGP Communities Attribute: •

no-export—Routes containing this community name are not advertised outside a BGP

confederation boundary. •

no-advertise—Routes containing this community name are not advertised to other

BGP peers. •

no-export-subconfed—Routes containing this community name are not advertised to

external BGP peers, including peers in other members' ASs inside a BGP confederation. You can explicitly exclude BGP community information with a static route using the none option. Include none when configuring an individual route in the route portion of the static statement to override a community option specified in the defaults portion of the statement.


4367

®


The format for extended community-ids is the following: type:administrator:assigned-number type is the type of extended community and can be either a bandwidth, target, origin, domain-id, src-as, or rt-import community or a 16-bit number that identifies a specific

BGP extended community. The target community identifies the destination to which the route is going. The origin community identifies where the route originated. The domain-id community identifies the OSPF domain from which the route originated. The src-as community identifies the autonomous system from which the route originated. The rt-import community identifies the route to install in the routing table.

NOTE: For src-as, you can specify only an AS number and not an IP address. For rt-import, you can specify only an IP address and not an AS number.

administrator is the administrator. It is either an AS number or an IPv4 address prefix,

depending on the type of extended community. assigned-number identifies the local provider.

The format for linking a bandwidth with an AS number is: bandwidth:as-number:bandwidth as-number specifies the AS number and bandwidth specifies the bandwidth in bytes per

second.

NOTE: In Junos OS Release 9.1 and later, you can specify 4-byte AS numbers as defined in RFC 4893, BGP Support for Four-octet AS Number Space, as well as the 2-byte AS numbers that are supported in earlier releases of the Junos OS. In plain-number format, you can configure a value in the range from 1 through 4,294,967,295. To configure a target or origin extended community that includes a 4-byte AS number in the plain-number format, append the letter “L” to the end of number. For example, a target community with the 4-byte AS number 334,324 and an assigned number of 132 is represented as target:334324L:132. In Junos OS Release 9.2 and later, you can also use AS-dot notation when defining a 4-byte AS number for the target and origin extended communities. Specify two integers joined by a period: 16-bit high-order value in decimal.16-bit low-order value in decimal. For example, the 4-byte AS number represented in plain-number format as 65546 is represented in AS-dot notation as 1.10.


4368





•

Overview of BGP Communities and Extended Communities as Routing Policy Match Conditions

•

Defining BGP Communities and Extended Communities for Use in Routing Policy Match Conditions

•


•


condition Syntax

Hierarchy Level

Release Information

Description

Options

condition condition-name { if-route-exists address table table-name; } [edit dynamic policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced in Junos OS Release 9.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for configuration in the dynamic database introduced in Junos OS Release 9.5. Support for configuration in the dynamic database introduced in Junos OS Release 9.5 for EX Series switches. Define a policy condition based on the existence of routes in specific tables for use in BGP export policies. if-route-exists address—Specify the address of the route in question. table table-name—Specify a routing table.



Configuring Routing Policy Match Conditions Based on Routing Table Entries

•


•



4369

®


damping Syntax

Hierarchy Level

Release Information

Description Options

damping name { disable; half-life minutes; max-suppress minutes; reuse number; suppress number; } [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define route flap damping properties to set on BGP routes. disable—Disable damping on a per-prefix basis. Any damping state that is present in the

routing table for a prefix is deleted if damping is disabled. half-life minutes—Decay half-life. minutes is the interval after which the accumulated

figure-of-merit value is reduced by half if the route remains stable. Range: 1 through 45 Default: 15 minutes

NOTE: For the half-life, configure a value that is less than the max-suppress. If you do not, the configuration is rejected.

max-suppress minutes—Maximum hold-down time. minutes is the maximum time that

a route can be suppressed no matter how unstable it has been. Range: 1 through 720 Default: 60 minutes

NOTE: For the max-suppress, configure a value that is greater than the half-life. If you do not, the configuration is rejected.

name—Name that identifies the set of damping parameters. The name can contain letters,

numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). reuse number—Reuse threshold. number is the figure-of-merit value below which a

suppressed route can be used again. Range: 1 through 20,000 Default: 750 (unitless)

4370



suppress number—Cutoff (suppression) threshold. number is the figure-of-merit value

above which a route is suppressed for use or inclusion in advertisements. Range: 1 through 20,000 Default: 3000 (unitless) Required Privilege Level Related Documentation


Configuring BGP Flap Damping Parameters

dynamic-db Syntax Hierarchy Level

Release Information

Description


dynamic-db; [edit logical-systems logical-system-name policy-options as-path path-name], [edit logical-systems logical-system-name policy-options as-path-group group-name], [edit logical-systems logical-system-name policy-options community community-name], [edit logical-systems logical-system-name policy-options condition condition-name], [edit logical-systems logical-system-name policy-options policy-statement policy-statement-name], [edit logical-systems logical-system-name policy-options prefix-list prefix-list-name], [edit policy-options as-path path-name], [edit policy-options as-path-group group-name], [edit policy-options community community-name], [edit policy-options condition condition-name], [edit policy-options policy-statement policy-statement-name], [edit policy-options prefix-list prefix-list-name]

Statement introduced in Junos OS Release 9.5. Statement introduced in Junos OS Release 9.5 for EX Series switches. Define routing policies and policy objects that reference policies configured in the dynamic database at the [edit dynamic] hierarchy level. routing—To view this statement in the configuration. routing-control-level—To add this statement to the configuration. •

Configuring Routing Policies Based on Dynamic Database Configuration


4371

®


excess-burst-size Syntax Hierarchy Level Release Information Description

excess-burst-size bytes; [edit firewall three-color-policer policer-name single-rate]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the maximum number of bytes allowed for incoming packets to burst above the committed information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the excess burst size (EBS) are marked with high packet loss priority (red).

NOTE: When you include the excess-burst-size statement in the configuration, you must also include the committed-burst-size and committed-information-rate statements at the same hierarchy level.

Options



4372





family (Firewall Filter) Syntax


Description Options

family family-name { filter (Firewall Filters) filter-name { interface-specific; term term-name { from { match-conditions; } then (Firewall Filters) { action; action-modifiers; } } } } [edit firewall]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Option interface-specific introduced in Junos OS Release 9.5 for EX Series switches. Configure a firewall filter for IP version 4 or IP version 6. family-name—Version or type of addressing protocol: •

any—Filter packets based on protocol-independent match conditions.

•

ethernet-switching—Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.

•

inet—Filter IPv4 packets.

•

inet6—Filter IPv6 packets.




•


•


•


•



4373

®


filter Syntax


Description Options

filter filter-name { interface-specific; term term-name { from { match-conditions; } then (Firewall Filters) { action; action-modifiers; } } } [edit firewall family family-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Option interface-specific introduced in Junos OS Release 9.5 for EX Series switches. Configure firewall filters. filter-name—Name that identifies the filter. The name can contain letters, numbers, and

hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks. The remaining statements are explained separately. Required Privilege Level Related Documentation

4374



•


•


•


•




filter Syntax Hierarchy Level Release Information Description Default

Options


filter (input | output) filter-name; [edit vlans vlan-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply a firewall filter to traffic coming into or exiting from the VLAN. All incoming traffic is accepted unmodified to the VLAN, and all outgoing traffic is sent unmodified from the VLAN. filter-name —Name of a firewall filter defined in a filter statement. •

input—Apply a firewall filter to VLAN ingress traffic.

•

output—Apply a firewall filter to VLAN egress traffic.



•


•


•


filter-specific Syntax Hierarchy Level Release Information Description


filter-specific; [edit firewall policer policer-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Configure a policer to act as a filter-specific policer. If you do not specify the filter-specific statement, the policer acts as a term-specific policer by default. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration •


•


•



4375

®


firewall Syntax

firewall { family family-name { filter (Firewall Filters) filter-name { interface-specific; term term-name { from { match-conditions; } then (Firewall Filters) { action; action-modifiers; } } } } policer policer-name { filter-specific; if-exceeding { bandwidth-limit bps; burst-size-limit bytes; } then (Policer Action) { policer-action; } } } three-color-policer policer-name { action { loss-priority high then discard; } single-rate { (color-aware | color-blind); committed-information-rate bps; committed-burst-size bytes; excess-burst-size bytes; } two-rate { (color-aware | color-blind); committed-information-rate bps; committed-burst-size bytes; peak-information-rate bps; peak-burst-size bytes; } }


4376

[edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Options interface-specific and filter-specific introduced in Junos OS Release 9.5 for EX Series switches.



Description

Configure firewall filters and policers. The remaining statements are explained separately.




•


•


•


•


from Syntax


from { match-conditions; } [edit firewall family family-name filter (Firewall Filters) filter-name term term-name]


Description

Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.

Options

match-conditions —Conditions that define the values or fields that the incoming or outgoing

packets must contain for a match. You can specify one or more match conditions. If you specify more than one, they all must match for a match to occur and for the action in the then statement to be taken. Required Privilege Level Related Documentation



•


•


•


•



4377

®


if-exceeding Syntax

Hierarchy Level

Release Information

Description

if-exceeding { bandwidth-limit bps; bandwidth-percentpercent burst-size-limit bytes; } [edit firewall policer policer-name] [edit logical-systems logical-system-name firewall policer policer-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Logical systems support introduced in Junos OS Release 9.3. Configure policer rate limits. The bandwidth-percent statement is supported on routers only. The remaining statements are explained separately.


4378



•


•


•




interface-specific Syntax Hierarchy Level Release Information Description


interface-specific; [edit firewall family family-name filter (Firewall Filters) filter-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Configure firewall counters that are interface-specific. You can configure an interface-specific firewall filter only on a port or a Layer 3 interface as an interface-specific firewall filter is not supported for a VLAN. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•


loss-priority high then discard (Three-Color Policer) Syntax Hierarchy Level Release Information Description

loss-priority high then discard; [edit firewall three-color-policer policer-name action]

Statement introduced in Junos OS Release 11.2 for EX Series switches. For packets with high loss priority, discard the packets. The loss priority setting is implicit and cannot be configured. Include this statement if you do not want the local switch to forward packets that have high packet loss priority. For single-rate three-color policers, Junos OS assigns high loss priority to packets that exceed the committed information rate and the excess burst size. For two-rate three-color policers, Junos OS assigns high loss priority to packets that exceed the peak information rate and the peak burst size.





4379

®


peak-burst-size Syntax Hierarchy Level Release Information Description

peak-burst-size bytes; [edit firewall three-color-policer policer-name two-rate]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure the maximum number of bytes allowed for incoming packets to burst above the peak information rate (PIR) and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size (PBS) are marked with high packet loss priority (red).

NOTE: When you include the peak-burst-size statement in the configuration, you must also include the committed-burst-size and peak-information-rate statements at the same hierarchy level.

Options



4380





policer Syntax

Hierarchy Level

Release Information

Description

Options

policer policer-name { filter-specific; if-exceeding { bandwidth-limit bps; bandwidth-percent percent burst-size-limit bytes; } then (Policer Action) { policer-action; } } [edit firewall] [edit logical-systems logical-system-name firewall]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Logical systems support introduced in Junos OS Release 9.3. Configure policer rate limits and actions. To activate a policer, you must include the policer action modifier in the then statement in a firewall filter term. Each policer that you configure includes an implicit counter. To ensure term-specific packet counts, you configure a policer for each term in the filter that requires policing. policer-name—Name that identifies the policer. The name can contain letters, numbers,

hyphens (-), and can be up to 64 characters long. The remaining statements are explained separately. Required Privilege Level Related Documentation



•


•


•

Configuring MPLS on Provider Edge Switches Using Circuit Cross-Connect (CLI Procedure) on page 4879

•

Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure) on page 4875

•


•



4381

®


policy-statement Syntax

Hierarchy Level

Release Information

Description

policy-statement policy-name { term term-name { from { family family-name; match-conditions; policy subroutine-policy-name; prefix-list prefix-list-name; prefix-list-filter prefix-list-name match-type ; route-filter destination-prefix match-type ; source-address-filter source-prefix match-type ; } to { match-conditions; policy subroutine-policy-name; } then actions; } } [edit dynamic policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for configuration in the dynamic database introduced in Junos OS Release 9.5. Support for configuration in the dynamic database introduced in Junos OS Release 9.5 for EX Series switches. inet-mdt option introduced in Junos OS Release 10.0R2. Statement introduced in Junos OS Release 11.3 for the QFX Series. Define a routing policy, including subroutine policies. To list the routing policies under the [edit policy-options] hierarchy level by policy-statement policy-name in alphabetical order, enter the show policy-options configuration command.

Options

actions—(Optional) One or more actions to take if the conditions match. The actions are

described in Configuring Flow Control Actions. family family-name—(Optional) Specify an address family protocol. Specify inet for IPv4.

Specify inet6 for 128-bit IPv6, and to enable interpretation of IPv6 router filter addresses. For IS-IS traffic, specify iso. For IPv4 multicast VPN traffic, specify inet-mvpn. For IPv6 multicast VPN traffic, specify inet6-mvpn. For multicast-distribution-tree (MDT) IPv4 traffic, specify inet-mdt.

NOTE: When family is not specified, the routing device uses the default IPv4 setting.

4382



from—(Optional) Match a route based on its source address. match-conditions—(Optional in from statement; required in to statement) One or more

conditions to use to make a match. The qualifiers are described in Configuring Match Conditions in Routing Policy Terms. policy subroutine-policy-name—Use another policy as a match condition within this policy.

The name identifying the subroutine policy can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). For information about how to configure subroutines, see Configuring Subroutines in Routing Policy Match Conditions. policy-name—Name that identifies the policy. The name can contain letters, numbers,

and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). prefix-list prefix-list-name —Name of a list of IPv4 or IPv6 prefixes. prefix-list-filter prefix-list-name—Name of a prefix list to evaluate using qualifiers; match-type is the type of match (see Configuring Prefix List Filters), and actions is

the action to take if the prefixes match. route-filter destination-prefix match-type —(Optional) List of routes on which

to perform an immediate match; destination-prefix is the IPv4 or IPv6 route prefix to match, match-type is the type of match (see Configuring Route Lists), and actions is the action to take if the destination-prefix matches. source-address-filter source-prefix match-type —(Optional) Unicast source

addresses in multiprotocol BGP (MBGP) and Multicast Source Discovery Protocol (MSDP) environments on which to perform an immediate match. source-prefix is the IPv4 or IPv6 route prefix to match, match-type is the type of match (see Configuring Route Lists), and actions is the action to take if the source-prefix matches. term term-name—Name that identifies the term. to—(Optional) Match a route based on its destination address or the protocols into which

the route is being advertised. then—(Optional) Actions to take on matching routes. The actions are described in

Configuring Flow Control Actions and Configuring Actions That Manipulate Route Characteristics. Required Privilege Level Related Documentation


Defining Routing Policies

•


•



4383

®


prefix-list Syntax

Hierarchy Level

Release Information

Description

prefix-list name { ip-addresses; apply-path path; } [edit dynamic policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Support for configuration in the dynamic database introduced in Junos OS Release 9.5. Support for configuration in the dynamic database introduced in Junos OS Release 9.5 for EX Series switches. Support for the vpls protocol family introduced in Junos OS Release 10.2. Define a list of IPv4 or IPv6 address prefixes for use in a routing policy statement or firewall filter statement. You can configure up to 85,325 prefixes in each prefix list. To configure more than 85,325 prefixes, configure multiple prefix lists and apply them to multiple firewall filter terms.

Options

name—Name that identifies the list of IPv4or IPv6 address prefixes. ip-addresses—List of IPv4 or IPv6 address prefixes, one IP address per line in the

configuration. The remaining statement is explained separately. Required Privilege Level Related Documentation


Configuring Prefix Lists for Use in Routing Policy Match Conditions

•


•


•

”Firewall Filter Match Conditions Based on Address Fields” in the Junos OS Firewall Filter and Policer Configuration Guide

•

4384

“Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List” in the Junos OS Firewall Filter and Policer Configuration Guide




Release Information Description Options Required Privilege Level Related Documentation

routing-instance routing-instance-name; [edit firewall family inet filter (Firewall Filters) filter-name term term-name then (Firewall Filters)]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Specify a specific virtual routing instance to which the switch sends matched packets. routing-instance-name —Name of a virtual routing instance.



•


•



4385

®


single-rate Syntax


single-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; excess-burst-sizebytes; } [edit firewall three-color-policer policer-name]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure a single-rate three-color policer in which marking is based on the committed information rate (CIR), committed burst size (CBS), and excess burst size (EBS). Packets that conform to the CIR or the CBS are assigned low loss priority (green). Packets that exceed the CIR and the CBS but do not exceed the EBS are assigned medium-high loss priority (yellow). Packets that exceed the EBS are assigned high loss priority (red). Green and yellow packets are always forwarded; this action is not configurable. You can configure red packets to be discarded. By default, red packets are forwarded. The remaining statements are explained separately.


4386





term Syntax


term term-name { from { match-conditions; } then (Firewall Filters) { action; action-modifiers; } } [edit firewall family family-name filter (Firewall Filters) filter-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define a firewall filter term. term-name—Name that identifies the term. The name can contain letters, numbers, and

hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks. The remaining statements are explained separately. Required Privilege Level Related Documentation



•


•


•


•



4387

®


then Syntax


then { action; action-modifiers; } [edit firewall family family-name filter (Firewall Filters) filter-name term term-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a filter action. action—Action to accept, discard, or forward packets that match all match conditions

specified in a filter term. action-modifiers—Additional actions to analyze, classify, count, or police packets that

match all conditions specified in a filter term. Required Privilege Level Related Documentation

4388



•


•


•


•


•




then Syntax

then { policer-action; }

Hierarchy Level

[edit firewall policer policer-name] [edit logical-systems logical-system-name firewall policer policer-name]

Release Information


Description Options

Configure a policer action. policer-action—Actions to take are: •

discard—Discard traffic that exceeds the rate limits defined by the policer.

•

forwarding-class class-name—For routers only, classify traffic that exceeds the rate

limits defined by the policer. •

loss-priority—Set the loss priority for traffic that exceeds the rate limits defined by the

policer. Required Privilege Level Related Documentation

firewall—To view this statement in the configuration. firewall -control—To add this statement to the configuration. •


•


•


•


•


•

Example: Configuring CoS for a PBB Network on MX Series Routers

•



4389

®


three-color-policer (Configuring) Syntax


three-color-policer policer-name { action { loss-priority high then discard; } single-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; excess-burst-size bytes; } two-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; peak-burst-size bytes; peak-information-rate bps; } } [edit firewall]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure a three-color policer. policer-name—Name of the three-color policer. Reference this name when you apply the

policer to an interface. The remaining statements are explained separately. Required Privilege Level Related Documentation

4390





two-rate Syntax


two-rate { (color-aware | color-blind); committed-burst-size bytes; committed-information-rate bps; peak-burst-size bytes; peak-information-rate bps; } [edit firewall three-color-policer policer-name],

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure a two-rate three-color policer in which marking is based on the committed information rate (CIR), committed burst size (CBS), peak information rate (PIR), and peak burst size (PBS). Packets that conform to the CIR or the CBS are assigned low loss priority (green). Packets that exceed the PIR and the PBS are assigned high loss priority (red). Green packets are always forwarded; this action is not configurable. You can configure red packets to be discarded. By default, red packets are forwarded. The remaining statements are explained separately.





4391

®


4392


CHAPTER 117

Operational Commands for Firewall Filters


4393

®


clear firewall Syntax


Description

clear firewall (all | counter counter-name | filter filter-name | logical-system logical-system-name) clear firewall (all | counter counter-name | filter filter-name)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. logical-system option introduced in Junos OS Release 9.3. Clear statistics about configured firewall filters.

NOTE: The clear firewall command cannot be used to clear the Routing Engine filter counters on a backup Routing Engine that is enabled for GRES.

If you clear statistics for firewall filters that are applied to Trio-based DPCs and that also use the prefix-action action on matched packets, wait at least 5 seconds before you enter the show firewall prefix-action-stats command. A 5-second pause between issuing the clear firewall and show firewall prefix-action-stats commands avoids a possible timeout of the show firewall prefix-action-stats command. Options

all—Clear the packet and byte counts for all filters. counter counter-name—Clear the packet and byte counts for a filter counter that has been

configured with the counter firewall filter action. filter filter-name—Clear the packet and byte counts for the specified firewall filter. logical-system logical-system-name—Clear the packet and byte counts for the specified

logical system. Required Privilege Level Related Documentation List of Sample Output Output Fields

clear

•

show firewall on page 4396

clear firewall all on page 4394 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear firewall all

4394

user@host> clear firewall all


Chapter 117: Operational Commands for Firewall Filters

clear firewall Syntax


clear firewall

Command introduced in Junos OS Release 9.0 for EX Series switches. Clear statistics about configured firewall filters. none—Clear the packet and byte counts for all firewall filter counters and clear the packet

counts for all policer counters. all—(Optional) Clear the packet and byte counts for all firewall filter counters and clear

the packet counts for all policer counters. counter counter-name —(Optional) Clear the packet and byte counts for the specified

firewall filter counter. filter filter-name —(Optional) Clear the packet and byte counts for the specified firewall

filter. Required Privilege Level Related Documentation

clear

•


•


•


•


•


Sample Output clear firewall (all) clear firewall (counter counter-name) clear firewall (filter filter-name)

user@host> clear firewall all user@host> clear firewall counter port-filter-counter

user@host> clear firewall filter ingress-port-filter


4395

®


show firewall Syntax


Release Information

Description Options

show firewall show firewall

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. logical-system option introduced in Junos OS Release 9.3. terse option introduced in Junos OS Release 9.4. Display statistics about configured firewall filters. none—(Optional) Display statistics about configured firewall filters. filter filter-name—(Optional) Name of a configured filter. counter counter-name—(Optional) Name of a filter counter. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular system. log—(Optional) Display log entries for firewall filters. terse—(Optional) Display firewall filter names only.


Output Fields

4396

view

•

clear firewall on page 4394

show firewall filter on page 4398 show firewall filter (Dynamic Input Filter) on page 4398 show firewall (Logical Systems) on page 4398 Table 480 on page 4397 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.



Table 480: show firewall Output Fields Field Name

Field Description

Filter

Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. When an interface-specific filter is displayed, the name of the filter is followed by the full interface name and by either -i for an input filter or -o for an output filter. When dynamic filters are displayed, the name of the filter is followed by the full interface name and by either -in for an input filter or -out for an output filter. When a logical system–specific filter is displayed, the name of the filter is prefixed with two underscore (__) characters and the name of the logical system (for example, __ls1/filter1).

Counters

Policers

Display filter counter information: •

Name—Name of a filter counter that has been configured with the counter firewall filter action.

•

Bytes—Number of bytes that match the filter term under which the counter action is specified.

•

Packets—Number of packets that matched the filter term under which the counter action is specified.

Display policer information: •

Name—Name of policer.

•

Bytes—(I-chip DPCs only) Number of bytes that match the filter term under which the policer action

is specified. This is only the number out-of-specification (out-of-spec) byte counts, not all the bytes in all packets policed by the policer. •

Packets—Number of packets that matched the filter term under which the policer action is specified.

This is only the number of out-of-specification (out-of-spec) packet counts, not all packets policed by the policer.


4397

®


Sample Output show firewall filter

show firewall filter (Dynamic Input Filter)

show firewall (Logical Systems)

user@host> show firewall filter test Filter: test Counters: Name Counter-1 Counter-2 Policers: Name Policer-1

Packets 0 0

Bytes 2770

Packets 70

user@host> show firewall filter dfwd-ge-5/0/0.1-in Filter: dfwd-ge-5/0/0.1-in Counters: Name c1-ge-5/0/0.1-in

Bytes 0

Packets 0

Bytes 420

Packets 5

Bytes 0 0

Packets 0 0

Bytes 0 0

Packets 0 0

Bytes 0 0

Packets 0 0

user@host>show firewall Filter: __lr1/test Counters: Name icmp Filter: __default_bpdu_filter__ Filter: __lr1/inet_filter1 Counters: Name inet_tcp_count inet_udp_count Filter: __lr1/inet_filter2 Counters: Name inet_icmp_count inet_pim_count Filter: __lr2/inet_filter1 Counters: Name inet_tcp_count inet_udp_count

4398

Bytes 0 0



show firewall Syntax


show firewall log (detail | interface interface-name) terse

Command introduced in Junos OS Release 9.0 for EX Series switches. Display statistics about configured firewall filters. none—Display statistics about all configured firewall filters, counters, and policers. counter counter-name—(Optional) Display statistics about a particular firewall filter

counter. filter filter-name—(Optional) Display statistics about a particular firewall filter. log (detail | interface interface-name)—(Optional) Display detailed log entries of firewall

activity or log information about a specific interface. terse—(Optional) Display firewall filter names only.



Output Fields

view

•


•


•


•


•


show firewall on page 4400 show firewall (filter filter-name) on page 4400 show firewall (counter counter-name) on page 4400 show firewall log on page 4400 Table 481 on page 4399 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.

Table 481: show firewall Output Fields Field Name

Field Description

Level of Output

Filter

Name of the filter that is configured with the filter statement at the [edit firewall] hierarchy level.

All levels


4399

®


Table 481: show firewall Output Fields (continued) Field Name

Field Description

Level of Output

Counters

Display filter counter information:

All levels

•

Name—Name of a filter counter that has been configured with the counter firewall filter action

•

Bytes—Number of bytes that match the filter term where the counter action was specified.

•

Packets—Number of packets that matched the filter term where the counter action was specified.

Display policer information:

Policers

All levels

•


•

Packets—Number of packets that matched the filter term where the policer action was specified. This is the number of packets that exceed the rate limits that the policer specifies.

Sample Output show firewall

show firewall (filter filter-name)

show firewall (counter counter-name)

show firewall log

user@host> show firewall Filter: egress-vlan-filter Counters: Name employee-web-counter Filter: ingress-port-filter Counters: Name ingress-port-counter Filter: ingress-port-voip-class-filter Counters: Name icmp-counter Policers: Name icmp-connection-policer tcp-connection-policer

Packets 0

Bytes 0

Packets 0

Bytes 0

Packets 0

Packets 0 0

user@host> show firewall filter egress-vlan-filter Filter: egress-vlan-filter Counters: Name employee-web-counter

Bytes 0

Packets 0

user@host> show firewall counter icmp-counter Filter: ingress-port-voip-class-filter Counters: Name icmp-counter

Bytes 0

Packets 0

user@host> show firewall log Log : Time

4400

Bytes 0

Filter Action Interface Dest Addr

Protocol

Src Addr



08:00:53

pfe R 192.168.3.4 08:00:52 pfe R 192.168.3.4 08:00:51 pfe R 192.168.3.4 08:00:50 pfe R 192.168.3.4 08:00:49 pfe R 192.168.3.4 08:00:48 pfe R 192.168.3.4 08:00:47 pfe R 192.168.3.4


ge-1/0/1.0

ICMP

192.168.3.5

ge-1/0/1.0

ICMP

192.168.3.5

ge-1/0/1.0

ICMP

192.168.3.5

ge-1/0/1.0

ICMP

192.168.3.5

ge-1/0/1.0

ICMP

192.168.3.5

ge-1/0/1.0

ICMP

192.168.3.5

ge-1/0/1.0

ICMP

192.168.3.5

4401

®


show firewall log Syntax


Release Information

Description Options

show firewall log show firewall log

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. logical-system option introduced in Junos OS Release 9.3. Display log information about firewall filters. none—Display log information about firewall filters. detail—(Optional) Display detailed information. interface interface-name—(Optional) Display log information about a specific interface. logical-system (logical-system-name | all)—(Optional) Perform this operation on all logical

systems or on a particular system. Required Privilege Level List of Sample Output

Output Fields

view

show firewall log on page 4403 show firewall log detail on page 4403 Table 482 on page 4402 lists the output fields for the show firewall log command. Output fields are listed in the approximate order in which they appear.

Table 482: show firewall log Output Fields

4402

Field Name

Field Description

Time of Log

Time that the event occurred.

Filter

Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. •

A hyphen (-) indicates that the packet was handled by the Packet Forwarding Engine.

•

A space (no hyphen) indicates the packet was handled by the Routing Engine.

•

The notation pfe indicates packets logged by the Packet Forwarding Engine hardware filters.



Table 482: show firewall log Output Fields (continued) Field Name

Field Description

Filter Action

Filter action: •

A—Accept

•

D—Discard

•

R—Reject

Name of Interface

Ingress interface for the packet.

Name of protocol

Packet’s protocol name: egp, gre, icmp, ipip, ospf, pim, rsvp, tcp, or udp.

Packet length

Length of the packet.

Source address

Packet’s source address.

Destination address

Packet’s destination address and port.

Sample Output show firewall log

show firewall log detail

user@host>show firewall log Time Filter Action Interface

Protocol

Src Addr

Dest Addr

13:10:12

pfe

D

rlsq0.902

ICMP

180.1.177.2

180.1.177.1

13:10:11

pfe

D

rlsq0.902

ICMP

180.1.177.2

180.1.177.1

user@host> show firewall log detail Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0Name of protocol: TCP, Packet Length: 50824, Source address: 172.17.22.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 1020, Source address: 172.17.22.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 49245, Source address: 172.17.22.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 49245, Source address: 172.17.22.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 49245, Source address: 172.17.22.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 49245, Source address: 172.17.22.108:829,


4403

®


Destination address: 192.168.70.66:513 ....

4404



show interfaces filters Syntax


show interfaces filters

Command introduced in Junos OS Release 9.0 for EX Series switches. Display firewall filters that are configured on each interface in a system. none—Display firewall filter information about all interfaces. interface-name—(Optional) Display firewall filter information about a particular interface.



Output Fields

view

•

show interfaces policers on page 4407

•

show firewall on page 4399

show interfaces filters on page 4405 show interfaces filters on page 4406 Table 483 on page 4405 lists the output fields for the show interfaces filters command. Output fields are listed in the approximate order in which they appear.

Table 483: show interfaces filters Output Fields Field Name

Field Description

Level of Output

Interface


All levels

Admin

Interface state: up or down.

All levels

Link

Link state: up or down.

All levels

Proto

Protocol that is configured on the interface.

All levels

Input Filter

Name of the firewall filter to be evaluated when packers are received on the interface.

All levels

Output Filter

Name of the firewall filter to be evaluated when packets are transmitted on the interface.

All levels

Sample Output show interfaces filters

user@host> show interfaces filters Interface Admin Link Proto Input Filter ge-0/0/0 up down ge-0/0/0.0 up down eth-switch unknown ge-0/0/1 up down ge-0/0/1.0 up down eth-switch unknown


Output Filter

4405

®


ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/10.0

show interfaces filters

4406

up up up up up up up up up up

down down down down down down down down down down

user@host> show interfaces filters ge-0/0/0 Interface Admin Link Proto Input Filter ge-0/0/0 up down ge-0/0/0.0 up down eth-switch unknown

Output Filter



show interfaces policers Syntax


show interfaces policers

Command introduced before Junos OS Release 9.0 for EX Series switches. Display all policers that are configured on each interface in a system. none—Display policer information about all interfaces. interface-name—(Optional) display firewall filters information about a particular interface.



Output Fields

view

•

show interfaces filters on page 4405

•

show policer on page 4409

show interfaces policers on page 4407 show interfaces policers on page 4408 show interfaces policers ( interface-name) on page 4408 Table 484 on page 4407 lists the output fields for the show interfaces policers command. Output fields are listed in the approximate order in which they appear.

Table 484: show interfaces policers Output Fields Field Name

Field Description

Level of Output

Interface


All levels

Admin

Interface state: up or down.

All levels

Link

Link state: up or down.

All levels

Proto

Protocol configured on the interface.

All levels

Input Policer

Policer to be evaluated when packets are received on the interface. It has the format interface-name-in-policer.

All levels

Output Policer

Policer to be evaluated when packets are transmitted on the interface. It has the format interface-name-out-policer.

All levels

Sample Output show interfaces policers

user@host> show interfaces policers Interface Admin Link Proto Input Policer ge-0/0/0 up down ge-0/0/0.0 up down


Output Policer

4407

®


eth-switch Interface ge-0/0/1 ge-0/0/1.0 Interface ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/10.0

show interfaces policers

user@host> show interfaces policers Interface Admin Link Proto Input Policer ge-0/0/0 up down ge-0/0/0.0 up down eth-switch Interface ge-0/0/1 ge-0/0/1.0 Interface ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/10.0

show interfaces policers ( interface-name)

4408

Admin Link Proto Input Policer up down up down eth-switch Admin Link Proto Input Policer up down up down up down up down up down up down up down up down up down up down eth-switch

Admin Link Proto Input Policer up down up down eth-switch Admin Link Proto Input Policer up down up down up down up down up down up down up down up down up down up down eth-switch

user@host> show interfaces policers ge-0/0/1 Interface Admin Link Proto Input Policer ge-0/0/0 up down ge-0/0/0.0 up down eth-switch

Output Policer

Output Policer

Output Policer

Output Policer

Output Policer

Output Policer



show policer Syntax


show policer

Command introduced in Junos OS Release 9.0 for EX Series switches. Display statistics about configured policers. none—Display the count of policed packets for all configured policers in the system. policer-name—(Optional) Display the count of policed packets for the specified policer.



Output Fields

view

•


•


•


•


•


show policer on page 4409 show policer (policer-name) on page 4410 Table 485 on page 4409 lists the output fields for the show policer command. Output fields are listed in the approximate order in which they appear.

Table 485: show policer Output Fields Field Name

Field Description

Level of Output

Filter

Name of filter that is configured with the filter statement at the [edit firewall] hierarchy level.

All levels

Policers

Display policer information:

All levels

•

Filter—Name of filter that specifies the policer action.

•


•

Packets—Number of packets that matched the filter term where the policer action is specified. This is the number of packets that exceed the rate limits that the policer specifies.

Sample Output show policer

user@host> show policer Filter: egress-vlan-filter Filter: ingress-port-filter


4409

®


Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block

show policer (policer-name)

4410

user@host> show policer tcp-connection-policer Filter: ingress-port-filter Policers: Name tcp-connection-policer

Packets 0 0

Packets 0



show policy Syntax


Description Options

show policy show policy

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about configured routing policies. none—List the names of all configured routing policies. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. policy-name—(Optional) Show the contents of the specified policy.


Output Fields

view

•


show policy on page 4411 show policy policy-name on page 4412 show policy (Multicast Scoping) on page 4412 Table 486 on page 4411 lists the output fields for the show policy command. Output fields are listed in the approximate order in which they appear.

Table 486: show policy Output Fields Field Name

Field Description

policy-name

Name of the policy listed.

term

Policy term listed.

from

Match condition for the policy.

then

Action for the policy.

Sample Output show policy

user@host> show policy Configured policies: __vrf-export-red-internal__ __vrf-import-red-internal__


4411

®


red-export all_routes

show policy policy-name

user@host> show policy test-statics Policy test-statics: from 3.0.0.0/8 accept 3.1.0.0/16 accept then reject

show policy (Multicast Scoping)

user@host> show policy test-statics Policy test-statics: from multicast-scoping == 8

4412



show policy conditions Syntax


Release Information

Description

Options

show policy conditions show policy conditions

Command introduced in Junos OS Release 9.0. Command introduced in Junos OS Release 9.0 for EX Series switches. Display all the configured conditions as well as the routing tables with which the configuration manager is interacting. If the detail keyword is included, the output also displays dependent routes for each condition. none—Display all configured conditions and associated routing tables. condition-name—(Optional) Display information about the specified condition only. detail—(Optional) Display the specified level of output. dynamic—(Optional) Display information about the conditions in the dynamic database. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show policy conditions detail on page 4414 Table 487 on page 4413 lists the output fields for the show policy conditions command. Output fields are listed in the approximate order in which they appear.

Table 487: show policy conditions Output Fields Field Name

Field Description

Level of Output

Condition

Name of configured condition.

All levels

event

Condition type. If the if-route-exists option is configured, the event type is: Existence of a route in a specific routing table.

All levels

Dependent routes

List of routes dependent on the condition, along with the latest generation number.

detail

Condition tables

List of routing tables associated with the condition, along with the latest generation number and number of dependencies.

All levels


4413

®


Table 487: show policy conditions Output Fields (continued) Field Name

Field Description

Level of Output

If-route-exists conditions

List of conditions configured to look for a route in the specified table.

All levels

Sample Output show policy conditions detail

user@host> show policy conditions detail Configured conditions: Condition cond1, event: Existence of a route in a specific routing table Dependent routes: 4.4.4.4/32, generation 3 6.6.6.6/32, generation 3 10.10.10.10/32, generation 3 Condition cond2, event: Existence of a route in a specific routing table Dependent routes: None Condition tables: Table inet.0, generation 4, dependencies 3, If–route-exists conditions: cond1 (static) cond2 (static)

4414



test policy Syntax Release Information

Description Options

test policy policy-name prefix

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Test a policy configuration to determine which prefixes match routes in the routing table. policy-name—Name of a policy. prefix—Destination prefix to match.



All prefixes in the default unicast routing table (inet.0) that match prefixes that are the same as or longer than the specific prefix are processed by the from clause in the specified policy. All prefixes accepted by the policy are displayed. The test policy command evaluates a policy differently from the Border Gateway Protocol (BGP) import process. When testing a policy that contains an interface match condition in the from clause, the test policy command uses the match condition. In contrast, BGP does not use the interface match condition when evaluating the policy against routes learned from internal BGP (IBGP) or external BGP (EGBP) multihop peers. view

•


test policy on page 4415 For information about output fields, see the output field tables for the show route command, the show route detail command, the show route extensive command, or the show route terse command.

Sample Output test policy

user@host> test policy test-statics 3.0.0.1/8 inet.0: 44 destinations, 44 routes (44 active, 0 holddown, 0 hidden) Prefixes passing policy: 3.0.0.0/8

3.3.3.1/32 3.3.3.2/32 3.3.3.3/32 3.3.3.4/32


*[BGP/170] 16:22:46, localpref 100, from 10.255.255.41 AS Path: 50888 I > to 10.11.4.32 via en0.2, label-switched-path l2 *[IS-IS/18] 2d 00:21:46, metric 0, tag 2 > to 10.0.4.7 via fxp0.0 *[IS-IS/18] 2d 00:21:46, metric 0, tag 2 > to 10.0.4.7 via fxp0.0 *[IS-IS/18] 2d 00:21:46, metric 0, tag 2 > to 10.0.4.7 via fxp0.0 *[IS-IS/18] 2d 00:21:46, metric 0, tag 2

4415

®


> to 10.0.4.7 via fxp0.0 Policy test-statics: 5 prefixes accepted, 0 prefixes rejected

4416


PART 23

Class of Service •

Class of Service (CoS)—Overview on page 4419

•

Examples: CoS Configuration on page 4455

•

Configuring CoS on page 4483

•

Verifying CoS Configuration on page 4513

•

Troubleshooting CoS Configuration on page 4521

•

Configuration Statements for CoS on page 4525

•

Operational Commands for CoS on page 4559


4417

®


4418


CHAPTER 118

Class of Service (CoS)—Overview •


•


•

Understanding CoS Code-Point Aliases on page 4424

•

Understanding CoS Classifiers on page 4427

•

Understanding CoS Forwarding Classes on page 4430

•

Understanding CoS Tail Drop Profiles on page 4433

•

Understanding CoS Schedulers on page 4434

•

Understanding CoS Two-Color Marking on page 4439

•

Understanding CoS Rewrite Rules on page 4440

•

Understanding Port Shaping and Queue Shaping for CoS on EX Series Switches on page 4442

•

Understanding Junos OS EZQoS for CoS Configurations on EX Series Switches on page 4442

•

Understanding Using CoS with MPLS Networks on EX Series Switches on page 4443

•

Understanding CoS Queues on EX8200 Line Cards That Include Oversubscribed Ports on page 4448

•

Understanding Priority-Based Flow Control on page 4451


4419

®


Junos OS CoS for EX Series Switches Overview When a network experiences congestion and delay, some packets must be dropped. Junos operating system (Junos OS) class of service (CoS) divides traffic into classes to which you can apply different levels of throughput and packet loss when congestion occurs. This allows packet loss to happen according to rules that you configure. For interfaces that carry IPv4, IPv6, and MPLS traffic, you can configure Junos OS CoS features to provide multiple classes of service for different applications. CoS also allows you to rewrite the Differentiated Services code point (DSCP), IP precedence, 802.1p, or EXP CoS bits of packets egressing out of an interface, thus allowing you to tailor packets for the remote peers’ network requirements. See “Understanding Using CoS with MPLS Networks on EX Series Switches” on page 4443 for more information about CoS for MPLS networks. CoS provides multiple classes of service for different applications. You can configure multiple forwarding classes for transmitting packets, define which packets are placed into each output queue, and schedule the transmission service level for each queue. In designing CoS applications, you must give careful consideration to your service needs and thoroughly plan and design your CoS configuration to ensure consistency and interoperability across all platforms in a CoS domain. Because Juniper Networks EX Series Ethernet Switches implement CoS in hardware rather than in software, you can experiment with and deploy CoS features without affecting packet-forwarding and switching performance.

NOTE: CoS policies can be enabled or disabled on each interface of an EX Series switch. Also, each physical and logical interface on the switch can have custom CoS rules associated with it. When CoS is used in an MPLS network, there are some additional restrictions. See “Understanding Using CoS with MPLS Networks on EX Series Switches” on page 4443.

•

How Junos OS CoS Works on page 4420

•

Default CoS Behavior on EX Series Switches on page 4421

How Junos OS CoS Works Junos OS CoS works by examining traffic entering at the edge of your network. The switches classify traffic into defined service groups to provide the special treatment of traffic across the network. For example, voice traffic can be sent across certain links, and data traffic can use other links. In addition, the data traffic streams can be serviced differently along the network path. As the traffic leaves the network at the far edge, you can rewrite the traffic to meet the policies of the targeted peer. To support CoS, you must configure each switch in the network. Generally, each switch examines the packets that enter it to determine their CoS settings. These settings then dictate which packets are transmitted first to the next downstream switch. Switches at

4420


Chapter 118: Class of Service (CoS)—Overview

the edges of the network might be required to alter the CoS settings of the packets that enter the network to classify the packets into the appropriate service groups. Figure 130 on page 4421 represents the network scenario of an enterprise. Switch A is receiving traffic from various network nodes such as desktop computers, servers, surveillance cameras, and VoIP telephones. As each packet enters, Switch A examines the packet’s CoS settings and classifies the traffic into one of the groupings defined by the enterprise. This definition allows Switch A to prioritize resources for servicing the traffic streams it receives. Switch A might alter the CoS settings of the packets to better match the enterprise’s traffic groups. When Switch B receives the packets, it examines the CoS settings, determines the appropriate traffic groups, and processes the packets according to those settings. It then transmits the packets to Switch C, which performs the same actions. Switch D also examines the packets and determines the appropriate groups. Because Switch D sits at the far end of the network, it can rewrite the CoS bits of the packets before transmitting them.

Figure 130: Packet Flow Across the Network

Default CoS Behavior on EX Series Switches If you do not configure any CoS settings on the switch, the software performs some CoS functions to ensure that user traffic and protocol packets are forwarded with minimum delay when the network is experiencing congestion. Some CoS settings, such as classifiers, are automatically applied to each logical interface that you configure. Other settings, such as rewrite rules, are applied only if you explicitly associate them with an interface. Related Documentation

•


•


•


•

Example: Combining CoS with MPLS on EX Series Switches on page 4470


4421

®


Understanding Junos OS CoS Components for EX Series Switches This topic describes the Juniper Networks Junos operating system (Junos OS) class-of-service (CoS) components for Juniper Networks EX Series Ethernet Switches: •

Code-Point Aliases on page 4422

•

Policers on page 4422

•

Classifiers on page 4422

•

Forwarding Classes on page 4423

•

Tail Drop Profiles on page 4423

•

Schedulers on page 4423

•

Rewrite Rules on page 4423

Code-Point Aliases A code-point alias assigns a name to a pattern of code-point bits. You can use this name instead of the bit pattern when you configure other CoS components such as classifiers, drop-profile maps, and rewrite rules.

Policers Policers limit traffic of a certain class to a specified bandwidth and burst size. Packets exceeding the policer limits can be discarded. You define policers with filters that can be associated with input interfaces. For more information about policers, see “Understanding the Use of Policers in Firewall Filters” on page 4292.

NOTE: You can configure policers to discard packets that exceed the rate limits. If you want to configure CoS parameters such as loss-priority and forwarding-class, you must use firewall filters.

Classifiers Packet classification associates incoming packets with a particular CoS servicing level. In Juniper Networks Junos operating system (Junos OS), classifiers associate packets with a forwarding class and loss priority and assign packets to output queues based on the associated forwarding class. Junos OS supports two general types of classifiers:

4422

•

Behavior aggregate or CoS value traffic classifiers—Examines the CoS value in the packet header. The value in this single field determines the CoS settings applied to the packet. BA classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services code point (DSCP) value, IP precedence value, and IEEE 802.1p value.

•

Multifield traffic classifiers—Examines multiple fields in the packet such as source and destination addresses and source and destination port numbers of the packet. With



multifield classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.

Forwarding Classes Forwarding classes group the packets for transmission. Based on forwarding classes, you assign packets to output queues. Forwarding classes affect the forwarding, scheduling, and marking policies applied to packets as they transit a switch. By default, four categories of forwarding classes are defined: best effort, assured forwarding, expedited forwarding, and network control. For EX Series switches, 16 forwarding classes are supported, providing granular classification capability.

Tail Drop Profiles Drop profile is a mechanism that defines parameters that allow packets to be dropped from the network. Drop profiles define the meanings of the loss priorities. When you configure drop profiles you are essentially setting the value for queue fullness. The queue fullness represents a percentage of the queue used to store packets in relation to the total amount that has been allocated for that specific queue. Loss priorities set the priority of dropping a packet. Loss priority affects the scheduling of a packet without affecting the packet’s relative ordering. You can use the loss priority setting to identify packets that have experienced congestion. Typically you mark packets exceeding some service level with a high loss priority.

Schedulers Each switch interface has multiple queues assigned to store packets. The switch determines which queue to service based on a particular method of scheduling. This process often involves determining which type of packet should be transmitted before another. You can define the priority, bandwidth, delay buffer size, and tail drop profiles to be applied to a particular queue for packet transmission. A scheduler map associates a specified forwarding class with a scheduler configuration. You can associate up to four user-defined scheduler maps with the interfaces.

Rewrite Rules A rewrite rule sets the appropriate CoS bits in the outgoing packet, thus allowing the next downstream device to classify the packet into the appropriate service group. Rewriting, or marking, outbound packets is useful when the switch is at the border of a network and must alter the CoS values to meet the policies of the targeted peer.

NOTE: Rewrite rules are applied when the packets are routed. Rewrite rules are not applied when the packets are forwarded. Egress firewall filters can also assign forwarding class and loss priority so that the packets are rewritten based on forwarding class and loss priority.


4423

®



•


•


•


•


•


•

Understanding CoS Two-Color Marking on page 4439

•


•


Understanding CoS Code-Point Aliases A code-point alias assigns a name to a pattern of code-point bits. You can use this name instead of the bit pattern when you configure other CoS components such as classifiers, drop-profile maps, and rewrite rules. Behavior aggregate classifiers use class-of-service (CoS) values such as Differentiated Services code points (DSCPs), IP precedence, and IEEE 802.1p bits to associate incoming packets with a particular CoS servicing level. On a switch, you can assign a meaningful name or alias to the CoS values and use this alias instead of bits when configuring CoS components. These aliases are not part of the specifications but are well known through usage. For example, the alias for DSCP 101110 is widely accepted as ef (expedited forwarding). When you configure classes and define classifiers, you can refer to the markers by alias names. You can configure user-defined classifiers in terms of alias names. If the value of an alias changes, it alters the behavior of any classifier that references it. This topic covers: •

Default Code-Point Aliases on page 4424

Default Code-Point Aliases Table 488 on page 4424 shows the default mappings between the bit values and standard aliases.

Table 488: Default Code-Point Aliases CoS Value Types

Mapping

DSCP CoS Values ef

101110

af11

001010

af12

001100

4424



Table 488: Default Code-Point Aliases (continued) CoS Value Types

Mapping

af13

001110

af21

010010

af22

010100

af23

010110

af31

011010

af32

011100

af33

011110

af41

100010

af42

100100

af43

100110

be

000000

cs1

001000

cs2

010000

cs3

011000

cs4

100000

cs5

101000

nc1/cs6

110000

nc2/cs7

111000

IEEE 802.1p CoS Values be

000

be1

001

ef

100

ef1

101

af11

010


4425

®


Table 488: Default Code-Point Aliases (continued) CoS Value Types

Mapping

af12

011

nc1/cs6

110

nc2/cs7

111

Legacy IP Precedence CoS Values be

000

be1

001

ef

010

ef1

011

af11

100

af12

101

nc1/cs6

110

nc2/cs7

111


4426

•


•


•

Defining CoS Code-Point Aliases (CLI Procedure) on page 4486

•

Defining CoS Code-Point Aliases (J-Web Procedure) on page 4484



Understanding CoS Classifiers Packet classification associates incoming packets with a particular class-of-service (CoS) servicing level. Classifiers associate packets with a forwarding class and loss priority, and packets are associated to an output queue based on the forwarding class. There are two general types of classifiers: •

Behavior aggregate (BA) classifiers

•

Multifield (MF) classifiers

You can configure both a BA classifier and an MF classifier on an interface. If you do this, the BA classification is performed first and then the MF classification. If the two classification results conflict, the MF classification result overrides the BA classification result. On Juniper Networks EX8200 Ethernet Switches, you can specify BA classifiers for bridged multidestination traffic and for IP multidestination traffic. A BA classifier for multicast packets is applied to all interfaces on the EX8200 switch.

NOTE: EX8200 switches implement the on-demand allocation of memory space for ternary content addressable memory (TCAM) so that when additional TCAM space is required for CoS classifiers, it is allocated from the free TCAM space or from the unused TCAM space. An error log message is generated when you configure CoS classifiers to use memory space that exceeds the available TCAM space that includes both the free and unused space.


Behavior Aggregate Classifiers on page 4427

•

Multifield Classifiers on page 4429

Behavior Aggregate Classifiers The behavior aggregate classifier maps packets to a forwarding class and a loss priority. The forwarding class determines the output queue for a packet. The loss priority is used by a scheduler to control packet discard during periods of congestion. There are three types of BA classifiers: •

Differentiated Services Code Point (DSCP) for IP DiffServ

•

IP precedence bits

•

IEEE 802.1p CoS bits

BA classifiers are based on fixed-length fields, which makes them computationally more efficient than MF classifiers. Therefore core devices, which handle high traffic volumes, are normally configured to perform BA classification.


4427

®


Default Behavior Aggregate Classification Juniper Networks Junos operating system (Junos OS) automatically assigns implicit default BA classifiers to logical interfaces based on the type of interface. Table 489 on page 4428 lists different types of interfaces and the corresponding implicit default BA classification.

Table 489: Default BA Classification Type of Interface

Default BA Classification

Trunk and Circuit Cross-Connect (CCC) interfaces

ieee8021p-default

NOTE: This BA classification for a CCC interface is applicable only for EX8200 switches. Layer 3 interface (IPv4)

dscp-default

Layer 3 interface (IPv6)

dscp-ipv6-default

Access interface

Untrusted


No default classification

MPLS

EXP NOTE: This BA classification is applicable only for EX8200 switches.

When you explicitly associate a BA classifier with a logical interface, you are overriding the implicit (default) BA classifier with an explicit BA classifier. Table 490 on page 4428 describes the BA classifier types you can configure on Layer 2 and Layer 3 interfaces.

Table 490: Allowed BA Classification Type of Interface

Allowed BA Classification

Layer 2 interface

IEEE 802.1p, IP precedence, DSCP, DSCP IPv6


IEEE 802.1p, IP precedence, DSCP


IEEE 802.1p, IP precedence, DSCP IPv6

You can configure all the allowed classifier types on the same logical interface or on different logical interfaces. If you need to apply all classifier rules on the same logical interface, configure the classifier rules allowed for both IPv4 and IPv6 on the logical interface.

4428



If you have not explicitly configured a classifier on a logical interface, the default classifiers are assigned and classification works as follows: •

To a logical interface configured with an IPv4 address, a DSCP classifier is assigned by default, and IPv4 and IPv6 packets are classified using the DSCP classifier.

•

To logical interface configured with an IPv6 address, a DSCP IPv6 classifier is assigned by default, and IPv4 and IPv6 packets are classified using the DSCP IPv6 classifier.

NOTE: On EX8200 switches, you can configure either one classifier of type DSCP or IEEE802.1p, or you can configure one classifier each of type DSCP and IEEE802.1p.

You can configure routed VLAN interfaces (RVIs) to classify packets. After you do this, the User Priority (UP) bits in the incoming packets are rewritten according to the default IEEE 802.1p rewrite rule, except on EX8200 switches. On EX8200 switches, you must explicitly assign the default IEEE 802.1p rewrite rule to RVIs.

NOTE: By default, all BA classifiers classify traffic into either the best-effort forwarding class or the network-control forwarding class.

Multifield Classifiers Multifield classifiers examine multiple fields in a packet such as source and destination addresses and source and destination port numbers of the packet. With MF classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules. MF classification is normally performed at the network edge because of the general lack of support for DSCP or IP precedence classifiers in end-user applications. On an edge switch, an MF classifier provides the filtering functionality that scans through a variety of packet fields to determine the forwarding class for a packet. Typically, any classifier performs matching operations on the selected fields against a configured value. Related Documentation

•


•


•


•



4429

®


Understanding CoS Forwarding Classes Class-of-Service (CoS) forwarding classes can be thought of as output queues. In effect, the result of classifying packets is the identification of an output queue for a particular packet. For a classifier to assign an output queue to a packet, it must associate the packet with one of the following forwarding classes: •

best-effort (be)—Provides no service profile. Loss priority is typically not carried in a CoS value.

•

expedited-forwarding (ef)—Provides a low loss, low latency, low jitter, assured bandwidth, end-to-end service.

•

assured-forwarding (af)—Provides a group of values you can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with two drop probabilities: low and high.

•

network-control (nc)—Supports protocol control and thus is typically high priority.

•

multicast best-effort (mcast-be)—Provides no service profile for multicast packets.

•

multicast expedited forwarding (mcast-ef)—Supports high-priority multicast packets.

•

multicast assured-forwarding (mcast-af)—Provides two drop profiles; high, and low, for multicast packets.

NOTE: The forwarding classes multicast expedited-forwarding, multicast assured-forwarding, and multicast best-effort are applicable only to Juniper Networks EX8200 Ethernet Switches.

Juniper Networks EX Series Ethernet Switches support up to 16 forwarding classes, thus allowing granular packet classification. For example, you can configure multiple classes of expedited forwarding (EF) traffic such as EF, EF1, and EF2. EX Series switches support up to eight output queues. Therefore, if you configure more than eight forwarding classes, you must map multiple forwarding classes to single output queues. On EX8200 Virtual Chassis, you can configure only eight forwarding classes and you can assign only one forwarding class to each output queue.

NOTE: On EX8200 Virtual Chassis, the queue number seven carries Virtual Chassis port (VCP) traffic and can also carry high-priority user traffic.


Default Forwarding Classes on page 4430

Default Forwarding Classes Table 491 on page 4431 shows the four default forwarding classes defined for unicast traffic, and Table 492 on page 4431 shows the three default forwarding classes defined for multicast traffic.

4430



NOTE: The default forwarding classes for multicast traffic are applicable only to EX8200 switches.

You can rename the forwarding classes associated with the queues supported on your switch. Assigning a new class name to an output queue does not alter the default classification or scheduling that is applicable to that queue. However, because CoS configurations can be quite complicated, we recommend that you avoid altering the default class names or queue number associations.

Table 491: Default Forwarding Classes for Unicast Traffic Forwarding Class Name

Comments

best-effort (be)

The software does not apply any special CoS handling to packets with 000000 in the DiffServ field. This is a backward compatibility feature. These packets are usually dropped under congested network conditions.

expedited-forwarding (ef)

The software delivers assured bandwidth, low loss, low delay, and low delay variation (jitter) end-to-end for packets in this service class. The software accepts excess traffic in this class, but in contrast to the assured forwarding class, the out-of-profile expedited-forwarding class packets can be forwarded out of sequence or dropped.

assured-forwarding (af)

The software offers a high level of assurance that the packets are delivered as long as the packet flow from the customer stays within a certain service profile that you define. The software accepts excess traffic, but it applies a tail drop profile to determine that excess packets are dropped, and not forwarded. Two drop probabilities (low and high) are defined for this service class.

network-control (nc)

The software delivers packets in this service class with a high priority. (These packets are not delay-sensitive.) Typically, these packets represent routing protocol hello or keep alive messages. Because loss of these packets jeopardizes proper network operation, packet delay is preferable to packet discard for these packets.

Table 492: Default Forwarding Classes for Multicast Traffic Forwarding Class Name

Comments

multicast best-effort (mcast-be)

The software does not apply any special CoS handling to multicast packets. These packets are usually dropped under congested network conditions.

multicast expedited-forwarding (mcast-ef)

The software delivers assured bandwidth, low loss, low delay, and low delay variation (jitter) end-to-end for multicast packets in this service class. The software accepts excess traffic in this class, but in contrast to the multicast assured forwarding class, out-of-profile multicast expedited-forwarding class packets can be forwarded out of sequence or dropped.


4431

®


Table 492: Default Forwarding Classes for Multicast Traffic (continued) Forwarding Class Name

Comments

multicast assured-forwarding (mcast-af)

The software offers a high level of assurance that the multicast packets are delivered as long as the packet flow from the customer stays within a certain service profile that you define. The software accepts excess traffic, but it applies a tail drop profile to determine if the excess packets are dropped and not forwarded. Two drop probabilities (low and high) are defined for this service class.

The following rules govern queue assignment:


4432

•

CoS configurations that specify more queues than the switch can support are not accepted. If you commit such a configuration, the commit fails and a message displays that states the number of queues available.

•

All default CoS configurations are based on queue number. The name of the forwarding class that is displayed in the default configuration for a queue number is that of the forwarding class currently associated with that queue.

•


•


•


•


•




Understanding CoS Tail Drop Profiles Tail drop profile is a congestion management mechanism that allows switch to drop arriving packets when queue buffers become full or begin to overflow. Tail drop profiles define the meanings of the loss priorities. When you configure tail drop profiles you are essentially setting the value for queue fullness. The queue fullness represents a percentage of the memory used to store packets in relation to the total amount that has been allocated for that specific queue. The queue fullness defines the delay-buffer bandwidth, which provides packet buffer space to absorb burst traffic up to the specified duration of delay. Once the specified delay buffer becomes full, packets with 100 percent drop probability are dropped from the tail of the buffer. On Juniper Networks EX Series Ethernet Switches, drop probability is implicitly set to 100 percent and it cannot be modified. You specify drop probabilities in the drop profile section of the CoS configuration hierarchy and reference them in each scheduler configuration. By default, if you do not configure any drop profile, tail drop profile is in effect and functions as the primary mechanism for managing congestion. In the default tail drop profile, when the fill level is 0 percent, the drop probability is 0 percent. When the fill level is 100 percent, the drop probability is 100 percent.

NOTE: The default drop profile associated with the packets whose loss priority is low cannot be modified. You can configure custom drop profile only for those packets whose loss priority is high.


•


•


•



4433

®


Understanding CoS Schedulers You use class-of-service (CoS) schedulers to define the properties of output queues on Juniper Networks EX Series Ethernet Switches. These properties include the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the drop profiles associated with the queue. You associate the schedulers with forwarding classes by means of scheduler maps. You can then associate each scheduler map with an interface, thereby configuring the queues, packet schedulers, and tail drop processes that operate according to this mapping. This topic describes: •

Default Schedulers on page 4434

•

Transmission Rate on page 4435

•

Scheduler Buffer Size on page 4435

•

Priority Scheduling on page 4435

•

Scheduler Drop-Profile Maps on page 4436

•

Scheduler Maps on page 4436

Default Schedulers Each forwarding class has an associated scheduler priority. On EX Series switches other than Juniper Networks EX8200 Ethernet switches, only two forwarding classes, best-effort (queue 0) and network-control (queue 7) are used in the default configuration. On EX8200 switches three forwarding classes—best-effort (queue 0), multicast best-effort (queue 2), and network-control (queue 7)—are used in the default configuration. By default on EX Series switches other than EX8200 switches, the best-effort forwarding class (queue 0) receives 95 percent of the bandwidth and the buffer space for the output link, and the network-control forwarding class (queue 7) receives 5 percent. The default drop profile causes the buffer to fill completely and then to discard all incoming packets until it has free space. On EX8200 switches, by default, the best-effort forwarding class (queue 0) receives 75 percent of the bandwidth, the multicast best-effort forwarding class (queue 2) receives 20 percent, and the network-control forwarding class (queue 7) receives 5 percent of the bandwidth and buffer space for the output link. The expedited-forwarding (queue 5) and assured-forwarding (queue 1) classes have no scheduler because no resources are assigned to queue 5 and queue 1, by default. However, you can manually configure resources for the expedited-forwarding and assured-forwarding classes. Also by default, each queue can exceed the assigned bandwidth if additional bandwidth is available from other queues. When a forwarding class does not fully use the allocated transmission bandwidth, the remaining bandwidth can be used by other forwarding classes if they have a traffic load that exceeds their allocated bandwidth.

4434



Transmission Rate Transmission-rate control determines the actual traffic bandwidth from each forwarding class you configure. The transmission rate is specified in bits per second. Each queue is allocated some portion of the bandwidth of the interface. This bandwidth can be a fixed value, such as 1 megabit per second (Mbps), a percentage of the total available bandwidth, or the rest of the available bandwidth. In case of congestion, a configured transmission rate is guaranteed for the queue. Transmission-rate control allows you to ensure that each queue receives the bandwidth appropriate to its level of service.

Scheduler Buffer Size To control congestion at the output stage, you can configure the delay-buffer bandwidth by using the buffer-size configuration statement. The delay-buffer bandwidth provides packet buffer space to absorb burst traffic up to the specified duration of delay. Once the specified delay buffer becomes full, packets with 100 percent drop probability are dropped from the tail of the buffer. On EX Series switches other than EX8200 switches, the default scheduler transmission rates for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent of the total available bandwidth. The default buffer-size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent of the total available buffer. On EX8200 switches, the default scheduler transmission rates for queues 0 through 7 are 75, 0, 20, 0, 0, 0, 0, and 5 percent of the total available bandwidth, and the default buffer-size percentages for queues 0 through 7 are 75, 0, 20, 0, 0, 0, 0, and 5 percent of the total available buffer. For each scheduler on EX Series switches other than EX8200 switches, you can configure the buffer size as one of the following: •

The exact buffer size.

•

A percentage of the total buffer.

•

The remaining buffer available. The remainder is the buffer percentage that is not assigned to other queues. For example, if you assign 40 percent of the delay buffer to queue 0, allow queue 2 to keep the default allotment of 20 percent, allow queue 7 to keep the default allotment of 5 percent, and assign the remainder to queue 3, then queue 3 uses 35 percent of the delay buffer.

On EX8200 switches, you can configure the buffer size as a temporal value (in microseconds), percentage of the total buffer, or the remaining buffer available.

Priority Scheduling Priority scheduling determines the order in which an interface transmits traffic from the queues, thus ensuring that queues containing important traffic are provided better access to the interface. Priority scheduling is accomplished through a procedure in which the scheduler examines the priority of the queue. The Juniper Networks Junos operating system (Junos OS) supports two levels of transmission priority:


4435

®


•

Low—The scheduler determines whether the individual queue is within its defined bandwidth profile. This binary decision, which is re-evaluated on a regular time cycle, compares the amount of data transmitted by the queue against the bandwidth allocated to it by the scheduler. When the transmitted amount is less than the allocated amount, the queue is considered to be in profile. A queue is out of profile when the amount of traffic that it transmits is larger than the queue’s allocated limit. An out-of-profile queue is transmitted only if bandwidth is available. Otherwise, it is buffered. A queue from a set of queues is selected based on the shaped deficit weighted round robin (SDWRR) algorithm, which operates within the set.

•

Strict-high—A strict-high priority queue receives preferential treatment over a low-priority queue. Unlimited bandwidth is assigned to a strict-high priority queue. Queues are scheduled according to the queue number, starting with the highest queue, 7, with decreasing priority down through queue 0. Traffic in higher-numbered queues is always scheduled prior to traffic in lower-numbered queues. In other words, in case of two high-priority queues, the queue with the higher queue number is processed first.

Packets in low-priority queues are transmitted only when strict-high priority queues are empty.

Scheduler Drop-Profile Maps Drop-profile maps associate drop profiles with a scheduler. A drop-profile map sets the drop profile for a specific packet loss priority (PLP) and protocol type. The inputs for a drop-profile map are the PLP and the protocol type. The output is the drop profile.

Scheduler Maps A scheduler map associates a specified forwarding class with a scheduler configuration. After configuring a scheduler, you must include it in a scheduler map and then associate the scheduler map with an output interface. If you configure more than the supported number of scheduler maps on a switch or for a port group in a line card, an error is logged in the system log (syslog). On any interface in a port group on a line card or on a switch, if you configure a scheduler map that causes the number of scheduler maps for that port group to exceed the maximum number supported, the default scheduler map is bound to that interface. We recommend that you check the system log for errors (if any) after the commit operation to verify that you have not configured more than the maximum permitted number of scheduler maps.

NOTE: On EX Series switches, you cannot configure a scheduler map on an individual interface that is a member of a link aggregation group (LAG). Instead, you must configure the scheduler map on the LAG itself (that is, on the aggregated Ethernet (ae) interface).

Table 493 on page 4437 shows the number of scheduler maps supported for each port group in a switch or line card.

4436



Table 493: Support for Scheduler Maps on Switches and Line Cards Number of Scheduler Maps Supported for Each Port Group

Switch/Line Card

Number of Port Groups

Port Grouping Details

EX2200-24T and EX2200-24P switches

1

Ports 0–23 and 4 uplink SFP ports form a port group

5


2

•

Ports 0–23 and uplink SFP ports 0 and 1 form a port group

5

•

Ports 24–47 and uplink SFP ports 2 and 3 form a port group

•

Ports 0–23 and the uplink ports form a port group


1

4

NOTE: Uplink ports include 2 uplink SFP+ or XFP ports, or 4 uplink SFP ports EX2200-C-12T and EX2200-C-12P switches

1

Port 0-11 and 2 uplink ports for a port group

6


1

•

4

Ports 0–23 and the uplink ports form a port group

NOTE: Uplink ports include 2 uplink SFP+ or XFP ports or 4 uplink SFP ports



2

3


2

EX4500-40F switch

2


•

Ports 0-23 and 1 uplink SFP+ or XFP port or 4 uplink SFP ports form a port group

•

Ports 24–47 and 1 uplink SFP+ or XFP port form a port group

•

Ports 0–23 form a port group

•


•

2 uplink SFP+ or XFP ports or 4 uplink SFP ports form a port group

•


•

2 uplink SFP+ or XFP ports or 4 uplink SFP ports form a port group

•

SFP or SFP+ ports 0–19 and First uplink SFP or SFP+ ports 0–4 form a port group

•

SFP or SFP+ ports 20-39 and Second uplink SFP or SFP+ ports 0-4 form a port group

4

4

4

4

4437

®


Table 493: Support for Scheduler Maps on Switches and Line Cards (continued)

Switch/Line Card



Number of Scheduler Maps Supported for Each Port Group

EX6200-48T (48-port RJ-45) and EX6200-48P (48-port PoE+) line cards

2

•

Ports 0-23 form a port group

5

•

Ports 24-47 form a port group

EX6210-SRE

1

SFP+ ports 0-3 form a port group

4

EX8200-8XS (8-port SFP+) line card

4

•

SFP+ ports 0 and 1 form a port group

6

•


•


•


•

SFP+ ports 0–4 form a port group

•


•


•


•


•


•


•


•

SFP or RJ-45 ports 0–23 form a port group

•

SFP or RJ-45 ports 24–47 form a port group

•

Ports 0–19 and SFP ports 0 and 1 form a port group

•


•

2 SFP+ ports form a port group

EX8200-40XS (40-port SFP+) line card

8

EX8200-48-F (48-port SFP) and EX8200-48T (48-port RJ-45) line cards

2

EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+) line card

3

4438

6

6

5

6



Table 493: Support for Scheduler Maps on Switches and Line Cards (continued)

Switch/Line Card



Number of Scheduler Maps Supported for Each Port Group

EX8200-2XS-40T (40-port RJ-45 with 4-port SFP and 2-port SFP+) line card

3

•

Ports 0–19 and SFP ports 0–1 form a port group

5

•


•

2 SFP+ ports form a port group

6

•

PoE+ or RJ-45 ports 0–23 form a port group

5

•

PoE+ or RJ-45 ports 24–47 form a port group

EX8200-48PL (48-port PoE+ 20 Gbps) and EX8200-48TL (48-port RJ-45 20 Gbps) line cards


2

•


•


•


•

Defining CoS Schedulers (J-Web Procedure) on page 4494

Understanding CoS Two-Color Marking Networks police traffic by limiting the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Policing traffic allows you to control the maximum rate of traffic sent or received on an interface and to partition a network into multiple priority levels or classes of service. Policers require you to apply limits to the traffic flow and set a consequence for packets that exceed these limits—usually a higher loss priority, so that packets exceeding the policer limits are discarded first. Juniper Networks EX Series Ethernet Switches support a single-rate two-color marking type of policer, which is a simplified version of Single-Rate-Three-Color marking, defined in RFC 2697, A Single Rate Three Color Marker. This type of policer meters traffic based on the configured committed information rate (CIR) and committed burst size (CBS). The single-rate two-color marker meters traffic and marks incoming packets depending on whether they are smaller than the committed burst size (CBS)—marked green—or exceed it— marked red. The single-rate two-color marking policer operates in color-blind mode. In this mode, the policer's actions are not affected by any previous marking or metering of the examined packets. In other words, the policer is “blind? to any previous coloring a packet might have had.


4439

®



•


•


•


Understanding CoS Rewrite Rules As packets enter or exit a network, edge switches might be required to alter the class-of-service (CoS) settings of the packets. This topic describes how to use rewrite rules to alter the CoS settings. It covers: This topic covers: •

How Rewrite Rules Work on page 4440

•

Default Rewrite Rule on page 4441

How Rewrite Rules Work Rewrite rules set the value of the CoS bits within a packet’s header. Each rewrite rule reads the current forwarding class and loss priority associated with the packet, locates the chosen CoS value from a table, and writes this CoS value into the packet header. For rewrites to occur, rewrite rules must be explicitly assigned to an interface. Only tagged Layer 3 interfaces and tagged routed VLAN interfaces (RVIs) automatically rewrite packets by using the default IEEE 802.1p rewrite rule. Multiple rewrite rules of different types can be assigned to a single interface.

NOTE: On Juniper Networks EX8200 Ethernet Switches, tagged Layer 3 interfaces and tagged RVIs do not automatically rewrite packets using the default IEEE 802.1p rewrite rule. You must explicitly assign the IEEE 802.1p rewrite rule to these interfaces for rewrites to occur. Also, only one rewrite rule of each type can be assigned to any interface on an EX8200 switch.

In effect, the rewrite rule performs the opposite function of the behavior aggregate (BA) classifier, which is used when the packet enters the switch. As the packet leaves the switch, the final CoS action is generally the application of a rewrite rule. You configure rewrite rules to alter CoS values in outgoing packets on the outbound interfaces of an edge switch to meet the policies of a targeted peer. This allows the downstream switch in a neighboring network to classify each packet into the appropriate service group.

NOTE: When an IP precedence rewrite rule is active, bits 3, 4, and 5 of the type-of-service (ToS) byte are always reset to zero when code points are rewritten.

4440



Default Rewrite Rule To define a rewrite rule on an interface, you can either create your own rewrite rule and enable it on the interface or enable a default rewrite rule. See “Defining CoS Rewrite Rules (CLI Procedure)” on page 4500. Table 494 on page 4441 shows the default rewrite-rule mappings. These are based on the default bit definitions of Differentiated Services code point (DSCP), IEEE 802.1p, and IP precedence values and the default forwarding classes. You can configure multiple CoS rewrite rules for DSCP, IP precedence and IEEE 802.1p.

NOTE: By default, rewrite rules are not assigned to an interface. You must explicitly assign a user-defined or system-defined rewrite rule to an interface for the rewrites to occur.

When the CoS values of a packet match the forwarding class and packet-loss-priority (PLP) values, the switch rewrites markings on the packet based on the rewrite table.

Table 494: Default Packet Header Rewrite Mappings Map from Forwarding Class

PLP Value

Map to DSCP/IEEE 802.1p/IP Precedence Value


low

ef


high

ef

assured-forwarding

low

af11

assured-forwarding

high

af12 (DSCP)

best-effort

low

be

best-effort

high

be

network-control

low

nc1/cs6

network-control

high

nc2/cs7


•


•


•

Defining CoS Rewrite Rules (CLI Procedure) on page 4500

•

Defining CoS Rewrite Rules (J-Web Procedure) on page 4501


4441

®


Understanding Port Shaping and Queue Shaping for CoS on EX Series Switches If the amount of traffic on a switch's network interface is more than the maximum bandwidth allowed on the interface, it leads to congestion. Port shaping and queue shaping can be used to manage the excess traffic and avoid congestion. Port shaping defines the maximum bandwidth allocated to a port, while queue shaping defines a limit on excess-bandwidth usage per queue. This topic covers: •

Port Shaping on page 4442

•

Queue Shaping on page 4442

Port Shaping Port shaping enables you to shape the aggregate traffic through a port or channel to a rate that is less than the line or port rate. When you configure a shaping rate on an aggregated Ethernet (ae) interface, all members of the ae interface are shaped at the configured shaping rate. For example, consider an ae0 interface that consists of ge-0/0/0, ge-0/0/1, and ge-0/0/2 interfaces. If a shaping rate of X Mpbs is configured on ae0, traffic at the rate of X Mpbs flows through each of the three interfaces. Therefore, the total traffic flowing through ae0 would be 3X Mbps.

Queue Shaping Queue shaping throttles the rate at which queues transmit packets. For example, using queue shaping, you can rate-limit a strict-priority queue so that the strict-priority queue does not lock out (or starve) low-priority queues. Similarly, for any queue, you can configure queue shaping. Related Documentation

•


•


Understanding Junos OS EZQoS for CoS Configurations on EX Series Switches Junos operating system (Junos OS) EZQoS on Juniper Networks EX Series Ethernet Switches eliminates the complexities involved in configuring class of service (CoS) across the network. EZQoS offers templates for key traffic classes. Junos OS CoS allows you to divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs. You can use CoS to ensure that different types of traffic (voice, video, and data) get the bandwidth and consideration they need to meet user expectations and business objectives. Configuring CoS requires careful consideration of your service needs and thorough planning and design to ensure consistency across all switches in a CoS domain. To configure CoS manually, you must define and fine-tune all CoS components such as classifiers, rewrite rules, forwarding classes, schedulers, and scheduler-maps and then apply these

4442



components to the interfaces. Therefore, configuring CoS can be a fairly complex and time-consuming task. EZQoS works by automatically assigning preconfigured values to all CoS parameters based on the typical application requirements. These preconfigured values are stored in a template with a unique name. You can change the preconfigured values of these parameters to suit your particular application needs. For using EZQoS, you must identify which switch ports are being used for a specific application (such as VoIP, video, and data) and manually apply the corresponding application-specific EZQoS template to these switch ports.

NOTE: Currently, we provide an EZQoS template for configuring CoS for VoIP.

NOTE: We recommend that you do not use the term EZQoS for defining a classifier.


•


•

Configuring Junos OS EZQoS for CoS (CLI Procedure) on page 4505

Understanding Using CoS with MPLS Networks on EX Series Switches You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. See EX Series Switch Software Features Overview for a complete list of the Junos OS MPLS features that are supported on specific EX Series switches. Juniper Networks EX Series Ethernet Switches support Differentiated Service Code Point (DSCP) or IP precedence and IEEE 802.1p CoS classifiers on the customer-edge interfaces of the ingress provider edge (PE) switch. DSCP or IP precedence classifiers are used for Layer 3 packets. IEEE 802.1p is used for Layer 2 packets. When a packet enters a customer-edge interface of the ingress PE switch, the switch associates the packet with a particular CoS servicing level before putting the packet onto the label-switched path (LSP). The switches within the LSP utilize the CoS value set at the ingress PE switch. The CoS value that was embedded in the classifier is translated and encoded in the MPLS header by means of the EXP or experimental bits. EX Series switches enable a default EXP classifier and a default EXP rewrite rule. For more information about EXP classifiers and EXP rewrite rules, see EXP Classifiers and EXP rewrite Rules. This topic includes: •

EXP Classifiers and EXP rewrite Rules on page 4444

•

Guidelines for Using CoS Classifiers on CCCs on page 4444


4443

®


•

Using CoS Classifiers with IP over MPLS on page 4445

•

Setting CoS Bits in an MPLS Header on page 4445

•

EXP Rewrite Rules on page 4446

•

Policer on page 4447

•


EXP Classifiers and EXP rewrite Rules EX Series switches enable a default EXP classifier and a default EXP rewrite rule. You can configure a custom EXP classifier and a custom EXP rewrite rule if you prefer. However, the switch supports only one type of EXP classifier (default or custom) and only one EXP rewrite rule (default or custom). You do not bind the EXP classifier or the EXP rewrite rule to individual interfaces. The switch automatically and implicitly applies the default or the custom EXP classifier and the default or the custom EXP rewrite rule to the appropriate MPLS-enabled interfaces. Because rewrite rules affect only egress interfaces, the switch applies the EXP rewrite rule only to those MPLS interfaces that are transmitting MPLS packets (not to the MPLS interfaces that are receiving the packets).

Guidelines for Using CoS Classifiers on CCCs When you are configuring CoS for MPLS over circuit cross-connect (CCC), there are some additional guidelines, as follows:

4444

•

You must explicitly bind a CoS classifier to the CCC interface on the ingress PE switch.

•

You must use the same DSCP, IP precedence, or IEEE 802.1p classifier on CCC interfaces. However, if the CCC interfaces are on the same switch, you cannot configure both a DSCP and an IP precedence classifier on these interfaces. Thus, if you configure one CCC interface to use a DSCP classifier DSCP1, you cannot configure another CCC interface to use another DSCP classifier DSCP2. All the CCC interfaces on the switch must use the same DSCP (or IP precedence) classifier and the same IEEE 802.1p classifier.

•

You cannot configure one CCC interface to use a DSCP classifier and another CCC interface to use an IP precedence classifier, because these classifier types overlap.

•

You can configure one CCC interface to use a DSCP classifier and another CCC interface to use IEEE 802.1p classifier.

•

You can configure one CCC interface to use both a DSCP and an IEEE 802.1p classifier. If you configure a CCC interface to use both these classifiers, the DSCP classifier is used for routing Layer 3 packets and the IEEE 802.1p classifier is used for routing Layer 2 packets.

•

You can configure one CCC interface to use both an IP precedence and an IEEE 802.1p classifier. If you configure a CCC interface to use both these classifiers, the IP precedence classifier is used for routing Layer 3 packets and the IEEE 802.1p classifier is used for routing Layer 2 packets.



NOTE: These guidelines are not applicable to Juniper Networks EX8200 Ethernet Switches (standalone or Virtual Chassis).

You can define multiple DSCP, IP precedence, and IEEE 802.1p classifiers for the non-CCC interfaces on a switch.

Using CoS Classifiers with IP over MPLS When you are configuring CoS for IP over MPLS, the customer-edge interface uses the CoS configuration for the switch as the default. You do not have to bind a classifier to the customer-edge interface in this case. There are no restrictions on using multiple DSCP, IP precedence, and IEEE 802.1p classifiers on the same switch. •

You can modify the CoS classifier for a particular interface, but it is not required.

•

You can configure a DSCP classifier, DSCP1 on the first interface, another DSCP classifier, DSCP2 on the second interface, and an IP precedence classifier on a third interface, and so forth.

Setting CoS Bits in an MPLS Header When traffic enters an LSP tunnel, the CoS bits in the MPLS header are set in one of two ways: •

The number of the output queue into which the packet was buffered and the packet loss priority (PLP) bit are written into the MPLS header and are used as the packet’s CoS value. This behavior is the default, and no configuration is required. The Junos OS Class of Service Configuration Guide explains the IP CoS values, and summarizes how the CoS bits are treated.

•

You set a fixed CoS value on all packets entering the LSP tunnel. A fixed CoS value means that all packets entering the LSP receive the same class of service.

The CoS value can be a decimal number from 0 through 7. This number corresponds to a 3-bit binary number. The high-order 2 bits of the CoS value select which transmit queue to use on the outbound interface card. The low-order bit of the CoS value is treated as the PLP bit and is used to select the RED drop profile to use on the output queue. If the low-order bit is 0, the non-PLP drop profile is used, and if the low-order bit is 1, the PLP drop profile is used. It is generally expected that random early detection (RED) will more aggressively drop packets that have the PLP bit set. For more information about RED and drop profiles, see the Junos OS Class of Service Configuration Guide.

NOTE: Configuring the PLP drop profile to drop packets more aggressively (for example, setting the CoS value from 6 to 7) decreases the likelihood of traffic getting through.


4445

®


Table 495 on page 4446 summarizes how MPLS CoS values correspond to the transmit queue and PLP bit. Note that in MPLS, the mapping between the CoS bit value and the output queue is hard-coded. You cannot configure the mapping for MPLS; you can configure it only for IPv4 traffic flows, as described in the Junos OS Class of Service Configuration Guide.

Table 495: MPLS CoS Values MPLS CoS Value

Bits

Transmit Queue

PLP Bit

0

000

0

Not set

1

001

0

Set

2

010

1

Not set

3

011

1

Set

4

100

2

Not set

5

101

2

Set

6

110

3

Not set

7

111

3

Set

Because the CoS value is part of the MPLS header, the value is associated with the packets only while they travel through the LSP tunnel. The value is not copied back to the IP header when the packets exit from the LSP tunnel.

NOTE: On EX8200 switches that run MPLS-based Layer 2 virtual private networks (VPNs): •

If you configure an LSP CoS, the EXP bits of the MPLS packet continue to use the same CoS values that are configured at the interface level.

•

For Virtual Chassis, if the input and output interfaces are on different line cards, then the loss priority value that you configured on the first line card is not carried to the subsequent line cards. The loss priority for the outgoing traffic from the subsequent line cards is always set to low.

EXP Rewrite Rules When traffic passes from the customer-edge interface to an MPLS interface, the DSCP, IP precedence, or IEEE 802.1p CoS classifier is translated into the EXP bits within the MPLS header. You cannot disable the default EXP rewrite rule, but you can configure your own custom EXP classifier and a custom EXP rewrite rule. You cannot bind the EXP classifier to individual MPLS interfaces; the switch applies it globally to all the MPLS-enabled interfaces on the switch.

4446



Only one EXP rewrite rule (either default or custom) is supported on a switch. The switch applies it to all the egress interfaces on which MPLS is enabled.. This is, however, not the case with EX8200 switches. With EX8200 switches, you must explicitly apply the rewrite rule on each of the egress interfaces.

Policer Policing helps to ensure that the amount of traffic forwarded through an LSP never exceeds the requested bandwidth allocation. During periods of congestion (when the total rate of queuing packets exceeds the rate of transmission), any new packets being sent to an interface can be dropped because there is no place to store them. You can configure a policer on the ingress PE switch to prevent this: •

If you are using MPLS over CCC, you bind the policer to the LSP. You cannot bind a policer to a CCC interface.

•

If you are using IP over MPLS, you bind the policer to the inet-family customer-edge interface. You cannot bind a policer to the LSP when you are using IP over MPLS.

NOTE: You cannot configure LSP policers on EX8200 switches.

Schedulers The schedulers for using CoS with MPLS are the same as for the other CoS configurations on EX Series switches. Default schedulers are provided for best-effort and network-control forwarding classes. If you are using assured-forwarding, expedited-forwarding, or any custom forwarding class, we recommend that you configure a scheduler to support that forwarding class. See “Understanding CoS Schedulers” on page 4434. Related Documentation

•


•


•

Configuring CoS on an MPLS Provider Edge Switch Using Circuit Cross-Connect (CLI Procedure) on page 4507

•

Configuring CoS on an MPLS Provider Edge Switch Using IP Over MPLS (CLI Procedure) on page 4506

•

Configuring Rewrite Rules for EXP Classifiers on MPLS Networks (CLI Procedure)

•

Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) on page 4511 Configuring CoS Bits for an MPLS Network (CLI Procedure) on page 4887


4447

®


Understanding CoS Queues on EX8200 Line Cards That Include Oversubscribed Ports Some line cards available for Juniper Networks EX8200 Ethernet Switches include oversubscribed ports that are combined in logical port groups that share bandwidth. These oversubscribed ports handle traffic differently than ports that provide continuous line-rate bandwidth. You might need to configure CoS queues differently for oversubscribed ports than for line-rate ports. This topic describes: •

Oversubscribed Ports on Line Cards on page 4448

•

EX8200 Line Cards That Include Oversubscribed Ports on page 4448

•

Ingress Queueing on page 4449

•

Egress Queues on page 4450

Oversubscribed Ports on Line Cards Oversubscribed ports on a line card are grouped into logical port groups. A port group collectively supports a certain bandwidth. An EX8200 switch supports different line cards that provide line-rate and oversubscribed ports. Based on your requirement, you can choose the appropriate line card for an EX8200 switch. Line cards are field-replaceable units (FRUs) that can be installed in the line card slots in an EX8200 switch. In a line-rate EX8200 line card, each port in the line card supports the same amount of bandwidth and a single port can utilize that complete bandwidth. In an oversubscribed line card, a group of ports collectively support a certain total bandwidth and each port in that group can use either a portion or all of the available bandwidth. However, the total utilization of bandwidth by the ports in the group cannot exceed the bandwidth available for that group. Because the port groups share bandwidth, class-of-service (CoS) ingress and egress queues are handled differently for these shared-bandwidth ports in logical port groups than they are for ports that individually support line-rate bandwidth. Some EX8200 line cards combine both port types, those that share bandwidth across port groups and those that individually support line-rate bandwidth.

EX8200 Line Cards That Include Oversubscribed Ports Table 496 on page 4448 lists EX8200 line cards that include oversubscribed ports in logical port groups.

Table 496: EX8200 Line Cards That Include Oversubscribed Ports Line Card Model

Name

Number of Oversubscribed Ports/Port Connector

EX8200-40XS

40-port SFP+

40 oversubscribed 10-gigabit SFP+ ports

4448



Table 496: EX8200 Line Cards That Include Oversubscribed Ports (continued) Number of Oversubscribed Ports/Port Connector

Line Card Model

Name

EX8200-2XS-40P

40-port PoE+ with 4-port SFP and 2-port SFP+

40 oversubscribed 10/100/1000 Gigabit Ethernet ports with RJ-45 connectors, four small form-factor pluggable (SFP) ports (in which you can install 1-gigabit SFP transceivers) and two SFP+ ports

EX8200-2XS-40T

40-port RJ-45 with 4-port SFP and 2-port SFP+

40 oversubscribed 10/100/1000 Gigabit Ethernet ports with RJ-45 connectors, four SFP ports (in which you can install 1-gigabit small form-factor pluggable (SFP) transceivers) and two SFP+ ports

EX8200-48PL

48-port PoE+ 20 Gbps

48 oversubscribed 10/100/1000 Gigabit Ethernet ports with RJ-45 connectors

EX8200-48TL

48-port RJ-45 20 Gbps

48 oversubscribed 10/100/1000 Gigabit Ethernet ports with RJ-45 connectors

Ingress Queueing Classification of packets occurs in two phases for the oversubscribed ports in the port groups. •

Preclassification of Packets and Port Ingress Queuing on page 4449

•

Full Classification of Packets and Fabric Ingress Queuing on page 4450

Preclassification of Packets and Port Ingress Queuing Packets entering ports are forwarded to one of the ingress queues. The ingress queues schedule traffic from ports into the Packet Forwarding Engine. The ingress queues are: •

Low-priority queue—Each interface in the line card has one low-priority queue. Traffic on these queues is scheduled using the shaped deficit weighted round-robin (SDWRR) algorithm, with each interface’s queue having equal weight.

•

High-priority queue—A set of interfaces in the line card shares a single high-priority queue. Traffic on this queue is scheduled by strict-high priority. The switch always sends critical network control packets on the high-priority queue.

•

Line-rate priority queue—The packets entering line-rate ports are forwarded to this queue. Traffic on this queue is scheduled by strict priority and is always given higher priority than the traffic on the high-priority queue. This queue is used only in the following oversubscribed lines cards for an EX8200 switch: •

EX8200-2XS-40P

•

EX8200-2XS-40T


4449

®


For the purpose of port ingress queuing on oversubscribed ports, packets are classified only by behavior aggregate (BA) classification. To control the ingress queue (high priority or low priority) to which packets are sent, configure a BA classifier on the physical port and specify switch fabric priorities for the forwarding classes. On EX8200 switches, fabric priority determines the priority of packets ingressing the switch fabric. For the EX8200-40XS line card, fabric priority also determines the priority of packets ingressing the port group. By default, the fabric priority for all forwarding classes is low. To direct packets belonging to a forwarding class to the high-priority ingress queue, set the fabric priority to high for that class. Critical network-control packets and line-rate packets are handled differently from other packets. Instead of using the BA classifier to classify critical network-control packets, the switch always sends critical network packets to the high-priority queue. The line-rate packets are always sent to the line-rate priority queue. This difference in handling of network-control packets and line-rate packets ensures that these packets are not dropped because of congestion on the shared-bandwidth ports.

Full Classification of Packets and Fabric Ingress Queuing When packets (apart from line-rate and critical network-control packets) from an oversubscribed port reach the Packet Forwarding Engine, it performs full packet classification, along with other actions, such as multifield (MF) classification, traffic policing, and storm control. It then schedules and queues the packets for ingressing the fabric. The fabric priority associated with the forwarding class determines whether packets are sent to the low priority or high-priority ingress queues.

Egress Queues Each EX Series switch interface supports eight egress CoS queues. You can map up to 16 forwarding classes to these queues. In the EX8200-40XS line card, all interfaces in a port group share a single set of eight egress queues at the Packet Forwarding Engine. Egress traffic is fanned out from the Packet Forwarding Engine queues to the corresponding queues for the individual ports. For this reason, the interfaces in a port group must share the same scheduler map configuration. If you configure different scheduler map configurations for the different interfaces in a port group, an error is logged in the system log and the default scheduler map is used for all ports in the port group. Related Documentation

4450

•


•


•


•


•




Understanding Priority-Based Flow Control Priority-based flow control (PFC), IEEE standard 802.1Qbb, is a link-level flow control mechanism. The flow control mechanism is similar to that used by IEEE 802.3x Ethernet PAUSE, but it operates on individual priorities. Instead of pausing all traffic on a link, PFC allows you to selectively pause traffic according to its class. This topic describes: •

Reliability of Packet Delivery in Standard Ethernet Networks and in Layer 2 Networks on page 4451

•

Calculations for Buffer Requirements When Using PFC PAUSE on page 4451

•

How PFC and Congestion Notification Profiles Work With or Without DCBX on page 4452

Reliability of Packet Delivery in Standard Ethernet Networks and in Layer 2 Networks Standard Ethernet does not guarantee that a packet injected into the network will arrive at its intended destination. Reliability is provided by upper-layer protocols. Generally, a network path consists of multiple hops between the source and destination. A problem arises when transmitters send packets faster than receivers can accept them. When receivers run out of available buffer space to hold incoming flows, they silently drop additional incoming packets. This problem is generally resolved by upper-layer protocols that detect the drops and request retransmission. Applications that require reliability in Layer 2 must have flow control that includes feedback from a receiver to a sender regarding buffer availability. Using IEEE 802.3x Ethernet PAUSE control frames, a receiver can generate a MAC control frame and send a PAUSE request to a sender when a specified threshold of receiver buffer has been filled to prevent buffer overflow. Upon receiving a PAUSE request, the sender stops transmission of any new packets until the receiver notifies the sender that it has sufficient buffer space to accept them again. The disadvantage of using Ethernet PAUSE is that it operates on the entire link, which might be carrying multiple traffic flows. Some traffic flows do not need flow control in Layer 2, because they are carrying applications that rely on upper-layer protocols for reliability. PFC enables you to configure Layer 2 flow control selectively for the traffic that requires it, such as Fibre Channel over Ethernet (FCoE) traffic, without impacting other traffic on the link. You can also enable PFC for other traffic types, such as iSCSI.

Calculations for Buffer Requirements When Using PFC PAUSE The receive buffer must be large enough to accommodate all data that is received while the system is responding to a PFC PAUSE frame. When you calculate buffer requirements, consider the following factors:


4451

®


•

Processing and queuing delay of the PFC PAUSE—In general, the time to detect the lack of sufficient buffer space and to transmit the PFC PAUSE is negligible. However, delays can occur if the switch detects a reduction in buffer space just as the transmitter is beginning to transmit a maximum length frame.

•

Propagation delay across the media—The delay amount depends on the length and speed of the physical link.

•

Response time to the PFC PAUSE frame

•

Propagation delay across the media on the return path

NOTE: We recommend that you configure at least 20 percent of the buffer size for the queue that is using PFC and that you do not specify the exact option. Because it is mandatory to explicitly configure a certain percentage of buffer size for PFC, you must also explicity configure some buffer size for any other forwarding classes that you are planning to use (including the default forwarding classes and the user-defined forwarding classes). The percentage that you allocate depends on the usage of the respective classes.

How PFC and Congestion Notification Profiles Work With or Without DCBX PFC can be applied to an interface regardless of whether the Data Center Bridging Capability Exchange protocol (DCBX) is enabled (DCBX is enabled by default for 10-Gigabit Ethernet interfaces on EX4500 CEE-enabled switches). However, automatic control and advertisement of PFC requires DCBX: •

When DCBX is enabled—DCBX detects the data center bridging (DCB) neighbor’s PFC configuration, uses autonegotiation to advertise local and peer PFC configuration, and then enables or disables PFC depending on whether the configurations are compatible or not. When PFC is enabled, it uses the congestion notification profile, which you have configured and applied to the interface.

•

When DCBX is not enabled—Class of service (CoS) triggers PFC when the incoming frame has a User Priority (UP) field that matches the three-bit pattern specified for the congestion notification profile.

To manually control the use of PFC on the interface regardless of the configuration of the peer data center devices, you can explicitly change the configuration of DCBX on the interface to disable PFC autonegotiation. See “Disabling DCBX to Disable PFC Autonegotiation on EX Series Switches (CLI Procedure)” on page 4726. When PFC autonegotiation is disabled, PFC is triggered by the congestion notification profile for PFC regardless of the configuration of the DCB peer.

4452



NOTE: PFC functions effectively only when the peer devices connected to the local interface are also using PFC and are configured compatibly with the local interface. PFC must be symmetrical—if PFC is not configured to use the same traffic class (code point) on both the local and the peer interface, it does not have any impact on the traffic.

Table 497 on page 4453 shows the one-to-one mapping between the UP field of an IEEE 802.1Q tagged frame, the traffic class, and the egress queue. In addition to setting a PFC congestion notification profile on an ingress port, you must set a forwarding class to match the priority specified in the PFC congestion notification profile and to forward the frame to the appropriate queue. Juniper Networks EX Series Ethernet Switches support up to six traffic classes and allow you to associate those classes with six different congestion notification profiles. (The switches support up to 16 forwarding classes.)

Table 497: Input for PFC Congestion Notification Profile and Mapping to Traffic Class and Egress Queue UP Field of IEEE-802.1Q Tagged Frame

Traffic Class

Egress Queue

000

TC 0

queue 0

001

TC 1

queue 1

010

TC 2

queue 2

011

TC 3

queue 3

100

TC4

queue 4

101

TC 5

queue 5


•


•


•

Configuring Priority-Based Flow Control for an EX Series Switch (CLI Procedure) on page 4723

•

schedulers on page 4554

•

congestion-notification-profile on page 4743


4453

®


4454


CHAPTER 119

Examples: CoS Configuration •


•


Example: Configuring CoS on EX Series Switches Configure class of service (CoS) on your switch to manage traffic so that when the network experiences congestion and delay, critical applications are protected. Using CoS, you can divide traffic on your switch into classes and provide various levels of throughput and packet loss. This is especially important for traffic that is sensitive to jitter and delay, such as voice traffic. This example shows how to configure CoS on a single EX Series switch in the network. •


•


•


•




•

One Juniper Networks EX3200 switch

Overview and Topology This example uses the topology shown in Figure 131 on page 4456.


4455

®


Figure 131: Topology for Configuring CoS

The topology for this configuration example consists of one EX Series switch at the access layer. The EX Series access switch is configured to support VLAN membership. Switch ports ge-0/0/0and ge-0/0/1 are assigned to the voice-vlan for two VoIP phones. Switch port ge-0/0/2 is assigned to the camera-vlan for the surveillance camera. Switch ports ge-0/0/3, ge-0/0/4, ge-0/0/5, and ge-0/0/6 are assigned to the server-vlan for the servers hosting various applications such as those provided by Citrix, Microsoft, Oracle, and SAP. Table 498 on page 4457 shows the VLAN configuration components.

4456


Chapter 119: Examples: CoS Configuration

Table 498: Configuration Components: VLANs VLAN Name

VLAN ID

voice-vlan

10

VLAN Subnet and Available IP Addresses 192.168.1.0/32 192.168.1.1 through 192.168.1.11

VLAN Description Voice VLAN used for employee VoIP communication.

192.168.1.12 is the subnet’s

broadcast address. camera-vlan

20

192.168.1.13/32 192.168.1.14 through 192.168.1.20

VLAN for the surveillance cameras.


broadcast address. server-vlan

30

192.168.1.22/32 192.168.1.23 through 192.168.1.35

VLAN for the servers hosting enterprise applications.


broadcast address.

Ports on the EX Series switches support Power over Ethernet (PoE) to provide both network connectivity and power for VoIP telephones connecting to the ports. Table 499 on page 4457 shows the switch interfaces that are assigned to the VLANs and the IP addresses for devices connected to the switch ports:

Table 499: Configuration Components: Switch Ports on a 48-Port All-PoE Switch Interfaces

VLAN Membership

IP Addresses

Port Devices

ge-0/0/0, ge-0/0/1

voice-vlan

192.168.1.1 through 192.168.1.2

Two VoIP telephones.

ge-0/0/2

camera-vlan

192.168.1.14

Surveillance camera.

ge-0/0/3, ge-0/0/4, ge-0/0/5, ge-0/0/6

sevrer-vlan

192.168.1.23 through 192.168.1.26

Four servers hosting applications such as those provided by Citrix, Microsoft, Oracle, and SAP.


4457

®


NOTE: This example shows how to configure CoS on a single EX Series switch. This example does not consider across-the-network applications of CoS in which you might implement different configurations on ingress and egress switches to provide differentiated treatment to different classes across a set of nodes in a network.


To quickly configure CoS, copy the following commands and paste them into the switch terminal window: [edit] set class-of-service forwarding-classes class app queue-num 5 set class-of-service forwarding-classes class mail queue-num 1 set class-of-service forwarding-classes class db queue-num 2 set class-of-service forwarding-classes class erp queue-num 3 set class-of-service forwarding-classes class video queue-num 4 set class-of-service forwarding-classes class best-effort queue-num 0 set class-of-service forwarding-classes class voice queue-num 6 set class-of-service forwarding-classes class network-control queue-num 7 set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32 set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32 set firewall family ethernet-switching filter voip_class term voip from protocol udp set firewall family ethernet-switching filter voip_class term voip from source-port 2698 set firewall family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low set firewall family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control] set firewall family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low set firewall family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low set interfaces ge-0/0/0 description phone1–voip-ingress-port set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input voip_class set interfaces ge-0/0/1 description phone2–voip-ingress-port set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input voip_class set firewall family ethernet-switching filter video_class term video from source-address 192.168.1.14/32 set firewall family ethernet-switching filter video_class term video from protocol udp set firewall family ethernet-switching filter video_class term video from source-port 2979 set firewall family ethernet-switching filter video_class term video then forwarding-class video loss-priority low set firewall family ethernet-switching filter video_class term network_control from precedence [net-control internet-control] set firewall family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low set firewall family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low set interfaces ge-0/0/2 description video-ingress-port set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input video_class set firewall family ethernet-switching filter app_class term app from source-address 192.168.1.23/32 set firewall family ethernet-switching filter app_class term app from protocol tcp set firewall family ethernet-switching filter app_class term app from source-port [1494 2512 2513 2598 2897]

4458



set firewall family ethernet-switching filter app_class term app then forwarding-class app loss-priority low set firewall family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32 set firewall family ethernet-switching filter app_class term mail from protocol tcp set firewall family ethernet-switching filter app_class term mail from source-port [25 143 389 691 993 3268 3269] set firewall family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low set firewall family ethernet-switching filter app_class term db from source-address 192.168.1.25/32 set firewall family ethernet-switching filter app_class term db from protocol tcp set firewall family ethernet-switching filter app_class term db from source-port [1521 1525 1527 1571 1810 2481] set firewall family ethernet-switching filter app_class term db then forwarding-class db loss-priority low set firewall family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32 set firewall family ethernet-switching filter app_class term erp from protocol tcp set firewall family ethernet-switching filter app_class term erp from source-port [3200 3300 3301 3600] set firewall family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low set firewall family ethernet-switching filter app_class term network_control from precedence [net-control internet-control] set firewall family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low set firewall family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low set interfaces ge-0/0/3 unit 0 family ethernet-switching filter input app_class set interfaces ge-0/0/4 unit 0 family ethernet-switching filter input app_class set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input app_class set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input app_class set class-of-service schedulers voice-sched buffer-size percent 10 set class-of-service schedulers voice-sched priority strict-high set class-of-service schedulers voice-sched transmit-rate percent 10 set class-of-service schedulers video-sched buffer-size percent 15 set class-of-service schedulers video-sched priority low set class-of-service schedulers video-sched transmit-rate percent 15 set class-of-service schedulers app-sched buffer-size percent 10 set class-of-service schedulers app-sched priority low set class-of-service schedulers app-sched transmit-rate percent 10 set class-of-service schedulers mail-sched buffer-size percent 5 set class-of-service schedulers mail-sched priority low set class-of-service schedulers mail-sched transmit-rate percent 5 set class-of-service schedulers db-sched buffer-size percent 10 set class-of-service schedulers db-sched priority low set class-of-service schedulers db-sched transmit-rate percent 10 set class-of-service schedulers erp-sched buffer-size percent 10 set class-of-service schedulers erp-sched priority low set class-of-service schedulers erp-sched transmit-rate percent 10 set class-of-service schedulers nc-sched buffer-size percent 5 set class-of-service schedulers nc-sched priority strict-high set class-of-service schedulers nc-sched transmit-rate percent 5 set class-of-service schedulers be-sched buffer-size percent 35 set class-of-service schedulers be-sched priority low set class-of-service schedulers be-sched transmit-rate percent 35 set class-of-service scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched


4459

®


set class-of-service scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched set class-of-service interfaces ge-0/0/20 scheduler-map ethernet-cos-map


To configure and apply CoS: 1.

Configure one-to-one mapping between eight forwarding classes and eight queues: [edit class-of-service] user@switch# set forwarding-classes class app queue-num 5 user@switch# set forwarding-classes class mail queue-num 1 user@switch# set forwarding-classes class db queue-num 2 user@switch# set forwarding-classes class erp queue-num 3 user@switch# set forwarding-classes class video queue-num 4 user@switch# set forwarding-classes class best-effort queue-num 0 user@switch# set forwarding-classes class voice queue-num 6 user@switch# set forwarding-classes class network-control queue-num 7

2.

Define the firewall filter voip_class to classify the VoIP traffic: [edit firewall] user@switch# set family ethernet-switching filter (Firewall Filters) voip_class

3.

Define the term voip: [edit firewall] user@switch# set family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32 user@switch# set family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32 user@switch# set family ethernet-switching filter voip_class term voip protocol udp user@switch# set family ethernet-switching filter voip_class term voip source-port 2698 user@switch# set family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low

4.

Define the term network_control: [edit firewall] user@switch# set family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control] user@switch# set family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low

5.

Define the term best_effort_traffic with no match conditions: [edit firewall] user@switch# set family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low

6.

Apply the firewall filter voip_class as an input filter to the interfaces for the VoIP phones: [edit interfaces] user@switch# set ge-0/0/0 description phone1–voip-ingress-port user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input voip_class user@switch# set ge-0/0/1 description phone2–voip-ingress-port user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input voip_class

7.

Define the firewall filter video_class to classify the video traffic: [edit firewall] user@switch# set family ethernet-switching filter video_class

4460



8.

Define the term video: [edit firewall] user@switch# set family ethernet-switching filter video_class term video from source-address 192.168.1.14/32 user@switch# set family ethernet-switching filter video_class term video protocol udp user@switch# set family ethernet-switching filter video_class term video source-port 2979 user@switch# set family ethernet-switching filter video_class term video then forwarding-class video loss-priority low

9.

Define the term network_control (for the video_class filter): [edit firewall] user@switch# set family ethernet-switching filter video_class term network_control from precedence [net-control internet-control] user@switch# set family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low

10.

Define the term best_effort_traffic (for the video_class filter): [edit firewall] user@switch# set family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low

11.

Apply the firewall filter video_class as an input filter to the interface for the surveillance camera: [edit interfaces] user@switch# set ge-0/0/2 description video-ingress-port user@switch# set ge-0/0/2 unit 0 family ethernet-switching filter input video_class

12.

Define the firewall filter app_class to classify the application server traffic: [edit firewall] user@switch# set family ethernet-switching filter app_class

13.

Define the term app: [edit firewall] user@switch# set family ethernet-switching filter app_class term app from source-address 192.168.1.23/32 user@switch# set family ethernet-switching filter app_class term app protocol tcp user@switch# set family ethernet-switching filter app_class term app source-port [1494 2512 2513 2598 2897] user@switch# set family ethernet-switching filter app_class term app then forwarding-class app loss-priority low

14.

Define the term mail: [edit firewall] user@switch# set family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32 user@switch# set family ethernet-switching filter app_class term mail protocol tcp user@switch# set family ethernet-switching filter app_class term mail source-port [25 143 389 691 993 3268 3269] user@switch# set family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low

15.

Define the term db: [edit firewall] user@switch# set family ethernet-switching filter app_class term db from source-address 192.168.1.25/32 user@switch# set family ethernet-switching filter app_class term db protocol tcp user@switch# set family ethernet-switching filter app_class term db source-port [1521 1525 1527 1571 1810 2481] user@switch# set family ethernet-switching filter app_class term db then forwarding-class db loss-priority low


4461

®


16.

Define the term erp: [edit firewall] user@switch# set family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32 user@switch# set family ethernet-switching filter app_class term erp protocol tcp user@switch# set family ethernet-switching filter app_class term erp source-port [3200 3300 3301 3600] user@switch# set family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low

17.

Define the term network_control (for the app_class filter): [edit firewall] user@switch# set family ethernet-switching filter app_class term network_control from precedence [net-control internet-control] user@switch# set family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low

18.

Define the term best_effort_traffic (for the app_class filter): [edit firewall] user@switch# set family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low

19.

Apply the firewall filter app_class as an input filter to the interfaces for the servers hosting applications: [edit interfaces] user@switch# set ge-0/0/3 unit 0 family ethernet-switching filter input app_class user@switch# set ge-0/0/4 unit 0 family ethernet-switching filter input app_class user@switch# set ge-0/0/5 unit 0 family ethernet-switching filter input app_class user@switch# set ge-0/0/6 unit 0 family ethernet-switching filter input app_class

20.

Configure schedulers: [edit class-of-service] user@switch# set schedulers (CoS) voice-sched buffer-size percent 10 user@switch# set schedulers voice-sched priority strict-high user@switch# set schedulers voice-sched transmit-rate percent 10 user@switch# set schedulers video-sched buffer-size percent 15 user@switch# set schedulers video-sched priority low user@switch# set schedulers video-sched transmit-rate percent 15 user@switch# set schedulers app-sched buffer-size percent 10 user@switch# set schedulers app-sched priority low user@switch# set schedulers app-sched transmit-rate percent 10 user@switch# set schedulers mail-sched buffer-size percent 5 user@switch# set schedulers mail-sched priority low user@switch# set schedulers mail-sched transmit-rate percent 5 user@switch# set schedulers db-sched buffer-size percent 10 user@switch# set schedulers db-sched priority low user@switch# set schedulers db-sched transmit-rate percent 10 user@switch# set schedulers erp-sched buffer-size percent 10 user@switch# set schedulers erp-sched priority low user@switch# set schedulers erp-sched transmit-rate percent 10 user@switch# set schedulers nc-sched buffer-size percent 5 user@switch# set schedulers nc-sched priority strict-high user@switch# set schedulers nc-sched transmit-rate percent 5 user@switch# set schedulers be-sched buffer-size percent 35 user@switch# set schedulers be-sched priority low user@switch# set schedulers be-sched transmit-rate percent 35

21.

4462

Assign the forwarding classes to schedulers with the scheduler map ethernet-cos-map:



[edit class-of-service] user@switch# set scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched 22.

Associate the scheduler map with the outgoing interface: [edit class-of-service interfaces] user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map

Results

Display the results of the configuration: user@switch# show firewall firewall family ethernet-switching { filter voip_class { term voip { from { source-address { 192.168.1.1/32; 192.168.1.2/32; } protocol udp; source-port 2698; } then { forwarding-class voice; loss-priority low; } } term network control { from { precedence [net-control internet-control]; } then { forwarding-class network-control; loss-priority low; } } term best_effort_traffic { then { forwarding-class best-effort; loss-priority low; } } }


4463

®


filter video_class { term video { from { source-address { 192.168.1.14/32; } protocol udp; source-port 2979; } then { forwarding-class video; loss-priority low; } } term network control { from { precedence [net-control internet-control]; } then { forwarding-class network-control; loss-priority low; } } term best_effort_traffic { then { forwarding-class best-effort; loss-priority low; } } } filter app_class { term app { from { source-address { 192.168.1.23/32; } protocol tcp; source-port [1491 2512 2513 2598 2897]; } then { forwarding-class app; loss-priority low; } } term mail { from { source-address { 192.168.1.24/32; } protocol tcp; source-port [25 143 389 691 993 3268 3269]; } then { forwarding-class mail; loss-priority low; }

4464



} term db { from { source-address { 192.168.1.25/32; } protocol tcp; source-port [1521 1525 1527 1571 1810 2481]; } then { forwarding-class db; loss-priority low; } } term erp { from { source-address { 192.168.1.26/32; } protocol tcp; source-port [3200 3300 3301 3600]; } then { forwarding-class erp; loss-priority low; } } term network control { from { precedence [net-control internet-control]; } then { forwarding-class network-control; loss-priority low; } } term best_effort_traffic { then { forwarding-class best-effort; loss-priority low; } } } } user@switch# show class-of-service forwarding-classes { class app queue-num 5; class mail queue-num 1; class db queue-num 2; class erp queue-num 3; class video queue-num 4; class best-effort queue-num 0; class voice queue-num 6; class network-control queue-num 7; }


4465

®


schedulers { voice-sched { buffer-size percent 10; priority strict-high; transmit-rate percent 10; } video-sched { buffer-size percent 15; priority low; transmit-rate percent 15; } app-sched { buffer-size percent 10; priority low; transmit-rate percent 10; } mail-sched { buffer-size percent 5; priority low; transmit-rate percent 5; } db-sched { buffer-size percent 10; priority low; transmit-rate percent 10; } erp-sched { buffer-size percent 10; priority low; transmit-rate percent 10; } nc-sched { buffer-size percent 5; priority strict-high; transmit-rate percent 5; } be-sched { buffer-size percent 35; priority low; transmit-rate percent 35; } } scheduler-maps { ethernet-cos-map { forwarding-class voice scheduler voice-sched; forwarding-class video scheduler video-sched; forwarding-class app scheduler app-sched; forwarding-class mail scheduler mail-sched; forwarding-class db scheduler db-sched; forwarding-class erp scheduler erp-sched; forwarding-class network-control scheduler nc-sched; forwarding-class best-effort scheduler be-sched; } } user@switch# show interfaces

4466



ge-0/0/0 { unit 0 { family ethernet { filter { input voip_class; } } } } ge-0/0/1 { unit 0 { family ethernet { filter { input voip_class; } } } } ge-0/0/2 { unit 0 { family ethernet { filter { input video_class; } } } } ge-0/0/3 { unit 0 { family ethernet { filter { input app_class; } } } } ge-0/0/4 { unit 0 { family ethernet { filter { input app_class; } } } } ge-0/0/5 { unit 0 { family ethernet { filter { input app_class; } } } } ge-0/0/6 { unit 0 {


4467

®


family ethernet { filter { input app_class; } } } }


Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues on page 4468

•

Verifying That the Forwarding Classes Have Been Assigned to Schedulers on page 4468

•

Verifying That the Scheduler Map Has Been Applied to the Interface on page 4469

Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues Purpose

Action

Meaning

Verify that the following forwarding classes app, db, erp, mail, video, and voice have been defined and mapped to queues. user@switch> show class-of-service forwarding-class Forwarding class ID Queue app 0 5 db 1 2 erp 2 3 best-effort 3 0 mail 4 1 voice 5 6 video 6 4 network-control 7 7

This output shows that the forwarding classes have been defined and mapped to appropriate queues.

Verifying That the Forwarding Classes Have Been Assigned to Schedulers Purpose Action

Verify that the forwarding classes have been assigned to schedulers. user@switch> show class-of-service scheduler-map Scheduler map: ethernet-cos-map, Index: 2 Scheduler: voice-sched, Forwarding class: voice, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 15 percent, Priority: Strict-high Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: video-sched, Forwarding class: video, Index: 22 Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent, Priority: low Drop profiles: Loss priority Protocol Index Name

4468



High High

non-TCP TCP

1 1

Scheduler: app-sched, Forwarding class: app, Index: 22 Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: mail-sched, Forwarding class: mail, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: db-sched, Forwarding class: db, Index: 22 Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: erp-sched, Forwarding class: erp, Index: 22 Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: be-sched, Forwarding class: best-effort, Index: 20 Transmit rate: 35 percent, Rate Limit: none, Buffer size: 35 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: nc-sched, Forwarding class: network-control, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: Strict-high Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1

Meaning

This output shows that the forwarding classes have been assigned to schedulers.

Verifying That the Scheduler Map Has Been Applied to the Interface Purpose

Verify that the scheduler map has been applied to the interface.


4469

®


Action

Meaning


user@switch> show class-of-service interface ... Physical interface: ge-0/0/20, Index: 149 Queues supported: 8, Queues in use: 8 Scheduler map: ethernet-cos-map, Index: 43366 Input scheduler map: , Index: 3 ...

This output shows that the scheduler map (ethernet-cos-map) has been applied to the interface (ge-0/0/20).

•


•


•


•


•


•


•

Assigning CoS Components to Interfaces (CLI Procedure) on page 4503

•


Example: Combining CoS with MPLS on EX Series Switches You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. The CoS value is included within the MPLS label, which is passed through the network, enabling end-to-end CoS across the network. MPLS services are often used to ensure better performance for low-latency applications such as VoIP and other business-critical functions. These applications place specific demands on a network for successful transmission. CoS gives you the ability to control the mix of bandwidth, delay, jitter, and packet loss while taking advantage of the MPLS labeling mechanism. This example shows how to configure CoS on an MPLS network that is using a unidirectional circuit cross-connect (CCC) from the ingress provider edge (PE) switch to the egress PE switch. for the customer-edge interface of the ingress provider edge (PE) switch. It describes adding the configuration of CoS components to the ingress PE switch, the egress PE switch, and the core provider switches of the existing MPLS network. Because of the unidirectional configuration, the DSCP classifier needs to be configured only on the ingress PE switch.

4470

•


•


•

Configuring the Local PE Switch on page 4473

•

Configuring the Remote PE Switch on page 4475



•

Configuring the Provider Switch on page 4476

•




•


Before you configure CoS with MPLS, be sure you have: Configured an MPLS network with two PE switches and one provider switch. See “Example: Configuring MPLS on EX Series Switches” on page 4819. This example assumes that an MPLS network has been configured using a cross circuit-connect (CCC).

Overview and Topology This example describes adding custom classifiers and custom rewrite rules to switches in an MPLS network that is using MPLS over CCC. It is a unidirectional configuration. Therefore, you need to configure custom classifiers and custom rewrite rules as follows: •

On the ingress PE switch: custom DSCP classifier and custom EXP rewrite rule

•

On the egress PE switch: custom EXP classifier

•

On the provider switch: customer EXP classifier and custom EXP rewrite rule

NOTE: You can also configure schedulers and shapers as needed. If you are using assured-forwarding, expedited-forwarding, or other custom forwarding classes, we recommend that you configure a scheduler to support that forwarding class. See “Defining CoS Schedulers (CLI Procedure)” on page 4493.

The example creates a custom DSCP classifier (dscp1) on the ingress PE switch and binds this classifier to the CCC interface. It includes configuration of a policer on the ingress PE switch. The policer is applied as a filter on the label-switched path (LSP) lsp_to_pe2_ge1(created in “Example: Configuring MPLS on EX Series Switches” on page 4819) to ensure that the amount of traffic forwarded through the LSP never exceeds the requested bandwidth allocation. This example creates a custom EXP rewrite rule (exp1) on the ingress PE switch, specifying a loss-priority and code point to be used for the expedited-forwarding class as the packet travels through the LSP. The switch applies this custom rewrite rule on the core interfaces ge-0/0/5.0 and ge-0/0/6.0, which are the egress interfaces for this switch. Table 500 on page 4472 shows the CoS configuration components added to the ingress PE switch.


4471

®


Table 500: CoS Configuration Components on the Ingress PE Switch Property

Settings

Description

Local PE switch hardware

EX Series switch

PE-1

Policing filter configured and applied to the LSP.

policing filter mypolicer

Name of the rate-limiting policer.

filter myfilter

Name of the filter, which refers to the policer

Custom DSCP classifier

dscp1

Specifies the name of the custom DSCP classifier

Custom EXP rewrite rule

e1

Name of the custom EXP rewrite rule.

Customer-edge interface

ge-0/0/1.0

Interface that receives packets from devices outside the network. The custom DSCP classifier must be specified on this CCC interface.

Core interfaces

ge-0/0/5.0 and ge-0/0/6.0

Interfaces that transmit MPLS packets to other switches within the MPLS network. The EXP rewrite rule is applied implicitly to these interfaces.

Table 501 on page 4472 shows the CoS configuration components added to the egress PE switch in this example.

Table 501: CoS Configuration Components of the Egress PE Switch Property

Settings

Description

Remote provider edge switch hardware

EX Series switch

PE-2

Custom EXP classifier

exp1

Name of custom EXP classifier

Customer-edge interface

ge-0/0/1.0

Interface that transmits packets from this network to devices outside the network. No CoS classifier is specified for this interface. A scheduler can be specified.

Core interfaces

ge-0/0/7.0 and ge-0/0/8.0

Core interfaces on PE-2 that receive MPLS packets from the provider switch. The EXP classifier is enabled by default on the switch and applied implicitly to these interfaces.

Table 502 on page 4473 shows the MPLS configuration components used for the provider switch in this example.

4472



Table 502: CoS Configuration Components of the Provider Switch Property

Settings

Description

Provider switch hardware

EX Series switch

Transit switch within the MPLS network configuration.

Custom EXP classifier

exp1

Name of the custom EXP classifier.

Custom EXP rewrite rule

e1

Name of the custom EXP rewrite rule.

Core interfaces receiving packets from other MPLS switches.

ge-0/0/5.0 and ge-0/0/6.0

Interfaces that connect the provider switch to the ingress PE switch (PE-1). The EXP classifier is enabled by default on the switch and applied implicitly to these interfaces.

Core interfaces transmitting packets to other switches within the MPLS network.

ge-0/0/7.0 and ge-0/0/8.0

Interfaces that transmit packets to the egress PE (PE-2). The EXP rewrite rule is applied implicitly on these interfaces. Schedulers can also be specified and will be applied to these interfaces.

Configuring the Local PE Switch CLI Quick Configuration

To quickly configure a custom DSCP classifier, custom EXP rewrite rule, and a policer on the local PE switch, copy the following commands and paste them into the switch terminal window of PE-1: [edit] set class-of-service classifiers dscp dscp1 import default set class-of-service classifiers dscp dscp1 forwarding-class expedited-forwarding loss-priority low code-points 000111 set class-of-service rewrite-rules exp e1 forwarding-class expedited-forwarding loss-priority low code-point 111 set class-of-service interfaces ge-0/0/1 unit 0 classifier dscp1 set firewall policer mypolicer if-exceeding bandwidth-limit 500m set firewall policer mypolicer if-exceeding burst-size-limit 33553920 set firewall policer mypolicer then discard set firewall family any filter myfilter term t1 then policer mypolicer set protocols mpls label-switched-path lsp_to_pe2_ge1 to 127.1.1.3 policing filter myfilter


To configure a custom DSCP classifier, custom EXP rewrite rule, and a policer on the ingress PE switch: 1.

Import the default DSCP classifier classes to the custom DSCP classifier that you are creating: [edit class-of-service] user@switch# set classifiers dscp dscp1 import default

2.

Add the expedited-forwarding class to this custom DSCP classifier, specifying a loss priority and code point: [edit class-of-service] user@switch# set classifiers dscp dscp1 forwarding-class expedited-forwarding loss-priority low code-points 000111

3.

Specify the values for the custom EXP rewrite rule, e1:


4473

®


[edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class expedited-forwarding loss-priority low code-point 111 4.

Bind the DSCP classifier to the CCC interface: [edit ] user@switch# set class-of-service interfaces ge-0/0/1 unit 0 classifier dscp1

5.

Specify the number of bits per second permitted, on average, for the firewall policer, which will later be applied to the LSP: [edit firewall] set policer mypolicer if-exceeding bandwidth-limit 500m

6.

Specify the maximum size permitted for bursts of data that exceed the given bandwidth limit for this policer: [edit firewall policer] set mypolicer if-exceeding burst-size-limit 33553920

7.

Discard traffic that exceeds the rate limits for this policer: [edit firewall policer] set mypolicer then (Policer Action) discard

8.

To reference the policer, configure a filter term that includes the policer action: [edit firewall] user@switch# set family any filter (Firewall Filters) myfilter term t1 then policer mypolicer

9.

Apply the filter to the LSP: [edit protocols mpls] set label-switched-path lsp_to_pe2_ge1 policing filter myfilter

Results

Display the results of the configuration: [edit] user@switch# show class-of-service { classifiers { dscp dscp1 { import default; forwarding-class expedited-forwarding { loss-priority low code-points 000111; } } } interfaces { ge-0/0/1 { unit 0 { classifiers { dscp dscp1; } } } } rewrite-rules { exp e1 { forwarding-class expedited-forwarding { loss-priority low code-point 111; } } }

4474



} firewall { family any { filter myfilter { term t1 { then policer mypolicer; } } } policer mypolicer { if-exceeding { bandwidth-limit 500m; burst-size-limit 33553920; } then discard; } }

Configuring the Remote PE Switch CLI Quick Configuration

To quickly configure a custom EXP classifier on the remote PE switch, copy the following commands and paste them into the switch terminal window of PE-2: [edit] set class-of-service classifiers exp exp1 import default set class-of-service classifiers exp exp1 forwarding-class expedited-forwarding loss-priority low code-points 010


To configure a custom EXP classifier on the egress PE switch: 1.

Import the default EXP classifier classes to the custom EXP classifier that you are creating: [edit class-of-service] user@switch# set classifiers exp exp1 import default

2.

Add the expedited-forwarding class to this custom EXP classifier, specifying a loss priority and code point: [edit class-of-service] user@switch# set classifiers exp exp1 forwarding-class expedited-forwarding loss-priority low code-points 010

Results

Display the results of the configuration: [edit] user@switch# show class-of-service { classifiers { exp exp1 { import default; forwarding-class expedited-forwarding { loss-priority low code-points 010; } }


4475

®


Configuring the Provider Switch CLI Quick Configuration

To quickly configure a custom EXP classifier and a custom EXP rewrite rule on the provider switch, copy the following commands and paste them into the switch terminal window of the provider switch: [edit] set class-of-service classifiers exp exp1 import default set class-of-service classifiers exp exp1 forwarding-class expedited-forwarding loss-priority low code-points 010 set class-of-service rewrite-rules exp e1 forwarding-class expedited-forwarding loss-priority low code-point 111


To configure a custom EXP classifier and a custom EXP rewrite rule on the provider switch: 1.


2.

Add the expedited-forwarding class to this custom EXP classifier, specifying a loss priority and code point: [edit class-of-service] user@switch# set classifiers exp exp1 forwarding-class expedited-forwarding loss-priority low code-points 010

3.

Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class expedited-forwarding loss-priority low code-point 111

Results

Display the results of the configuration: [edit] user@switch# show class-of-service { classifiers { exp exp1 { import default; forwarding-class expedited-forwarding { loss-priority low code-points 010; } } } rewrite-rules { exp e1 { forwarding-class expedited-forwarding { loss-priority low code-point 111; } } } }

4476




Verifying That the Policer Firewall Filter Is Operational on page 4477

•

Verifying That the CoS Classifiers Are Going to the Right Queue on page 4477

•

Verifying the CoS Forwarding Table Mapping on page 4480

•

Verifying the Rewrite Rules on page 4480

Verifying That the Policer Firewall Filter Is Operational Purpose Action

Meaning

Verify the operational state of the policer that is configured on the ingress PE switch. user@switch> show firewall Filter: myfilter Policers: Name mypolicer-t1

Packets 0

This output shows that the firewall filter mypolicer has been created.

Verifying That the CoS Classifiers Are Going to the Right Queue Purpose Action

Verify that the CoS classifiers are going to the right queue. user@switch> show class-of-service forwarding-table classifier Classifier table index: 7, # entries: 64, Table type: DSCP Entry # Code point Forwarding-class # PLP 0 000000 0 0 1 000001 0 0 2 000010 0 0 3 000011 0 0 4 000100 0 0 5 000101 0 0 6 000110 0 0 7 000111 0 0 8 001000 0 0 9 001001 0 0 10 001010 0 0 11 001011 0 0 12 001100 0 0 13 001101 0 0 14 001110 0 0 15 001111 0 0 16 010000 0 0 17 010001 0 0 18 010010 0 0 19 010011 0 0 20 010100 0 0 21 010101 0 0 22 010110 0 0 23 010111 0 0 24 011000 0 0 25 011001 0 0


4477

®


26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

011010 011011 011100 011101 011110 011111 100000 100001 100010 100011 100100 100101 100110 100111 101000 101001 101010 101011 101100 101101 101110 101111 110000 110001 110010 110011 110100 110101 110110 110111 111000 111001 111010 111011 111100 111101 111110 111111

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Classifier table index: 11, # entries: 8, Table type: IEEE 802.1 Entry # Code point Forwarding-class # PLP 0 000 0 0 1 001 0 0 2 010 0 0 3 011 0 0 4 100 0 0 5 101 0 0 6 110 3 0 7 111 3 0 Classifier table index: 12, # entries: 8, Table type: IPv4 precedence Entry # Code point Forwarding-class # PLP 0 000 0 0 1 001 0 0 2 010 0 0 3 011 0 0 4 100 0 0 5 101 0 0 6 110 3 0 7 111 3 0

4478



Classifier table index: 16, # entries: 8, Table type: Untrust Entry # Code point Forwarding-class # PLP 0 000 0 0 1 001 0 0 2 010 0 0 3 011 0 0 4 100 0 0 5 101 0 0 6 110 0 0 7 111 0 0 Classifier table index: 9346, # entries: 64, Table type: DSCP Entry # Code point Forwarding-class # PLP 0 000000 0 0 1 000001 0 0 2 000010 0 0 3 000011 0 0 4 000100 0 0 5 000101 0 0 6 000110 0 0 7 000111 1 0 8 001000 0 0 9 001001 0 0 10 001010 0 0 11 001011 0 0 12 001100 0 0 13 001101 0 0 14 001110 0 0 15 001111 0 0 16 010000 0 0 17 010001 0 0 18 010010 0 0 19 010011 0 0 20 010100 0 0 21 010101 0 0 22 010110 0 0 23 010111 0 0 24 011000 0 0 25 011001 0 0 26 011010 0 0 27 011011 0 0 28 011100 0 0 29 011101 0 0 30 011110 0 0 31 011111 0 0 32 100000 0 0 33 100001 0 0 34 100010 0 0 35 100011 0 0 36 100100 0 0 37 100101 0 0 38 100110 0 0 39 100111 0 0 40 101000 0 0 41 101001 0 0 42 101010 0 0 43 101011 0 0 44 101100 0 0 45 101101 0 0 46 101110 0 0 47 101111 0 0


4479

®


48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

Meaning

110000 110001 110010 110011 110100 110101 110110 110111 111000 111001 111010 111011 111100 111101 111110 111111

3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

This output shows that a new DSCP classifier has been created, index 9346, on the ingress PE switch (PE-1).

Verifying the CoS Forwarding Table Mapping Purpose

Action

For each logical interface, display either the table index of the classifier for a given code point type or the queue number (if it is a fixed classification) in the forwarding table. user@switch>show class-of-service forwarding-table classifier mapping

Interface ge-0/0/1.0

Meaning

Index 92

Table Index/ Q num 9346

Table type DSCP

The results show that the new DSCP classifier, index number 9346, is bound to interface ge-0/0/1.0.

Verifying the Rewrite Rules Purpose

Action

Display mapping of the queue number and loss priority to code point value for each rewrite rule as it exists in the forwarding table. user@switch>show class-of-service forwarding-table rewrite-rule Rewrite FC# 0 1 2 3

table index: 31, # entries: 4, Table type: DSCP Low bits State High bits State 000000 Enabled 000000 Enabled 101110 Enabled 101110 Enabled 001010 Enabled 001100 Enabled 110000 Enabled 111000 Enabled

Rewrite table index: 34, # entries: 4, Table type: IEEE 802.1 FC# Low bits State High bits State 0 000 Enabled 001 Enabled 1 010 Enabled 011 Enabled 2 100 Enabled 101 Enabled 3 110 Enabled 111 Enabled

4480



Rewrite table index: 35, # entries: 4, Table type: IPv4 precedence FC# Low bits State High bits State 0 000 Enabled 000 Enabled 1 101 Enabled 101 Enabled 2 001 Enabled 001 Enabled 3 110 Enabled 111 Enabled Rewrite table index: 9281, # entries: 1, Table type: EXP FC# Low bits State High bits State 1 111 Enabled 000 Disabled

Meaning


This output shows that a new EXP classifier with the index number 9281 has been created.

•


•


•


•

Monitoring CoS Forwarding Classes on page 4514


4481

®


4482


CHAPTER 120

Configuring CoS •

Configuring CoS (J-Web Procedure) on page 4483

•


•


•


•


•


•


•


•


•

Defining CoS Scheduler Maps (J-Web Procedure) on page 4496

•

Defining CoS Drop Profiles (J-Web Procedure) on page 4497

•


•


•


•


•

Assigning CoS Components to Interfaces (J-Web Procedure) on page 4503

•

Configuring Junos OS EZQoS for CoS (CLI Procedure) on page 4505

•


•


•


•

Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) on page 4511

Configuring CoS (J-Web Procedure) The Class of Service Configuration pages allow you to configure the Junos CoS components. You can configure forwarding classes for transmitting packets, define which packets are placed into each output queue, and schedule the transmission service level


4483

®


for each queue. After defining the CoS components you must assign classifiers to the required physical and logical interfaces. Using the Class of Service Configuration pages, you can configure various CoS components individually or in combination to define particular CoS services. To configure CoS components : 1.

In the J-Web interface, select Configure>Class of Service.

2. On the Class of Service Configuration page, select one of the following options

depending on the CoS component that you want to define. Enter information into the pages as described in the respective table: •

To define or edit CoS value aliases, select CoS Value Aliases .

•

To define or edit forwarding classes and assign queues, select Forwarding Classes.

•

To define or edit classifiers, select Classifiers .

•

To define or edit rewrite rules, select Rewrite Rules.

•

To define or edit schedulers, select Schedulers.

•

To define or edit virtual channel groups, select Interface Associations.

3. Click Apply after completing configuration on any Configuration page.


•


•


•


•


•


•


Defining CoS Code-Point Aliases (J-Web Procedure) You can use the J-Web interface to define CoS code-point aliases on an EX Series switch. By defining aliases you can assign meaningful names to a particular set of bit values and refer to them when configuring CoS components. To define CoS code-point aliases: 1.

4484

Select Configure > Class of Service > CoS Value Aliases.


Chapter 120: Configuring CoS


2. Click one: •

Add—Adds a code-point alias. Enter information into the code point alias page as described in Table 503 on page 4485.

•

Edit—Modifies an existing code-point alias. Enter information into the code point alias page as described in Table 503 on page 4485.

•

Delete—Deletes an existing code-point alias.

Table 503 on page 4485 describes the related fields.

Table 503: CoS Value Aliases Configuration Fields Field

Function

Your Action

Code point name

Specifies the name for a code-point—for example, af11 or be.

Enter a name.

Code point type

Specifies a code-point type. The code-point type can be DSCP or IP precedence.

Select a value.

Code point value bits

Specifies the CoS value for which an alias is defined.

To specify a CoS value, type it in the appropriate format:

Changing this value alters the behavior of all classifiers that refer to this alias.

•

For DSCP CoS values, use the format xxxxxx, where x is 1 or 0—for example, 101110.

•

For IP precedence CoS values, use the format xxx, where x is 1 or 0—for example, 111.


•


•

Monitoring CoS Value Aliases on page 4519

•



4485

®


Defining CoS Code-Point Aliases (CLI Procedure) You can use code-point aliases to streamline the process of configuring CoS features on your EX Series switch. A code-point alias assigns a name to a pattern of code-point bits. You can use this name instead of the bit pattern when you configure other CoS components such as classifiers, drop-profile maps, and rewrite rules. You can configure code-point aliases for the following CoS marker types: •

dscp and dscp-ipv6—Handles incoming IPv4 and IPv6 packets, respectively.

•

ieee-802.1—Handles Layer 2 CoS.

•

inet-precedence—Handles incoming IPv4 packets. IP precedence mapping requires

only the higher order three bits of the DSCP field. To configure a code-point alias for a specified CoS marker type (dscp), assign an alias (my1) to the code-point (110001): [edit class-of-service code-point-aliases] user@switch# set dscp my1 110001

The my1 alias will be applicable for incoming IPv4 packets. Related Documentation

4486

•


•


•


•




Defining CoS Classifiers (CLI Procedure) Packet classification associates incoming packets with a particular CoS servicing level. Classifiers associate packets with a forwarding class and loss priority and assign packets to output queues based on the associated forwarding class. Junos OS supports two general types of classifiers: •

Behavior aggregate (BA) classifier—Examine the CoS value in the packet header. The value in this single field determines the CoS settings applied to the packet. BA classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services code point (DSCP) value, IP precedence value, or IEEE 802.1p value. You can configure BA classifiers for the following CoS marker types: •


•


•


only the higher order three bits of the DSCP field. •

Multifield (MF) classifier—Examine multiple fields in the packet such as source and destination addresses and source and destination port numbers of the packet. With MF classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.

NOTE: Juniper Networks EX8200 Ethernet Switches implement the on-demand ternary content addressable memory (TCAM) allocation of memory so that when additional TCAM space is required for CoS, the space is allocated from the free TCAM space or from the unused TCAM space. An error log message is generated when you configure CoS classifiers beyond the available TCAM space that includes both the free and unused space.

The following example describes how to configure a BA classifier (ba-classifier) as the default DSCP map for handling IPv4 traffic and to apply the BA classifier to either a specific Gigabit Ethernet interface or to all the Gigabit Ethernet interfaces on the switch. The BA classifier assigns loss priorities, as shown in Table 504 on page 4487, to incoming packets in the four forwarding classes. You can use the same procedure to set MF classifiers (except that you would use firewall filter rules).

Table 504: BA-classifier Loss Priority Assignments Forwarding Class

For CoS Traffic Type

ba-classifier Assignment

be

Best-effort traffic

High-priority code point: 000001

ef

Expedited-forwarding traffic



4487

®


Table 504: BA-classifier Loss Priority Assignments (continued) af

Assured-forwarding traffic


nc

Network-control traffic


To configure a DSCP BA classifier named ba-classifier as the default DSCP map: •

Associate code point 000001 with forwarding class be and loss priority high: [edit class-of-service classifiers] user@switch# set dscp ba-classifier import default forwarding-class be loss-priority high code-points 000001

•

Associate code point 101110 with forwarding class ef and loss priority high: [edit class-of-service classifiers] user@switch# set dscp ba-classifier forwarding-class ef loss-priority high code-points 101110

•

Associate code point 001100 with forwarding class af and loss priority high: [edit class-of-service classifiers] user@switch# set dscp ba-classifier forwarding-class af loss-priority high code-points 001100

•

Associate code point 110001 with forwarding class nc and loss priority high: [edit class-of-service classifiers] user@switch# set dscp ba-classifier forwarding-class nc loss-priority high code-points 110001

•

Apply the classifier to a specific interface or to all Gigabit Ethernet interfaces on the switch. •

To apply the classifier to a specific interface: [edit class-of-service interfaces] user@switch# set ge-0/0/0 unit 0 classifiers dscp ba-classifier

•

To apply the classifier to all Gigabit Ethernet interfaces on the switch, use wildcards for the interface name and the logical-interface (unit) number: [edit class-of-service interfaces] user@switch# set ge-* unit * classifiers dscp ba-classifier

NOTE: On EX8200 switches, it can take a long time to install code-point classifiers on multiple interfaces (for example, approximately 25 minutes to install 64 code-point classifiers on multiple interfaces in the order of 280 or more).


4488

•


•


•


•

Monitoring CoS Classifiers on page 4513

•


•

Troubleshooting a CoS Classifier Configuration for a TCAM Space Error on page 4522



Defining CoS Classifiers (J-Web Procedure) You can use the J-Web interface to define CoS classifiers on an EX Series switch. Classifiers examine the CoS value or alias of an incoming packet and assign the packet a level of service by setting its forwarding class and loss priority. To define CoS classifiers: 1.

Select Configure > Class of Service > Classifiers.


2. Click one: •

Add—Adds a classifier. Enter information into the classifier page as described in Table 505 on page 4489.

•

Edit—Modifies an existing classifier. Enter information into the classifier page as described in Table 505 on page 4489.

•

Delete—Deletes an existing classifier.

Table 505: Classifiers Configuration Fields Field

Function

Your Action

Classifier Name

Specifies the name for a classifier.

To name a classifier, type the name—for example, ba-classifier.

Classifier Type

Specifies the type of classifier: dscp, ieee-802.1, or inet-precedence.



4489

®


Table 505: Classifiers Configuration Fields (continued) Field

Function

Your Action

Code Point Mapping

Sets the forwarding classes and the packet loss priorities (PLPs) for specific CoS values and aliases.

To add a code point mapping: 1.

Click Add.

2. Select the code point. 3. Select a forwarding class from the following list: •

expedited-forwarding—Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service. Packets can be forwarded out of sequence or dropped.

•

best-effort—Provides no special CoS handling of packets. Typically, RED drop profile is aggressive and no loss priority is defined.

•

assured-forwarding—Provides high assurance for packets within the specified service profile. Excess packets are dropped.

•

network-control—Packets can be delayed but not dropped.

4. Select the loss priority. To assign a loss priority, select one:


4490

•

high—Packet has a high loss priority.

•

low—Packet has a low loss priority.

•


•


•


•




Defining CoS Forwarding Classes (CLI Procedure) Forwarding classes allow you to group packets for transmission. Based on forwarding classes, you assign packets to output queues. By default, four categories of forwarding classes are defined: best effort, assured forwarding, expedited forwarding, and network control. EX Series switches support up to 16 forwarding classes. You can configure forwarding classes in one of the following ways: •

Using class statement—You can configure up to 16 forwarding classes and you can map multiple forwarding classes to single queue.

•

Using queue statement—You can configure up to 8 forwarding classes and you can map one forwarding class to one queue. This example uses the class statement to configure forwarding classes.

To configure CoS forwarding classes, map the forwarding classes to queues: [edit class-of-service forwarding-classes] user@switch# set class be queue—num 0 user@switch# set class ef queue—num 1 user@switch# set class af queue—num 2 user@switch# set class nc queue—num 3 user@switch# set class ef1 queue—num 4 user@switch# set class ef2 queue—num 5 user@switch# set class af1 queue—num 6 user@switch# set class nc1 queue—num 7


•


•


•


•


•


•


Defining CoS Forwarding Classes (J-Web Procedure) You can define CoS forwarding classes on an EX Series switch using the J-Web interface. Assigning a forwarding class to a queue number affects the scheduling and marking of a packet as it transits a switch. To define forwarding classes: 1.

Select Configure > Class of Service > Forwarding Classes.


4491

®



2. Click one: •

Add—Adds a forwarding class. Enter information into the forwarding class page as described in Table 506 on page 4492.

•

Edit—Modifies an existing forwarding class. Enter information into the forwarding class page as described in Table 506 on page 4492.

•

Delete—Deletes an existing forwarding class.

Table 506: Forwarding Classes Configuration Fields Field

Function

Your Action

Forwarding Class Summary Queue #

Specifies the internal queue numbers to which forwarding classes are assigned.

To specify an internal queue number, select an integer from 0 through 7, appropriate for your platform.

By default, if a packet is not classified, it is assigned to the class associated with queue 0. You can have more than one forwarding class to a queue number. Forwarding Class Name

Specifies the forwarding class names assigned to specific internal queue numbers.

Type the name—for example, be-class.

By default, four forwarding classes are assigned to queue numbers 0 (best-effort), 1 (assured-forwarding), 5 (expedited-forwarding), and 7 (network-connect).


4492

•


•


•


•


•


•




Defining CoS Schedulers (CLI Procedure) You use schedulers to define the class-of-service (CoS) properties of output queues. These properties include the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the tail drop profiles associated with the queue. You associate the schedulers with forwarding classes by means of scheduler maps. You can then associate each scheduler map with an interface, thereby configuring the queues and packet schedulers that operate according to this mapping.


You can associate up to four user-defined scheduler maps with the interfaces. This topic describes: •

Configuring CoS Schedulers on page 4493

•

Assigning Scheduler Maps to Interfaces on a 40-port SFP+ Line Card on page 4494

Configuring CoS Schedulers To configure CoS schedulers: 1.

Create a scheduler (be-sched) and assign it a priority: [edit class-of-service schedulers] user@switch# set be-sched priority (Schedulers) low

2. Configure a scheduler map (be-map) that associates the scheduler (be-sched) with

the forwarding class (best-effort): [edit class-of-service scheduler-maps] user@switch# set be-map forwarding-class best-effort scheduler be-sched 3. Assign the scheduler map (be-map) to one or more Ethernet interfaces: •

To assign the scheduler map to one interface (ge-0/0/1): [edit class-of-service interfaces] user@switch# set ge-0/0/1 scheduler-map be-map

•

To assign the scheduler map to more than one interface by using a wildcard (all Gigabit Ethernet interfaces): [edit class-of-service interfaces] user@switch# set ge-* scheduler-map be-map


4493

®


Assigning Scheduler Maps to Interfaces on a 40-port SFP+ Line Card For interfaces on a 40-port SFP+ line card, you use the same procedure to configure CoS schedulers as you do for other interfaces. However, you must assign the same scheduler map to all the interfaces in a port group. When you assign a scheduler map to one interface in a port group, you do not need to assign the scheduler map to the remaining interfaces. The switch automatically uses that scheduler map for the interfaces in the port group when you bring the interfaces up. If you assign different scheduler maps to different interfaces in a port group, you do not receive an error when you commit the configuration. Instead, an error is logged to the system log. When you bring an interface in the port group up, the default scheduler map is used. If you assign a scheduler map to an interface that is down that is different from the scheduler map being used by the currently operating interfaces in a port group, the default scheduler map is used by all interfaces in a port group, even the currently operating ones, when you bring the interface up. To change the scheduler map assigned to a port group: 1.

Delete the current scheduler map from the interfaces (xe-0/0/1 and xe-0/0/2) it is currently assigned to: [edit class-of-service interfaces] user@switch# delete xe-0/0/1 scheduler-map [edit class-of-service interfaces] user@switch# delete xe-0/0/2 scheduler-map

2. Assign the new scheduler map (ef-map) to at least one interface in the port group: [edit class-of-service interfaces] user@switch# set xe-0/0/1 scheduler-map ef-map


•


•


•


•

Monitoring CoS Scheduler Maps on page 4517

•


Defining CoS Schedulers (J-Web Procedure) You can use the J-Web interface to define CoS schedulers on an EX Series switch. Using schedulers, you can assign attributes to queues and thereby provide congestion control for a particular class of traffic. These attributes include the amount of interface bandwidth, memory buffer size, transmit rate, and schedule priority. To configure schedulers: 1.

4494

Select Configure > Class of Service > Schedulers.




2. Click one: •

Add—Adds a scheduler. Enter information into the schedulers page as described in

Table 507 on page 4495. •

Edit—Modifies an existing scheduler. Enter information into the schedulers page as

described in Table 507 on page 4495. •

Delete—Deletes an existing scheduler.

Table 507: Schedulers Configuration Page Field

Function

Your Action

Scheduler Name

Specifies the name for a scheduler.

To name a scheduler, type the name—for example, be-scheduler.

Scheduling Priority

Sets the transmission priority of the scheduler, which determines the order in which an output interface transmits traffic from the queues.

To set a priority, select one: •

low—Packets in this queue are transmitted last.

You can set scheduling priority at different levels in the order of increasing priority from low to high.

•

strict-high—Packets in this queue are transmitted first.

•

To specify no scheduling priority, select the blank.

A high-priority queue with a high transmission rate might lock out lower-priority traffic. Buffer Size

Defines the size of the delay buffer. By default, queues 0 through 7 are allotted the following percentage of the total available buffer space: •

Queue 0—95 percent

•

Queue 1—0 percent

•

Queue 2—0 percent

•

Queue 3—0 percent

•

Queue 4—0 percent

•

Queue 5—0 percent

•

Queue 6—0 percent

•

Queue 7—5 percent

To define a delay buffer size for a scheduler, select the appropriate option: •

To specify no buffer size, select the blank.

•

To specify buffer size as a percentage of the total buffer, select Percent and type an integer from 1 through 100.

•

To specify buffer size as the remaining available buffer, select Remainder.

NOTE: On EX8200 switches, you can specify the buffer size as a temporal value. The queuing algorithm will then drop packets once it has queued a computed number of bytes. This number is the product of the logical interface speed and the configured temporal value.

NOTE: A large buffer size value correlates with a greater possibility of packet delays. Such a value might not be practical for sensitive traffic such as voice or video.


4495

®


Table 507: Schedulers Configuration Page (continued) Field

Function

Your Action

Shaping Rate

Specifies the rate at which queues transmit packets.

•

To specify shaping rate as a percentage, select Percent and type an integer from 1 through 100.

•

To specify shaping rate as a number, select Rate and enter a value.

•

To specify no shaping rate, select the blank.

Transmit Rate

Defines the transmission rate of a scheduler. The transmit rate determines the traffic bandwidth from each forwarding class you configure. By default, queues 0 through 7 are allotted the following percentage of the transmission capacity:


•

Queue 0—95 percent

•

Queue 1—0 percent

•

Queue 2—0 percent

•

Queue 3—5 percent

•

Queue 4—0 percent

•

Queue 6—0 percent

•

Queue 7—5 percent

To define a transmit rate, select the appropriate option: •

To enforce the exact transmission rate, select Rate and enter a value.

•

To specify the remaining transmission capacity, select Remainder Available.

•

To specify a percentage of transmission capacity, select Percent and type an integer from 1 through 100.

•

To specify no transmit rate, select the blank.

•


•


•


Defining CoS Scheduler Maps (J-Web Procedure) You can use the J-Web interface to configure CoS scheduler maps on an EX Series switch.


To configure scheduler maps: 1.

4496

Select Configure > Class of Service > Scheduler Maps.




2. Click one: •

Add—Adds a scheduler map. Enter information into the scheduler map page as described in Table 508 on page 4497.

•

Edit—Modifies an existing scheduler map. Enter information into the scheduler map page as described in Table 508 on page 4497.

•

Delete—Deletes an existing scheduler map.

Table 508: Scheduler Maps Configuration Fields Field

Function

Your Action

Scheduler Map Name

Specifies the name for a scheduler map.

To name a map, type the name—for example, be-scheduler-map.

Scheduler Mapping

Allows you to associate a preconfigured scheduler with a forwarding class.

To associate a scheduler with a forwarding class, locate the forwarding class and select the scheduler in the box next to it.

After scheduler maps have been applied to an interface, they affect the hardware queues and packet schedulers.


For example, for the best-effort forwarding class, select the configured scheduler from the list.

•


•


•


•


Defining CoS Drop Profiles (J-Web Procedure) You can use the J-Web interface to define CoS drop profiles on EX4500 and EX8200 switches. To configure CoS drop profiles: 1.

Select Configure > Class of Service > Drop Profile.


4497

®



2. Click one: •

Add—Adds a drop profile. Enter information into the drop profiles page as described in Table 509 on page 4498.

•

Edit—Modifies an existing drop file. Enter information into the drop profiles page as described in Table 509 on page 4498.

•

Delete—Deletes an existing drop profile.

Table 509: Drop Profiles Configuration parameters Field

Function

Your Action

Drop Profile Name

Specifies the name for a drop profile.

Type the name.

Drop profile graph

Specifies the drop profile graph type

Select one: Segmented or Interpolated.

Drop profile values

Specifies values for the following two parameters of the drop profile: the queue fill level and the drop probability.

To add new values:

The queue fill level represents a percentage of the memory used to store packets in relation to the total amount that has been allocated for that specific queue. The drop probability is a percentage value that correlates to the likelihood that an individual packet is dropped from the network.

1.

Click Add.

2. Enter the fill level. 3. Enter the drop probability. 4. Click OK. To edit an existing value, click Edit and modify the fill level and drop probability. To delete a value, select it and click Delete.


4498

•

Monitoring CoS Drop Profiles on page 4519

•




Configuring CoS Tail Drop Profiles (CLI Procedure) Tail drop is a simple and effective traffic congestion avoidance mechanism. When you apply this mechanism to manage congestion, packets are dropped when the output queue is full. To configure CoS tail-drop profiles, create a drop profile name (be-dp) and assign a fill level (25): [edit class-of-service drop-profiles] user@switch# set be-dp fill-level 25


•


•



4499

®


Defining CoS Rewrite Rules (CLI Procedure) You configure rewrite rules to alter CoS values in outgoing packets on the outbound interfaces of an EX Series switch to match the policies of a targeted peer. Policy matching allows the downstream routing platform or switch in a neighboring network to classify each packet into the appropriate service group. To configure a CoS rewrite rule, create the rule by giving it a name and associating it with a forwarding class, loss priority, and a code point, thus creating a rewrite table. After the rewrite rule is created, enable it on an interface. You can also apply an existing rewrite rule on an interface. You can configure CoS rewrite rules for DSCP, IP precedence and IEEE 802.1p. You can configure rewrite rules for the following CoS marker types: •


•


•


only the higher order three bits of the DSCP field.

NOTE: To replace an existing rewrite rule on the interface with a new rewrite rule of the same type, first explicitly remove the rewrite rule and then apply the new rule.

NOTE: Custom rewrite-rule bindings are implemented through filters. And custom rewrite rules cannot be bound to routed VLAN interfaces (RVIs).

To create IEEE 802.1p rewrite rules and enable them on Layer 2 interfaces: •

To create an IEEE 802.1p rewrite rule named customup-rw in the rewrite table for all Layer 2 interfaces: [edit class-of-service rewrite-rules] user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority low code-point 000 user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority high code-point 001 user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority low code-point 010 user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority high code-point 011 user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority low code-point 100 user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority high code-point 101 user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority low code-point 110

4500



user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority high code-point 111 •

To enable an IEEE 802.1p rewrite rule named customup-rw on a Layer 2 interface: [edit] user@switch# set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules ieee-802.1 customup-rw

•

To enable an IEEE 802.1p rewrite rule named customup-rw on all Gigabit Ethernet interfaces on the switch, use wildcards for the interface name and logical-interface (unit) number: [edit] user@switch# set class-of-service interfaces ge-* unit * rewrite-rules customup-rw


•


•


•

Monitoring CoS Rewrite Rules on page 4516

•


Defining CoS Rewrite Rules (J-Web Procedure) You can use the J-Web interface to define CoS rewrite rules. Use the rewrite rules to alter the CoS values in outgoing packets to meet the requirements of the targeted peer. A rewrite rule examines the forwarding class and loss priority of a packet and sets its bits to a corresponding value specified in the rule. To define rewrite rules: 1.

Select Configure > Class of Service > Rewrite Rules.


2. Click one: •

Add—Adds a rewrite rule. Enter information into the rewrite rule page as described in Table 510 on page 4502.

•

Edit—Modifies an existing rewrite rule. Enter information into the rewrite rule page as described in Table 510 on page 4502.

•

Delete—Deletes an existing rewrite rule.


4501

®


Table 510: Rewrite Rules Configuration Page Summary Field

Function

Your Action

Rewrite Rule Name

Specifies the name for the rewrite rule.

To name a rule, type the name—for example, rewrite-dscps.

Rewrite rule type

Specifies the type of rewrite rule: dscp, ieee-802.1, or inet-precedence.


Code Point Mapping

Rewrites outgoing CoS values of a packet based on the forwarding class and loss priority.

To configure a CoS value assignment, follow these steps:

Allows you to remove a code point mapping entry.

To add a code point mapping: 1.

Click Add.

2. Select the code point. 3. Select a forwarding class from the following list: •

expedited-forwarding—Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service. Packets can be forwarded out of sequence or dropped.

•

best-effort—Provides no special CoS handling of packets. Typically, RED drop profile is aggressive and no loss priority is defined.

•

assured-forwarding—Provides high assurance for packets within the specified service profile. Excess packets are dropped.

•


4. Select the loss priority. To assign a loss priority, select one: •

high—Packet has a high loss priority.

•

low—Packet has a low loss priority.

To edit an existing code point mapping, select it and click Edit. To remove a code point mapping entry, select it and click Remove.


4502

•


•


•


•




Assigning CoS Components to Interfaces (CLI Procedure) After you have defined the following CoS components, you must assign them to logical or physical interfaces. •

Forwarding classes—Assign only to logical interfaces.

•

Classifiers—Assign only to logical interfaces.

•

Scheduler maps—Assign to either physical or logical interfaces.

•

Rewrite rules—Assign to either physical or logical interfaces.

You can assign a CoS component to a single interface or to multiple interfaces using wild cards. To assign CoS components to interfaces: •

To assign CoS components to a single interface, associate a CoS component (for example a scheduler map named ethernet-cos-map) with an interface: [edit class-of-service interfaces] user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map

•

To assign a CoS component to multiple interfaces, associate a CoS component (for example, a rewrite rule named customup-rw) to all Gigabit Ethernet interfaces on the switch, use wild characters for the interface name and logical-interface (unit) number: [edit class-of-service interfaces] user@switch# set ge-* unit * rewrite-rules ieee-802.1 customup-rw


•


•


•


•


Assigning CoS Components to Interfaces (J-Web Procedure) After you have defined CoS components on an EX Series switch, you must assign them to logical or physical interfaces. You can use the J-Web interface to assign scheduler maps to physical or logical interfaces and to assign forwarding classes or classifiers to logical interfaces. To assign CoS components to interfaces:


4503

®


1.

Select Configure > Class of Service > Assign to Interface.


2. To configure interface association, select an interface from the list and click Edit. 3. Select one: •

Associate system default scheduler map—Associates the interface with the default scheduler map.

•

Select the scheduler map—Associates the interface with a configured scheduler map. Select the scheduler map from the list.

NOTE: On the 40-port SFP+ line card for EX8200 switches, the J-Web interface does not allow you to commit your changes unless you assign the same scheduler map or the default scheduler map to all interfaces in a port group.

4. Click OK. 5. To manage a CoS service assignment on a logical interface, click one: •

Add—Adds a CoS service to a logical interface on a specified physical interface. Enter information as described in Table 511 on page 4504.

•

Edit—Modifies a CoS service assignment to a logical interface. Enter information as described in Table 511 on page 4504.

•

Delete—Deletes the CoS service assignment to a logical interface.

Table 511: Assigning CoS Components to Logical Interfaces Field

Function

Your Action

Unit

Specifies the name of a logical interface. Allows you to assign CoS components while configuring a logical interface on a physical interface at the same time.

Type the interface name.

Forwarding Class

Assigns a predefined forwarding class to incoming packets on a logical interface.

To assign a forwarding class to an interface, select the forwarding class.

Classifiers

Allows you to apply classification maps to a logical interface. Classifiers assign a forwarding class and loss priority to an incoming packet based on its CoS value.

To assign a classification map to an interface, select an appropriate classifier for each CoS value type used on the interface.

4504

To assign CoS services to all logical interfaces configured on this physical interface, type the wildcard character (*).



Table 511: Assigning CoS Components to Logical Interfaces (continued) Field

Function

Your Action

Rewrite Rules

Allows you to alter the CoS values in outgoing packets to meet the requirements of the targeted peer. A rewrite rule examines the forwarding class and loss priority of a packet and sets its bits to a corresponding value specified in the rule.

To assign rewrite rules to the interface, select the appropriate rewrite rule for each CoS value type used on the interface.


•


•


•


Configuring Junos OS EZQoS for CoS (CLI Procedure) You use Junos OS EZQoS on EX Series switches to eliminate the complexities involved in configuring class of service (CoS) across the network. EZQoS offers templates for key traffic classes. When you configure EZQoS on EX Series switches, preconfigured values are assigned to all CoS parameters based on the typical application requirements. These preconfigured values are stored in a template with a unique name.

NOTE: Currently, we provide an EZQoS template for configuring CoS for VoIP applications. The EZQoS VoIP template is stored in /etc/config/ezqos-voip.conf.

To configure EZQoS using the CLI: 1.

Load the EZQoS configuration file (/etc/config/ezqos-voip.conf): [edit] user@switch# load merge /etc/config/ezqos-voip.conf

2. Apply the EZQoS group (ezqos-voip): [edit] user@switch# set apply-groups ezqos-voip 3. Apply the DSCP classifier (ezqos-dscp-classifier) to a Gigabit Ethernet interface

(ge-0/0/0): [edit class-of-service interfaces] user@switch# set ge-0/0/0 unit 0 classifiers dscp ezqos-dscp-classifier 4. Apply the scheduler map (ezqos-voip-sched-maps) to a Gigabit Ethernet interface

(ge-0/0/1): [edit class-of-service interfaces] user@switch# set ge-0/0/1 scheduler-map ezqos-voip-sched-maps


•



4505

®


•


Configuring CoS on an MPLS Provider Edge Switch Using IP Over MPLS (CLI Procedure) You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. This topic describes configuring CoS components on a provider edge (PE) switch that is using IP Over MPLS. This task describes how to create a custom DSCP classifier and a custom EXP rewrite rule on the ingress PE switch. It includes configuring a policer firewall filter and applying it to the customer-edge interface of the ingress PE switch. The policer firewall filter ensures that the amount of traffic forwarded through the MPLS tunnel never exceeds the requested bandwidth allocation. Before you begin, configure the basic components for an MPLS network: •

Configure two PE switches. See “Configuring MPLS on Provider Edge Switches Using Circuit Cross-Connect (CLI Procedure)” on page 4879.

•

Configure one or more provider switches. See “Configuring MPLS on Provider Switches (CLI Procedure)” on page 4870.

This topic includes: 1.


2. Configuring an LSP Policer on page 4507

Configuring CoS To configure CoS on a provider edge switch: 1.

Import the default DSCP classifier classes to the custom DSCP classifier that you are creating: [edit class-of-service] user@switch# set classifiers dscp classifier-nameimport default

2. Add a forwarding class to this custom DSCP classifier and specify a loss priority and

code point: [edit class-of-service] user@switch# set classifiers dscp classifier-name forwarding-class forwarding-class loss-priority loss-priority code-points code-point 3. Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class forwarding-class loss-priority loss-priority code-points code-point 4. On EX8200 switches only, bind the custom EXP rewrite rule to the interface: [edit class-of-service] user@switch# set class-of-service interfaces interface unit unit rewrite-rules exp e1

4506



Configuring an LSP Policer To configure an LSP policer:

NOTE: You cannot configure LSP policers on EX8200 switches. EX8200 switches do not support LSP policers.

1.

Specify the number of bits per second permitted, on average, for the firewall policer, which will later be applied to the customer-edge-interface: [edit firewall] user@switch# set policer mypolicer if-exceeding bandwidth-limit 500m

2. Specify the maximum size permitted for bursts of data that exceed the given

bandwidth limit for this policer: [edit firewall policer] user@switch# set mypolicer if-exceeding burst-size-limit 33553920 3. Discard traffic that exceeds the rate limits for this policer: [edit firewall policer] user@switch# set mypolicer then (Policer Action) discard 4. To reference the policer, configure a filter term that includes the policer action: [edit firewall] user@switch# set family inet filter (Firewall Filters) myfilter term t1 then policer mypolicer 5. Apply the filter to the customer-edge interface: [edit interfaces] user@switch# set ge-2/0/3 unit 0 family inet address 121.121.121.1/16 policing filter myfilter

NOTE: You can also configure schedulers and shapers as needed. See “Defining CoS Schedulers (CLI Procedure)” on page 4493.


•


•


•


•


Configuring CoS on an MPLS Provider Edge Switch Using Circuit Cross-Connect (CLI Procedure) You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. This topic describes configuring CoS components on a provider edge (PE) switch that is using MPLS over circuit-cross connect (CCC).


4507

®


NOTE: On EX Series switches other than EX8200 switches, if you are using MPLS over CCC, you can use only one DSCP or IP precedence classifier and only one IEEE 802.1p classifier on the CCC interfaces.

This procedure is for creating a custom DSCP classifier and a custom EXP rewrite rule on the ingress PE. It also includes enabling a policer on the label-switched path (LSP) of the ingress PE to ensure that the amount of traffic forwarded through the LSP never exceeds the requested bandwidth allocation. This topic includes: 1.





2. Add the expedited-forwarding class to this custom DSCP classifier, specifying a loss

priority and code point: [edit class-of-service] user@switch# set classifiers dscp classifier-name forwarding-class forwarding-class loss-priority loss-priority code-points code-point 3. Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class forwarding-class loss-priority loss-priority code-point code-point 4. Bind the DSCP classifier to the CCC interface: [edit ] user@switch# set class-of-service interfaces interface unit unit classifier classifier-name 5. On EX8200 switches only, bind the custom EXP rewrite rule to the interface: [edit class-of-service] user@switch# set class-of-service interfaces interface unit unit rewrite-rules exp e1

4508





1.

Specify the number of bits per second permitted, on average, for the policer, which will later be applied to the LSP: [edit firewall] set policer mypolicer if-exceeding bandwidth-limit 500m


bandwidth limit for this policer: [edit firewall policer] set mypolicer if-exceeding burst-size-limit 33553920 3. Discard traffic that exceeds the rate limits for this policer: [edit firewall policer] set mypolicer then (Policer Action) discard 4. To reference the policer, configure a filter term that includes the policer action: [edit firewall] user@switch# set family any filter (Firewall Filters) myfilter term t1 then policer mypolicer 5. Apply the filter to the LSP: [edit protocols mpls] set label-switched-path lsp_to_pe2_ge1 policing filter myfilter



•


•


•


•



4509

®


Configuring CoS Traffic Classification for Ingress Queuing on Oversubscribed Ports on EX8200 Line Cards (CLI Procedure) EX8200 switches provide certain line cards that include oversubscribed ports. These ports are logically grouped into a port group and each port group share a certain fixed bandwidth. Because oversubscribed ports handle traffic differently than ports that provide continuous line-rate bandwidth, configuring CoS queues is different for oversubscribed ports than for line-rate ports. Packets arriving on an oversubscribed port in a line card are directed to a high-priority, low priority, or line-rate queue. These queues are used for scheduling traffic from the port into the Packet Forwarding Engine. The fabric priority associated with the packet’s forwarding class determines which queue the packet is sent to. The forwarding class of the packet in turn is determined by the behavior aggregate (BA) classifier assigned to the port. By default, the fabric priority of all forwarding classes is low. Thus all packets, with the exception of critical network packets and line-rate packets, are sent to the low-priority ingress queue by default. The critical network packets and line-rate packets do not need a BA classifier as they are always sent on the high-priority and line-rate queues, respectively. This procedure describes how you can direct traffic into the high-priority ingress queue and thus avoid congestion at the port group. To direct traffic to the high-priority ingress queue for a port group: 1.

Create the BA classifier for the forwarding class: [edit class-of-service] user@switch# set classifiers classifier-type classifier-name forwarding-class class-name loss-priority level code-points code-point

2. Assign a queue number and fabric priority to the forwarding class: [edit class-of-service] user@switch# set forwarding-classes class class-name queue-num number priority level 3. Assign the BA classifier to the physical interface: [edit class-of-service] user@switch# set interfaces interface-name unit 0 classifiers classifier-type classifier-name

For example, to direct voice traffic to the high-priority ingress queue for interface xe-1/0/2: [edit class-of-service] user@switch# set classifiers dscp dscp1 forwarding-class cos-voice loss-priority low code-points ef [edit class-of-service] user@switch# set forwarding-classes class cos-voice queue-num 5 priority high [edit class-of-service] user@switch# set interfaces xe-1/0/2 unit 0 classifiers dscp dscp1

4510



NOTE: You must use a BA classifier to classify traffic for ingress queuing. Multifield (MF) classification and port classification (that is, assigning a forwarding class to the interface) are not supported for classifying traffic for ingress queuing. The BA classifier must be assigned to a physical interface, not a Layer 3 tagged interface or a routed VLAN interface (RVI).


•


Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) You can add class-of-service (CoS) components to your MPLS networks on EX Series switches to achieve end-to-end Differentiated Services to match your specific business requirements. The configuration of CoS components on the provider switches is the same regardless of whether the provider edge (PE) switches are using MPLS over CCC or IP over MPLS. This task shows how to configure a custom EXP classifier and custom EXP rewrite rule on the provider switch. 1.


2. Add the expedited-forwarding class to this custom EXP classifier, specifying a loss

priority and code point: [edit class-of-service] user@switch# set classifiers exp exp1 forwarding-class expedited-forwarding loss-priority low code-points 010 3. Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class expedited-forwarding loss-priority low code-point 111 4. On EX8200 switches only, bind the custom EXP rewrite rule to the interface: [edit class-of-service] user@switch# set class-of-service interfaces ge-0/0/2 unit 0 rewrite-rules exp e1



•



4511

®


4512


CHAPTER 121

Verifying CoS Configuration •


•


•


•


•


•


•

Monitoring CoS Drop Profiles on page 4519

Monitoring CoS Classifiers Purpose

Action

Use the monitoring functionality to display the mapping of incoming CoS values to forwarding class and loss priority for each classifier. To monitor CoS classifiers in the J-Web interface, select Monitor > Class of Service > Classifiers. To monitor CoS classifiers in the CLI, enter the following CLI command: show class-of-service classifier

Meaning

Table 512 on page 4513 summarizes key output fields for CoS classifiers.

Table 512: Summary of Key CoS Classifier Output Fields Field

Values


Classifier Name

Name of a classifier.

To display classifier assignments, click the plus sign (+).

CoS Value Type

The classifiers are displayed by type: •

dscp—All classifiers of the DSCP type.

•

ieee-802.1—All classifiers of the IEEE 802.1

type. •

inet-precedence—All classifiers of the IP

precedence type. Index


Internal index of the classifier.

4513

®


Table 512: Summary of Key CoS Classifier Output Fields (continued) Field

Values

Incoming CoS Value

CoS value of the incoming packets, in bits. These values are used for classification.

Assign to Forwarding Class

Forwarding class that the classifier assigns to an incoming packet. This class affects the forwarding and scheduling policies that are applied to the packet as it transits the switch.

Assign to Loss Priority

Loss priority value that the classifier assigns to the incoming packet based on its CoS value.



•


•


•


Monitoring CoS Forwarding Classes Purpose

Action

View the current assignment of class-of-service (CoS) forwarding classes to queues on the switch. To monitor CoS forwarding classes in the J-Web interface, select Monitor > Class of Service > Forwarding Classes. To monitor CoS forwarding classes in the CLI, enter the following CLI command: show class-of-service forwarding-class

Meaning

4514

Table 513 on page 4515 summarizes key output fields for CoS forwarding classes.


Chapter 121: Verifying CoS Configuration

Table 513: Summary of Key CoS Forwarding Class Output Fields Field

Values

Forwarding Class

Names of forwarding classes assigned to queue numbers. The following are the default forwarding classes: •

best-effort—Provides no special CoS handling of packets. Loss priority is typically not

carried in a CoS value. •

expedited-forwarding—Provides low loss, low delay, low jitter, assured bandwidth, and

end-to-end service. •

assured-forwarding—Provides high assurance for packets within specified service profile.

Excess packets are dropped. •


EX8200 switches have the following additional default forwarding classes: •

mcast-be—Provides no special CoS handling of packets.

•

mcast-ef—Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end

service. •

mcast-af—Provides high assurance for packets within the specified service profile. Excess

packets are dropped. Queue number corresponding to the forwarding class name. The default forwarding classes are assigned as follows:

Queue

•

best-effort—0

•

expedited-forwarding—5

•

assured-forwarding—1

•

network-control—7

•

mcast-be—2

•

mcast-ef—4

•

mcast-af—6

(EX8200 switches only) Fabric priority for the forwarding class, either high or low. The fabric priority determines the priority of packets ingressing the switch fabric.

Fabric Priority


•


•


•


•


Monitoring Interfaces That Have CoS Components Purpose

Use the monitoring functionality to display details about the physical and logical interfaces and the CoS components assigned to them.

Action

To monitor interfaces that have CoS components in the J-Web interface, select Monitor > Class of Service > Interface Association.


4515

®


To monitor interfaces that have CoS components in the CLI, enter the following command: show class-of-service interface interface

Meaning

Table 514 on page 4516 summarizes key output fields for CoS interfaces.

Table 514: Summary of Key CoS Interfaces Output Fields Field

Values


Interface

Name of a physical interface to which CoS components are assigned.

To display names of logical interfaces configured on this physical interface, click the plus sign (+).

Scheduler Map

Name of the scheduler map associated with this interface.

Queues Supported

Number of queues you can configure on the interface.

Queues in Use

Number of queues currently configured.

Logical Interface

Name of a logical interface on the physical interface to which CoS components are assigned.

Object

Category of an object—for example, classifier, scheduler-map, or rewrite.

Name

Name that you have given to an object—for example, ba-classifier.

Type

Type of an object—for example, dscp for a classifier.

Index

Index of this interface or the internal index of a specific object.


•


•


•


Monitoring CoS Rewrite Rules

4516

Purpose

Use the monitoring functionality to display information about CoS value rewrite rules, which are based on the forwarding class and loss priority.

Action

To monitor CoS rewrite rules in the J-Web interface, select Monitor > Class of Service > Rewrite Rules.



To monitor CoS rewrite rules in the CLI, enter the following command: show class-of-service rewrite-rules

Meaning

Table 515 on page 4517 summarizes key output fields for CoS rewrite rules.

Table 515: Summary of Key CoS Rewrite Rules Output Fields Field

Values

Rewrite Rule Name

Names of rewrite rules.

CoS Value Type

Rewrite rule type: •

dscp—For IPv4 DiffServ traffic.

•

exp—For MPLS traffic.

•

ieee-802.1—For Layer 2 traffic.

•

inet-precedence—For IPv4 traffic.

Index

Internal index for this particular rewrite rule.

Forwarding Class

Forwarding class that is used to determine CoS values for rewriting in combination with loss priority.

Loss Priority

Loss priority that is used to determine CoS values for rewriting in combination with forwarding class.

Rewrite CoS Value To

Value that the CoS value is rewritten to.



To display forwarding classes, loss priorities, and rewritten CoS values, click the plus sign (+).

Rewrite rules are applied to CoS values in outgoing packets based on forwarding class and loss priority setting.

•


•


•


Monitoring CoS Scheduler Maps Purpose

Action

Use the monitoring functionality to display assignments of CoS forwarding classes to schedulers. To monitor CoS scheduler maps in the J-Web interface, select Monitor > Class of Service > Scheduler Maps. To monitor CoS scheduler maps in the CLI, enter the following CLI command: show class-of-service scheduler-map

Meaning

Table 516 on page 4518 summarizes key output fields for CoS scheduler maps.


4517

®


Table 516: Summary of Key CoS Scheduler Maps Output Fields Field

Values


Scheduler Map

Name of a scheduler map.

For details, click the plus sign (+).

Index

Index of a specific object—scheduler maps, schedulers, or drop profiles.

Scheduler Name

Name of a scheduler.

Forwarding Class

Forwarding classes this scheduler is assigned to.

Transmit Rate

Configured transmit rate of the scheduler in bits per second (bps). The rate value can be either of the following: •

A percentage—The scheduler receives the specified percentage of the total interface bandwidth.

•

remainder— The scheduler receives the

remaining bandwidth of the interface after bandwidth allocation to other schedulers. Buffer Size

Delay buffer size in the queue or the amount of transmit delay (in milliseconds). The buffer size can be either of the following: •

A percentage—The buffer is a percentage of the total buffer allocation.

•

remainder—The buffer is sized according

to what remains after other scheduler buffer allocations. Priority

Scheduling priority of a queue: •

strict-high—Packets in this queue are

transmitted first. •

low—Packets in this queue are

transmitted last. Drop Profiles

Name and index of a drop profile that is assigned to a specific loss priority and protocol pair.

Loss Priority

Packet loss priority corresponding to a drop profile.

Protocol

Transport protocol corresponding to a drop profile.

Drop Profile Name

Name of the drop profile.

Index

Index of a specific object—scheduler maps, schedulers, or drop profiles.

4518




•


•


•


Monitoring CoS Value Aliases Purpose

Action

Use the monitoring functionality to display information about the CoS value aliases that the system is currently using to represent DSCP, IEEE 802.1p, and IPv4 precedence bits. To monitor CoS value aliases in the J-Web interface, select Monitor > Class of Service > CoS Value Aliases. To monitor CoS value aliases in the CLI, enter the following command: show class-of-service code-point-aliases

Meaning

Table 517 on page 4519 summarizes key output fields for CoS value aliases.

Table 517: Summary of Key CoS Value Alias Output Fields Field

Values


CoS Value Type

Type of the CoS value:

To display aliases and bit patterns, click the plus sign (+).

•

dscp—Examines Layer 3 packet headers

for IP packet classification. •

ieee-802.1—Examines Layer 2 packet

headers for packet classification. •

inet-precedence—Examines Layer 3

packet headers for IP packet classification. CoS Value Alias

Name given to a set of bits—for example, af11 is a name for 001010 bits.

CoS Value

Set of bits associated with an alias.


•


•


•


Monitoring CoS Drop Profiles Purpose

Action

Use the monitoring functionality to view data point information for each CoS random early detection (RED) drop profile on the EX8200 switch. To monitor CoS RED drop profiles in the J-Web interface, select Monitor > Class of Service > RED Drop Profiles.


4519

®


To monitor CoS RED drop profiles in the CLI, enter the following CLI command: show class-of-service drop-profile

Meaning

Table 518 on page 4520 summarizes the key output fields for CoS RED drop profiles.

Table 518: Summary of the Key Output Fields for CoS Red Drop Profiles Field

Values


RED Drop Profile Name

Name of the RED drop profile.

To display profile values, click the plus sign (+).

A drop profile consists of pairs of values between 0 and 100, one for queue buffer fill level and the other for drop probability, that determine the relationship between a buffer's fullness and the likelihood it will drop packets. Graph RED Profile

Links to a graph of a RED curve that the system uses to determine the drop probability based on queue buffer fullness.

Type

Type of a specific drop profile: •

The x axis represents the queue buffer fill level, and the y axis represents the drop probability.

interpolated—The two coordinates (x and y) of the graph are

interpolated to produce a smooth profile. •

segmented—The two coordinates (x and y) of the graph are

represented by line fragments to produce a segmented profile. Index

Internal index of this drop profile.

Fill Level

Percentage fullness of a buffer queue. This value is the x coordinate of the RED drop profile graph.

Drop Probability

Drop probability of a packet corresponding to a specific queue buffer fill level. This value is the y coordinate of the RED drop profile graph.


4520

•

Defining CoS Drop Profiles (J-Web Procedure) on page 4497

•



CHAPTER 122

Troubleshooting CoS Configuration •

Troubleshooting CoS Schedulers on a 40-port SFP+ Line Card in an EX8200 Switch on page 4521

•

Troubleshooting a CoS Classifier Configuration for a TCAM Space Error on page 4522

Troubleshooting CoS Schedulers on a 40-port SFP+ Line Card in an EX8200 Switch Problem

After you configure a scheduler map on an interface on the 40-port SFP+ line card, you notice one or both of the following: •

All packets are being dropped on a class-of-service queue configured on the interface.

•

A message in the system log states that the interface is using the default scheduler map, not the scheduler map you configured. For example: Sep 19 21:26:50 hostname cosd[907]: COSD_SCHED_MAP_GROUP_CONFLICT: Interface xe-5/0/15 cannot be bound to scheduler-map m1. It will be bound to default scheduler-map

Cause

Solution

The ports in a 40-port SFP+ line card are divided into eight groups, each group comprising five ports. The ports in a port group share 10 gigabits of bandwidth. Because the port groups share bandwidth, only one scheduler map can be active at a time in a port group. If you configure different scheduler maps for different interfaces in a port group, you do not receive an error when you commit the configuration. Instead, default scheduler map becomes the active scheduler map for all interfaces in the port group, and messages in the system log report that the default scheduler map is in use for the affected interfaces. If the default scheduler map does not define a queue, all traffic is dropped on that queue. Check your CoS configuration for the interfaces in the port group. If you have different scheduler maps assigned to different interfaces in the port group: 1.

Delete the scheduler map configuration for all interfaces in the port group.

2. Determine the scheduler map that you want all interfaces in the port group to use. 3. Assign that scheduler map to at least one interface in the port group. The remaining

interfaces in the port group will adopt this scheduler map.


4521

®


BEST PRACTICE: To prevent confusion and future configuration conflicts, explicitly assign the scheduler map to each interface in the port group.

4. After you commit the configuration, verify that the scheduler map is the active

scheduler map for the interfaces in the port group by using the show class-of-service forwarding-table scheduler-map command.


•


•


•


Troubleshooting a CoS Classifier Configuration for a TCAM Space Error Problem

When a CoS classifier configuration exceeds the amount of available ternary content addressable memory (TCAM) space, the switch returns the following system log message: rules for class will not be installed, key: . no space in tcam db()

The switch returns this message during the commit operation if the number of classifiers defined in the CoS configuration or the number of bind points (interfaces) to which classifiers are bound causes the CoS configuration to exceed the amount of available TCAM space. However, the commit operation for the CoS configuration is completed in the CLI module. Solution

4522

When a CoS configuration exceeds the amount of available TCAM table space, you must either define fewer classifiers or bind them to fewer interfaces, or both, so that the space requirements for the CoS configuration do not exceed the available space in TCAM.


Chapter 122: Troubleshooting CoS Configuration

To delete classifier definitions and bind points in a CoS configuration, and to apply a new CoS classifier definition to fewer bind points: 1.

Delete either the CoS classifier definition or the bind points: •

To delete the CoS classifier definition: •

For behavioral classifiers: [edit class-of-service] user@switch# delete classifier dscp d1

•

For multifield classifiers: [edit] user@switch# delete interfaces ge-3/0/2 unit 0 family ethernet-switching filter input ipacl

This command deletes a multifield classifier defined for a port. Similarly, you can delete a multifield classifier defined for a VLAN or router. You can also delete terms defined in a single multifield classifier: [edit] user@switch# delete firewall family inet filter f1 term t1

In both these examples (for behavioral and multifield classifiers), the assumption is that too many classifier definitions resulted in the error message. •

To delete the bind points: [edit class-of-service] user@switch# delete class-of-service interfaces ge-0/0/0 user@switch# delete class-of-service interfaces ge-0/0/1 user@switch# delete class-of-service interfaces ge-0/0/2 user@switch# delete class-of-service interfaces ge-0/0/3 user@switch# delete class-of-service interfaces ge-0/0/4 user@switch# delete class-of-service interfaces ge-0/0/5 user@switch# delete class-of-service interfaces ge-0/0/6 user@switch# delete class-of-service interfaces ge-0/0/7 user@switch# delete class-of-service interfaces ge-0/0/8

Here the assumption is that too many bind points (nine) in the configuration resulted in the error message. 2. Commit the operation: [edit] user@switch# commit 3. Define fewer classifiers in the CoS configuration or bind classifiers to fewer interfaces,

or both, so that the CoS classifier configuration does not exceed the amount of available TCAM space on the switch: •

To define CoS classifiers: •

For behavioral classifiers: [edit] user@switch# set class-of-service classifiers dscp d2 forwarding-class fc1 loss-priority low code-points 000001 user@switch# set class-of-service classifiers dscp d2 forwarding-class fc2 loss-priority low code-points 000010


4523

®


user@switch# set class-of-service classifiers dscp d2 forwarding-class fc3 loss-priority low code-points 000011 user@switch# set class-of-service classifiers dscp d2 forwarding-class fc4 loss-priority low code-points 000100 user@switch# set class-of-service classifiers dscp d2 forwarding-class fc5 loss-priority low code-points 000101 user@switch# set class-of-service classifiers dscp d2 forwarding-class fc6 loss-priority low code-points 000110 user@switch# set class-of-service classifiers dscp d2 forwarding-class fc7 loss-priority low code-points 000111 •

For multifield Classifiers: [edit] user@switch# set firewall family inet filter f1 term t1 from protocol tcp user@switch# set firewall family inet filter f1 term t1 then loss-priority high user@switch# set firewall family inet filter f1 term t1 then forwarding-class best-effort user@switch# set firewall family inet filter f1 term t2 from protocol udp user@switch# set firewall family inet filter f1 term t2 then loss-priority high user@switch# set firewall family inet filter f1 term t2 then forwarding-class assured-forwarding user@switch# set firewall family inet filter f1 term t3 from source-port ssh user@switch# set firewall family inet filter f1 term t3 then loss-priority low user@switch# set firewall family inet filter f1 term t3 then forwarding-class fc8 user@switch#set class-of-service forwarding-classes best-effort, assured-forwarding, fc8

•

To bind classifiers to fewer interfaces: [edit] user@switch# set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp d2 user@switch# set class-of-service interfaces ge-0/0/1 unit 0 classifiers dscp d2 user@switch# set class-of-service interfaces ge-0/0/2 unit 0 forwarding-class best-effort user@switch# set class-of-service interfaces ge-0/0/3 unit 0 forwarding-class assured-forwarding user@switch# set class-of-service interfaces ge-0/0/4 unit 0 forwarding-class fc8

4. Commit the operation: [edit] user@switch# commit 5. Check system log for an error message. If an error message is not logged, then your

classifier configuration has not exceeded the TCAM space limit. If an error message is logged, then repeat this procedure by defining fewer classifiers or binding classifiers to fewer bind points.


4524

•


•



CHAPTER 123

Configuration Statements for CoS •


[edit class-of-service] Configuration Statement Hierarchy class-of-service { classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) classifier-name { forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) loss-priority { code-points [aliases] [6 bit-patterns]; } } import (classifier-name | default); } } code-point-aliases { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) { alias-name bits; } } congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } forwarding-classes { class class-name queue-num queue-number priority ( high | low ); } interfaces { interface-name { congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } scheduler-map map-name; unit logical-unit-number {


4525

®


classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) (classifier-name | default); } forwarding-class class-name; } } } multi-destination { family { ethernet (CoS for Multidestination Traffic) { broadcast forwarding-class-name; } inet (CoS) { classifiers { (dscp | dscp-ipv6 | inet-precedence) classifier-name; } } } scheduler-map map-name; } rewrite-rules { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) rewrite-name { forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) loss-priority code-point (alias | bits); } import (rewrite-name | default); } } scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers (CoS) { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map drop-profile profile-name; loss-priority (Classifiers and Rewrite Rules) loss-priority; priority (Schedulers) priority; protocol (Drop Profiles) protocol; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } }


4526

•


•


•


•



Chapter 123: Configuration Statements for CoS

•


•


•


•


•


broadcast Syntax Hierarchy Level Release Information Description Options


broadcast forwarding-class-name; [edit class-of-service multi-destination family ethernet (CoS for Multidestination Traffic)]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify the forwarding class for the broadcast traffic belonging to the Ethernet family. forwarding-class-name —Name of the forwarding class: •

mcast-af—Default forwarding class for assured forwarding of multicast traffic.

•

mcast-be—Default best-effort forwarding class for multicast traffic.

•

mcast-ef—Default forwarding class for expedited forwarding of multicast traffic.



•


•



4527

®


buffer-size Syntax Hierarchy Level Release Information Description

buffer-size (exact | percent percentage | remainder); [edit class-of-service schedulers (CoS) scheduler-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify buffer size.

Default

If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.

Options

exact—Enforce the exact buffer size. When this option is configured, sharing is disabled

on the queue, restricting the usage to guaranteed buffers only. percentpercentage—Buffer size as a percentage of total buffer. remainder—Remaining buffer available.


4528



•


•




class Syntax Hierarchy Level Release Information Description

class class-name queue-num queue-number priority ( high | low ); [edit class-of-service forwarding-classes]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure up to 16 forwarding classes with multiple forwarding classes mapped to single queues. If you want to configure up to eight forwarding classes with one-to-one mapping to output queues, use the queue statement instead of the class statement at the [edit class-of-service forwarding-classes] hierarchy level. On EX8200 switches, you can assign a fabric priority to a forwarding class. The fabric priority determines scheduling priority of packets ingressing the switch fabric. In addition, for interfaces on the 40-port SFP+ line card, the fabric priority determines whether packets are sent to the high or low priority queue for ingressing the port group. The primary use of this option is to prevent high priority input traffic from being dropped due to congestion on the port group of a 40-port SFP+ line card.

Options

class-name—Name of forwarding class. priority (high | low)—(Optional) (EX8200 switches only) Fabric priority.

Values: high or low Default: low queue-num queue-number—Output queue number.




•


•



4529

®


class-of-service Syntax

4530

class-of-service { classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [aliases] [6 bit-patterns]; } } } } code-point-aliases { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) { alias-name bits; } } forwarding-classes { class class-name queue-num queue-number priority (high | low); } interfaces { interface-name { scheduler-map map-name; unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) (classifier-name | default); } } } } multi-destination { family { ethernet (CoS for Multidestination Traffic) { broadcast forwarding-class-name; } inet (CoS) { classifiers { (dscp | dscp-ipv6 | inet-precedence) classifier-name; } } } scheduler-map map-name; } rewrite-rules { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) rewrite-name { import (rewrite-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) priority code-point (alias | bits); } } } scheduler-maps {



map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers (CoS) { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map loss-priority (Classifiers and Rewrite Rules) loss-priority protocol (Drop Profiles) protocol drop-profile profile-name; priority (Schedulers) priority; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } }


[edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure class-of-service (CoS) parameters on EX Series switches. The remaining statements are explained separately.


If you do not configure any CoS features, the default CoS settings are used. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •


•


•


•


•


•


•


•


•



4531

®


classifiers Syntax

classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence | exp) classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [aliases] [6–bit-patterns]; } } } }

Hierarchy Level

[edit class-of-service], [edit class-of-service interfaces interface-name unit logical-unit-number]

Release Information

Description

Statement introduced in Junos OS Release 9.0 for EX Series switches. Expanded to include EXP classifiers in Junos OS Release 10.1 for EX Series switches. Apply a CoS aggregate behavior classifier to a logical interface. You can apply a default classifier or a custom classifier. The remaining statements are explained separately.


4532



•


•


•


•




code-point-aliases Syntax


code-point-aliases { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) |{ alias-name bits; } } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define an alias for a CoS marker. The remaining statement is explained separately.




•


•


code-points Syntax Hierarchy Level


Options

code-points [ aliases ] [ 6 bit-patterns ]; [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) forwarding-class class-name loss-priority (Classifiers and Rewrite Rules) level]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify one or more DSCP code-point aliases or bit sets for association with a forwarding class. aliases —Name of the DSCP alias. 6 bit-patterns —Value of the code-point bits, in decimal form.




•


•



4533

®


drop-profile-map Syntax


drop-profile-map loss-priority (Classifiers and Rewrite Rules) loss-priority protocol (Drop Profiles) protocol drop-profile profile-name; [edit class-of-service schedulers (CoS) scheduler-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define the loss priority value for the specified drop profile. drop-profile profile-name —Name of the drop profile.


4534



•


•




dscp Syntax

Hierarchy Level


Options

dscp classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [ aliases ] [ 6–bit-patterns ]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [editclass-of-service interfaces interface-name unit logical-unit-number classifiers], [edit class-of-service rewrite-rules]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define the Differentiated Services code point (DSCP) mapping that is applied to the packets. classifier-name—Name of the classifier.




•


•


•


•


•



4535

®


dscp-ipv6 Syntax

Hierarchy Level


Options

dscp-ipv6 classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [aliases] [6–bit-patterns]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [edit class-of-service interfaces interface-name unit logical-unit-number classifiers] [edit class-of-service interfaces interface-name unit logical-unit-number rewrite-rules] [edit class-of-service rewrite-rules]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Define the Differentiated Services code point (DSCP) mapping that is applied to the IPv6 packets. classifier-name—Name of the classifier.


4536



•


•


•


•


•




ethernet Syntax


ethernet { broadcast forwarding-class-name; } [edit class-of-service multi-destination family]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify the Ethernet broadcast traffic family. The remaining statement is explained separately.




•


•



4537

®


exp Syntax


exp classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [ aliases ] [ 3–bit-patterns ]; } } } [edit class-of-service classifiers]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Define the experimental bits (EXP) code point mapping that is applied to the MPLS packets. EX Series switches support only one EXP code mapping on the switch (either default or custom). It is applied globally and implicitly to all the MPLS-enabled interfaces on the switch. You cannot bind it to an individual interface and you cannot disable it.

Options

classifier-name—Name of the classifier.


4538



•


•


•




family Syntax


family { ethernet (CoS for Multidestination Traffic) { broadcast forwarding-class-name; } inet (CoS) { classifiers{ (dscp | ieee-802.1 | inet-precedence) classifier-name; } } } [edit class-of-service multi-destination]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify the multidestination traffic family. The remaining statements are explained separately.




•


•



4539

®


forwarding-class Syntax

Hierarchy Level


forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [ aliases ] [ 6–bit-patterns ]; } } [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name], [edit class-of-service interfaces interface-name unit logical-unit-number], [edit class-of-service rewrite-rules] (dscp | ieee-802.1 | inet-precedence) rewrite-name], [edit class-of-service scheduler-maps map-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define forwarding class name and option values. class-name —Name of the forwarding class.


4540



•


•




forwarding-classes Syntax


forwarding-classes { class class-name queue-num queue-number; } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Associate the forwarding class with a queue name and number. The statement is explained separately.




•


•



4541

®


ieee-802.1 Syntax

Hierarchy Level


ieee-802.1 classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [ aliases ] [ 6 bit-patterns ]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [editclass-of-service interfaces interface-name unit logical-unit-number classifiers], [edit class-of-service rewrite-rules]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply an IEEE-802.1 rewrite rule. classifier-name —Name of the classifier.


4542



•


•


•


•


•





import (classifier-name | default); [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name], [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name]


Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify a default or previously defined classifier. classifier-name —Name of the classifier mapping configured at the [edit class-of-service classifiers] hierarchy level. default—Default classifier mapping.




•


•


•


•



4543

®


inet Syntax


Description

inet { classifiers { (dscp | ieee-802.1 | inet-precedence) classifier-name ; } } [edit class-of-service multi-destination family]

Option inet introduced in Junos OS Release 9.5 for EX Series switches. The remaining statements are explained separately. Specify the IP multicast family. The remaining statements are explained separately.


4544



•


•




inet-precedence Syntax

Hierarchy Level


inet-precedence classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [ aliases ] [ 6–bit-patterns ]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [editclass-of-service interfaces interface-name unit logical-unit-number classifiers], [edit class-of-service rewrite-rules]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply an IPv4 precedence rewrite rule. classifier-name—Name of the classifier. The remaining statements are explained separately.




•


•


•


•


•



4545

®


interfaces Syntax


interfaces { interface-name { congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } } scheduler-map map-name; unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | ieee-802.1 | inet-precedence) (classifier-name | default); } } } } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure interface-specific class-of-service (CoS) properties for incoming packets. interface-name—Name of the interface.


4546



•


•


•


•




loss-priority Syntax

Hierarchy Level

Release Information

Description Options

loss-priority level { code-points [ aliases ] [ 6–bit-patterns | 3–bit-patterns ]; } [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence | exp) classifier-name forwarding-class class-name], [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence | exp) rewrite-name forwarding-class class-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement expanded to apply to EXP classifiers in Junos OS Release 10.1 for EX Series switches. Specify packet loss priority value for a specific set of code-point aliases and bit patterns. level —Can be one of the following: •

high—Packet has high loss priority.

•

low—Packet has low loss priority.




•


•


•


•



4547

®


multi-destination Syntax


multi-destination { classifiers { dscp classifier-name; } family { ethernet (CoS for Multidestination Traffic) { broadcast (forwarding-class-name ); } inet (CoS) { classifiers { (dscp | inet-precedence) classifier-name; } } inet6 (CoS Multidestination) { classifiers { dscp-ipv6 classifier-name; } } } scheduler-map map-name; } [edit class-of-service]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Define the CoS configuration for multidestination traffic. The remaining statements are explained separately.


4548



•


•




policing Syntax Hierarchy Level


Options

policing (filter filter-name | no-automatic-policing); [edit protocols mpls label-switched-path lsp-name] [edit interfaces interface-id unit number-of-logical-unit family inet address ip-address]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Apply a rate-limiting policer as the specified policing filter: •

To the LSP for MPLS over CCC.

•

To the customer-edge interface for IP over MPLS.

filter filter-name—Specify the name of the policing filter. no-automatic-policing—Disable automatic policing on this LSP.



policer on page 4381

•


•


•



4549

®


priority Syntax Hierarchy Level Release Information Description Options


priority priority; [edit class-of-service schedulers (CoS) scheduler-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify packet-scheduling priority value. priority —It can be one of the following: •

low—Scheduler has low priority.

•

strict-high—Scheduler has strictly high priority.



•


•


protocol Syntax Hierarchy Level Release Information Description Options

protocol protocol drop-profile profile-name; [edit class-of-service schedulers (CoS) scheduler-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the protocol type for the specified drop profile. drop-profile profile-name —Name of the drop profile. protocol —Type of protocol. It can be: •


4550

any—Accept any protocol type.



•


•




rewrite-rules Syntax


Description

rewrite-rules { (dscp | dscp-ipv6 | exp |ieee-802.1 | inet-precedence ) rewrite-name { import ( default | rewrite-name); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level code-point (alias | bits); } } } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement expanded for use with global EXP classifiers in Junos OS Release 10.1 for EX Series switches. Specify a rewrite-rules mapping for the traffic that passes through all queues on the interface. The remaining statements are explained separately.




•


•


•



4551

®


scheduler-map Syntax Hierarchy Level



4552

scheduler-map map-name; [edit class-of-service interfaces], [edit class-of-service multi-destination]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Associate a scheduler map name with an interface or with a multidestination traffic configuration. map-name —Name of the scheduler map.



•


•


•




scheduler-maps Syntax


Options

scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify a scheduler map name and associate it with the scheduler configuration and forwarding class. map-name —Name of the scheduler map.




•


•


•



4553

®


schedulers Syntax


schedulers { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map loss-priority (Classifiers and Rewrite Rules) loss-priority protocol (Drop Profiles) protocol drop-profile profile-name; priority (Schedulers) priority; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify scheduler name and parameter values. scheduler-name —Name of the scheduler.


4554



•


•




shaping-rate Syntax Hierarchy Level Release Information Description

shaping-rate (percent percentage | rate); [edit class-of-service schedulers (CoS) scheduler-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure shaping rate to throttle the rate at which queues transmit packets. We recommend that you configure the shaping rate as an absolute maximum usage and not as additional usage beyond the configured transmit rate.

Default

If you do not include this statement, the default shaping rate is 100 percent, which is the same as no shaping at all.

Options

percentpercentage —Shaping rate as a percentage of the available interface bandwidth.

Range: 0 through 100 percent rate—Peak rate, in bits per second (bps). You can specify a value in bits per second either

as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Range: 3200 through 32,000,000,000 bps Required Privilege Level Related Documentation



•



4555

®


shared-buffer Syntax Hierarchy Level Release Information Description Options

shared-buffer percent percentage [edit class-of-service],

Statement introduced in Junos OS Release 10.1 for EX Series switches. Configure the buffer allocation for the shared buffer pool. percent percentage—Size of the shared buffer as a percentage of the buffer allocated to

the shared buffer pool. Required Privilege Level Related Documentation

4556



•




transmit-rate Syntax Hierarchy Level Release Information Description Default

Options

transmit-rate (rate | percent percentage | remainder); [edit class-of-service schedulers (CoS) scheduler-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the transmit rate or percentage for a scheduler. If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent. rate —Transmission rate, in bps. You can specify a value in bits per second either as a

complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Range: 3200 through 160,000,000,000 bps percent percentage —Percentage of transmission capacity. A percentage of zero drops

all packets in the queue. Range: 0 through 100 percent remainder—Remaining rate available




•


•



4557

®


unit Syntax


Options

unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | ieee-802.1 | inet-precedence) (classifier-name | default); } } [edit class-of-service interfaces interface-name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device. logical-unit-number —Number of the logical unit.

Range: 0 through 16,385 The remaining statements are explained separately. Required Privilege Level Related Documentation

4558



•



CHAPTER 124

Operational Commands for CoS


4559

®


show class-of-service Syntax Release Information



Output Fields

show class-of-service

Command introduced in Junos OS Release 9.0 for EX Series switches. EXP classifiers added in Junos OS Release 10.1 for EX Series switches. Display the class-of-service (CoS) information. view

•


•


•


•


•


•


show class-of- service on page 4561 show class-of-service rewrite-rule on page 4564 Table 519 on page 4560 lists the output fields for the show class-of-service command. Output fields are listed in the approximate order in which they appear.

Table 519: show class-of-service Output Fields Field Name

Field Description

Level of Output

Forwarding class

The forwarding class configuration:

All levels

•

Forwarding class—Name of the forwarding class.

•

ID—Forwarding class ID.

•

Queue—Queue number.

•

Fabric Priority—(EX8200 switches only) Fabric priority: either high or low. The

fabric priority determines which CoS ingress queues packets are sent to. Code point type

The type of code-point alias: •

dscp—Aliases for DiffServ code point (DSCP) values.

•

ieee–802.1—Aliases for IEEE 802.1p values.

•

inet-precedence—Aliases for IP precedence values.

•

exp—Aliases for experimental (EXP) values.

All levels

Alias

Names given to CoS values.

All levels

Bit pattern

Set of bits associated with an alias.

All levels

Classifier

Name of the classifier.

All levels

4560


Chapter 124: Operational Commands for CoS

Table 519: show class-of-service Output Fields (continued) Field Name

Field Description

Level of Output

Code point

Code-point values.

All levels

Loss priority

Loss priority assigned to specific CoS values and aliases of the classifier.

All levels

Rewrite rule

Name of the rewrite-rule.

All levels

Drop profile


All levels

Type

Type of drop profile. EX Series switches support only the discrete type of drop profile.

All levels

Fill level

Percentage of queue buffer fullness of high packets beyond which high packets are dropped.

All levels

Scheduler

Name of the scheduler.

All levels

Transmit rate

Transmission rate of the scheduler.

All levels

Buffer size

Delay buffer size in the queue.

All levels

Drop profiles

Drop profiles configured for the specified scheduler.

All levels

Protocol

Transport protocol corresponding to the drop profile.

All levels

Name


All levels

Queues supported

Number of queues that can be configured on the interface.

All levels

Queues in use


All levels

Physical interface


All levels

Scheduler map

Name of the scheduler map.

All levels

Index

Internal index of a specific object.

All levels

Sample Output show class-of- service

user@switch> show class-of-service Forwarding class best-effort expedited-forwarding assured-forwarding network-control

ID 0 1 2 3

Queue 0 5 1 7

Code point type: dscp Alias Bit pattern af11 001010


4561

®


af12 ...

001100 ...

Code point type: ieee-802.1 Alias Bit pattern af11 010 ... ... Code point type: inet-precedence Alias Bit pattern af11 001 ... ... Classifier: dscp-default, Code point type: dscp, Index: 7 Code point Forwarding class Loss priority 000000 best-effort low 000001 best-effort low ... ... ... Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 best-effort low 100 best-effort low 101 best-effort low 110 network-control low 111 network-control low Classifier: ipprec-default, Code point type: inet-precedence, Index: 12 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 best-effort low 100 best-effort low 101 best-effort low 110 network-control low 111 network-control low Classifier: ieee8021p-untrust, Code point type: ieee-802.1, Index: 16 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 best-effort low 100 best-effort low 101 best-effort low 110 best-effort low 111 best-effort low Rewrite rule: dscp-default, Code point type: dscp, Index: Forwarding class Loss priority best-effort low best-effort high expedited-forwarding low expedited-forwarding high assured-forwarding low assured-forwarding high network-control low

4562

27 Code point 000000 000000 101110 101110 001010 001100 110000



network-control

high

111000

Rewrite rule: ieee8021p-default, Code point type: ieee-802.1, Index: 30 Forwarding class Loss priority Code point best-effort low 000 best-effort high 001 expedited-forwarding low 100 expedited-forwarding high 101 assured-forwarding low 010 assured-forwarding high 011 network-control low 110 network-control high 111 Rewrite rule: ipprec-default, Code point type: inet-precedence, Index: 31 Forwarding class Loss priority Code point best-effort low 000 best-effort high 000 expedited-forwarding low 101 expedited-forwarding high 101 assured-forwarding low 001 assured-forwarding high 001 network-control low 110 network-control high 111 Drop profile:, Type: discrete, Index: 1 Fill level 100 Scheduler map: , Index: 2 Scheduler: , Forwarding class: best-effort, Index: 20 Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Scheduler: , Forwarding class: network-control, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 High TCP 1 Physical interface: ge-0/0/0, Index: 129 Queues supported: 8, Queues in use: 4 Scheduler map: , Index: 2 Physical interface: ge-0/0/1, Index: 130 Queues supported: 8, Queues in use: 4 Scheduler map: , Index: 2 ...

...

...

Fabric priority: low Scheduler: , Index: 23 Drop profiles: Loss priority Protocol Index High non-TCP 1


Name

4563

®


High

TCP

1

Fabric priority: high Scheduler: , Index: 23 Drop profiles: Loss priority Protocol Index High non-TCP 1 High TCP 1

show class-of-service rewrite-rule

Name

user@switch> show class-of-service rewrite-rule Rewrite rule: dscp-default, Code point type: dscp, Index: Forwarding class Loss priority best-effort low best-effort high expedited-forwarding low expedited-forwarding high fw-class low fw-class high network-control low network-control high

31 Code point 000000 000000 101110 101110 001010 001100 110000 111000

Rewrite rule: exp-default, Code point type: exp, Index: 33 Forwarding class Loss priority Code point best-effort low 000 best-effort high 001 expedited-forwarding low 010 expedited-forwarding high 011 fw-class low 100 fw-class high 101 network-control low 110 network-control high 111 Rewrite rule: ieee8021p-default, Code point type: ieee-802.1, Index: 34 Forwarding class Loss priority Code point best-effort low 000 best-effort high 001 expedited-forwarding low 010 expedited-forwarding high 011 fw-class low 100 fw-class high 101 network-control low 110 network-control high 111 Rewrite rule: ipprec-default, Code point type: inet-precedence, Index: 35 Forwarding class Loss priority Code point best-effort low 000 best-effort high 000 expedited-forwarding low 101 expedited-forwarding high 101 fw-class low 001 fw-class high 001 network-control low 110 network-control high 111

4564



show class-of-service classifier Syntax

Release Information

Description

Options

show class-of-service classifier

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. For each class-of-service (CoS) classifier, display the mapping of code point value to forwarding class and loss priority. none—Display all classifiers. name name—(Optional) Display named classifier. type dscp—(Optional) Display all classifiers of the Differentiated Services code point

(DSCP) type. type dscp-ipv6—(Optional) Display all classifiers of the DSCP for IPv6 type. type exp—(Optional) Display all classifiers of the MPLS experimental (EXP) type. type ieee-802.1—(Optional) Display all classifiers of the ieee-802.1 type. type inet-precedence—(Optional) Display all classifiers of the inet-precedence type.


Output Fields

view

show class-of-service classifier type ieee-802.1 on page 4566 show class-of-service classifier type ieee-802.1 (QFX Series) on page 4566 Table 520 on page 4565 describes the output fields for the show class-of-service classifier command. Output fields are listed in the approximate order in which they appear.

Table 520: show class-of-service classifier Output Fields Field Name

Field Description

Classifier

Name of the classifier.

Code point type

Type of the classifier: exp (not on EX Series switch), dscp, dscp-ipv6 (not on EX Series switch), ieee-802.1, or inet-precedence.

Index

Internal index of the classifier.

Code point

Code point value used for classification

Forwarding class

Classification of a packet affecting the forwarding, scheduling, and marking policies applied as the packet transits the router.


4565

®


Table 520: show class-of-service classifier Output Fields (continued) Field Name

Field Description

Loss priority

Loss priority value used for classification. For most platforms, the value is high or low. For some platforms, the value is high, medium-high, medium-low, or low.

Sample Output show class-of-service classifier type ieee-802.1

user@host> show class-of-service classifier type ieee-802.1 Classifier: ieee802.1-default, Code point type: ieee-802.1, Index: 3 Code Point Forwarding Class Loss priority 000 best-effort low 001 best-effort high 010 expedited-forwarding low 011 expedited-forwarding high 100 assured-forwarding low 101 assured-forwarding medium-high 110 network-control low 111 network-control high Classifier: users-ieee802.1, Code point type: ieee-802.1 Code point Forwarding class Loss priority 100 expedited-forwarding low

show class-of-service classifier type ieee-802.1 (QFX Series)

user@switch> show class-of-service classifier type ieee-802.1 Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 fcoe low 100 no-loss low 101 best-effort low 110 network-control low 111 network-control low Classifier: ieee-mcast, Code point type: ieee-802.1, Index: 46 Code point Forwarding class Loss priority 000 mcast low 001 mcast low 010 mcast low 011 mcast low 100 mcast low 101 mcast low 110 mcast low 111 mcast low

4566



show class-of-service code-point-aliases Syntax

Release Information

Description

Options

show class-of-service code-point-aliases

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display the mapping of class-of-service (CoS) code point aliases to corresponding bit patterns. none—Display code point aliases of all code point types. dscp—(Optional) Display Differentiated Services code point (DSCP) aliases. dscp-ipv6—(Optional) Display IPv6 DSCP aliases. exp—(Optional) Display MPLS EXP code point aliases. ieee-802.1—(Optional) Display IEEE-802.1 code point aliases. inet-precedence—(Optional) Display IPv4 precedence code point aliases.


view

show class-of-service code-point-aliases exp on page 4568 Table 521 on page 4567 describes the output fields for the show class-of-service code-point-aliases command. Output fields are listed in the approximate order in which they appear.

Table 521: show class-of-service code-point-aliases Output Fields Field Name

Field Description

Code point type

Type of the code points displayed: dscp, dscp-ipv6 (not on EX Series switch or the QFX Series), exp (not on EX Series switch or the QFX Series), ieee-802.1, or inet-precedence (not on the QFX Series).

Alias

Alias for a bit pattern.

Bit pattern

Bit pattern for which the alias is displayed.


4567

®


Sample Output show class-of-service code-point-aliases exp

4568

user@host> show class-of-service code-point-aliases exp Code point type: exp Alias Bit pattern af11 100 af12 101 be 000 be1 001 cs6 110 cs7 111 ef 010 ef1 011 nc1 110 nc2 111



show class-of-service drop-profile Syntax

Release Information

Description

Options

show class-of-service drop-profile

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display data points for each class-of-service (CoS) random early detection (RED) drop profile. none—Display all drop profiles. profile-name profile-name—(Optional) Display the specified profile only.


Output Fields

view

show class-of-service drop-profile on page 4570 show class-of-service drop-profile (EX4200 Switch) on page 4570 show class-of-service drop-profile (EX8200 Switch) on page 4570 Table 522 on page 4569 describes the output fields for the show class-of-service drop-profile command. Output fields are listed in the approximate order in which they appear.

Table 522: show class-of-service drop-profile Output Fields Field Name

Field Description

Drop profile

Name of a drop profile.

Type

Type of drop profile: •

discrete (default)

•

interpolated (EX8200 switches only)

Index

Internal index of this drop profile.

Fill Level

Percentage fullness of a queue.

Drop probability

Drop probability at this fill level.


4569

®


Sample Output show class-of-service drop-profile

user@host> show class-of-service drop-profile Drop profile: , Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: user-drop-profile, Type: interpolated, Index: 2989 Fill level Drop probability 0 0 1 1 2 2 4 4 5 5 6 6 8 8 10 10 12 15 14 20 15 23 ... 64 entries total 90 96 92 96 94 97 95 98 96 98 98 99 99 99 100 100

show class-of-service drop-profile (EX4200 Switch)

user@switch> show class-of-service drop-profile Drop profile: , Type: discrete, Index: 1 Fill level 100 Drop profile: dp1, Type: discrete, Index: 40496 Fill level 10

show class-of-service drop-profile (EX8200 Switch)

user@switch> show class-of-service drop-profile Drop profile: , Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: dp1, Type: interpolated, Index: 40496 Fill level Drop probability 0 0 1 80 2 90 4 90 5 90 6 90 8 90 10 90 12 91 14 91 15 91 16 91 18 91 20 91 22 92 24 92 25 92

4570



26 92 28 92 30 92 32 93 34 93 35 93 36 93 38 93 40 93 42 94 44 94 45 94 46 94 48 94 49 94 51 95 52 95 54 95 55 95 56 95 58 95 60 95 62 96 64 96 65 96 66 96 68 96 70 96 72 97 74 97 75 97 76 97 78 97 80 97 82 98 84 98 85 98 86 98 88 98 90 98 92 99 94 99 95 99 96 99 98 99 99 99 100 100 Drop profile: dp2, Type: discrete, Index: 40499 Fill level Drop probability 10 5 50 50


4571

®


show class-of-service forwarding-class Syntax Release Information

Description



Output Fields

show class-of-service forwarding-class

Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display information about forwarding classes, including the mapping of forwarding classes to queue numbers. view

•


•


•


•


show class-of-service forwarding-class on page 4572 show class-of-service forwarding-class (EX8200 Switch) on page 4573 show class-of-service forwarding-class (QFX Series) on page 4573 Table 523 on page 4572 describes the output fields for the show class-of-service forwarding-class command. Output fields are listed in the approximate order in which they appear.

Table 523: show class-of-service forwarding-class Output Fields Field Name

Field Description

Forwarding class

Name of forwarding class.

ID

Forwarding class identifier.

Queue

CoS queue mapped to the forwarding class.

Policing priority

Not supported on EX Series switches or the QFX Series and can be ignored.

Fabric priority

(EX8200 switches only) Fabric priority for the forwarding class, either high or low. Determines the priority of packets ingressing the switch fabric.

Sample Output show class-of-service forwarding-class

4572

user@switch> show class-of-service forwarding-class Forwarding class ID best-effort 0

Queue

Policing priority normal

0



expedited-forwarding assured-forwarding network-control

1 2 3

5 1 7

normal normal normal

Sample Output show class-of-service forwarding-class (EX8200 Switch)

user@switch> show class-of-service forwarding-class Forwarding class ID Queue best-effort 0 0 expedited-forwarding 1 5 assured-forwarding 2 1 network-control 3 7 mcast-be 4 2 mcast-ef 5 4 mcast-af 6 6

Fabric priority low low low low low low low

Sample Output show class-of-service forwarding-class (QFX Series)

user@switch> show class-of-service forwarding-class Forwarding class ID best-effort fcoe no-loss network-control mcast


0 1 2 3 8

Queue 0 3 4 7 8

Policing priority normal normal normal normal normal

4573

®


show class-of-service interface Syntax

Release Information

Description

Options

show class-of-service interface

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Forwarding class map information added in Junos OS Release 9.4. Command introduced in Junos OS Release 11.1 for the QFX Series. Options detail and comprehensive introduced in Junos OS Release 11.4. Display the logical and physical interface associations for the classifier, rewrite rules, and scheduler map objects. comprehensive—(M Series, MX Series, and T Series routers) (Optional) Display

comprehensive quality-of-service (QoS) information about all physical and logical interfaces. detail—(M Series, MX Series, and T Series routers) (Optional) Display QoS and CoS

information based on the interface. If the interface interface-name is a physical interface, the output includes: •

Brief QoS information about the physical interface

•

Brief QoS information about the logical interface

•

CoS information about the physical interface

•

Brief information about filters or policers of the logical interface

•

Brief CoS information about the logical interface

If the interface interface-name is a logical interface, the output includes: •

Brief QoS information about the logical interface

•

Information about filters or policers for the logical interface

•

CoS information about the logical interface

interface-name—(Optional) Display class-of-service (CoS) associations for the specified

interface. none—Display CoS associations for all physical and logical interfaces.


4574

view

show class-of-service interface (Physical) on page 4585 show class-of-service interface (Logical) on page 4585 show class-of-service interface (Gigabit Ethernet) on page 4585 show class-of-service interface (PPPoE Interface) on page 4586 show class-of-service interface detail on page 4586



show class-of-service interface comprehensive on page 4587 Output Fields

Table 524 on page 4575 describes the output fields for the show class-of-service interface command. Output fields are listed in the approximate order in which they appear.

Table 524: show class-of-service interface Output Fields Field Name

Field Description

Physical interface

Name of a physical interface.

Index

Index of this interface or the internal index of this object.

Dedicated Queues

Status of dedicated queues configured on an interface. Supported only on Trio MPC/MIC interfaces on MX Series routers.

Queues supported

Number of queues you can configure on the interface.

Queues in use


Total non-default queues created

Number of queues created in addition to the default queues. Supported only on Trio MPC/MIC interfaces on MX Series routers.

Shaping rate

Maximum transmission rate on the physical interface. You can configure the shaping rate on the physical interface, or on the logical interface, but not on both. Therefore, the Shaping rate field is displayed for either the physical interface or the logical interface.

Scheduler map

Name of the output scheduler map associated with this interface.

Input shaping rate

For Gigabit Ethernet IQ2 PICs, maximum transmission rate on the input interface.

Input scheduler map

For Gigabit Ethernet IQ2 PICs, name of the input scheduler map associated with this interface.

Chassis scheduler map

Name of the scheduler map associated with the packet forwarding component queues.

Rewrite

Name and type of the rewrite rules associated with this interface.

Classifier

Name and type of classifiers associated with this interface.

Forwarding-class-map

Name of the forwarding map associated with this interface.

Congestion-notification

Congestion notification state, enabled or disabled (QFX Series only).

Logical interface

Name of a logical interface.

Object

Category of an object: Classifier, Fragmentation-map (for LSQ interfaces only), Scheduler-map, Rewrite, or Translation Table (for IQE PICs only).

Name

Name of an object.

Type

Type of an object: dscp, dscp-ipv6, exp, ieee-802.1, ip, or inet-precedence.


4575

®


Table 524: show class-of-service interface Output Fields (continued) Field Name

Field Description

Link-level type

Encapsulation on the physical interface.

MTU

MTU size on the physical interface.

Speed


Loopback

Whether loopback is enabled and the type of loopback.

Source filtering

Whether source filtering is enabled or disabled.

Flow control

Whether flow control is enabled or disabled.

Auto-negotiation

(Gigabit Ethernet interfaces) Whether autonegotiation is enabled or disabled.

Remote-fault

(Gigabit Ethernet interfaces) Remote fault status.

Device flags

•

Online—Autonegotiation is manually configured as online.

•

Offline—Autonegotiation is manually configured as offline.

The Device flags field provides information about the physical device and displays one or more of the following values: •

Down—Device has been administratively disabled.

•

Hear-Own-Xmit—Device receives its own transmissions.

•

Link-Layer-Down—The link-layer protocol has failed to connect with the remote endpoint.

•

Loopback—Device is in physical loopback.

•

Loop-Detected—The link layer has received frames that it sent, thereby detecting a physical loopback.

•

No-Carrier—On media that support carrier recognition, no carrier is currently detected.

•

No-Multicast—Device does not support multicast traffic.

•

Present—Device is physically present and recognized.

•

Promiscuous—Device is in promiscuous mode and recognizes frames addressed to all physical

addresses on the media. •

Quench—Transmission on the device is quenched because the output buffer is overflowing.

•

Recv-All-Multicasts—Device is in multicast promiscuous mode and therefore provides no multicast

filtering. •

4576

Running—Device is active and enabled.




Field Description

Interface flags

The Interface flags field provides information about the physical interface and displays one or more of the following values: •

Admin-Test—Interface is in test mode and some sanity checking, such as loop detection, is disabled.

•


•


•

Hardware-Down—Interface is nonfunctional or incorrectly connected.

•

Link-Layer-Down—Interface keepalives have indicated that the link is incomplete.

•

No-Multicast—Interface does not support multicast traffic.

•

No-receive No-transmit—Passive monitor mode is configured on the interface.

•

Point-To-Point—Interface is point-to-point.

•

Pop all MPLS labels from packets of depth—MPLS labels are removed as packets arrive on an interface that has the pop-all-labels statement configured. The depth value can be one of the

following:

•

•

1—Takes effect for incoming packets with one label only.

•

2—Takes effect for incoming packets with two labels only.

•

[ 1 2 ]—Takes effect for incoming packets with either one or two labels.

Promiscuous—Interface is in promiscuous mode and recognizes frames addressed to all physical

addresses.

Flags

•

Recv-All-Multicasts—Interface is in multicast promiscuous mode and provides no multicast filtering.

•


•


The Logical interface flags field provides information about the logical interface and displays one or more of the following values: •

ACFC Encapsulation—Address control field Compression (ACFC) encapsulation is enabled

(negotiated successfully with a peer). •

Device-down—Device has been administratively disabled.

•


•


•

Clear-DF-Bit—GRE tunnel or IPsec tunnel is configured to clear the Don't Fragment (DF) bit.

•

Hardware-Down—Interface protocol initialization failed to complete successfully.

•

PFC—Protocol field compression is enabled for the PPP session.

•

Point-To-Point—Interface is point-to-point.

•


•


Encapsulation


Admin

Administrative state of the interface (Up or Down)

Link

Status of physical link (Up or Down).

Proto

Protocol configured on the interface.


4577

®



Field Description

Input Filter

Names of any firewall filters to be evaluated when packets are received on the interface, including any filters attached through activation of dynamic service.

Output Filter

Names of any firewall filters to be evaluated when packets are transmitted on the interface, including any filters attached through activation of dynamic service.

Link flags

Provides information about the physical link and displays one or more of the following values: •

ACFC—Address control field compression is configured. The Point-to-Point Protocol (PPP) session

negotiates the ACFC option. •

Give-Up—Link protocol does not continue connection attempts after repeated failures.

•

Loose-LCP—PPP does not use the Link Control Protocol (LCP) to indicate whether the link protocol

is operational. •

Loose-LMI—Frame Relay does not use the Local Management Interface (LMI) to indicate whether

the link protocol is operational. •

Loose-NCP—PPP does not use the Network Control Protocol (NCP) to indicate whether the device

is operational. •

Keepalives—Link protocol keepalives are enabled.

•

No-Keepalives—Link protocol keepalives are disabled.

•

PFC—Protocol field compression is configured. The PPP session negotiates the PFC option.

Hold-times


CoS queues


Last flapped

Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second:timezone (hour:minute:second ago). For example, Last flapped: 2002-04-26 10:52:40 PDT (04:33:20 ago).



4578

Number and rate of bytes and packets received and transmitted on the physical interface. •


•


•


•


Number of IPv6 transit bytes and packets received and transmitted on the logical interface if IPv6 statistics tracking is enabled.




Field Description

Input errors

Input errors on the interface. The labels are explained in the following list: •


•

Drops—Number of packets dropped by the input queue of the I/O Manager ASIC. If the interface is

saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism. •

Framing errors—Number of packets received with an invalid frame checksum (FCS).

•


•

Giants—Number of frames received that are larger than the giant threshold.

•

Bucket Drops—Drops resulting from the traffic load exceeding the interface transmit or receive

leaky bucket configuration. •

Policed discards—Number of frames that the incoming packet match code discarded because they

were not recognized or not of interest. Usually, this field reports protocols that Junos OS does not handle. •

L3 incompletes—Number of incoming packets discarded because they failed Layer 3 (usually IPv4)

sanity checks of the header. For example, a frame with less than 20 bytes of available IP header is discarded. Layer 3 incomplete errors can be ignored by configuring the ignore-l3-incompletes statement. •

L2 channel errors—Number of times the software did not find a valid logical interface for an incoming

frame. •

L2 mismatch timeouts—Number of malformed or short packets that caused the incoming packet

handler to discard the frame as unreadable. •

HS link CRC errors—Number of errors on the high-speed links between the ASICs responsible for

handling the router interfaces. •

HS link FIFO overflows—Number of FIFO overflows on the high-speed links between the ASICs

responsible for handling the router interfaces. Output errors

Output errors on the interface. The labels are explained in the following list: •

Carrier transitions—Number of times the interface has gone from down to up. This number does not

normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC is malfunctioning. •


•

Drops—Number of packets dropped by the output queue of the I/O Manager ASIC. If the interface

is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism. •

Aged packets—Number of packets that remained in shared packet SDRAM so long that the system

automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware. •

HS link FIFO underflows—Number of FIFO underflows on the high-speed links between the ASICs

responsible for handling the router interfaces. •

Egress queues

MTU errors—Number of packets whose size exceeds the MTU of the interface.



4579

®



Field Description

Queue counters

CoS queue number and its associated user-configured forwarding class name. •

Queued packets—Number of queued packets.

•


•


SONET defects

(SONET) SONET media-specific alarms and defects that prevent the interface from passing packets. When a defect persists for a certain period, it is promoted to an alarm. Based on the router configuration, an alarm can ring the red or yellow alarm bell on the router or light the red or yellow alarm LED on the craft interface. See these fields for possible alarms and defects: SONET PHY, SONET section, SONET line, and SONET path.

SONET PHY

Counts of specific SONET errors with detailed information.

SONET alarms

•

Seconds—Number of seconds the defect has been active.

•

Count—Number of times that the defect has gone from inactive to active.

•

State—State of the error. A state other than OK indicates a problem.

The SONET PHY field has the following subfields:

SONET section

•

PLL Lock—Phase-locked loop

•

PHY Light—Loss of optical signal

Counts of specific SONET errors with detailed information. •


•


•


The SONET section field has the following subfields:

4580

•

BIP-B1—Bit interleaved parity for SONET section overhead

•

SEF—Severely errored framing

•

LOS—Loss of signal

•

LOF—Loss of frame

•

ES-S—Errored seconds (section)

•

SES-S—Severely errored seconds (section)

•

SEFS-S—Severely errored framing seconds (section)




Field Description

SONET line

Active alarms and defects, plus counts of specific SONET errors with detailed information. •


•


•


The SONET line field has the following subfields:

SONET path

•

BIP-B2—Bit interleaved parity for SONET line overhead

•

REI-L—Remote error indication (near-end line)

•

RDI-L—Remote defect indication (near-end line)

•

AIS-L—Alarm indication signal (near-end line)

•

BERR-SF—Bit error rate fault (signal failure)

•

BERR-SD—Bit error rate defect (signal degradation)

•

ES-L—Errored seconds (near-end line)

•

SES-L—Severely errored seconds (near-end line)

•

UAS-L—Unavailable seconds (near-end line)

•

ES-LFE—Errored seconds (far-end line)

•

SES-LFE—Severely errored seconds (far-end line)

•

UAS-LFE—Unavailable seconds (far-end line)

Active alarms and defects, plus counts of specific SONET errors with detailed information. •


•


•


The SONET path field has the following subfields: •

BIP-B3—Bit interleaved parity for SONET section overhead

•

REI-P—Remote error indication

•

LOP-P—Loss of pointer (path)

•

AIS-P—Path alarm indication signal

•

RDI-P—Path remote defect indication

•

UNEQ-P—Path unequipped

•

PLM-P—Path payload (signal) label mismatch

•

ES-P—Errored seconds (near-end STS path)

•

SES-P—Severely errored seconds (near-end STS path)

•

UAS-P—Unavailable seconds (near-end STS path)

•

ES-PFE—Errored seconds (far-end STS path)

•

SES-PFE—Severely errored seconds (far-end STS path)

•

UAS-PFE—Unavailable seconds (far-end STS path)


4581

®



Field Description

Received SONET overhead

Values of the received and transmitted SONET overhead: •

Transmitted SONET overhead

C2—Signal label. Allocated to identify the construction and content of the STS-level SPE and for

PDI-P. •

F1—Section user channel byte. This byte is set aside for the purposes of users.

•

K1 and K2—These bytes are allocated for APS signaling for the protection of the multiplex section.

•

J0—Section trace. This byte is defined for STS-1 number 1 of an STS-N signal. Used to transmit a

1-byte fixed-length string or a 16-byte message so that a receiving terminal in a section can verify its continued connection to the intended transmitter.

Received path trace Transmitted path trace

HDLC configuration

Packet Forwarding Engine configuration

CoS information

•

S1—Synchronization status. The S1 byte is located in the first STS-1 number of an STS-N signal.

•

Z3 and Z4—Allocated for future use.

SONET/SDH interfaces allow path trace bytes to be sent inband across the SONET/SDH link. Juniper Networks and other router manufacturers use these bytes to help diagnose misconfigurations and network errors by setting the transmitted path trace message so that it contains the system hostname and name of the physical interface. The received path trace value is the message received from the router at the other end of the fiber. The transmitted path trace value is the message that this router transmits. Information about the HDLC configuration. •

Policing bucket—Configured state of the receiving policer.

•

Shaping bucket—Configured state of the transmitting shaper.

•

Giant threshold—Giant threshold programmed into the hardware.

•

Runt threshold—Runt threshold programmed into the hardware.


Destination slot—FPC slot number.

•

PLP byte—Packet Level Protocol byte.

Information about the CoS queue for the physical interface. •

CoS transmit queue—Queue number and its associated user-configured forwarding class name.

•

Bandwidth %—Percentage of bandwidth allocated to the queue.

•

Bandwidth bps—Bandwidth allocated to the queue (in bps).

•

Buffer %—Percentage of buffer space allocated to the queue.

•

Buffer usec—Amount of buffer space allocated to the queue, in microseconds. This value is nonzero

only if the buffer size is configured in terms of time. •

Priority—Queue priority: low or high.

•

Limit—Displayed if rate limiting is configured for the queue. Possible values are none and exact. If exact is configured, the queue transmits only up to the configured bandwidth, even if excess bandwidth is available. If none is configured, the queue transmits beyond the configured bandwidth

if bandwidth is available. Forwarding classes

Total number of forwarding classes supported on the specified interface.

Egress queues


4582




Field Description

Queue

Queue number.

Forwarding classes

Forwarding class name.

Queued Packets

Number of packets queued to this queue.

Queued Bytes

Number of bytes queued to this queue. The byte counts vary by PIC type.

Transmitted Packets

Number of packets transmitted by this queue. When fragmentation occurs on the egress interface, the first set of packet counters shows the postfragmentation values. The second set of packet counters (displayed under the Packet Forwarding Engine Chassis Queues field) shows the prefragmentation values.

Transmitted Bytes

Number of bytes transmitted by this queue. The byte counts vary by PIC type.

Tail-dropped packets

Number of packets dropped because of tail drop.

RED-dropped packets

Number of packets dropped because of random early detection (RED). •

•

RED-dropped bytes

•

Low, non-TCP—Number of low-loss priority non-TCP packets dropped because of RED.

•

Low, TCP—Number of low-loss priority TCP packets dropped because of RED.

•

High, non-TCP—Number of high-loss priority non-TCP packets dropped because of RED.

•

High, TCP—Number of high-loss priority TCP packets dropped because of RED.

(MX Series routers with enhanced DPCs, and T Series routers with enhanced FPCs only) The output classifies dropped packets into the following categories: •

Low—Number of low-loss priority packets dropped because of RED.

•

Medium-low—Number of medium-low loss priority packets dropped because of RED.

•

Medium-high—Number of medium-high loss priority packets dropped because of RED.

•

High—Number of high-loss priority packets dropped because of RED.

Number of bytes dropped because of RED. The byte counts vary by PIC type. •

Transmit rate

(M Series and T Series routers only) On M320 and M120 routers and the T Series routers, the total number of dropped packets is displayed. On all other M Series routers, the output classifies dropped packets into the following categories:

(M Series and T Series routers only) On M320 and M120 routers and the T Series routers, only the total number of dropped bytes is displayed. On all other M Series routers, the output classifies dropped bytes into the following categories: •

Low, non-TCP—Number of low-loss priority non-TCP bytes dropped because of RED.

•

Low, TCP—Number of low-loss priority TCP bytes dropped because of RED.

•

High, non-TCP—Number of high-loss priority non-TCP bytes dropped because of RED.

•

High, TCP—Number of high-loss priority TCP bytes dropped because of RED.

Configured transmit rate of the scheduler. The rate is a percentage of the total interface bandwidth.


4583

®



Field Description

Rate Limit

Rate limiting configuration of the queue. Possible values are : •

None—No rate limit.

•

exact—Queue transmits at the configured rate.

Buffer size

Delay buffer size in the queue.

Priority

Scheduling priority configured as low or high.

Excess Priority

Priority of the excess bandwidth traffic on a scheduler: low, medium-low, medium-high, high, or none.

Drop profiles

Display the assignment of drop profiles. •

Loss priority—Packet loss priority for drop profile assignment.

•

Protocol—Transport protocol for drop profile assignment.

•

Index—Index of the indicated object. Objects that have indexes in this output include schedulers

and drop profiles. •

Name—Name of the drop profile.

•

Type—Type of the drop profile: discrete or interpolated.

•

Fill Level—Percentage fullness of a queue.

•

Drop probability—Drop probability at this fill level.

Excess Priority

Priority of the excess bandwidth traffic on a scheduler.

Drop profiles

Display the assignment of drop profiles. •

Loss priority—Packet loss priority for drop profile assignment.

•

Protocol—Transport protocol for drop profile assignment.

•

Index—Index of the indicated object. Objects that have indexes in this output include schedulers

and drop profiles.

4584

•

Name—Name of the drop profile.

•

Type—Type of the drop profile: discrete or interpolated.

•

Fill Level—Percentage fullness of a queue.

•

Drop probability—Drop probability at this fill level.




Field Description

Adjustment information

Display the assignment of shaping-rate adjustments on a scheduler node or queue. •

Adjusting application—Application that is performing the shaping-rate adjustment. •

The adjusting application can appear as ancp LS-0, which is the Junos OS Access Node Control Profile process (ancpd) that performs shaping-rate adjustments on schedule nodes.

•

The adjusting application can also appear as pppoe, which adjusts the shaping-rate and overhead-accounting class-of-service attributes on dynamic subscriber interfaces in a broadband access network based on access line parameters in Point-to-Point Protocol over Ethernet (PPPoE) Tags [TR-101]. This feature is supported on MPC/MIC interfaces on MX Series routers. The shaping rate is based on the actual-data-rate-downstream attribute. The overhead accounting value is based on the access-loop-encapsulation attribute and specifies whether the access loop uses Ethernet (frame mode) or ATM (cell mode).

•

Adjustment type—Type of adjustment: absolute or delta.

•

Configured shaping rate—Shaping rate configured for the scheduler node or queue.

•

Adjustment value—Value of adjusted shaping rate.

•

Adjustment mode—Level of shaping-rate adjustment performed: node or queue.

Sample Output show class-of-service interface (Physical)

user@host> show class-of-service interface so-0/2/3 Physical interface: so-0/2/3, Index: 135 Queues supported: 8, Queues in use: 4 Total non—default queues created: 4 Scheduler map: , Index: 2032638653 Logical interface: fe-0/0/1.0, Index: 68, Dedicated Queues: no Shaping rate: 32000 Object Name Type Scheduler-map Rewrite exp-default exp Classifier exp-default exp Classifier ipprec-compatibility ip Forwarding—class—map exp-default exp

show class-of-service interface (Logical)

show class-of-service interface (Gigabit Ethernet)

user@host> show class-of-service interface so-0/2/3.0 Logical interface: so-0/2/3.0, Index: 68, Dedicated Shaping rate: 32000 Object Name Scheduler-map Rewrite exp-default Classifier exp-default Classifier ipprec-compatibility Forwarding—class—map exp-default

Index 27 21 5 8 5

Queues: no Type exp exp ip exp

Index 27 21 5 8 5

user@host> show class-of-service interface ge-6/2/0 Physical interface: ge-6/2/0, Index: 175 Queues supported: 4, Queues in use: 4 Scheduler map: , Index: 2 Input scheduler map: , Index: 3 Chassis scheduler map: , Index: 4


4585

®


show class-of-service interface (PPPoE Interface)

user@host> show class-of-service interface pp0.1 Logical interface: pp0.1, Index: 85 Object Name Traffic-control-profile tcp-pppoe.o.pp0.1 Classifier ipprec-compatibility

Type Output ip

Index 2726446535 13

Adjusting application: PPPoE Adjustment type: absolute Adjustment value: 5000000 Adjustment overhead-accounting mode: cell Adjustment target: node

show class-of-service interface detail

user@host> show class-of-service interface ge-0/3/0 detail Physical interface: ge-0/3/0, Enabled, Physical link is Up Link-level type: Ethernet, MTU: 1518, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x4000 Physical interface: ge-0/3/0, Index: 138 Queues supported: 4, Queues in use: 5 Shaping rate: 50000 bps Scheduler map: interface-schedular-map, Index: 58414 Input shaping rate: 10000 bps Input scheduler map: schedular-map, Index: 15103 Chassis scheduler map: , Index: 4 Congestion-notification: Disabled Logical interface ge-0/3/0.0 Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.1 ] inet mpls Interface Admin Link Proto Input Filter ge-0/3/0.0 up up inet mpls Interface Admin Link Proto Input Policer ge-0/3/0.0 up up inet mpls Logical interface: ge-0/3/0.0, Index: 68 Object Name Rewrite exp-default Classifier exp-default Classifier ipprec-compatibility

4586

Output Filter

Output Policer

Type exp (mpls-any) exp ip

Logical interface ge-0/3/0.1 Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.2 ] inet Interface Admin Link Proto Input Filter ge-0/3/0.1 up up inet Interface Admin Link Proto Input Policer ge-0/3/0.1 up up inet Logical interface: ge-0/3/0.1, Index: 69 Object Name Classifier ipprec-compatibility

Encapsulation: ENET2

Index 33 10 13

Encapsulation: ENET2 Output Filter Output Policer

Type ip

Index 13



show class-of-service interface comprehensive

user@host> show class-of-service interface so-1/3/0 comprehensive Physical interface: ge-0/3/0, Enabled, Physical link is Up Interface index: 138, SNMP ifIndex: 601, Generation: 141 Link-level type: Ethernet, MTU: 1518, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x4000 CoS queues : 4 supported, 4 maximum usable queues Schedulers : 256 Hold-times : Up 0 ms, Down 0 ms Current address: 00:14:f6:f4:b4:5d, Hardware address: 00:14:f6:f4:b4:5d Last flapped : 2010-09-07 06:35:22 PDT (15:14:42 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 total statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Ingress traffic statistics at Packet Forwarding Engine: Input bytes : 0 0 bps Input packets: 0 0 pps Drop bytes : 0 0 bps Drop packets: 0 0 pps Label-switched interface (LSI) traffic statistics: Input bytes : 0 0 bps Input packets: 0 0 pps Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 5, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Ingress queues: 4 supported, 5 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 af3

0

0

0

1 af2

0

0

0

2 ef2

0

0

0

3 ef1

0

0

0

Egress queues: 4 supported, 5 in use Queue counters: Queued packets

Transmitted packets

Dropped packets

0 af3

0

0

0

1 af2

0

0

0

2 ef2

0

0

0

3 ef1

0

0

0


4587

®


Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 0 0 Total packets 0 0 Unicast packets 0 0 Broadcast packets 0 0 Multicast packets 0 0 CRC/Align errors 0 0 FIFO errors 0 0 MAC control frames 0 0 MAC pause frames 0 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count 0 Output packet pad count 0 Output packet error count 0 CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Complete Link partner: Link mode: Full-duplex, Flow control: Symmetric/Asymmetric, Remote fault: OK Local resolution: Flow control: Symmetric, Remote fault: Link OK Packet Forwarding Engine configuration: Destination slot: 0 CoS information: Direction : Output CoS transmit queue Bandwidth Buffer Priority Limit % bps % usec 2 ef2 39 19500 0 120 high none Direction : Input CoS transmit queue Bandwidth Buffer Priority Limit % bps % usec 0 af3 30 3000 45 0 low none Physical interface: ge-0/3/0, Enabled, Physical link is Up Interface index: 138, SNMP ifIndex: 601 Forwarding classes: 16 supported, 5 in use Ingress queues: 4 supported, 5 in use Queue: 0, Forwarding classes: af3 Queued: Packets : 0 Bytes : 0 Transmitted: Packets : 0 Bytes : 0

4588

0 pps 0 bps 0 pps 0 bps



Tail-dropped packets : Not Available RED-dropped packets : RED-dropped bytes : Queue: 1, Forwarding classes: af2 Queued: Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RED-dropped packets : RED-dropped bytes : Queue: 2, Forwarding classes: ef2 Queued: Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RED-dropped packets : RED-dropped bytes : Queue: 3, Forwarding classes: ef1 Queued: Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RED-dropped packets : RED-dropped bytes : Forwarding classes: 16 supported, 5 in use Egress queues: 4 supported, 5 in use Queue: 0, Forwarding classes: af3 Queued: Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RL-dropped packets : RL-dropped bytes : RED-dropped packets : RED-dropped bytes : Queue: 1, Forwarding classes: af2 Queued: Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RL-dropped packets : RL-dropped bytes : RED-dropped packets : RED-dropped bytes : Queue: 2, Forwarding classes: ef2 Queued:


0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0 0 0

0 0 0 0

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0 0 0

0 0 0 0

pps bps pps bps

pps bps pps bps

4589

®


Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RL-dropped packets : RL-dropped bytes : RED-dropped packets : RED-dropped bytes : Queue: 3, Forwarding classes: ef1 Queued: Packets : Bytes : Transmitted: Packets : Bytes : Tail-dropped packets : Not Available RL-dropped packets : RL-dropped bytes : RED-dropped packets : RED-dropped bytes :

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0 0 0

0 0 0 0

0 0

0 pps 0 bps

0 0

0 pps 0 bps

0 0 0 0

0 0 0 0

Packet Forwarding Engine Chassis Queues: Queues: 4 supported, 5 in use Queue: 0, Forwarding classes: af3 Queued: Packets : 0 Bytes : 0 Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : Not Available RED-dropped bytes : Not Available Queue: 1, Forwarding classes: af2 Queued: Packets : 0 Bytes : 0 Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : Not Available RED-dropped bytes : Not Available Queue: 2, Forwarding classes: ef2 Queued: Packets : 0 Bytes : 0 Transmitted: Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped packets : Not Available RED-dropped bytes : Not Available Queue: 3, Forwarding classes: ef1 Queued: Packets : 108546 Bytes : 12754752 Transmitted: Packets : 108546

4590

pps bps pps bps

pps bps pps bps

0 pps 0 bps 0 pps 0 bps 0 pps



0 pps 376 bps 0 pps



Bytes Tail-dropped packets RED-dropped packets RED-dropped bytes

: 12754752 : 0 : Not Available : Not Available

376 bps 0 pps

Physical interface: ge-0/3/0, Index: 138 Queues supported: 4, Queues in use: 5 Shaping rate: 50000 bps Scheduler map: interface-schedular-map, Index: 58414 Scheduler: ef2, Forwarding class: ef2, Index: 39155 Transmit rate: 39 percent, Rate Limit: none, Buffer size: 120 us, Buffer Limit: none, Priority: high Excess Priority: unspecified Drop profiles: Loss priority Protocol Index Name Low any 1 < default-drop-profile> Medium low any 1 < default-drop-profile> Medium high any 1 < default-drop-profile> High any 1 < default-drop-profile> Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Input shaping rate: 10000 bps Input scheduler map: schedular-map Scheduler map: schedular-map, Index: 15103 Scheduler: af3, Forwarding class: af3, Index: 35058 Transmit rate: 30 percent, Rate Limit: none, Buffer size: 45 percent, Buffer Limit: none, Priority: low Excess Priority: unspecified Drop profiles: Loss priority Protocol Index Name Low any 40582 green Medium low any 1 < default-drop-profile> Medium high any 1 < default-drop-profile> High any 18928 yellow Drop profile: green, Type: discrete, Index: 40582 Fill level Drop probability 50 0 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: yellow, Type: discrete, Index: 18928 Fill level Drop probability 50 0


4591

®


100 100 Chassis scheduler map: < default-drop-profile> Scheduler map: < default-drop-profile>, Index: 4 Scheduler: < default-drop-profile>, Forwarding class: af3, Index: 25 Transmit rate: 25 percent, Rate Limit: none, Buffer size: 25 percent, Buffer Limit: none, Priority: low Excess Priority: low Drop profiles: Loss priority Protocol Index Name Low any 1 < default-drop-profile> Medium low any 1 < default-drop-profile> Medium high any 1 < default-drop-profile> High any 1 < default-drop-profile> Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Scheduler: < default-drop-profile>, Forwarding class: af2, Index: 25 Transmit rate: 25 percent, Rate Limit: none, Buffer size: 25 percent, Buffer Limit: none, Priority: low Excess Priority: low Drop profiles: Loss priority Protocol Index Name Low any 1 < default-drop-profile> Medium low any 1 < default-drop-profile> Medium high any 1 < default-drop-profile> High any 1 < default-drop-profile> Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Scheduler: < default-drop-profile>, Forwarding class: ef2, Index: 25 Transmit rate: 25 percent, Rate Limit: none, Buffer size: 25 percent, Buffer Limit: none, Priority: low Excess Priority: low Drop profiles: Loss priority Protocol Index Name Low any 1 < default-drop-profile> Medium low any 1 < default-drop-profile> Medium high any 1 < default-drop-profile> High any 1 < default-drop-profile> Drop profile: < default-drop-profile>, Type: discrete, Index: 1

4592



Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Scheduler: < default-drop-profile>, Forwarding class: ef1, Index: 25 Transmit rate: 25 percent, Rate Limit: none, Buffer size: 25 percent, Buffer Limit: none, Priority: low Excess Priority: low Drop profiles: Loss priority Protocol Index Name Low any 1 < default-drop-profile> Medium low any 1 < default-drop-profile> Medium high any 1 < default-drop-profile> High any 1 < default-drop-profile> Drop profile: , Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Drop profile: < default-drop-profile>, Type: discrete, Index: 1 Fill level Drop probability 100 100 Congestion-notification: Disabled Forwarding class ID Queue Restricted queue Fabric priority Policing priority af3 0 0 0 low normal af2 1 1 1 low normal ef2 2 2 2 high normal ef1 3 3 3 high normal af1 4 4 0 low normal Logical interface ge-0/3/0.0 (Index 68) (SNMP ifIndex 152) (Generation 159) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.1 ] Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics:


4593

®


Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, MTU: 1500, Generation: 172, Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter-in-ge-0/3/0.0-i, Policer: Input: p1-ge-0/3/0.0-inet-i Protocol mpls, MTU: 1488, Maximum labels: 3, Generation: 173, Route table: 0 Flags: Is-Primary Output Filters: exp-filter,,,,, Logical interface ge-0/3/0.0 (Index 68) (SNMP ifIndex 152) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.1 ] Encapsulation: ENET2 Input packets : 0 Output packets: 0 Interface ge-0/3/0.0 Interface ge-0/3/0.0

Admin Link Proto up up inet mpls Admin Link Proto up up inet mpls

Input Filter Output Filter filter-in-ge-0/3/0.0-i exp-filter Input Policer Output Policer p1-ge-0/3/0.0-inet-i

Filter: filter-in-ge-0/3/0.0-i Counters: Name count-filter-in-ge-0/3/0.0-i Filter: exp-filter Counters: Name count-exp-seven-match count-exp-zero-match Policers: Name p1-ge-0/3/0.0-inet-i

exp-default

Rewrite rule: exp-default, Code point Forwarding class af3 af3 af2 af2 ef2 ef2 ef1 ef1 Object Name Classifier

Packets 0

Bytes 0 0

Packets 0 0

Packets 0

Logical interface: ge-0/3/0.0, Index: 68 Object Name Rewrite

Bytes 0

Type exp (mpls-any)

type: exp, Index: 33 Loss priority Code point low 000 high 001 low 010 high 011 low 100 high 101 low 110 high 111 Type

exp-default

exp

Index 33

Index 10

Classifier: exp-default, Code point type: exp, Index: 10

4594



Code point 000 001 010 011 100 101 110 111 Object Classifier

Forwarding class af3 af3 af2 af2 ef2 ef2 ef1 ef1 Name ipprec-compatibility

Loss priority low high low high low high low high Type

Index

ip

13

Classifier: ipprec-compatibility, Code point type: inet-precedence, Index: 13 Code point Forwarding class Loss priority 000 af3 low 001 af3 high 010 af3 low 011 af3 high 100 af3 low 101 af3 high 110 ef1 low 111 ef1 high Forwarding class ID Queue Restricted queue Fabric priority Policing priority af3 0 0 0 low normal af2 1 1 1 low normal ef2 2 2 2 high normal ef1 3 3 3 high normal af1 4 4 0 low normal Logical interface ge-0/3/0.1 (Index 69) (SNMP ifIndex 154) (Generation 160) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.2 ] Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, MTU: 1500, Generation: 174, Route table: 0 Flags: Sendbcast-pkt-to-re Logical interface ge-0/3/0.1 (Index 69) (SNMP ifIndex 154) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.2 ] Encapsulation: ENET2 Input packets : 0 Output packets: 0


4595

®


Interface ge-0/3/0.1 Interface ge-0/3/0.1

Admin up Admin up

Link Proto Input Filter up mpls Link Proto Input Policer up mpls

Logical interface: ge-0/3/0.1, Index: 69 Object Name Classifier

ipprec-compatibility

Output Filter Output Policer

Type ip

Index 13

Classifier: ipprec-compatibility, Code point type: inet-precedence, Index: 13 Code point Forwarding class Loss priority 000 af3 low 001 af3 high 010 af3 low 011 af3 high 100 af3 low 101 af3 high 110 ef1 low 111 ef1 high Forwarding class ID Queue Restricted queue Fabric priority Policing priority af3 0 0 0 low normal af2 1 1 1 low normal ef2 2 2 2 high normal ef1 3 3 3 high normal af1 4 4 0 low normal

4596



show pfe statistics traffic Syntax

show pfe statistics traffic

Release Information


Description

Display the packet forwarding engine traffic statistics.

Options

none—Display statistics about all the traffic handled by the packet forwarding engine.


admin


show pfe statistics traffic on page 4598

Output Fields

Table 525 on page 4597 lists the output fields for the show pfe statistics traffic command. Output fields are listed in the approximate order in which they appear.

Table 525: show pfe statistics traffic Output Fields Field Name

Field Description

Packet Forwarding Engine Traffic statistics

Information about Packet Forwarding Engine traffic:

Packet Forwarding Engine Local Traffic statistics

•

Input Packets—Number and rate of input packets.

•

Output Packets—Number and rate of output packets.

Information about Packet Forwarding Engine local traffic: •

Local packets input—Number of local input packets.

•

Local packets output—Number of local output packets.

•

Software input high drops—Number of software input high-priority drops.

•

Software input medium drops—Number of software input medium-priority drops.

•

Software input low drops—Number of software input low-priority drops.

•

Software output drops—Number of software output drops.

•

Hardware input drops—Number of hardware input drops.


4597

®


Table 525: show pfe statistics traffic Output Fields (continued) Field Name

Field Description

Packet Forwarding Engine Local Protocol statistics

Information about the Packet Forwarding Engine Local Protocol: •

HDLC keepalives—Number of HDLC keepalive packets.

•

ATM OAM—Number of Asynchronous Transfer Mode (ATM) Operation, Administration, and

Maintenance (OAM) packets. •

Frame Relay LMI—Number of Frame Relay Local Management Interface (LMI) packets.

•

PPP LCP/NCP—Number of Point-to-Point Protocol (PPP) Link Control Protocol (LCP) or Network

Control Protocol (NCP) packets.

Packet Forwarding Engine Hardware Discard statistics

•

OSPF hello—Number of Open Shortest Path First (OSPF) hello packets.

•

OSPF3 hello—Number of Open Shortest Path First version 3 (OSPFv3) hello packets.

•

RSVP hello—Number of Reservation Setup Protocol (RSVP) hello packets.

•

LDP hello—Number of Label Distribution Protocol (LDP) hello packets.

•

BFD—Number of Bidirectional Forwarding Detection Protocol (BFD) hello packets.

•

IS-IS IIH—Number of Intermediate System-to-Intermediate System Hello (IIH) packets.

•

LACP—Number of Link Aggregation Control Protocol (LACP) packets.

•

ARP—Number of Address Resolution Protocol (ARP) packets.

•

ETHER OAM—Number of Ethernet Operations, Administration, and Management (OAM) packets.

•

Unknown—Number of unknown packets not matching any of the packet types listed above.

Information about Packet Forwarding Engine hardware discards: •

Timeout—Number of packets discarded because of timeouts.

•

Truncated key—Number of packets discarded because of truncated keys.

•

Bits to test—Number of bits to test.

•

Data error—Number of packets discarded because of data errors.

•

Stack underflow—Number of packets discarded because of stack underflows.

•

Stack overflow—Number of packets discarded because of stack overflows.

•

Normal discard—Number of packets discarded because of discard routes.

•

Extended discard—Number of packets discarded because of illegal next hops.

•

Invalid interface—Number of packets discarded because of invalid incoming interfaces.

•

Info cell drops—Number of information cell drops.

•

Fabric drops—Number of fabric drops.

Sample Output show pfe statistics traffic

4598

user@host> show pfe statistics traffic Packet Forwarding Engine traffic statistics: Input packets: 102682 Output packets: 58033 Packet Forwarding Engine local traffic statistics: Local packets input : Local packets output : Software input control plane drops : Software input high drops : Software input medium drops : Software input low drops : Software output drops : Hardware input drops :

5 pps 4 pps 44628 46146 0 0 0 0 0 0



Packet Forwarding Engine local protocol statistics: HDLC keepalives : 0 ATM OAM : 0 Frame Relay LMI : 0 PPP LCP/NCP : 5597 OSPF hello : 3195 OSPF3 hello : 0 RSVP hello : 0 LDP hello : 7478 BFD : 0 IS-IS IIH : 0 LACP : 0 ARP : 0 ETHER OAM : 0 Unknown : 8 Packet Forwarding Engine hardware discard statistics: Timeout : 0 Truncated key : 0 Bits to test : 0 Data error : 0 Stack underflow : 0 Stack overflow : 0 Normal discard : 0 Extended discard : 0 Invalid interface : 0 Info cell drops : 0 Fabric drops : 0 Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics: Input Checksum : 0 Output MTU : 0


4599

®


show pfe statistics traffic cpu Syntax Release Information Description

show pfe statistics traffic cpu

Command introduced in Junos OS Release 9.5 for EX Series switches. (On EX8200 switches only) Display count of multidestination packets ingressing from the physical interface to the CPU.

NOTE: Multidestination packets include unknown unicast, broadcast, and multicast packets.

Options

none—Displays the count of packets ingressing from all the physical interfaces (line

cards) to the CPU. fpc fpc-slot—(Optional) Displays the count of packets ingressing from the physical

interface, referred to by the slot number, to the CPU. On an EX8200 switch, the FPC slot number is the slot number for the line card. Possible values are 0 through 7 on the EX8208 switch and 0 through 15 on the EX8216 switch. Required Privilege Level Related Documentation


view

•

show pfe statistics traffic multicast on page 4606

•

show pfe statistics traffic egress-queues on page 4604

•

show interfaces queue on page 2032

•


•


show pfe statistics traffic cpu (EX8208 Switch) on page 4601 Table 526 on page 4600 lists the output fields for the show pfe statistics traffic cpu command. Output fields are listed in the approximate order in which they appear.

Table 526: show pfe statistics traffic cpu Output Fields Field Name

Field Description

Queue

CoS queue number.

Forwarding classes


Queued Packets


4600



Table 526: show pfe statistics traffic cpu Output Fields (continued) Field Name

Field Description

Queued Bytes

Number of bytes queued to this queue.

Packets

Number of packets transmitted by this queue.

Bytes

Number of bytes transmitted by this queue.


Count of packets dropped at the tail end of the queue because of lack of buffer space.

RED-dropped packets

Number of packets dropped because of Random Early Discard (RED): •


•


Number of bytes dropped because of Random Early Discard (RED):

RED-dropped bytes

•

Low—Number of low-loss priority bytes dropped because of RED.

•

High—Number of high-loss priority bytes dropped because of RED.

Sample Output show pfe statistics traffic cpu (EX8208 Switch)

user@switch> show pfe statistics traffic cpu Queue: 0, Forwarding classes: best-effort Queued: Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 1, Forwarding classes: expedited-forwarding Queued: Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 2, Forwarding classes: assured-forwarding Queued: Packets : Not Available Bytes : Not Available Packets : 0


0 pps 0 bps 0 0 0 0 0 0

bps bps bps pps pps pps

0 pps 0 bps 0 0 0 0 0 0


0 pps

4601

®


Bytes : Tail-dropped packets : RED-dropped bytes : Low : High : RED-dropped packets : Low : High : Queue: 3, Forwarding classes: network-control Queued: Packets : Not Available Bytes : Not Available Packets : Bytes : Tail-dropped packets : RED-dropped bytes : Low : High : RED-dropped packets : Low : High : Queue: 4 Packets : Not Available Bytes : Not Available Packets : Bytes : Tail-dropped packets : RED-dropped bytes : Low : High : RED-dropped packets : Low : High : Queue: 5 Packets : Not Available Bytes : Not Available Packets : Bytes : Tail-dropped packets : RED-dropped bytes : Low : High : RED-dropped packets : Low : High : Queue: 6 Packets : Not Available Bytes : Not Available Packets : Bytes : Tail-dropped packets : RED-dropped bytes : Low : High : RED-dropped packets : Low : High : Queue: 7 Packets : Not Available Bytes : Not Available Packets :

4602

0 0 0 0 0 0 0 0

0 bps

0 0 0 0 0 0 0 0 0

0 pps 0 bps

0 0 0 0 0 0 0 0 0

0 pps 0 bps

0 0 0 0 0 0 0 0 0

0 pps 0 bps

0 0 0 0 0 0 0 0 0

0 pps 0 bps

0

0 pps

0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0 0

0 0 0 0 0 0








Bytes Tail-dropped packets RED-dropped bytes Low High RED-dropped packets Low High


: : : : : : : :

0 0 0 0 0 0 0 0

0 bps 0 0 0 0 0 0


4603

®


show pfe statistics traffic egress-queues Syntax Release Information Description

show pfe statistics traffic egress-queues

Command introduced in Junos OS Release 9.5 for EX Series switches. (On EX8200 switches only) Display count of multidestination packets dropped on egress ports when the egress queues are oversubscribed due to multidestination traffic.


Options

none—Displays count of packets dropped on egress ports of all physical interfaces (line

cards) when egress queues are oversubscribed due to multidestination traffic. fpc fpc-slot—(Optional) Displays count of packets dropped on egress ports of the physical

interface (line card) referred to by the slot number.

NOTE: On an EX8200 switch, the FPC slot number is the slot number for the line card. Possible values are 0 through 7 on the EX8208 switch and 0 through 15 on the EX8216 switch.



view

•

show pfe statistics traffic cpu on page 4600

•

show pfe statistics traffic multicast on page 4606

•


•


•


show pfe statistics traffic egress-queues fpc 4 (EX8208 Switch) on page 4605 Table 527 on page 4604 lists the output fields for the show pfe statistics traffic egress-queues command. Output fields are listed in the approximate order in which they appear.

Table 527: show pfe statistics traffic egress-queues Output Fields Field Name

Field Description


Number of arriving packets dropped because the output queue buffers are full.

4604



Sample Output show pfe statistics traffic egress-queues fpc 4 (EX8208 Switch)

user@switch> show pfe statistics traffic egress-queues fpc 4 Tail-dropped packets : 0


4605

®


show pfe statistics traffic multicast Syntax Release Information Description

show pfe statistics traffic multicast

Command introduced in Junos OS Release 9.5 for EX Series switches. (On EX8200 switches only) Display class-of-service (CoS) queue information for multidestination traffic on a physical interface (line card).


NOTE: To view statistical information for unicast traffic, use the show interfaces queue command.

Options

fpc fpc-slot dev-number—(Optional) Displays class-of-service (CoS) queue information

for multidestination traffic on the physical interface (line card) referred to by the slot number and device number.

NOTE: On an EX8200 switch, the FPC slot number is the slot number for the line card. Possible values for the FPC slot number are 0 through 7 on the EX8208 switch and 0 through 15 on the EX8216 switch. The value for the device number ranges from 0–5, where 0–4 values correspond to the statistics only from that specific device and the value 5 corresponds to the combined statistics from all the devices in the FPC.



4606

view

•

show pfe statistics traffic cpu on page 4600

•

show pfe statistics traffic egress-queues on page 4604

•


•


•


show pfe statistics traffic multicast fpc 0 2(EX8208 Switch) on page 4607 Table 528 on page 4607 lists the output fields for the show pfe statistics traffic multicast command. Output fields are listed in the approximate order in which they appear.



Table 528: show pfe statistics traffic multicast Output Fields Field Name

Field Description

Queue

CoS queue number.

Forwarding classes


Queued Packets


Queued Bytes

Number of bytes queued to this queue.

Packets

Number of packets transmitted by this queue.

Bytes

Number of bytes transmitted by this queue.


Count of packets dropped at the tail end of the queue because of lack of buffer space.

RED-dropped packets

Number of packets dropped because of Random Early Discard (RED): •


•


Number of bytes dropped because of Random Early Discard (RED):

RED-dropped bytes

•

Low—Number of low-loss priority bytes dropped because of RED.

•

High—Number of high-loss priority bytes dropped because of RED.

Sample Output show pfe statistics traffic multicast fpc 0 2(EX8208 Switch)

user@switch> show pfe statistics traffic multicast fpc 0 2 Queue: 0, Forwarding classes: best-effort Queued: Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 1, Forwarding classes: expedited-forwarding Queued: Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0


0 pps 0 bps 0 0 0 0 0 0


0 pps 0 bps 0 0 0 0

bps bps bps pps

4607

®


Low : 0 High : 0 Queue: 2, Forwarding classes: assured-forwarding Queued: Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 3, Forwarding classes: network-control Queued: Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 4 Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 5 Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0 RED-dropped packets : 0 Low : 0 High : 0 Queue: 6 Packets : Not Available Bytes : Not Available Packets : 0 Bytes : 0 Tail-dropped packets : 0 RED-dropped bytes : 0 Low : 0 High : 0

4608

0 pps 0 pps

0 pps 0 bps 0 0 0 0 0 0


0 pps 0 bps 0 0 0 0 0 0


0 pps 0 bps 0 0 0 0 0 0


0 pps 0 bps 0 0 0 0 0 0


0 pps 0 bps 0 bps 0 bps 0 bps



RED-dropped packets Low High Queue: 7 Packets Bytes Packets Bytes Tail-dropped packets RED-dropped bytes Low High RED-dropped packets Low High


: : :

0 0 0

0 pps 0 pps 0 pps

: Not Available : Not Available : : : : : : : : :

0 0 0 0 0 0 0 0 0

0 pps 0 bps 0 0 0 0 0 0


4609

®


4610


PART 24

Power over Ethernet •

Power over Ethernet (PoE)—Overview on page 4613

•

Examples: PoE Configuration on page 4619

•

Configuring PoE on page 4635

•

Administering PoE on page 4645

•

Troubleshooting PoE Configuration on page 4655

•

Configuration Statements for PoE on page 4657

•

Operational Commands for PoE on page 4673


4611

®


4612


CHAPTER 125

Power over Ethernet (PoE)—Overview •

PoE and EX Series Switches Overview on page 4613

PoE and EX Series Switches Overview Power over Ethernet (PoE) permits electric power, along with data, to be passed over a copper Ethernet LAN cable. Powered devices, such as voice over IP (VoIP) telephones, wireless access points, video cameras, and point-of-sale devices, that support PoE can receive power safely from the same access ports that are used to connect personal computers to the network. This topic describes PoE on Juniper Networks EX Series Ethernet Switches. It covers: •

PoE, PoE+, and Enhanced PoE on page 4613

•

PoE Power Management on page 4614

PoE, PoE+, and Enhanced PoE PoE was first defined in the IEEE 802.3af standard. In this standard, the amount of power that can be supplied to a powered device is limited to 15.4 W. A later standard, IEEE 802.3at, defined PoE+, which increases the amount of power to 30 W. The PoE+ standard provides support for legacy PoE devices—an IEEE 802.3af powered device can operate normally when connected to IEEE 802.3at (PoE+) power sourcing equipment. Beginning at Juniper Networks Junos operating system (Junos OS) Release 11.1, Juniper Networks provides enhanced PoE on EX3200 and EX4200 switches. Enhanced PoE is a Juniper Networks extension to the IEEE 802.3af standard that allows up to 18.6 W per PoE port. Table 529 on page 4613 lists EX Series switches and line cards and the version of PoE they support.

Table 529: PoE Version Support Switch or Line Card

PoE Version

EX2200 switch

PoE+ (IEEE 802.3at)


4613

®


Table 529: PoE Version Support (continued) Switch or Line Card

PoE Version

EX3200 switch

Enhanced PoE

EX3300 switch

PoE+ (IEEE 802.3at)

EX4200 switch—P and T models

Enhanced PoE

(EX4200-24P, EX4200-24T, EX4200-48P, EX4200-48T) EX4200 switch—PX models

PoE+ (IEEE 802.3at)

(EX4200-24PX and EX4200-48PX) EX6200-48P (48-port PoE+) line card

PoE+ (IEEE 802.3at)

EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+) line card

PoE+ (IEEE 802.3at)—Ports 0 through 11 PoE (IEEE 802.3af)—Remaining PoE ports

EX8200-48PL (2-port SFP+ and 48-port PoE+ 20 Gbps) line card

NOTE: This topic and its related topics use the term PoE as a generic term to refer to PoE, PoE+, and enhanced PoE.

PoE Power Management A switch or line card that supports PoE has a PoE controller that keeps track of the PoE power consumption on the switch and allocates power to the PoE ports. The following factors determine how the PoE controller allocates power to the PoE ports: •

PoE Power Budget on page 4614

•

Power Management Mode on page 4616

•

PoE Interface Power Priority on page 4617

PoE Power Budget The PoE power budget is the total amount of power that the PoE controller has available to allocate to its PoE ports. The PoE controller cannot exceed its PoE power budget and does not allocate power to a PoE port if the allocation would exceed the PoE power budget. How the PoE power budget is determined depends on the switch model:

4614

•

PoE Power Budget on EX2200, EX3200, EX3300, and EX4200 Switches on page 4615

•

PoE Power Budget on EX6200 and EX8200 Switches on page 4615


Chapter 125: Power over Ethernet (PoE)—Overview

PoE Power Budget on EX2200, EX3200, EX3300, and EX4200 Switches The PoE power budget on EX2200, EX3200, EX3300, and EX4200 switches varies according to switch model and the capacities of power supplies installed. For example: •

A 24-port or 48-port EX2200 switch, with its fixed power supply of 550 W, has a set PoE budget of 405 W.

•

A 12-port EX2200-C switch, with its fixed power supply of 180 W, has a set PoE budget of 100 W.

•

An EX3200 switch with a 320 W power supply installed has a PoE power budget of 130 W, while an EX3200 switch with a 600 W power supply installed has a PoE power budget of 410 W.

Use the show poe controller command to display a switch’s PoE power budget. If your switch supports power supplies of different capacities, keep the following points in mind: •

If you change your existing power supply to a lower-capacity power supply, the PoE power budget might no longer be sufficient to power all the PoE ports on the switch.

•

If your switch supports redundant power supplies and you have installed power supplies of different capacities, the PoE power budget is based on the wattage of the lower-capacity power supply.

•

You cannot increase the number of PoE-capable ports on a switch by installing a larger power supply.

PoE Power Budget on EX6200 and EX8200 Switches For EX6200 and EX8200 switches, each line card that supports PoE has its own PoE controller and PoE power budget. The PoE power budget is allocated to a line card by the switch power management. Because EX6200 and EX8200 switches can differ in the number and capacity of power supplies installed and in the number and types of line cards installed, the amount of power available for PoE power can vary for different switches of the same model. Power management allocates PoE power to line cards that support PoE only after it has allocated base power to and powered on all line cards. It then allocates the remaining power to the PoE power budgets of PoE line cards in order of line card power priority. (In a default configuration, power priority is determined by line card slot number, with slot 0 having the highest priority.) If the remaining power is insufficient to provide PoE power to all PoE line cards, a low priority line card might receive no PoE power or partial PoE power. By default, power management allocates enough PoE power to a line card to power all PoE ports at their maximum supported power. If the connected powered devices require less power than that, you can configure a smaller PoE power budget for the line card. For example, power management normally allocates 915 W of PoE power to a 48-port PoE+ 20 Gbps (EX8200-48PL) line card. If the connected powered devices consume no more than a total of 250 W, you can set the PoE power budget for the line card to 250


4615

®


W. Doing so frees up 665 W, which then can be used to fulfill the PoE power needs of lower-priority line cards. Power management adjusts PoE power allocations as power availability and demand in a switch changes. As a general rule, power management allocates power to powering line cards before it allocates PoE power. For example, if you add a line card and there is insufficient power available to power it on, power management reduces the PoE power it provides to line cards, starting with the lowest priority line card, until it frees up enough power to power on the new line card. When power management reduces the PoE power budget for a line card because of insufficient power, it logs a message in the system log. Note that the actual power consumed by the powered devices does not affect power management’s power allocation for a line card. If you have set the PoE budget for a line card to 500 W, power management allocates 500 W even if the powered devices are consuming less power than that. Similarly, the PoE power budget is not increased if you add additional powered devices: if the powered devices require more than the 500 W PoE budget you have configured, lower priority devices will not receive power. You can display the switch power budget maintained by power management, including its PoE power allocations, by using the show chassis power-budget-statistics command. You can also display the PoE power budget for each line card in a switch by using the show poe controller command. For more information on how power management allocates power, including PoE power, see “Understanding Power Management on EX Series Switches” on page 1673.

Power Management Mode EX Series switches support two power management modes: class (the default) and static. The mode you configure for your switch determines how the maximum power for a PoE interface is derived and how power is allocated to the PoE interfaces: •

Class mode—In this mode, the maximum power for an interface is determined by the class of connected powered device. Table 530 on page 4616 lists the classes of powered devices and associated power levels.

Table 530: Class of Powered Device and Power Levels Standard

Class

Maximum Power Delivered by PoE Port

Power Range of Powered Device

IEEE 802.3af (PoE) and IEEE 802.3at (PoE+)

0

15.4 W

0.44 through 12.95 W

1

4.0 W

0.44 through 3.84 W

2

7.0 W

3.84 through 6.49 W

3

15.4 W


4

30.0 W


IEEE 802.3at (PoE+)

4616


Chapter 125: Power over Ethernet (PoE)—Overview

To account for line loss, the power range of the powered device is less than the maximum power delivered at the PoE port for each class. Line loss is influenced by cable length, quality, and other factors and is typically less than 16 percent. The powered device communicates to the PoE controller which class it belongs to when it is connected. The PoE controller then allocates to the interface the maximum power required by the class (see Table 530 on page 4616). It does not allocate power to an interface until a powered device is connected. Class 0 is the default class for powered devices that do not provide class information. Class 4 powered devices are supported only by PoE ports that support IEEE 802.3at (PoE+). •

Static mode—In this mode, you specify the maximum power for each PoE interface. The PoE controller then allocates this amount of power to the interface from its total budget. For example, if you specify a maximum value of 8.0 W for ge-0/0/3, the PoE controller allocates 8.0 W out of its total power budget for the interface. This amount is allocated to the interface whether or not a powered device is connected to the interface or whether the connected powered device uses less power than 8.0 W. Because of line loss, the power received by the powered device can be less than the power available at the PoE port. Table 531 on page 4617 shows the maximum power available at a PoE port and the resulting power guaranteed to the powered device.

Table 531: Maximum Power Per Port in Static Mode Switch or Line Card

Maximum Power Delivered by PoE Port

Guaranteed Power to Powered Devices

EX2200 switches, EX3300 switches, and EX4200 PX model switches

30 W

25.5 W

EX3200 switches and EX4200 P and T model switches running Junos OS Release 10.4 or earlier

15.4 W

12.95 W

EX3200 switches and EX4200 P and T model switches running Junos OS Release 11.1 or later

18.6 W

15.64 W

NOTE: Switches that are upgraded to Junos OS Release 11.1 from a previous release require an upgrade of the PoE controller software to obtain 18.6 W. EX6200-48P line cards

30 W

25.5 W

EX8200-2XS-40P line cards and EX8200-48PL line cards

30 W (ports 0 through 11)

25.5 W

15.4 W (remaining PoE ports)

12.95 W

In both class and static mode, if the power consumption of a powered device exceeds the maximum power allocated to the interface, the switch turns off power to the interface.

PoE Interface Power Priority You can configure a PoE interface to have either a high or low power priority. The power priority determines which interfaces receive power if PoE power demands are greater than the PoE power budget. If the total power allocated for all interfaces exceeds the


4617

®


switch budget, PoE power to lower-priority interfaces is turned off and the power allocated to those interfaces drops to 0. Thus you should set interfaces that connect to critical powered devices, such as security cameras and emergency phones, to high priority. Among PoE interfaces that have the same assigned priority, power priority is determined by the port number, with lower-numbered ports having higher priority. For EX6200 and EX8200 switches, interface power priority determines the relative priority of the interfaces on a line card, not on the switch as a whole. The relative priority of interfaces residing on different line cards is determined by line card priority. For example, if line card 1 has a higher power priority than line card 2 and a power shortage occurs, power is removed from the PoE interfaces in this order:


4618

•

Low priority interfaces on line card 2

•

High priority interfaces on line card 2

•

Low priority interfaces on line card 1

•

High priority interfaces on line card 1

•

Example: Configuring PoE Interfaces on an EX Series Switch on page 4619

•


•


•

Upgrading the PoE Controller Software on page 4652


CHAPTER 126

Examples: PoE Configuration •


•


•


Example: Configuring PoE Interfaces on an EX Series Switch Power over Ethernet (PoE) ports supply electric power over the same ports that are used to connect network devices and allow you to plug in devices that require both network connectivity and electric power, such as voice over IP (VoIP) phones, wireless access points, and some IP cameras. You do not need to configure PoE unless you wish to modify the default values or disable PoE on a specific interface. This example describes a default configuration of PoE interfaces on an EX Series switch: •


•


•


•




•

One EX Series switch that supports PoE

Before you configure PoE, be sure you have:


4619

®


•

Performed the initial switch configuration. See “Connecting and Configuring an EX Series Switch (CLI Procedure)” on page 257 or “Connecting and Configuring an EX Series Switch (J-Web Procedure)” on page 259 for details.

Overview and Topology The topology used in this example consists of a switch that has 24 ports. Eight of the ports support PoE (IEEE 802.3af), which means they provide both network connectivity and electric power for powered devices such as VoIP telephones, wireless access points, and IP security cameras that require 12.95 W or less. The remaining 16 ports provide only network connectivity. You use the standard ports to connect devices that have their own power sources, such as desktop and laptop computers, printers, and servers. Table 532 on page 4620 details the topology used in this configuration example.

Table 532: Components of the PoE Configuration Topology Property

Settings

Switch hardware

EX Series switch with 24 Gigabit Ethernet ports: 8 PoE interfaces (ge-0/0/0 through ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)

VLAN name

default

Connection to a wireless access point (requires PoE)

ge-0/0/0

Connections to Avaya IP telephones with integrated hubs that allow phone and desktop PC to connect to a single port (requires PoE)


Direct connections to desktop PCs, file servers, integrated printer/fax/copier machines (no PoE required)




Configuration To enable the default PoE configuration on the switch: CLI Quick Configuration

To quickly enable the default configuration on the switch: Simply connect the powered devices to the PoE ports.


4620

To use the PoE interfaces with default values: 1.

Make sure the switch is powered on.

2.

Connect the wireless access point to interface ge-0/0/0.

3.

Connect the Avaya phones to interfaces ge-0/0/1 through ge-0/0/7.


Chapter 126: Examples: PoE Configuration

Verification To verify that PoE interfaces have been created and are operational, perform this task: •

Verifying That the PoE Interfaces Have Been Created on page 4621

Verifying That the PoE Interfaces Have Been Created Purpose Action

Verify that the PoE interfaces have been created on the switch. List all the PoE interfaces configured on the switch: user@switch> show poe interface Interface ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7

Meaning


Admin status Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

Oper status Max power ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W

Priority Low Low Low Low Low Low Low Low

Power consumption Class 7.9W 0 3.2W 2 3.2W 2 3.2W 2 3.2W 2 3.2W 2 3.2W 2 3.2W 2

The show poe interface command lists PoE interfaces configured on the switch, with their status, priority, power consumption, and class. This output shows that eight interfaces have been created with default values and are consuming power at the expected rates.

•


•


•

Troubleshooting PoE Interfaces on page 4655

Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch Power over Ethernet (PoE) ports supply electric power over the same ports that are used to connect network devices. These ports allow you to plug in devices that need both network connectivity and electric power, such as voice over IP (VoIP) phones, wireless access points, and some IP cameras. By default, PoE ports on EX Series switches are set to low power priority. You can configure a PoE port to have a high power priority setting. If a situation arises where there is not sufficient power for all the PoE ports, the available power is directed to the higher priority ports, while power to the lower priority ports is shut down as needed. Thus you should set ports that connect to security cameras, emergency phones, and other high priority powered devices to high priority.


4621

®


This example describes how to configure a few high priority PoE interfaces. •


•


•


•




•

One EX Series switch that supports PoE

Before you configure PoE, be sure you have: •


Overview and Topology The topology used in this example consists of a switch that has 24 ports. Eight of the ports support PoE (IEEE 802.3af), which means they provide both network connectivity and electric power for powered devices such as VoIP telephones, wireless access points, and IP security cameras that require 12.95 W or less. The remaining 16 ports provide only network connectivity. You use the standard ports to connect devices that have their own power sources, such as desktop and laptop computers, printers, and servers. Table 533 on page 4622 details the topology used in this configuration example.

Table 533: Components of the PoE Configuration Topology Property

Settings

Switch hardware

Switch with 24 Gigabit Ethernet ports: 8 PoE interfaces (ge-0/0/0 through ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)

VLAN name

default

Connection to a wireless access point (requires PoE)

ge-0/0/0

Security IP Cameras (require PoE)

ge-0/0/1 and ge-0/0/2 high

Emergency VoIP phone (requires PoE)

ge-0/0/3 high

VoIP phone in Executive Office (requires PoE)

ge-0/0/4 high

Other VoIP phones (require PoE)


Direct connections to desktop PCs, file servers, integrated printer/fax/copier machines (no PoE required)


4622



Table 533: Components of the PoE Configuration Topology (continued) Property

Settings



Configuration To configure PoE interfaces: CLI Quick Configuration

By default, PoE interfaces are created for all PoE ports and PoE is enabled. The default priority for PoE interfaces is low. To quickly set some interfaces to high priority and to include descriptions of the interfaces, copy the following commands and paste them into the switch terminal window: [edit] set poe interface ge-0/0/1 priority high telemetries set poe interface ge-0/0/2 priority high telemetries set poe interface ge-0/0/3 priority high telemetries set poe interface ge-0/0/4 priority high telemetries set interfaces ge-0/0/0 description "wireless access point" set interfaces ge-0/0/1 description "security camera front door" set interfaces ge-0/0/2 description "security camera back door" set interfaces ge-0/0/3 description "emergency phone" set interfaces ge-0/0/4 description "Executive Office VoIP phone" set interfaces ge-0/0/5 description "staff VoIP phone" set interfaces ge-0/0/6 description "staff VoIP phone" set interfaces ge-0/0/7 description "staff VoIP phone"


To configure PoE interfaces with different priorities: 1.

Set the interfaces connected to high priority powered devices to high priority. Include the telemetries statement for the high priority interfaces, thus enabling the logging of power consumption on those interfaces: [edit poe] user@switch# user@switch# user@switch# user@switch#

2.

set interface ge-0/0/1 priority high telemetries set interface ge-0/0/2 priority high telemetries set interface ge-0/0/3 priority high telemetries set interface ge-0/0/4 priority high telemetries

Provide descriptions for the PoE interfaces: [edit interfaces] user@switch# set ge-0/0/0 description "wireless access point" user@switch# set ge-0/0/1 description "security camera front door" user@switch# set ge-0/0/2 description "security camera back door" user@switch# set ge-0/0/3 description "emergency phone" user@switch# set ge-0/0/4 description "Executive Office VoIP phone" user@switch# set ge-0/0/5 description "staff VoIP phone" user@switch# set ge-0/0/6 description "staff VoIP phone" user@switch# set ge-0/0/7 description "staff VoIP phone"

3.

Connect the wireless access point to interface ge-0/0/0. This interface uses the default PoE settings.

4.

Connect the two security cameras to interfaces ge-0/0/1 and ge-0/0/2. These interfaces are set to high priority with telemetries enabled.


4623

®


5.

Connect the emergency VoIP phone to interface ge-0/0/3. This interface is set to high priority with telemetries enabled.

6.

Connect the Executive Office VoIP phone to interface ge-0/0/4. This interface is set to high priority with telemetries enabled.

7.

Connect the staff VoIP phones to ge-0/0/5, ge-0/0/6, and ge-0/0/7. These interfaces use the default PoE settings.


[edit] user@switch# show interfaces { ge-0/0/0 { description "wireless access point"; unit 0 { family ethernet-switching; } } ge-0/0/1 { description "security camera front door"; unit 0 { family ethernet-switching; } } ge-0/0/2 { description "security camera back door"; unit 0 { family ethernet-switching; } } ge-0/0/3 { description "emergency phone"; unit 0 { family ethernet-switching; } } ge-0/0/4 { description "Executive Office VoIP phone"; unit 0 { family ethernet-switching; } } ge-0/0/5 { description "staff VoIP phone"; unit 0 { family ethernet-switching; } } ge-0/0/6 { description "staff VoIP phone"; unit 0 { family ethernet-switching;

4624



} } ge-0/0/7 { description "staff VoIP phone"; unit 0 { family ethernet-switching; } } } poe { interface all; interface ge-0/0/1 { priority high; telemetries; } interface ge-0/0/2 { priority high; telemetries; } interface ge-0/0/3 { priority high; telemetries; } interface ge-0/0/4 { priority high; telemetries; } }

Verification To verify that PoE interfaces have been created and are operational, perform the following tasks: •

Verifying That the PoE Interfaces Have Been Created with the Correct Priorities on page 4625

Verifying That the PoE Interfaces Have Been Created with the Correct Priorities Purpose Action

Verify that the PoE interfaces on the switch are now set to the correct priority settings. List all the PoE interfaces configured on the switch: user@switch> show poe interface Interface Admin status Oper status ge-0/0/0 Enabled ON ge-0/0/1 Enabled ON ge-0/0/2 Enabled ON ge-0/0/3 Enabled ON ge-0/0/4 Enabled ON ge-0/0/5 Enabled ON ge-0/0/6 Enabled ON ge-0/0/7 Enabled ON

Meaning

Max power 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W

Priority Low High High High High Low Low Low


The show poe interface command lists PoE interfaces configured on the switch, with their status, priority, power consumption, and class. This output shows that eight PoE interfaces


4625

®


are enabled. Interfaces ge-0/0/1 through ge-0/0/4 are configured as priority high. The remaining PoE interfaces are configured with the default priority value of low.


•


•


•


Example: Configuring PoE on an EX6200 or EX8200 Switch Power over Ethernet (PoE) ports supply electric power over the same ports that are used to connect network devices. These ports allow you to plug in devices that need both network connectivity and electric power, such as voice over IP (VoIP) phones, wireless access points, and IP cameras. On EX6200 and EX8200 switches, the PoE power budget—that is, the total amount of PoE power that is available to the PoE ports on the switch—can vary according to the number and type of power supplies installed and the power requirements of other components, such as line cards. To make the most efficient use of the PoE power budget for the switch, you can configure the PoE power budget for each PoE line card so that the line card power budget is tailored to the power requirements of the connected powered devices. This example shows how to configure PoE on an EX8200 switch. The principles illustrated by this example apply to EX6200 switches as well. This example covers: •


•


•


•




•

An EX8208 switch with the following components installed: •

Six 2000 W AC power supplies using low-line power inputs

•

Two EX8200-48T (48-port RJ-45) line cards

•

Two EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+) line cards

•

Three EX8200-48PL (48-port PoE+ 20 Gbps) line cards

Before you configure PoE, be sure you have:

4626



•


Overview and Topology For EX6200 and EX8200 switches, each line card that supports PoE has its own PoE controller and PoE power budget. The PoE power budget for a line card is allocated by the switch power management out of the total power available on the switch. By default, power management allocates to each PoE card the maximum power for that card—that is, the amount of power needed to supply all PoE ports on the cards with their maximum supported power. Depending on the number and capacity of power supplies installed and the power requirements of the installed line cards in a switch, there might not be enough power available to provide the maximum power to all PoE line cards. Because power management by default allocates maximum power to each line card in priority order until available power runs out, lower-priority PoE line cards might receive partial or no PoE power, while higher-priority PoE line cards might receive more PoE power than the connected powered devices require. To avoid this issue, you can configure smaller power budgets for line cards than the maximum. For example, power management allocates 915 W of PoE power to a EX8200-48PL line card by default. If the connected powered devices consume no more than a total of 250 W, you can set the PoE power budget for the line card to 250 W. Doing so frees up 665 W, which then can be used to fulfill the PoE power needs of lower-priority line cards. The topology used in this example consists of a switch that has a mixture of line cards installed, some of which support PoE and some of which do not. Table 534 on page 4627 details the topology used in this configuration example.

Table 534: Components of the PoE Configuration Topology Comments Component

Description

Power supplies

Six 2000 W power supplies with low-line power inputs

1200 W capacity each

Line card 0

EX8200-48T line card (no PoE ports)

Ports 0 through 47—Access ports for non-PoE devices, such as print and file servers or workstations not connected through VoIP phones

Line card 1

EX8200-48PL line card

Ports 0 through 47—Access ports for PoE class 2 VoIP phones

Line card 2




4627

®


Table 534: Components of the PoE Configuration Topology (continued) Comments Component

Description

Line card 3

EX8200-2XS-40P line card

Ports 0 through 11—Access ports for high-priority PoE+ class

4 devices, such as door access control devices, pan-tilt-zoom security cameras, and high-power wireless access points. Ports 12 through 22—Access ports for high-priority PoE class

3 devices, such as static security cameras, executive video VoIP phones, and wireless access points. Ports 22 through 40—Access ports for PoE class 2 devices,

such as VoIP phones. SFP+ ports 44 and 45—Uplink ports to the distribution

switch, link aggregated with the uplink ports on line card 4. Line card 4

EX8200-2XS-40P line card

Ports 0 through 11—Access ports for high-priority PoE+ class

4 devices Ports 12 through 40—Access ports for PoE class 2 devices SFP+ ports 44 and 45—Uplinks ports to the distribution

switch, link aggregated with the uplink ports on line card 3 Line card 5

EX8200-48T line card (no PoE ports)

Ports 0 through 47—Access ports for non-PoE devices

Line card 6



The following output from the show chassis power-budget-statistics command shows how power is being allocated to the switch components before PoE is configured: user@switch# show chassis power-budget-statistics PSU 0 (EX8200-AC2K) : 1200 W PSU 1 (EX8200-AC2K) : 1200 W PSU 2 (EX8200-AC2K) : 1200 W PSU 3 (EX8200-AC2K) : 1200 W PSU 4 (EX8200-AC2K) : 1200 W PSU 5 (EX8200-AC2K) : 1200 W Total Power supplied by all Online PSUs : 7200 W Power Redundancy Configuration : N+1 Power Reserved for the Chassis : 1600 W FPC Statistics Base power FPC FPC FPC FPC FPC FPC FPC

0 1 2 3 4 5 6

(EX8200-48T) (EX8200-48PL) (EX8200-48PL) (EX8200-2XS-40P) (EX8200-2XS-40P) (EX8200-48T) (EX8200-48PL)

Total (non-PoE) Power allocated Total Power allocated for PoE

4628

: : : : : : : : :

350 267 267 387 387 350 267

W W W W W W W


PoE power 0 915 915 792 792 0 96

W W W W W W W

Priority 7 7 7 7 7 7 7

3875 W 3510 W



Power Available (Redundant case) Total Power Available

: :

2675 W 0 W

The Total Power Available field shows that all available power is being used. Because there is not enough power, the line card in slot 6 is allocated a PoE power budget of only 96 W, which is insufficient to meet the requirements of the connected VoIP phones. In addition, the assigned power priorities of the line cards do not align with their actual power priority. Line cards 3 and 4 should have the highest power priorities because they provide PoE power to critical security devices and because they provide the connections to the distribution switch. Because the default configuration gives all line cards the same assigned priority (the lowest priority), the power priority for line cards is determined by their slot numbers. Under the default configuration, line card 0 has the highest power priority, not line card 3. To solve these issues, this example configures the PoE power budgets and power priorities for the line cards as shown in Table 535 on page 4629.

Table 535: Line Card PoE Power Budget and Power Priority FPC

Power Requirements of Powered Devices

PoE Power Budget for Line Card

Power Priority of Line Card

0

Not applicable

Not applicable

7

1

48 class 2 devices (maximum of 7 W each)

336 W

7

2


336 W

7

3


640 W

0

556 W

1

10 class 3 devices (maximum of 15.4 W each) 18 class 2 devices (maximum of 7 W each) 4

12 class 4 devices (maximum of 30 W each) 28 class 2 devices (maximum of 7 W each)

5

Not applicable

Not applicable

7

6


336 W

7

Other than ensuring that the PoE interfaces are enabled for PoE, this example performs no configuration of the PoE interfaces because the default settings for the PoE interfaces are acceptable in this example. You can, however, configure the PoE interfaces on an


4629

®


EX6200 or EX8200 switch as described in “Configuring PoE (CLI Procedure)” on page 4635 or as shown in “Example: Configuring PoE Interfaces with Different Priorities on an EX Series Switch” on page 4621.

Configuration To configure PoE on an EX8200 switch: CLI Quick Configuration

To quickly configure the PoE power budget for PoE line cards and to set the power priority for high-priority line cards, copy the following commands and paste them into the switch terminal window: [edit] set poe interface all set poe fpc 3 maximum-power 640 set poe fpc 4 maximum-power 556 set poe fpc 1 maximum-power 336 set poe fpc 2 maximum-power 336 set poe fpc 6 maximum-power 336 set chassis fpc 3 power-budget-priority 0 set chassis fpc 4 power-budget-priority 1


To configure PoE on an EX8200 switch: 1.

Verify that PoE is enabled on all PoE interfaces by entering the [edit poe] hierarchy and showing the current configuration: [edit] user@switch# edit poe [edit poe] user@switch# show interface all;

If the interface all statement does not appear, enable PoE on all PoE interfaces: [edit poe] user@switch# set interface all 2.

Set the PoE power budget for line card 3 to 640 W: [edit poe] user@switch# set fpc 3 maximum-power 640

3.

Set the PoE power budget for line card 4 to 556 W: [edit poe] user@switch# set fpc 4 maximum-power 556

4.

Set the PoE power budgets to 336 W for the remaining PoE line cards: [edit poe] user@switch# set fpc 1 maximum-power 336 [edit poe] user@switch# set fpc 2 maximum-power 336 [edit poe] user@switch# set fpc 6 maximum-power 336

5.

4630

Enter the [edit chassis] hierarchy and set the line card power priority to 0 and 1 for line cards 3 and 4:



[edit poe] user@switch# top edit chassis [edit chassis] user@switch# set fpc 3 power-budget-priority 0 [edit chassis] user@switch# set fpc 4 power-budget-priority 1

Check the results of the configuration: [edit] user@switch# show chassis { fpc 3 { power-budget-priority 0; } fpc 4 { power-budget-priority 1; } } poe { fpc 3 { maximum-power 640; } fpc 4 { maximum-power 556; } fpc 1 { maximum-power 336; } fpc 2 { maximum-power 336; } fpc 6 { maximum-power 336; } interface all; }

Verification To verify that the PoE line cards have been configured correctly and that their PoE power budgets have been fully allocated, perform the following tasks: •

Verifying the Poe Line Card Configuration and Power Budgets on page 4631

•

Verifying the Power Budget for the Switch and Line Card Power Priorities on page 4632

Verifying the Poe Line Card Configuration and Power Budgets Purpose Action

Verify that the line card PoE power budgets have been allocated correctly. Show the PoE controller settings for the line cards: user@switch> show poe controller Controller Maximum Power index power consumption


Guard band

Management

Status

4631

®


1 2 3 4 6

Meaning

336.00W 336.00W 640.00W 556.00W 336.00W

0.00W 0.00W 0.00W 0.00W 0.00W

0W 0W 0W 0W 0W

Class Class Class Class Class

AT/AF AT/AF AT/AF AT/AF AT/AF

COMBO COMBO COMBO COMBO COMBO

As shown by the Maximum power field, the PoE power budgets for the PoE line cards have been correctly configured and power management was able to allocate the configured PoE power budgets to the line cards.

Verifying the Power Budget for the Switch and Line Card Power Priorities Purpose Action

Verify the overall power budget for the switch and the line card power priorities. Show the power budget for the switch: user@switch# show chassis power-budget-statistics PSU 0 (EX8200-AC2K) : 1200 W PSU 1 (EX8200-AC2K) : 1200 W PSU 2 (EX8200-AC2K) : 1200 W PSU 3 (EX8200-AC2K) : 1200 W PSU 4 (EX8200-AC2K) : 1200 W PSU 5 (EX8200-AC2K) : 1200 W Total Power supplied by all Online PSUs : 7200 W Power Redundancy Configuration : N+1 Power Reserved for the Chassis : 1600 W FPC Statistics Base power FPC FPC FPC FPC FPC FPC FPC Total Total Power Total

0 1 2 3 4 5 6

Meaning

(EX8200-48T) (EX8200-48PL) (EX8200-48PL) (EX8200-2XS-40P) (EX8200-2XS-40P) (EX8200-48T) (EX8200-48PL) (non-PoE) Power allocated Power allocated for PoE Available (Redundant case) Power Available

: : : : : : :

350 267 267 387 387 350 267

W W W W W W W

: : : :

3875 2204 2675 1306

W W W W


PoE power 0 336 336 640 556 0 336

W W W W W W W

Priority 7 7 7 0 1 7 7

After each PoE line card has been allocated its configured PoE power budget, 1306 W remain unallocated on the switch. If one of the 1200 W power supplies fails, the PoE line cards will still receive their configured PoE power budgets. Line cards 3 and 4 have the highest priorities, priority 0 and 1 respectively. The remaining line cards have the same assigned priority, 7. Within the group of line cards of the same assigned priority, power priority is determined by slot number, with lower-numbered slots having higher priority. Thus PoE line cards are allocated PoE power in this order: line card 3, 4, 1, 2, 6. If two or more power supplies fail, PoE power is removed from the line cards in reverse priority order, starting with line card 6.


4632

•




•


•


•



4633

®


4634


CHAPTER 127

Configuring PoE •


•

Configuring PoE (J-Web Procedure) on page 4641

Configuring PoE (CLI Procedure) Power over Ethernet (PoE) ports on EX Series switches supply electric power over the same ports that are used to connect network devices. These ports allow you to plug in devices that require both network connectivity and electric power, such as voice over IP (VoIP) phones, wireless access points, and some IP cameras. This topic describes: •

PoE Configurable Options on page 4636

•

Configuring the PoE Controller on EX2200, EX3200, EX3300, and EX4200 Switches on page 4638

•

Configuring the PoE Controllers on EX6200 and EX8200 Switches on page 4639

•

Configuring PoE Interfaces on page 4640


4635

®


PoE Configurable Options For EX Series switches that support PoE ports, the factory default configuration enables PoE on the PoE-capable ports, with default settings in effect. You might not have to do any additional configuration if the default settings work for you. Table 536 on page 4636 shows the configurable PoE options and their default settings for the PoE controller and for the PoE interfaces.

NOTE: On EX8200 switches, the factory default configuration enables PoE on all interfaces starting at Junos OS Release 11.2. Switches that have been upgraded to Release 11.2 from a previous release might not have PoE enabled by default.To enable PoE on all PoE-capable ports on a switch, use the set poe interface all configuration command.

Table 536: Configurable PoE Options and Default Settings Option

Default

Description

0W

Reserves a specified amount of power from the PoE power budget to be used in the case of a spike in PoE power consumption:

PoE Controller Options guard-band

management

class

•

Up to 15 W on EX6200 and EX8200 switches

•

Up to 19 W on all other switches

Sets the PoE power management mode for the switch or line card: •

class—The maximum power delivered by an interface is determined

by the class of the connected powered device. No power is allocated to the interface until a powered device is connected. •

static—The maximum power delivered by an interface is statically

configured and independent of the class of the connected powered device. The maximum power is allocated to the interface even if a powered device is not connected. maximum-power

792 W for the

EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+) line card 915 W for the

(EX6200 and EX8200 switches only) Sets the PoE power budget for the line card: •

37 W through 792 W for the EX8200-2XS-40P line card

•

37 W through 915 W for the EX8200-48PL line card

•

37 W through 1440 W for the EX6200-48P line card

EX8200-48PL (48-port PoE+ 20 Gbps) line card 1440 W for the

EX6200-48P (48-port PoE+) line card notification-control

4636

Not included in default configuration

When included in the configuration, enables the PoE controller to send PoE SNMP traps.


Chapter 127: Configuring PoE

Table 536: Configurable PoE Options and Default Settings (continued) Option

Default

Description

af-mode


(EX6200 switches only) When included in the configuration, restricts a PoE interface to supporting IEEE 802.3af only. The maximum power that can be delivered by the PoE interface is 15.4 W.

disable (Power over Ethernet)


When included in the configuration, disables PoE on the interface. The interface maintains network connectivity but no longer supplies power to a connected powered device. Power is not allocated to the interface.

maximum-power (Interface)

30.0 W for interfaces that

Sets the maximum power that can be delivered by a PoE interface when the power management mode is static:

Interface Options

support PoE+ (IEEE 802.3at)

•

Up to 30 W for EX2200, EX3300, EX4200, EX6200, and EX8200 switches

•

Up to 18.6 W for EX3200 switches

15.4 W for interfaces that

support PoE (IEEE 802.3af)

This setting is ignored if the power management mode is class. NOTE: The maximum-power setting permitted by the CLI might be greater than the maximum power a given PoE port can deliver. For example, the CLI permits you to set any port on an EX8200 line card to 30 W; however, only ports 0 through 11 support 30 W. Similarly, the CLI permits you to set any port on an EX4200 switch to 30 W, but some EX4200 models support only 18.6 W per port. If you configure a maximum-power value that is greater than the maximum power supported by a port, the power allocated to the port will be the maximum supported. priority (Power over Ethernet)

low

Sets an interface’s power priority to either low or high. If power is insufficient for all PoE interfaces, the PoE power to low priority interfaces is shut down before power to high priority interfaces is shut down. Among interfaces that have the same assigned priority, the power priority is determined by port number, with lower-numbered ports having higher priority. On EX6200 and EX8200 switches, priority determines the interface’s power priority relative to the other interfaces on the line card, not the interfaces on the switch as a whole. If power management cannot provide the line card with its full PoE power budget, PoE power to interfaces with low priority is shut down first.

telemetries



When included in the configuration, enables the logging of power consumption records on an interface. Logging occurs every 5 minutes for 1 hour unless you specify a different value for interval (Power over Ethernet) or duration.

4637

®


Configuring the PoE Controller on EX2200, EX3200, EX3300, and EX4200 Switches To configure the PoE controller on EX2200, EX3200, EX3300, and EX4200 switches: •

To change the management mode or to configure a guard band setting for a standalone switch or for all members of an EX3300 Virtual Chassis, an EX4200 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis that supports PoE: [edit] user@switch# set poe management mode guard-band watts

For example, to set the management mode to static and to configure a guard band of 15 W: [edit] user@switch# set poe management static guard-band 15

NOTE: If the PoE power budget for the switch is insufficient to provide maximum power to all the PoE ports, we recommend that you do not change the management mode from class to static. If you change the power management mode to static and do not change the other default settings, the PoE controller allocates maximum power to the PoE ports in the order of port number, which means PoE will be disabled on higher-numbered ports when the PoE power budget runs out. In class mode, on the other hand, the PoE controller does not allocate power to a port until a powered device is connected. The class of the connected device determines the amount of power allocated. Thus in class mode, any PoE port can be used to power a device and all the PoE ports on the switch can be used as long as the combined power demand does not exceed the PoE power budget.

NOTE: On EX3200 and EX4200 switches that support enhanced PoE, you must change the management mode from class mode to static mode to take advantage of the higher per-port power limits of enhanced PoE.

•

To enable PoE SNMP traps on a standalone switch or on an specific member of a Virtual Chassis: [edit] user@switch# set poe notification-control fpc number

For example, to enable PoE SNMP traps on a standalone switch or on member 0 of a Virtual Chassis: [edit] user@switch# set poe notification-control fpc 0

4638



Configuring the PoE Controllers on EX6200 and EX8200 Switches On EX6200 and EX8200 switches, each line card that supports PoE has its own PoE controller. This means that the PoE controller options are configured separately for each line card. In addition, each line card has its own separate, configurable PoE power budget. The default power budget for a line card is the amount of power needed to supply all PoE ports on the line card with their maximum supported power. Because there might not be enough power available in a switch to supply each PoE line card with the default PoE power budget, you can configure smaller power budgets for one or more line cards, freeing up power for other line cards. To configure the line card PoE controllers in an EX6200 or EX8200 switch: •

To configure a guard band setting, to change the management mode, or to configure the PoE power budget for a specific line card: [edit] user@switch# set poe fpc number guard-band watts management mode maximum-power watts

For example, to configure a PoE budget of 350 W and a guard band of 15 W on line card 1: [edit] user@switch# set poe fpc 1 guard-band 15 maximum-power 350

NOTE: If you configure a PoE power budget for a line card that is smaller than the default power budget, we recommend that you do not change the management mode from class to static. If you change the power management mode to static and do not change the interface default settings, the PoE controller allocates maximum power to the PoE ports in the order of port number. As a result, PoE will be disabled on higher-numbered ports when the PoE power budget runs out. In class mode, on the other hand, the PoE controller does not allocate power to a port until a powered device is connected. The class of the connected device determines the amount of power allocated. Thus in class mode, any PoE port can be used to power a device and all the PoE ports on the switch can be used as long as the combined power demand does not exceed the PoE power budget.

•

To configure the same guard band value, management mode, or PoE power budget for all line cards in a switch: [edit] user@switch# set poe fpc all guard-band watts management mode maximum-power watts

For example, to configure a PoE budget of 1000 W and static management mode for all line cards in a switch:


4639

®


[edit] user@switch# set poe fpc all management static maximum-power 1000

If you configure different settings for a specific line card, those settings override the settings configured with the fpc all statement. •

To enable PoE SNMP traps on a line card: [edit] user@switch# set poe notification-control fpc number

For example, to enable PoE SNMP traps on line card 7: [edit] user@switch# set poe notification-control fpc 7

Configuring PoE Interfaces To configure the PoE interfaces on a switch that supports PoE: •

To configure all PoE interfaces with the same setting or settings: [edit] user@switch# set poe interface all options

For example, to enable telemetry collection on all interfaces, using the default collection duration and interval: [edit] user@switch# set poe interface all telemetries

NOTE: For PoE to be enabled on all PoE-capable interfaces, the configuration must include the interface all statement in the [edit poe] hierarchy. With the exception of EX8200 switches that were shipped from the factory with a Junos OS release earlier than Release 11.2, the factory default configurations of switches that support PoE include this statement.

•

To configure individual PoE interfaces with different settings: [edit] user@switch# set poe interface interface-name options

For example: [edit] user@switch# set poe interface ge-0/0/0 priority high telemetries duration 24 [edit] user@switch# set poe interface ge-0/0/1 [edit] user@switch# set poe interface ge-0/0/5 maximum-power 18.6 [edit] user@switch# set poe interface ge-5/0/7 disable

4640



When you configure an individual interface, its configuration overrides any settings you configure with the set poe interface all command. For example, ge-0/0/1 in the preceding example retains the default settings, regardless of any settings configured with the set poe interface all command. Related Documentation

•


•


•


•

Verifying PoE Configuration and Status (CLI Procedure) on page 4649

•


Configuring PoE (J-Web Procedure) Power over Ethernet (PoE) ports supply electric power over the same ports that are used to connect network devices to EX Series switches. These ports allow you to plug in devices that require both network connectivity and electric power, such as VoIP phones, wireless access points, and some IP cameras. Using the Power over Ethernet (PoE) Configuration page in the J-Web interface, you can modify the settings of all interfaces that are PoE-enabled. This topic includes: •

Configuring PoE on EX2200, EX2200-C, EX3200, EX3300, EX4200, EX4500 Switches on page 4641

•

Configuring PoE on EX6200 Switches on page 4642

Configuring PoE on EX2200, EX2200-C, EX3200, EX3300, EX4200, EX4500 Switches To configure PoE: 1.

Select Configure > Power over Ethernet. The page displays a list of all PoE-capable interfaces except uplink ports. Specific operational details about an interface are displayed in the Details section of the page. The details include the PoE Operational Status and Port class.


2. Click one: •

Edit—Changes PoE settings for the selected port as described in Table 537 on page 4642.


4641

®


•

System Settings—Modifies general PoE settings as described in Table 538 on page 4642.

Table 537: PoE Edit Settings Field

Description

Your Action

Enable PoE

Specifies that PoE is enabled on the interface.

Select this option to enable PoE or PoE+ on the interface.

Priority

Lists the power priority (Low or High) configured on the interface enabled for PoE.

Set the priority as High or Low.

Maximum Power

Specifies the maximum PoE wattage available to provision the active PoE interface on the switch.

Select a value in watts. If no value is specified, the default is 15.4 for PoE interfaces and 30.0 for PoE+ interfaces.

Table 538: System Settings Field

Description

Your Action

PoE Management

Specifies the power management mode. The options are: static and class.

By default the power management mode is class. Select static to change the power management mode.

NOTE: When the power management mode is set to class, the maximum power value is overridden by the maximum power value of the class of powered device that is connected to the switch on the PoE port. Guard Band (watts)

Specifies the amount of power reserved for power spikes from the switch PoE power budget.

Enter a value to set the guard band value in watts. The default value is 0.

Configuring PoE on EX6200 Switches To configure PoE: 1.

Select Configure > Power over Ethernet. The page displays a list of all PoE-capable interfaces for each FPC. Specific operational details about an interface are displayed in the Details section of the page. The details include the PoE Operational Status and Port class.


2. Click one: •

4642

Edit—Changes PoE settings for the selected port as described in Table 539 on page 4643.



•

FPC Settings—Changes PoE settings of PoE-capable FPCs. To configure FPC settings, click one: •

Add—Adds a PoE setting for an FPC as described in Table 540 on page 4643.

•

Edit—Modifies a PoE setting for an FPC as described in Table 540 on page 4643.

•

Delete—Deletes an existing PoE settings for an FPC.

Table 539: Edit PoE Settings Field

Description

Your Action

Enable PoE

Specifies that PoE is enabled on the interface.

Select this option to enable PoE or PoE+ on the interface.

Type

Specifies whether the interface is PoE or PoE+.

Select an option from the list.

Priority

Lists the power priority (Low or High) configured on the interface enabled for PoE.

Set the priority as High or Low.

Maximum Power

Specifies the maximum PoE wattage available to provision active PoE ports on the switch.

Select a value in watts. If no value is specified, the default is 15.4 for PoE interfaces and 30.0 for PoE+ interfaces.

Table 540: FPC PoE Settings Field

Description

Your Action

FPC

Specifies the FPC number.


PoE Management

Specifies the power management mode. The options are: static and class.

By default the power management mode is class. Select static to change the power management mode.

NOTE: When the power management mode is set to class, the maximum power value is overridden by the maximum power value for the interface that is connected to the switch on the PoE port. Guard Band (watts)

Specifies the band to control power availability on the switch.

Enter a value to set the guard band value in watts. The default value is 0.

Maximum Power

Specifies the maximum PoE wattage available to provision active PoE ports on the FPC. For example, if you specify 1000W, the PoE controller is limited to a power budget of 1000W to distribute to the PoE ports.

Select a value in watts.


•


•


•



4643

®


4644

•


•

Monitoring PoE on page 4645

•



CHAPTER 128

Administering PoE •

Monitoring PoE on page 4645

•

Monitoring PoE Power Consumption (CLI Procedure) on page 4646

•


•


Monitoring PoE Purpose

Use the monitoring functionality to view real-time data of the power consumed by each PoE interface, and to enable and configure telemetry values. When telemetry is enabled, the software measures the power consumed by each interface and stores the data for future reference.

NOTE: If you are configuring a Virtual Chassis, the PoE monitoring option is displayed if any member of the Virtual Chassis supports PoE, even if the Virtual Chassis master does not support PoE.

Action

To monitor PoE using the J-Web interface, select Monitor > Power over Ethernet. To monitor PoE power consumption with CLI commands in the CLI Terminal in the J-Web interface: 1.

Select Troubleshoot > CLI Terminal.

2. Type a CLI command: •

show poe controller

•

show poe interface

•

show poe telemetries

For detailed information about using these CLI commands to monitor PoE power consumption, see Monitoring PoE Power Consumption (CLI Procedure) in the EX Series documentation at http://www.juniper.net/techpubs.


4645

®


Meaning

In the J-Web interface the PoE Monitoring screen is divided into two parts. The top half of the screen displays real-time data of the power consumed by each PoE-capable interface and a list of ports that utilize maximum power. Select a particular interface to view a graph of the power consumed by the selected interface. The bottom half of the screen displays telemetry information for interfaces. The Telemetry Status field displays whether telemetry has been enabled on the interface. Click the Show Graph button to view a graph of the telemetries. The graph can be based on power or voltage. To modify telemetry values, click Edit. Specify Interval in minutes, Duration in hours, and select Log Telemetries to enable telemetry on the selected interface.


•


•


•


•


•


•


Monitoring PoE Power Consumption (CLI Procedure) You can monitor Power over Ethernet (PoE) power consumption, both for the switch as a whole and for individual PoE interfaces. This topic describes how to monitor: •

PoE Power Consumption on a Switch on page 4646

•

Current Power Consumption for PoE Interfaces on page 4647

•

Power Consumption for PoE Interfaces over Time on page 4648

PoE Power Consumption on a Switch Purpose Action

Determine the current PoE power consumption on a switch. Enter the following command: user@switch> show poe controller Controller Maximum Power index power consumption 0 405.00W 130.00W

Meaning

4646

Guard band 0W

Management

Status

Class

AT_MODE

At the time the command was executed, the PoE interfaces on the switch were consuming 130 W out of the PoE power budget of 405 W.


Chapter 128: Administering PoE

Current Power Consumption for PoE Interfaces Purpose Action

Determine the current power consumption for individual PoE interfaces. To monitor the power consumption of all PoE interfaces on the switch, use the following command: user@switch> show poe interface Interface Admin status Oper status ge-0/0/0 Enabled ON ge-0/0/1 Enabled ON ge-0/0/2 Enabled ON ge-0/0/3 Enabled ON ge-0/0/4 Enabled ON ge-0/0/5 Enabled ON ge-0/0/6 Enabled ON ge-0/0/7 Disabled Disabled applicable


Priority Low High Low Low Low Low Low Low

Power consumption Class 7.4W 0 12.0W 0 12.4W 0 5.3W 2 4.0W 1 6.1W 2 12.3W 3 0.0W not-

To monitor the power consumption of the PoE interfaces on a specific EX6200 or EX8200 line card, use the following command: user@switch> show poe interface fpc-slot 3 Interface Admin status Oper status Max power ge-3/0/0 Enabled ON 30.0W ge-3/0/1 Enabled ON 30.0W ge-3/0/2 Enabled ON 30.0W ge-3/0/3 Enabled ON 30.0W ge-3/0/4 Enabled ON 30.0W ge-3/0/5 Enabled ON 30.0W ge-3/0/6 Enabled ON 30.0W ge-3/0/7 Enabled ON 30.0W ge-3/0/8 Enabled ON 30.0W ge-3/0/9 Enabled ON 30.0W ge-3/0/10 Enabled ON 30.0W ge-3/0/11 Enabled ON 30.0W ge-3/0/12 Enabled ON 15.4W ge-3/0/13 Enabled ON 15.4W ge-3/0/14 Enabled ON 15.4W ge-3/0/15 Enabled ON 15.4W ge-3/0/16 Enabled ON 15.4W ge-3/0/17 Enabled ON 15.4W ge-3/0/18 Enabled ON 15.4W ge-3/0/19 Enabled ON 15.4W ge-3/0/20 Enabled ON 15.4W ge-3/0/21 Enabled ON 15.4W ge-3/0/22 Enabled ON 15.4W ge-3/0/23 Enabled ON 15.4W ge-3/0/24 Enabled ON 15.4W ge-3/0/25 Enabled ON 15.4W ge-3/0/26 Enabled ON 15.4W ge-3/0/27 Enabled ON 15.4W ge-3/0/28 Enabled ON 15.4W ge-3/0/29 Enabled ON 15.4W ge-3/0/30 Enabled ON 15.4W ge-3/0/31 Enabled ON 15.4W ge-3/0/32 Enabled ON 15.4W ge-3/0/33 Enabled ON 15.4W ge-3/0/34 Enabled ON 15.4W ge-3/0/35 Enabled ON 15.4W


Priority Low Low High High Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low

Power consumption Class 20.3W 4 17.8W 4 16.3W 4 16.2W 4 25.9W 4 10.1W 4 16.2W 4 6.4W 4 5.2W 4 5.2W 4 21.5W 4 21.7W 4 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 7.0W 0 2.2W 1 2.2W 1 2.2W 1 2.0W 1 2.0W 1 2.2W 1 2.2W 1

4647

®


ge-3/0/36 ge-3/0/37 ge-3/0/38 ge-3/0/39

Enabled Enabled Enabled Enabled

ON ON ON ON

15.4W 15.4W 15.4W 15.4W

Low Low Low Low

2.2W 2.2W 2.2W 2.2W

1 1 1 1

To monitor the power consumption of an individual PoE interface (for example, ge-0/0/3), use the following command: user@switch> show poe interface ge-0/0/3 PoE interface status: PoE interface : ge-0/0/3 Administrative status : Enabled Operational status : ON Power limit on the interface : 7.0W Priority : Low Power consumed : 5.3W Class of power device : 2 PoE Mode : 802.3at

Meaning

At the time the command was executed, the individual PoE ports were consuming the amount of power shown. For example, interface ge-0/0/3 was consuming 5.3 W at the time the command was executed.

Power Consumption for PoE Interfaces over Time Purpose

Monitor the power consumption of a PoE interface over a period of time. The records collected remain available for future viewing. You can specify the intervals at which power consumption data is collected, from once every minute to once every 30 minutes. The default is once every 5 minutes. You can also specify the duration over which the records are collected, from 1 hour (default) to 24 hours.

Action

To collect historical records of PoE interface power consumption and display those records: 1.

Add the telemetries statement to the PoE interface configuration: [edit] user@switch# set poe interface ge-0/0/5 telemetries interval (Power over Ethernet) 10

When you commit the configuration, record collection begins. 2. Display the collected records: user@switch> show poe telemetries ge-0/0/5 all Sl No Timestamp Power 1 03-19-2010 13:00:07 UTC 3.9W 2 03-19-2010 12:50:07 UTC 3.9W 3 03-19-2010 12:40:07 UTC 3.9W 4 03-19-2010 12:30:07 UTC 3.9W 5 03-19-2010 12:20:07 UTC 3.9W 6 03-19-2010 12:10:07 UTC 3.9W

Meaning

4648

Voltage 50.9V 50.9V 50.9V 50.9V 50.9V 50.9V

Over the hour in which the PoE power consumption data on ge-0/0/5 was collected, the connected powered device consistently consumed 3.9 W.




•


•


•


•


•


Verifying PoE Configuration and Status (CLI Procedure) You can verify the Power over Ethernet (PoE) configuration and status on an EX Series switch. This topic describes how to verify: •

PoE Controller Configuration and Status on page 4649

•

PoE Interface Configuration and Status on page 4650

•

PoE SNMP Trap Generation Status on page 4651

PoE Controller Configuration and Status Purpose

Action

Verify the PoE controller configuration and status, such as the PoE power budget, total PoE power consumption, power management mode, and the supported PoE standard. Enter the following command: user@switch> show poe controller

Example output for an EX2200 switch: Controller index 0

Maximum power 405.00W

Power consumption 130.00W

Guard band 19W

Management

Status

Class

AT_MODE

Guard band 0W 15W

Management

Status

Example output for an EX8200 switch: Controller index 3 4

Meaning

Maximum power 540.00W 915.00W

Power consumption 435.25W 627.01W

Static Class

AT/AF COMBO AT/AF COMBO

•

For the EX2200 switch—The switch has a PoE power budget of 405 W, of which 130 W were being used by the PoE ports at the time the command was executed. The Guard band field shows that 19 W is reserved out of the PoE power budget to protect against spikes in power demand. The power management mode is class. The PoE ports on the switch support PoE+ (IEEE 802.3at).

•

For the EX8200 switch—Line card 3 has a PoE power budget of 540 W, of which 435.25 W were being used by the PoE ports on the line card at the time the command was executed. The management mode for line card 3 is static and the line card has a mix of PoE (IEEE 802.3af) and PoE+ (IEEE 802.3at) ports.


4649

®


Line card 4 has a PoE power budget of 915 W, of which 627.01 W were being used by the PoE ports on the line card at the time the command was executed. The Guard band field shows that 15 W is reserved out of the PoE power budget to protect against spikes in power demand. The management mode for line card 4 is class and the line card has a mix of PoE (IEEE 802.3af) and PoE+ (IEEE 802.3at) ports.

PoE Interface Configuration and Status Purpose

Action

Verify that PoE interfaces are enabled and set to the correct maximum power and priority settings. Also verify current operational status and power consumption. To view configuration and status for all PoE interfaces, enter: user@switch> show poe interface Interface Admin status Oper status ge-0/0/0 Enabled ON ge-0/0/1 Enabled ON ge-0/0/2 Enabled ON ge-0/0/3 Enabled ON ge-0/0/4 Enabled ON ge-0/0/5 Enabled ON ge-0/0/6 Enabled ON ge-0/0/7 Enabled OFF applicable


Priority Low High High High Low Low Low Low

Power consumption Class 7.9W 3 4.8W 0 4.8W 0 3.3W 2 3.3W 2 3.2W 2 3.3W 2 0.0W not-

To view the configuration and status for the PoE interfaces on an EX6200 or EX8200 line card: user@switch> show poe interface fpc-slot 3 Interface Admin status Oper status Max power ge-3/0/0 Enabled ON 30.0W ge-3/0/1 Enabled ON 30.0W ge-3/0/2 Enabled ON 30.0W ge-3/0/3 Enabled ON 30.0W ge-3/0/4 Enabled ON 30.0W ge-3/0/5 Enabled ON 30.0W ge-3/0/6 Enabled ON 30.0W ge-3/0/7 Enabled ON 30.0W ge-3/0/8 Enabled ON 30.0W ge-3/0/9 Enabled ON 30.0W ge-3/0/10 Enabled ON 30.0W ge-3/0/11 Enabled ON 30.0W ge-3/0/12 Enabled ON 15.4W ge-3/0/13 Enabled ON 15.4W ge-3/0/14 Enabled ON 15.4W ge-3/0/15 Enabled ON 15.4W ge-3/0/16 Enabled ON 15.4W ge-3/0/17 Enabled ON 15.4W ge-3/0/18 Enabled ON 15.4W ge-3/0/19 Enabled ON 15.4W ge-3/0/20 Enabled ON 15.4W ge-3/0/21 Enabled ON 15.4W ge-3/0/22 Enabled ON 15.4W ge-3/0/23 Enabled ON 15.4W ge-3/0/24 Enabled ON 15.4W ge-3/0/25 Enabled ON 15.4W ge-3/0/26 Enabled ON 15.4W ge-3/0/27 Enabled ON 15.4W

4650

Priority Low Low High High Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low

Power consumption Class 20.3W 4 17.8W 4 16.3W 4 16.2W 4 25.9W 4 10.1W 4 16.2W 4 6.4W 4 5.2W 4 5.2W 4 21.5W 4 21.7W 4 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0 9.4W 0



ge-3/0/28 ge-3/0/29 ge-3/0/30 ge-3/0/31 ge-3/0/32 ge-3/0/33 ge-3/0/34 ge-3/0/35 ge-3/0/36 ge-3/0/37 ge-3/0/38 ge-3/0/39

Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

ON ON ON ON ON ON ON ON ON ON ON ON

15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W

Low Low Low Low Low Low Low Low Low Low Low Low

7.0W 2.2W 2.2W 2.2W 2.0W 2.0W 2.2W 2.2W 2.2W 2.2W 2.2W 2.2W

0 1 1 1 1 1 1 1 1 1 1 1

To view configuration and status for a single PoE interface, enter: user@switch> show poe interface ge-0/0/3 PoE interface status: PoE interface : ge-0/0/3 Administrative status : Enabled Operational status : ON Power limit on the interface : 7.0W Priority : High Power consumed : 3.3W Class of power device : 2 PoE Mode : 802.3at

Meaning

The command output shows the status and configuration of interfaces. For example, the interface ge-0/0/3 is administratively enabled. Its operational status is ON; that is, the interface is currently delivering power to a connected powered device. The maximum power allocated to the interface is 7.0 W. The interface has a high power priority. At the time the command was executed, the powered device was consuming 3.3 W. The IEEE 802.3af class of the powered device is class 2. If the PoE power management mode is class, the class of the powered device determines the maximum power allocated to the interface, which is 7 W in the case of class 2 devices. The PoE Mode field indicates that the interface supports IEEE 802.3at.

PoE SNMP Trap Generation Status Purpose

Action

Verify the status of the notification-control option, which determines whether or not PoE SNMP traps are enabled. Enter the following command: user@switch> show poe notification-control FPC slot Notification-control-status 0 OFF

Meaning


PoE SNMP traps are not enabled.

•


•


•



4651

®


•


Upgrading the PoE Controller Software Each Junos OS image for an EX Series switch that supports PoE contains the most recent version of the PoE controller software at the time the Junos OS image was built. When you upgrade Junos OS on your switch, the new image might contain a more recent version of the PoE controller software than is currently running on the PoE controller. You can upgrade your PoE controller software by requesting that the more recent version of the software contained in the Junos OS image be downloaded to the controller.

NOTE: Powered devices are not guaranteed to receive power while the new software is being downloaded to the PoE controller, a process that can take up to 10 minutes. In addition, during the software download, some PoE operational commands, such as show poe interface, might not show correct output. We recommend that you upgrade your PoE controller software during a regularly scheduled maintenance window.

NOTE: On an EX8200 Virtual Chassis, you cannot execute PoE commands on the XRE200 External Routing Engine. You can execute PoE commands only on the member EX8200 switches. Use the request session member member-id command to open a CLI session on a member switch.


Determining Whether the PoE Controller Software Needs Upgrading on page 4652

•


•

Monitoring the Upgrade Progress on page 4653

Determining Whether the PoE Controller Software Needs Upgrading To determine if the version of the PoE controller software supplied with Junos OS is more recent than the version of the software currently running on the PoE controller, enter the following command: user@switch> show poe controller Controller Maximum Power Guard Management Status index power consumption band 0** 130.00W 0.00W 0W Class AF_MODE **New PoE software upgrade available. Use 'request system firmware upgrade poe fpc-slot ' This procedure will take around 10 minutes (recommended to be performed during maintenance)

The New PoE software upgrade available text in the output indicates that the PoE controller software is out-of-date and should be upgraded.

4652



For Virtual Chassis or switches with PoE line cards, the output of the show poe controller command indicates which members of a Virtual Chassis or which PoE line cards have PoE controllers with out-of-date software: user@switch> show poe controller Controller Maximum Power index power consumption

Guard band

Management

Status

2 130.00W 120.34W 0W Class AF_ENHANCE 4** 410.00W 182.80W 0W Class AF_MODE **New PoE software upgrade available. Use 'request system firmware upgrade poe fpc-slot slot' This procedure will take around 10 minutes (recommended to be performed during maintenance)

In the preceding example, member 4 of the Virtual Chassis has out-of-date PoE controller software.

NOTE: We recommend that all member switches of a Virtual Chassis or all line cards in a switch run the same version of the PoE controller software.

Upgrading the PoE Controller Software To upgrade the PoE controller software for a standalone switch with built-in PoE interfaces, enter: user@switch> request system firmware upgrade poe Firmware upgrade initiated. Poe Upgrade takes about 10 minutes Use 'show poe controller' to get the download status

To upgrade the PoE controller software on Virtual Chassis or on switches with line cards, use the fpc-slot option to specify the Virtual Chassis member or line card. For example: user@switch> request system firmware upgrade poe fpc-slot 8 Firmware upgrade initiated. Poe Upgrade takes about 10 minutes Use 'show poe controller' to get the download status

Monitoring the Upgrade Progress Use the show poe controller command to monitor the progress of the controller software upgrade: user@switch> show poe controller Controller Maximum Power Guard Management Status index power consumption band 0** 130.00W 0.00W 0W SW_DOWNLOAD(14%) **New PoE software upgrade available. Use 'request system firmware upgrade poe fpc-slot ' This procedure will take around 10 minutes (recommended to be performed during maintenance)

The Status field is updated during the download process to show the following stages of the download: •

DOWNLOAD_INIT


4653

®


•

SW_DOWNLOAD (n%)

When the software upgrade is complete, the New PoE software upgrade available text is no longer displayed for the particular FPC.

NOTE: If you are upgrading the PoE controller software to enable enhanced PoE, the Status field for the controller shows AF_ENHANCE after the upgrade completes, indicating that the controller now supports enhanced PoE. The default maximum power per port is not automatically increased as a result of the upgrade—it is still 15.4 W per port. You must explicitly set the maximum power for a port to 18.6 W. Enhanced PoE is supported in Junos OS Release 11.1 or later on EX3300 switches and on EX4200 P or T model switches.


4654

•


•



CHAPTER 129

Troubleshooting PoE Configuration •


Troubleshooting PoE Interfaces Problem

A Power over Ethernet (PoE) interface is not supplying power to the powered device.

Solution

Check for the items shown in Table 541 on page 4655.

Table 541: Troubleshooting a PoE Interface


Items to Check

Explanation

Is the switch a full PoE model or a partial PoE model?

If you are using a partial PoE model, only interfaces ge-0/0/0 through ge-0/0/7 can function as PoE ports.

Has PoE capability been disabled for that interface?

Use the show poe interface command to check PoE interface status.

Is the cable properly seated in the port socket?

Check the hardware.

Has the PoE power budget been exceeded for the switch?

Use the show poe controller command to check the PoE power budget and consumption for the switch.

Does the powered device require more power than is available on the interface?

Use the show poe interface command to check the maximum power provided by the interface.

If the telemetries option has been enabled for the interface, check the history of power consumption.

Use the show poe telemetries command to display the history of power consumption.

•


•


•


•



4655

®


4656


CHAPTER 130

Configuration Statements for PoE •

[edit poe] Configuration Statement Hierarchy on page 4657

[edit poe] Configuration Statement Hierarchy For switches other than EX6200 and EX8200 switches: poe { guard-band watts; interface (Power over Ethernet) (all | interface-name) { disable (Power over Ethernet); maximum-power (Interface) watts; priority (Power over Ethernet) (high | low); telemetries { disable (Power over Ethernet); duration hours; interval (Power over Ethernet) minutes; } } management (class | static); notification-control { fpc slot-number { disable (Power over Ethernet); } } }

For EX6200 and EX8200 switches: poe { fpc (all | slot-number) { guard-band watts; management (class | static); maximum-power watts; } interface (Power over Ethernet) (all | interface-name) { af-mode; disable (Power over Ethernet); maximum-power (Interface) watts; priority (Power over Ethernet) (high | low); telemetries { disable (Power over Ethernet); duration hours;


4657

®


interval (Power over Ethernet) minutes; } } notification-control { fpc slot-number { disable (Power over Ethernet); } } }


•


•


•


•


af-mode Syntax Hierarchy Level Release Information Description


4658

af-mode; [edit poe interface (Power over Ethernet) (all | interface-name)]

Statement introduced in Junos OS Release 11.3 for EX Series switches. Configure a PoE port on an EX6200 switch to support IEEE 802.3af only. The maximum power the port can deliver in either class or static mode is 15.4 W. PoE ports on an EX6200 switch support IEEE 802.3at (PoE+) by default. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •



Chapter 130: Configuration Statements for PoE




disable; [edit poe interface (Power over Ethernet) (all | interface-name)], [edit poe interface (Power over Ethernet) (all | interface-name) telemetries], [edit poe notification-control fpc slot-number]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Disable a PoE interface, disable the collection of power consumption data for a PoE interface, or disable the generation of the PoE SNMP traps. The action of the disable statement depends on which statement it is used with: •

When used with interface—Disable the PoE capability of this interface. The interface operates as a standard network access interface, and power is no longer allocated to it from the PoE power budget. Although the PoE capability is disabled, the PoE configuration for the interface is retained. To re-enable the PoE capability of this interface, delete the disable statement from the interface entry in the configuration.

•

When used with telemetries—Disable the collection of PoE power consumption records for this interface. Any previously collected records are deleted. However, the telemetries configuration is retained, including the values for interval (Power over Ethernet) and duration. To re-enable record collection, delete the disable statement from the telemetries entry in the configuration.

•

When used with notification-control—Disable the generation of PoE SNMP traps. To re-enable PoE traps, delete the disable statement from the notification-control entry in the configuration.



•



4659

®


duration Syntax Hierarchy Level Release Information Description

Options

duration hours; [edit poe interface (Power over Ethernet) (all | interface-name) telemetries]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Modify the duration over which data is collected when you are monitoring the power consumption of a PoE interface. hours —Number of hours over which the data is to be collected.


4660



•




fpc (Line Card) Syntax


fpc ( all | slot-number) { guard-band watts; management (class | static); maximum-power watts; } [edit poe]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Configure PoE options for an EX6200 or EX8200 line card. all—All line cards that support PoE that have not been individually configured for PoE. If

a line card has been individually configured for PoE, that configuration overrides any settings specified with all. slot-number—The line card slot number.




•



4661

®


fpc (Notification Control) Syntax


fpc slot-number { disable (Power over Ethernet); } [edit poe notification-control]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable the specified PoE controller to generate PoE traps. PoE traps are disabled by default. slot-number—Indicates the PoE controller by FPC slot number, where slot-number is: •

0—On an EX2200, EX3200, standalone EX3300, or standalone EX4200 switch

•

Member ID—On an EX3300 or EX4200 switch in a Virtual Chassis

•

Line card slot number—On an EX6200 or EX8200 switch


4662





guard-band Syntax Hierarchy Level


Options

guard-band watts; [edit poe], [edit poe (all | fpc slot-number)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Reserve a specified amount of power from the PoE power budget for the switch or the line card in case of a spike in PoE consumption. watts—Amount of power to be reserved in case of a spike in PoE consumption.

Range: 0 through 15 for EX6200 and EX8200 switches and 0 through 19 for all other switches Default: 0 Required Privilege Level Related Documentation




4663

®


interface Syntax


interface (all | interface-name) { af-mode; disable (Power over Ethernet); maximum-power watts; priority (Power over Ethernet) (high | low); telemetries { disable (Power over Ethernet); duration hours; interval (Power over Ethernet) minutes; } } [edit poe]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify a PoE interface to be configured. all—All PoE interfaces on the switch that have not been individually configured for PoE.

If a PoE interface has been individually configured, that configuration overrides any settings specified with all. interface-name—Name of the specific interface being configured.

If you use the interface statement without any substatements, PoE is enabled on all interfaces or the specified interface with default values for the remaining statements. The remaining statements are explained separately. Required Privilege Level Related Documentation

4664



•




interval Syntax Hierarchy Level Release Information Description

Options

interval minutes; [edit poe interface (Power over Ethernet) (all | interface-name) telemetries]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Modify the interval at which data is collected when you are monitoring the power consumption of a PoE interface. minutes—Frequency of data collection.




•


•



4665

®


management Syntax Hierarchy Level

Release Information Description Default Options

management (class | static); [edit poe], [edit poe (all | fpc slot-number)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Designate how the PoE controller allocates power to the PoE interfaces. class •

class—The amount of power allocated to the interface is determined by the class of

the connected powered device. If no powered device is connected, no power is allocated to the interface. See “Understanding PoE on EX Series Switches” on page 4613 for more information about classes of powered devices. •

static—The amount of power allocated to the interface is determined by the value of

the maximum-power statement, not the class of the connected powered device. This amount is allocated even when a powered device is not connected to the interface, ensuring that power is available when needed. Required Privilege Level Related Documentation

4666



•




maximum-power (Interface) Syntax Hierarchy Level Release Information Description

maximum-power watts; [edit poe interface (Power over Ethernet) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the maximum amount of power that the switch can supply to the PoE port.

NOTE: Although you can set this value when PoE power management is in class mode, it does not establish the maximum power for the port. Instead, the IEEE 802.3af (PoE) or IEEE 802.3at (PoE+) class of the connected device determines the maximum power for the port.

Options

watts—The maximum number of watts that can be supplied to the port.

For EX2200 switches, EX3300 switches, EX4200 switches, EX6200 switches, and EX8200 switches: Range: 0.0 through 30.0 Default: 15.4 W for ports that support IEEE 802.3af and 30 W for ports that support IEEE 802.3at For EX3200 switches: Range: 0.0 through 18.6 Default: 15.4 W

NOTE: The maximum-power setting permitted by the CLI might be greater than the maximum power a given PoE port can deliver. For example, the CLI permits you to set any PoE port on an EX8200 line card to 30 W; however, only ports 0 through 11 support 30 W. Similarly, the CLI permits you to set any PoE port on an EX4200 switch to 30 W, but some models of EX4200 switch support only 18.6 W per port. If you configure a maximum-power value that is greater than the maximum power supported by a port, the power allocated to the port will be the maximum supported. If you use the all option to set maximum-power to a value greater than 15.4 W on all interfaces on an EX8200 line card, the maximum power allocated to all ports is 15.4 W.

NOTE: Support for a maximum of 18.6 W per port instead of 15.4 W per port on EX3200 switches and P and T models of EX4200 switch requires Junos OS Release 11.1 or later. In addition to requiring an upgrade of Junos OS to


4667

®


Release 11.1 or later, switches that are running a previous Junos OS release require the PoE controller software be upgraded as described in “Upgrading the PoE Controller Software” on page 4652. If the controller software is not upgraded and you set maximum-power to a value greater than 15.4 W, the configuration is accepted when you commit it, but the actual power allocated to the port will be 15.4 W.


4668





maximum-power (Line Card) Syntax Hierarchy Level Release Information Description Options

maximum-power watts; [edit poe fpc (all | slot-number)]

Statement introduced in Junos OS Release 11.2 for EX Series switches. Set the PoE power budget for an EX6200 or an EX8200 line card. watts—The maximum number of watts that is supplied to the line card for its PoE power

budget. For the EX6200-48P (48-port PoE+) line card: Range: 37 through 1440 Default: 1440 For the EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+) line card: Range: 37 through 792 Default: 792 For the EX8200-48PL (48-port PoE+ 20 Gbps) line card: Range: 37 through 915 Default: 915

NOTE: If you configure a value for watts that is greater than the maximum value supported by the line card, the power budget for the line card is set to its supported maximum. If you configure a value for watts that is lower than 37 W, the power budget for the line card is set at 37 W. Because of a hardware constraint, at least 37 W of PoE power must always be allocated to the PoE line cards.




•



4669

®


notification-control Syntax


notification-control { fpc slot-number { disable (Power over Ethernet); } } [edit poe]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable or disable the generation of PoE SNMP traps. If PoE traps are enabled, an SNMP trap is sent whenever a PoE interface is enabled or disabled. The remaining statements are explained separately.


4670



•




priority Syntax Hierarchy Level Release Information Description

Default Options

priority (low | high); [edit poe interface (Power over Ethernet) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the power priority for individual interfaces when there is insufficient power for all PoE interfaces. If the switch needs to shut down powered devices because PoE demand exceeds the PoE budget, low priority devices are shut down before high priority devices. Among interfaces that have the same assigned priority, priority is determined by port number, with lower-numbered ports having higher priority. low value—high or low: •

high—Specifies that this interface is to be treated as high priority in terms of power

allocation. If the switch needs to shut down powered devices because PoE demand exceeds the PoE budget, power is not shut down on this interface until it has been shut down on all the low priority interfaces. •

low—Specifies that this interface is to be treated as low priority in terms of power

allocation. If the switch needs to shut down powered devices because PoE demand exceeds the PoE budget, power is shut down on this interface before it is shut down on high priority interfaces. Required Privilege Level Related Documentation



•



4671

®


telemetries Syntax


telemetries { disable (Power over Ethernet); duration hours; interval (Power over Ethernet) minutes; } [edit poe interface (Power over Ethernet) (all | interface-name)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Enable the logging of power consumption of a PoE interface over time. If you want to log the power consumption of a PoE interface, you must explicitly specify the telemetries statement. When you commit the configuration, logging begins, with data being collected at the specified intervals. Logging stops at the end of the specified duration. If you did not specify the duration and interval statements, data is collected at five minute intervals for one hour. The remaining statements are explained separately.


4672

Logging of power consumption is disabled. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•



CHAPTER 131

Operational Commands for PoE


4673

®


request system firmware upgrade poe Syntax Release Information Description

request system firmware upgrade poe fpc-slot number

Command introduced in Junos OS Release 12.1 for EX Series switches. Upgrade the PoE controller software on switches and line cards. The Junos OS image running on the switch contains a copy of the PoE controller software. This command compares the Junos OS version with the version of the software running on the PoE controller. If the Junos OS version is a more recent version, the command downloads the more recent version to the controller. For all Virtual Chassis except EX8200 Virtual Chassis, execute this command on the master. The master itself does not have to support PoE for this command to work—for example, you can execute this command on the master of a mixed EX4200 and EX4500 Virtual Chassis when the master is an EX4500 switch. On an EX8200 Virtual Chassis, you must execute this command on the member switch, not the master XRE200 External Routing Engine. We recommend that all members of a Virtual Chassis run the same version of the PoE controller software. Upgrading the controller software can take up to 10 minutes. Use the show poe controller command to monitor the progress of the software download. You cannot downgrade the PoE controller software.

NOTE: When you enter the request system firmware upgrade poe command, a message advises you that the controller software upgrade has started and that it will take about 10 minutes to complete. This message appears even if the FPC you have specified does not have a PoE controller or if the PoE controller software is up-to-date. To determine whether or not the controller software upgrade has actually started, use the show poe controller command.

NOTE: While the upgrade is in progress, power to the powered devices is not guaranteed. We recommend that you upgrade the controller software during a regularly scheduled maintenance window.

Options

fpc-slot number—Upgrade the PoE controller firmware for the Virtual Chassis member

or line card specified by number. Required Privilege Level

4674

maintenance


Chapter 131: Operational Commands for PoE



•

show poe controller on page 4676

•


request system firmware upgrade poe fpc-slot 8 on page 4675 When you enter this command, you are provided feedback on the status of your request.

Sample Output request system firmware upgrade poe fpc-slot 8

user@switch> request system firmware upgrade poe fpc-slot 8 Firmware upgrade initiated. Poe Upgrade takes about 10 minutes Use 'show poe controller' to get the download status


4675

®


show poe controller Syntax Release Information Description Required Privilege Level Related Documentation


Output Fields

show poe controller

Command introduced in Junos OS Release 9.0 for EX Series switches. Display configuration and status of the PoE controllers. view

•

show poe interface on page 4678

•

request system firmware upgrade poe on page 4674

•


•


•


show poe controller (EX3200 Switch) on page 4677 show poe controller (EX8200 Switch) on page 4677 show poe controller (Controller Software Upgrade in Progress) on page 4677 Table 542 on page 4676 lists the output fields for the show poe controller command. Output fields are listed in the approximate order in which they appear.

Table 542: show poe controller Output Fields

4676

Field Name

Field Description

Controller index

PoE controller number: •

0 for EX2200, EX3200, standalone EX3300, and standalone EX4200 switches.

•

Member ID for switches in an EX3300 Virtual Chassis, EX4200 Virtual Chassis, or a mixed EX4200 and EX4500 Virtual Chassis.

•

Slot number for line cards with a PoE controller in an EX6200 or EX8200 switch.

Maximum power

The PoE power budget for the switch or line card. The PoE controller allocates power to the PoE ports from this budget.

Power consumption

Total amount of power being used by the PoE ports at the time the command is executed.

Guard Band

Amount of power that has been placed in reserve for power demand spikes and that cannot be allocated to a PoE interface.

Management

Power management mode: either Class or Static .



Table 542: show poe controller Output Fields (continued) Field Name

Field Description

Status

Status of the PoE controller: •

AF_ENHANCE—Controller supports enhanced PoE. The maximum power per

PoE port is 18.6 W in static mode (15.4 W in class mode). •

DEVICE FAIL—Software download to the controller has failed or the PoE

controller is not initialized because of a hardware failure. •

DOWNLOAD_INIT—Software download to the controller is in the initial phase.

•

AF_MODE—Controller supports standard IEEE 802.3af. The maximum power

per PoE port is 15.4 W. •

AT/AF COMBO—Controller supports a mix of standard IEEE 802.3af and IEEE

802.3at (PoE+) ports. The maximum power per port is 30 W for IEEE 802.3at (PoE+) ports and 15.4 W for the IEEE 802.3af ports. •

AT_MODE—Controller supports IEEE 802.3at (PoE+). The maximum power

per PoE port is 30 W. •

SW_DOWNLOAD (n%)—Software download to the controller is in progress.

Sample Output show poe controller (EX3200 Switch)

user@switch> show poe controller Controller index 0

show poe controller (EX8200 Switch)

show poe controller (Controller Software Upgrade in Progress)

Maximum power 130.00W

Power consumption 81.20W

Guard band 10W

Management

Status

Static

AF_ENHANCE

user@switch> show poe controller Controller Maximum Power index power consumption 0 792.00W 603.50W 4 915.00W 781.00W 7 915.00W 0.00W

Guard band 0W 0W 0W

Management

Status

Class Class Class

AT/AF COMBO AT/AF COMBO AT/AF COMBO

user@switch> show poe controller Controller Maximum Power Guard Management Status index power consumption band 0 130.00W 0.00W 0W Static AF_ENHANCE 8** 130.00W 0.00W 0W Static SW_DOWNLOAD(10%) **New PoE software upgrade available. Use 'request system firmware upgrade poe fpc-slot ' This procedure will take around 10 minutes (recommended to be performed during maintenance)


4677

®


show poe interface Syntax


show poe interface

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the status of PoE interfaces. none—Display status of all PoE interfaces on the switch. fpc-slot number—(Optional) (EX6200 or EX8200 switches only) Display the status of

the PoE interfaces on the specified line card. interface-name—(Optional) Display the status of a specific PoE interface on the switch.



Output Fields

view

•


•


•


•


show poe interface on page 4679 show poe interface ge-0/0/3 on page 4679 show poe interface fpc-slot 3 on page 4679 Table 543 on page 4678 lists the output fields for the show poe interface command. Output fields are listed in the approximate order in which they appear.

Table 543: show poe interface Output Fields Field Name (All Interfaces Output)

Field Name (Single Interface Output)

Field Description

Interface

PoE Interface

Interface name.

Admin status

Administrative status

Administrative state of the PoE interface: Enabled or Disabled. If the PoE interface is disabled, it can provide network connectivity, but it cannot provide power to connected devices.

Oper status

Operational status

Operational state of the PoE interface: •

ON—The interface is currently supplying power to a powered device.

•

OFF—PoE is enabled on the interface, but the interface is not currently supplying

power to a powered device. •

4678

Disabled—PoE is disabled on the interface.



Table 543: show poe interface Output Fields (continued) Field Name (All Interfaces Output)

Field Name (Single Interface Output)

Max power

Power limit on the interface

Maximum power that can be provided by the interface.

Priority

Priority

Interface power priority: either High or Low.

Power consumption

Power consumed

Amount of power being used by the interface at the time the command is executed.

Class

Class of power device

IEEE 802.3af (PoE) or IEEE 802.3at (PoE+) class of the powered device. Class 0 is the default class and is used when the class of the powered device is unknown. If no powered device is connected, this field contains not applicable.

PoE Mode

IEEE PoE standard supported by the interface—either 802.3af or 802.3at.

Field Description

Sample Output show poe interface

user@switch> show poe interface Interface ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7

Admin status Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

Oper status Max power ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W ON 15.4W

show poe interface ge-0/0/3

user@switch> show poe interface ge-0/0/3 PoE interface status: PoE interface : ge-0/0/3 Administrative status : Enabled Operational status : ON Power limit on the interface : 7.0W Priority : Low Power consumed : 5.3W Class of power device : 2 PoE Mode : 802.3af

show poe interface fpc-slot 3

user@switch> show poe interface fpc-slot 3 Interface Admin status Oper status Max power ge-3/0/0 Enabled ON 30.0W ge-3/0/1 Enabled ON 30.0W ge-3/0/2 Enabled ON 30.0W ge-3/0/3 Enabled ON 30.0W ge-3/0/4 Enabled ON 30.0W ge-3/0/5 Enabled ON 30.0W ge-3/0/6 Enabled ON 30.0W ge-3/0/7 Enabled ON 30.0W ge-3/0/8 Enabled ON 30.0W


Priority Low Low Low Low Low Low Low Low


Priority Low Low High High Low Low Low Low Low

Power consumption Class 20.3W 4 17.8W 4 16.3W 4 16.2W 4 25.9W 4 10.1W 4 16.2W 4 6.4W 4 5.2W 4

4679

®


ge-3/0/9 ge-3/0/10 ge-3/0/11 ge-3/0/12 ge-3/0/13 ge-3/0/14 ge-3/0/15 ge-3/0/16 ge-3/0/17 ge-3/0/18 ge-3/0/19 ge-3/0/20 ge-3/0/21 ge-3/0/22 ge-3/0/23 ge-3/0/24 ge-3/0/25 ge-3/0/26 ge-3/0/27 ge-3/0/28 ge-3/0/29 ge-3/0/30 ge-3/0/31 ge-3/0/32 ge-3/0/33 ge-3/0/34 ge-3/0/35 ge-3/0/36 ge-3/0/37 ge-3/0/38 ge-3/0/39

4680

Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON

30.0W 30.0W 30.0W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W

Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low Low

5.2W 21.5W 21.7W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 9.4W 7.0W 2.2W 2.2W 2.2W 2.0W 2.0W 2.2W 2.2W 2.2W 2.2W 2.2W 2.2W

4 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1



show poe notification-control Syntax Release Information Description



show poe notification-control

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the state of the PoE notification-control option, which enables or disables PoE SNMP traps. view

•


•


•


show poe notification-control on page 4682 Table 544 on page 4681 lists the output fields for the show poe notification-control command. Output fields are listed in the approximate order in which they appear.

Table 544: show poe notification-control Output Fields Field Name

Field Description

FPC slot

FPC slot number:

Notification-control-status


•

0 for a standalone switch

•

Member ID for a Virtual Chassis

Status of notification control: •

ON—PoE traps are enabled.

•

OFF—PoE traps are disabled.

4681

®


Sample Output show poe notification-control

4682

user@switch> show poe notification-control FPC slot Notification-control-status 0 OFF



show poe telemetries interface Syntax Release Information Description

show poe telemetries interface (all | interface-name) (all | n)

Command introduced in Junos OS Release 9.0 for EX Series switches. Display a history of power consumption on the specified interface or on all interfaces. Telemetries must be enabled on the interface before you can display a history of power consumption.

Options

(all | interface-name)—Display power consumption records for the specified PoE interface

or for all PoE interfaces. (all | n)—Display all power consumption records or the specified number of records. The

records displayed are the most recent. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


show poe telemetries interface all 2 on page 4684 show poe telemetries interface ge-0/0/0 all on page 4684 Table 545 on page 4683 lists the output fields for the show poe telemetries interface command. Output fields are listed in the approximate order in which they appear.

Table 545: show poe telemetries interface Output Fields Field Name

Field Description

Interface


S1 No

Number of the record for the specified interface. Record number 1 is the most recent.

Timestamp

Date and time when the power-consumption data was gathered.

Power

Amount of power provided by the specified interface at the time the data was gathered.

Voltage

Maximum voltage provided by the specified interface at the time the data was gathered.


4683

®


Sample Output show poe telemetries interface all 2

show poe telemetries interface ge-0/0/0 all

4684

user@switch> show poe telemetries interface all 2 Interface Sl No Timestamp ge-0/0/1 1 03-09-2012 11:52:03 UTC 2 03-09-2012 11:47:03 UTC ge-0/0/2 1 03-09-2012 11:52:03 UTC 2 03-09-2012 11:47:03 UTC ge-0/0/3 1 03-09-2012 11:52:03 UTC 2 03-09-2012 11:47:03 UTC ge-0/0/4 1 03-09-2012 11:52:03 UTC 2 03-09-2012 11:47:03 UTC ge-0/0/5 1 03-09-2012 11:52:03 UTC 2 03-09-2012 11:47:03 UTC ge-0/0/6 1 03-09-2012 11:52:03 UTC 2 03-09-2012 11:47:03 UTC ge-0/0/7 1 03-09-2012 11:52:03 UTC

Power 4.2W 4.2W 4.2W 4.1W 4.2W 4.3W 0.0W 0.0W 4.2W 4.2W 4.2W 4.2W 4.2W

Voltage 54.9V 54.8V 54.9V 54.8V 54.9V 54.8V 54.9V 54.8V 54.9V 54.8V 54.9V 54.8V 54.9V

user@switch> show poe telemetries interface ge-0/0/0 all Sl No Timestamp Power Voltage 1 01-27-2008 18:19:58 UTC 15.4W 51.6V 2 01-27-2008 18:18:58 UTC 15.4W 51.6V 3 01-27-2008 18:17:58 UTC 15.4W 51.6V 4 01-27-2008 18:16:58 UTC 15.4W 51.6V 5 01-27-2008 18:15:58 UTC 15.4W 51.6V 6 01-27-2008 18:14:58 UTC 15.4W 51.6V 7 01-27-2008 18:13:58 UTC 15.4W 51.6V 8 01-27-2008 18:12:57 UTC 15.4W 51.6V 9 01-27-2008 18:11:57 UTC 15.4W 51.6V 10 01-27-2008 18:10:57 UTC 15.4W 51.6V 11 01-27-2008 18:09:57 UTC 15.4W 51.6V 12 01-27-2008 18:08:57 UTC 15.4W 51.6V 13 01-27-2008 18:07:57 UTC 15.4W 51.6V 14 01-27-2008 18:06:57 UTC 15.4W 51.6V 15 01-27-2008 18:05:57 UTC 15.4W 51.6V 16 01-27-2008 18:04:56 UTC 15.4W 51.6V 17 01-27-2008 18:03:56 UTC 15.4W 51.6V 18 01-27-2008 18:02:56 UTC 15.4W 51.6V 19 01-27-2008 18:01:56 UTC 15.4W 51.6V 20 01-27-2008 18:00:56 UTC 15.4W 51.6V 21 01-27-2008 17:59:56 UTC 15.4W 51.6V


PART 25

Converged Networks (LAN and SAN) •

Converged Networks (LAN and SAN)—Overview on page 4687

•

Example: Converged Networks (LAN and SAN) Configuration on page 4703

•

Configuring Converged Networks (LAN and SAN) on page 4721

•

Configuration Statements for Converged Networks (LAN and SAN) on page 4731

•

Operational Commands for Converged Networks (LAN and SAN) on page 4767


4685

®


4686


CHAPTER 132

Converged Networks (LAN and SAN)—Overview •


•

Understanding Using an FCoE Transit Switch on page 4690

•


•


•

Understanding DCB Features and Requirements on EX Series Switches on page 4697

•

Understanding DCBX Application Protocol TLV Exchange on EX Series Switches on page 4699

Understanding FIP Snooping Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) snooping is a security mechanism that is designed to prevent unauthorized access and data transmission to a Fibre Channel (FC) network. It works by filtering traffic to permit only servers that have logged in to the FC network to access the network. You enable FIP snooping on FCoE VLANs when the switch is being used as an FCoE transit switch connecting FC initiators (servers) on the Ethernet network to FCoE forwarders (FCFs) at the FC storage area network (SAN) edge. Through the FIP process, servers that have a converged network adapter (CNA) present an FCoE Node (ENode) that can log in to the FC network. The login process establishes a dedicated virtual link between the ENode and the FCF to emulate a point-to-point connection that passes transparently through the FCoE transit switch. The FCoE transit switch applies FIP snooping firewall filters at the edge access ports associated with the FCoE VLANs on which you enable FIP snooping. FIP snooping provides security for virtual links by automatically creating firewall filters based on information gathered (snooped) about FC devices during FIP transactions. This topic describes: •

FC Network Security on page 4688

•

FIP Snooping Functions on page 4688

•

FIP Snooping Firewall Filters on page 4688


4687

®


•

FIP Snooping Implementation on page 4689

•

T11 FIP Snooping Specification on page 4690

FC Network Security In traditional pure FC networks, the FCF is a trusted entity and server ENodes connect directly to the FCF. After an ENode gains access to the network through the fabric login (FLOGI) process, the FCF enforces zoning configurations, ensures that the ENode uses valid addresses, monitors the connection, and performs other security functions to prevent unauthorized access. FIP snooping firewall filters emulate these security functions by preventing unauthorized access to the FCF through the transit switch and by ensuring the security of the virtual link between each ENode and the FCF. FIP snooping also prevents man-in-the-middle attacks.

FIP Snooping Functions When you enable FIP snooping, the FCoE transit switch monitors FIP logins, solicitations, and advertisements that pass through it and gathers information about the ENode address and the address of the FCF. The transit switch uses the information to construct firewall filters that permit access only to logged-in ENodes. All other traffic on the VLAN is denied. For example, when an ENode on an FCoE VLAN performs a successful login, the FCoE transit switch snoops the FIP information, constructs a firewall filter that permits access for the ENode, and adds the filter on all transit switch access ports associated with the FCoE VLAN. The firewall filters allow FCoE frames to pass through the transit switch only between the server ENode FCoE port and the FCF FCoE port to which the server ENode has logged in. This ensures that ENodes can only connect to the FCFs they have successfully logged in to and that only valid FCoE traffic is transmitted. FIP snooping maintains the filters by tracking FCoE sessions.

FIP Snooping Firewall Filters The FIP snooping firewall filters deny any FCoE traffic on the VLAN except for traffic originating from ENodes that have already logged in to the FCF. FIP snooping performs these actions and checks to ensure that FCoE traffic is valid:

4688

•

Denies ENodes that use the FCF media access control (MAC) address as the source address.

•

Denies all traffic from the ENode other than traffic addressed to the FCF that the Enode has logged into.

•

Restricts the ENode to sending only FCoE protocol traffic on the virtual link.

•

Allows the ENode to transmit only FIP and FCoE frames to the FCF address.

•

Ensures that the FCoE source address an ENode uses after fabic login and fabric discovery (FDISC) is the address the FCF assigned to that ENode.


Chapter 132: Converged Networks (LAN and SAN)—Overview

•

Ensures that the FCoE source address the FCF assigns or accepts is only used for FCoE traffic.

•

Ensures that FCoE frames are only addressed to the accepting FCF.

FIP Snooping Implementation You enable FIP snooping on a per-VLAN basis. The FCoE transit switch snoops FIP frames at the access ports associated with the FIP snooping-enabled VLANs, then installs the resulting firewall filters on the access ports to ensure that all snooping occurs on the FCoE transit switch network edge. FCoE VLANs can include both access ports and trunk ports. Access ports face the hosts (FCoE servers and other FCoE initiators), and trunk ports face the FCF. When FIP snooping is enabled, the FCoE transit switch inspects both FIP frames and FCoE frames. The FIP snooping implementation includes these considerations: •

Server ENode-Facing Interfaces on page 4689

•

FCF-Facing Interfaces on page 4689

•

FCoE Mapped Address Prefix on page 4689

Server ENode-Facing Interfaces We recommend that you enable FIP snooping on all FCoE access ports to ensure secure connections to FCFs. After you enable FIP snooping on an FCoE VLAN, the transit switch denies FCoE traffic from any server on that VLAN until the server performs a valid fabric login with an FCF.

FCF-Facing Interfaces You must configure the interface that you are using to connect to an FCF as FCoE trusted interface, and it must be a 10 Gigabit Ethernet interface. An FCoE trusted interface receives FCoE traffic only from an FCF. The following conditions apply to FCFs and FCF-facing interfaces: •

By default, FCFs are trusted entities.

•

The FCoE transit switch always processes FCF frames because they come from a trusted source.

FCoE Mapped Address Prefix When you enable FIP snooping on a VLAN, optionally you can specify the FCoE Mapped Address Prefix (FC-MAP) value for that VLAN if the network uses the fabric-provided MAC address (FPMA) addressing scheme. The FC-MAP value is a 24-bit value that identifies the FCF. The FCF combines the FC-MAP value with a unique 24-bit Fibre Channel ID (FCID) value for the server during the fabric login process, creating a unique 48-bit identifier. The FCF assigns the 48-bit value to the server ENode as its MAC address and unique identifier for the session. Each server session the ENode establishes with the FCF


4689

®


receives a unique FCID, so a server can host multiple virtual links to an FCF, each with a unique 48-bit address identifier. The FIP snooping filter compares the configured FC-MAP value with the FC-MAP value in the header of frames coming from the server. If the values do not match, the FCoE transit switch denies access.

T11 FIP Snooping Specification For more details about FIP snooping, see the Technical Committee T11 organization document Increasing FCoE Robustness using FIP Snooping at http://www.t11.org/ftp/t11/pub/fc/bb-5/08-264v3.pdf. Related Documentation

•


•


•

Configuring FIP Snooping on an FCoE Transit Switch on page 4721

Understanding Using an FCoE Transit Switch You can use an EX4500 switch as a Fibre Channel over Ethernet (FCoE) transit switch. An FCoE transit switch is a Layer 2 data center bridging (DCB) switch that can transport FCoE frames and implement FCoE Initialization Protocol (FIP) snooping. The switch can transport both FCoE and Ethernet LAN traffic over the same network infrastructure while preserving the class of service (CoS) that Fibre Channel (FC) traffic requires. An FCoE transit switch does not encapsulate or decapsulate FC frames in Ethernet. It is an access switch that transports FC frames that have already been encapsulated in Ethernet between FCoE initiators such as servers and an FCoE forwarder (FCF), which is in an FC storage area network (SAN). The transit switch acts as a passthrough switch and is transparent to the FCF, which detects each connection to an FCoE server as a direct point-to-point link. When the switch acts as a transit switch, the VLANs you configure for FCoE traffic can use any of the switch ingress and egress ports, because the traffic in both directions is Ethernet traffic. FCoE traffic must use a VLAN dedicated only to FCoE traffic that does not carry any other traffic. When the switch acts as a transit switch, you must enable priority-based flow control (PFC, IEEE standard 802.1Qbb) as a link-level flow control mechanism. See “Understanding Priority-Based Flow Control” on page 4451 for additional information. FIP snooping adds security by filtering access so that only traffic from servers that have successfully logged in to the FC network passes through the transit switch and reaches the FC network. The transit switch transparently connects FCoE-capable servers in an Ethernet LAN to an FCF, which has both FCoE and FC interfaces and processes both the FCoE and FC protocol stacks. The transit switch acts as a transparent access layer between FCoE servers and the FCF.

4690



Encapsulated FCoE server traffic flows through the transit switch to the FCoE ports on the FCF. The FCF removes the Ethernet encapsulation from the FCoE frames to restore the native FC frames. Native FC traffic travels out FCF FC ports to storage devices in the FC SAN. Native FC traffic from storage devices flows to the FCF FC ports, and the FCF encapsulates that traffic in Ethernet as FCoE traffic. The FCoE traffic flows through the transit switch to the appropriate server, and the server decapsulates the traffic. Related Documentation

•


Understanding Priority-Based Flow Control Priority-based flow control (PFC), IEEE standard 802.1Qbb, is a link-level flow control mechanism. The flow control mechanism is similar to that used by IEEE 802.3x Ethernet PAUSE, but it operates on individual priorities. Instead of pausing all traffic on a link, PFC allows you to selectively pause traffic according to its class. This topic describes: •

Reliability of Packet Delivery in Standard Ethernet Networks and in Layer 2 Networks on page 4691

•

Calculations for Buffer Requirements When Using PFC PAUSE on page 4692

•

How PFC and Congestion Notification Profiles Work With or Without DCBX on page 4692

Reliability of Packet Delivery in Standard Ethernet Networks and in Layer 2 Networks Standard Ethernet does not guarantee that a packet injected into the network will arrive at its intended destination. Reliability is provided by upper-layer protocols. Generally, a network path consists of multiple hops between the source and destination. A problem arises when transmitters send packets faster than receivers can accept them. When receivers run out of available buffer space to hold incoming flows, they silently drop additional incoming packets. This problem is generally resolved by upper-layer protocols that detect the drops and request retransmission. Applications that require reliability in Layer 2 must have flow control that includes feedback from a receiver to a sender regarding buffer availability. Using IEEE 802.3x Ethernet PAUSE control frames, a receiver can generate a MAC control frame and send a PAUSE request to a sender when a specified threshold of receiver buffer has been filled to prevent buffer overflow. Upon receiving a PAUSE request, the sender stops transmission of any new packets until the receiver notifies the sender that it has sufficient buffer space to accept them again. The disadvantage of using Ethernet PAUSE is that it operates on the entire link, which might be carrying multiple traffic flows. Some traffic flows do not need flow control in Layer 2, because they are carrying applications that rely on upper-layer protocols for reliability. PFC enables you to configure Layer 2 flow control selectively for the traffic that requires it, such as Fibre Channel over Ethernet (FCoE) traffic, without impacting other traffic on the link. You can also enable PFC for other traffic types, such as iSCSI.


4691

®


Calculations for Buffer Requirements When Using PFC PAUSE The receive buffer must be large enough to accommodate all data that is received while the system is responding to a PFC PAUSE frame. When you calculate buffer requirements, consider the following factors: •

Processing and queuing delay of the PFC PAUSE—In general, the time to detect the lack of sufficient buffer space and to transmit the PFC PAUSE is negligible. However, delays can occur if the switch detects a reduction in buffer space just as the transmitter is beginning to transmit a maximum length frame.

•

Propagation delay across the media—The delay amount depends on the length and speed of the physical link.

•

Response time to the PFC PAUSE frame

•

Propagation delay across the media on the return path

NOTE: We recommend that you configure at least 20 percent of the buffer size for the queue that is using PFC and that you do not specify the exact option. Because it is mandatory to explicitly configure a certain percentage of buffer size for PFC, you must also explicity configure some buffer size for any other forwarding classes that you are planning to use (including the default forwarding classes and the user-defined forwarding classes). The percentage that you allocate depends on the usage of the respective classes.

How PFC and Congestion Notification Profiles Work With or Without DCBX PFC can be applied to an interface regardless of whether the Data Center Bridging Capability Exchange protocol (DCBX) is enabled (DCBX is enabled by default for 10-Gigabit Ethernet interfaces on EX4500 CEE-enabled switches). However, automatic control and advertisement of PFC requires DCBX: •

When DCBX is enabled—DCBX detects the data center bridging (DCB) neighbor’s PFC configuration, uses autonegotiation to advertise local and peer PFC configuration, and then enables or disables PFC depending on whether the configurations are compatible or not. When PFC is enabled, it uses the congestion notification profile, which you have configured and applied to the interface.

•

When DCBX is not enabled—Class of service (CoS) triggers PFC when the incoming frame has a User Priority (UP) field that matches the three-bit pattern specified for the congestion notification profile.

To manually control the use of PFC on the interface regardless of the configuration of the peer data center devices, you can explicitly change the configuration of DCBX on the interface to disable PFC autonegotiation. See “Disabling DCBX to Disable PFC Autonegotiation on EX Series Switches (CLI Procedure)” on page 4726. When PFC

4692



autonegotiation is disabled, PFC is triggered by the congestion notification profile for PFC regardless of the configuration of the DCB peer.

NOTE: PFC functions effectively only when the peer devices connected to the local interface are also using PFC and are configured compatibly with the local interface. PFC must be symmetrical—if PFC is not configured to use the same traffic class (code point) on both the local and the peer interface, it does not have any impact on the traffic.

Table 497 on page 4453 shows the one-to-one mapping between the UP field of an IEEE 802.1Q tagged frame, the traffic class, and the egress queue. In addition to setting a PFC congestion notification profile on an ingress port, you must set a forwarding class to match the priority specified in the PFC congestion notification profile and to forward the frame to the appropriate queue. Juniper Networks EX Series Ethernet Switches support up to six traffic classes and allow you to associate those classes with six different congestion notification profiles. (The switches support up to 16 forwarding classes.)

Table 546: Input for PFC Congestion Notification Profile and Mapping to Traffic Class and Egress Queue UP Field of IEEE-802.1Q Tagged Frame

Traffic Class

Egress Queue

000

TC 0

queue 0

001

TC 1

queue 1

010

TC 2

queue 2

011

TC 3

queue 3

100

TC4

queue 4

101

TC 5

queue 5


•


•


•


•

schedulers on page 4554

•

congestion-notification-profile on page 4743


4693

®


Understanding Data Center Bridging Capability Exchange Protocol for EX Series Switches Data Center Bridging Capability Exchange protocol (DCBX) is a discovery and exchange protocol for communicating configuration and capabilities among neighbors to ensure consistent configuration across the data center bridging (DCB) network. It is an extension of Link Layer Discovery Protocol (LLDP). DCB devices use DCBX to exchange configuration information with directly connected peers (switches and data center devices such as servers). On Juniper Networks EX Series Ethernet Switches, you can use DCBX to: •

Discover the DCB capabilities of peers

•

Detect DCB feature misconfiguration or mismatches between peers

•

Automatically enable or disable priority-based flow control (PFC) on an interface depending on whether the PFC configuration of the local interface is the same as the PFC configuration of the DCB peer


Basic DCBX Functioning on page 4694

•

DCBX and PFC on page 4695

•

DCBX and FCoE on page 4695

•

DCBX and iSCSI on page 4695

•

How DCBX Is Implemented on the Switches on page 4696

•

Features That Are Not Supported in DCBX on the Switches on page 4696

Basic DCBX Functioning DCBX features support PFC, the Fibre Channel over Ethernet (FCoE) application, and other Layer 2 or Layer 4 applications (such as iSCSI). DCBX is enabled or disabled on a per-interface basis. The default autonegotiation behavior is: DCBX is enabled if the peer device connected to the interface also supports DCBX. If the peer device connected to the interface does not support DCBX, DCBX remains enabled on the switch, but the switch detects that DCBX is not enabled on the peer and reports a misconfiguration for that interface when you issue the show dcbx neighbors command. During negotiation of capabilities, the switch pushes the PFC configuration to an attached peer if the peer is configured as “willing” to learn the PFC configuration from other peers. The switch does not support autoprovisioning and does not change its configuration during autonegotiation to match the peer configuration—that is, the switch is not “willing” to learn the PFC configuration from peers.

4694



DCBX and PFC After you enable PFC on a switch interface, DCBX uses autonegotiation to control the operational state of PFC functionality. DCB devices must use the same traffic class (code point) on both the local and peer device. If the peer device connected to the interface supports PFC and is provisioned for the same traffic class as the switch interface, DCBX sets the PFC operational state to enabled. If the peer device connected to the interface does not support PFC or is not provisioned for the same traffic class, DCBX sets the operational state to disabled. If the peer advertises that it is “willing” to learn its PFC configuration from the switch, DCBX pushes the switch’s PFC configuration to the peer and does not check the peer’s administrative state. You can manually override DCBX control of the PFC operational state on a per-interface basis by disabling autonegotiation. If you disable autonegotiation on an interface on which you have configured PFC, then PFC remains enabled on that interface regardless of the peer configuration. To disable PFC on an interface, delete any PFC configuration on the interface.

DCBX and FCoE DCBX is mandatory for running FCoE applications, because FCoE traffic requires PFC to ensure lossless transport and PFC is a component of DCBX. The FCoE application is configured by default on DCBX interfaces. Due to the FCoE requirement for lossless transport, we recommend that you configure the interfaces that carry FCoE traffic for PFC. See “Configuring Priority-Based Flow Control for an EX Series Switch (CLI Procedure)” on page 4723. DCBX advertisement of the FCoE application functions as follows: •

If you configure the fcoe forwarding class and PFC congestion notification profile and assign these components to the interfaces that carry FCoE traffic, DCBX advertises their FCoE capability and assigned 802.1p code points to the DCB peer, and DCBX reports the FCoE capability and assigned 802.1p code points of the DCB peer to the switch.

DCBX and iSCSI DCBX is not essential for iSCSI applications. These applications provide a method for linking data storage facilities over IP networks. Unlike Fibre Channel (FC) communications, which require special-purpose cabling, iSCSI can be run over long distances by using existing network infrastructure. You might want to use iSCSI over DCB to reduce latency in a network that is oversubscribed. You might also want to use it to provide predictable and certain application responsiveness, eliminating Ethernet’s dependence on TCP/IP for the retransmission of dropped Ethernet frames.


4695

®


DCBX advertises switch interfaces that are configured to support the iSCSI application, their PFC capability, and their assigned 802.1p code points.

How DCBX Is Implemented on the Switches On the switches, the implementation of DCBX is: •

Supported on EX4500 switches only (See “EX4500 Switch Models” on page 58 for a list of CEE-capable models.)

•

Supported on aggregated Ethernet interfaces composed of 10-Gigabit Ethernet interfaces

•

Enabled by default on all 10-Gigabit Ethernet interfaces

On the switches, DCBX supports the application TLV—thus, DCBX interfaces on the switch can exchange information with their DCB peers about application capability, PFC capability, and 802.1p code-point settings. This implementation includes the following: •

The FCoE application is enabled by default on DCBX interfaces on the switch. Therefore, you do not must configure an application map for the default FCoE application. The switches do not have a default FCoE forwarding class—therefore, you must explicitly configure a forwarding class with the name fcoe and associate that class with the interfaces carrying FCoE traffic. If PFC is enabled, the 802.1p code points are assigned, and the interfaces are associated with a forwarding class, the switch negotiates FCoE application capability on the DCBX interface.

•

Do not explicitly configure an FCoE application map, because that generates a commit error.

•

You can configure additional Layer 2 or Layer 4 applications to be supported by the DCBX application TLV feature. To do this, you must explicitly configure an application map and associate the application map with one of the DCBX interfaces. DCBX then advertises the application capabilities of the associated interface and checks the capabilities of the connected peer device.

•

If the peer device connected to the local interface does not support PFC or the peer’s PFC configuration is not the same as the local interface’s PFC configuration, DCBX automatically disables PFC for the local interface.

NOTE: You can manually override DCBX control of the PFC operational state on a per-interface basis. See “Disabling DCBX to Disable PFC Autonegotiation on EX Series Switches (CLI Procedure)” on page 4726.

Features That Are Not Supported in DCBX on the Switches DCBX on the switches does not support: •

4696

Enhanced transmission selection (ETS) (IEEE 802.1Qaz)—Two-tier hierarchical scheduling that defines the CoS properties for each priority group and for each priority



•

A default FCoE forwarding class—The switch does not have a default FCoE forwarding class with default mapping to a priority queue for FCoE traffic.

NOTE: Because the switches do not support a default FCoE forwarding class, you must explicitly configure a forwarding class and name it fcoe.


•


•


•


Understanding DCB Features and Requirements on EX Series Switches Data center bridging (DCB) is a set of enhancements to the IEEE 802.1 bridge specifications. DCB modifies and extends Ethernet behavior to support I/O convergence in the data center. I/O convergence includes but is not limited to the transport of Ethernet LAN traffic and Fibre Channel (FC) storage area network (SAN) traffic on the same physical Ethernet network infrastructure. A converged architecture saves cost by reducing the number of networks and switches required to support both types of traffic, reducing the number of interfaces required, reducing cable complexity, and reducing administration activities. You can use DCB features on Juniper Networks EX4500 CEE-enabled switches to transport converged Ethernet and FC traffic while providing the class-of-service (CoS) characteristics and other characteristics FC requires for transmitting storage traffic. This topic describes: •

EX Series Switch DCB Features Overview on page 4697

•

Physical Interfaces on page 4698

•

DCBX on page 4698

•

Lossless Transport on page 4698

EX Series Switch DCB Features Overview To accommodate FC traffic, DCB specifications provide: •

High-bandwidth interface

•

A discovery and exchange protocol for communicating configuration and capabilities among neighbors to ensure consistent configuration across the network, called Data Center Bridging Capability Exchange protocol (DCBX), which is an extension of Link Layer Discovery Protocol (LLDP, described in IEEE 802.1AB).

•

A flow control mechanism called priority-based flow control (PFC, described in IEEE 802.1Qbb) to help provide lossless transport.


4697

®


NOTE: The switches support the DCBX standards and PFC, but do not support enhanced transmission selection (ETS) and quantized congestion notification (QCN).

Physical Interfaces The switches provide the high-bandwidth interfaces (10-Gigabit Ethernet interfaces) required to support DCB and converged traffic. Your switch can have both 1-gigabit and 10-gigabit interfaces, depending on the configuration. DCBX works only on 10-gigabit, full-duplex interfaces. However, LLDP and DCBX are enabled by default on all the interfaces.

DCBX DCB devices use DCBX to exchange configuration information with directly connected peers (switches and data center devices such as servers). DCBX is an extension of LLDP. See “Understanding Data Center Bridging Capability Exchange Protocol for EX Series Switches” on page 4694 for details.

Lossless Transport FC traffic requires lossless transport (defined as no frames dropped because of congestion). Standard Ethernet does not support lossless transport, but the DCB extensions to Ethernet along with proper buffer management enable an Ethernet network to provide the level of CoS necessary to transport FC frames encapsulated in Ethernet over an Ethernet network. This section describes these factors in creating lossless transport over Ethernet: •

PFC on page 4698

•

Buffer Management on page 4698

PFC PFC is a link-level flow control mechanism similar to Ethernet PAUSE (described in IEEE 802.3x). Ethernet PAUSE stops all traffic on a link for a specified period of time. PFC allows you to assign special priority to a specific traffic class for a specified period of time without stopping the traffic assigned to other priorities on the link. You assign this priority by using a congestion notification profile. The switches support up to six traffic classes and allow you to associate those classes with six different congestion notification profiles. PFC enables you to provide lossless transport for traffic assigned to use the PFC congestion notification profile and to use standard Ethernet transport for the rest of the link traffic.

Buffer Management Buffer management is critical to the proper functioning of PFC, because if buffers are allowed to overflow, frames are dropped and transport is not lossless.

4698



For each lossless flow priority, the switch requires sufficient buffer space to: •

Store frames sent during the time it takes to send the PFC PAUSE across the cable between devices

•

Store frames that are already on the wire when the sender receives the PFC PAUSE

The amount of buffer space needed to prevent frame loss due to congestion depends on the cable length, cable speed, and processing speed. The switch automatically sets the threshold for sending a PFC PAUSE frame to accommodate delay from cables as long as 984 feet (300 meters) and to accommodate large frames that might be on the wire when the switch sends the PAUSE. This ensures that the switch sends PAUSEframes early enough to allow the sender to stop transmitting before the receive buffers on the switch overflow. Related Documentation

•


•


Understanding DCBX Application Protocol TLV Exchange on EX Series Switches Data Center Bridging Capability Exchange protocol (DCBX) discovers the data center bridging (DCB) capabilities of connected peers. DCBX also advertises the capabilities of applications on interfaces by exchanging application protocol information through application type, length, and value (TLV) elements. DCBX is an extension of Link Layer Discovery Protocol (LLDP). LLDP must remain enabled on every interface on which you want to use DCBX.

NOTE: LLDP and DCBX are enabled by default on all 10-Gigabit Ethernet interfaces of EX4500 CEE-enabled switches.


Basic Steps for Setting Up Application Protocol TLV Exchange on page 4699

•

Applications on page 4700

•

Application Maps on page 4700

•

Classifying and Prioritizing Application Traffic on page 4701

•

Requirements for Interfaces in Non-FCoE Applications to Exchange Application Protocol Information on page 4701

Basic Steps for Setting Up Application Protocol TLV Exchange Setting up application protocol exchange for FCoE applications consists of: •

Configuring the fcoe forwarding class for IEEE 802.1p code point 011

•

Configuring PFC tfor IEEE 802.1p code point 011


4699

®


We recommend that you use code point 011 for the fcoe forwarding class, because this is the conventional IEEE 802.1p code point for FCoE traffic. We recommend that you configure PFC to use the same code point. See “Example: Configuring an FCoE Transit Switch” on page 4703. Setting up application protocol exchange for non-FCoE applications consists of: •

Defining applications

•

Mapping the applications to IEEE 802.1p code points

•

Configuring classifiers to prioritize incoming traffic map and map the incoming traffic to the application by the traffic code points

•

Applying the application maps and classifiers to interfaces

Except for FCoE applications, you must explicitly define and map all applications that you want an interface to advertise.

NOTE: Do not explicitly configure an FCoE application map, because doing that generates a commit error.

Applications Before an interface can exchange application protocol information, you must define the applications that you want to advertise, except for the FCoE application, which is defined by default. You can define: •

Layer 2 applications by EtherType

•

Layer 4 applications (such as iSCSI applications) by a combination of protocol (TCP or UDP) and destination port

The EtherType is a two-octet field in the Ethernet frame that denotes the protocol encapsulated in the frame. For a list of common EtherTypes, see http://standards.ieee.org/develop/regauth/ethertype/eth.txt on the IEEE standards organization website. For a list of port numbers and protocols, see the Service Name and Transport Protocol Port Number Registry at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

on the Internet Assigned Numbers Authority (IANA) website. The switch automatically defines the FCoE application as EtherType 0x8906.

Application Maps An application map maps defined applications to one or more IEEE 802.1p code points. Each application map contains one or more applications. DCBX includes the configured application code points in the protocol TLVs exchanged with the connected peer. To exchange protocol TLVs for an application, you must include the application in an application map (with the exception of the FCoE application).

4700



Mapping an application to code points does two things: •

Maps incoming traffic with the same code points to that application.

•

Allows you to configure classifiers that map incoming application traffic, by code point, to a forwarding class and a loss priority to apply class of service (CoS) to application traffic and prioritize application traffic.

You apply an application map to an interface to enable DCBX application protocol exchange on that interface for each application specified in the application map. Applications that you want an interface to advertise must be configured in the application map that you apply to the interface (except the FCoE application). Do not explicitly configure an FCoE application map, because doing that generates a commit error.

Classifying and Prioritizing Application Traffic When traffic arrives at an interface, the interface classifies the incoming traffic based on its code points. Classifiers map code points to loss priorities and forwarding classes. The loss priority prioritizes the traffic. The forwarding class determines the traffic output queue and CoS service level. When you map an application to an IEEE 802.1p code point in an application map and apply the application map to an interface, incoming traffic on the interface that matches the application code points is mapped to the appropriate application. The application receives the loss priority and the CoS associated with the forwarding class for those code points, and its trafffic is placed in the output queue associated with the forwarding class. You can use the default classifier or you can configure a classifier to map the application code points defined in the application map to forwarding classes and loss priorities. Traffic for the FCoE application is classified and prioritized by your configuration of the fcoe forwarding class.

Requirements for Interfaces in Non-FCoE Applications to Exchange Application Protocol Information For non-FCoE applications, interfaces on which you want to exchange application protocol TLVs must include the following two items: •

The application map that contains the application

•

A classifier

See “Defining an Application for DCBX Application Protocol TLV Exchange” on page 4727 and “Configuring an Application Map for DCBX Application Protocol TLV Exchange” on page 4728. Related Documentation

•


•


•



4701

®


•

4702

Disabling DCBX Application Protocol Exchange on EX Series Switches (CLI Procedure) on page 4726


CHAPTER 133

Example: Converged Networks (LAN and SAN) Configuration •


•

Example: Configuring DCBX to Support an iSCSI Application on page 4715

Example: Configuring an FCoE Transit Switch You can use an EX4500 CEE-enabled switch as a Fibre Channel over Ethernet (FCoE) transit switch, enabling it to transport both FCoE and Ethernet LAN traffic. Using the same switch to support both your storage network and traditional IP-based data communications reduces the costs of powering, cooling, provisioning, maintaining, and managing your network. This example includes: •

FIP snooping for security

•

Priority-based flow control (PFC) for lossless transport

•

The FCoE forwarding class for the DCBX application protocol type, length, value (TLV) exchange

•

A trusted port connecting to the FCoE forwarder (FCF)

•

Enlarged maximum transmission unit (MTU) size for handling FCoE traffic

This example shows how to configure an FCoE transit switch: •


•


•


•



One EX4500 switch (CEE-capable model)

•



4703

®


•

One FCoE Node (ENode)

•

One FCoE forwarder (FCF)


Configured the VLAN fcoe-vlan on the switch. See “Configuring VLANs for EX Series Switches (CLI Procedure)” on page 2220.

Overview and Topology FCoE transmissions are vulnerable to address spoofing and man-in-the-middle attacks, because they are not actually sent through point-to-point links. This example describes how to configure the switch so that it provides security similar to that provided by traditional Fibre Channel (FC) networks. The switch is transparent to the ENode and the FCF, so the ENode and FCF communicate just as they would for a point-to-point link. FIP snooping is disabled by default. You enable FIP snooping on a per-VLAN basis for VLANs that carry FCoE traffic. Ensure that a VLAN that carries FCoE traffic carries only FCoE traffic, because enabling FIP snooping denies access for all other Ethernet traffic. This example shows how to configure FIP snooping on a VLAN of the EX4500 switch that is connected with one ENode, that is, a server equipped with converged network adapters (CNAs). The setup for this example includes the VLAN fcoe-vlan on the switch. This example also shows how to configure PFC on the interfaces that are being used for FCoE traffic and how to configure an FCoE trusted port to handle traffic between the switch and the FCF gateway to the storage area network (SAN). You must configure PFC properties for the interfaces that are carrying FCoE traffic, because flow control must be implemented on the link level for this type of traffic.

NOTE: Data Center Bridging Capability Exchange protocol (DCBX) is enabled by default on all 10-Gigabit Ethernet interfaces on EX4500 switches. DCBX automatically controls whether PFC is enabled or disabled on the interface. However, you must configure the PFC properties selecting the traffic class and queue. See “Configuring Priority-Based Flow Control for an EX Series Switch (CLI Procedure)” on page 4723.

You configure trunk interfaces that connect to the FCF as trusted interfaces. The switch must use the same FCoE MAC Address Prefix (FC-MAP) value that is being used by the FCF. Therefore, if the FCF is using a nondefault FC-MAP value, you must configure the FC-MAP value on the switch to match that value. You must also enlarge the MTU size for all interfaces (both access and trunk) that are handling FCoE traffic to accommodate the maximum FC frame and Ethernet header sizes. This example also includes configuring the fcoe forwarding class to be used for the FCoE traffic, so that it can take advantage of DCBX support for the Application Protocol TLV

4704


Chapter 133: Example: Converged Networks (LAN and SAN) Configuration

Exchange. See “Understanding Data Center Bridging Capability Exchange Protocol for EX Series Switches” on page 4694 for additional information.

NOTE: Configuring and applying PFC and a forwarding class fcoe on the DCBX interfaces automatically enables the DCBX FCoE application protocol exchange on those interfaces. Do not explicitly configure an FCoE application map, because doing that generates a commit error. See “Understanding Data Center Bridging Capability Exchange Protocol for EX Series Switches” on page 4694 for additional information.

NOTE: PFC is supported only on 10-Gigabit Ethernet interfaces.

NOTE: We recommend that you also: •

Configure the PFC congestion notification profile for the same 802.1p code points that you are using for the fcoe forwarding class. We recommend code point 011, because this is the conventional IEEE 802.1p code point for FCoE traffic.

•

Configure at least 20 percent of the buffer for the queue that is using PFC.

•

Do not specify the exact option when configuring the buffer for the queue that is using PFC.

•

Configure the loss-priority statement to low for a traffic class that is using PFC.

•

Configure an appropriate percent of the buffer for any other forwarding classes (default forwarding classes and the user-defined forwarding classes) that you are using


Table 547: Components of the FCoE Security Topology Properties

Settings

Switch hardware

One EX4500 CEE-enabled switch

VLAN name and ID

fcoe-vlan, tag 20

Forwarding class for FCoE traffic

fcoe, code point 011

Interfaces in fcoe-vlan

xe-0/0/1 xe-0/0/2 xe-0/0/3 xe-0/0/30

FCoE trusted port to the FCF

xe-0/0/30


4705

®


Table 547: Components of the FCoE Security Topology (continued) Properties

Settings

PFC interfaces

xe-0/0/1 xe-0/0/2 xe-0/0/3 xe-0/0/30

CoS forwarding-class interface

xe-0/0/30

CoS scheduler-map interface

xe-0/0/30

Interfaces configured with MTU of 2500

xe-0/0/1 xe-0/0/2 xe-0/0/3 xe-0/0/30



•

DCBX is enabled by default on all 10-Gigabit Ethernet interfaces.

•

The port connecting the switch to the FCF is configured as a trunk port.

Configuration To configure an FCoE transit switch, perform these tasks: CLI Quick Configuration

To quickly configure an FCoE transit switch, copy the following commands and paste them into the switch terminal window: [edit] set ethernet-switching-options secure-access-port vlan fcoe-vlan examine-fip fc-map 0x0EFC03 set ethernet-switching-options secure-access-port interface xe-0/0/30 fcoe-trusted set interfaces xe-0/0/1 ether-options no-flow-control set interfaces xe-0/0/2 ether-options no-flow-control set interfaces xe-0/0/3 ether-options no-flow-control set interfaces xe-0/0/30 ether-options no-flow-control set class-of-service congestion-notification-profile cn-profile input ieee-802.1 code-point 011 pfc set class-of-service interfaces xe-0/0/1 congestion-notification-profile cn-profile set class-of-service interfaces xe-0/0/2 congestion-notification-profile cn-profile set class-of-service interfaces xe-0/0/3 congestion-notification-profile cn-profile set class-of-service interfaces xe-0/0/30 congestion-notification-profile cn-profile set class-of-service classifiers ieee-802.1 pfc-class import default set class-of-service classifiers ieee-802.1 pfc-class forwarding-class fcoe loss-priority low code-points 011 set class-of-service interfaces xe-0/0/1 unit 0 classifiers ieee-802.1 pfc-class set class-of-service interfaces xe-0/0/2 unit 0 classifiers ieee-802.1 pfc-class set class-of-service interfaces xe-0/0/3 unit 0 classifiers ieee-802.1 pfc-class set class-of-service interfaces xe-0/0/30 unit 0 classifiers ieee-802.1 pfc-class set class-of-service forwarding-classes class fcoe queue-num 3 set class-of-service schedulers pfc-sched buffer-size percent 25 set class-of-service schedulers default-sched buffer-size percent 17

4706



set class-of-service scheduler-maps pfc-map forwarding-class fcoe scheduler pfc-sched set class-of-service scheduler-maps pfc-map forwarding-class assured-forwarding scheduler default-sched set class-of-service scheduler-maps pfc-map forwarding-class best-effort scheduler default-sched set class-of-service scheduler-maps pfc-map forwarding-class network-control scheduler default-sched set class-of-service scheduler-maps pfc-map forwarding-class expedited-forwarding scheduler default-sched set class-of-service interfaces xe-0/0/30 scheduler-map pfc-map set interfaces xe-0/0/1 mtu 2500 set interfaces xe-0/0/2 mtu 2500 set interfaces xe-0/0/3 mtu 2500 set interfaces xe-0/0/30 mtu 2500


To configure an FCoE transit switch: 1.

Enable FIP snooping on the VLAN and modify the FC-MAP value to match the FC-MAP value being used by the FCF: [edit ethernet-switching-options secure-access-port] user@switch# set vlan fcoe-vlan examine-fip fc-map 0x0EFC03

2.

Set the FCF-facing interface (xe-0/0/30) as FCoE-trusted: [edit ethernet-switching-options secure-access-port] user@switch# set interface xe-0/0/30 fcoe-trusted

3.

Configure a congestion notification profile, specifying the name of the profile and applying it to the traffic class that is indicated by the User Priority bits in the 802.1Q tagged frame of an incoming packet:

NOTE: The ENode and the switch must use the same traffic class for the FCoE traffic. DCBX advertises the traffic class being used by the switch and detects the traffic class being used by the ENode. If there is a mismatch, the switch disables the PFC capability of the switch interface.

[edit class-of-service] user@switch# set congestion-notification-profile cn-profile input ieee-802.1 code-point 011 pfc

NOTE: The configuration of PFC includes two different ieee-802.1 configuration statements:

4.

•

ieee-802.1 (Congestion Notification)—Use to configure the congestion notification profile.

•

ieee-802.1—Use to configure the CoS classifier.

Disable standard flow control on the interfaces that you want to use for the FCoE VLAN.


4707

®


NOTE: PFC and standard flow control cannot be enabled on the same interface, and you must use PFC for FCoE traffic.

[edit interfaces] user@switch# set xe-0/0/1 ether-options no-flow-control user@switch# set xe-0/0/2 ether-options no-flow-control user@switch# set xe-0/0/3 ether-options no-flow-control user@switch# set xe-0/0/30 ether-options no-flow-control 5.

Bind the congestion notification profile to all interfaces of the FCoE VLAN: [edit class-of-service] user@switch# set interface xe-0/0/1 congestion-notification-profile cn-profile user@switch# set interface xe-0/0/2 congestion-notification-profile cn-profile user@switch# set interface xe-0/0/3 congestion-notification-profile cn-profile user@switch# set interface xe-0/0/30 congestion-notification-profile cn-profile

6.

Create a CoS classifier for the fcoe forwarding class: [edit class-of-service] user@switch# set forwarding-classes fcoe queue-num 3

7.

Configure this forwarding class (fcoe) to use a low loss priority value and to use the same code point that is used for PFC:

NOTE: We recommend that you use code point 011, because this is the conventional IEEE 802.1p code point for FCoE traffic.

[edit class-of-service] user@switch# set classifiers ieee-802.1 pfc-class forwarding-class fcoe loss-priority (Classifiers and Rewrite Rules) low code-points 011 8.

Bind the pfc-class classifier to all interfaces of the FCoE VLAN: [edit class-of-service] user@switch# set interfaces xe-0/0/1 unit 0 classifiers ieee-802.1 pfc-class user@switch# set interfaces xe-0/0/2 unit 0 classifiers ieee-802.1 pfc-class user@switch# set interfaces xe-0/0/3 unit 0 classifiers ieee-802.1 pfc-class user@switch# set interfaces xe-0/0/30 unit 0 classifiers ieee-802.1 pfc-class

9.

Assign forwarding-class fcoe to an egress queue: [edit class-of-service] user@switch# set forwarding-classes fcoe queue-num 3

10.

Set a scheduler for this queue, allocating at least 20 percent of the buffer to pfc-sched: [edit class-of-service] user@switch# set schedulers pfc-sched buffer-size percent 25

11.

Set a scheduler for the default queue, allocating 17 percent of the buffer to that queue: [edit class-of-service] uuser@switch# set schedulers default-sched buffer-size percent 17

12.

4708

Configure a scheduler map (pfc-map) that associates the scheduler (pfc-sched) with the fcoe forwarding class and associates the default forwarding classes (assured-forwarding, best-effort and network-control) with the default schedule:



[edit class-of-service] user@switch# set scheduler-maps pfc-map forwarding-class fcoe scheduler pfc-sched user@switch# set scheduler-maps pfc-map forwarding-class assured-forwarding schedulerdefault-sched user@switch# set scheduler-maps pfc-map forwarding-class best-effort scheduler default-sched user@switch# set scheduler-maps pfc-map forwarding-class network-control scheduler default-sched user@switch# set scheduler-maps pfc-map forwarding-class expedited-forwarding scheduler default-sched 13.

Assign the scheduler map (pfc-map) to the FCF-facing interface (xe-0/0/30): [edit class-of-service] user@switch# set interfaces xe-0/0/30 scheduler-map pfc-map

14.

Enlarge the MTU size to 2500 bytes for all the interfaces (both access and trunk) that are handling FCoE traffic: [edit interfaces] user@switch# set xe-0/0/1 mtu 2500 user@switch# set xe-0/0/2 mtu 2500 user@switch# set xe-0/0/3 mtu 2500 user@switch# set xe-0/0/30 mtu 2500

Results

Display the results of the configuration: [edit] user@switch#show

interfaces { xe-0/0/1 { mtu 2500; ether-options { no-flow-control; } unit 0 { family ethernet-switching { vlan { members fcoe-vlan; } } } } xe-0/0/2 { mtu 2500; ether-options { no-flow-control; } unit 0 { family ethernet-switching { vlan { members fcoe-vlan; } } } } xe-0/0/3 { mtu 2500; ether-options {


4709

®


no-flow-control; } unit 0 { family ethernet-switching { vlan { members fcoe-vlan; } } } } xe-0/0/30 { mtu 2500; ether-options { no-flow-control; } unit 0 { family ethernet-switching { port-mode trunk; vlan { members fcoe-vlan; } } } } } class-of-service { classifiers { ieee-802.1 pfc-class { import default; forwarding-class fcoe { loss-priority low code-points 011; } forwarding-classes { class fcoe queue-num 3; } congestion-notification-profile { cn-profile { input { ieee-802.1 { code-point 011 { pfc; } } } } } interfaces { xe-0/0/1 { congestion-notification-profile cn-profile; unit 0 { classifiers { ieee-802.1 pfc-class; } } } xe-0/0/2 {

4710



congestion-notification-profile cn-profile; unit 0 { classifiers { ieee-802.1 pfc-class; } } xe-0/0/3 { congestion-notification-profile cn-profile; unit 0 { classifiers { ieee-802.1 pfc-class; } } } xe-0/0/30 { congestion-notification-profile cn-profile; scheduler-map pfc-map; unit 0 { classifiers { ieee-802.1 pfc-class; } } } scheduler-maps { pfc-map { forwarding-class fcoe scheduler pfc-sched; forwarding-class assured-forwarding scheduler default-sched; forwarding-class best-effort scheduler default-sched; forwarding-class network-control scheduler default-sched; forwarding-class expedited-forwarding scheduler default-sched; } } schedulers { pfc-sched { buffer-size percent 25; } default-sched { buffer-size percent 17; } } } } ethernet-switching-options { secure-access-port { interface xe-0/0/30.0 { fcoe-trusted; } vlan fcoe-vlan { examine-fip { fc-map 0x0EFC03; } } } }


4711

®


Verification Confirm that the configuration of the FCoE transit switch is working properly: •

Verifying That FIP Snooping Is Working Correctly on the Switch on page 4712

•

Verifying That PFC is Enabled, That the FCoE Application Is Advertised, and That the Switch Interface and DCB Peer Are Using the Same 802.1p Code Points on page 4712

Verifying That FIP Snooping Is Working Correctly on the Switch Purpose Action

Verify that FIP snooping is being implemented on the appropriate VLAN. Send some requests from ENodes to the switch. Display the FIP snooping information : user@switch> show fip snooping vlan detail fcoe-vlan VLAN: fcoe-vlan, FC-MAP: 0e:fc:03 FCF Information FCF-MAC : 30:10:94:01:00:00 Active Sessions : 2 Configured FKA-ADV : 195 Running FKA-ADV : 73 Enode Information Enode-MAC: 10:10:94:01:00:01, Interface: xe-0/0/1 Configured FKA-ADV : 195 Running FKA-ADV : 103 Session Information VN-Port MAC: 0E:FC:03:01:0A:01, FKA-ADV : 178 VN-Port MAC: 0E:FC:03:01:0B:01, FKA-ADV : 194 FCF Information FCF-MAC : 40:10:94:01:00:00 Active Sessions : 2 Configured FKA-ADV : 258 Running FKA-ADV : 212 Enode Information Enode-MAC: 20:10:94:01:00:02, Interface: xe-0/0/0 Configured FKA-ADV : 258 Running FKA-ADV : 242 Session Information VN-Port MAC: 0E:FC:03:02:0C:02, FKA-ADV : 254 VN-Port MAC: 0E:FC:03:02:0D:02, FKA-ADV : 269

Meaning

The output for this VLAN (fcoe-vlan) includes the FC MAP value that you configured. It shows the MAC addresses of the FCF and the ENode that are transmitting FCoE traffic through the switch.

Verifying That PFC is Enabled, That the FCoE Application Is Advertised, and That the Switch Interface and DCB Peer Are Using the Same 802.1p Code Points Purpose

Action

4712

Verify that PFC is enabled on the local switch interface and on the peer interface, and that the local interface and the peer interface are using the same code point. Send some requests from ENodes to the switch.



Display the DCBX information advertised by the configured CoS forwarding class interface (xe-0/0/30) and detected by the switch: user@switch> show dcbx neighbors interface xe-0/0/30 Interface : xe-0/0/30.0 Protocol-State: in-sync Local-Advertisement: Operational version: 0 sequence-number: 1, acknowledge-id: 1 Peer-Advertisement: Operational version: 0 sequence-number: 1, acknowledge-id: 1 Feature: PFC, Protocol-State: in-sync Operational State: Enabled Local-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 6 Code Point 000 001 010 011 100 011 110 111

Admin Mode Disabled Disabled Disabled Disabled Disabled Enabled Disabled Disabled

Peer-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 6

Code Point 000 001 010 011 100 011 110 111

Admin Mode Disabled Disabled Disabled Disabled Disabled Enabled Disabled Disabled

Feature: Application, Protocol-State: in-sync Local-Advertisement: Enable: Yes, Willing: No, Error: No

Appl-Name


Ethernet-Type

Socket-Number

Priority-Map

Status

4713

®


FCoE

0x8906

00001000

Enabled

Peer-Advertisement: Enable: Yes, Willing: No, Error: No

Appl-Name FCoE

Meaning

Ethernet-Type 0x8906

Socket-Number

Priority-Map 00001000

Status Enabled

PFC is a requirement for transmitting FCoE traffic and PFC works only when the local and peer devices are both enabled for PFC and are both using the same traffic class (code point) for transmitting the PFC traffic. In the output for Feature: PFC, check the status of Local-Advertisement to verify that PFC is enabled. If DCBX detects a misconfiguration with the DCB peer, it disables the PFC capability. In this example, the PFC Operational State is enabled, because PFC is configured symmetrically on the switch and the DCB peer. Both devices are using code point 011 for forwarding the traffic. If the results show that PFC is disabled, you van use the information provided by this command to reconfigure the congestion notification profile to match the code point being used for PFC by the peer device. See “Configuring Priority-Based Flow Control for an EX Series Switch (CLI Procedure)” on page 4723. Appl-Name shows the default FCoE application. The FCoE application always indicates Ethernet-Type 0x8906. The Priority-Map for the FCoE application shows the 8-bit format

of the code-point setting that was specified for the PFC congestion notification profile. In this case, the three bit code point is 3, 011. So the Priority-Map for the default FCoe application is 00001000. The fcoe forwarding-class and PFC were configured; and the configuration of the application on the switch and on the DCB are synchronized. Therefore, the Status of the FCoE application is Enabled. If the configuration of the FCoE application on the switch did not match the FCoE application of the DCB peer, the status of the application would appear as Disabled.


4714

•


•


•




Example: Configuring DCBX to Support an iSCSI Application Data Center Bridging Capability Exchange protocol (DCBX) support for the application protocol type, length, and value (TLV) enables you to implement DCBX for various Layer 2 and Layer 4 applications. Internet small computer system interface (iSCSI) is a Layer 4 storage application that can benefit from DCBX. Implementing iSCSI over data center bridging (DCB) reduces latency in networks that are oversubscribed and provides a predictable and certain application responsiveness, eliminating Ethernet’s dependence on TCP/IP for the retransmission of dropped Ethernet frames. Although DCBX is not a requirement for such applications, it adds the reliability required for enterprise data storage.

NOTE: You can configure and apply priority flow control (PFC) for any DCBX interfaces, but it is not a requirement for applications other than Fiber Channel over Ethernet (FCoE).

This example shows how to configure DCBX to support an iSCSI application: •


•


•


•



One EX4500 switch (CEE-capable model)

•


Overview and Topology You can use the same switch to support your LAN traffic and your storage area network (SAN) traffic—including both FCoE and iSCSI traffic. The DCBX application protocol TLV allows you to associate a specific DCBX interface with a specific application map. DCBX discovers the DCB capabilities of peers by exchanging feature configuration information, detects feature misconfiguration and mismatches, and can configure DCB on peers. DCBX is an extension of Link Layer Discovery Protocol (LLDP). LLDP must remain enabled on every interface for which you want to use DCBX. The switch supports DCBX information exchange for other applications, such as iSCSI, as specified in your configuration by EtherType or by the destination port and protocol. To take advantage of this feature for non-FCoE applications, you must configure the application and application map and associate the application map with the interface


4715

®


that is carrying the application’s traffic. This configuration includes specifying the 802.1 code points to be used for this application. When you configure an iSCSI application, you must always designate destination-port 3260.

NOTE: DCBX is enabled by default on all 10-Gigabit Ethernet interfaces on EX4500 switches (CEE-capable models).

This example shows how to configure an iSCSI application on a DCBX interface of the EX4500 switch that is connected to an iSCSI storage device. The components of the topology for this example are shown in Table 548 on page 4716.

Table 548: Components of the DCBX iSCSI Topology Properties

Settings

Switch hardware

One EX4500 switch (CEE capable model)

Application

iSCSI

Application map code points

101

Interface for iSCSI application

xe-0/0/37

Destination port

3260


DCBX is enabled by default on all 10-Gigabit Ethernet interfaces.

Configuration To configure DCBX to support an iSCSI application, perform these tasks: CLI Quick Configuration

To quickly configure a DCBX interface for an iSCSI application, copy the following commands and paste them into the switch terminal window: [edit] set applications application iscsi protocol tcp destination-port 3260 set policy-options application-maps iscsi-map application iscsi code-points 101 set protocols dcbx interface xe-0/0/37 application-map iscsi-map


Configure a DCBX interface for an iSCSI application: 1.

Create the application: [edit] user@switch# set applications application iscsi protocol tcp destination-port 3260

2.

Create the application map: [edit policy-options] user@switch# set application-maps iscsi-map application iscsi code-points 101

4716



3.

Apply the application map to the DCBX interface that you want to use for iSCSI: [edit protocols] user@switch# set dcbx interface xe-0/0/37 application-map iscsi-map

Results

Check the results of the configuration: user@switch> show configuration protocols { dcbx { interface all; interface xe-0/0/37.0 { application-map iscsi-map; } } lldp { interface all; } } policy-options { application-maps { iscsi-map { application iscsi code-points 101; } } } applications { application iscsi { protocol tcp; destination-port 3260; } }


Verifying That the iSCSI Application Is Advertised and That the Switch Interface and DCB Peer Are Using the Same 802.1p Code Points on page 4717

Verifying That the iSCSI Application Is Advertised and That the Switch Interface and DCB Peer Are Using the Same 802.1p Code Points Purpose

Action

Verify that both the switch and the DCB peer are using a DCBX iSCSI application configured for the same 802.1p code points. Send some requests from the switch to the DCB peer. Display the DCBX information advertised by DCBX interface (xe-0/0/37) and detected by the switch: user@switch> show dcbx neighbors interface Interface : xe-0/0/37.0 Protocol-State: in-sync


4717

®


Active-application-map: iscsi-map

Local-Advertisement: Operational version: 0 sequence-number: 1, acknowledge-id: 1 Peer-Advertisement: Operational version: 0 sequence-number: 1, acknowledge-id: 1 Feature: PFC, Protocol-State: in-sync Operational State: Disabled Local-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 6 Code Point 000 001 010 011 100 101 110 111

Admin Mode Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled


Code Point 000 001 010 011 100 101 110 111

Admin Mode Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled

Feature: Application, Protocol-State: in-sync Local-Advertisement: Enable: Yes, Willing: No, Error: No

Appl-Name

Ethernet-Type

iscsi

Socket-Number

Priority-Map

Status

3260

00100000

Enabled

Peer-Advertisement:

4718



Enable: Yes, Willing: No, Error: No

Appl-Name

iscsi

Meaning

Ethernet-Type

Socket-Number

Priority-Map

Status

3260

00100000

Enabled

Check the status for Local-Advertisement in the section Feature: Application. If there is misconfiguration between the switch and the DCB peer, the status displays Error: Yes. In this example, there is no error. The output for Feature: Application, Protocol-State, displays a list of DCBX applications under Appl-Name. This field displays information for the user-configured application iscsi. When you configure an iSCSI application, you must always designate the destination port as 3260. The output displays this as the Socket-Number . The Priority-Map for the iSCSI application reflects the 802.1p code points that were specified in this example for the iSCSI-map. The example specified 101 for the iSCSI application map code points. The Priority-Map is an 8-bit code point format of the 802.1p code points; thus, 0010000. The Status of the iSCSI application is Enabled, because the switch and the DCB are using the same code points for the iSCI application.


•


•

Defining an Application for DCBX Application Protocol TLV Exchange on page 4727

•

Configuring an Application Map for DCBX Application Protocol TLV Exchange on page 4728

•

Applying an Application Map to an Interface for DCBX Application Protocol TLV Exchange on page 4729

•



4719

®


4720


CHAPTER 134

Configuring Converged Networks (LAN and SAN) •


•


•

Disabling DCBX to Disable PFC Autonegotiation on EX Series Switches (CLI Procedure) on page 4726

•

Disabling DCBX Application Protocol Exchange on EX Series Switches (CLI Procedure) on page 4726

•


•


•


Configuring FIP Snooping on an FCoE Transit Switch Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) snooping uses information gathered during FIP discovery and login to create firewall filters that provide security against unauthorized access to the FC switch or FCoE forwarder (FCF) through the EX4500 or QFX Series when the switch is acting as an FCoE transit switch. The firewall filters allow only FCoE devices that succeed at logging in to the FC fabric to access the FCF through the transit switch. FIP snooping provides security for the point-to-point virtual links that connect host FCoE Nodes (ENodes) and FCFs in the FCoE VLAN by denying access to any device that does not successfully log in to the FCF. FIP snooping is disabled by default. You enable FIP snooping on a per-VLAN basis for VLANs that carry FCoE traffic. Ensure that a VLAN that carries FCoE traffic carries only FCoE traffic, because enabling FIP snooping will deny access for all other Ethernet traffic.


4721

®


NOTE: All of the transit switch ports are untrusted by default. If an ENode on an FCoE device logs in to an FCF before you enable FIP snooping on the VLAN and you then enable FIP snooping, the transit switch denies traffic from the ENode because the transit switch has not snooped (learned) the ENode state. The following process automatically logs the ENode back in to the FCF to reestablish the connection: 1.

FIP snooping is enabled on an FCoE VLAN on the switch.

2. The switch denies existing connections between servers and the FCF on

the FCoE VLAN by filtering the FCoE traffic and FIP traffic, so no keepalive messages from the ENodes reach the FCF. 3. The FCF port timer for each ENode and for each VN_Port on each ENode

expires. 4. The FCF sends each ENode whose port timer has expired a Clear Virtual

LInks (CVL) message. 5. The CVL message causes the ENode to log in again.

Because the FCF is a trusted source, you configure interfaces that connect to the FCF as trusted interfaces. FIP snooping continues to run on trusted interfaces so that the switch learns the FCF state.

NOTE: Do not configure ENode-facing interfaces both with FIP snooping enabled and as trusted interfaces. FCoE VLANs with interfaces that are directly connected to FCoE hosts should be configured with FIP snooping enabled and the interfaces should not be trusted interfaces. Ethernet interfaces that are connected to an FCF should be configured as trusted interfaces and should not have FIP snooping enabled. Interfaces that are connected to a transit switch that is performing FIP snooping can be configured as trusted interfaces if the FCoE VLAN is not enabled for FIP snooping.

Optionally, you can specify an FC-MAP value for each FCoE VLAN. On a given FCoE VLAN, the switch learns only FCFs that have a matching FC-MAP value. The default FC-MAP value is 0EFC00h for all FC devices. (Enter hexadecimal values for FC-MAP preceded by the hexadecimal indicator “0x”—for example, 0x0EFC00.) If you change the FC-MAP value of an FCF, change the FC-MAP value for the FCoE VLAN it belongs to on the switch and on the servers you want to communicate with the FCF. An FCoE VLAN can have one and only one FC-MAP value. To enable FIP snooping: •

To enable FIP snooping on a single VLAN and specify the optional FC-MAP value: [edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name examine-fip fc-map fc-map-value

4722


Chapter 134: Configuring Converged Networks (LAN and SAN)

For example, to enable FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03: [edit ethernet-switching-options secure-access-port] user@switch# set vlan san1_vlan examine-fip fc-map 0x0EFC03

NOTE: Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

•

To enable FIP snooping on all VLANs and use the default FC-MAP value: [edit ethernet-switching-options secure-access-port] user@switch# set vlan all examine-fip

•

To configure an interface as a trusted interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface interface-name fcoe-trusted

For example, to configure interface xe-0/0/30 as a trusted interface: [edit ethernet-switching-options secure-access-port] user@switch# set interface xe-0/0/30 fcoe-trusted


•


•


•

Understanding FIP Snooping on an FCoE Transit Switch

Configuring Priority-Based Flow Control for an EX Series Switch (CLI Procedure) You can configure priority-based flow control (PFC) on EX4500 switches to apply link-level flow control on a specific traffic class so that different types of traffic can efficiently use the same network interface card (NIC). You must configure PFC for all interfaces carrying Fibre Channel over Ethernet (FCoE) traffic. You can also configure PFC on interfaces carrying other traffic types, such as Internet small computer system interface (iSCSI) traffic. Using PFC is optional for traffic types other than FCoE.

NOTE: •

PFC is supported only on 10-Gigabit Ethernet interfaces.

•

If you are using PFC for a non-FCoE DCBX application, use the same 802.1p code points for the PFC congestion notification profile and for the application map that is carrying that application traffic.

Data Center Bridging Capability Exchange protocol (DCBX) is enabled by default on all 10-Gigabit Ethernet interfaces on EX4500 switches. DCBX enables or disables PFC on the local interface depending on whether the PFC configuration on that interface is the same as the PFC configuration of the connected interface on the data center bridging (DCB) peer.


4723

®


NOTE: When you configure PFC, we recommend that you: •

Configure at least 20 percent of the buffer for the queue that is using PFC.

•

Configure an appropriate percent of the buffer for any other forwarding classes (default forwarding classes and the user-defined forwarding classes) that you are using.

•

Do not specify the exact option when configuring the buffer for the queue that is using PFC.

•

Configure the loss-priority statement to low for a traffic class that is using PFC.

•

Verify that the PFC configurations of the local interfaces are the same as the PFC configurations of the connected interfaces on the DCB peer. See show dcbx neighbors.

EX Series switches support up to six congestion notification profiles for PFC. To configure PFC: 1.

Configure a congestion notification profile, specifying the name of the profile and specifying the three-bit pattern of the User Priority bits in an incoming frame that will trigger the priority-based flow control on that traffic class: [edit class-of-service] user@switch# set congestion-notification-profile profile-name input ieee-802.1 code-point up-bits pfc

2. Disable standard Ethernet flow control on the interfaces that will be used for the

traffic class that you have selected for PFC: [edit interfaces] user@switch# set interface-name ether-options no-flow-control

NOTE: You cannot apply PFC to interfaces that are using standard Ethernet flow control. You must first disable flow control on those interfaces.

3. Bind the congestion notification profile to the interfaces that will be used for the traffic

class that you have selected for PFC: [edit class-of-service] user@switch# set interfaces interface-name congestion-notification-profile profile-name 4. Create a CoS classifier for a traffic class that will use PFC: [edit class-of-service] user@switch# set classifiers ieee-802.1 classifier-name import default 5. Configure this traffic class (classifier-name) to use a user-defined or default forwarding

class with a low loss priority value and specify the 802.1p code points:: [edit class-of-service] user@switch# set classifiers ieee-802.1 classifier-name forwarding-class class-name loss-priority (Classifiers and Rewrite Rules) low code-points 3 bit-patterns 6. Bind the classifier-name classifier to all interfaces that require PFC:

4724



[edit class-of-service] user@switch# set interfaces interface-name unit logical-unit-number classifiers ieee-802.1 classifier-name 7. Assign the specified forwarding-class to an egress queue: [edit class-of-service] user@switch# set forwarding-classes class-name queue-number 8. Set a scheduler for this queue, allocating at least 20 percent of the buffer to be used

for FCoE traffic: [edit class-of-service] user@switch# set schedulers scheduler-name buffer-size percent 9. Set a scheduler to allocate buffer space for forwarding classes carrying other traffic:

NOTE: You must explicitly allocate some buffer space for the other forwarding classes. The default allocation of buffer space for forwarding classes is overridden when you manually configure the requisite amount of buffer space for the FCoE traffic.

[edit class-of-service] user@switch# set scheduler-name buffer-size percent 10. Configure a scheduler map that associates the specified scheduler with the specified

forwarding class: [edit class-of-service] user@switch# set scheduler-maps map-name forwarding-class class-name scheduler scheduler-name

For example: [edit class-of-service] user@switch# set scheduler-maps pfc-map forwarding-class af2 scheduler pfc-sched user@switch# set scheduler-maps pfc-map forwarding-class best-effort scheduler default-sched user@switch# set scheduler-maps pfc-map forwarding-class network-control scheduler default-sched user@switch# set scheduler-maps pfc-map forwarding-class expedited-forwarding scheduler default-sched 11. Assign the scheduler map to the egress interface: [edit class-of-service] user@switch# set interfaces interface-name scheduler-map pfc-map


•


•



4725

®


Disabling DCBX to Disable PFC Autonegotiation on EX Series Switches (CLI Procedure) As part of its autonegotiation capabilities, the Data Center Bridging Capability Exchange protocol (DCBX) automatically does the following: •

Advertises the priority flow control (PFC) configuration of the local interfaces to directly connected peers (switches and data center devices such as servers)

•

Detects the PFC capabilities of the connected peers

•

Enables the local interface’s PFC capabilities if DCBX detects that the peer interface’s PFC configuration is the same as the PFC configuration of the local interface.

•

Disables the local interface’s PFC capabilities if DCBX detects that the peer interface’s PFC configuration is not the same as the PFC configuration of the local interface.

DCBX is enabled by default on all 10-Gigabit Ethernet interfaces on EX4500 switches. You can manually override DCBX control of the PFC operational state on a per-interface basis. You might want to disable autonegotiation if the DCB peer does not support PFC. To disable the DCBX control of the PFC operational state: •

On an individual interface: [edit protocols] user@switch# set dcbx interface interface-name priority-flow-control no-auto-negotiation

•

On all 10-Gigabit Ethernet interfaces: [edit protocols] user@switch# set dcbx interface all priority-flow-control no-auto-negotiation


•

show dcbx neighbors on page 4771

•


•


Disabling DCBX Application Protocol Exchange on EX Series Switches (CLI Procedure) You can disable the Data Center Bridging Capability Exchange protocol (DCBX) Application Protocol exchange on a specific interface or on all interfaces. To disable the DCBX application protocol exchange for any DCBX application, do the following:

NOTE: The format of the configuration statement specifies the fcoe application, however, this applies to any DCBX application (both FCoE applications and non-FCoE applications) on that interface.

•

4726

For a specific interface:



[edit protocols] user@switch# set dcbx interface interface-name applications fcoe no-auto-negotiation •

For all interfaces: [edit protocols] user@switch# set dcbx interface all applications fcoe no-auto-negotiation

NOTE: If you disable the DCBX application protocol exchange, the show dcbx neighbors command displays Feature: Application, Protocol-State: not-applicable.


•


•


•


Defining an Application for DCBX Application Protocol TLV Exchange Define each application for which you want DCBX to exchange application protocol information. You can define Layer 2 and Layer 4 applications. After you define applications, you map them to IEEE 802.1p code points, and then apply the application map to the interfaces on which you want DCBX to exchange application protocol information with connected peers. (See Related Documentation for how to configure application maps and apply them to interfaces, and for a example of the entire procedure that also includes classifier configuration.)

NOTE: The FCoE application is configured by default, so you do not need to configure it.

Define Layer 2 applications by mapping an application name to an EtherType. Define Layer 4 applications by mapping an application name to a protocol (TCP or UDP) and a destination port. •

To define a Layer 2 application, specify the name of the application and its EtherType: [edit applications] user@switch# set application application-name ether-type ether-type

For example, to configure an application named PTP (for Precision Time Protocol) that uses the EtherType 0x88F7: user@switch# set applications application ptp ether-type 0x88F7 •

To define a Layer 4 application, specify the name of the application, its protocol (TCP or UDP), and its destination port: [edit] user@switch# set applications application application-name protocol (tcp | udp) destination-port port-value


4727

®


For example, to configure an application named iscsi (for Internet Small Computer System Interface) that uses the protocol TCP and the destination port 3260: user@switch# set applications application iscsi protocol tcp destination-port 3260


•


•


•

Configuring DCBX Autonegotiation

•

Example: Configuring DCBX Application Protocol TLV Exchange

•


•


Configuring an Application Map for DCBX Application Protocol TLV Exchange After you define applications for which you want to exchange DCBX application protocol information, map the applications to IEEE 802.1p code points. The IEEE 802.1p code points identify incoming traffic and allow you to map that traffic to the desired application. You then apply the application map to the interfaces on which you want DCBX to exchange application protocol information with connected peers. (See Related Documentation for how to define applications and apply the application map to interfaces, and for a example of the entire procedure that also includes classifier configuration.)

NOTE: The FCoE application map is configured by default, so you do not need to configure it.

Configure an application map by creating an application map name and mapping an application to one or more IEEE 802.1p code points. •

To define an application map, specify the name of the application map, the name of the application, and the IEEE 802.1p code points of the incoming traffic that you want to associate with the application in the application map: [edit policy-options] user@switch# set application-maps application-map-name application application-name code-points [ aliases ] [ bit-patterns ]

For example, to configure an application map named ptp-app-map that includes an application named PTP (for Precision Time Protocol) and map the application to IEEE 802.1p code points 001 and 101: user@switch# set policy-options application-maps ptp-app-map application ptp code points [ 001 101 ]


4728

•




•


•


•


•


•


Applying an Application Map to an Interface for DCBX Application Protocol TLV Exchange After to you define applications and map them to IEEE 802.1p code points in an application map, apply the application map to the interfaces on which you want DCBX to exchange the application protocol information with connected peers. (See Related Documentation for how to define applications and configure application maps to interfaces, and for a example of the entire procedure that also includes classifier configuration.)

NOTE: The FCoE application map is configured and applied by default to interfaces that carry FCoE traffic, so you do not need to configure it or apply it explicitly to interfaces.

•

To apply an application map to a DCBX interface, specify the DCBX interface and the application map name: [edit protocols] user@switch# set dcbx interface interface-name application-map application-map-name

For example, to apply an application map named ptp-app-map on interface xe-0/0/11: user@switch# set protocols dcbx interface xe-0/0/11 application-map ptp-app-map


•


•


•


•


•


•



4729

®


4730


CHAPTER 135

Configuration Statements for Converged Networks (LAN and SAN) •


•


[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); }


4731

®


mac-notification { notification-interval seconds; } mac-table-aging-time seconds; nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary; } interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name;

4732


Chapter 135: Configuration Statements for Converged Networks (LAN and SAN)

} examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


•


•


•


•


•


•



4733

®


•


•


•


•


•


•


[edit class-of-service] Configuration Statement Hierarchy class-of-service { classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) classifier-name { forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) loss-priority { code-points [aliases] [6 bit-patterns]; } } import (classifier-name | default); } } code-point-aliases { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) { alias-name bits; } } congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } forwarding-classes { class class-name queue-num queue-number priority ( high | low ); } interfaces { interface-name { congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } scheduler-map map-name; unit logical-unit-number { classifiers { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) (classifier-name | default); } forwarding-class class-name;

4734



} } } multi-destination { family { ethernet (CoS for Multidestination Traffic) { broadcast forwarding-class-name; } inet (CoS) { classifiers { (dscp | dscp-ipv6 | inet-precedence) classifier-name; } } } scheduler-map map-name; } rewrite-rules { (dscp | dscp-ipv6 | ieee-802.1 | inet-precedence) rewrite-name { forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) loss-priority code-point (alias | bits); } import (rewrite-name | default); } } scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers (CoS) { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map drop-profile profile-name; loss-priority (Classifiers and Rewrite Rules) loss-priority; priority (Schedulers) priority; protocol (Drop Profiles) protocol; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } }


•


•


•


•


•


•



4735

®


•


•


•


application (Applications) Syntax


Description Options

application application-name { destination-port port-value; protocol (tcp | udp); ether-type type; } [edit applications]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Configure properties to define an application. application-name—Name of the application.


4736



•


•


•

Understanding DCBX Application Protocol TLV Exchange

•




application (Application Maps) Syntax


Description Options

application application-name { code-points [ aliases ] [ bit-patterns ]; } [edit policy-options application-maps application-map-name]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Add an application to an application map and define the application’s code points. application-name—Name of the application.




•


•


•


•



4737

®


applications (Applications) Syntax


[edit]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series.

Description

Define applications that DCBX advertises.

Options

The statements are explained separately.


4738

applications { application application-name { destination-port port-value; protocol (tcp | udp); ether-type type; } }



•


•


•


•




application-map Syntax Hierarchy Level Release Information


application-map application-map-name; [edit protocols dcbx interface interface-name]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Specify an application map to apply to an interface. application-map-name—Name of the application map.



•


•


•


•


•



4739

®


application-maps Syntax


Description

Options

application-maps application-map-name { application application-name { code-points [ aliases ] [ bit-patterns ]; } } [edit policy-options]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Define an application map by specifying the applications that belong to the application map. application-map-name—Name of the application map.


4740



•


•


•


•




code-point (Congestion Notification) Syntax Hierarchy Level


Options


code-point up-bits pfc; [edit class-of-service congestion-notification-profile (Priority-Based Flow Control) profile-name input ieee-802.1], [edit class-of-service interfaces interface-name congestion-notification-profile profile-name input ieee-802.1]

Statement introduced in Junos OS Release 10.4 for EX Series switches. Configure the IEEE 802.1p (User Priority) code point bits as input for creating the priority-based flow control (PFC) congestion notification profile, which you will associate with a particular traffic class. •

pfc—PFC flow control method

•

up-bits—Three-bit pattern of the User Priority field in an IEEE 802.1Q tag



•



4741

®


code-points (Application Maps) Syntax Hierarchy Level Release Information

Description Options

code-points [ aliases ] [ bit-patterns ]; [edit policy-options application-maps application-map-name application application-name]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Define one or more code-point aliases or bit sets for an application. aliases—Name of the alias or aliases. bit-patterns—Value of the code-point bits, in decimal form.


4742



•


•


•


•




congestion-notification-profile Syntax

Hierarchy Level


congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; [edit class-of-service], [edit class-of-service interfaces interface-name]

Statement introduced in Junos OS Release 10.4 for EX Series switches. Configure a congestion notification profile for priority-based flow control (PFC).

NOTE: You must configure PFC for FCoE traffic. The interface where PFC is enabled must be a 10-Gigabit Ethernet interface.




•



4743

®


dcbx Syntax



4744

dcbx { disable; interface (interface-name | all) { disable; application-map application-map-name; applications { fcoe { no-auto-negotiation; } } enhanced-transmission-selection { no-auto-negotiation; } priority-flow-control { no-auto-negotiation; } } } [edit protocols]

Statement introduced in Junos OS Release 11.1 for the QFX Series. Statement introduced in Junos OS Release 11.3 for EX Series switches. Configure DCBX properties. The statements are explained separately. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•

Understanding DCB Features and Requirements

•


•


•




destination-port (Applications) Syntax Hierarchy Level Release Information

Description

destination-port port-value; [edit applications application application-name]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) destination port number, which combines with protocol to identify an application type. The Internet Assigned Numbers Authority (IANA) assigns port numbers. See the IANA Service Name and Transport Protocol Port Number Registry at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

for a list of assigned port numbers.

NOTE: To create an application for iSCSI, use the protocol tcp with the destination port number 3260.


port-value—Identifier for the port.



•


•


•


•



4745

®


disable (DCBX) Syntax Hierarchy Level

disable [edit protocols dcbx] [edit protocols dcbx interface interface-name]

Release Information

Description

Default

Statement introduced in Junos OS Release 11.1 for the QFX Series. Statement introduced in Junos OS Release 11.3 for EX Series switches. Disable Data Center Bridging Capability Exchange protocol (DCBX) on one or more 10-Gigabit Ethernet interfaces. DCBX is enabled by default on all 10-Gigabit or higher Ethernet interfaces. DCBX is enabled by default on all 10-Gigabit Ethernet interfaces on EX4500 CEE-enabled switches.


4746



•


•


•







4747

®



4748





[edit]





•


•


•


•


•


•


•


•


•


•



4749

®


ether-type Syntax Hierarchy Level Release Information

Description

ether-type ether-type; [edit applications application application-name]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Two-octet field in an Ethernet frame that defines the protocol encapsulated in the frame payload. See http://standards.ieee.org/develop/regauth/ethertype/eth.txt for a list of Institute of Electrical and Electronics Engineers (IEEE) EtherTypes.

NOTE: To create a FIP application, use the EtherType 0x8914.


4750

type—Identifier for the EtherType.



•


•




examine-fip Syntax


Description

examine-fip { fc-map fc-map-value; } [edit ethernet-switching options secure-access-port vlan (all | vlan-name)]

Statement introduced in Junos OS Release 10.4 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Enable FIP snooping on a specified VLAN. Ensure that the VLAN is a dedicated FCoE VLAN that transports only FCoE traffic. The remaining statement is explained separately.



vlan on page 4217

•


•



4751

®


fc-map Syntax Hierarchy Level

fc-map fc-map-value; [edit ethernet-switching options secure-access-port vlan (all | vlan-name) examine-fip]

For the QFX Series only: [edit fc-fabrics fc-fabric-name protocols fip]

Release Information

Description

Statement introduced in Junos OS Release 10.4 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Set the FCoE mapped address prefix (FC-MAP) value for the FCoE VLAN to match the FC switch (or FCoE forwarder) FC-MAP value for the FC fabric. The FC-MAP value is a unique MAC address prefix an FC switch uses to identify FCoE traffic for a given FC fabric (traffic on a particular FCoE VLAN). You can configure the FC-MAP value or use the default value. The FC switch provides the FC-MAP value to FCoE nodes (ENodes) in the FIP discovery advertisement message. If the EX Series switch or the QFX Series FCoE VLAN FC-MAP value does not match the FC switch FC-MAP value, neither device discovers the FC switch on that VLAN, and the ENodes on that VLAN cannot access the FC switch. The FC switch accepts only FCoE traffic that uses the correct FC-MAP value as part of the VN_Port MAC address. When the QFX Series acts as an FCoE-FC gateway, the FC-MAP value for the gateway and the FCoE devices must match the FC switch FC-MAP value in order to communicate with the FC switch.

NOTE: Changing the FC-MAP value causes all logins to drop and forces the ENodes to log in again.

Options

fc-map-value—FC-MAP value, hexadecimal value preceded by “0x”.

Range: 0x0EFC00 through 0x0EFCFF Default: 0xEFC00 Required Privilege Level Related Documentation

4752


examine-fip on page 4751

•

show fip snooping on page 4785

•


•




fcoe Syntax


Description


fcoe { no-auto-negotiation; } [edit protocols dcbx interface interface-name applications]

Statement introduced in Junos OS Release 11.1 for the QFX Series. Statement introduced in Junos OS Release 12.1 for the EX Series switches. Disable advertising the FCoE state of the interface to the peer. To disable FCoE on the interface, do not configure the FCoE forwarding class on the interface. no-auto-negotiate—Disable automatic negotiation of FCoE capability.



•


•



4753

®


fcoe-trusted Syntax Hierarchy Level

fcoe-trusted; [edit ethernet-switching options secure-access-port interface interface-name]

For the QFX Series only: [edit fc-fabrics fc-fabric-name protocols fip]

Release Information

Description

Statement introduced in Junos OS Release 10.4 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Statement introduced for the FC fabric in Junos OS Release 11.3 for the QFX Series. Configure the specified 10-Gigabit Ethernet interface to trust Fibre Channel over Ethernet (FCoE) traffic. If an interface is connected to another switch such as an FCoE forwarder (FCF) or a transit switch, you can configure the interface as trusted so that the interface forwards FCoE traffic from the switch to the FCoE devices without installing FIP snooping filters. (QFX Series only) Configure the specified local Fibre Channel fabric to trust FCoE traffic on all ports in the fabric. Changing the fabric ports from untrusted to trusted removes any existing FIP snooping filters from the ports. Changing the fabric ports from trusted to untrusted by removing the fcoe-trusted configuration from the fabric forces all of the FCoE sessions on those ports to log out so that when the ENodes and VN_Ports log in again, the switch can build the appropriate FIP snooping filters.


4754



•


•




ieee-802.1 (Congestion Notification) Syntax

Hierarchy Level


ieee-802.1 { code-point up-bits pfc ; } [edit class-of-service congestion-notification-profile profile-name], [edit class-of-service interfaces interface-name congestion-notification-profile profile-name]

Statement introduced in Junos OS Release 10.4 for EX Series switches. Set an association between the traffic class and the congestion notification profile. The remaining statement is explained separately.



[edit class-of-service] Configuration Statement Hierarchy on EX Series Switches on page 83

•


•


input (Congestion Notification) Syntax

Hierarchy Level


input { ieee-802.1 { code-point up-bits pfc ; } } [edit class-of-service congestion-notification-profile (Priority-Based Flow Control) profile-name], [edit class-of-service interfaces interface-name congestion-notification-profile profile-name]

Statement introduced in Junos OS Release 10.4 for EX Series switches. Identify the three-bit pattern of the User Priority field that triggers the priority-based congestion notification profile for a specified traffic class. The remaining statements are explained separately.




•



4755

®


interface Syntax

interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } }

Hierarchy Level

[edit ethernet-switching-options secure-access-port]


Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply port security features to all interfaces or to the specified interface. all—Apply port security features to all interfaces. interface-name —Apply port security features to the specified interface.


4756



•


•


•


•


•


•


•




interface (DCBX) Syntax


Description Options

interface (interface-name | all) { disable; application-map application-map-name; applications { fcoe { no-auto-negotiation; } } enhanced-transmission-selection { no-auto-negotiation; } priority-flow-control { no-auto-negotiation; } } [edit protocols dcbx]

Statement introduced in Junos OS Release 11.1 for the QFX Series. Statement introduced in Junos OS Release 11.3 for the EX Series switches. Configure DCBX properties on an interface. interface-name—Name of the interface.




•


•


•


•


•



4757

®


interfaces Syntax


interfaces { interface-name { congestion-notification-profile profile-name { input { ieee-802.1 { code-point up-bits pfc; } } } } scheduler-map map-name; unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | ieee-802.1 | inet-precedence) (classifier-name | default); } } } } [edit class-of-service]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure interface-specific class-of-service (CoS) properties for incoming packets. interface-name—Name of the interface.


4758



•


•


•


•




policy-options Syntax


Description


policy-options application-maps application-map-name { application application-name { code-points [ aliases ] [ bit-patterns ]; } } policy-statement policy-name { term term-name { from { family family-name; match-conditions; policy subroutine-policy-name; prefix-list prefix-list-name; prefix-list-filter prefix-list-name match-type ; route-filter destination-prefix match-type ; source-address-filter source-prefix match-type ; } to { match-conditions; policy subroutine-policy-name; } then actions; } } [edit]

Statement introduced in Junos OS Release 12.1 for the QFX Series. Statement introduced in Junos OS Release 12.1 for the EX Series. Configure options such as application maps for DCBX application protocol exchange and policy statements. storage—To view this statement in the configuration. storage-control—To add this statement to the configuration. •


•


•


•


•



4759

®


priority-flow-control Syntax


Description

[edit protocols dcbx interface (all | interface-name)]

Statement introduced in Junos OS Release 11.1 for the QFX Series. Statement introduced in Junos OS Release 11.3 for EX Series switches. Disable autonegotiation of priority-based flow control (PFC) on one or more Ethernet interfaces. Autonegotiation enables PFC on an interface only if the switch and the peer device connected to the switch both support PFC and have the same PFC configuration. Disabling autonegotiation on an interface forces the interface to use the PFC state (enabled or disabled) that is configured on the switch by the configuration and assignment of the congestion notification profile.

Options

no-auto-negotiation—Disable automatic negotiation of PFC.




4760

priority-flow-control { no-auto-negotiation; }

•


•

Configuring CoS Priority-Based Flow Control

•


•


•

Example: Configuring CoS PFC for FCoE Traffic

•


•


•




protocol (Applications) Syntax Hierarchy Level Release Information

Description

protocol (tcp | udp); [edit applications application application-name]

Statement introduced in Junos OS Release 12.1 for EX Series switches. Statement introduced in Junos OS Release 12.1 for the QFX Series. Networking protocol type, which combines with destination-port to identify an application type.

NOTE: To create an application for iSCSI, use the protocol tcp with the destination port number 3260.

Options

tcp—Transmission Control Protocol udp—User Datagram Protocol




•


•


•


•



4761

®


secure-access-port Syntax


4762

secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } [edit ethernet-switching-options]




Description

Configure port security features, including MAC limiting, dynamic ARP inspection, whether interfaces can receive DHCP responses, DHCP snooping, IP source guard, DHCP option 82, MAC move limiting, and FIP snooping. The remaining statements are explained separately.




•


•


•


•



4763

®


vlan Syntax


vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id ; } (examine-dhcp | no-examine-dhcp); examine-fip { fc-map fc-map-value; } (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } [edit ethernet-switching-options secure-access-port]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Apply any of the following security options to a VLAN: •

DHCP snooping

•

DHCP option 82

•


•

FIP snooping

•

IP source guard

•

MAC move limiting



Options

4764

all—Apply the feature to all VLANs.



vlan-name—Apply the feature to the specified VLAN.




•


•


•



4765

®


4766


CHAPTER 136

Operational Commands for Converged Networks (LAN and SAN)


4767

®


clear fip snooping enode Syntax

Release Information

Description

Options

clear fip snooping enode enode-mac

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Clear FIP snooping information for the specified FCoE Node (ENode) or (optionally) only on a specified VLAN. This operation deletes the ENode state from the switch database and from the FIP snooping firewall filters, which causes the ENode to lose its connection to the FCoE forwarder (FCF) and to log in to the FCF again. enode-mac—MAC address of the ENode. vlan vlan-name—(Optional) Name of the VLAN.


view

•

show fip snooping enode on page 4788

clear fip snooping enode enode-mac on page 4768

Sample Output clear fip snooping enode enode-mac

4768

user@switch> clear fip snooping enode 00:10:94:00:00:02


Chapter 136: Operational Commands for Converged Networks (LAN and SAN)

clear fip snooping statistics Syntax

Release Information

Description Required Privilege Level Related Documentation List of Sample Output

clear fip snooping statistics

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Clear FIP snooping statistics globally or on a specified VLAN. view

•

show fip snooping statistics on page 4792

clear fip snooping statistics on page 4769

Sample Output clear fip snooping statistics

user@switch> clear fip snooping statistics


4769

®


clear fip snooping vlan Syntax Release Information

Description

Options Required Privilege Level Related Documentation List of Sample Output

clear fip snooping vlan vlan-name

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Clear FIP snooping information for the specified VLAN. This operation deletes all ENode and FCF information for the VLAN from the switch database and causes the ENodes to lose their connections to the FCFs. After clearing a VLAN, the switch relearns all of the FCFs and ENodes on the VLAN, and the ENodes must log in to the FCF again. vlan-name—Name of the VLAN.

view

•

show fip snooping vlan on page 4794

clear fip snooping vlan vlan-name on page 4770

Sample Output clear fip snooping vlan vlan-name

4770

user@switch> clear fip snooping vlan fcoevlan1



show dcbx neighbors Syntax

Release Information

Description

Options

show dcbx neighbors

Command introduced in Junos OS Release 11.1 for the QFX Series. Command introduced in Junos OS Release 11.3 for EX Series switches. Display information about Data Center Bridging Capability Exchange protocol (DCBX) neighbor interfaces. none—Display information about all DCBX neighbor interfaces. interface-name—(Optional) Display information for the specified interface. terse—Display the specified level of output. (On the EX Series switch, ETS values appear

in the output but are not applicable to the switch; ignore these values.) Required Privilege Level Related Documentation


Output Fields

view

•


•


•


•


•


•


•

dcbx on page 4744

show dcbx neighbors interface (QFX Series) on page 4780 show dcbx neighbors terse (QFX Series) on page 4782 show dcbx neighbors (EX4500 Switch: FCoE Interfaces on Both Local and Peer with PFC Configured Compatibly) on page 4782 show dcbx neighbors (EX4500 Switch: DCBX Interfaces on Local and Peer Are Configured Compatibly with iSCSI Application) on page 4783 Table 549 on page 4771 lists the output fields for the show dcbx neighbors command. Output fields are listed in the approximate order in which they appear.

Table 549: show dcbx neighbors Output Fields Field Name

Field Description

Interface



4771

®


Table 549: show dcbx neighbors Output Fields (continued) Field Name

Field Description

Parent Interface

Name of the link aggregation group (LAG) interface to which the DCBX interface belongs.

Protocol-State

DCBX protocol state synchronization status: •

in-sync—The local interface received an acknowledge

message from the peer to indicate that the peer received a state change message sent by the local interface. •

ack-pending—The local interface has not yet received

an acknowledge message from the peer to indicate that the peer received a state change message sent by the local interface. Active-application-map

Name of the application map applied to the interface.

Local-Advertisement

Status of advertisements that the local interface sends to the peer. Operational version

Version of the DCBX standard used.

sequence-number

Number of state change messages sent to the peer. If the interface Protocol-State value is in-sync, this number should match the acknowledge-id number in the Peer-Advertisement section. If the interface Protocol-State value is ack-pending, this number does not match the acknowledge-id number in the Peer-Advertisement section.

acknowledge-id

Number of acknowledge messages received from the peer. If the Protocol-State value is in-sync, this number should match the sequence-number value in the Peer-Advertisement section. If the Protocol-State value is ack-pending, this number does not match the sequence-number value in the Peer-Advertisement section.

4772




Field Description

Peer-Advertisement

Status of advertisements that the peer sends to the local interface. Operational version

Version of the DCBX standard used.

sequence-number

Number of state change messages the peer sent to the local interface. If this number matches the acknowledge-id number in the Local-Advertisement field, this indicates that the local interface has acknowledged all of the peer’s state change messages and is in synchronization. If this number does not match the acknowledge-id number in the Local-Advertisement field, this indicates that the peer has not yet received an acknowledgment for a state change message from the local interface.

acknowledge-id

Number of acknowledge messages the peer has received from the local interface. If this number matches the sequence-number value in the Local-Advertisement field, this indicates that the peer has acknowledged all of the local interface’s state change messages and is in synchronization. If this number does not match the sequence-number value in the Local-Advertisement field, this indicates that the peer has not yet sent an acknowledgment for a state change message from the local interface.


4773

®



Field Description

Feature: PFC

Priority-based flow control (PFC) feature DCBX state information. DCBX protocol state synchronization status:

Protocol-State

•


an acknowledge message from the peer to indicate that the peer received a PFC state change message sent by the local interface. •


message from the peer to indicate that the peer received a PFC state change message sent by the local interface. •

not-applicable—PFC autonegotiation is disabled.

Operational State

Operational state of the feature: enabled or disabled.

Local-Advertisement

Status of advertisements that the local interface sends to the peer. Enable

Willing

State that the local interface advertises to the peer: •

Yes—The feature is enabled.

•

No—The feature is disabled.

Willingness of the local interface to learn the PFC configuration from the peer using DCBX: •

Yes—The local interface is willing to learn the PFC

configuration from the peer. •

No—The local interface is not willing to learn the PFC

configuration from the peer. Error

Configuration compatibility error status: •

No—No error detected. Local and peer configuration

are compatible. •

Yes—Error detected. Local and peer configuration are

not compatible. Maximum Traffic Classes capable to support PFC

Code Point

Largest number of traffic classes the local interface supports for PFC: •

6 (EX Series switches)

•

8 (QFX Series)

PFC code point, which is specified in the 3-bit class of service field in the VLAN header.

Admin Mode

4774




Field Description PFC administrative state for each code point on the local interface: •

Enabled—PFC is enabled for the code point.

•

Disabled—PFC is disabled for the code point.

Status of advertisements that the peer sends to the local interface.

Peer-Advertisement

Enable

Willing

State that the peer advertises to the local interface: •


•


Willingness of the peer to learn the PFC configuration from the local interface using DCBX: •

Yes—The peer is willing to learn the PFC configuration

from the local interface. •

No—The peer is not willing to learn the PFC

configuration from the local interface. Error



are compatible. •


not compatible. Maximum Traffic Classes capable to support PFC


Largest number of traffic classes the peer supports for PFC: •

6 (EX Series switches)

•

8 (QFX Series)

Code Point


Admin Mode

PFC administrative state for each code point on the peer: •

Enabled—PFC is enabled for the code point.

•

Disabled—PFC is disabled for the code point.

4775

®



Field Description

Feature: Application

State information for the DCBX application. DCBX protocol state synchronization status:

Protocol-State

•


message from the peer to indicate that the peer received an FCoE state change message sent by the local interface. •


an acknowledge message from the peer to indicate that the peer received an FCoE state change message sent by the local interface. •

not-applicable—The local interface is set to no-auto-negotiation (autonegotiation is disabled). If

the interface is associated with an FCoE forwarding class, the interface advertises FCoE capability even if the connected peer does not advertise FCoE capability. Status of advertisements that the local interface sends to the peer.

Local-Advertisement

If the local interface is set to no-auto-negotiation (autonegotiation is disabled), the local advertisement portion of the output is not shown. Enable

Willing



•


Willingness of the local interface to learn the FCoE interface state from the peer using DCBX: •

Yes—The local interface is willing to learn the FCoE

interface state from the peer. •

No—The local interface is not willing to learn the FCoE

interface state from the peer. Error


No—No error detected. The local and peer configuration

are compatible. •

Yes—Error detected. The local and peer configuration

are not compatible.

4776

Appl-Name

Name of the application:

Ethernet-Type

Ethernet Type (EtherType) of the application. For example, 0x8906 indicates the EtherType for the FCoE application. Either the EtherType (for Layer 2 applications) or the Socket-Number (for Layer 4 applications) of the application is displayed in the output.




Field Description Socket-Number

Destination port socket number of the application, if applicable. Either the EtherType (for Layer 2 applications) or the Socket Number (for Layer 4 applications) of the application is displayed in the output.

Priority-Map

Priority assigned to the application. For EX Series switches, the priority of the FCoE application is determined by the PFC congestion notification profile that has been configured and associated with the FCoE interface. For other applications, the priority is based on the application map.

Status

Local status when autonegotiation is enabled: •

Enabled—The application feature is enabled on both

the local interface and the peer interface. (The local configuration and the peer configuration match.) •

Disabled—The local configuration and the peer

configuration do not match. NOTE: If there is a configuration mismatch in one application between the switch and the peer, all the other applications including FCoE are disabled. Status of advertisements that the peer sends to the local interface.

Peer-Advertisement

Enable

Willing



•


Willingness of the peer to learn the FCoE interface state from the local interface using DCBX: •

Yes—The peer is willing to learn the FCoE interface

state from the local interface. •

No—The peer is not willing to learn the FCoE interface

state from the local interface. Error



are compatible. •


not compatible. Appl-Name

Name of the application: •

FCoE—Fibre Channel over Ethernet

Ethernet-Type


4777

®



Field Description Ethernet Type (EtherType) of the application. For example, 0x8906 indicates the EtherType for the FCoE application. Either the EtherType (for Layer 2 applications) or the Socket-Number (for Layer 4 applications) of the application is displayed in the output. Socket-Number

Destination port socket number of the application, if applicable. Either the EtherType (for Layer 2 applications) or the Socket Number (for Layer 4 applications) of the application is displayed in the output.

Priority-Map

Priority assigned to the application.

Status

Peer interface status: •

Enabled—The application feature is enabled on both

the local interface and the peer interface. (The local configuration and the peer configuration match.) •

Disabled—The local configuration and the peer

configuration do not match.

4778




Field Description

Feature: ETS

(QFX Series only) Enhanced Transmission Selection (ETS) DCBX state information. ETS protocol state synchronization status:

Protocol-State

•


message from the peer to indicate that the peer received an ETS state change message sent by the local interface. •


an acknowledge message from the peer to indicate that the peer received an ETS state change message sent by the local interface. Operational State

Operational state of the feature, enabled or disabled.

Local-Advertisement

Status of advertisements that the local interface sends to the peer. Enable

Willing



•


Willingness of the local interface to learn the ETS state from the peer using DCBX: •

Yes—Local interface is willing to learn the ETS state

from the peer. •

No—Local interface is not willing to learn the ETS state

from the peer. Error

Configuration error status: •

No—No error. This should always be the switch ETS

error state. •


Yes—Error detected.

Maximum Traffic Classes capable to support PFC

Largest number of traffic classes the local interface supports for ETS.

Code Point


Priority-Group

Class-of-service (CoS) priority group (forwarding class set) identification number.

Percentage B/W

Configured percentage of link bandwidth allocated to the priority group.

4779

®



Field Description Status of advertisements that the peer sends to the local interface.

Peer-Advertisement

Enable

Willing



•


Willingness of the peer to learn the ETS state from the local interface using DCBX: •

Yes—Peer is willing to learn the ETS state from the local

interface. •

No—Peer is not willing to learn the ETS state from the

local interface. Error

Configuration error status of the peer: •

No—No error in peer ETS TLV.

•

Yes—Error in peer ETS TLV.

Maximum Traffic Classes capable to support PFC

Largest number of traffic classes the peer supports for ETS.

Code Point


Priority-Group

CoS priority group (forwarding class set) identification number.

Percentage B/W

Configured percentage of link bandwidth allocated to the priority group.

Sample Output show dcbx neighbors interface (QFX Series)

user@switch> show dcbx neighbors interface xe-0/0/0 Interface : xe-0/0/0.0 - Parent Interface: ae0.0 Protocol-State: in-sync Active-application-map: app-map-1 Local-Advertisement: Operational version: 1 sequence-number: 130, acknowledge-id: 102 Peer-Advertisement: Operational version: 1 sequence-number: 102, acknowledge-id: 130 Feature: PFC, Protocol-State: in-sync

4780



Operational State: Enabled Local-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 8 Code Point 000 001 010 011 100 101 110 111

Admin Mode Enabled Enabled Disabled Enabled Disabled Disabled Disabled Disabled

Peer-Advertisement: Enable: Yes, Willing: Yes, Error: No Maximum Traffic Classes capable to support PFC: 8 Code Point 000 001 010 011 100 101 110 111

Admin Mode Enabled Enabled Disabled Enabled Disabled Disabled Disabled Disabled

Feature: Application, Protocol-State: in-sync Local-Advertisement: Enable: Yes, Willing: No, Error: No Appl-Name FCoE


Socket-Number

iSCSI

3260

Priority-Map 00001110 10000000

Status Enabled Enabled

Peer-Advertisement: Enable: Yes, Willing: Yes, Error: No Appl-Name FCoE


Socket-Number N/A

Priority-Map 00001110

Status Enabled

Feature: ETS, Protocol-State: in-sync Operational State: Enabled Local-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 8 Code Point 000 001 010


Priority-Group 0 7 7

4781

®


011 100 101 110 111 Priority-Group 0 1

7 0 1 1 7 Percentage B/W 40% 5%


show dcbx neighbors terse (QFX Series)

show dcbx neighbors (EX4500 Switch: FCoE Interfaces on Both Local and Peer with PFC Configured Compatibly)

Code Point 000 001 010 011 100 101 110 111

Priority-Group 0 7 7 7 0 1 1 7

Priority-Group 0 1

Percentage B/W 40% 5%

user@switch> show dcbx neighbors terse Interface Parent Interface xe-0/0/23.0 ae0.0 xe-0/0/24.0 ae0.0 xe-0/0/25.0 ae0.0 xe-0/0/26.0 ae0.0

PFC Disabled Disabled Disabled Disabled

App Disabled Disabled Disabled Disabled

ETS Enabled Enabled Enabled Enabled

user@switch> show dcbx neighbors interface xe-0/0/14 Interface : xe-0/0/14.0 - Parent Interface: ae0.0 Protocol-State: in-sync Local-Advertisement: Operational version: 0 sequence-number: 6, acknowledge-id: 6 Peer-Advertisement: Operational version: 0 sequence-number: 6, acknowledge-id: 6 Feature: PFC, Protocol-State: in-sync Operational State: Enabled Local-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 6 Code Point

4782

Admin Mode



000 001 010 011 100 101 110 111

Disabled Disabled Disabled Enabled Disabled Disabled Disabled Disabled

Peer-Advertisement: Enable: Yes, Willing: No, Error: No Maximum Traffic Classes capable to support PFC: 6 Code Point 000 001 010 011 100 101 110 111

Admin Mode Disabled Disabled Disabled Enabled Disabled Disabled Disabled Disabled

Feature: Application, Protocol-State: in-sync Local-Advertisement: Enable: Yes, Willing: No, Error: No show fip snooping VLAN : fcoevlan1 FC-MAP : 0e:fc:00 FCF : 00:10:94:00:00:01 Session Count : 2 Enode-MAC : 00:10:94:00:00:02 VN-Port-MAC : 0E:FC:00:00:00:05 VN-Port-MAC : 0E:FC:00:00:00:01

show fip snooping detail

user@switch> show fip snooping detail VLAN : fcoevlan1 FC-MAP : 0e:fc:00 FCF Information FCF-MAC : 00:10:94:00:00:01 Active Sessions : 2 Configured FKA-ADV : 258 Running FKA-ADV : 244 Enode Information Enode-MAC : 00:10:94:00:00:02 Interface : xe-0/0/1 Configured FKA-ADV : 258 Running FKA-ADV : 248 Session Information VN-Port MAC : 0E:FC:00:00:00:05 FKA-ADV : 264 VN-Port MAC : 0E:FC:00:00:00:01 FKA-ADV : 260


4787

®


show fip snooping enode Syntax

Release Information

Description Options

show fip snooping enode enode-mac

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display FIP snooping FCoE node (ENode) information. brief | detail—(Optional) Display the specified level of output. enode-mac—Display information for the ENode specified by the MAC address. vlan vlan-name—(Optional) Display FIP snooping information for the ENode on only the



Output Fields

view

•


•


•


•

show fip snooping fcf on page 4790

•

show fip snooping interface

•


•


show fip snooping enode on page 4789 show fip snooping enode detail on page 4789 Table 551 on page 4788 lists the output fields for the show fip snooping enode command. Output fields are listed in the approximate order in which they appear.

Table 551: show fip snooping enode Output Fields Field Name

Field Description

Level of Output

ENode and ENode MAC

MAC address of the ENode.

All

VLAN

Name of the VLAN.

All

Interface

Interface connected to the ENode.

All

4788



Table 551: show fip snooping enode Output Fields (continued) Field Name

Field Description

Configured FKA-ADV

FIP keepalive interval in seconds configured on the FCoE forwarder (FCF) multiplied by three. For example, if the FKA_ADV period configured on the FCF is 86 seconds, the value of this field is 258. This value remains constant.

Level of Output detail

For the QFX Series only, the output of this field is always 0 (zero) if the VLAN is an FCoE-FC gateway VLAN. If the VLAN is a FIP snooping VLAN (a transit switch VLAN), then the output is accurate. This is because for an FCoE-FC gateway VLAN, FIP snooping is performed internally and the keepalive advertisements are not tracked by the switch’s Ethernet module. Runtime interval in seconds of the last FIP keepalive advertisement the ENode sent to the FCF. This value changes every time the ENode sends an FKA_ADV to the FCF.

Running FKA-ADV

detail

For the QFX Series only, the output of this field is always 0 (zero) if the VLAN is an FCoE-FC gateway VLAN. If the VLAN is a FIP snooping VLAN (a transit switch VLAN), then the output is accurate. This is because for an FCoE-FC gateway VLAN, FIP snooping is performed internally and the keepalive advertisements are not tracked by the switch’s Ethernet module. VN-Port or VN-Port-MAC

MAC address of a VN_Port on the ENode.

All

FKA-ADV

Runtime interval in seconds of the last FIP keepalive advertisement the ENode sent to the FCF on behalf of the VN_Port (VN_Port FKA_ADV). This value changes every time the ENode sends a VN_Port FKA_ADV to the FCF.

detail

FCF or FCF-MAC

MAC address of the FCF to which the VN_Port is connected.

All

Sample Output show fip snooping enode

user@switch> show fip snooping enode 00:10:94:00:00:02 Enode : 00:10:94:00:00:02 VLAN : vlan1 Interface : xe-0/0/1 VN-Port-MAC FCF-MAC 0E:FC:00:00:00:05 00:10:94:00:00:01 0E:FC:00:00:00:01 00:10:94:00:00:01

show fip snooping enode detail

user@switch> show fip snooping enode 00:10:94:00:00:02 detail Enode MAC : 00:10:94:00:00:02 VLAN : vlan1 Interface : xe-0/0/1 Configured FKA-ADV : 258 Running FKA-ADV : 213 Session Information VN-Port : 0E:FC:00:00:00:05 FKA-ADV : 229 FCF : 00:10:94:00:00:01 VN-Port : 0E:FC:00:00:00:01 FKA-ADV : 225 FCF : 00:10:94:00:00:01


4789

®


show fip snooping fcf Syntax

Release Information

Description Options

show fip snooping fcf fcf-mac

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display FIP snooping FCoE forwarder (FCF) information. brief | detail—(Optional) Display the specified level of output. fcf-mac—Display information for the FCF specified by the MAC address. vlan-name—(Optional) Display FIP snooping information for the FCF on only the specified



Output Fields

view

•


•


•


•


•


•


•


show fip snooping fcf on page 4791 show fip snooping fcf detail on page 4791 Table 552 on page 4790 lists the output fields for the show fip snooping fcf command. Output fields are listed in the approximate order in which they appear.

Table 552: show fip snooping fcf Output Fields Field Name

Field Description

Level of Output

FCF or FCF-MAC

MAC address of the FCoE forwarder.

All

VLAN

Name of the VLAN.

All

Session Count

Current number of virtual link sessions with VN_Ports.

None

4790



Table 552: show fip snooping fcf Output Fields (continued) Field Name

Field Description

Level of Output

Configured FKA-ADV

FIP keepalive interval in seconds configured on the FCF multiplied by three. For example, if the FKA_ADV period configured on the FCF is 86 seconds, the value of this field is 258.

detail

Running FKA-ADV

Runtime interval in seconds of the last FIP keepalive advertisement the FCF received. This value changes every time the FCF receives an FKA_ADV.

detail

ENode-MAC

MAC address of the connected ENode.

All

•

Interface


detail

•

Configured FKA-ADV

FIP keepalive interval in seconds configured on the FCF multiplied by three. For example, if the FKA_ADV period configured on the FCF is 86 seconds, the value of this field is 258. This value remains constant.

detail

•

Running FKA-ADV

Runtime interval in seconds of the last FIP keepalive advertisement the ENode sent to the FCF. This value changes every time the ENode sends an FKA_ADV to the FCF.

detail

•

VN-Port MAC


All

•

FKA-ADV


detail

Sample Output show fip snooping fcf

user@switch> show fip snooping fcf 00:10:94:00:00:01 FCF : 00:10:94:00:00:01 VLAN : vlan1 Session Count : 2 Enode-MAC : 00:10:94:00:00:02 VN-Port-MAC : 0E:FC:00:00:00:05 VN-Port-MAC : 0E:FC:00:00:00:01

show fip snooping fcf detail

user@switch> show fip snooping fcf 00:10:94:00:00:01 detail FCF-MAC : 00:10:94:00:00:01 VLAN : vlan1 Configured FKA-ADV : 258 Running FKA-ADV : 222 Enode Information Enode-MAC : 00:10:94:00:00:02 Interface: xe-0/0/1 Configured FKA-ADV : 258 Running FKA-ADV : 226 Session Information VN-Port MAC : 0E:FC:00:00:00:05 FKA-ADV : 242 VN-Port MAC : 0E:FC:00:00:00:01 FKA-ADV : 238


4791

®


show fip snooping statistics Syntax

Release Information



show fip snooping statistics

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display FIP snooping statistics. vlan vlan-name—(Optional) Display FIP snooping statistics for the specified VLAN.

view

•


•


•


•


•


•


•


show fip snooping statistics on page 4793 Table 553 on page 4792 lists the output fields for the show fip snooping statistics command. Output fields are listed in the approximate order in which they appear.

Table 553: show fip snooping statistics Output Fields Field Name

Field Description

VLAN

Name of the VLAN for which a set of statistics is displayed.

Number of MDS

Number of multicast discovery solicitation messages sent on the VLAN.

Number of UDS

Number of unicast discovery solicitation messages sent on the VLAN.

Number of FLOGI

Number of fabric logins on the VLAN.

Number of FDISC

Number of fabric discovery logins on the VLAN.

Number of LOGO

Number of fabric logouts on the VLAN.

Number of ENode-keep-alive

Number of ENode keepalive messages sent on the VLAN.

Number of VNPort-keep-alive

Number of VN_Port keepalive messages sent on the VLAN.

4792



Table 553: show fip snooping statistics Output Fields (continued) Field Name

Field Description

Number of MDA

Number of multicast discovery advertisement messages sent on the VLAN.

Number of UDA

Number of unicast discovery advertisement messages sent on the VLAN.

Number of FLOGI_ACC

Number of fabric logins accepted on the VLAN.

Number of FLOGI_RJT

Number of fabric logins rejected on the VLAN.

Number of FDISC_ACC

Number of fabric discoveries accepted on the VLAN.

Number of FDISC_RJT

Number of fabric discoveries rejected on the VLAN.

Number of LOGO_ACC

Number of fabric logouts accepted on the VLAN.

Number of LOGO_RJT

Number of fabric logouts rejected on the VLAN.

Number of CVL

Number of clear virtual links (CVL) actions on the VLAN.

Sample Output show fip snooping statistics

user@switch> show fip snooping statistics VLAN: fcoevlan1 Number Number Number Number Number Number Number

of of of of of of of

MDS: UDS: FLOGI: FDISC: LOGO: Enode-keep-alive: VNPort-keep-alive:

2 2 2 2 0 200 200

Number Number Number Number Number Number Number Number Number

of of of of of of of of of

MDA: UDA: FLOGI_ACC: FLOGI_RJT: FDISC_ACC: FDISC_RJT: LOGO_ACC: LOGO_RJT: CVL:

25 2 2 0 2 0 0 0 0


4793

®


show fip snooping vlan Syntax

Release Information

Description Options

show fip snooping vlan vlan-name

Command introduced in Junos OS Release 10.4 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display FIP snooping VLAN information. brief | detail—(Optional) Display the specified level of output. vlan-name—Display information for the specified VLAN.



Output Fields

view

•


•


•


•


•


•


•


show fip snooping vlan on page 4795 show fip snooping vlan detail on page 4795 Table 554 on page 4794 lists the output fields for the show fip snooping vlan command. Output fields are listed in the approximate order in which they appear.

Table 554: show fip snooping vlan Output Fields Field Name

Field Description

Level of Output

VLAN

Name of the VLAN.

All

FC-MAP

FCoE mapped address prefix of the FCoE forwarder for the VLAN.

All

FCF or FCF-MAC

MAC address of the FCF.

All

Session Count or Active Sessions

Current number of virtual link sessions with VN_Ports.

All

Configured FKA-ADV

FIP keepalive interval in seconds configured on the FCF multiplied by three. For example, if the FKA_ADV period configured on the FCF is 86 seconds, the value of this field is 258.

detail

4794



Table 554: show fip snooping vlan Output Fields (continued) Field Name

Field Description

Level of Output

Running FKA-ADV

Runtime interval in seconds of the last FIP keepalive advertisement the FCF received. This value changes every time the FCF receives an FKA_ADV.

detail

ENode-MAC

MAC address of the connected ENode.

All

•

Interface


detail

•

Configured FKA-ADV

FIP keepalive interval in seconds configured on the FCF multiplied by three. For example, if the FKA_ADV period configured on the FCF is 86 seconds, the value of this field is 258. This value remains constant.

detail

•

Running FKA-ADV

Runtime interval in seconds of the last FIP keepalive advertisement the ENode sent to the FCF. This value changes every time the ENode sends an FKA_ADV to the FCF.

detail

•

VN-Port MAC


All

•

FKA-ADV


detail

Sample Output show fip snooping vlan

user@switch> show fip snooping vlan fcoevlan1 VLAN : fcoevlan1 FC-MAP : 0e:fc:00 FCF : 00:10:94:00:00:01 Session Count : 2 Enode-MAC : 00:10:94:00:00:02 VN-Port-MAC : 0E:FC:00:00:00:05 VN-Port-MAC : 0E:FC:00:00:00:01

show fip snooping vlan detail

user@switch> show fip snooping vlan fcoevlan1 detail VLAN : fcoevlan1 FC-MAP : 0e:fc:00 FCF Information FCF-MAC : 00:10:94:00:00:01 Active Sessions : 2 Configured FKA-ADV : 258 Running FKA-ADV : 235 Enode Information Enode-MAC : 00:10:94:00:00:02 Interface : xe-0/0/1 Configured FKA-ADV : 258 Running FKA-ADV : 239 Session Information VN-Port MAC : 0E:FC:00:00:00:05 FKA-ADV : 255 VN-Port MAC : 0E:FC:00:00:00:01 FKA-ADV : 251


4795

®


4796


PART 26

MPLS •

MPLS—Overview on page 4799

•

Examples of MPLS Configuration on page 4819

•

Configuring MPLS on page 4869

•

Verifying MPLS on page 4905

•

Configuration Statements for MPLS on page 4911

•

Operational Commands for MPLS on page 4953


4797

®


4798


CHAPTER 137

MPLS—Overview •

Junos OS MPLS for EX Series Switches Overview on page 4799

•

Understanding Junos OS MPLS Components for EX Series Switches on page 4801

•

Understanding MPLS and Path Protection on EX Series Switches on page 4806

•


•

Understanding MPLS Label Operations on EX Series Switches on page 4811

•

Understanding Using MPLS-Based Layer 2 and Layer 3 VPNs on EX Series Switches on page 4815

Junos OS MPLS for EX Series Switches Overview You can configure Junos OS MPLS on Juniper Networks EX Series Ethernet Switches to increase transport efficiency in the network. MPLS services can be used to connect various sites to a backbone network and to ensure better performance for low-latency applications such as voice over IP (VoIP) and other business-critical functions.

NOTE: MPLS configurations on EX Series switches are compatible with configurations on other Juniper Networks devices that support MPLS and MPLS-based circuit cross-connect (CCC). MPLS features available on the switches depend upon which switch you are using. See “EX Series Switch Software Features Overview” on page 3 for a complete list of the Junos OS MPLS features that are supported on specific switches.

NOTE: MPLS configurations on the switches do not support: •

Q-in-Q tunneling


Benefits of MPLS on page 4800

•

Additional Benefits of MPLS and Traffic Engineering on page 4800


4799

®


Benefits of MPLS MPLS has the following advantages over conventional packet forwarding: •

Packets arriving on different ports can be assigned different labels.

•

A packet arriving at a particular provider edge (PE) switch can be assigned a label that is different from that of the same packet entering the network at a different PE switch. As a result, forwarding decisions that depend on the ingress PE switch can be easily made.

•

Sometimes it is desirable to force a packet to follow a particular route that is explicitly chosen at or before the time the packet enters the network, rather than letting it follow the route chosen by the normal dynamic routing algorithm as the packet travels through the network. In MPLS, a label can be used to represent the route so that the packet need not carry the identity of the explicit route.

Additional Benefits of MPLS and Traffic Engineering MPLS is the packet-forwarding component of the Junos OS traffic engineering architecture. Traffic engineering provides the capabilities to do the following:


4800

•

Route primary paths around known bottlenecks or points of congestion in the network.

•

Provide precise control over how traffic is rerouted when the primary path is faced with single or multiple failures.

•

Provide efficient use of available aggregate bandwidth and long-haul fiber by ensuring that certain subsets of the network are not overutilized while other subsets of the network along potential alternate paths are underutilized.

•

Maximize operational efficiency.

•

Enhance the traffic-oriented performance characteristics of the network by minimizing packet loss, minimizing prolonged periods of congestion, and maximizing throughput.

•

Enhance statistically bound performance characteristics of the network (such as loss ratio, delay variation, and transfer delay) required to support a multiservice Internet.

•


•


•


•


•

Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure) on page 4893

•

Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit (CLI Procedure) on page 4896


Chapter 137: MPLS—Overview

Understanding Junos OS MPLS Components for EX Series Switches Juniper Networks Junos operating system (Junos OS) MPLS for Juniper Networks EX Series Ethernet Switches includes a number of components. Some components are required for all MPLS implementations and other components are required or not depending on the specific implementation or the specific switch. See “EX Series Switch Software Features Overview” on page 3 for a complete list of the Junos OS MPLS features that are supported on specific EX Series switches. This topic includes: •

Provider Edge Switches on page 4801

•

Provider Switch on page 4803

•

Components Required for All Switches in the MPLS Network on page 4803

Provider Edge Switches To implement MPLS on the switches, you must configure two provider edge (PE) switches—that is, an ingress (local) PE switch and an egress (remote) PE switch. The ingress PE switch (the entry point to the MPLS tunnel) receives a packet, analyzes it, and pushes an MPLS label onto it. This label places the packet in a forwarding equivalence class (FEC) and determines its handling and destination through the MPLS tunnel. The egress PE switch (the exit point from the MPLS tunnel) pops the MPLS label off the outgoing packet. MPLS traffic is bidirectional. Therefore, each PE switch can be configured to be both an ingress switch and an egress switch, depending on the direction of the traffic. The following MPLS components are configured on the PE switches but not on the provider switches: •

MPLS Protocol and Label-Switched Paths on page 4801

•

Circuit Cross-Connect for Customer Edge Interfaces on page 4802

•

IP Over MPLS for Customer Edge Interfaces on page 4802

•

BGP for Layer 2 VPN and Layer 3 VPN Configurations (EX8200 Switches Only) on page 4803

•

Routing Instances for Layer 2 VPN and Layer 3 VPN (EX8200 Switches Only) on page 4803

•

Ethernet Encapsulation for Layer 2 VPN (EX8200 Switches Only) on page 4803

•

LDP for Layer 2 Circuits (EX8200 Switches Only) on page 4803

MPLS Protocol and Label-Switched Paths Each PE switch must be configured to support the MPLS protocol. The configuration of a label-switched path (LSP) depends upon which signaling protocol is used: •

If the RSVP signaling protocol is used, the LSPs must be explicitly configured at the [edit protocols mpls] hierarchy level.


4801

®


•

If the LDP signaling protocol is used, LSP configuration is not required. (LDP signaling is used with Layer 2 circuit configurations.)

Circuit Cross-Connect for Customer Edge Interfaces You can configure the customer edge interface of the PE switches as a circuit cross-connect (CCC) to create a transparent connection between two circuits. When you configure an interface as a CCC, the interface is removed from the default VLAN if it was a member of that VLAN. The interface becomes an MPLS tunnel—used exclusively for MPLS packets. You can create different CCCs for different customers or for segregating different traffic streams over different MPLS tunnels. Using a CCC configuration, you can connect the following types of circuits: •

Local interface with remote interface or VLAN

•

Local VLAN with remote interface or VLAN

NOTE: To configure a VLAN circuit as a CCC, you must enable VLAN tagging and specify a VLAN ID. You must specify the same VLAN ID on both ends of the CCC. The VLAN CCC configuration must use the same type of switch for both PE switches. For example, you cannot use an EX8200 switch for one PE switch and an EX3200 or EX4200 switch for the other PE switch.

MPLS on EX Series switches does not support the following types of CCC configurations: •

Routed VLAN interfaces (RVIs) on switches other than EX8200 switches

•

Q-in-Q tunneling

On EX8200 switches only, the following types of CCC configurations are supported: •

Local switching—Connecting interfaces on the same switch

•

MPLS tunneling—Using LSPs as the conduit to connect two distant interface circuits

•

LSP stitching—Connecting LSPs that fall into two different traffic engineering database areas

•

Routed VLAN interfaces (RVIs) on customer edge interfaces

IP Over MPLS for Customer Edge Interfaces You can configure the customer edge interfaces of the PE switches for IP over MPLS using a Layer 3 interface and a static route from the ingress PE switch to the egress PE switch. See “Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure)” on page 4875.

4802



BGP for Layer 2 VPN and Layer 3 VPN Configurations (EX8200 Switches Only) If you are implementing a Layer 2 virtual private network (VPN) or a Layer 3 VPN, you must configure the BGP routing protocol on the PE switches.

Routing Instances for Layer 2 VPN and Layer 3 VPN (EX8200 Switches Only) If you are implementing a Layer 2 virtual private network (VPN) or a Layer 3 VPN, you must configure a routing instance. A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The set of interfaces belongs to the routing tables, and the routing protocol parameters control the information in the routing tables. EX Series switches support the following types of routing instances: •

Layer 2 virtual private network (VPN)—To support a Layer 2 VPN

•

VPN routing and forwarding (VRF)—To support a Layer 3 VPN

Each routing instance has a unique name and a corresponding IP unicast table. For example, if you configure a routing instance with the name my-instance, its corresponding IP unicast table will be my-instance.inet.0. All routes for my-instance are installed in my-instance.inet.0.

Ethernet Encapsulation for Layer 2 VPN (EX8200 Switches Only) If you are implementing a Layer 2 VPN, you must also configure the physical layer encapsulation type on the customer edge interface and within the routing instance.

LDP for Layer 2 Circuits (EX8200 Switches Only) If you are implementing a Layer 2 circuit configuration, you must configure LDP as the signaling protocol on the PE switches.

Provider Switch You must configure one or more provider switches as transit switches within the network to support the forwarding of MPLS packets. You can add provider switches without changing the configuration of the PE switches. A provider switch does not analyze the packets. It refers to an MPLS label forwarding table and swaps one label for another. The new label determines the next hop along the MPLS tunnel. A provider switch cannot perform push or pop operations.

Components Required for All Switches in the MPLS Network The following MPLS components are configured on both the PE switches and the provider switches: •

Routing Protocol on page 4804

•

Traffic Engineering on page 4804

•

MPLS Protocol on page 4804

•

RSVP on page 4804


4803

®


•

LDP on page 4805

•

Family mpls on page 4805

Routing Protocol MPLS works in coordination with the interior gateway protocol (IGP). Therefore, you must configure OSPF or IS-IS as the routing protocol on the loopback interface and core interfaces of both the PE switches and the provider switches. The core interfaces can be either Gigabit Ethernet or 10-Gigabit Ethernet interfaces, and they can be configured as either individual interfaces or aggregated Ethernet interfaces.

NOTE: These core interfaces cannot be configured with VLAN tagging or a VLAN ID. When you configure them to belong to family mpls, they are removed from the default VLAN if they were members of that VLAN. They operate as an exclusive tunnel for MPLS traffic.

Traffic Engineering Traffic engineering maps traffic flows onto an existing physical topology and provides the ability to move traffic flow away from the shortest path selected by the IGP and to a potentially less congested physical path across a network. Traffic engineering enables the selection of specific end-to-end paths to send given types of traffic through your network. The configuration of traffic engineering depends upon which routing protocol is being used: •

With OSPF—Traffic engineering needs to be enabled.

•

With IS-IS—Traffic engineering is enabled by default.

MPLS Protocol You must enable the MPLS protocol on all switches that participate in the MPLS network and apply it to the core interfaces of both the PE and provider switches. You do not need to apply it to the loopback interface, because the MPLS protocol uses the framework established by the signaling protocol to create LSPs. On the PE switches, the configuration of the MPLS protocol must also include the definition of an LSP.

RSVP RSVP is a signaling protocol that allocates and distributes labels throughout an MPLS network. RSVP sets up unidirectional paths between the ingress PE switch and the egress PE switch. RSVP makes the LSPs dynamic; it can detect topology changes and outages and establish new LSPs to allow traffic to move around a failure. You must enable RSVP and apply it to the loopback interface and the core interface of both the PE and provider switches. The path message contains the configured information about the resources required for the LSP to be established.

4804



When the egress switch receives the path message, it sends a reservation message back to the ingress switch. This reservation message is passed along from switch to switch along the same path as the original path message. Once the ingress switch receives this reservation message, an RSVP path is established. The established LSP stays active as long as the RSVP session remains active. RSVP continues activity through the transmissions and responses to RSVP path and reservation messages. If the messages stop for three minutes, the RSVP session terminates and the LSP is lost. RSVP runs as a separate software process in the Junos OS and is not in the packet-forwarding path.

LDP LDP is a signaling protocol available on EX8200 switches only. LDP is a simple, fast-acting signaling protocol that automatically establishes LSP adjacencies within an MPLS network. Switches then share LSP updates such as hello packets and LSP advertisements across the adjacencies. Because LDP runs on top of an interior gateway protocol (IGP) such as IS-IS or OSPF, you must configure LDP and the IGP on the same set of interfaces. After both are configured, LDP begins transmitting and receiving LDP messages through all LDP-enabled interfaces. Because of LDP's simplicity, it cannot perform true traffic engineering like RSVP. LDP does not support bandwidth reservation or traffic constraints.

NOTE: LDP can be used with basic MPLS or with MPLS and a Layer 2 circuit configuration.

Family mpls You must configure the core interfaces used for MPLS traffic to belong to family mpls.

NOTE: You can enable family mpls on either individual interfaces or on aggregated Ethernet interfaces. You cannot enable it on tagged VLAN interfaces.


•


•


•


•


•



4805

®


•


•


•

Configuring MPLS on Provider Switches (CLI Procedure) on page 4870

•


•


Understanding MPLS and Path Protection on EX Series Switches Junos OS MPLS for Juniper Networks EX Series Ethernet Switches provides path protection to protect your MPLS network from label switched path (LSP) failures. By default, an LSP routes itself hop-by-hop from the ingress provider edge switch through the provider switches toward the egress provider edge switch. The LSP generally follows the shortest path as dictated by the local routing table, usually taking the same path as destination-based, best-effort traffic. These paths are “soft” in nature because they automatically reroute themselves whenever a change occurs in a routing table or in the status of a node or link. Typically, when an LSP fails, the switch immediately upstream from the failure signals the outage to the ingress provider edge switch. The ingress provider edge switch calculates a new path to the egress provider edge switch, establishes the new LSP, and then directs traffic from the failed path to the new path. This rerouting process can be time-consuming and prone to failure. For example, the outage signals to the ingress switch might get lost or the new path might take too long to come up, resulting in significant packet drops. You can configure path protection by configuring primary and secondary paths on the ingress switch. If the primary path fails, the ingress switch immediately reroutes traffic from the failed path to the standby path, eliminating the need for the ingress switch to calculate a new route and signal a new path. For information about configuring standby LSPs, see “Configuring Path Protection in an MPLS Network (CLI Procedure)” on page 4871. Related Documentation

4806

•

Junos OS MPLS for EX Series Switches Overview on page 4799

•


•


•

Configuring MPLS on Provider Edge Switches (CLI Procedure)

•




Understanding Using CoS with MPLS Networks on EX Series Switches You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. See EX Series Switch Software Features Overview for a complete list of the Junos OS MPLS features that are supported on specific EX Series switches. Juniper Networks EX Series Ethernet Switches support Differentiated Service Code Point (DSCP) or IP precedence and IEEE 802.1p CoS classifiers on the customer-edge interfaces of the ingress provider edge (PE) switch. DSCP or IP precedence classifiers are used for Layer 3 packets. IEEE 802.1p is used for Layer 2 packets. When a packet enters a customer-edge interface of the ingress PE switch, the switch associates the packet with a particular CoS servicing level before putting the packet onto the label-switched path (LSP). The switches within the LSP utilize the CoS value set at the ingress PE switch. The CoS value that was embedded in the classifier is translated and encoded in the MPLS header by means of the EXP or experimental bits. EX Series switches enable a default EXP classifier and a default EXP rewrite rule. For more information about EXP classifiers and EXP rewrite rules, see EXP Classifiers and EXP rewrite Rules. This topic includes: •

EXP Classifiers and EXP rewrite Rules on page 4807

•

Guidelines for Using CoS Classifiers on CCCs on page 4807

•

Using CoS Classifiers with IP over MPLS on page 4808

•

Setting CoS Bits in an MPLS Header on page 4808

•

EXP Rewrite Rules on page 4810

•

Policer on page 4810

•


EXP Classifiers and EXP rewrite Rules EX Series switches enable a default EXP classifier and a default EXP rewrite rule. You can configure a custom EXP classifier and a custom EXP rewrite rule if you prefer. However, the switch supports only one type of EXP classifier (default or custom) and only one EXP rewrite rule (default or custom). You do not bind the EXP classifier or the EXP rewrite rule to individual interfaces. The switch automatically and implicitly applies the default or the custom EXP classifier and the default or the custom EXP rewrite rule to the appropriate MPLS-enabled interfaces. Because rewrite rules affect only egress interfaces, the switch applies the EXP rewrite rule only to those MPLS interfaces that are transmitting MPLS packets (not to the MPLS interfaces that are receiving the packets).

Guidelines for Using CoS Classifiers on CCCs When you are configuring CoS for MPLS over circuit cross-connect (CCC), there are some additional guidelines, as follows:


4807

®


•

You must explicitly bind a CoS classifier to the CCC interface on the ingress PE switch.

•

You must use the same DSCP, IP precedence, or IEEE 802.1p classifier on CCC interfaces. However, if the CCC interfaces are on the same switch, you cannot configure both a DSCP and an IP precedence classifier on these interfaces. Thus, if you configure one CCC interface to use a DSCP classifier DSCP1, you cannot configure another CCC interface to use another DSCP classifier DSCP2. All the CCC interfaces on the switch must use the same DSCP (or IP precedence) classifier and the same IEEE 802.1p classifier.

•

You cannot configure one CCC interface to use a DSCP classifier and another CCC interface to use an IP precedence classifier, because these classifier types overlap.

•

You can configure one CCC interface to use a DSCP classifier and another CCC interface to use IEEE 802.1p classifier.

•

You can configure one CCC interface to use both a DSCP and an IEEE 802.1p classifier. If you configure a CCC interface to use both these classifiers, the DSCP classifier is used for routing Layer 3 packets and the IEEE 802.1p classifier is used for routing Layer 2 packets.

•

You can configure one CCC interface to use both an IP precedence and an IEEE 802.1p classifier. If you configure a CCC interface to use both these classifiers, the IP precedence classifier is used for routing Layer 3 packets and the IEEE 802.1p classifier is used for routing Layer 2 packets.

NOTE: These guidelines are not applicable to Juniper Networks EX8200 Ethernet Switches (standalone or Virtual Chassis).

You can define multiple DSCP, IP precedence, and IEEE 802.1p classifiers for the non-CCC interfaces on a switch.

Using CoS Classifiers with IP over MPLS When you are configuring CoS for IP over MPLS, the customer-edge interface uses the CoS configuration for the switch as the default. You do not have to bind a classifier to the customer-edge interface in this case. There are no restrictions on using multiple DSCP, IP precedence, and IEEE 802.1p classifiers on the same switch. •

You can modify the CoS classifier for a particular interface, but it is not required.

•

You can configure a DSCP classifier, DSCP1 on the first interface, another DSCP classifier, DSCP2 on the second interface, and an IP precedence classifier on a third interface, and so forth.

Setting CoS Bits in an MPLS Header When traffic enters an LSP tunnel, the CoS bits in the MPLS header are set in one of two ways: •

4808

The number of the output queue into which the packet was buffered and the packet loss priority (PLP) bit are written into the MPLS header and are used as the packet’s



CoS value. This behavior is the default, and no configuration is required. The Junos OS Class of Service Configuration Guide explains the IP CoS values, and summarizes how the CoS bits are treated. You set a fixed CoS value on all packets entering the LSP tunnel. A fixed CoS value means that all packets entering the LSP receive the same class of service.

•

The CoS value can be a decimal number from 0 through 7. This number corresponds to a 3-bit binary number. The high-order 2 bits of the CoS value select which transmit queue to use on the outbound interface card. The low-order bit of the CoS value is treated as the PLP bit and is used to select the RED drop profile to use on the output queue. If the low-order bit is 0, the non-PLP drop profile is used, and if the low-order bit is 1, the PLP drop profile is used. It is generally expected that random early detection (RED) will more aggressively drop packets that have the PLP bit set. For more information about RED and drop profiles, see the Junos OS Class of Service Configuration Guide.

NOTE: Configuring the PLP drop profile to drop packets more aggressively (for example, setting the CoS value from 6 to 7) decreases the likelihood of traffic getting through.

Table 495 on page 4446 summarizes how MPLS CoS values correspond to the transmit queue and PLP bit. Note that in MPLS, the mapping between the CoS bit value and the output queue is hard-coded. You cannot configure the mapping for MPLS; you can configure it only for IPv4 traffic flows, as described in the Junos OS Class of Service Configuration Guide.

Table 555: MPLS CoS Values MPLS CoS Value

Bits

Transmit Queue

PLP Bit

0

000

0

Not set

1

001

0

Set

2

010

1

Not set

3

011

1

Set

4

100

2

Not set

5

101

2

Set

6

110

3

Not set

7

111

3

Set


4809

®


Because the CoS value is part of the MPLS header, the value is associated with the packets only while they travel through the LSP tunnel. The value is not copied back to the IP header when the packets exit from the LSP tunnel.

NOTE: On EX8200 switches that run MPLS-based Layer 2 virtual private networks (VPNs): •

If you configure an LSP CoS, the EXP bits of the MPLS packet continue to use the same CoS values that are configured at the interface level.

•

For Virtual Chassis, if the input and output interfaces are on different line cards, then the loss priority value that you configured on the first line card is not carried to the subsequent line cards. The loss priority for the outgoing traffic from the subsequent line cards is always set to low.

EXP Rewrite Rules When traffic passes from the customer-edge interface to an MPLS interface, the DSCP, IP precedence, or IEEE 802.1p CoS classifier is translated into the EXP bits within the MPLS header. You cannot disable the default EXP rewrite rule, but you can configure your own custom EXP classifier and a custom EXP rewrite rule. You cannot bind the EXP classifier to individual MPLS interfaces; the switch applies it globally to all the MPLS-enabled interfaces on the switch. Only one EXP rewrite rule (either default or custom) is supported on a switch. The switch applies it to all the egress interfaces on which MPLS is enabled.. This is, however, not the case with EX8200 switches. With EX8200 switches, you must explicitly apply the rewrite rule on each of the egress interfaces.

Policer Policing helps to ensure that the amount of traffic forwarded through an LSP never exceeds the requested bandwidth allocation. During periods of congestion (when the total rate of queuing packets exceeds the rate of transmission), any new packets being sent to an interface can be dropped because there is no place to store them. You can configure a policer on the ingress PE switch to prevent this: •

If you are using MPLS over CCC, you bind the policer to the LSP. You cannot bind a policer to a CCC interface.

•

If you are using IP over MPLS, you bind the policer to the inet-family customer-edge interface. You cannot bind a policer to the LSP when you are using IP over MPLS.

NOTE: You cannot configure LSP policers on EX8200 switches.

Schedulers The schedulers for using CoS with MPLS are the same as for the other CoS configurations on EX Series switches. Default schedulers are provided for best-effort and network-control

4810



forwarding classes. If you are using assured-forwarding, expedited-forwarding, or any custom forwarding class, we recommend that you configure a scheduler to support that forwarding class. See “Understanding CoS Schedulers” on page 4434. Related Documentation

•


•


•


•


•


•

Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) on page 4511 Configuring CoS Bits for an MPLS Network (CLI Procedure) on page 4887

Understanding MPLS Label Operations on EX Series Switches In the traditional packet-forwarding paradigm, as a packet travels from one switch to the next, an independent forwarding decision is made at each hop. The IP network header is analyzed and the next hop is chosen based on this analysis and on the information in the routing table. In an MPLS environment, the analysis of the packet header is made only once, when a packet enters the MPLS tunnel (that is, the path used for MPLS traffic). When an IP packet enters a label-switched path (LSP), the ingress provider edge (PE) switch examines the packet and assigns it a label based on its destination, placing the label in the packet’s header. The label transforms the packet from one that is forwarded based on its IP routing information to one that is forwarded based on information associated with the label. The packet is then forwarded to the next provider switch in the LSP. This switch and all subsequent switches in the LSP do not examine any of the IP routing information in the labeled packet. Rather, they use the label to look up information in their label forwarding table. They then replace the old label with a new label and forward the packet to the next switch in the path. When the packet reaches the egress PE switch, the label is removed, and the packet again becomes a native IP packet and is again forwarded based on its IP routing information. This topic describes: •

MPLS Label-Switched Paths and MPLS Labels on the Switches on page 4811

•

Reserved Labels on page 4812

•

MPLS Label Operations on the Switches on page 4813

•

Penultimate-Hop Popping and Ultimate-Hop Popping on page 4814

MPLS Label-Switched Paths and MPLS Labels on the Switches When a packet enters the MPLS network, it is assigned to an LSP. Each LSP is identified by a label, which is a short (20-bit), fixed-length value at the front of the MPLS label (32 bits). Labels are used as lookup indexes for the label forwarding table. For each label,


4811

®


this table stores forwarding information. Because no additional parsing or lookup is done on the encapsulated packet, MPLS supports the transmission of any other protocols within the packet payload.

NOTE: The implementation of MPLS on Juniper Networks EX3200 and EX4200 Ethernet Switches supports only single-label packets. However, MPLS on Juniper Networks EX8200 Ethernet Switches supports packets with as many as three labels.

Figure 132 on page 4812 shows the encoding of a single label. The encoding appears after data link layer headers, but before any network layer header.

Figure 132: Label Encoding

Reserved Labels Labels range from 0 through 1,048,575. Labels 0 through 999,999 are for internal use. Some of the reserved labels (in the range 0 through 15) have well-defined meanings. The following reserved labels are used by the switches:

4812

•

0, IPv4 Explicit Null label—This value is valid only when it is the sole label entry (no label stacking). It indicates that the label must be popped on receipt. Forwarding continues based on the IP version 4 (IPv4) packet.

•

1, Router Alert label—When a packet is received with a top label value of 1, it is delivered to the local software module for processing.

•

2, IPv6 Explicit Null label—This value is legal only when it is the sole label entry (no label stacking). It indicates that the label must be popped on receipt.

•

3, Implicit Null label—This label is used in the signaling protocol (RSVP) only to request label popping by the downstream switch. It never actually appears in the encapsulation.



Labels with a value of 3 must not be used in the data packet as real labels. No payload type (IPv4 or IPv6) is implied with this label.

MPLS Label Operations on the Switches EX Series switches support the following label operations: •

Push

•

Pop

•

Swap

The push operation affixes a new label to the top of the IP packet. For IPv4 packets, the new label is the first label. The time to live (TTL) field value in the packet header is derived from the IP packet header. The push operation cannot be applied to a packet that already has an MPLS label. The pop operation removes a label from the beginning of the packet. Once the label is removed, the TTL is copied from the label into the IP packet header, and the underlying IP packet is forwarded as a native IP packet The swap operation removes an existing MPLS label from an IP packet and replaces it with a new MPLS label, based on the following: •

Incoming interface

•

Label

•

Label forwarding table

Figure 133 on page 4813 shows an IP packet without a label arriving on the customer edge interface (ge-0/0/1) of the ingress PE switch. The ingress PE switch examines the packet and identifies that packet’s destination as the egress PE switch. The ingress PE switch applies label 100 to the packet and sends the MPLS packet to its outgoing MPLS core interface (ge-0/0/5). The MPLS packet is transmitted on the MPLS tunnel through the provider switch, where it arrives at interface ge-0/0/5 with label 100. The provider switch swaps label 100 to label 200 and forwards the MPLS packet through its core interface (ge-0/0/7) to the next hop on the tunnel, which is the egress PE switch. The egress PE switch receives the MPLS packet through its core interface (ge-0/0/7), removes the MPLS label, and sends the IP packet out of its customer edge interface (ge-0/0/1) to a destination that is beyond the tunnel.

Figure 133: MPLS Label Swapping

Figure 133 on page 4813 shows the path of a packet as it passes in one direction from the ingress PE switch to the egress PE switch. However, the MPLS configuration also allows


4813

®


traffic to travel in the reverse direction. Thus, each PE switch operates as both an ingress switch and an egress switch.

Penultimate-Hop Popping and Ultimate-Hop Popping The switches enable penultimate-hop popping (PHP) by default with IP over MPLS configurations. With PHP, the penultimate provider switch is responsible for popping the MPLS label and forwarding the traffic to the egress PE switch. The egress PE switch then performs an IP route lookup and forwards the traffic. This reduces the processing load on the egress PE switch, because it is not responsible for popping the MPLS label. On EX8200 switches, you can choose to use either the default, PHP, or to configure ultimate-hop popping.


4814

•

The default advertised label is label 3 (Implicit Null label). If label 3 is advertised, the penultimate-hop switch removes the label and sends the packet to the egress PE switch.

•

If ultimate-hop popping is enabled, label 0 (IPv4 Explicit Null label) is advertised and the egress PE switch of the LSP removes the label.

•


•


•


•


•


•


•




Understanding Using MPLS-Based Layer 2 and Layer 3 VPNs on EX Series Switches On EX8200 switches, you can use MPLS-based Layer 2 and Layer 3 virtual private networks (VPNs) or MPLS Layer 2 circuits, allowing you to securely connect geographically diverse sites across an MPLS network. MPLS services can be used to connect various sites to a backbone network and to ensure better performance for low-latency applications such as voice over IP (VoIP) and other business-critical functions. A VPN uses a public telecommunications infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network. VPNs are designed to provide the same level of performance and security as privately owned or leased networks but without the attendant costs. This topic describes: •

MPLS-Based Layer 2 VPNs on page 4815

•

Layer 2 Circuits on page 4816

•

MPLS-Based Layer 3 VPNs on page 4816

•

Comparing an MPLS-Based Layer 3 VPN and an MPLS-Based Layer 2 VPN on page 4817

MPLS-Based Layer 2 VPNs In an MPLS-based Layer 2 VPN, traffic is forwarded by the customer’s customer edge (CE) switch (or router) to the service provider’s provider edge (PE) switch in a Layer 2 format. It is carried by MPLS over the service provider’s network and then converted back to Layer 2 format at the receiving site. On a Layer 2 VPN, routing occurs on the customer’s switches, typically on the CE switch. The CE switch connected to a service provider on a Layer 2 VPN must select the appropriate circuit on which to send traffic. The PE switch receiving the traffic sends it across the service provider’s network to the PE switch connected to the receiving site. The PE switches do not store or process the customer’s routes; the switches must be configured to send data to the appropriate tunnel. For a Layer 2 VPN, customers must configure their own switches to carry all Layer 3 traffic. The service provider must detect only how much traffic the Layer 2 VPN will need to carry. The service provider’s switches carry traffic between the customer’s sites using Layer 2 VPN interfaces. The VPN topology is determined by policies configured on the PE switches. Customers must know only which VPN interfaces connect to which of their own sites. Figure 134 on page 4816 illustrates a full-mesh Layer 2 VPN in which each site has a VPN interface linked to each of the other customer sites. In a full-mesh topology between all three sites, each site requires two logical interfaces (one for each of the other CE routers or switches), although only one physical link is needed to connect each PE switch to each CE router or switch.


4815

®


Figure 134: Layer 2 VPN Connecting CE Switches

CE

Circuit to Site 1

Circuit to Site 3

g017177

Site 2

Provider Network PE

Site 1

Site 3 Circuit to Site 2

Circuit to Site 2 CE

PE Circuit to Site 3

CE

PE Circuit to Site 1

Layer 2 Circuits A Layer 2 circuit is a point-to-point Layer 2 connection that uses MPLS or another tunneling technology on the service provider’s network. A Layer 2 circuit is similar to a circuit cross-connect (CCC), except that multiple Layer 2 circuits can be transported over a single label-switched path (LSP) tunnel between two provider edge (PE) switches. In contrast, each CCC requires a dedicated LSP. The Junos OS implementation of Layer 2 circuits supports only the remote form of a Layer 2 circuit; that is, a connection from a local customer edge (CE) switch to a remote CE switch. Packets are sent to the remote CE switch by means of an egress virtual private network (VPN) label advertised by the remote PE switch. The VPN label transits over either an RSVP or an LDP LSP (or other type) tunnel to the remote PE switch connected to the remote CE switch. LDP is the signaling protocol used for advertising VPN labels. Return traffic sent from the remote CE switch to the local CE switch uses an ingress VPN label advertised by the local PE switch.

MPLS-Based Layer 3 VPNs In Junos OS, Layer 3 VPNs are based on RFC 4364, BGP/MPLS IP Virtual Private Networks. RFC 4364 defines a mechanism by which service providers can use their IP backbones to provide VPN services to their customers. A Layer 3 VPN is a set of sites that share common routing information and whose connectivity is controlled by a collection of policies. The sites that make up a Layer 3 VPN are connected over a provider’s existing public Internet backbone. Customer networks, because they are private, can use either public or private addresses, as defined in RFC 1918, Address Allocation for Private Internets. When customer networks that use private addresses connect to the public Internet infrastructure, the private addresses might overlap with the same private addresses used by other network users. BGP/MPLS VPNs solve this problem by adding a VPN identifier prefix to each address from a particular VPN site, thereby creating an address that is unique both within the

4816



VPN and on the public Internet. In addition, each VPN has its own VPN-specific routing table that contains the routing information for that VPN only. Two different VPNs can use overlapping addresses. Each route within a VPN is assigned an MPLS label (for example, MPLS-ARCH, MPLS-BGP, or MPLS-ENCAPS). When BGP distributes a VPN route, it also distributes an MPLS label for that route. Before a customer data packet travels across the service provider’s backbone, it is encapsulated along with the MPLS label that corresponds to the route within the customer’s VPN that is the best match based on the packet’s destination address. This MPLS packet is further encapsulated with another MPLS label or with an IP, so that it gets tunneled across the backbone to the egress provider edge (PE) switch. Thus, the backbone core switches do not need to know the VPN routes.

Comparing an MPLS-Based Layer 3 VPN and an MPLS-Based Layer 2 VPN EX8200 switches can support the following kinds of MPLS-based VPNs:


•

Layer 3 VPNs—The service provider participates in the customer’s Layer 3 routing. Layer 3 VPNs allow customers to leverage the service provider’s technical expertise to ensure efficient site-to-site routing. The customer’s CE switch uses a routing protocol such as BGP or OSPF to communicate with the provider’s PE switch to carry IP prefixes across the network. MPLS-based Layer 3 VPNs use IP over MPLS. Other protocol packets are not supported.

•

Layer 2 VPNs—The service provider interconnects customer sites using Layer 2 technology. Layer 2 VPNs give customers complete control over their own routing.

•


•


•

Example: Configuring MPLS-Based Layer 2 VPNs on page 4845

•

Example: Configuring MPLS-Based Layer 3 VPNs on EX Series Switches on page 4858

•


•



4817

®


4818


CHAPTER 138

Examples of MPLS Configuration •


•


•


•


Example: Configuring MPLS on EX Series Switches You can configure MPLS on EX Series switches to increase transport efficiency in your network. MPLS services can be used to connect various sites to a backbone network and to ensure better performance for low-latency applications such as voice over IP (VoIP) and other business-critical functions. To implement MPLS on the switches, you must configure two provider edge (PE) switches—an ingress PE switch and an egress PE switch— and at least one provider (transit) switch. You can configure the customer edge (CE) interfaces on the PE switches of the MPLS network as either circuit cross-connect (CCC) or IP (family inet) interfaces. This example shows how to configure an MPLS tunnel using a simple interface as a CCC:

NOTE: This example shows how to configure MPLS using a simple interface as a CCC. For information on configuring a tagged VLAN interface as a CCC, see “Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure)” on page 4893 or “Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit (CLI Procedure)” on page 4896.

•


•


•


•


•

Configuring the Provider Switch on page 4829

•



4819

®




•


Before you begin configuring MPLS, ensure that you have configured the routing protocol (OSPF or IS-IS) on the core interface and the loopback interface on all the switches. This example includes the configuration of OSPF on all the switches. For information on configuring IS-IS as the routing protocol, see the Junos OS Routing Protocols Configuration Guide.

Overview and Topology This example includes an ingress or local PE switch, an egress or remote PE switch, and one provider switch. It includes CCCs that tie the customer edge interface of the local PE switch (PE-1) to the customer edge interface of the remote PE switch (PE-2). It also describes how to configure the core interfaces of the PE switches and the provider switch to support the transmission of the MPLS packets. In this example, the core interfaces that connect the local PE switch and the provider switch are individual interfaces, while the core interfaces that connect the remote PE switch and the provider switch are aggregated Ethernet interfaces.

NOTE: •

Core interfaces cannot be tagged VLAN interfaces.

•

Core interfaces can be aggregated Ethernet interfaces. This example includes a LAG between the provider switch and the remote PE switch because this type of configuration is another option you can implement. For information on configuring LAGs, see “Configuring Aggregated Ethernet Links (CLI Procedure)” on page 1867.

Figure 135 on page 4821 shows the topology used in this example.

4820


Chapter 138: Examples of MPLS Configuration

Figure 135: Configuring MPLS on EX Series Switches Label-switched path Transmit and receive bidirectional

P

PE-1 lo0 127.1.1.1/32 IP packet

ge-0/0/5 10.1.5.1/24 ge-0/0/1 CCC ge-0/0/6 10.1.6.1/24

Egress provider edge switch

Provider switch

PE-2 ae0 10.1.9.1/24

lo0 127.1.1.2/32 MPLS packet

ge-0/0/5 ge-0/0/7 10.1.5.2/24 ge-0/0/8

MPLS packet

ae0 10.1.9.2/24

lo0 127.1.1.3/32 ge-0/0/7

MPLS packets

ge-0/0/6 ge-0/0/9 10.1.6.2/24

ge-0/0/8

ge-0/0/1 CCC

ge-0/0/9

IP packet

g020306

Ingress provider edge switch

Table 556 on page 4821 shows the MPLS configuration components used for the ingress PE switch in this example.

Table 556: Components of the Ingress PE Switch in the Topology for MPLS with Interface-Based CCC Property

Settings

Description


EX Series switch

PE-1

Loopback address

lo0 127.1.1.1/32

Identifies PE-1 for interswitch communications.

Routing protocol

ospf traffic-engineering

Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.

MPLS protocol and definition of label-switched path

mpls

Indicates that this PE switch is using the MPLS protocol with the specified LSP to reach the other PE switch (specified by the loopback address).

label-switched-path lsp_to_pe2_ge1 to 127.1.13

The statement must also specify the core interfaces to be used for MPLS traffic. RSVP

rsvp

Indicates that this switch is using RSVP. The statement must specify the loopback address and the core interfaces that will be used for the RSVP session.

Interface family

family inet

The logical units of the core interfaces are configured to belong to both family inet and family mpls.

family mpls family ccc


The logical unit of the customer edge interface is configured to belong to family ccc.

4821

®


Table 556: Components of the Ingress PE Switch in the Topology for MPLS with Interface-Based CCC (continued) Property

Settings

Description

Customer edge interface

ge-0/0/1

Interface that connects this network to devices outside the network.

Core interfaces

ge-0/0/5.0 and ge-0/0/6.0 with IP addresses 10.1.5.1/24 and 10.1.6.1/24

Interfaces that connect to other switches within the MPLS network.

CCC definition

connections remote-interface-switch ge-1-to-pe2

Associates the circuit cross-connect (CCC), ge-0/0/1, with the LSPs that have been defined on the local and remote PE switches.

interface ge-0/0/1.0 transmit-lsp lsp_to_pe2_ge1 receive-lsp lsp_to_pe1_ge1

Table 557 on page 4822 shows the MPLS configuration components used for the egress PE switch in this example.

Table 557: Components of the Egress PE Switch in the Topology for MPLS with Interface-Based CCC Property

Settings

Description

Remote PE switch hardware

EX Series switch

PE-2

Loopback address

lo0 127.1.1.3/32

Identifies PE-2 for interswitch communications.

Routing protocol



MPLS protocol and definition of label-switched path

mpls

Indicates that this PE switch is using the MPLS protocol with the specified label-switched path (LSP) to reach the other PE switch.

label-switched-path lsp_to_pe1_ge1 to 127.1.1.1

The statement must also specify the core interfaces to be used for MPLS traffic. RSVP

4822

rsvp

Indicates that this switch is using RSVP. The statement must specify the loopback address and the core interfaces that will be used for the RSVP session.



Table 557: Components of the Egress PE Switch in the Topology for MPLS with Interface-Based CCC (continued) Property

Settings

Description

Interface family

family inet

The logical unit of the core interface is configured to belong to both family inet and family mpls.

family mpls family ccc

The logical unit of the customer edge interface is configured to belong to family ccc.


ge-0/0/1

Interface that connects this network to devices outside the network.

Core interface

ae0 with IP address 10.1.9.2/24

Aggregated Ethernet interface on PE-2 that connects to aggregated Ethernet interface ae0 of the provider switch and belongs to family mpls.

CCC definition

connections remote-interface-switch ge-1-to-pe1

Associates the CCC, ge-0/0/1, with the LSPs that have been defined on the local and remote PE switches.

interface ge-0/0/1.0 transmit-lsp lsp_to_pe1_ge1; receive-lsp lsp_to_pe2_ge1;

Table 558 on page 4823 shows the MPLS configuration components used for the provider switch in this example.

Table 558: Components of the Provider Switch in the Topology for MPLS with Interface-Based CCC Property

Settings

Description

Provider switch hardware

EX Series switch

Transit switch within the MPLS network configuration.

Loopback address

lo0 127.1.1.2/32

Identifies provider switch for interswitch communications.

Routing protocol



MPLS protocol

mpls

Indicates that this switch is using the MPLS protocol. The statement must specify the core interfaces that will be used for MPLS traffic.


4823

®


Table 558: Components of the Provider Switch in the Topology for MPLS with Interface-Based CCC (continued) Property

Settings

Description

RSVP

rsvp

Indicates that this switch is using RSVP. The statement must specify the loopback and the core interfaces that will be used for the RSVP session.

Interface family

family inet

The logical units for the loopback interface and the core interfaces belong to family inet.

family mpls

The logical units of the core interfaces are also configured to belong to family mpls. Core interfaces

ge-0/0/5.0 and ge-0/0/6.0 with IP addresses 10.1.5.1/24 and 10.1.6.1/24 and ae0 with IP address 10.1.9.1/24

Interfaces that connect the provider switch (P) to PE-1. Aggregated Ethernet interface on P that connects to aggregated Ethernet interface ae0 of PE-2.


To quickly configure the local ingress PE switch, copy the following commands and paste them into the switch terminal window of PE-1: [edit] set protocols ospf traffic-engineering set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ge-0/0/5.0 set protocols ospf area 0.0.0.0 interface ge-0/0/6.0 set protocols mpls label-switched-path lsp_to_pe2_ge1 to 127.1.1.3 set protocols mpls interface ge-0/0/5.0 set protocols mpls interface ge-0/0/6.0 set protocols rsvp interface lo0.0 set protocols rsvp interface ge-0/0/5.0 set protocols rsvp interface ge-0/0/6.0 set interfaces lo0 unit 0 family inet address 127.1.1.1/32 set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24 set interfaces ge-0/0/5 unit 0 family mpls set interfaces ge-0/0/6 unit 0 family mpls set interfaces ge-0/0/1 unit 0 family ccc set protocols connections remote-interface-switch ge-1-to-pe2 interface ge-0/0/1.0 set protocols connections remote-interface-switch ge-1-to-pe2 transmit-lsp lsp_to_pe2_ge1 set protocols connections remote-interface-switch ge-1-to-pe2 receive-lsp lsp_to_pe1_ge1


To configure the local ingress PE switch: 1.

Configure OSPF with traffic engineering enabled: [edit protocols] user@switchPE-1# set ospf traffic-engineering

2.

4824

Configure OSPF on the loopback address and the core interfaces:



[edit protocols] user@switchPE-1# set ospf area 0.0.0.0 interface lo0.0 user@switchPE-1# set ospf area 0.0.0.0 interface ge-0/0/5.0 user@switchPE-1# set ospf area 0.0.0.0 interface ge-0/0/6.0 3.

Configure MPLS on this PE switch (PE-1) with a label-switched path (LSP) to the other PE switch (PE-2): [edit protocols] user@switchPE-1# set mpls (EX Series) label-switched-path lsp_to_pe2_ge1 to 127.1.1.3

4.

Configure MPLS on the core interfaces: [edit protocols] user@switchPE-1# set mpls interface (MPLS) ge-0/0/5.0 user@switchPE-1# set mpls interface ge-0/0/6.0

5.

Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switchPE-1# set rsvp interface lo0.0 user@switchPE-1# set rsvp interface ge-0/0/5.0 user@switchPE-1# set rsvp interface ge-0/0/6.0

6.

Configure IP addresses for the loopback interface and the core interfaces: [edit] user@switchPE-1# set interfaces lo0 unit 0 family inet address 127.1.1.1/32 user@switchPE-1# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 user@switchPE-1# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24

7.

Configure family mpls on the logical unit of the core interface addresses: [edit] user@switchPE-1# set interfaces ge-0/0/5 unit 0 family mpls user@switchPE-1# set interfaces ge-0/0/6 unit 0 family mpls

8.

Configure the logical unit of the customer edge interface as a CCC: [edit interfaces ge-0/0/1 unit 0] -user@PE-1# set family ccc

9.

Configure the interface-based CCC from PE-1 to PE-2:

NOTE: You can also configure a tagged VLAN interface as a CCC. See “Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure)” on page 4893 or “Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit (CLI Procedure)” on page 4896.

[edit protocols] user@PE-1# set connections (MPLS) remote-interface-switch ge-1-to-pe2 interface ge-0/0/1.0 user@PE-1# set connections remote-interface-switch ge-1-to-pe2 transmit-lsp lsp_to_pe2_ge1 user@PE-1# set connections remote-interface-switch ge-1-to-pe2 receive-lsp lsp_to_pe1_ge1

Results

Display the results of the configuration: user@switchPE-1> show configuration

interfaces { ge-0/0/1 { unit 0 { family ccc; }


4825

®


} ge-0/0/5 { unit 0 { family inet { address 10.1.5.1/24; } family mpls; } } ge-0/0/6 { unit 0 { family inet { address 10.1.6.1/24; } family mpls; } } lo0 { unit 0 { family inet { address 127.1.1.1/32; } } } protocols { rsvp { interface lo0.0; interface ge-0/0/5.0; interface ge-0/0/6.0; } mpls { label-switched-path lsp_to_pe2_ge1 { to 127.1.1.3; } interface ge-0/0/5.0; interface ge-0/0/6.0; } ospf { traffic-engineering; area 0.0.0.0 { interface lo0.0; interface ge-0/0/5.0; interface ge-0/0/6.0; } } connections { remote-interface-switch ge-1-to-pe2 { interface ge-0/0/1.0; transmit-lsp lsp_to_pe2_ge1; receive-lsp lsp_to_pe1_ge1; } }

4826




To quickly configure the remote PE switch, copy the following commands and paste them into the switch terminal window of PE-2: [edit] set protocols ospf traffic-engineering set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ae0 set protocols mpls label-switched-path lsp_to_pe1_ge1 to 127.1.1.1 set protocols mpls interface ae0 set protocols rsvp interface lo0.0 set protocols rsvp interface ae0 set interfaces lo0 unit 0 family inet address 127.1.1.3/32 set interfaces ae0 unit 0 family inet address 10.1.9.2/24 set interfaces ae0 unit 0 family mpls set interfaces ge-0/0/1 unit 0 family ccc set protocols connections remote-interface-switch ge-1-to-pe1 interface ge-0/0/1.0 set protocols connections remote-interface-switch ge-1-to-pe1 transmit-lsp lsp_to_pe1_ge1 set protocols connections remote-interface-switch ge-1-to-pe1 receive-lsp lsp_to_pe2_ge1


To configure the remote PE switch (PE-2): 1.

Configure OSPF with traffic engineering enabled: [edit protocols] user@switchPE-2# set ospf traffic-engineering

2.

Configure OSPF on the loopback interface and the core interface: [edit protocols] user@switchPE-2# set ospf area 0.0.0.0 interface lo0.0 user@switchPE-2# set ospf area 0.0.0.0 interface ae0

3.

Configure MPLS on this switch (PE-2) with a label-switched path (LSP) to the other PE switch (PE-1): [edit protocols] user@switchPE-2# set mpls label-switched-path lsp_to_pe1_ge1 to 127.1.1.1

4.

Configure MPLS on the core interface: [edit protocols] user@switchPE-2# set mpls interface ae0

5.

Configure RSVP on the loopback interface and the core interface: [edit protocols] ser@switchPE-2# set rsvp interface lo0.0 user@switchPE-2# set rsvp interface ae0

6.

Configure IP addresses for the loopback interface and the core interface: [edit] user@switchPE-2# set interfaces lo0 unit 0 family inet address 127.1.1.3/32 user@switchPE-2# set interfaces ae0 unit 0 family inet address 10.1.9.2/24

7.

Configure family mpls on the logical unit of the core interface: [edit] user@switchPE-2# set interfaces ae0 unit 0 family mpls

8.

Configure the logical unit of the customer edge interface as a CCC: [edit interfaces ge-0/0/1 unit 0] user@PE-2# set family ccc

9.

Configure the interface-based CCC from PE-2 to PE-1:


4827

®


[edit protocols] user@PE-2# set connections remote-interface-switch ge-1-to-pe1 interface ge-0/0/1.0 user@PE-2# set connections remote-interface-switch ge-1-to-pe1 transmit-lsp lsp_to_pe1_ge1 user@PE-2# set connections remote-interface-switch ge-1-to-pe1 receive-lsp lsp_to_pe2_ge1

Results

Display the results of the configuration: user@switchPE-2> show configuration

interfaces { ge-0/0/1 { unit 0 { family ccc; } } ae0 { unit 0 { family inet { address 10.1.9.2/24; } family mpls; } } lo0 { unit 0 { family inet { address 127.1.1.3/32; } } } } protocols { rsvp { interface lo0.0; interface ae0.0; } mpls { label-switched-path lsp_to_pe1_ge1 { to 127.1.1.1; } interface ae0.0; } ospf { traffic-engineering; area 0.0.0.0 { interface ae0.0; } } connections { remote-interface-switch ge-1-to-pe1 { interface ge-0/0/1.0; transmit-lsp lsp_to_pe1_ge1; receive-lsp lsp_to_pe2_ge1; } } }

4828



Configuring the Provider Switch CLI Quick Configuration

To quickly configure the provider switch, copy the following commands and paste them into the switch terminal window: [edit] set protocols ospf traffic-engineering set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ge-0/0/5.0 set protocols ospf area 0.0.0.0 interface ge-0/0/6.0 set protocols ospf area 0.0.0.0 interface ae0 set protocols mpls interface ge-0/0/5.0 set protocols mpls interface ge-0/0/6.0 set protocols mpls interface ae0 set protocols rsvp interface lo0.0 set protocols rsvp interface ge-0/0/5.0 set protocols rsvp interface ge-0/0/6.0 set protocols rsvp interface ae0 set interfaces lo0 unit 0 family inet address 127.1.1.2/32 set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24 set interfaces ae0 unit 0 family inet address 10.1.9.1/24 set interfaces ge-0/0/5 unit 0 family mpls set interfaces ge-0/0/6 unit 0 family mpls set interfaces ae0 unit 0 family mpls


To configure the provider switch: 1.

Configure OSPF with traffic engineering enabled: [edit protocols] user@switchP# set ospf traffic-engineering

2.

Configure OSPF on the loopback interface and the core interfaces: [edit protocols] user@switchP# set ospf area 0.0.0.0 interface lo0.0 user@switchP# set ospf area 0.0.0.0 interface ge-0/0/5 user@switchP# set ospf area 0.0.0.0 interface ge-0/0/6 user@switchP# set ospf area 0.0.0.0 interface ae0

3.

Configure MPLS on the core interfaces on the switch: [edit protocols] user@switchP# set mpls interface ge-0/0/5 user@switchP# set mpls interface ge-0/0/6 user@switchP# set mpls interface ae0

4.

Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switchP# set rsvp interface lo0.0 user@switchP# set rsvp interface ge-0/0/5 user@switchP# set rsvp interface ge-0/0/6 user@switchP# set rsvp interface ae0

5.

Configure IP addresses for the loopback interface and the core interfaces: [edit] user@switchP# set interfaces lo0 unit 0 family inet address 127.1.1.2/32 user@switchP# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 user@switchP# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24 user@switchP# set interfaces ae0 unit 0 family inet address 10.1.9.1/24

6.

Configure family mpls on the logical unit of the core interface addresses:


4829

®


[edit] user@switchP# set interfaces ge-0/0/5 unit 0 family mpls user@switchP# set interfaces ge-0/0/6 unit 0 family mpls user@switchP# set interfaces ae0 unit 0 family mpls

Results

Display the results of the configuration: user@switchP> show configuration

interfaces { ge-0/0/5 { unit 0 { family inet { address 10.1.5.1/24; } family mpls; } } ge-0/0/6 { unit 0 { family inet { address 10.1.6.1/24; } family mpls; } } } ae0 { unit 0 { family inet { address 10.1.9.1/24; } family mpls; } } lo0 { unit 0 { family inet { address 127.1.1.2/32; } } } protocols { rsvp { interface lo0.0; interface ge-0/0/5.0; interface ge-0/0/6.0; interface ae0.0; } mpls { interface ge-0/0/5.0; interface ge-0/0/6.0; interface ae0.0; } ospf { traffic-engineering; area 0.0.0.0 {

4830



interface lo0.0; interface ge-0/0/5.0; interface ge-0/0/6.0; interface ae0.0; } }


Verifying the Physical Layer on the Switches on page 4831

•

Verifying the Routing Protocol on page 4832

•

Verifying the Core Interfaces Being Used for MPLS Traffic on page 4832

•

Verifying the Status of the RSVP Sessions on page 4832

•

Verifying the Assignment of Interfaces for MPLS Label Operations on page 4833

•

Verifying the Status of the CCC on page 4833

Verifying the Physical Layer on the Switches Purpose Action

Meaning

Verify that the interfaces are up. Perform this verification task on each of the switches. user@switchPE-1> show interfaces terse Interface ge-0/0/0 ge-0/0/0.0 ge-0/0/1 ge-0/0/1.0 ge-0/0/2 ge-0/0/2.0 ge-0/0/3 ge-0/0/3.0 ge-0/0/4 ge-0/0/4.0 ge-0/0/5 ge-0/0/5.0

Admin up up up up up up up up up up up up

ge-0/0/6 ge-0/0/6.0

up up

Link Proto Local up up eth-switch up up ccc up up eth-switch up up eth-switch up up eth-switch up up inet 10.1.5.1/24 mpls up up inet 10.1.6.1/24 mpls

Remote

The show interfaces terse command displays status information about the Gigabit Ethernet interfaces on the switch. This output verifies that the interfaces are up. The output for the protocol family (Proto column) shows that interface ge-0/0/1.0 is configured as a circuit cross-connect. The output for the protocol family of the core interfaces (ge-0/0/5.0 and ge-0/0/6.0) shows that these interfaces are configured as both inet and mpls. The Local column for the core interfaces shows the IP address configured for these interfaces.


4831

®


Verifying the Routing Protocol Purpose

Action

Verify the state of the configured routing protocol. Perform this verification task on each of the switches. The state must be Full. user@switchPE-1> show ospf neighbor Address 127.1.1.2

Meaning

Interface ge—0/0/5

State Full

ID 10.10.10.10

Pri 128

Dead 39

The show ospf neighbor command displays the status of the routing protocol. This output shows that the state is Full, meaning that the routing protocol is operating correctly—that is, hello packets are being exchanged between directly connected neighbors.

Verifying the Core Interfaces Being Used for MPLS Traffic Purpose

Action

Verify that the state of the MPLS interface is Up. Perform this verification task on each of the switches. user@switchPE-1> show mpls interface Interface ge—0/0/5 ge—0/0/6

Meaning

State Up Up

Administrative groups

The show mpls interface command displays the status of the core interfaces that have been configured to belong to family mpls. This output shows that the interface configured to belong to family mpls is Up.

Verifying the Status of the RSVP Sessions Purpose

Action

Verify the status of the RSVP sessions. Perform this verification task on each of the switches. user@switchPE-1> show rsvp session Ingress RSVP: 1 sessions To From State 127.1.13 127.1.1.1 Up Total 1 displayed, Up 1, Down 0

Rt Style Labelin Labelout LSPname 0 1 FF 300064 lsp_to_pe2_ge1

Egress RSVP: 1 sessions To From State 127.1.1.1 127.1.1.3 Up Total 1 displayed, Up 1, Down 0

Rt Style Labelin Labelout LSPname 0 1 FF 299968 lsp_to_pe1_ge1

Transit RSVP: 0 sessions Total 0 displayed, Up 0, Down 0

Meaning

4832

This output confirms that the RSVP sessions are Up.



Verifying the Assignment of Interfaces for MPLS Label Operations Purpose

Verify which interface is being used as the beginning of the CCC and which interface is being used to push the MPLS packet to the next hop. Perform this task only on the PE switches.

Action

user@switchPE-1> show route forwarding-table family mpls MPLS: Destination Type RtRef Next hop Type Index NhRef Netif default perm 0 dscd 50 1 0 user 0 recv 49 3 1 user 0 recv 49 3 2 user 0 recv 49 3 299776 user 0 Pop 541 2 ge-0/0/1.0 ge-0/0/1.0 (CCC) user 0 2.0.0.1 Push 299792 540 2 ge-0/0/5.0

Meaning

This output shows that the CCC has been set up on interface ge-0/0/1.0. The switch receives ingress traffic on ge-0/0/1.0 and pushes label 299792 onto the packet, which goes out through interface ge-0/0/5.0. The output also shows when the switch receives an MPLS packet with label 29976, it pops the label and sends the packet out through interface ge-0/0/1.0 After you have checked the local PE switch, run the same command on the remote PE switch.

Verifying the Status of the CCC Purpose Action

Verify the status of the CCC. Perform this task only on the PE switches. user@switchPE-1> show connections CCC and TCC connections [Link Monitoring On] Legend for status (St) Legend for connection types UN -- uninitialized if-sw: interface switching NP -- not present rmt-if: remote interface switching WE -- wrong encapsulation lsp-sw: LSP switching DS -- disabled tx-p2mp-sw: transmit P2MP switching Dn -- down rx-p2mp-sw: receive P2MP switching -> -- only outbound conn is up show firewall Filter: myfilter Policers: Name mypolicer-t1

Packets 0

This output shows that the firewall filter mypolicer has been created.

Verifying That the CoS Classifiers Are Going to the Right Queue Purpose Action

Verify that the CoS classifiers are going to the right queue. user@switch> show class-of-service forwarding-table classifier Classifier table index: 7, # entries: 64, Table type: DSCP Entry # Code point Forwarding-class # PLP 0 000000 0 0 1 000001 0 0 2 000010 0 0 3 000011 0 0 4 000100 0 0 5 000101 0 0 6 000110 0 0 7 000111 0 0 8 001000 0 0 9 001001 0 0 10 001010 0 0 11 001011 0 0 12 001100 0 0 13 001101 0 0 14 001110 0 0 15 001111 0 0 16 010000 0 0 17 010001 0 0 18 010010 0 0 19 010011 0 0 20 010100 0 0 21 010101 0 0 22 010110 0 0 23 010111 0 0 24 011000 0 0 25 011001 0 0 26 011010 0 0 27 011011 0 0 28 011100 0 0 29 011101 0 0 30 011110 0 0 31 011111 0 0 32 100000 0 0 33 100001 0 0 34 100010 0 0 35 100011 0 0 36 100100 0 0


4841

®


37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

100101 100110 100111 101000 101001 101010 101011 101100 101101 101110 101111 110000 110001 110010 110011 110100 110101 110110 110111 111000 111001 111010 111011 111100 111101 111110 111111

0 0 0 0 0 0 0 0 0 0 0 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Classifier table index: 11, # entries: 8, Table type: IEEE 802.1 Entry # Code point Forwarding-class # PLP 0 000 0 0 1 001 0 0 2 010 0 0 3 011 0 0 4 100 0 0 5 101 0 0 6 110 3 0 7 111 3 0 Classifier table index: 12, # entries: 8, Table type: IPv4 precedence Entry # Code point Forwarding-class # PLP 0 000 0 0 1 001 0 0 2 010 0 0 3 011 0 0 4 100 0 0 5 101 0 0 6 110 3 0 7 111 3 0 Classifier table index: 16, # entries: 8, Table type: Untrust Entry # Code point Forwarding-class # PLP 0 000 0 0 1 001 0 0 2 010 0 0 3 011 0 0 4 100 0 0 5 101 0 0 6 110 0 0 7 111 0 0

4842



Classifier table index: 9346, # entries: 64, Table type: DSCP Entry # Code point Forwarding-class # PLP 0 000000 0 0 1 000001 0 0 2 000010 0 0 3 000011 0 0 4 000100 0 0 5 000101 0 0 6 000110 0 0 7 000111 1 0 8 001000 0 0 9 001001 0 0 10 001010 0 0 11 001011 0 0 12 001100 0 0 13 001101 0 0 14 001110 0 0 15 001111 0 0 16 010000 0 0 17 010001 0 0 18 010010 0 0 19 010011 0 0 20 010100 0 0 21 010101 0 0 22 010110 0 0 23 010111 0 0 24 011000 0 0 25 011001 0 0 26 011010 0 0 27 011011 0 0 28 011100 0 0 29 011101 0 0 30 011110 0 0 31 011111 0 0 32 100000 0 0 33 100001 0 0 34 100010 0 0 35 100011 0 0 36 100100 0 0 37 100101 0 0 38 100110 0 0 39 100111 0 0 40 101000 0 0 41 101001 0 0 42 101010 0 0 43 101011 0 0 44 101100 0 0 45 101101 0 0 46 101110 0 0 47 101111 0 0 48 110000 3 0 49 110001 3 0 50 110010 3 0 51 110011 3 0 52 110100 3 0 53 110101 3 0 54 110110 3 0 55 110111 3 0 56 111000 3 0 57 111001 3 0 58 111010 3 0


4843

®


59 60 61 62 63

Meaning

111011 111100 111101 111110 111111

3 3 3 3 3

0 0 0 0 0

This output shows that a new DSCP classifier has been created, index 9346, on the ingress PE switch (PE-1).

Verifying the CoS Forwarding Table Mapping Purpose

Action

For each logical interface, display either the table index of the classifier for a given code point type or the queue number (if it is a fixed classification) in the forwarding table. user@switch>show class-of-service forwarding-table classifier mapping


Meaning

Index 92

Table Index/ Q num 9346

Table type DSCP

The results show that the new DSCP classifier, index number 9346, is bound to interface ge-0/0/1.0.

Verifying the Rewrite Rules Purpose

Action

Display mapping of the queue number and loss priority to code point value for each rewrite rule as it exists in the forwarding table. user@switch>show class-of-service forwarding-table rewrite-rule Rewrite FC# 0 1 2 3

table index: 31, # entries: 4, Table type: DSCP Low bits State High bits State 000000 Enabled 000000 Enabled 101110 Enabled 101110 Enabled 001010 Enabled 001100 Enabled 110000 Enabled 111000 Enabled

Rewrite table index: 34, # entries: 4, Table type: IEEE 802.1 FC# Low bits State High bits State 0 000 Enabled 001 Enabled 1 010 Enabled 011 Enabled 2 100 Enabled 101 Enabled 3 110 Enabled 111 Enabled Rewrite table index: 35, # entries: 4, Table type: IPv4 precedence FC# Low bits State High bits State 0 000 Enabled 000 Enabled 1 101 Enabled 101 Enabled 2 001 Enabled 001 Enabled 3 110 Enabled 111 Enabled Rewrite table index: 9281, # entries: 1, Table type: EXP FC# Low bits State High bits State 1 111 Enabled 000 Disabled

4844



Meaning


This output shows that a new EXP classifier with the index number 9281 has been created.

•


•


•


•


Example: Configuring MPLS-Based Layer 2 VPNs You can implement an MPLS-based Layer 2 virtual private network (VPN) using Junos OS routing devices to interconnect customer sites with Layer 2 technology. Layer 2 VPNs give customers complete control of their own routing. To support an MPLS-based Layer 2 VPN, you need to add components to the configuration of the two provider edge (PE) routing devices. You do not need to change the configuration of the provider devices. This example shows how to configure an MPLS-based Layer 2 VPN.

NOTE: You can configure both an MPLS-based Layer 2 VPN and an MPLS-based Layer 3 VPN on the same device. However, you cannot configure the same customer edge interface to support both a Layer 2 VPN and a Layer 3 VPN. The core interfaces and the loopback interfaces are configured in the same way for Layer 2 VPNs and Layer 3 VPNs.

•


•


•

Configuring the Local PE Routing Device on page 4849

•

Configuring the Remote PE Routing Device on page 4852

•



4845

®



Junos OS Release 11.1 or later if you are using EX Series switches

•

Two PE routing devices

Before you configure the Layer 2 VPN components, configure the basic components for an MPLS network: •

Configure two PE routing devices. See “Configuring MPLS on Provider Edge Switches Using Circuit Cross-Connect (CLI Procedure)” on page 4879.

•

Configure one or more provider devices. See “Configuring MPLS on Provider Switches (CLI Procedure)” on page 4870.

NOTE: A Layer 2 VPN requires that the PE routing devices be configured using circuit cross-connect (CCC). The provider routing devices are configured in the same way for MPLS using CCC and for IP over MPLS.

Overview and Topology A Layer 2 VPN provides complete separation between the provider’s network and the customer’s network—that is, the PE devices and the CE devices do not exchange routing information. Some benefits of a Layer 2 VPN are that it is private, secure, and flexible. This example shows how to configure Layer 2 VPN components on the local and remote PE devices. This example does not include configuring a provider device, because there are no specific Layer 2 VPN components on the provider devices. In the basic MPLS configuration of the PE devices using a circuit cross-connect (CCC), the PE devices are configured to use an interior gateway protocol (IGP), such as OSPF or IS-IS, as the routing protocol between the MPLS devices and LDP or RSVP as the signaling protocol. Traffic engineering is enabled. A label-switched path (LSP) is configured within the [edit protocols] hierarchy. However, unlike the basic MPLS configuration using a CCC, you do not need to associate the LSP with the customer edge interface. When you are configuring a Layer 2 VPN, you must use BGP signaling. The BGP signaling automates the connections, so manual configuration of the association between the LSP and the customer edge interface is not required. The following components must be added to the PE routing devices for an MPLS-based Layer 2 VPN:

4846

•

BGP group with family l2vpn signaling

•

Routing instance using instance type l2vpn

•

The physical layer encapsulation type (ethernet) must be specified on the customer edge interface and the encapsulation type must also be specified in the configuration of the routing instance.



Figure 136 on page 4847 illustrates the topology of this MPLS-based Layer 2 VPN.

Figure 136: MPLS-Based Layer 2 VPN

Table 562 on page 4847 shows the settings of the customer edge interface on the local CE device.

Table 562: Local CE Routing Device in the MPLS-Based Layer 2 VPN Topology Property

Settings

Description

Local CE routing device hardware

Routing device

CE1


ge-0/0/0 unit 0 family inet address 11.0.0.2/16

Interface that connects CE1 to PE1.

Table 563 on page 4847 shows the settings of the customer edge interface on the remote CE routing device.

Table 563: Remote CE Routing Device in the MPLS-Based Layer 2 VPN Topology Property

Settings

Description

Remote CE routing device hardware

Routing device

CE2




Table 564 on page 4848 shows the Layer 2 VPN components of the local PE routing device.


4847

®


Table 564: Layer 2 VPN Components of the Local PE Routing Device Property

Settings

Description

Local PE routing device hardware

Routing device

PE1


ge-5/0/0 encapsulation ethernet-ccc unit 0 family ccc

Connects PE1 to CE1. For the Layer 2 VPN, add ethernet-ccc as the physical layer encapsulation type. NOTE: The family ccc should already have been completed as part of the basic MPLS configuration of a PE routing device for circuit cross-connect. It is included here to show what was specified for that portion of the configuration.

Core interface

xe-6/0/0 unit 0 family inet address 60.0.0.60/16 family iso family mpls

Connects PE1 to P.

Loopback interface

lo0 unit 0 family inet address 21.21.21.21/32 family iso address 49.0001.2102.2021.0210.00

NOTE: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

BGP

bgp

Added for the Layer 2 VPN configuration.

Routing instance

vpn1


4848




Table 565 on page 4849 shows the Layer 2 VPN components of the remote PE routing device.

Table 565: Layer 2 VPN Components of the Remote PE Routing Device Property

Settings

Description

PE routing device hardware

Routing device

PE2


ge-11/0/0 encapsulation ethernet-ccc unit 0 family ccc

Connects PE2 to CE2. For the Layer 2 VPN, add ethernet-ccc as the physical layer encapsulation type. NOTE: The family ccc should already have been completed as part of the basic MPLS configuration of a PE routing device for circuit cross-connect. It is included here to show what was specified for that portion of the configuration.

Core interface

xe-6/0/0

Connects PE2 to P.

unit 0 family inet address 60.2.0.61/16 family iso family mpls


Loopback interface



BGP

bgp


Routing instance

vpn1


Configuring the Local PE Routing Device CLI Quick Configuration

To quickly configure the Layer 2 VPN components on the local PE routing device, copy the following commands and paste them into the routing device terminal window: [edit] set interfaces ge-5/0/0 encapsulation ethernet-ccc set protocols bgp local-address 21.21.21.21 family l2vpn signaling set protocols bgp group ibgp type internal set protocols bgp neighbor 22.22.22.22 set routing-instances vpn1 instance-type l2vpn set routing-instances vpn1 interface ge-5/0/0 set routing-instances vpn1 route-distinguisher 21.21.21.21:21 set routing-instances vpn1 vrf-target target:21:21 set routing-instances vpn1 protocols l2vpn encapsulation-type ethernet


4849

®


set routing-instances vpn1 protocols l2vpn interface ge-5/0/0.0 description "BETWEEN PE1 AND PE2" set routing-instances vpn1 protocols l2vpn site JE-V21 site-identifier 21 remote-site-id 26


To configure the Layer 2 VPN components on the local PE routing device: 1.

Configure the customer edge interface to use the physical encapsulation type ethernet-ccc: [edit] user@PE1# set interfaces ge-5/0/0 encapsulation ethernet-ccc

2.

Configure BGP, specifying the loopback address as the local address and enabling family l2vpn signaling: [edit protocols bgp] user@PE1# set local-address 21.21.21.21 family l2vpn signaling

3.

Configure the BGP group, specifying the group name and type: [edit protocols bgp] user@PE1# set group ibgp type internal

4.

Configure the BGP neighbor, specifying the loopback address of the remote PE routing device as the neighbor’s address: [edit protocols bgp] user@PE1# set neighbor 22.22.22.22

5.

Configure the routing instance, specifying the routing-instance name and using l2vpn as the instance type: [edit routing-instances] user@PE1# set vpn1 instance-type l2vpn

6.

Configure the routing instance to apply to the customer edge interface: [edit routing-instances] user@PE1# set vpn1 interface ge-5/0/0

7.

Configure the routing instance to use a route distinguisher: [edit routing-instances] user@PE1# set vpn1 route-distinguisher 21.21.21.21:21

8.

Configure the VPN routing and forwarding (VRF) target of the routing instance: [edit routing-instances] user@PE1# set vpn1 vrf-target target:21:21

NOTE: You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

9.

Configure the protocols and encapsulation type used by the routing instance: [edit routing-instances] user@PE1# set vpn1 protocols l2vpn encapsulation-type ethernet

10.

Apply the routing instance to a customer edge interface and specify a description for it: [edit routing-instances] user@PE1# set vpn1 protocols interface ge-5/0/0.0 description "BETWEEN PE1 AND PE2"

11.

4850

Configure the routing-instance protocols site:



[edit routing-instances] user@PE1# set vpn1 protocols l2vpn site JE-V21 site-identifier 21remote-site-id 26

NOTE: The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE routing device.

Results

Display the results of the configuration: user@PE1# show

interfaces { ge-5/0/0 { encapsulation ethernet-ccc; unit 0 { family ccc; } } xe-6/0/0 { unit 0 { family inet { address 60.0.0.60/16; } family mpls; } } lo0 { unit 0 { family inet { address 21.21.21.21/32; } family iso { 49.0001.2102.2021.0210.00; } } } protocols { rsvp { interface lo0.0; interface xe-0/0/6.0; } mpls { label-switched-path lsp_to_pe2 { to 22.22.22.22; } interface xe-0/0/6.0; } bgp { local-address 21.21.21.21; family l2vpn { signaling; } group ibgp {


4851

®


type internal; neighbor 22.22.22.22; } } routing-instances { vpn1 { instance-type l2vpn; interface ge-5/0/0.0; route-distinguisher 21.21.21.21:21; vrf-target target:21:21; protocols { l2vpn { encapsulation-type ethernet; interface ge-5/0/0.0 { description "BETWEEN PE1 AND PE2"; } site JE-V21 { site-identifier 21; interface ge-5/0/0.0 { remote-site-id 26; } } } } }

Configuring the Remote PE Routing Device CLI Quick Configuration

To quickly configure the Layer 2 VPN components on the remote PE routing device, copy the following commands and paste them into the routing device terminal window: [edit] set interfaces ge-11/0/0 encapsulation ethernet-ccc set protocols bgp local-address 22.22.22.22 family l2vpn signaling set protocols bgp group ibgp type internal set protocols bgp neighbor 21.21.21.21 set routing-instances vpn1 instance-type l2vpn set routing-instances vpn1 interface ge-11/0/0 set routing-instances vpn1 route-distinguisher 21.21.21.21:21 set routing-instances vpn1 vrf-target target:21:21 set routing-instances vpn1 protocols l2vpn encapsulation-type ethernet set routing-instances vpn1 protocols l2vpn interface ge-11/0/0.0 description "BETWEEN PE1 AND PE2" set routing-instances vpn1 protocols l2vpn site T26-VPN1 site-identifier 26 remote-site-id 21


To configure the Layer 2 VPN components on the remote PE routing device: 1.

Configure the customer edge interface to use the physical encapsulation type ethernet-ccc: [edit] user@PE1# set interfaces ge-11/0/0 encapsulation ethernet-ccc

2.

Configure BGP, specifying the loopback address as the local-address and specifying family l2vpn signaling: [edit protocols bgp] user@PE2# set local-address 22.22.22.22 family l2vpn signaling

3.

4852

Configure the BGP group, specifying the group name and type:



[edit protocols bgp] user@PE2# set group ibgp type internal

Configure the BGP neighbor, specifying the loopback address of the remote PE routing device as the neighbor’s address:

4.

[edit protocols bgp] user@PE2# set neighbor 21.21.21.21

Configure the routing instance, specifying the routing-instance name and using l2vpn as the instance-type:

5.

[edit routing-instances] user@PE2# set vpn1 instance-type l2vpn

Configure the routing instance to apply to the customer edge interface:

6.

[edit routing-instances] user@PE2# set vpn1 interface ge-11/0/0.0

Configure the routing instance to use a route distinguisher, using the format ip-address:number:

7.

[edit routing-instances] user@PE2# set vpn1 route-distinguisher 21.21.21.21:21

Configure the VPN routing and forwarding (VRF) target of the routing instance:

8.

[edit routing-instances] user@PE2# set vpn1 vrf-target target:21:21

Configure the protocols and encapsulation type used by the routing instance:

9.

[edit routing-instances] user@PE2# set vpn1 protocols l2vpn encapsulation-type ethernet 10.

Apply the routing instance to a customer edge interface and specify a description for it: [edit routing-instances] user@PE1# set vpn1 protocols interface ge-11/0/0.0 description "BETWEEN PE1 AND PE2"

11.

Configure the routing-instance protocols site: [edit routing-instances] user@PE2# set vpn1 protocols l2vpn site T26-VPN1 site-identifier 26 remote-site-id 21

NOTE: The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE routing device.

Results

Display the results of the configuration: user@PE2# show

interfaces { ge-11/0/0 { encapsulation ethernet-ccc; unit 0 { family ccc; } } xe-6/0/0 { unit 0 {


4853

®


family inet { address 60.2.0.61/16; } family mpls; } } lo0 { unit 0 { family inet { address 22.22.22.22/32; } family iso { address 49.0001.2202.2022.0220.00; } } } protocols { rsvp { interface lo0.0; interface xe-0/0/6.0; mpls { label-switched-path lsp_to_pe1 { to 21.21.21.21; } interface xe-0/0/6.0; bgp { local-address 22.22.22.22; family l2vpn { signaling; } group ibgp { type internal; neighbor 21.21.21.21; } } routing-instances { vpn1 { instance-type l2vpn; interface ge-11/0/0.0; route-distinguisher 21.21.21.21:21; vrf-target target:21:21; protocols { l2vpn { encapsulation-type ethernet; interface ge-11/0/0.0 { description "BETWEEN PE1 AND PE2"; } site T26-VPN1 { site-identifier 26; interface ge-11/0/0.0 { remote-site-id 21; } } } } }

4854



Verification To confirm that the MPLS-based Layer 2 VPN is working properly, perform these tasks: •

Verifying the Layer 2 VPN Connection on page 4855

•

Verifying the Status of MPLS Label-Switched Paths on page 4856

•

Verifying BGP Status on page 4856

•

Verifying the Status of the RSVP Sessions on page 4856

•

Verifying the Routes in the Routing Table on page 4857

•

Pinging the Layer 2 VPN Connections on page 4858

Verifying the Layer 2 VPN Connection Purpose Action

Verify that the Layer 2 VPN connection is up. user@PE1> show l2vpn connections Layer-2 VPN connections: Legend for connection status (St) EI -- encapsulation invalid NC EM -- encapsulation mismatch WE VC-Dn -- Virtual circuit down NP CM -- control-word mismatch -> CN -- circuit not provisioned show mpls lsp Ingress LSP: 1 sessions To 22.22.22.22

From 21.21.21.21

State Rt P Up 0 *

ActivePath

LSPname lsp_to_pe2

Total 1 displayed, Up 1, Down 0

Egress LSP: 1 sessions To

From

State

21.21.21.21

22.22.22.22

Up

Rt Style Labelin Labelout LSPname 0

1 FF

3

- lsp_to_pe1

Total 1 displayed, Up 1, Down 0

Transit LSP: 0 sessions Total 0 displayed, Up 0, Down 0

Meaning

The State field in the output shows that the Ingress LSP to Remote PE (22.22.22.22) is up, and the Egress LSP from the remote PE routing device to this PE routing device (21.21.21.21) is also up.

Verifying BGP Status Purpose Action

Meaning

Verify that BGP is up. user@PE1> show bgp summary Groups: 1 Peers: 1 Down peers: 0 Table Tot Paths Act Paths Suppressed History Damp State Pending bgp.l2vpn.0 1 1 0 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped... 22.22.22.22 10 33 34 0 1 13:24 Establ bgp.l2vpn.0: 1/1/1/0 vpn2.l2vpn.0: 1/1/1/0

The output shows that the remote PE routing device (22.22.22.22) is listed as the BGP peer and that a protocol session has been established. It also shows the number of packets received from the remote PE routing device (33) and the number of packets sent (34) to the remote PE routing device.

Verifying the Status of the RSVP Sessions Purpose

4856

Verify that the RSVP sessions (ingress and egress) are up.



Action

user@PE1> show rsvp session Ingress RSVP: 1 sessions To From State 22.22.22.22 21.21.21.21 Up Total 1 displayed, Up 1, Down 0

Egress RSVP: 1 sessions To From State 21.21.21.21 22.22.22.22 Up Total 1 displayed, Up 1, Down 0

Rt Style Labelin Labelout LSPname 0 1 FF 462880 lsp_to_pe2

Rt Style Labelin Labelout LSPname 0 1 FF 3 - lsp_to_pe1


Meaning

The output shows that both the ingress RSVP session and the egress RSVP session are up.

Verifying the Routes in the Routing Table Purpose

Action

On routing device PE 1, use the show route table command to verify that the routing table is populated with the Layer 2 VPN routes used to forward the traffic. user@PE1> show route table bgp.l2vpn.0 bgp.l2vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both

2:2:27:27/96 *[BGP/170] 00:13:55, localpref 100, from 22.22.22.22 AS path: I > to 60.2.0.24 via ge-6/0/46.0, label-switched-path lsp_to_pe2 user@PE1> show route table vpn1.l2vpn.0 vpn1.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both

2:2:27:27/96 *[BGP/170] 00:14:00, localpref 100, from 22.22.22.22 AS path: I > to 60.2.0.24 via ge-6/0/46.0, label-switched-path lsp_to_pe2 2:2:28:27/96 *[L2VPN/170/-101] 00:15:55, metric2 1 Indirect

Meaning

The command show route table bgp.l2vpn.0 displays all Layer 2 VPN routes that have been created on this routing device. The command show route table vpn1.l2vpn.0 shows the Layer 2 VPN routes that have been created for the routing instance vpn1.


4857

®


Pinging the Layer 2 VPN Connections Purpose Action

Verify connectivity. user@PE1> ping mpls l2vpn interface xe-6/0/0.0 reply-mode ip-udp !!!!! --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss user@PE1> ping mpls l2vpn instance vpn1 remote-site-id 26 local-site-id 21 detail Request for seq 1, to interface 68, labels Reply for seq 1, return code: Egress-ok Request for seq 2, to interface 68, labels Reply for seq 2, return code: Egress-ok Request for seq 3, to interface 68, labels Reply for seq 3, return code: Egress-ok Request for seq 4, to interface 68, labels Reply for seq 4, return code: Egress-ok Request for seq 5, to interface 68, labels Reply for seq 5, return code: Egress-ok --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss

Meaning


The output shows that connectivity is established.

•


•


•

Configuring an MPLS-Based Layer 2 VPN (CLI Procedure) on page 4888

Example: Configuring MPLS-Based Layer 3 VPNs on EX Series Switches You can implement an MPLS-based Layer 3 virtual private network (VPN) on EX8200 switches to interconnect sites for customers who want the service provider to handle all the Layer 3 routing functions. To support an MPLS-based Layer 3 VPN, you need to add components of the Layer 3 VPN to the configuration of the two provider edge (PE) switches. You do not need to change the configuration of the provider switches.

NOTE: The core interfaces and the loopback interfaces are configured in the same way for Layer 2 VPNs and Layer 3 VPNs.

This example shows how to configure an MPLS-based Layer 3 VPN spanning two corporate sites:

4858

•


•


•




•


•




•


Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network: •

Configure two PE switches. See “Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure)” on page 4875.

•


NOTE: A Layer 3 VPN requires that the PE switches be configured using IP over MPLS.

Overview and Topology Layer 3 VPNs allow customers to leverage the service provider’s technical expertise to ensure efficient site-to-site routing. The customer’s customer edge (CE) switch uses a routing protocol such as BGP or OSPF to communicate with the service provider’s provider edge (PE) switch to carry IP prefixes across the network. MPLS-based Layer 3 VPNs use only IP over MPLS; other protocol packets are not supported. This example includes two PE switches, PE1 and PE2. In the basic MPLS configuration of the PE switches using IP over MPLS, the PE switches were configured to use OSPF as the routing protocol between the MPLS switches and RSVP as the signaling protocol. Traffic engineering was enabled. A label-switched path (LSP) was configured.

NOTE: A static path is not configured in this example.

The following components must be added to the PE switches for an MPLS-based Layer 3 VPN: •

BGP group with family inet-vpn unicast

•

Routing instance with instance type vrf

Figure 137 on page 4860 illustrates the topology of this MPLS-based Layer 3 VPN.


4859

®


Figure 137: MPLS-Based Layer 3 VPN

Table 566 on page 4860 shows the settings of the customer edge interface on the local CE switch.

Table 566: Local CE Switch in the MPLS-Based Layer 3 VPN Topology Property

Settings

Description

Local CE switch hardware

EX8200 switch

CE1




Table 567 on page 4860 shows the settings of the customer edge interface on the remote CE switch.

Table 567: Remote CE Switch in the MPLS-Based Layer 3 VPN Topology Property

Settings

Description

Remote CE switch hardware

EX8200 switch

CE2




Table 568 on page 4860 shows the Layer 3 VPN components of the local PE switch.

Table 568: Layer 3 VPN Components of the Local PE Switch Property

Settings

Description


EX8200 switch

PE1



Connects PE1 to CE1.

4860

NOTE: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration.



Table 568: Layer 3 VPN Components of the Local PE Switch (continued) Property

Settings

Description

Core interface

xe-6/0/0 unit 0 family inet address 60.0.0.60/16 family iso; family mpls

Connects PE1 to P.

Loopback interface



BGP

bgp


Routing instance

L3VPN-1




4861

®


Table 569 on page 4862 shows the Layer 3 VPN components of the remote PE switch.

Table 569: Layer 3 VPN Components of the Remote PE Switch Property

Settings

Description

Remote PE switch hardware

EX8200 switch

PE2


ge-11/0/14 unit 0 family inet address 11.22.26.14/16 family mpls

Connects PE2 to CE2. For the Layer 3 VPN configuration, added family mpls. NOTE: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration.

Core interface

xe-6/0/0/0 unit 0 family inet address 60.2.0.60/16 family iso family mpls

Connects PE1 to P.

Loopback interface



BGP

bgp


Routing instances

L3VPN-1




To quickly configure the Layer 3 VPN components on the local PE switch, copy the following commands and paste them into the switch terminal window of PE1: [edit] set protocols bgp local-address 21.21.21.21 family inet-vpn unicast set protocols bgp group ibgp type internal set protocols bgp neighbor 22.22.22.22 set routing-instances L3VPN-1 instance-type vrf set routing-instances L3VPN-1 description "BETWEEN PE1 AND PE2" set routing-instances L3VPN-1 interface ge-5/0/24.0 set routing-instances L3VPN-1 route-distinguisher 21:21 set routing-instances L3VPN-1 vrf-target target:21:21 set routing-instances L3VPN-1 vrf-table-label; set routing-options router-id 21.21.21.21 set routing-options autonomous-system 10;

4862




To configure the Layer 3 VPN components on the local PE switch: 1.

Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast: [edit protocols bgp] user@switchPE1# set local-address 21.21.21.21 family inet-vpn unicast

2.

Configure the BGP group, specifying the group name and type: [edit protocols bgp] user@switchPE1# set group ibgp type internal

3.

Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address: [edit protocols bgp] user@switchPE1# set neighbor 22.22.22.22

4.

Configure the routing instance, specifying the routing-instance name and using vrf as the instance type: [edit routing-instances] user@switchPE1# set L3VPN-1 instance-type vrf

5.

Configure a description for this routing instance: [edit routing-instances] user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2"

6.

Configure the routing instance to use a route distinguisher: [edit routing-instances] user@switchPE1# set L3VPN-1 route-distinguisher 21:21

NOTE: Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances require a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

7.

Configure the VPN routing and forwarding (VRF) target of the routing instance: [edit routing-instances] user@switchPE1# set L3VPN-1 vrf-target target:21:21


8.

Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header: [edit routing-instances]


4863

®


user@switchPE1# set L3VPN-1 vrf-table-label 9.

Configure the router ID and autonomous system (AS):

NOTE: We recommend that you explicitly configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

[edit routing-options] user@switchPE1# set router-id 21.21.21.21 autonomous-system 10

Results

Display the results of the configuration: user@switchPE1> show configuration

interfaces { ge-5/0/24 { unit 0 { family inet { address 51.51.0.1/16; } } } lo0 { unit 0 { family inet { address 21.21.21.21/32; } } } xe-6/0/0 { unit 0 { family inet { address 60.0.0.60/16; } family iso; family mpls; } } protocols { mpls { label-switched-path 21-22 { from 21.21.21.21; to 22.22.22.22; no-cspf; } interface xe-6/0/0.0; interface lo0.0; bgp { local-address 21.21.21.21; family inet-vpn { unicast; } group ibgp { type internal;

4864



neighbor 22.22.22.22; } } ospf { traffic-engineering; area 0.0.0.0 { interface ge-5/0/24.0; interface lo0.0; interface xe-6/0/0.0; } } } routing-instances { L3VPN-1 { instance-type vrf; description "BETWEEN PE1 AND PE2"; route-distinguisher 21:21; vrf-target target:21:21; vrf-table-label; } routing-options { router-id 21.21.21.21; autonomous-system 10;


To quickly configure the Layer 3 VPN components on the remote PE switch, copy the following commands and paste them into the switch terminal window of PE2: [edit] set protocols bgp local-address 22.22.22.22 family inet-vpn unicast set protocols bgp group ibgp type internal set protocols bgp neighbor 21.21.21.21 set routing-instances L3VPN-1 instance-type vrf set routing-instances L3VPN-1 description "BETWEEN PE1 AND PE2" set routing-instances L3VPN-1 interface ge-11/0/14.0 set routing-instances L3VPN-1 route-distinguisher 21:21 set routing-instances L3VPN-1 vrf-target target:21:21 set routing-instances L3VPN-1 vrf-table-label; set routing-options router-id 22.22.22.22; set routing-options autonomous-system 10;


To configure Layer 3 VPN components on the remote PE switch: 1.

Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast: [edit protocols bgp] user@switchPE2# set local-address 22.22.22.22 family inet-vpn unicast

2.

Configure the BGP group, specifying the group name and type: [edit protocols bgp] user@switchPE2# set group ibgp type internal

3.

Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address: [edit protocols bgp] user@switchPE2# set neighbor 21.21.21.21


4865

®


Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:

4.

[edit routing-instances] user@switchPE2# set L3VPN-1 instance-type vrf

Configure a description for this routing instance:

5.

[edit routing-instances] user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2"

Configure the routing instance to apply to the customer edge interface:

6.

[edit routing-instances] user@switchPE2# set L3VPN-1 interface ge-11/0/14.0

Configure the routing instance to use a route distinguisher, using the format ip-address:number:

7.

[edit routing-instances] user@switchPE2# set L3VPN-1 route-distinguisher 21:21

Configure the VPN routing and forwarding (VRF) target of the routing instance:

8.

[edit routing-instances] user@switchPE2# set L3VPN-1 vrf-target target:21:21

Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header.

9.

[edit routing-instances] user@switchPE2# set L3VPN-1 vrf-tabel-label 10.

Configure the router ID and autonomous system (AS): [edit routing-options] user@switchPE2# set router-id 22.22.22.22 autonomous-system 10

Results

Display the results of the configuration: user@switchPE2> show configuration

interfaces { ge-11/0/14 { unit 0 { family inet { address 11.22.26.14/16; } } } lo0 { unit 0 { family inet { address 22.22.22.22/32; } } } xe-6/0/0 { unit 0 { family inet { address 60.2.0.60/16; } family iso; family mpls;

4866



} } protocols { mpls { label-switched-path 22-21 { from 22.22.22.22; to 21.21.21.21; no-cspf; } interface xe-6/0/0.0; interface lo0.0; bgp { local-address 22.22.22.22; family inet-vpn { unicast; } group ibgp { type internal; neighbor 21.21.21.21; } } ospf { traffic-engineering; area 0.0.0.0 { interface ge-11/0/14.0; interface lo0.0; interface xe-6/0/0.0; } } } routing-instances { L3VPN-1 { instance-type vrf; description"BETWEEN PE1 AND PE2"; route-distinguisher 21:21; vrf-target target:21:21; vrf-table-label; } routing-options { router-id 22.22.22.22; autonomous-system 10;

Verification To confirm that the MPLS-based Layer 3 VPN is working properly, perform these tasks: •

Verifying Peering and Adjacency on page 4868

•

Verifying That the Local CE Switch Can Ping the Local PE Switch on page 4868

•

Verifying That the Local PE Switch Can Ping the Local CE Switch on page 4868


4867

®


Verifying Peering and Adjacency Purpose

Verify the peering and adjacency along the route from CE1 (the local CE switch or router) to CE2 (the remote CE switch or router), starting with checking the routing protocol adjacency on the local PE switch:

NOTE: Be sure to specify the name of the routing instance.

Action

user@switchPE1> show ospf neighbor instance L3VPN-1 Address Interface State ID Pri Dead 51.51.0.14 ge-5/0/24.0 Full 21.21.21.21 128 38

Meaning

The Address field shows the IP address of the customer edge interface that connects CE1 to PE1. The Interface field shows the interface name of the customer edge interface that connects PE1 to CE1. For our purposes, the State field is the most important. It shows a status of Full, indicating that neighboring routing devices are fully adjacent. These adjacencies appear in router-link and network-link advertisements. (The field Pri indicates the priority of the neighbor to become the designated router. The field Dead indicates the number of seconds until the neighbor becomes unreachable.)

Verifying That the Local CE Switch Can Ping the Local PE Switch Purpose Action

Meaning

Verify that the local CE switch can ping the local PE switch: user@switchCE1> ping 51.51.0.1 PING 51.51.0.1 (51.51.0.1): 56 data bytes 64 bytes from 51.51.0.1: icmp_seq=0 ttl=64 time=3.461 ms 64 bytes from 51.51.0.1: icmp_seq=1 ttl=64 time=3.543 ms

This command specified the IP address of the customer edge interface on PE1. The results indicate that CE1 is receiving packets from PE1.

Verifying That the Local PE Switch Can Ping the Local CE Switch Purpose Action

Meaning


4868

Verify that the local PE switch can ping the local CE switch: user@switchPE1> ping 51.51.0.14 routing-instance L3VPN-1 PING 51.51.0.14 (51.51.0.14): 56 data bytes 64 bytes from 51.51.0.14: icmp_seq=0 ttl=64 time=3.842 ms 64 bytes from 51.51.0.14: icmp_seq=1 ttl=64 time=3.736 ms

The results indicate a successful connection.

•


•



CHAPTER 139

Configuring MPLS •


•

Configuring Path Protection in an MPLS Network (CLI Procedure) on page 4871

•


•


•


•


•


•

Configuring CoS Bits for an MPLS Network (CLI Procedure) on page 4887

•


•


•


•


•

Configuring an MPLS-Based VLAN CCC Using the Connection Method (CLI Procedure) on page 4899

•

Configuring IPv6 Tunneling for MPLS (CLI Procedure) on page 4900

•

Configuring Static Label Switched Paths for MPLS (CLI Procedure) on page 4902


4869

®


Configuring MPLS on Provider Switches (CLI Procedure) You can configure MPLS on EX Series switches to increase transport efficiency in your network. MPLS services can be used to connect various sites to a backbone network and to ensure better performance for low-latency applications such as VoIP and other business-critical functions. To implement MPLS on EX Series switches, you must configure at least one provider switch as a transit switch for the MPLS packets. The configuration of all the provider switches remains the same regardless of whether the provider edge (PE) switches are using circuit cross-connect (CCC) or using MPLS over IP for the customer edge interfaces. Likewise, you do not need to change the configuration of the provider switches if you implement an MPLS-based Layer 2 VPN, Layer 3 VPN, or a Layer 2 circuit configuration. MPLS requires the configuration of a routing protocol (OSPF or IS-IS) on the core interfaces and the loopback interface of all the switches. This procedure includes the configuration of OSPF on the provider switch. For information on configuring IS-IS as the routing protocol, see Junos OS Routing Protocols Configuration Guide. To configure the provider switch, complete the following tasks: 1.

Enable the routing protocol (OSPF or IS-IS) on the loopback interface and on the core interfaces:

NOTE: You can use the switch address as an alternative to the loopback interface.

[edit protocols] user@switch# set ospf area 0.0.0.0 interface lo0.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/5.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/6.0 user@switch# set ospf area 0.0.0.0 interface ae0 2. Enable traffic engineering for the routing protocol (traffic engineering must be explicitly

enabled for OSPF): [edit protocols] user@switch# set ospf traffic-engineering 3. Enable MPLS within the protocols stanza and apply it to the core interfaces: [edit protocols] user@switch# set mpls (EX Series) interface (MPLS) ge-0/0/5.0 user@switch# set mpls interface ge-0/0/6.0 user@switch# set mpls interface ae0 4. Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switch# set rsvp interface lo0.0 user@switch# set rsvp interface ge-0/0/5.0 user@switch# set rsvp interface ge-0/0/6.0 user@switch# set rsvp interface ae0 5. Configure an IP address for the loopback interface and for the core interfaces: [edit]

4870


Chapter 139: Configuring MPLS

user@switch# set interfaces lo0 unit 0 family inet address 127.1.1.1/32 user@switch# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 user@switch# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24 user@switch# set interfaces ae0 unit 0 family inet address 10.1.9.2/24 6. Configure family mpls on the logical units of the core interfaces: [edit] user@switch# set interfaces ge-0/0/5 unit 0 family mpls user@switch# set interfaces ge-0/0/6 unit 0 family mpls user@switch# set interfaces ae0 unit 0 family mpls

NOTE: You can enable family mpls on either individual interfaces or aggregated Ethernet interfaces. You cannot enable it on tagged VLAN interfaces.


•


•


•


•


•


Configuring Path Protection in an MPLS Network (CLI Procedure) The Junos OS implementation of MPLS on EX Series switches provides path protection as a mechanism for protecting against label switched path (LSP) failures. Path protection reduces the time required to recalculate a route in case of a failure within the MPLS tunnel. You configure path protection on the ingress provider edge switch in your MPLS network. You do not configure the egress provider edge switch or the provider switches for path protection. You can explicitly specify which provider switches are used for the primary and secondary paths, or you can let the software calculate the paths automatically. Before you configure path protection, be sure you have: •

Configured an ingress provider edge switch and an egress provider edge switch. See “Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure)” on page 4875 or “Configuring MPLS on Provider Edge Switches Using Circuit Cross-Connect (CLI Procedure)” on page 4879.

•

Configured at least one provider (transit) switch. See “Configuring MPLS on Provider Switches (CLI Procedure)” on page 4870.

•

Verified the configuration of your MPLS network. See “Verifying That MPLS Is Working Correctly” on page 4905.


4871

®


To configure path protection, complete the following tasks on the ingress provider edge switch: 1.

Configuring the Primary Path on page 4873

2. Configuring the Secondary Path on page 4873 3. Configuring the Revert Timer on page 4874

4872



Configuring the Primary Path The primary statement creates the primary path, which is the LSP’s preferred path. The secondary statement creates an alternative path if the primary path can no longer reach the egress provider edge switch. In the tasks described in this topic, the lsp-name has already been configured on the ingress provider edge switch as lsp_to_240 and the loopback interface address on the remote provider edge switch has already been configured as 127.0.0.8. When the software switches from the primary to the secondary path, it continuously attempts to revert to the primary path, switching back to it when it is again reachable but no sooner than the retry time specified in the revert-timer statement. You can configure zero primary paths or one primary path. If you do not configure a primary path, the first secondary path (if a secondary path has been configured) is selected as the path. If you do not specify any named paths, or if the path that you specify is empty, the software makes all routing decisions necessary for the packets to reach the egress provider edge switch. To configure a primary path: 1.

Create the primary path for the LSP: [edit protocols mpls (EX Series) label-switched-path lsp_to_240 to 127.0.0.8] user@switch# set primary primary_path_lsp_to_240

2. Configure an explicit route for the primary path by specifying the IP address of the

loopback interface or the switch IP address or hostname of each switch used in the MPLS tunnel. You can specify the link types as either strict or loose in each path statement. If the link type is strict, the LSP must go to the next address specified in the path statement without traversing other switches. If the link type is loose, the LSP can traverse through other switches before reaching this switch. This configuration uses the default strict designation for the paths.

NOTE: You can enable path protection without specifying which provider switches are used. If you do not list the specific provider switches to be used for the MPLS tunnel, the switch calculates the route.

TIP: Do not include the ingress provider edge switch in these statements. List the IP address of the loopback interface or switch address or hostname of all other switch hops in sequence, ending with the egress provider edge switch.

[edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8] user@switch# set path primary_path_lsp_to_240 127.0.0.2 user@switch# set path primary_path_lsp_to_240 127.0.0.3 user@switch# set path primary_path_lsp_to_240 127.0.0.8

Configuring the Secondary Path


4873

®


You can configure zero or more secondary paths. All secondary paths are equal, and the software tries them in the order that they are listed in the configuration. The software does not attempt to switch among secondary paths. If the first secondary path in the configuration is not available, the next one is tried, as so on. To create a set of equal paths, specify secondary paths without specifying a primary path. If you do not specify any named paths, or if the path that you specify is empty, the software makes all routing decisions necessary to reach the egress provider edge switch. To configure the secondary path: 1.

Create a secondary path for the LSP: [edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8] user@switch# set secondary secondary_path_lsp_to_240 standby

2. Configure an explicit route for the secondary path by specifying the IP address of the

loopback interface or the switch IP address or hostname of each switch used in the MPLS tunnel. You can specify the link types as either strict or loose in each path statement. This configuration uses the default strict designation for the paths.

TIP: Do not include the ingress provider edge switch in these statements. List the IP address of the loopback interface or switch address or hostname of all other switch hops in sequence, ending with the egress provider edge switch.

[edit protocols mpls label-switched-path lsp_to_240 to 127.0.0.8] user@switch# set path secondary_path_lsp_to_240 127.0.0.4 user@switch# set path primary_path_lsp_to_240 127.0.0.8

Configuring the Revert Timer For LSPs configured with both primary and secondary paths, you can optionally configure a revert timer. If the primary path goes down and traffic is switched to the secondary path, the revert timer specifies the amount of time (in seconds) that the LSP must wait before it can revert traffic back to the primary path. If the primary path experiences any connectivity problems or stability problems during this time, the timer is restarted.

TIP: If you do not explicitly configure the revert timer, it is set by default to 60 seconds.

To configure the revert timer for LSPs configured with primary and secondary paths: •

For all LSPs on the switch: [edit protocols mpls] user@switch# set revert-timer 120

•

For a specific LSP on the switch: [edit protocols mpls label-switched-path] user@switch# set lsp_to_240 revert-timer 120

4874




•


Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure) You can configure MPLS on EX Series switches to increase transport efficiency in your network. MPLS services can be used to connect various sites to a backbone network or to ensure better performance for low-latency applications such as VoIP and other business-critical functions. To implement MPLS on switches, you must configure two provider edge (PE) switches—an ingress PE switch and an egress PE switch—and at least one provider switch. You can configure customer edge (CE) interfaces on the PE switches of the MPLS network by using either IP over MPLS or MPLS over circuit cross-connect (CCC). The main differences between configuring IP over MPLS and configuring MPLS over CCC are that for IP over MLPS you configure the customer edge interfaces to belong to family inet (rather than family ccc) and you configure a static route for the label-switched path (LSP). The configuration of the provider switch is the same regardless of whether you have used IP over MPLS or MPLS over CCC. See “Configuring MPLS on Provider Switches (CLI Procedure)” on page 4870. This topic describes how to configure an ingress PE switch and an egress PE switch using IP over MPLS: 1.

Configuring the Ingress PE Switch on page 4875

2. Configuring the Egress PE Switch on page 4877

Configuring the Ingress PE Switch To configure the ingress PE switch: 1.

Configure an IP address for the loopback interface and for the core interfaces: [edit] user@switch# set interfaces lo0 unit 0 family inet address 100.100.100.100/32 user@switch# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 user@switch# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24

2. Configure OSPF on the loopback and core interfaces: [edit protocols] user@switch# set ospf area 0.0.0.0 interface lo0.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/5.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/6.0


4875

®


NOTE: If you want to use routed VLAN interfaces (RVIs) or Layer 3 subinterfaces as the core interfaces, replace ge-0/0/5.0 and ge-0/0/6 each with an RVI name (for example, vlan.logical-interface-number) or a subinterface name (for example, interface-name.logical-unit-number). RVIs function as logical routers, eliminating the need to have both a switch and a router. Layer 3 subinterfaces allow you to route traffic among multiple VLANs along a single trunk line that connects an EX Series switch to a Layer 2 switch.

3. Enable traffic engineering for the routing protocol: [edit protocols] user@switch# set ospf traffic-engineering 4. Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switch# set rsvp interface lo0.0 user@switch# set rsvp interface ge-0/0/5.0 user@switch# set rsvp interface ge-0/0/6.0 5. Configure MPLS traffic engineering: [edit protocols] user@switch# set protocols mpls traffic-engineering bgp-igp 6. Configure MPLS on the core interfaces: [edit protocols] user@switch# set mpls interface (MPLS) ge-0/0/5.0 user@switch# set mpls interface ge-0/0/6.0 7. Configure family mpls on the logical units of the core interfaces, thereby identifying

the interfaces that will be used for forwarding MPLS packets: [edit] user@switch# set interfaces ge-0/0/5 unit 0 family mpls user@switch# set interfaces ge-0/0/6 unit 0 family mpls 8. Configure a customer edge interface as a Layer 3 routed interface, specifying an IP

address: [edit] user@switch# set interfaces ge-2/0/3 unit 0 family inet 121.121.121.1/16 9. Configure this Layer 3 customer edge interface for the routing protocol: [edit] user@switch# set protocols ospf area 0.0.0 interface ge-2/0/3.0 10. Configure an LSP on the ingress PE switch (100.100.100.100) to send IP packets over

MPLS to the egress PE switch (208.208.208.208): [edit protocols mpls] user@switch# set label-switched-path ip_lspjavae_29 from 100.100.100.100 user@switch# set label-switched-path ip_lspjavae_29 to 208.208.208.208 11. Disable constrained-path LSP computation for this LSP: [edit protocols mpls]

4876



user@switch# set label-switched-path ip_lspjavae_29 no-cspf 12. Configure a static route from the ingress PE switch to the egress PE switch, thereby

indicating to the routing protocol that the packets will be forwarded over the MPLS LSP that has been set up to that destination:

NOTE: Do not configure a static route if you are using this procedure to configure an MPLS-based Layer 3 VPN.

[edit] user@switch# set routing-options static route 2.2.2.0/24 next-hop 100.100.100.100 user@switch# set routing-options static route 2.2.2.0/24 resolve

Configuring the Egress PE Switch To configure the egress PE switch: 1.

Configure an IP address for the loopback interface and for the core interfaces: [edit] user@switch# set interfaces lo0 unit 0 family inet address 208.208.208.208/32 user@switch# set interfaces ge-0/0/5 unit 0 family inet address 10.1.20.1/24 user@switch# set interfaces ge-0/0/6 unit 0 family inet address 10.1.21.1/24

2. Configure OSPF on the loopback interface (or switch address) and core interfaces: [edit protocols] user@switch# set ospf area 0.0.0.0 interface lo0.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/5.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/6.0

NOTE: If you want to use routed VLAN interfaces (RVIs) or Layer 3 subinterfaces as the core interfaces, replace ge-0/0/5.0 and ge-0/0/6 each with an RVI name (for example, vlan.logical-interface-number) or a subinterface name (for example, interface-name.logical-unit-number). RVIs function as logical routers, eliminating the need to have both a switch and a router. Layer 3 subinterfaces allow you to route traffic among multiple VLANs along a single trunk line that connects an EX Series switch to a Layer 2 switch.

3. Enable traffic engineering for the routing protocol: [edit protocols] user@switch# set ospf traffic-engineering 4. Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switch# set rsvp interface lo0.0 user@switch# set rsvp interface ge-0/0/5.0 user@switch# set rsvp interface ge-0/0/6.0 5. Configure MPLS traffic engineering on both BGP and IGP destinations: [edit protocols] user@switch# set protocols mpls traffic-engineering bgp-igp 6. Configure MPLS on the core interfaces:


4877

®


[edit protocols] user@switch# set mpls interface (MPLS) ge-0/0/5.0 user@switch# set mpls interface ge-0/0/6.0 7. Configure family mpls on the logical units of the core interfaces, thereby identifying

the interfaces that will be used for forwarding MPLS packets: [edit] user@switch# set interfaces ge-0/0/5 unit 0 family mpls user@switch# set interfaces ge-0/0/6 unit 0 family mpls 8. Configure a customer edge interface as a Layer 3 routed interface, specifying an IP

address: [edit] user@switch# set interfaces ge-2/0/3 unit 0 family inet address 2.2.2.1/16 9. Configure this Layer 3 customer edge interface for the routing protocol: [edit] user@switch# set protocols ospf area 0.0.0 interface ge-2/0/3 10. Configure an LSP on the egress PE switch (208.208.208.208) to send IP packets over

MPLS to the ingress PE switch (100.100.100.100): [edit protocols mpls] user@switch# set label-switched-path ip_lsp29_javae from 208.208.208.208 user@switch# set label-switched-path ip_lspjavae_29 to 100.100.100.100 11. Disable constrained-path LSP computation for this LSP: [edit protocols mpls] user@switch# set label-switched-path ip_lsp29_javae no-cspf 12. Configure a static route from the ingress PE switch to the egress PE switch, thereby

indicating to the routing protocol that the packets will be forwarded over the MPLS LSP that has been set up to that destination:

NOTE: Do not configure a static route if you are using this procedure to configure an MPLS-based Layer 3 VPN.

[edit] user@switch# set routing-options static route 121.121.121.0/24 next-hop 208.208.208.208 user@switch# set routing-options static route 121.121.121.0/24 resolve


4878

•


•


•


•

Verifying That MPLS Is Working Correctly on page 4905

•




Configuring MPLS on Provider Edge Switches Using Circuit Cross-Connect (CLI Procedure) Junos OS MPLS for EX Series switches supports Layer 2 protocols and Layer 2 virtual private networks (VPNs). You can configure MPLS on EX Series switches to increase transport efficiency in your network. MPLS services can be used to connect various sites to a backbone network and to ensure better performance for low-latency applications such as VoIP and other business-critical functions. This topic describes configuring provider edge (PE) switches in an MPLS network using a circuit cross-connect (CCC). The customer edge interface can be either a simple interface or a tagged VLAN interface.

NOTE: If you are configuring a CCC on a tagged VLAN interface, you do not specify family ccc. See Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN and Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit.

NOTE: If you are going through this procedure in preparation for configuring an MPLS-based Layer 2 VPN, you do not need to configure the association of the label-switched path (LSP) with the customer edge interface. The BGP signaling automates the connections, so manual configuration of the connections is not required.

The following guidelines apply to CCC configurations: •

When an interface is configured to belong to family ccc, it cannot belong to any other family.

•

You can send any kind of traffic over a CCC, including nonstandard bridge protocol data units (BPDUs) generated by other vendors’ equipment.

•

If you are configuring a CCC on a tagged VLAN interface, you must explicitly enable VLAN tagging and specify a VLAN ID. The VLAN ID cannot be configured on logical interface unit 0. The logical unit number must be 1 or higher. See Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN and Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit.

This procedure shows how to set up two CCCs: •

If you are configuring a CCC on a simple interface (ge-0/0/1), you do not need to enable VLAN tagging or specify a VLAN ID, so you skip those steps.

•

If you are configuring a CCC on a tagged VLAN interface (ge-0/0/2), include all the steps in this procedure.

To configure a PE switch with a CCC:


4879

®


1.

Configure OSPF (or IS-IS) on the loopback (or switch address) and core interfaces: [edit protocols] user@switch# set ospf area 0.0.0.0 interface lo0.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/5.0 user@switch# set ospf area 0.0.0.0 interface ge-0/0/6.0 user@switch# set ospf area 0.0.0.0 interface ae0

2. Enable traffic engineering for the routing protocol: [edit protocols] user@switch# set ospf traffic-engineering 3. Configure an IP address for the loopback interface and for the core interfaces: [edit] user@switch# set interfaces lo0 unit 0 family inet address 127.1.1.1/32 user@switch# set interfaces ge-0/0/5 unit 0 family inet address 10.1.5.1/24 user@switch# set interfaces ge-0/0/6 unit 0 family inet address 10.1.6.1/24 user@switch# set interfaces ae0 unit 0 family inet address 10.1.9.1/24 4. Enable MPLS and define the LSP: [edit protocols] user@switch# set mpls (EX Series) label-switched-path lsp_to_pe2_ge1 to 127.1.1.3

TIP: lsp_to_pe2_ge1 is the LSP name. You will need to use the specified name again when configuring the CCC.

5. Configure MPLS on the core interfaces: [edit protocols] user@switch# set mpls interface (MPLS) ge-0/0/5.0 user@switch# set mpls interface ge-0/0/6.0 user@switch# set mpls interface ae0 6. Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switch# set rsvp interface lo0.0 user@switch# set rsvp interface ge-0/0/5.0 user@switch# set rsvp interface ge-0/0/6.0 user@switch# set rsvp interface ae0 7. Configure family mpls on the logical units of the core interfaces: [edit] user@switch# set interfaces ge-0/0/5 unit 0 family mpls user@switch# set interfaces ge-0/0/6 unit 0 family mpls user@switch# set interfaces ae0 unit 0 family mpls


8. If you are configuring a CCC on a tagged VLAN interface, enable VLAN tagging on the

customer edge interface ge-0/0/2 of the local PE switch: [edit interfaces ge-0/0/2] user@switch# set vlan-tagging

If you are configuring a CCC on a simple interface (ge-0/0/1), omit this step.

4880



9. If you are configuring a CCC on a tagged VLAN interface, configure the logical unit of

the customer edge interface with a VLAN ID: [edit interfaces ge-0/0/2 unit 1] user@switch# set vlan-id (Layer 3 Subinterfaces) 100

If you are configuring a CCC on a simple interface (ge-0/0/1), omit this step. 10. Configure the logical unit of the customer edge interface to belong to family ccc: •

On a simple interface: [edit interfaces ge-0/0/1 unit 0] user@switch# set family ccc

•

On a tagged VLAN interface: [edit interfaces ge-0/0/2 unit 1] user@switch# set family ccc

11. Associate the CCC interface with two LSPs, one for transmitting MPLS packets and

the other for receiving MPLS packets:

NOTE: If you are configuring a Layer 2 VPN, omit this step. The BGP signaling automates the connections, so manual configuration of the connections is not required.

•

On a simple interface: [edit protocols] user@switch# set connections (MPLS) remote-interface-switch ge-1-to-pe2 interface ge-0/0/1.0 user@switch# set connections remote-interface-switch ge-1-to-pe2 transmit-lsp lsp_to_pe2_ge1 user@switch# set connections remote-interface-switch ge-1-to-pe2 receive-lsp lsp_to_pe1_ge1

•

On a tagged VLAN interface: [edit protocols] user@switch# set connections remote-interface-switch ge-1-to-pe2 interface ge-0/0/2.1 user@switch# set connections remote-interface-switch ge-1-to-pe2 transmit-lsp lsp_to_pe2_ge1 user@switch# set connections remote-interface-switch ge-1-to-pe2 receive-lsp lsp_to_pe1_ge1

TIP: The transmit-lsp option specifies the LSP name that was configured on PE-1 (the local PE switch) by the label-switched-path statement within the [edit protocols mpls] hierarchy. The receive-lsp option specifies the LSP name that was configured on PE-2 (the remote PE switch) by the label-switched-path statement within the [edit protocols mpls] hierarchy.

When you have completed configuring one PE switch, follow the same procedures to configure the other PE switch.


4881

®



•


•


•


•


Configuring CoS on an MPLS Provider Edge Switch Using IP Over MPLS (CLI Procedure) You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. This topic describes configuring CoS components on a provider edge (PE) switch that is using IP Over MPLS. This task describes how to create a custom DSCP classifier and a custom EXP rewrite rule on the ingress PE switch. It includes configuring a policer firewall filter and applying it to the customer-edge interface of the ingress PE switch. The policer firewall filter ensures that the amount of traffic forwarded through the MPLS tunnel never exceeds the requested bandwidth allocation. Before you begin, configure the basic components for an MPLS network: •


•


This topic includes: 1.





2. Add a forwarding class to this custom DSCP classifier and specify a loss priority and

code point: [edit class-of-service] user@switch# set classifiers dscp classifier-name forwarding-class forwarding-class loss-priority loss-priority code-points code-point 3. Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class forwarding-class loss-priority loss-priority code-points code-point 4. On EX8200 switches only, bind the custom EXP rewrite rule to the interface:

4882



[edit class-of-service] user@switch# set class-of-service interfaces interface unit unit rewrite-rules exp e1



1.

Specify the number of bits per second permitted, on average, for the firewall policer, which will later be applied to the customer-edge-interface: [edit firewall] user@switch# set policer mypolicer if-exceeding bandwidth-limit 500m


bandwidth limit for this policer: [edit firewall policer] user@switch# set mypolicer if-exceeding burst-size-limit 33553920 3. Discard traffic that exceeds the rate limits for this policer: [edit firewall policer] user@switch# set mypolicer then (Policer Action) discard 4. To reference the policer, configure a filter term that includes the policer action: [edit firewall] user@switch# set family inet filter (Firewall Filters) myfilter term t1 then policer mypolicer 5. Apply the filter to the customer-edge interface: [edit interfaces] user@switch# set ge-2/0/3 unit 0 family inet address 121.121.121.1/16 policing filter myfilter



•


•


•


•


Configuring CoS on an MPLS Provider Edge Switch Using Circuit Cross-Connect (CLI Procedure) You can use class of service (CoS) within MPLS networks to prioritize certain types of traffic during periods of congestion. This topic describes configuring CoS components on a provider edge (PE) switch that is using MPLS over circuit-cross connect (CCC).


4883

®


NOTE: On EX Series switches other than EX8200 switches, if you are using MPLS over CCC, you can use only one DSCP or IP precedence classifier and only one IEEE 802.1p classifier on the CCC interfaces.

This procedure is for creating a custom DSCP classifier and a custom EXP rewrite rule on the ingress PE. It also includes enabling a policer on the label-switched path (LSP) of the ingress PE to ensure that the amount of traffic forwarded through the LSP never exceeds the requested bandwidth allocation. This topic includes: 1.





2. Add the expedited-forwarding class to this custom DSCP classifier, specifying a loss

priority and code point: [edit class-of-service] user@switch# set classifiers dscp classifier-name forwarding-class forwarding-class loss-priority loss-priority code-points code-point 3. Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class forwarding-class loss-priority loss-priority code-point code-point 4. Bind the DSCP classifier to the CCC interface: [edit ] user@switch# set class-of-service interfaces interface unit unit classifier classifier-name 5. On EX8200 switches only, bind the custom EXP rewrite rule to the interface: [edit class-of-service] user@switch# set class-of-service interfaces interface unit unit rewrite-rules exp e1

4884





1.

Specify the number of bits per second permitted, on average, for the policer, which will later be applied to the LSP: [edit firewall] set policer mypolicer if-exceeding bandwidth-limit 500m


bandwidth limit for this policer: [edit firewall policer] set mypolicer if-exceeding burst-size-limit 33553920 3. Discard traffic that exceeds the rate limits for this policer: [edit firewall policer] set mypolicer then (Policer Action) discard 4. To reference the policer, configure a filter term that includes the policer action: [edit firewall] user@switch# set family any filter (Firewall Filters) myfilter term t1 then policer mypolicer 5. Apply the filter to the LSP: [edit protocols mpls] set label-switched-path lsp_to_pe2_ge1 policing filter myfilter



•


•


•


•



4885

®


Configuring CoS on Provider Switches of an MPLS Network (CLI Procedure) You can add class-of-service (CoS) components to your MPLS networks on EX Series switches to achieve end-to-end Differentiated Services to match your specific business requirements. The configuration of CoS components on the provider switches is the same regardless of whether the provider edge (PE) switches are using MPLS over CCC or IP over MPLS. This task shows how to configure a custom EXP classifier and custom EXP rewrite rule on the provider switch. 1.


2. Add the expedited-forwarding class to this custom EXP classifier, specifying a loss

priority and code point: [edit class-of-service] user@switch# set classifiers exp exp1 forwarding-class expedited-forwarding loss-priority low code-points 010 3. Specify the values for the custom EXP rewrite rule, e1: [edit class-of-service] user@switch# set rewrite-rules exp e1 forwarding-class expedited-forwarding loss-priority low code-point 111 4. On EX8200 switches only, bind the custom EXP rewrite rule to the interface: [edit class-of-service] user@switch# set class-of-service interfaces ge-0/0/2 unit 0 rewrite-rules exp e1



4886

•




Configuring CoS Bits for an MPLS Network (CLI Procedure) When traffic enters a labeled-switch path (LSP) tunnel, the CoS bits in the MPLS header are set in one of two ways: •

The number of the output queue into which the packet was buffered and the packet loss priority (PLP) bit are written into the MPLS header and are used as the packet’s CoS value. This behavior is the default, and no configuration is required. The Junos OS Class of Service Configuration Guide explains the IP CoS values, and summarizes how the CoS bits are treated.

•

You set a fixed CoS value on all packets entering the LSP tunnel. A fixed CoS value means that all packets entering the LSP receive the same class of service.

To set a fixed CoS value on all packets entering the LSP: 1.

Specify a class of service value for the LSP:

NOTE: The CoS value set using the class-of-service statement at the [edit protocols mpls] hierarchy level supersedes the CoS value set at the [edit class-of-service] hierarchy level for an interface. Effectively, the CoS value configured for an LSP overrides the CoS value set for an interface.

[edit protocols mpls] user@switch# set class-of-service cos-value


•


•


•


•


•


•


•



4887

®


Configuring an MPLS-Based Layer 2 VPN (CLI Procedure) You can configure MPLS-based Layer 2 virtual private networks (VPNs) on EX8200 switches. Some benefits of a Layer 2 VPN are that it is private, secure and flexible. To configure Layer 2 VPN functionality in your MPLS network, you must configure Layer 2 VPN components on the local and remote provider edge (PE) switches.

NOTE: This topic shows how to add Layer 2 VPN components to a CCC configured on a simple interface. For information on combining Layer 2 VPN components with a tagged VLAN CCC, see “Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure)” on page 4893 .

Before you configure the Layer 2 VPN components, you must configure the basic components for an MPLS network: •


•


NOTE: A Layer 2 VPN requires that the PE switches be configured using a circuit cross-connect (CCC).

Configure the Layer 2 VPN components on both PE switches. This procedure describes how to configure one PE switch. Repeat the procedure to configure the remote PE switch. To configure Layer 2 VPN components on the PE switch: 1.

Configure the customer edge interface to use the physical encapsulation type ethernet-ccc:

NOTE: The customer edge interface is a simple interface.

[edit] user@switch# set interfaces interface-name encapsulation ethernet-ccc 2. Configure BGP, specifying the loopback address of this PE switch as the local address

and specifying family l2vpn signaling: [edit protocols bgp] user@switch# set local-address address family l2vpn signaling 3. Configure the BGP group, specifying the group name and type internal: [edit protocols bgp] user@switch# set group group-name type internal 4. Configure the BGP neighbor, specifying the loopback address of the remote PE switch

as the neighbor’s address:

4888



[edit protocols bgp] user@switch# set neighbor address 5. Configure the routing instance, specifying the routing-instance name and using l2vpn

as the instance type: [edit routing-instances] user@switch# set routing-instance-name instance-type l2vpn 6. Configure the routing instance to apply to the customer edge interface: user@switch# set routing-instances routing-instance-name interface interface-name 7. Configure the routing instance to use a route distinguisher:

NOTE: Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances musthave a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

user@switch# set routing-instances routing-instance-name route-distinguisher ip-address:number 8. Configure the VPN routing and forwarding (VRF) target of the routing instance: [edit routing-instances] user@switch# set routing-instance-name vrf-target community

NOTE: If you configure the community option only, default VRF import and export policies are generated that accept and tag routes with the specified target community. You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

9. Configure the protocols and encapsulation type used by the routing instance: [edit routing-instances] user@switch# set routing-instance-name protocols l2vpn encapsulation-type ethernet 10. Apply the routing instance to a customer edge interface and specify a description for

it: [edit routing-instances] user@switch# set routing-instance-name protocols interface interface-name description text 11. Configure the routing instance protocols site: [edit routing-instances] user@switch# set routing-instance-name protocols l2vpn site site-name site-identifier identifierremote-site-id identifier

NOTE: The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE switch.


4889

®



4890

•


•


•




Configuring an MPLS-Based Layer 3 VPN (CLI Procedure) You can configure MPLS-based Layer 3 virtual private networks (VPNs) on EX8200 switches. Layer 3 VPNs leverage the service provider’s technical expertise for site-to-site routing. To configure Layer 3 VPN functionality in your MPLS network, you must enable Layer 3 VPN support on the local and remote provider edge (PE) switches as described in this task. Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network: •

Configure two PE switches. See “Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure)” on page 4875.

•


NOTE: A Layer 3 VPN requires that the PE switches be configured using IP over MPLS.

Configure the Layer 3 VPN components on both PE switches. This procedure describes how to configure one PE switch. Repeat the procedure to configure the remote PE switch.

NOTE: When you configure the remote PE switch, the information specified for the routing instance must be configured the same as the information specified for the routing instance on the local PE switch. You must also specify the same BGP group name. The following statements will have different values on the remote PE switch from those on the local PE switch: •

local-address

•

neighbor

To configure an MPLS-based Layer 3 VPN on the PE switch: 1.

Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast: [edit protocols bgp] user@switch# set local-address address family inet-vpn unicast

2. Configure the BGP group, specifying the group name and type internal: [edit protocols bgp] user@switch# set group group-name type internal 3. Configure the BGP neighbor, specifying the loopback address of the remote PE switch

as the neighbor’s address: [edit protocols bgp]


4891

®


user@switch# set neighbor address 4. Configure the routing instance, specifying the routing-instance name and using vrf as

the instance type: [edit] user@switch# set routing-instances routing-instance-name instance-type vrf 5. Configure a description for this routing instance: [edit] user@switch# set routing-instances routing-instance-name description text 6. Configure the routing instance to use a route distinguisher:

NOTE: Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances must have a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

user@switch# set routing-instances routing-instance-name route-distinguisher ip-address:number 7. Configure the VPN routing and forwarding (VRF) target of the routing instance: [edit routing-instances] user@switch# set routing-instance-name vrf-target community

NOTE: If you configure the community option only, default VRF import and export policies are generated that accept and tag routes with the specified target community. You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

8. Configure this routing instance with vrf-table-label, which maps the inner label of a

packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header. [edit routing-instances] user@switch# set routing-instance-name vrf-table-label 9. (Optional) Configure the routing options:

NOTE: We recommend that you configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

[edit routing-options] user@switch# set router-id ip-address autonomous-system as-number


4892

•


•




•


Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure) You can use configure an 802.1Q VLAN as an MPLS-based Layer 2 virtual private network (VPN) using EX8200 switches to interconnect multiple customer sites with Layer 2 technology. This topic describes configuring provider edge (PE) switches in an MPLS network using a circuit cross-connect (CCC) on a tagged VLAN interface (802.1Q VLAN) rather than a simple interface.

NOTE: You do not need to make any changes to existing provider switches in your MPLS network to support this type of configuration. For information on configuring provider switches, see “Configuring MPLS on Provider Switches (CLI Procedure)” on page 4870.

NOTE: You can send any kind of traffic over a CCC, including nonstandard bridge protocol data units (BPDUs) generated by other vendors’ equipment.

To configure a PE switch with a VLAN CCC and an MPLS-based Layer 2 VPN: 1.

Configure OSPF (or IS-IS) on the loopback (or switch address) and core interfaces: [edit protocols] user@switch# set ospf area 0.0.0.0 interface lo0.0 user@switch# set ospf area 0.0.0.0 interface interface-name user@switch# set ospf area 0.0.0.0 interface interface-name user@switch# set ospf area 0.0.0.0 interface interface-name

2. Enable traffic engineering for the routing protocol: [edit protocols] user@switch# set ospf traffic-engineering 3. Configure an IP address for the loopback interface and for the core interfaces: [edit] user@switch# set interfaces lo0 unit logical-unit-number family inet address address user@switch# set interfaces interface-name unit logical-unit-number family inet address address user@switch# set interfaces interface-name unit logical-unit-number family inet address address user@switch# set interfaces interface-name unit logical-unit-number family inet address address 4. Enable the MPLS protocol with cspf disabled:


4893

®


NOTE: CSPF is a shortest-path-first algorithm that has been modified to take into account specific restrictions when the shortest path across the network is calculated. You need to disable CSPF for link protection to function properly on interarea paths.

[edit protocols] user@switch# set mpls (EX Series) no-cspf 5. Define the label switched path (LSP): [edit protocols] user@switch# set mpls label-switched-path lsp_name to address

TIP: You will need to use the specified LSP name again when configuring the CCC.

6. Configure MPLS on the core interfaces: [edit protocols] user@switch# set mpls interface (MPLS) interface-name user@switch# set mpls interface interface-name user@switch# set mpls interface interface-name 7. Configure RSVP on the loopback interface and the core interfaces: [edit protocols] user@switch# set rsvp interface lo0.0 user@switch# set rsvp interface interface-name user@switch# set rsvp interface interface-name user@switch# set rsvp interface interface-name 8. Configure family mpls on the logical units of the core interfaces: [edit] user@switch# set interfaces interface-name unit logical-unit-number family mpls user@switch# set interfaces interface-name unit logical-unit-number family mpls user@switch# set interfaces interface-name unit logical-unit-number family mpls


9. Enable VLAN tagging on the customer edge interface of the local PE switch: [edit] user@switch# set interfaces interface-name vlan-tagging 10. Configure the customer edge interface to use encapsulation vlan-ccc: [edit] user@switch# set interfaces interface-name encapsulation vlan-ccc 11. Configure the logical unit of the customer edge interface with a VLAN ID:

4894



NOTE: The VLAN ID cannot be configured on logical interface unit 0. The logical unit number must be 1 or higher. The same VLAN ID must be used when configuring the customer edge interface on the other PE switch.

[edit ] user@switch# set interfaces interface-name logical-unit-numbervlan-id (Layer 3 Subinterfaces) vlan-id 12. Configure BGP, specifying the loopback address as the local address and enabling

family l2vpn signaling: [edit protocols bgp] user@switchPE1# set local-address address family l2vpn signaling 13. Configure the BGP group, specifying the group name and type: [edit protocols bgp] user@switchPE1# set group ibgp type internal 14. Configure the BGP neighbor, specifying the loopback address of the remote PE switch

as the neighbor’s address: [edit protocols bgp] user@switchPE1# set neighbor address 15. Configure the routing instance, specifying the routing-instance name and using l2vpn

as the instance type: [edit routing-instances] user@switchPE1# set routing-instance-name instance-type l2vpn 16. Configure the routing instance to apply to the customer edge interface: [edit routing-instances] user@switchPE1# set routing-instance-name interface interface-name 17. Configure the routing instance to use a route distinguisher: [edit routing-instances] user@switchPE1# set routing-instance-name route-distinguisher address 18. Configure the VPN routing and forwarding (VRF) target of the routing instance: [edit routing-instances] user@switchPE1# set routing-instance-name vrf-target community


19. Configure the protocols and encapsulation type used by the routing instance: [edit routing-instances] user@switchPE1# set routing-instance-name protocols l2vpn encapsulation-type ethernet-vlan 20. Apply the routing instance to a customer edge interface and specify a description for

it: [edit routing-instances]


4895

®


user@switchPE1# set routing-instance-name protocols interface interface-name description description 21. Configure the routing-instance protocols site: [edit routing-instances] user@switchPE1# set routing-instance-name protocols l2vpn site site-name site-identifier identifier remote-site-id identifier

NOTE: The remote site ID (configured with the remote-site-id statement) corresponds to the site ID (configured with the site-identifier statement) configured on the other PE switch.


NOTE: You must use the same type of switch for the other PE switch. You cannot use an EX8200 as one PE switch and use an EX3200 or EX4200 as the other PE switch.


•


•


•


•


Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit (CLI Procedure) You can use configure an 802.1Q VLAN as an MPLS-based Layer 2 circuit using EX8200 switches to interconnect multiple customer sites with Layer 2 technology. This topic describes configuring provider edge (PE) switches in an MPLS network using a circuit cross-connect (CCC) on a tagged VLAN interface (802.1Q VLAN) rather than a simple interface.



To configure a PE switch with a VLAN CCC and an MPLS-based Layer 2 circuit:

4896



1.




[edit protocols] user@switch# set mpls (EX Series) no-cspf 5. Configure the customer edge interface as a Layer 2 circuit from the local PE switch

to the other PE switch: [edit protocols] user@switch# set l2circuit neighbor address interface interface-name virtual-circuit-id identifier

TIP: Use the switch address of the other switch as the neighbor address.

6. Configure MPLS on the core interfaces: [edit protocols] user@switch# set mpls interface (MPLS) interface-name user@switch# set mpls interface interface-name user@switch# set mpls interface interface-name 7. Configure LDP on the loopback interface and the core interfaces: [edit protocols] user@switch# set ldp interface lo0.0 user@switch# set ldp interface interface-name user@switch# set ldp interface interface-name user@switch# set ldp interface interface-name 8. Configure family mpls on the logical units of the core interfaces: [edit] user@switch# set interfaces interface-name unit logical-unit-number family mpls user@switch# set interfaces interface-name unit logical-unit-number family mpls


4897

®


user@switch# set interfaces interface-name unit logical-unit-number family mpls



NOTE: The VLAN ID cannot be configured on logical interface unit 0. The logical unit number must be 1 or higher. The same VLAN ID must be used when configuring the customer edge interface on the other PE switch.

[edit ] user@switch# set interfaces interface-name logical-unit-number vlan-id (Layer 3 Subinterfaces) vlan-id


NOTE: You must use the same type of switch for the other PE switch. You cannot use an EX8200 as one PE switch and use an EX3200 or EX4200 as the other PE switch.


4898

•


•


•


•




Configuring an MPLS-Based VLAN CCC Using the Connection Method (CLI Procedure) You can configure an 802.1Q VLAN as an MPLS-based connection using EX8200 switches to interconnect multiple customer sites with Layer 2 technology. This topic describes configuring provider edge (PE) switches in an MPLS network using a circuit cross-connect (CCC) on a tagged VLAN interface (802.1Q VLAN) rather than a simple interface.



To configure a PE switch with a VLAN CCC and an MPLS-based connections: 1.




[edit protocols] user@switch# set mpls (EX Series) no-cspf


4899

®



NOTE: The VLAN ID cannot be configured on logical interface unit 0. The same VLAN ID must be used when configuring the customer edge interface on the other PE switch.

[edit ] user@switch# set interfaces interface-name logical-unit-numbervlan-id (Layer 3 Subinterfaces) vlan-id 8. Define the label switched path (LSP): [edit protocols] user@switch# set mpls label-switched-path lsp-name from address user@switch# set mpls label-switched-path lsp-name to address

TIP: You will need to use the specified LSP name again when configuring the CCC.

9. Configure the connection between the two circuits in the CCC connection [edit protocols] user@switch# set connections (MPLS) remote-interface-switch interface-switch interface local-interface user@switch# set connections remote-interface-switch interface-switch transmit-lsp destination-lsp user@switch# set connections remote-interface-switch interface-switch receive-lsp source-lsp


•


•


•


•


Configuring IPv6 Tunneling for MPLS (CLI Procedure) You can configure the IPv6 tunneling for MPLS to tunnel IPv6 traffic over an MPLS-based IPv4 network. This configuration allows you to interconnect a number of smaller IPv6 networks over an IPv4-based network core, giving you the ability to provide IPv6 service without having to upgrade the switches in your core network. BGP is configured to exchange routes between the IPv6 networks, and data is tunneled between these IPv6 networks by means of IPv4-based MPLS.

4900



To configure IPv6 tunneling for MPLS on your EX Series switch: 1.

Configure IPv4 and IPv6 IP addresses for all the core interfaces: [edit] user@switch# set interfaces interface-name unit logical-unit-number family inet address address

2. Configure the number assigned to you by the Network Information Center (NIC) as

the autonomous system (AS) number [edit routing-options] user@switch# set autonomous-system number 3. Advertise label 0 to the egress router of the LSP: [edit protocols] user@switch# set mpls (EX Series) explicit-null 4. Configure the LSP to allow IPv6 routes to be resolved over an MPLS network by

converting all routes stored in the inet3 routing table to IPv4-mapped IPv6 addresses and then copying them into the inet6.3 routing table: [edit protocols] user@switch# set mpls ipv6-tunneling 5. Set the local AS number: [edit protocols bgp] user@switch# set local-as local-autonomous-system-number 6. Configure the default import and export policies: [edit protocols bgp] user@switch# set local-address address user@switch# set import default-import user@switch# set family inet6 labeled-unicast explicit-null user@switch# set export default-export 7. Configure a BGP group that recognizes only the specified BGP systems as peers. Define

a group name, group type, local end of a BGP session, and a neighbor (peer). To configure multiple BGP peers, include multiple neighbor statements: [edit protocols bgp] user@switch# setgroup group-name type internal user@switch# set group group-name local-address address-of-the-local-end-of-a-bgp-session user@switch# set group group-name family inet6 labeled-unicast explicit-null user@switch# set group group-name peer-as peer-autonomous-system-number user@switch# set group group-name neighbor address family inet6 labeled-unicast explicit-null 8. Configure routing options to accept the default import and export policies: [edit policy-options] user@switch# set policy-statement default-import then accept user@switch# set policy-statement default-export then accept


•


•


•



4901

®


Configuring Static Label Switched Paths for MPLS (CLI Procedure) Configuring static label-switched paths (LSPs) for MPLS is similar to configuring static routes on individual switches. As with static routes, there is no error reporting, liveliness detection, or statistics reporting. To configure static LSPs, configure the ingress switch and each provider switch along the path up to and including the egress switch. For the ingress switch, configure which packets to tag (based on the packet’s destination IP address), configure the next switch in the LSP, and the tag to apply to the packet. Manually assigned labels can have values from 0 through 1,048,575. Optionally, you can apply preference, class-of-service (CoS) values, node protection, and link protection to the packets. For the transit switches in the path, configure the next switch in the path and the tag to apply to the packet. Manually assigned labels can have values from 1,000,000 through 1,048,575. Optionally, you can apply node protection and link protection to the packets. For the egress switch, you generally just remove the label and continue forwarding the packet to the IP destination. However, if the previous switch removed the label, the egress switch examines the packet’s IP header and forwards the packet toward its IP destination. Before you configure an LSP, you must configure the basic components for an MPLS network: •


•


This topic describes how to configure an ingress PE switch, one or more provider switches, and an egress PE switch for static LSP: 1.

Configuring the Ingress PE Switch on page 4902

2. Configuring the Provider and the Egress PE Switch on page 4903

Configuring the Ingress PE Switch To configure the ingress PE switch: 1.

Configure an IP address for the core interfaces: [edit] user@switch# set interfaces interface-name unit logical-unit-number family inet address address user@switch# set interfaces interface-name unit logical-unit-number family inet address address

2. Configure the next hop address and the egress router address that you want to bypass,

for the static LSP: [edit]

4902



user@switch# set protocols mpls static-label-switched-path by bypass next-hop address-of-next-hop user@switch# set protocols mpls static-label-switched-path by bypass to address-of-the-egress-switch 3. Configure the name and the traffic rate associated with the LSP: [edit] user@switch# set protocols mpls static-label-switched-path lsp-name ingress bandwidth rate 4. Configure the next hop switch for the LSP: [edit] user@switch# set protocols mpls static-label-switched-path lsp-name ingress next-hop address-of-next-hop 5. Enable link protection on the specified static LSP: [edit] user@switch# set protocols mpls static-label-switched-path lsp-name ingress link-protection bypass-name name 6. Specify the address of the egress switch for the LSP: [edit] user@switch# set protocols mpls static-label-switched-path path1 ingress to address-of-egress-switch 7. Configure the new label that you want to add to the top of the label stack: [edit] user@switch# set protocols mpls static-label-switched-path path1 ingress push out-label

Configuring the Provider and the Egress PE Switch To configure a static LSP for MPLS on the provider and egress provider edge switch: 1.

Configure a transit static LSP: [edit] user@switch# set protocols mpls static-label-switched-path path1 transit incoming-label

2. Configure the next hop switch for the LSP: [edit] user@switch# set protocols mpls static-label-switched-path lsp-name transit incoming-label next-hop address-of-next-hop 3. Only for provider switches, remove the label at the top of the label stack and replace

it with the specified label: [edit] user@switch# set protocols mpls static-label-switched-path lsp-name transit incoming-label swap out-label 4. Only for the egress provider edge switch, remove the label at the top of the label stack:

NOTE: If there is another label in the stack, that label becomes the label at the top of the label stack. Otherwise, the packet is forwarded as a native protocol packet (typically, as an IP packet).

[edit] user@switch# set protocols mpls static-label-switched-path lsp-name transit incoming-label pop


4903

®



4904

•


•


•



CHAPTER 140

Verifying MPLS •


•

Verifying Path Protection in an MPLS Network on page 4908

Verifying That MPLS Is Working Correctly To verify that MPLS is working correctly on EX Series switches, perform the following tasks: 1.

Verifying the Physical Layer on the Switches on page 4905

2. Verifying the Routing Protocol on page 4906 3. Verifying the Core Interfaces Being Used for the MPLS Traffic on page 4906 4. Verifying RSVP on page 4906 5. Verifying the Assignment of Interfaces for MPLS Label Operations on page 4907 6. Verifying the Status of the CCC on page 4907

Verifying the Physical Layer on the Switches Purpose Action

Verify that the interfaces are up. Perform this verification task on each of the switches. user@switch> show interfaces ge- terse Interface ge-0/0/0 ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0

Admin up up up up up up up

Link up up up up up up up

Proto

up

up

inet

Local

Remote

ccc ccc eth-switch eth-switch inet 10.1.5.1/24

mpls ge-0/0/6.0

10.1.6.1/24

mpls

Meaning

The show interfaces terse command displays status information about the Gigabit Ethernet interfaces on the switch. This output verifies that the interfaces are up. The output for the protocol family (Proto column) shows that interfaces ge-0/0/1.0 and ge-0/0/2.0 are configured as circuit cross-connect. The Local and Remote columns do not display


4905

®


IP addresses, because the inet family is not configured for CCC interfaces. The output for the protocol family of the core interfaces (ge-0/0/0.5 and ge-0/0/0.6), shows that these interfaces are configured as both inet and mpls. The Local column for the core interfaces shows the IP address configured for these interfaces.

Verifying the Routing Protocol Purpose

Action

Verify the state of the configured routing protocol. You should perform this verification task on each of the switches. The state should be Full. If you have configured OSPF as the routing protocol, use the show ospf neighbor command to verify that the routing protocol is communicating with the switch neighbors. If you have configured IS-IS as the routing protocol, use the show isis adjacency command to verify that the routing protocol is communicating with the switch neighbors. user@switch> show ospf neighbor Address 127.1.1.2

Meaning

Interface ge—0/0/5

State Full

ID 10.10.10.10

Pri Dead 128 39

The show ospf neighbor command displays the status of the routing protocol that has been configured on this switch. The output shows that the state is full, meaning that the routing protocol is operating correctly—that is, hello packets are being exchanged between directly connected neighbors. For additional information on checking and monitoring routing protocols, see the Junos OS Routing Protocols and Policies Command Reference .

Verifying the Core Interfaces Being Used for the MPLS Traffic Purpose

Action

Verify that the state of the MPLS interface is Up. You should perform this verification task on each of the switches. user@switch> show mpls interface Interface ge—0/05

Meaning

State Up

Administrative groups

The show mpls interface command displays the status of the core interfaces that have been configured to belong to family mpls. This output shows that the interface configured to belong to family mpls is up.

Verifying RSVP Purpose

Action

Verify the state of the RSVP session. You should perform this verification task on each of the switches. user@switch> show rsvp session Ingress RSVP: 1 sessions To From State 127.1.1.3 127.1.1.1 Up lsp_to_pe2_ge1 Total 1 displayed, Up 1, Down 0

4906

Rt Style Labelin Labelout LSPname 0 1 FF 300064


Chapter 140: Verifying MPLS

Egress RSVP: 1 sessions To From State 127.1.1.1 127.1.1.3 Up lsp_to_pe1_ge1 Total 1 displayed, Up 1, Down 0

Rt Style Labelin Labelout LSPname 0 1 FF 299968 -


Meaning

This output confirms that the RSVP sessions are Up.

Verifying the Assignment of Interfaces for MPLS Label Operations Purpose

Action

Meaning

Verify which interface is being used as the beginning of the CCC and which interface is being used to push the MPLS packet to the next hop. You should perform this task only on the provider edge switches. user@switch> show route forwarding-table family mpls MPLS: Destination Type RtRef Next hop default perm 0 0 user 0 1 user 0 2 user 0 299776 user 0 ge-0/0/1.0 (CCC) user 0 127.1.2.1

Type Index NhRef Netif dscd 50 1 recv 49 3 recv 49 3 recv 49 3 Pop 541 2 ge-0/0/1.0 Push 299792 540 2 ge-0/0/5.0

This output shows that CCC has been set up on interface ge-0/0/1.0. The switch receives ingress traffic on ge-0/0/1.0 with label 299776. It pops that label and swaps it to label 299792, which it pushes out on interface ge-0/0/5.0.

Verifying the Status of the CCC Purpose

Action

Verify the status of the CCC. You should perform this task only on the provider edge switches. user@switch> show connections CCC and TCC connections [Link Monitoring On] Legend for status (St) Legend for connection types UN -- uninitialized if-sw: interface switching NP -- not present rmt-if: remote interface switching WE -- wrong encapsulation lsp-sw: LSP switching DS -- disabled tx-p2mp-sw: transmit P2MP switching Dn -- down rx-p2mp-sw: receive P2MP switching -> -- only outbound conn is up show mpls lsp extensive ingress Ingress LSP: 2 sessions 127.1.8.8 From: 127.1.9.9, State: Up, ActiveRoute: 0, LSPname: lsp_to_240 ActivePath: primary_path_lsp_to_240 (primary) LoadBalance: Random Encoding type: Packet, Switching type: Packet, GPID: IPv4 *Primary primary_path_lsp_to_240 State: Up Priorities: 7 0 SmartOptimizeTimer: 180 Exclude: red Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2) 10.3.3.2 S 10.3.4.2 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID): 10.3.3.2 10.3.4.2 6 Mar 11 23:58:01.684 Selected as active path: due to 'primary' 5 Mar 11 23:57:00.750 Record Route: 10.3.3.2 10.3.4.2 4 Mar 11 23:57:00.750 Up 3 Mar 11 23:57:00.595 Originate Call 2 Mar 11 23:57:00.595 CSPF: computation result accepted 10.3.3.2 10.3.4.2 1 Mar 11 23:56:31.135 CSPF failed: no route toward 10.3.2.2[25 times] Standby secondary_path_lsp_to_240 State: Up Standby secondary_path_lsp_to_240 State: Up Priorities: 7 0 SmartOptimizeTimer: 180 Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 1) 10.3.5.2 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):

4908


Chapter 140: Verifying MPLS

10.3.5.2 7 Mar 11 23:58:01.684 Deselected as active: due to 'primary' 6 Mar 11 23:46:17.298 Selected as active path 5 Mar 11 23:46:17.295 Record Route: 5.5.5.2 4 Mar 11 23:46:17.287 Up 3 Mar 11 23:46:16.760 Originate Call 2 Mar 11 23:46:16.760 CSPF: computation result accepted 10.3.5.2 1 Mar 11 23:45:48.095 CSPF failed: no route toward 10.5.5.5[2 times] Created: Wed Mar 11 23:44:37 2009 [Output truncated]

Meaning

As indicated by the ActivePath in the output, the LSP primary_path_lsp_to_240 is active.

Verifying the RSVP-Enabled Interfaces Purpose

Action

Verify the status of Resource Reservation Protocol (RSVP)-enabled interfaces and packet statistics. user@switch> show rsvp interfaces RSVP interface: 1 active Active Subscr- Static Interface State resv iption BW ge-0/0/20.0 Up 2 100% 1000Mbps

Meaning

Available BW 1000Mbps

Reserved BW 0bps

Highwater mark 0bps

This output verifies that RSVP is enabled and operational on interface ge-0/0/20.0.

Verifying a Secondary Path Purpose Action

Verify that a secondary path is established. Deactivate a switch that is critical to the primary path and then issue the following command: user@switch> show mpls lsp extensive Ingress LSP: 1 sessions 127.0.0.8 From: 127.0.0.1, State: Up, ActiveRoute: 0, LSPname: ActivePath: secondary_path_lsp_to_240 (secondary) LoadBalance: Random Encoding type: Packet, Switching type: Packet, GPID: Primary primary_path_lsp_to_240 State: Dn Priorities: 7 0 SmartOptimizeTimer: 180 Exclude: red Will be enqueued for recomputation in 8 second(s). 51 Mar 8 12:23:31.268 CSPF failed: no route toward 50 Mar 4 15:35:25.610 Clear Call: CSPF computation 49 Mar 4 15:35:25.610 CSPF: link down/deleted: 127.0.0.2(127.0.0.1:0)(127.0.0.1)-> 0.0.0.0(127.0.0.20:0)(127.0.0.20) 48 Mar 4 15:35:25.576 Deselected as active 47 Mar 4 15:35:25.550 No Route toward dest 46 Mar 4 15:35:25.550 ????? 45 Mar 4 15:35:25.549 127.0.0.12: Down


lsp_to_240

IPv4

127.0.0.11[11420 times] failed

4909

®


44 Mar 4 15:33:29.839 Selected as active path 43 Mar 4 15:33:29.837 Record Route: 127.0.0.20 127.0.0.40 42 Mar 4 15:33:29.835 Up 41 Mar 4 15:33:29.756 Originate Call 40 Mar 4 15:33:29.756 CSPF: computation result accepted 127.0.0.20 127.0.0.40 39 Mar 4 15:33:00.395 CSPF failed: no route toward 127.0.0.11[7 times] 38 Mar 4 15:30:31.412 Clear Call: CSPF computation failed 37 Mar 4 15:30:31.412 CSPF: link down/deleted: 127.0.0.2(127.0.0.1:0)(127.0.0.1)-> 0.0.0.0(127.0.0.20:0)(127.0.0.20) 36 Mar 4 15:30:31.379 Deselected as active 35 Mar 4 15:30:31.350 No Route toward dest 34 Mar 4 15:30:31.350 ????? 33 Mar 4 15:30:31.349 127.0.0.12: Down 32 Mar 4 15:29:05.802 Selected as active path 31 Mar 4 15:29:05.801 Record Route: 127.0.0.20 127.0.0.40 30 Mar 4 15:29:05.801 Up 29 Mar 4 15:29:05.686 Originate Call 28 Mar 4 15:29:05.686 CSPF: computation result accepted 127.0.0.20 127.0.0.40 27 Mar 4 15:28:35.852 CSPF failed: no route toward 127.0.0.11[132 times] 26 Mar 4 14:25:12.113 Clear Call: CSPF computation failed 25 Mar 4 14:25:12.113 CSPF: link down/deleted: 0.0.0.0(127.0.0.20:0)(127.0.0.20)-> 0.0.0.0(10.10.10.10:0)(10.10.10.10) *Standby secondary_path_lsp_to_240 State: Up Priorities: 7 0 SmartOptimizeTimer: 180 Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 1) [Output truncated]

Meaning


4910

As indicated by the ActivePath in the output, the LSP secondary_path_lsp_to_240 is active.

•


•



CHAPTER 141

Configuration Statements for MPLS •




4911

®



4912


Chapter 141: Configuration Statements for MPLS



4913

®



4914





4915

®



4916





4917

®



4918





•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•



4919

®


•


connections Syntax


connections { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; } [edit protocols]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Define the connection between two circuits in a CCC connection. The remaining statements are explained separately.


4920



•


•





Release Information

Description Options

description text; [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn site site-name interface interface-name], [edit routing-instances routing-instance-name protocols l2vpn site site-name interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Describe the VPN or virtual private LAN service (VPLS) routing instance. text—Provide a text description. If the text includes one or more spaces, enclose it in

quotation marks (" "). Any descriptive text you include is displayed in the output of the show route instance detail command and has no effect on operation. Required Privilege Level Related Documentation


Configuring the Local Site on PE Routers in Layer 2 VPNs

•



4921

®


encapsulation (Physical Interface) Syntax

Hierarchy Level

Release Information

Description

Default Options

encapsulation (atm-ccc-cell-relay | atm-pvc | cisco-hdlc | cisco-hdlc-ccc | cisco-hdlc-tcc | ethernet-ccc | ethernet-over-atm | ethernet-tcc | ethernet-vpls | ethernet-vpls-fr | ethernet-vpls-ppp | extended-frame-relay-ccc | extended-frame-relay-tcc | extended-vlan-ccc | extended-vlan-tcc | extended-vlan-vpls | flexible-ethernet-services | flexible-frame-relay | frame-relay | frame-relay-ccc | frame-relay-port-ccc | frame-relay-tcc | multilink-frame-relay-uni-nni | ppp | ppp-ccc | ppp-tcc | vlan-ccc | vlan-vpls); [edit interfaces interface-name], [edit logical-systems logical-system-name interfaces interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify the physical link-layer encapsulation type. Not all encapsulation types are supported on the switches. See the switch CLI. PPP encapsulation. atm-ccc-cell-relay—Use ATM cell-relay encapsulation. atm-pvc—Use ATM permanent virtual connection (PVC) encapsulation. cisco-hdlc—Use Cisco-compatible HDLC framing. cisco-hdlc-ccc—Use Cisco-compatible HDLC framing on CCC circuits. cisco-hdlc-tcc—Use Cisco-compatible HDLC framing on TCC circuits for connecting unlike

media. ethernet-ccc—Use Ethernet CCC encapsulation on Ethernet interfaces that must accept

packets carrying standard Tag Protocol ID (TPID) values. For example, Ethernet CCC encapsulation can be used to transparently transport any VLANs or other Ethernet frames entering a port across a Layer 2 circuit. ethernet-over-atm—For interfaces that carry IPv4 traffic, use Ethernet over ATM

encapsulation. When you use this encapsulation type, you cannot configure multipoint interfaces. As defined in RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5, this encapsulation type allows ATM interfaces to connect to devices that support only bridged-mode protocol data units (BPDUs). The Junos OS does not completely support bridging, but accepts BPDU packets as a default gateway. If you use the router as an edge device, then the router acts as a default gateway. It accepts Ethernet LLC/SNAP frames with IP or Address Resolution Protocol (ARP) in the payload and drops the rest. For packets destined for the Ethernet LAN, a route lookup is done using the destination IP address. If the route lookup yields a full address match, the packet is encapsulated with an LLC/SNAP and media access control (MAC) header and forwarded to the ATM interface.

4922



ethernet-tcc—For interfaces that carry IPv4 traffic, use Ethernet TCC encapsulation on

interfaces that must accept packets carrying standard TPID values. Ethernet TCC is not currently supported on Fast Ethernet 48-port PICs. ethernet-vpls—Use Ethernet VPLS encapsulation on Ethernet interfaces that have VPLS

enabled and that must accept packets carrying standard TPID values. ethernet-vpls-fr—Use in a VPLS setup when a CE device is connected to a PE device over

a time division multiplexing (TDM) link. This encapsulation type enables the PE device to terminate the outer layer 2 Frame Relay connection, use the 802.1p bits inside the inner Ethernet header to classify the packets, look at the MAC address from the Ethernet header, and use it to forward the packet into a given VPLS instance. ethernet-vpls-ppp—Use in a VPLS setup when a CE device is connected to a PE device

over a time division multiplexing (TDM) link. This encapsulation type enables the PE device to terminate the outer layer 2 PPP connection, use the 802.1p bits inside the inner Ethernet header to classify the packets, look at the MAC address from the Ethernet header, and use it to forward the packet into a given VPLS instance. extended-frame-relay-ccc—Use Frame Relay encapsulation on CCC circuits. This

encapsulation type allows you to dedicate data link connection identifiers (DLCIs) 1 through 1022 to CCC. extended-frame-relay-tcc—Use Frame Relay encapsulation on TCC circuits to connect

unlike media. This encapsulation type allows you to dedicate DLCIs 1 through 1022 to TCC. extended-vlan-ccc—Use extended VLAN encapsulation on CCC circuits with Gigabit

Ethernet and 4-port Fast Ethernet interfaces that must accept packets carrying 802.1Q values. extended-vlan-tcc—For interfaces that carry IPv4 traffic, use extended VLAN encapsulation

on TCC circuits with Gigabit Ethernet interfaces on which you want to use 802.1Q tagging. Extended Ethernet TCC is not currently supported on Fast Ethernet 48-port PICs. extended-vlan-vpls—Use extended VLAN VPLS encapsulation on Ethernet interfaces

that have VLAN 802.1Q tagging and VPLS enabled and that must accept packets carrying TPIDs 0x8100, 0x9100, and 0x9901. flexible-ethernet-services—For Gigabit Ethernet IQ interfaces and Gigabit Ethernet PICs

with small form-factor pluggable transceivers (SFPs) only, use flexible Ethernet services encapsulation when you want to configure multiple per-unit Ethernet encapsulations. This encapsulation type allows you to configure any combination of route, TCC, CCC, and VPLS encapsulations on a single physical port. Aggregated Ethernet bundles cannot use this encapsulation type. If you configure flexible Ethernet services encapsulation on the physical interface, VLAN IDs from 1 through 511 are no longer reserved for normal VLANs.


4923

®


flexible-frame-relay—For IQ interfaces only, use flexible Frame Relay encapsulation when

you want to configure multiple per-unit Frame Relay encapsulations. This encapsulation type allows you to configure any combination of TCC, CCC, and standard Frame Relay encapsulations on a single physical port. Also, each logical interface can have any DLCI value from 1 through 1022. frame-relay—Use Frame Relay encapsulation. frame-relay-ccc—Use Frame Relay encapsulation or Frame Relay encapsulation on CCC

circuits. frame-relay-port-ccc—Use Frame Relay port CCC encapsulation to transparently carry

all the DLCIs between two CE routers without explicitly configuring each DLCI on the two provider edge (PE) routers with Frame Relay transport. When you use this encapsulation type, you can configure the family ccc only. frame-relay-tcc—Use Frame Relay encapsulation on TCC circuits to connect unlike media. multilink-frame-relay-uni-nni—Use MLFR user-to-network interface (UNI)

network-to-network interface (NNI) encapsulation. This encapsulation is used only on link services and voice services interfaces functioning as FRF.16 bundles and their constituent T1 or E1 interfaces. ppp—Use serial PPP encapsulation. ppp-ccc—Use serial PPP encapsulation on CCC circuits. When you use this encapsulation

type, you can configure the family ccc only. ppp-tcc—Use serial PPP encapsulation on TCC circuits for connecting unlike media. When

you use this encapsulation type, you can configure the family tcc only. vlan-ccc—Use Ethernet VLAN encapsulation on CCC circuits. vlan-vpls—Use VLAN VPLS encapsulation on Ethernet interfaces with VLAN tagging and

VPLS enabled. Interfaces with VLAN VPLS encapsulation accept packets carrying standard TPID values only. Required Privilege Level Related Documentation

4924


Configuring CCC Encapsulation for Layer 2 VPNs

•

Configuring TCC Encapsulation for Layer 2 VPNs and Layer 2 Circuits

•




encapsulation-type Syntax

Hierarchy Level

Release Information

Description

Options

encapsulation-type (atm-aal5 | atm-cell | atm-cell-port-mode | atm-cell-vc-mode | atm-cell-vp-mode | cesop | cisco-hdlc | ethernet | ethernet-vlan | frame-relay | frame-relay-port-mode | interworking | ppp | satop-e1 | satop-e3 | satop-t1 | satop-t3); [edit logical-systems logical-system-name protocols l2circuit neighbor address interface interface-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn neighbor address], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols vpls], [edit protocols l2circuit neighbor address interface interface-name], [edit routing-instances routing-instance-name protocols l2vpn], [edit routing-instances routing-instance-name protocols l2vpn neighbor address], [edit routing-instances routing-instance-name protocols vpls]

Statement introduced in Junos OS Release 9.2. Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify the type of Layer 2 traffic originating from the CE device. Only the ethernet and ethernet-vlan encapsulation types are supported for VPLS. Not all encapsulation types are supported on the switches. See the switch CLI. atm-aal5—ATM Adaptation Layer (AAL/5) atm-cell—ATM cell relay atm-cell-port-mode—ATM cell relay port promiscuous mode atm-cell-vc-mode—ATM VC cell relay nonpromiscuous mode atm-cell-vp-mode—ATM virtual path (VP) cell relay promiscuous mode cesop—CESOP-based Layer 2 VPN cisco-hdlc—Cisco Systems–compatible HDLC ethernet—Ethernet ethernet-vlan—Ethernet VLAN frame-relay—Frame Relay frame-relay-port-mode—Frame Relay port mode interworking—Layer 2.5 interworking VPN ppp—PPP satsop-e1—SATSOP-E1–based Layer 2 VPN


4925

®


satsop-e3—SATSOP-E3–based Layer 2 VPN satsop-t1—SATSOP-T1–based Layer 2 VPN satsop-t3—SATSOP-T3–based Layer 2 VPN

Default: For VPLS networks, the default encapsulation type is ethernet. Required Privilege Level Related Documentation

4926



•

Configuring VPLS Routing Instances

•

Configuring Interfaces for Layer 2 Circuits

•




exp Syntax


exp classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority (Classifiers and Rewrite Rules) level { code-points [ aliases ] [ 3–bit-patterns ]; } } } [edit class-of-service classifiers]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Define the experimental bits (EXP) code point mapping that is applied to the MPLS packets. EX Series switches support only one EXP code mapping on the switch (either default or custom). It is applied globally and implicitly to all the MPLS-enabled interfaces on the switch. You cannot bind it to an individual interface and you cannot disable it.

Options

classifier-name—Name of the classifier.




•


•


•



4927

®


instance-type Syntax

Hierarchy Level

Release Information


instance-type (forwarding |l2backhaul-vpn | l2vpn | layer2-control | no-forwarding | virtual-router | virtual-switch | vpls | vrf); [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit routing-instances routing-instance-name]

Statement introduced before Junos OS Release 7.4. virtual-switch and layer2-control options introduced in Junos OS Release 8.4. Define the type of routing instance. no-forwarding forwarding—Provide support for filter-based forwarding, where interfaces are not

associated with instances. All interfaces belong to the default instance. Other instances are used for populating RPD learned routes. See Example: Configuring Filter-Based Forwarding on the Source Address and Example: Configuring Filter-Based Forwarding on Logical Systems. l2backhaul-vpn—Provide support for Layer 2 wholesale VLAN packets with no existing

corresponding logical interface. When using this instance, the router learns both the outer tag and inner tag of the incoming packets, when the instance-role statement is defined as access, or the outer VLAN tag only, when the instance-role statement is defined as nni. l2vpn—Provide support for Layer 2 VPNs. layer2-control—(MX Series routers only) Provide support for RSTP or MSTP in customer

edge interfaces of a VPLS routing instance. no-forwarding—This is the default routing instance. Do not create a corresponding

forwarding instance. virtual-router—Similar to a VPN routing and forwarding instance type, but used for

non-VPN-related applications. There are no VRF import, VRF export, VRF target, or route distinguisher requirements for this instance type. virtual-switch—(MX Series routers only) Provide support for Layer 2 bridging. Use this

routing instances type to isolate a LAN segment with its Spanning Tree Protocol (STP) instance and separates its VLAN identifier space. vpls—Virtual private local-area network (LAN) service. Use this routing instance type for

point-to-multipoint LAN implementations between a set of sites in a VPN. vrf—VPN routing and forwarding instance. Provides support for Layer 3 VPNs, where

interface routes for each instance go into the corresponding forwarding table only.

4928





OBSOLETE - Specifying the Instance Type for Routing Instances

•


•

Junos OS Layer 2 Configuration Guide

•

Junos OS MX Series 3D Universal Edge Routers Solutions Guide

interface Syntax Hierarchy Level Release Information Description Default Options

interface (all | interface-name); [edit protocols mpls (EX Series)]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Enable MPLS on all interfaces on the switch or on the specified interface. MPLS is disabled. all—All interfaces on the switch. interface-name—Name of an interface:


•

Aggregated Ethernet—aex

•

Gigabit Ethernet—ge-fpc/pic/port



•


•



4929

®


label-switched-path Syntax Hierarchy Level Release Information

label-switched-path lsp-name to remote-provider-edge-switch; [edit protocols mpls (EX Series)]


Description

Define a label-switched path (LSP) to the remote provider edge switch to use for MPLS traffic. You must specify this statement on the provider edge switch.

Options

lsp-name —Name that identifies the LSP. The name can be up to 32 characters and can

contain letters, digits, periods, and hyphens. To include other characters, enclose the name in quotation marks. The name must be unique on the ingress switch. remote-provider-edge-switch —Either the loopback address or the switch address.


4930



•


•




ldp Syntax Hierarchy Level

Release Information

Description

ldp { ... } [edit logical-systems logical-system-name protocols], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Enable LDP routing on the router or switch. You must include the ldp statement in the configuration to enable LDP on the router or switch.


LDP is disabled on the router. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Minimum LDP Configuration

•

Enabling and Disabling LDP


4931

®


l2circuit Syntax

Hierarchy Level

Release Information

Description

l2circuit { local-switching { interface interface-name { description text; end-interface { interface interface-name; protect-interface interface-name; } ignore-mtu-mismatch; protect-interface interface-name; } } neighbor address { interface interface-name { bandwidth (bandwidth | ctnumber bandwidth); community community-name; (control-word | no-control-word); description text; encapsulation-type type; ignore-encapsulation-mismatch; ignore-mtu-mismatch; mtu mtu-number; protect-interface interface-name; pseudowire-status-tlv; psn-tunnel-endpoint address; virtual-circuit-id identifier; } } traceoptions { file filename ; flag flag ; } } [edit logical-systems logical-system-name protocols], [edit protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Enables a Layer 2 circuit. The remaining statements are explained separately.


4932


Configuring ATM Trunking on Layer 2 Circuits

•

Configuring Bandwidth Allocation and Call Admission Control in Layer 2 Circuits

•




•

Configuring LDP for Layer 2 Circuits

•

Configuring Policies for Layer 2 Circuits

•

Configuring Static Layer 2 Circuits

•

Introduction to Configuring Layer 2 Circuits

•

Tracing Layer 2 Circuit Operations

l2vpn Syntax

Hierarchy Level

Release Information

Description

l2vpn { (control-word | no-control-word); encapsulation-type type; traceoptions { file filename ; flag flag ; } site site-name { site-identifier identifier; site-preference preference-value { backup; primary; } interface interface-name { description text; remote-site-id remote-site-id; } } } [edit logical-systems logical-system-name routing-instances routing-instance-name protocols], [edit routing-instances routing-instance-name protocols]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Enable a Layer 2 VPN routing instance on a PE router or switch. The remaining statements are explained separately.




•



4933

®


mpls Syntax

mpls { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string;

4934



next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } }


[edit protocols]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Enable MPLS on the switch. The remaining statements are explained separately.


MPLS is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•



4935

®


neighbor Syntax

Hierarchy Level

Release Information

Description

Options

neighbor address { interface interface-name { bandwidth (bandwidth | ctnumber bandwidth); community community-name; (control-word | no-control-word); description text; ignore-encapsulation-mismatch; ignore-mtu-mismatch; mtu mtu-number; protect-interface interface-name; pseudowire-status-tlv; psn-tunnel-endpoint address; static { incoming-label label; outgoing-label label; } virtual-circuit-id identifier; } } [edit logical-systems logical-system-name protocols l2circuit], [edit protocols l2circuit]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Each Layer 2 circuit is represented by the logical interface connecting the local provider edge (PE) router or switch to the local customer edge (CE) router or switch. All the Layer 2 circuits using a particular remote PE router or switch designated for remote CE routers or switches are listed under the neighbor statement (neighbor designates the PE router or switch). Each neighbor is identified by its IP address and is usually the end-point destination for the LSP tunnel (transporting the Layer 2 circuit). address—IP address of a neighboring router or switch.


4936





path Syntax


path destination { } [edit protocols mpls (EX Series)]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Configure path protection on your MPLS network. destination —Name of a label switched path (LSP). In addition to specifying the name of

the configured LSP, you can include some other designation such as primary-path. address —(Optional) IP address of each transit switch (or the IP address of the loopback

interface on the switch) in the LSP. If you want to control exactly which switches are selected for the LSP, specify the address or hostname of each transit switch. Specify the addresses in order, starting with the first provider (transit) switch, and continuing sequentially along the path until reaching the egress provider edge switch. Default: If you do not specify the addresses or hostnames of any switches, the LSP is calculated by the switch. hostname —(Optional) See address .

Default: If you do not specify the addresses or hostnames of any switches, the LSP is calculated by the switch. loose—(Optional) Indicates that the next address in the path statement is a loose link.

This means that the LSP can traverse through other switches before reaching this switch. Default: strict strict—(Optional) Indicates that the LSP must go to the next address specified in the path statement without traversing other switches. This is the default.





4937

®


policing Syntax Hierarchy Level


Options

policing (filter filter-name | no-automatic-policing); [edit protocols mpls label-switched-path lsp-name] [edit interfaces interface-id unit number-of-logical-unit family inet address ip-address]

Statement introduced in Junos OS Release 10.1 for EX Series switches. Apply a rate-limiting policer as the specified policing filter: •

To the LSP for MPLS over CCC.

•

To the customer-edge interface for IP over MPLS.

filter filter-name—Specify the name of the policing filter. no-automatic-policing—Disable automatic policing on this LSP.



policer on page 4381

•


•


•


primary Syntax Hierarchy Level Release Information Description


4938

primary path-name; [edit protocols mpls (EX Series) label-switched-path lsp-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify the primary path to use for a label switched path (LSP). You can configure only one primary path. path-name —Name of the primary path that you created with the path statement.





remote-interface-switch Syntax


Options

remote-interface-switch connection-name { interface interface-name.unit-number; receive-lsp label-switched-path; transmit-lsp label-switched-path; } [edit protocols connections (MPLS)]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Configure MPLS LSP tunnel cross-connects. This makes an association between a CCC interface and two LSPs, one for transmitting MPLS packets from the local provider edge switch to the remote provider edge switch and the other for receiving MPLS packets on the local provider edge switch from the remote provider edge switch. connection-name —Connection name. interface interface-name.unit-number —Interface name. Include the logical portion of the

name, which corresponds to the logical unit number of the CCC interface. receive-lsp label-switched-path —Name of the LSP from the connection’s source. This

LSP name was specified by the label-switched-path statement on the remote provider edge switch in the protocols mpls stanza. transmit-lsp label-switched-path —Name of the LSP to the connection’s destination. This

LSP name was specified by the label-switched-path statement on the local provider edge switch in the protocols mpls stanza. Required Privilege Level Related Documentation



•


•


•



4939

®


remote-site-id Syntax Hierarchy Level

Release Information

Description

Options

remote-site-id remote-site-ID; [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn site site-name interface interface-name], [edit routing-instances routing-instance-name protocols l2vpn site site-name interface interface-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Control the remote interface to which the interface should connect. If you do not explicitly configure the remote site ID, the order of the interfaces configured for the site determines the default value. This statement is optional. remote-site-ID—Identifier specifying the interface on the remote PE router the Layer 2

VPN routing instance connects to. Required Privilege Level Related Documentation

4940



•




revert-timer Syntax Hierarchy Level


revert-timer seconds; [edit protocols mpls (EX Series)], [edit protocols mpls label-switched-path lsp-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify the amount of time that a label switched path (LSP) must wait before traffic reverts to a primary path. If during this time the primary path experiences any connectivity problem or stability problem, the timer is restarted. If you have configured a value of 0 seconds for the revert-timer statement and traffic is switched to the secondary path, the traffic remains on that path indefinitely. It is never switched back to the primary path unless you intervene.

Default Options

60 seconds seconds —Value in seconds.

Range: 0 through 65,535 seconds Required Privilege Level Related Documentation




4941

®


route-distinguisher Syntax Hierarchy Level

Release Information

Description

Options

route-distinguisher (as-number:number | ip-address:number); [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name], [edit routing-instances routing-instance-name], [edit routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify an identifier attached to a route, enabling you to distinguish to which VPN the route belongs. Each routing instance must have a unique route distinguisher associated with it. The route distinguisher is used to place bounds around a VPN so that the same IP address prefixes can be used in different VPNs without having them overlap. If the instance type is vrf, the route-distinguisher statement is required. as-number:number—as-number is an assigned AS number and number is any 2-byte for

4-byte value. The AS number can be from 1 through 4,294,967,295. If the AS number is a 2-byte value, the administrative number is a 4-byte value. If the AS number is 4-byte value, the administrative number is a 2-byte value. A route distinguisher consisting of a 4-byte AS number and a 2-byte administrative number is defined as a type 2 route distinguisher in RFC 4364 BGP/MPLS IP Virtual Private Networks.

NOTE: In Junos OS Release 9.1 and later, the numeric range for AS numbers is extended to provide BGP support for 4-byte AS numbers, as defined in RFC 4893, BGP Support for Four-octet AS Number Space. All releases of the Junos OS support 2-byte AS numbers. To configure a route distinguisher that includes a 4-byte AS number, append the letter “L” to the end of the number. For example, a route distinguisher with the 4-byte AS number 7,765,000 and an administrative number of 1,000 is represented as 77765000L:1000. In Junos OS Release 9.2 and later, you can also configure a 4-byte AS number using the AS-dot notation format of two integer values joined by a period: .. For example, the 4-byte AS number of 65,546 in plain-number format is represented as 1.10 in the AS-dot notation format.

ip-address:number—ip-address is an IP address in your assigned prefix range (a 4-byte

value) and number is any 2-byte value. Required Privilege Level

4942





•


•

OBSOLETE - Configuring Route Distinguishers for Routing Instances

•


•


•

Understanding 4-Byte AS Numbers and Route Distinguishers in the Using 4-Byte Autonomous System Numbers in BGP Networks Technology Overview

rsvp Syntax Hierarchy Level Release Information Description


rsvp; [edit protocols]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Enable Resource Reservation Protocol (RSVP) signaling. The primary purpose of RSVP in Junos OS for EX Series switches is to support dynamic signaling within label switched paths (LSPs). RSVP is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•



4943

®


secondary Syntax


Options

secondary path-name { standby; } [edit protocols mpls (EX Series) label-switched-path lsp-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Specify one or more secondary paths to use for the label switched path (LSP). You can configure more than one secondary path. All secondary paths are equal, and the first one that is available is chosen. path-name —Name of a secondary path that you created with the path statement.


4944





signaling Syntax Hierarchy Level

Release Information

Description


signaling; [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp family inet-mdt], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp family inet-mvpn], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name family inet-mdt], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols bgp group group-name family inet-mvpn], [edit routing-instances routing-instance-name protocols bgp family inet-mdt], [edit routing-instances routing-instance-name protocols bgp family inet-mvpn], [edit routing-instances routing-instance-name protocols bgp group group-name family inet-mdt], [edit routing-instances routing-instance-name protocols bgp group group-name family inet-mvpn]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Enable signaling in BGP. For multicast distribution tree (MDT) subaddress family identifier (SAFI) NLRI signaling, configure signaling under the inet-mdt family. For multiprotocol BGP (MBGP) intra-AS NLRI signaling, configure signaling under the inet-mvpn family. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Example: Configuring Source-Specific Multicast for Draft-Rosen Multicast VPNs

•



4945

®


site Syntax

Hierarchy Level

Release Information

Description

Options

site site-name { site-identifier identifier; site-preference preference-value { backup; primary; } interface interface-name { description text; remote-site-id remote-site-ID; } } [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn], [edit routing-instances routing-instance-name protocols l2vpn]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify the site name, site identifier, and interfaces connecting to the site. Allows you to configure a remote site ID for remote sites. site-identifier identifier—Numerical identifier for the site used as a default reference for

the remote site ID. site-name—Name of the site.


4946



•




site-identifier Syntax Hierarchy Level

Release Information

Description Options

site-identifier identifier; [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn site site-name], [edit routing-instances routing-instance-name protocols l2vpn site site-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify the numerical identifier for the local Layer 2 VPN site. identifier—The numerical identifier for the Layer 2 VPN site, which can be any number

from 1 through 65,534. Required Privilege Level Related Documentation



•


standby Syntax Hierarchy Level Release Information Description


standby; [edit protocols mpls (EX Series) label-switched-path lsp-name secondary path-name]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Enable the path to remain up at all times to provide instant switchover if connectivity problems occur. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



4947

®


traffic-engineering Syntax Hierarchy Level Release Information Description Default Required Privilege Level Related Documentation

4948

traffic-engineering; [edit protocols ospf | isis]

Statement introduced in Junos OS Release 9.5 for EX Series switches. Enable the traffic engineering features of the specified routing protocol. Traffic engineering is disabled. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•


•


•


•




traffic-engineering Syntax Hierarchy Level

Release Information

Description

Default Options

traffic-engineering (bgp | bgp-igp | bgp-igp-both-ribs | mpls-forwarding); [edit logical-systems logical-system-name protocols mpls], [edit protocols mpls]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 12.1 for EX Series switches. Select whether MPLS performs traffic engineering on BGP destinations only or on both BGP and IGP destinations. Affects only LSPs originating from this routing device, not transit or egress LSPs. bgp bgp—On BGP destinations only. Ingress routes are installed in the inet.3 routing table. bgp-igp—On both BGP and IGP destinations. Ingress routes are installed in the inet.0

routing table. If IGP shortcuts are enabled, the shortcut routes are automatically installed in the inet.0 routing table. bgp-igp-both-ribs—On both BGP and IGP destinations. Ingress routes are installed in the inet.0 and inet.3 routing tables. This option is used to support VPNs. mpls-forwarding—On both BGP and IGP destinations. Use ingress routes for forwarding

only, not for routing. Required Privilege Level Related Documentation


Configuring Traffic Engineering for LSPs

•



4949

®


vrf-table-label Syntax Hierarchy Level

Release Information

Description


4950

vrf-table-label; [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit routing-instances routing-instance-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Map the inner label of a packet to a specific VPN routing and forwarding (VRF) table. This allows the examination of the encapsulated IP header. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •

Filtering Packets in Layer 3 VPNs Based on IP Headers

•

Configuring EXP-Based Traffic Classification for VPLS

•

Load Balancing and IP Header Filtering for Layer 3 VPNs



vrf-target Syntax

Hierarchy Level

Release Information

Description

vrf-target { community; import community-name; export community-name; } [edit logical-systems logical-system-name routing-instances routing-instance-name], [edit logical-systems logical-system-name routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name] [edit routing-instances routing-instance-name], [edit routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 11.1 for EX Series switches. Specify a VRF target community. If you configure the community option only, default VRF import and export policies are generated that accept and tag routes with the specified target community. The purpose of the vrf-target statement is to simplify the configuration by allowing you to configure most statements at the [edit routing-instances] hierarchy level. You can still create more complex policies by explicitly configuring VRF import and export policies using the import and export options.

Options

community—Community name. import community-name—Communities accepted from neighbors. export community-name—Communities sent to neighbors.



Configuring Policies for the VRF Table on PE Routers in VPNs


4951

®


4952


CHAPTER 142

Operational Commands for MPLS


4953

®


clear mpls lsp Syntax


Release Information

Description

clear mpls lsp clear mpls lsp

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Release the routes and states associated with MPLS label-switched paths (LSPs), and start new LSPs.

CAUTION: This command disconnects existing Resource Reservation Protocol (RSVP) sessions on the ingress routing device. If there is a time lag between the old path being torn down and the new path being set up, this command might impact traffic traveling along the LSPs.

Options

none—Reset and restart all LSPs that originated from this routing device; that is, all LSPs

for which this routing device is the ingress routing device. Depending on the number of LSPs involved, it might take a while to restart all the LSPs. autobandwidth—(Optional) Clear LSP autobandwidth counters. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name name—(Optional) Reset and restart the specified LSP or group of LSPs. You can

include wildcard characters in the interface name, as described in the Junos Network Interfaces Configuration Guide. optimize | optimize-aggressive—(Optional) Run nonpreemptive optimization or aggressive

optimization computation now. path regular-expression—(Optional) Clear the specific LSP path matching the specified

regular expression. statistics—(Optional) Clear LSP statistics.

4954


Chapter 142: Operational Commands for MPLS



clear

•

show mpls lsp on page 5008

•

show rsvp session on page 5041

clear mpls lsp on page 4955 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear mpls lsp

user@host> clear mpls lsp


4955

®


clear rsvp session Syntax


Release Information

Description Options

clear rsvp session clear rsvp session

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Reset and restart Resource Reservation Protocol (RSVP) sessions. none—Reset and restart all RSVP sessions for which this routing device is the ingress,

transit, or egress routing device. connection-source address—(Optional) Source address for GMPLS and MPLS LSPs from

the RSVP sender template. connection-destination address—(Optional) Destination address for GMPLS and MPLS

LSPs from the RSVP sender template. gracefully—(Optional) Gracefully reset an RSVP session for a nonpacket LSP in two

passes. In the first pass, the Admin-Status object is signaled along the path to the other endpoint of the RSVP session. In the second pass, the path used by the RSVP session is torn down. This option can only be used on the ingress or egress routing device of the RSVP session and is only valid for nonpacket LSPs. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. lsp-id identifier—(Optional) LSP identifier (source port) for the RSVP sender template. name name—(Optional) Reset and restart the specified RSVP session. optimize-fast-reroute—(Optional) Begin fast reroute optimization. tunnel-id identifier—(Optional) Tunnel identifier (destination port) for the RSVP session.

4956





clear

•

clear mpls lsp on page 4954

•

show rsvp session on page 5041

clear rsvp session on page 4957 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear rsvp session

user@host> clear rsvp session


4957

®


clear rsvp statistics Syntax


Description Options

clear rsvp statistics clear rsvp statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Clear Resource Reservation Protocol (RSVP) packet and error statistics. none—Clear RSVP packet and error statistics. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


clear

•

show rsvp statistics on page 5049

clear rsvp statistics on page 4958 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear rsvp statistics

4958

user@host> clear rsvp statistics



ping mpls l2circuit Syntax

Release Information

ping mpls l2circuit (interface interface-name | virtual-circuit virtual-circuit-id neighbor address) reply-mode (application-level-control-channel | ip-udp | no-reply)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. The size and sweep options were introduced in Junos OS Release 9.6. The reply-mode option and its suboptions are introduced in Junos OS Release 10.4R1.

Description

Check the operability of the MPLS Layer 2 circuit connections. Type Ctrl+c to interrupt a ping mpls l2circuit command.

Options

count count—(Optional) Number of ping requests to send. If count is not specified, five ping

requests are sent. The range of values is 1 through 1,000,000. The default value is 5. destination address—(Optional) Specify an address other than the default (127.0.0.1/32)

for the ping echo requests. The address can be anything within the 127/8 subnet. detail—(Optional) Display detailed information about the echo requests sent and received. exp forwarding-class—(Optional) Value of the forwarding class for the MPLS ping packets. interface interface-name—Ping an interface configured for the Layer 2 circuit on the egress

provider edge (PE) router. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on the specified logical system. reply-mode—(Optional) Reply mode for the ping request. This option has the following

suboptions: application-level-control-channel—Reply using an application level control channel. ip-udp—Reply using an IPv4 or IPv6 UDP packet. no-reply—Do not reply to the ping request.

NOTE: The reply-mode option and its suboptions application-level-control-channel, ip-udp, and no-reply are also available in Junos OS Release 10.2R4 and 10.3R2.


4959

®


size bytes—(Optional) Size of the label-switched path (LSP) ping request packet (96

through 65468 bytes). Packets are 4-byte aligned. For example, If you enter a size of 97, 98, 99, or 100, the router or switch uses a size value of 100 bytes. If you enter a packet size that is smaller than the minimum size, an error message is displayed reminding you of the 96-byte minimum. source source-address—(Optional) IP address of the outgoing interface. This address is

sent in the IP source address field of the ping request. If this option is not specified, the default address is usually the loopback interface (lo.0). sweep—(Optional) Automatically determine the size of the maximum transmission unit

(MTU). v1—(Optional) Use the type 9 Layer 2 circuit type, length, and value (TLV). virtual-circuit virtual-circuit-id neighbor address—Ping the virtual circuit identifier on the

egress PE router or switch and the specified neighbor, testing the integrity of the Layer 2 circuit between the ingress and egress PE routers or switches. Additional Information

You must configure MPLS at the [edit protocols mpls] hierarchy level on the egress PE router or switch (the router or switch receiving the MPLS echo packets) to ping a Layer 2 circuit. In asymmetric MTU scenarios, the echo response may be dropped. For example, if the MTU from System A to System B is 1000 bytes, the MTU from System B to System A is 500 bytes, and the ping request packet size is 1000 bytes, the echo response is dropped because the PAD TLV is included in the echo response, making it too large.


Output Fields

network

ping mpls l2circuit interface on page 4960 ping mpls l2circuit virtual-circuit detail on page 4960 ping mpls l2circuit interface reply-mode on page 4961 When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code. Packets with an error code are not counted in the received packets count. They are accounted for separately.

Sample Output ping mpls l2circuit interface

user@host> ping mpls l2circuit interface so-1/0/0.1 Request for seq 1, to interface 69, labels , packet size 100 Reply for seq 1, return code: Egress-ok, time: 0.439 ms

ping mpls l2circuit virtual-circuit detail

user@host> ping mpls l2circuit virtual-circuit 200 neighbor 10.255.245.122/32 detail Request for seq 1, to interface 68, labels , packet size 100 Reply for seq 1, return code: Egress-ok time: 0.539 ms

4960



ping mpls l2circuit interface reply-mode

user@host> ping mpls l2circuit interface lt-1/2/0.21 reply-mode application-level-control-channel !!!!! --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss


4961

®


ping mpls l2vpn Syntax

Release Information

Description

Options

ping mpls l2vpn (instance instance-name local-site-id local-site-id-number remote-site-id remote-site-id-number | interface interface-name) reply-mode (application-level-control-channel | ip-udp | no-reply)

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. The size and sweep options were introduced in Junos OS Release 9.6. The reply-mode option and its suboptions are introduced in Junos OS Release 10.4R1. Check the operability of MPLS Layer 2 virtual private network (VPN) connections. Type Ctrl+c to interrupt a ping mpls l2vpn command. bottom-label-ttl—(Optional) Display the time-to-live value for the bottom label in the

label stack. count count—(Optional) Number of ping requests to send. If count is not specified, five ping


for the ping echo requests. The address can be anything within the 127/8 subnet. detail—(Optional) Display detailed information about the echo requests sent and received. exp forwarding-class—(Optional) Value of the forwarding class for the MPLS ping packets. instance instance-name local-site-id local-site-id-number remote-site-id remote-site-id-number—Ping a combination of the Layer 2 VPN routing instance

name, the local site identifier, and the remote site identifier, testing the integrity of the Layer 2 VPN circuit (specified by the identifiers) between the ingress and egress provider edge (PE) routers or switches. interface interface-name—Ping an interface configured for the Layer 2 VPN on the egress

PE router or switch. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on the specified logical system. reply-mode—(Optional) Reply mode for the ping request. This option has the following

suboptions: application-level-control-channel—Reply using an application level control channel.

4962



ip-udp—Reply using an IPv4 or IPv6 UDP packet. no-reply—Do not reply to the ping request.

The reply-mode option and its suboptions application-level-control-channel, ip-udp, and no-reply are also available in Junos OS Release 10.2R4 and 10.3R2. size bytes—(Optional) Size of the label-switched path (LSP) ping request packet (96

through 65468 bytes). Packets are 4-byte aligned. For example, If you enter a size of 97, 98, 99, or 100, the router or switch uses a size value of 100 bytes. If you enter a packet size that is smaller than the minimum size, an error message is displayed reminding you of the 96-byte minimum. source source-address—(Optional) IP address of the outgoing interface. This address is


(MTU). Additional Information



Output Fields

network

ping mpls l2vpn instance on page 4963 ping mpls l2vpn instance detail on page 4963 ping mpls l2vpn interface reply-mode on page 4964 When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code these packets are not counted in the received packets count. They are accounted for separately.

Sample Output ping mpls l2vpn instance

user@host> ping mpls l2vpn instance vpn1 remote-site-id 1 local-site-id 2 !!!!! --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss

ping mpls l2vpn instance detail

user@host> ping mpls l2vpn instance vpn1 remote-site-id 1 local-site-id 2 detail Request for seq 1, to interface 68, labels Reply for seq 1, return code: Egress-ok Request for seq 2, to interface 68, labels


4963

®


Reply for seq 2, return code: Egress-ok Request for seq 3, to interface 68, labels Reply for seq 3, return code: Egress-ok Request for seq 4, to interface 68, labels Reply for seq 4, return code: Egress-ok Request for seq 5, to interface 68, labels Reply for seq 5, return code: Egress-ok --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss

ping mpls l2vpn interface reply-mode

4964

user@host> ping mpls l2vpn interface lt-1/2/0.21 reply-mode ip-udp !!!!! --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss



ping mpls l3vpn Syntax

Release Information

Description

Options

ping mpls l3vpn prefix prefix-name

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. The size and sweep options were introduced in Junos OS Release 9.6. Check the operability of a MPLS Layer 3 virtual private network (VPN) connection. Type Ctrl+c to interrupt a ping mpls l3vpn command. bottom-label-ttl—(Optional) Display the time-to-live value for the bottom label in the

label stack. count count—(Optional) Number of ping requests to send. If count is not specified, five

ping requests are sent. The range of values is 1 through 1,000,000. The default value is 5. destination address—(Optional) Specify an address other than the default (127.0.0.1/32)

for the ping echo requests. The address can be anything within the 127/8 subnet. detail—(Optional) Display detailed information about the echo requests sent and received. exp forwarding-class—(Optional) Value of the forwarding class for the MPLS ping packets. l3vpn-name—(Optional) Layer 3 VPN name. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on the specified logical system. prefix prefix-name—Ping to test whether a prefix is present in a provider edge (PE) router’s

or switch's VPN routing and forwarding (VRF) table, by means of a Layer 3 VPN destination prefix. This option does not test the connection between a PE router or switch and a customer edge (CE) router or switch. size bytes—(Optional) Size of the label-switched path (LSP) ping request packet (96

through 65468 bytes). Packets are 4-byte aligned. For example, If you enter a size of 97, 98, 99, or 100, the router or switch uses a size value of 100 bytes. If you enter a packet size that is smaller than the minimum size, an error message is displayed reminding you of the 96-byte minimum.


4965

®


source source-address—(Optional) IP address of the outgoing interface. This address is





Output Fields

network

ping mpls l3vpn on page 4966 ping mpls l3vpn detail on page 4966 When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code these packets are not counted in the received packets count. They are accounted for separately.

Sample Output ping mpls l3vpn

ping mpls l3vpn detail

4966

user@host> ping mpls l3vpn vpn1 prefix 10.255.245.122/32 !!!!! --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss user@host> ping mpls l3vpn vpn1 prefix 10.255.245.122/32 detail Request for seq 1, to interface 68, labels Reply for seq 1, return code: Egress-ok Request for seq 2, to interface 68, labels Reply for seq 2, return code: Egress-ok Request for seq 3, to interface 68, labels Reply for seq 3, return code: Egress-ok Request for seq 4, to interface 68, labels Reply for seq 4, return code: Egress-ok Request for seq 5, to interface 68, labels Reply for seq 5, return code: Egress-ok --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss



ping mpls ldp Syntax

Release Information

Description

Options

ping mpls ldp fec

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. size and sweep options introduced in Junos OS Release 9.6. instance option introduced in Junos OS Release 10.0. p2mp, root-address, and lsp-id options introduced in Junos OS Release 11.2. Check the operability of MPLS LDP-signaled label-switched path (LSP) connections. Type Ctrl+c to interrupt a ping mpls command. count count—(Optional) Number of ping requests to send. If count is not specified, five ping


for the ping echo requests. The address can be anything within the 127/8 subnet. detail—(Optional) Display detailed information about the echo requests sent and received. exp forwarding-class—(Optional) Value of the forwarding class for the MPLS ping packets. fec—Ping an LDP-signaled LSP using the forwarding equivalence class (FEC) prefix and

length. instance routing-instance-name—(Optional) Allows you to ping a combination of the

routing instance and forwarding equivalence class (FEC) associated with an LSP. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on the specified logical system. p2mp root-addr ip-address lsp-id identifier—(Optional) Ping the end points of a

point-to-multipoint LSP. Enter the IP address of the point-to-multipoint LSP root and the ID number of the point-to-multipoint LSP. size bytes—(Optional) Size of the LSP ping request packet (88 through 65468 bytes).

Packets are 4-byte aligned. For example, If you enter a size of 89, 90, 91, or 92, the router or switch uses a size value of 92 bytes. If you enter a packet size that is smaller than the minimum size, an error message is displayed reminding you of the 88-byte minimum.


4967

®


source source-address—(Optional) IP address of the outgoing interface. This address is



If the LSP changes, the label and interface information displayed when you issued the ping command continues to be used. You must configure MPLS at the [edit protocols mpls] hierarchy level on the remote router or switch to ping an LSP terminating there. You must configure MPLS even if you intend to ping only LDP forwarding equivalence classes (FECs). You can configure the ping interval for the ping mpls ldp command by specifying a new time in seconds using the lsp-ping-interval statement at the [edit protocols ldp oam] hierarchy level. For more information, see the Junos OS MPLS Applications Configuration Guide. In asymmetric MTU scenarios, the echo response may be dropped. For example, if the MTU from System A to System B is 1000 bytes, the MTU from System B to System A is 500 bytes, and the ping request packet size is 1000 bytes, the echo response is dropped because the PAD TLV is included in the echo response, making it too large.


Output Fields

network

ping mpls ldp fec count on page 4968 ping mpls ldp p2mp root-addr lsp-id on page 4968 When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code. Packets with error codes are not counted in the received packets count. They are accounted for separately.

Sample Output ping mpls ldp fec count

ping mpls ldp p2mp root-addr lsp-id

4968

user@host> ping mpls ldp 10.255.245.222 count 10 !!!xxx...x--- lsping statistics ---10 packets transmitted, 3 packets received, 70% packet loss 4 packets received with error status, not counted as received. user@host>ping mpls ldp p2mp root-addr 10.1.1.1/32 lsp-id 1 count 1 Request for seq 1, to interface 71, no label stack. Request for seq 1, to interface 70, label 299786 Reply for seq 1, egress 10.1.1.3, return code: Egress-ok, time: 18.936 ms Local transmit time: 2009-01-12 03:50:03 PST 407.281 ms Remote receive time: 2009-01-12 03:50:03 PST 426.217 ms Reply for seq 1, egress 10.1.1.4, return code: Egress-ok, time: 18.936 ms Local transmit time: 2009-01-12 03:50:03 PST 407.281 ms Remote receive time: 2009-01-12 03:50:03 PST 426.217 ms Reply for seq 1, egress 10.1.1.5, return code: Egress-ok, time: 18.936 ms



Local transmit time: 2009-01-12 03:50:03 PST 407.281 ms Remote receive time: 2009-01-12 03:50:03 PST 426.217 ms


4969

®


ping mpls lsp-end-point Syntax

Release Information

Description

Options

ping mpls lsp-end-point prefix-name

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. The size and sweep options were introduced in Junos OS Release 9.6. The instance option was introduced in Junos OS Release 10.0. Check the operability of MPLS label-switched path (LSP) endpoint connections. Type Ctrl+c to interrupt a ping mpls command. count count—(Optional) Number of ping requests to send. If count is not specified, five ping


for the ping echo requests. The address can be anything within the 127/8 subnet. detail—(Optional) Display detailed information about the echo requests sent and received. exp forwarding-class—(Optional) Value of the forwarding class for the MPLS ping packets. instance routing-instance-name—(Optional) Ping a combination of the routing instance

and forwarding equivalence class (FEC) associated with an LSP connection. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on the specified logical system. prefix-name—LDP forwarding equivalence class (FEC) prefix or RSVP LSP endpoint

address. size bytes—(Optional) Size of the LSP ping request packet. If the endpoint is LDP-based,

the minimum size of the packet is 88 bytes. If the endpoint is RSVP-based, the minimum size of the packet is 100 bytes. The maximum size in either case is 65468 bytes. source source-address—(Optional) IP address of the outgoing interface. This address is


(MTU).

4970




If the LSP changes, the label and interface information displayed when you issued the ping command continues to be used. You must configure MPLS at the [edit protocols mpls] hierarchy level on the remote router or switch to ping an LSP terminating there. You must configure MPLS even if you intend to ping only LDP forwarding equivalence classes (FECs). In asymmetric MTU scenarios, the echo response may be dropped. For example, if the MTU from System A to System B is 1000 bytes, the MTU from System B to System A is 500 bytes, and the ping request packet size is 1000 bytes, the echo response is dropped because the PAD TLV is included in the echo response, making it too large.


network

ping mpls lsp-end-point detail on page 4971 When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code these packets are not counted in the received packets count. They are accounted for separately.

Sample Output ping mpls lsp-end-point detail

user@host> ping mpls lsp-end-point 10.255.245.119 detail Route to end point address is via LDP FEC Request for seq 1, to interface 67, label 100032 Reply for seq 1, return code: Egress-ok Request for seq 2, to interface 67, label 100032 Reply for seq 2, return code: Egress-ok Request for seq 3, to interface 67, label 100032 Reply for seq 3, return code: Egress-ok Request for seq 4, to interface 67, label 100032 Reply for seq 4, return code: Egress-ok Request for seq 5, to interface 67, label 100032 Reply for seq 5, return code: Egress-ok --- lsping statistics --5 packets transmitted, 5 packets received, 0% packet loss


4971

®


ping mpls rsvp Syntax

ping mpls rsvp

Release Information

Command introduced before Junos OS Release 7.4. The egress and multipoint options were introduced in Junos OS Release 9.2. The size and sweep options were introduced in Junos OS Release 9.6. The dynamic-bypass and manual-bypass options were introduced in Junos OS Release 10.2.

Description

Check the operability of MPLS RSVP-signaled label-switched path (LSP) connections. Type Ctrl+c to interrupt a ping mpls command.

Options

count count—(Optional) Number of ping requests to send. If count is not specified, five ping


for the ping echo requests. The address can be anything within the 127/8 subnet. detail—(Optional) Display detailed information about the echo requests sent and received.

NOTE: When using the detail option, the reported time is based on the system time configured on the local and remote routers. Differences in these system times can result in inaccurate one way ping trip times being reported. In practice, it is difficult to synchronize the system times of independent Juniper Networks routers with sufficient accuracy to provide a meaningful time value for the detail option (even when synchronized using NTP).

dynamic-bypass—(Optional) Ping dynamically generated bypass LSPs, used for protecting

other LSPs.

4972



egress egress-address—(Optional) Only the specified egress router or switch responds

to the ping request. exp forwarding-class—(Optional) Value of the forwarding class for the MPLS ping packets. interface—(Optional) Specify the name of the interface protected by the manual bypass

LSP. This option is only available when you have also used the manual-bypass option. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on the specified logical system. lsp-name—Ping an RSVP-signaled LSP using an LSP name. manual-bypass—(Optional) Ping manually configured bypass LSPs, used for protecting

other LSPs. For this option, you must also specify the interface protected by the manual bypass LSP using the interface option. multipoint—(Optional) Send ping requests to each of the egress routers or switches

participating in a point-to-multipoint LSP. You can also include the egress option to ping a specific egress router or switch participating in a point-to-multipoint LSP. size bytes—(Optional) Size of the LSP ping request packet (100 through 65468 bytes).

Packets are 4-byte aligned. For example, if you enter a size of 101, 102, 103, or 104, the router or switch uses a size value of 104 bytes. If you enter a packet size that is smaller than the minimum size, an error message is displayed reminding you of the 100-byte minimum. source source-address—(Optional) IP address of the outgoing interface. This address is

sent in the IP source address field of the ping request. If this option is not specified, the default address is usually the loopback interface. standby standby-path-name—(Optional) Name of the standby path. sweep —(Optional) Automatically determine the size of the maximum transmission unit


If the LSP changes, the label and interface information displayed when you issued the ping command continues to be used. You must configure MPLS at the [edit protocols mpls] hierarchy level on the remote router or switch to ping an LSP terminating there. You must configure MPLS even if you intend to ping only LDP forwarding equivalence classes (FECs). In asymmetric MTU scenarios, the echo response may be dropped. For example, if the MTU from System A to System B is 1000 bytes, the MTU from System B to System A is 500 bytes, and the ping request packet size is 1000 bytes, the echo response is dropped because the PAD TLV is included in the echo response, making it too large.


network

ping mpls rsvp (Echo Reply Received) on page 4974 ping mpls rsvp (Echo Reply with Error Code) on page 4974


4973

®


ping mpls rsvp detail on page 4974 ping mpls rsvp multipoint egress detail count on page 4974 ping mpls rsvp multipoint detail count on page 4974 ping mpls rsvp destination detail count size on page 4975 ping mpls rsvp destination detail sweep size on page 4975 Output Fields

When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code these packets are not counted in the received packets count. They are accounted for separately.

Sample Output ping mpls rsvp (Echo Reply Received)

ping mpls rsvp (Echo Reply with Error Code)

ping mpls rsvp detail

ping mpls rsvp multipoint egress detail count

user@host> ping mpls rsvp test1 !!!!!--- lsping statistics ---5 packets transmitted, 5 packets received, 0% packet loss user@host> ping mpls rsvp test2 !!xxx--- lsping statistics ---5 packets transmitted, 2 packets received, 60% packet loss3 packets received with error status, not counted as received. user@host> ping mpls rsvp to-green detail Request for seq 1, to interface 67, labels Reply for seq 1, return code: Egress-ok Request for seq 2, to interface 67, labels Reply for seq 2, return code: Egress-ok user@host>ping mpls rsvp sample-lsp multipoint egress 192.168.1.3 detail count 1 Request for seq 1, to interface 70, label 299952 Request for seq 1, to interface 70, no label stack. Request for seq 1, to interface 67, no label stack. Reply for seq 1, egress 192.168.1.3, return code: Egress-ok, time: 0.242 ms Local transmit time: 1205310695s 215737us Remote receive time: 1205310695s 215979us --- lsping, egress 192.168.1.3 statistics --1 packets transmitted, 1 packets received, 0% packet loss

ping mpls rsvp multipoint detail count

user@host>ping mpls rsvp sample-lsp multipoint detail count 1 Request for seq 1, to interface 70, label 299952 Request for seq 1, to interface 70, no label stack. Request for seq 1, to interface 67, no label stack. Reply for seq 1, return code: Unknown TLV, time: 9.877 ms Local transmit time: 1205310615s 347317us Remote receive time: 1205310615s 357194us Reply for seq 1, egress 192.168.1.3, return code: Egress-ok, time: 0.351 ms Local transmit time: 1205310615s 347262us Remote receive time: 1205310615s 347613us Reply for seq 1, egress 192.168.1.13, return code: Egress-ok, time: 0.301 ms Local transmit time: 1205310615s 347167us Remote receive time: 1205310615s 347468us Timeout for seq 1, egress 192.168.1.1 Timeout for seq 1, egress 192.168.1.4 Timeout for seq 1, egress 192.168.1.14

4974



--- lsping, egress 192.168.1.1 statistics --1 packets transmitted, 0 packets received, 100% packet loss --- lsping, egress 192.168.1.3 statistics --1 packets transmitted, 1 packets received, 0% packet loss --- lsping, egress 192.168.1.4 statistics --1 packets transmitted, 0 packets received, 100% packet loss --- lsping, egress 192.168.1.13 statistics --1 packets transmitted, 1 packets received, 0% packet loss --- lsping, egress 192.168.1.14 statistics --1 packets transmitted, 0 packets received, 100% packet loss

ping mpls rsvp destination detail count size

user@host>ping mpls rsvp chaser-access destination 192.168.0.1 detail count 1 size 4468 Request for seq 1, to interface 88, label 299984, packet size 4468 Reply for seq 1, return code: Egress-ok, time: 44.804 ms Local transmit time: 2009-03-30 22:05:02 CEST 408.629 ms Remote receive time: 2009-03-30 22:05:02 CEST 453.433 ms --- lsping statistics --1 packets transmitted, 1 packets received, 0% packet loss

ping mpls rsvp destination detail sweep size

user@router> ping mpls rsvp chaser-access destination 192.168.0.1 detail sweep size 4500 Request for seq 1, to interface 86, no label stack., packet size 100 Reply for seq 1, return code: Egress-ok, time: -39.264 ms Local transmit time: 2009-04-24 14:05:40 CEST 541.423 ms Remote receive time: 2009-04-24 14:05:40 CEST 502.159 ms Request for seq 2, to interface 86, no label stack., packet size 2300 Reply for seq 2, return code: Egress-ok, time: -38.179 ms Local transmit time: 2009-04-24 14:05:41 CEST 544.240 ms Remote receive time: 2009-04-24 14:05:41 CEST 506.061 ms Request for seq 3, to interface 86, no label stack., packet size 4500 Timeout for seq 3 Request for seq 4, to interface 86, no label stack., packet size 3400 Reply for seq 4, return code: Egress-ok, time: -37.545 ms Local transmit time: 2009-04-24 14:05:45 CEST 549.953 ms Remote receive time: 2009-04-24 14:05:45 CEST 512.408 ms Request for seq 5, to interface 86, no label stack., packet size 3952 Reply for seq 5, return code: Egress-ok, time: -37.176 ms Local transmit time: 2009-04-24 14:05:46 CEST 555.881 ms Remote receive time: 2009-04-24 14:05:46 CEST 518.705 ms Request for seq 6, to interface 86, no label stack., packet size 4228 Reply for seq 6, return code: Egress-ok, time: -36.962 ms Local transmit time: 2009-04-24 14:05:47 CEST 561.809 ms Remote receive time: 2009-04-24 14:05:47 CEST 524.847 ms Request for seq 7, to interface 86, no label stack., packet size 4368 Reply for seq 7, return code: Egress-ok, time: -36.922 ms Local transmit time: 2009-04-24 14:05:48 CEST 568.738 ms Remote receive time: 2009-04-24 14:05:48 CEST 531.816 ms Request for seq 8, to interface 86, no label stack., packet size 4440 Reply for seq 8, return code: Egress-ok, time: -36.855 ms Local transmit time: 2009-04-24 14:05:49 CEST 575.669 ms Remote receive time: 2009-04-24 14:05:49 CEST 538.814 ms Request for seq 9, to interface 86, no label stack., packet size 4476 Timeout for seq 9 Request for seq 10, to interface 86, no label stack., packet size 4460 Reply for seq 10, return code: Egress-ok, time: -36.906 ms


4975

®


Local transmit time: 2009-04-24 14:05:53 CEST 584.382 ms Remote receive time: 2009-04-24 14:05:53 CEST 547.476 ms Request for seq 11, to interface 86, no label stack., packet size Timeout for seq 11 Request for seq 12, to interface 86, no label stack., packet size Timeout for seq 12 Request for seq 13, to interface 86, no label stack., packet size Reply for seq 13, return code: Egress-ok, time: -36.943 ms Local transmit time: 2009-04-24 14:06:00 CEST 594.884 ms Remote receive time: 2009-04-24 14:06:00 CEST 557.941 ms Request for seq 14, to interface 86, no label stack., packet size Timeout for seq 14 Request for seq 15, to interface 86, no label stack., packet size Timeout for seq 15

4480 4472 4468

4476 4472

--- lsp ping sweep result--Maximum Transmission Unit (MTU) is 4468 bytes

4976



request mpls lsp adjust-autobandwidth Syntax


Description

request mpls lsp adjust-autobandwidth request mpls lsp adjust-autobandwidth

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Manually trigger a bandwidth allocation adjustment for active label-switched paths (LSPs). Without running this command, the bandwidth adjustment is recomputed at a configurable interval. The default interval is 5 minutes. If you do not want to wait for the periodic adjustment (for example, during a software demonstration), this command is useful. During bandwidth allocation adjustment, the LSP stays up to enable the bandwidth to be changed without dropping any traffic. This functionality is often referred to as make-before-break.

Options

none—Manually trigger a bandwidth allocation adjustment for all active LSP paths. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name lsp-name—(Optional) Manually trigger a bandwidth allocation adjustment on the

specified LSP only. Additional Information



For this command to work properly, the following conditions must exist: •

Automatic bandwidth allocation must be enabled on the LSP. The parameters for adjustment interval and maximum average bandwidth are not reset after you issue the request mpls lsp adjust-autobandwidth command.

•

The difference between the adjusted bandwidth and the current LSP path bandwidth must be greater than the threshold limit.

maintenance

•

auto-bandwidth

•

Configuring Automatic Bandwidth Allocation for LSPs

request mpls lsp adjust-auto-bandwidth on page 4978 When you enter this command, you are provided feedback on the status of your request.


4977

®


Sample Output request mpls lsp adjust-auto-bandwidth

4978

user@host> request mpls lsp adjust-auto-bandwidth



show connections Syntax

show connections


show connections

Release Information

Description Options

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display information about the configured circuit cross-connect (CCC) connections. none—Display the standard level of output for all configured CCC connections. all—(Optional) Display all connections. brief | extensive—(Optional) Display the specified level of output. Use history to display

information about connection history. Use labels to display labels used for transmit and receive LSPs. Use status to display information about the connection and interface status. interface-switch—(Optional) Display interface switch connections only. lsp-switch—(Optional) Display LSP switch connections only. p2mp-receive-switch—(Optional) Display point-to-multipoint LSP to local interfaces

switch connections only. p2mp-transmit-switch—(Optional) Display local interface to point-to-multipoint LSP

switch connections only. remote-interface-switch—(Optional) Display remote interface switch connections only. down | up | up-down—(Optional) Display nonoperational, operational, or both kinds of

connections. history—(Optional) Display information about connection history.


4979

®


labels—(Optional) Display labels used for transmit and receive. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. name—(Optional) Display information about the specified connection only. status—(Optional) Display information about the connection and interface status.

Required Privilege Level Output Fields

view

Table 570 on page 4980 describes the output fields for the show connections command. Output fields are listed in the approximate order in which they appear.

Table 570: show connections Output Fields Field Name

Field Description

CCC and TCC connections [Link Monitoring On I Off]

Whether link monitoring is enabled: On or Off.

Legend for Status (St)

Connection or circuit status. See the output's legend for an explanation of the status field values.

Legend for connection types

Type of connection:

Legend for circuit types

4980

•

if-sw—Layer 2 switching cross-connect.

•

rmt-if—Remote interface switch. While graceful restart is in progress, rmt-if will display a state (St) of Restart.

•

lsp-sw—LSP stitching cross-connect. While graceful restart is in progress, lsp-sw will display a state (St) of Restart.

Type of circuits: •

intf—Interface circuit.

•

tlsp—Transmit LSP circuit.

•

rlsp—Receive LSP circuit.

Connection/Circuit

Name of the configured CCC connection.

Type

Type of connection.

St

State of the connection.

Time last up

Time that the connection or circuit last transitioned to the Up (operational) state.

# Up trans

Number of times that the connection or circuit has transitioned to the Up (operational) state.



Sample Output show connections

user@switch> show connections CCC and TCC connections [Link Monitoring On] Legend for status (St) Legend for connection types UN -- uninitialized if-sw: interface switching NP -- not present rmt-if: remote interface switching WE -- wrong encapsulation lsp-sw: LSP switching DS -- disabled Dn -- down Legend for circuit types -> -- only outbound conn is up intf -- interface show mpls lsp defaults MPLS-TE LSP Defaults LSP Holding Priority LSP Setup Priority Hop Limit

0 7 255



Bandwidth LSP Retry Timer

show mpls lsp descriptions

show mpls lsp detail

0 30 seconds

user@host> show mpls lsp descriptions Ingress LSP: 3 sessions To LSP name 10.0.0.195 to-sanjose 10.0.0.195 to-sanjose-other-desc Total 2 displayed, Up 2, Down 0

Description to-sanjose-desc other-desc

user@host> show mpls lsp detail Ingress LSP: 1 sessions 10.255.245.3 From: 10.255.245.5, State: Up, ActiveRoute: 1, LSPname: lsp-ec ActivePath: long-path (primary) LoadBalance: Random Autobandwidth MaxBW: 5Mbps AdjustTimer: 4800 secs AdjustThreshold: 1% Max AvgBW util: 0bps, Bandwidth Adjustment in 3383 second(s). Overflow limit: 5, Overflow sample count: 0 Encoding type: Packet, Switching type: Packet, GPID: IPv4 *Primary long-path State: Up SmartOptimizeTimer: 180 Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 5) 192.168.37.89 S 192.168.37.87 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt): 192.168.37.89 192.168.37.87 Total 1 displayed, Up 1, Down 0 Egress LSP: 0 sessions Total 0 displayed, Up 0, Down 0

show mpls lsp extensive

user@host> show mpls lsp extensive Ingress LSP: 1 sessions 50.0.0.1 From: 10.0.0.1, State: Up, ActiveRoute: 0, LSPname: test ActivePath: (primary) LSPtype: Static Configured LoadBalance: Random Encoding type: Packet, Switching type: Packet, GPID: IPv4 *Primary State: Up Priorities: 7 0 OptimizeTimer: 300 SmartOptimizeTimer: 180 Reoptimization in 255 second(s). Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2) 2.2.2.2 S 3.3.3.2 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID): 2.2.2.2 3.3.3.2 7 Aug 3 12:39:52.834 CSPF: computation result ignored, new path no benefit 6 5 4 3


Aug Aug Aug Aug

3 3 3 3

12:35:03.830 12:35:03.828 12:35:03.827 12:35:03.814

Selected as active path Record Route: 2.2.2.2 3.3.3.2 Up Originate Call

5015

®


2 Aug 3 12:35:03.814 CSPF: computation result accepted 2.2.2.2 3.3.3.2 1 Aug 3 12:34:34.921 CSPF failed: no route toward 50.0.0.1 Created: Tue Aug 3 12:34:34 2010 Total 1 displayed, Up 1, Down 0 Egress LSP: 0 sessions Total 0 displayed, Up 0, Down 0 Transit LSP: 0 sessions Total 0 displayed, Up 0, Down 0

show mpls lsp ingress extensive

user@host> show mpls lsp ingress extensive Ingress LSP: 1 sessions 50.0.0.1 From: 10.0.0.1, State: Up, ActiveRoute: 0, LSPname: test ActivePath: (primary) LSPtype: Static Configured LoadBalance: Random Encoding type: Packet, Switching type: Packet, GPID: IPv4 *Primary State: Up Priorities: 7 0 OptimizeTimer: 300 SmartOptimizeTimer: 180 Reoptimization in 240 second(s). Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 3) 1.1.1.2 S 4.4.4.1 S 5.5.5.2 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID): 1.1.1.2 4.4.4.1 5.5.5.2 17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3 times] 16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times] 15 Aug 3 12:54:36.678 Selected as active path 14 Aug 3 12:54:36.676 Record Route: 1.1.1.2 4.4.4.1 5.5.5.2 13 Aug 3 12:54:36.676 Up 12 Aug 3 12:54:33.924 Deselected as active 11 Aug 3 12:54:33.924 Originate Call 10 Aug 3 12:54:33.923 Clear Call 9 Aug 3 12:54:33.923 CSPF: computation result accepted 1.1.1.2 4.4.4.1 5.5.5.2 8 Aug 3 12:54:33.922 2.2.2.2: No Route toward dest 7 Aug 3 12:54:28.177 CSPF: computation result ignored, new path no benefit[4 times] 6 Aug 3 12:35:03.830 Selected as active path 5 Aug 3 12:35:03.828 Record Route: 2.2.2.2 3.3.3.2 4 Aug 3 12:35:03.827 Up 3 Aug 3 12:35:03.814 Originate Call 2 Aug 3 12:35:03.814 CSPF: computation result accepted 2.2.2.2 3.3.3.2 1 Aug 3 12:34:34.921 CSPF failed: no route toward 50.0.0.1 Created: Tue Aug 3 12:34:35 2010 Total 1 displayed, Up 1, Down 0

show mpls lsp p2mp

5016

user@host> show mpls lsp p2mp Ingress LSP: 2 sessions P2MP name: p2mp-lsp1, P2MP branch count: To From State Rt 10.255.245.51 10.255.245.50 Up 0 P2MP name: p2mp-lsp2, P2MP branch count: To From State Rt

1 ActivePath path1 1 ActivePath

P *

LSPname p2mp-branch-1

P

LSPname



10.255.245.51 10.255.245.50 Up Total 2 displayed, Up 2, Down 0

0 path1

*

p2mp-st-br1

Egress LSP: 0 sessions Total 0 displayed, Up 0, Down 0 Transit LSP: 0 sessions Total 0 displayed, Up 0, Down 0

show mpls lsp p2mp detail

user@host> show mpls lsp p2mp detail Ingress LSP: 2 sessions P2MP name: p2mp-lsp1, P2MP branch count: 1 10.255.245.51 From: 10.255.245.50, State: Up, ActiveRoute: 0, LSPname: p2mp-branch-1 ActivePath: path1 (primary) P2MP name: p2mp-lsp1 LoadBalance: Random Encoding type: Packet, Switching type: Packet, GPID: IPv4 *Primary path1 State: Up Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 25) 192.168.208.17 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt): 192.168.208.17 P2MP name: p2mp-lsp2, P2MP branch count: 1 10.255.245.51 From: 10.255.245.50, State: Up, ActiveRoute: 0, LSPname: p2mp-st-br1 ActivePath: path1 (primary) P2MP name: p2mp-lsp2 LoadBalance: Random Encoding type: Packet, Switching type: Packet, GPID: IPv4 *Primary path1 State: Up Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 25) 192.168.208.17 S Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt): 192.168.208.17 Total 2 displayed, Up 2, Down 0


5017

®


show mpls path Syntax


Description Options

show mpls path show mpls path

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display dynamic Multiprotocol Label Switching (MPLS) label-switched paths (LSPs). none—Display standard information about all MPLS LSPs. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. path-name—(Optional) Display information about the specified LSP only.


view

show mpls path on page 5018 Table 584 on page 5018 describes the output fields for the show mpls path command. Output fields are listed in the approximate order in which they appear.

Table 584: show mpls path Output Fields Field Name

Field Description

Path name

Information about ingress LSPs. Each path has one line of output.

Address

Addresses of the routing devices that form the LSP.

Strict/loose address

Whether the address is a configured as a strict or loose address.

Sample Output show mpls path

5018

user@host> show mpls path Path name Address p1 123.456.55.6 123.456.1.6 p2 191.456.1.4

Strict/loose address Strict Loose Strict



show route forwarding-table Syntax


Options

show route forwarding-table

Command introduced in Junos OS Release 9.5 for EX Series switches. Display the Routing Engine's forwarding table, including the network-layer prefixes and their next hops. This command is used to help verify that the routing protocol process has relayed the correction information to the forwarding table. The Routing Engine constructs and maintains one or more routing tables. From the routing tables, the Routing Engine derives a table of active routes, called the forwarding table. none—Display the routes in the forwarding table. detail | extensive | summary—(Optional) Display the specified level of output. ccc—(Optional) Display the specified circuit cross-connect interface name for entries to

match. destination —(Optional) Display the destination prefix. family family-name —(Optional) Display routing table entries for the specified family: ethernet-switching, inet, inet6, iso, mpls, vlan classification. label label —(Optional) Display route entries for the specified label name. matching ip_prefix —(Optional) Display route entries for the specified IP prefix. multicast—(Optional) Display route entries for multicast routes. vpn vpn —(Optional) Display route entries for the specified VPN.



view

•


•


•


show route forwarding-table on page 5021 show route forwarding-table summary on page 5022 show route forwarding-table extensive on page 5022


5019

®


show route forwarding-table ccc on page 5023 show route forwarding-table family on page 5024 show route forwarding-table label on page 5024 show route forwarding-table matching on page 5025 show route forwarding-table multicast on page 5025 Output Fields

Table 585 on page 5020 lists the output fields for the show route forwarding-table command. Output fields are listed in the approximate order in which they appear. Field names might be abbreviated (as shown in parentheses) when no level of output is specified or when the detail keyword is used instead of the extensive keyword.

Table 585: show route forwarding-table Output Fields Field Name

Field Description

Level of Output

Routing table

Name of the routing table (for example, inet, inet6, mpls).

All levels

Address family

Address family (for example, IP, IPv6, ISO, MPLS).

All levels

Destination


detail, extensive

Route Type (Type)

How the route was placed into the forwarding table. When the detail keyword is used, the route type might be abbreviated (as shown in parentheses):

All levels

•

cloned (clon)—(TCP or multicast only) Cloned route.

•

destination (dest)—Remote addresses directly reachable through an interface.

•

destination down (iddn)—Destination route for which the interface is

unreachable. •

interface cloned (ifcl)—Cloned route for which the interface is unreachable.

•

route down (ifdn)—Interface route for which the interface is unreachable.

•

ignore (ignr)—Ignore this route.

•

interface (intf)—Installed as a result of configuring an interface.

•

permanent (perm)—Routes installed by the kernel when the routing table is

initialized. •

user—Routes installed by the routing protocol process or as a result of the

configuration. Route reference (RtRef)

Number of routes to reference.

detail, extensive

Flags

Route type flags:

extensive

Nexthop

5020

•

none—No flags are enabled.

•

accounting—Route has accounting enabled.

•

cached—Cache route.

•

incoming-iface interface-number —Check against incoming interface.

•

prefix load balance—Load balancing is enabled for this prefix.

•

sent to PFE—Route has been sent to the Packet Forwarding Engine.

•

static—Static route.

IP address of the next hop to the destination.

detail, extensive



Table 585: show route forwarding-table Output Fields (continued) Field Name

Field Description

Level of Output

Next hop type (Type)

Next-hop type. When the detail keyword is used, the next-hop type might be abbreviated (as indicated in parentheses):

detail, extensive

•

broadcast (bcst)—Broadcast.

•

deny—Deny.

•

hold—Next hop is waiting to be resolved into a unicast or multicast type.

•

indexed (idxd)—Indexed next hop.

•

indirect (indr)—Indirect next hop.

•

local (locl)—Local address on an interface.

•

routed multicast (mcrt)—Regular multicast next hop

•

multicast (mcst)—Wire multicast next hop (limited to the LAN).

•

multicast discard (mdsc)—Multicast discard.

•

multicast group (mgrp) —Multicast group member.

•

receive (recv)—Receive.

•

reject (rjct) Discard. An ICMP unreachable message was sent.

•

resolve (rslv)—Resolving the next hop.

•

unicast (ucst)—Unicast.

•

unilist (ulst)—List of unicast next hops. A packet sent to this next hop goes

to any next hop in the list. Index

Software index of the next hop that is used to route the traffic for a given prefix.

detail, extensive none

Route interface-index

Logical interface index from which the route is learned. For example, for interface routes, this is the logical interface index of the route itself. For static routes, this field is zero. For routes learned through routing protocols, this is the logical interface index from which the route is learned.

extensive

Reference (NhRef)

Number of routes that refer to this next hop.

none detail, extensive

Next-hop interface (Netif)

Interface used to reach the next hop.

none detail, extensive

Alternate forward nh index

Index number of the alternate next hop interface. Seen with multicast option only.

extensive

Next-hop L3 Interface

The next hop layer 3 interface. This option can be expressed as a VLAN name and is only seen with the multicast option.

extensive

Next-hop L2 Interfaces

The next hop layer 2 interfaces. Seen with multicast option only.

extensive

Sample Output show route forwarding-table

user@switch> show route forwarding-table Routing table: default.inet Internet: Destination Type RtRef Next hop


Type Index NhRef Netif

5021

®


default default 0.0.0.0/32 2.2.2.0/24 2.2.2.0/32 2.2.2.1/32 2.2.2.2/32 2.2.2.2/32 2.2.2.255/32 3.3.3.0/24 3.3.3.0/32 3.3.3.1/32 3.3.3.1/32 3.3.3.2/32 3.3.3.255/32 4.4.4.0/24 8.8.8.8/32 9.9.9.9/32 10.10.10.10/32 10.93.8.0/21 10.93.8.0/32 10.93.13.238/32 10.93.13.238/32 10.93.15.254/32 10.93.15.255/32 14.14.14.0/24 14.14.14.0/32 14.14.14.2/32 14.14.14.2/32 14.14.14.2/32 14.14.14.255/32 224.0.0.0/4 224.0.0.1/32 224.0.0.5/32 255.255.255.255/32

user perm perm intf dest dest intf dest dest intf dest intf dest dest dest user user intf user intf dest intf dest dest dest ifdn iddn user intf iddn iddn perm perm user perm

2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0

0:12:f2:21:cf:0

2.2.2.0 0:21:59:cc:89:c0 2.2.2.2 2.2.2.2 2.2.2.255 3.3.3.0 3.3.3.1 3.3.3.1 0:21:59:cc:89:c1 3.3.3.255 3.3.3.2 3.3.3.2 9.9.9.9 3.3.3.2 10.93.8.0 10.93.13.238 10.93.13.238 0:12:f2:21:cf:0 10.93.15.255 14.14.14.0 14.14.14.2 14.14.14.2 14.14.14.255 224.0.0.1 224.0.0.5

show route forwarding-table summary

user@switch> show route forwarding-table summary

show route forwarding-table extensive

user@switch> show route forwarding-table summary

333 36 34 1309 1307 1320 1308 1308 1306 1313 1311 1312 1312 1321 1310 1321 1321 1280 1321 323 321 322 322 333 320 1319 1317 36 1318 1318 1316 35 31 31 32

5 2 1 1 1 1 2 2 1 1 1 2 2 24 1 24 24 1 24 1 1 2 2 5 1 1 1 2 2 2 1 1 3 3 1

me0.0

ae0.0 ae0.0 ae0.0

ae0.0 ae1.0 ae1.0

ae1.0 ae1.0 ae1.0 ae1.0 ae1.0 me0.0 me0.0

me0.0 me0.0 ge-0/0/25.0 ge-0/0/25.0

ge-0/0/25.0

Routing table: default.inet Internet: user: 6 routes perm: 5 routes intf: 8 routes dest: 12 routes ifdn: 1 routes iddn: 3 routes

Routing table: default.inet [Index 0] Internet: Destination: default Route type: user Route reference: 2 Flags: sent to PFE, rt nh decoupled Nexthop: 0:12:f2:21:cf:0 Next-hop type: unicast Next-hop interface: me0.0 Destination:

5022

ucst rjct dscd rslv recv ucst locl locl bcst rslv recv locl locl ucst bcst ucst ucst locl ucst rslv recv locl locl ucst bcst rslv recv rjct locl locl bcst mdsc mcst mcst bcst

Route interface-index: 0

Index: 333

Reference: 5

default



Route type: permanent Route reference: 0 Flags: none Next-hop type: reject Destination: 0.0.0.0/32 Route type: permanent Route reference: 0 Flags: sent to PFE Next-hop type: discard Destination: 2.2.2.0/24 Route type: interface Route reference: 0 Flags: sent to PFE Next-hop type: resolve Next-hop interface: ae0.0 Destination: 2.2.2.0/32 Route type: destination Route reference: 0 Flags: sent to PFE Nexthop: 2.2.2.0 Next-hop type: receive Next-hop interface: ae0.0 Destination: 2.2.2.1/32 Route type: destination Route reference: 0 Flags: sent to PFE Nexthop: 0:21:59:cc:89:c0 Next-hop type: unicast Next-hop interface: ae0.0 Destination: 2.2.2.2/32 Route type: interface Route reference: 0 Flags: sent to PFE Nexthop: 2.2.2.2 Next-hop type: local Destination: 2.2.2.2/32 Route type: destination Route reference: 0 Flags: none Nexthop: 2.2.2.2 Next-hop type: local Destination: 2.2.2.255/32 Route type: destination Route reference: 0 Flags: sent to PFE Nexthop: 2.2.2.255 Next-hop type: broadcast Next-hop interface: ae0.0

show route forwarding-table ccc

Route interface-index: 0 Index: 36

Reference: 2


Reference: 1


Reference: 1


Index: 1307

Reference: 1


Index: 1320

Reference: 1


Index: 1308

Reference: 2


Index: 1308

Reference: 2


Index: 1306

Reference: 1

user@switch> show route forwarding-table ccc ge-0/0/0.10 Routing table: default.mpls MPLS:


5023

®


Destination ge-0/0/0.10

show route forwarding-table family

show route forwarding-table label

Type RtRef Next hop (CCC) user 0 3.3.3.2

user@switch> show route forwarding-table family mpls Routing table: default.mpls MPLS: Destination Type RtRef default perm 0 0 user 0 1 user 0 2 user 0 299776 user 0 299792 user 0 299808 user 0 299824 user 0 299840 user 0 299856 user 0 299872 user 0 299888 user 0 299904 user 0 299920 user 0 299936 user 0 299952 user 0 299968 user 0 299984 user 0 300000 user 0 300016 user 0 300032 user 0 300048 user 0 300064 user 0 ge-0/0/0.1 (CCC) user 0 ge-0/0/0.2 (CCC) user 0 ge-0/0/0.3 (CCC) user 0 ge-0/0/0.4 (CCC) user 0 ge-0/0/0.5 (CCC) user 0 ge-0/0/0.7 (CCC) user 0 ge-0/0/0.8 (CCC) user 0 ge-0/0/0.9 (CCC) user 0 ge-0/0/0.10 (CCC) user 0 ge-0/0/0.11 (CCC) user 0 ge-0/0/0.12 (CCC) user 0 ge-0/0/0.13 (CCC) user 0 ge-0/0/0.14 (CCC) user 0 ge-0/0/0.15 (CCC) user 0 ge-0/0/0.16 (CCC) user 0 ge-0/0/0.17 (CCC) user 0 ge-0/0/0.18 (CCC) user 0 ge-0/0/0.19 (CCC) user 0 ge-0/0/0.20 (CCC) user 0

Next hop

3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2 3.3.3.2

Type Index NhRef Netif dscd 50 1 recv 49 3 recv 49 3 recv 49 3 Pop 1334 2 ge-0/0/0.10 Pop 1339 2 ge-0/0/0.14 Pop 1341 2 ge-0/0/0.2 Pop 1344 2 ge-0/0/0.11 Pop 1345 2 ge-0/0/0.13 Pop 1346 2 ge-0/0/0.18 Pop 1347 2 ge-0/0/0.16 Pop 1348 2 ge-0/0/0.7 Pop 1349 2 ge-0/0/0.20 Pop 1350 2 ge-0/0/0.19 Pop 1351 2 ge-0/0/0.17 Pop 1352 2 ge-0/0/0.9 Pop 1353 2 ge-0/0/0.1 Pop 1354 2 ge-0/0/0.12 Pop 1355 2 ge-0/0/0.8 Pop 1356 2 ge-0/0/0.4 Pop 1357 2 ge-0/0/0.5 Pop 1358 2 ge-0/0/0.3 Pop 1359 2 ge-0/0/0.15 Push 300064 1340 2 ae1.0 Push 299872 1328 2 ae1.0 Push 299792 1323 2 ae1.0 Push 300016 1337 2 ae1.0 Push 299824 1325 2 ae1.0 Push 299920 1331 2 ae1.0 Push 299840 1326 2 ae1.0 Push 299888 1329 2 ae1.0 Push 300112 1343 2 ae1.0 Push 299776 1322 2 ae1.0 Push 299952 1333 2 ae1.0 Push 300096 1342 2 ae1.0 Push 299984 1335 2 ae1.0 Push 299936 1332 2 ae1.0 Push 299808 1324 2 ae1.0 Push 300000 1336 2 ae1.0 Push 300032 1338 2 ae1.0 Push 299904 1330 2 ae1.0 Push 299856 1327 2 ae1.0

user@switch> show route forwarding-table label 29976 Routing table: default.mpls MPLS: Destination Type RtRef Next hop 299776 user 0

5024

Type Index NhRef Netif Push 300112 1343 2 ae1.0

Type Index NhRef Netif Pop 1334 2 ge-0/0/0.10



show route forwarding-table matching

user@switch> show route forwarding-table matching 3

show route forwarding-table multicast

user@switch> show route forwarding-table multicast

Routing table: default.inet Internet:

Routing table: default.inet Internet: Destination Type RtRef Next hop 224.0.0.0/4 perm 1 224.0.0.1/32 perm 0 224.0.0.1 224.0.0.5/32 user 1 224.0.0.5

Type Index NhRef Netif mdsc 35 1 mcst 31 3 mcst 31 3

Routing table: __master.anon__.inet Internet: Destination Type RtRef Next hop 224.0.0.0/4 perm 0 224.0.0.1/32 perm 0 224.0.0.1

Type Index NhRef Netif mdsc 1289 1 mcst 1285 1

Routing table: default.inet6 Internet6: Destination Type RtRef Next hop ff00::/8 perm 0 ff02::1/128 perm 0 ff02::1

Type Index NhRef Netif mdsc 43 1 mcst 39 1


5025

®


show rsvp interface Syntax


Release Information

Description

Options

show rsvp interface show rsvp interface

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display the status of Resource Reservation Protocol (RSVP)-enabled interfaces and packet statistics. none—Display standard information about the status of RSVP-enabled interfaces and

packet statistics. brief | detail | extensive | link-management—(Optional) Display the specified level of

output. link-management—(Optional) Use the link-management option to display the control

peers and corresponding TE-link information created by the Link Management Protocol (LMP). logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show rsvp interface brief on page 5029 show rsvp interface detail on page 5029 show rsvp interface extensive on page 5029 show rsvp interface link-management on page 5030 Table 586 on page 5026 lists the output fields for the show rsvp interface command. Output fields are listed in the approximate order in which they appear.

Table 586: show rsvp interface Output Fields Field Name

Field Description

Level of Output

RSVP interface

Number of interfaces on which RSVP is active. Each interface has one line of output.

All levels

Interface


All levels

Index

Index of the interface.

detail

5026



Table 586: show rsvp interface Output Fields (continued) Field Name

Field Description

Level of Output

State

State of the interface.

All levels

•

Disabled—No traffic engineering information is displayed.

•

Down—Interface is not operational.

•

Enabled—Displays traffic engineering information.

•

Up—Interface is operational.

NoAuthentication

Interface does not support RSVP authentication.

detail

NoAggregate

Interface does not support refresh reduction.

detail

NoReliable

Interface does not support refresh reduction message ID extension.

detail

NoLinkProtection

Interface does not support link protection.

detail

HelloInterval

Frequency at which RSVP hellos are sent on this interface (in seconds).

detail

Address

IP address of the local interface.

detail

Active control channel

Next-hop link address to transmit messages.

None specified

TElink

Traffic-engineered links that are managed by the peer they are associated with.

None specified

Active resv

Number of reservations that are actively reserving bandwidth on the interface.

All levels

PreemptionCnt

Number of times an RSVP session was preempted on this interface.

detail

Update threshold

Percentage change in reserved bandwidth to trigger an IGP update.

detail

Subscription

User-configured subscription factor.

All levels

bc number

Bandwidth allocated for the specified bandwidth constraint.

extensive

ct number

Bandwidth allocated for the specified class type.

extensive

Static BW

Total interface bandwidth, in bps.

All levels

Available BW

Amount of bandwidth that RSVP is allowed to reserve, in bps. It is equal to (static bandwidth * subscription factor).

al levels

Reserved BW

Currently reserved bandwidth, in bps.

All levels

SoftPreemptionCnt

Number of times a soft preemption occurred on this interface. This number is not included in the PreemptionCnt value.

detail

Overbooked BW

Currently overbooked bandwidth, in bps, by class type (ct0 through ct3).

detail


5027

®



Field Description

Level of Output

Highwater mark

Highest bandwidth that has ever been reserved on this interface, in bps.

brief

PacketType

Type of RSVP packet.

detail

Total Sent

Total number of packets sent.

detail

Total Received

Total number of packets received since RSVP was enabled.

detail

Last 5 seconds Sent

Number of packets sent in the last 5 seconds.

detail

Last 5 seconds Received

Number of packets received in the last 5 seconds.

detail

Path

Statistics about Path messages, which are sent from the RSVP sender along the data paths and store path state information in each node along the path.

detail

PathErr

Statistics about PathErr messages, which are advisory messages that are sent upstream to the sender.

detail

PathTear

Statistics about PathTear messages, which remove path states and dependent reservation states in any routers along a path.

detail

Resv

Statistics about Resv messages, which are sent from the RSVP receiver along the data paths and store reservation state information in each node along the path.

detail

ResvErr

Statistics about ResvErr messages, which are advisory messages that are sent when an attempt to establish a reservation fails.

detail

ResvTear

Statistics about ResvTear messages, which remove reservation states along a path.

detail

Hello

Number of RSVP hello packets that have been sent to and received from the neighbor.

detail

Ack

Acknowledge message for refresh reductions.

detail

Srefresh

Summary refresh messages.

detail

EndtoEnd RSVP

Statistics for the number of end-to-end RSVP messages sent.

detail

Queue

CoS transmit queue number and its associated forwarding class designation.

extensive

TxRate

Configured bandwidth in Mbps and configured bandwidth as a percentage of the specified queue.

extensive

Priority

Weight of the queue relative to other configured queues, in percentage.

extensive

5028




Field Description

Level of Output

queue-priority-value

Low, High, None, or Exact. None indicates no rate limiting. Exact indicates the

extensive

queue transmits at the configured rate only.

Sample Output show rsvp interface brief

user@host> show rsvp interface brief RSVP interface: 1 active Active Subscr- Static Interface State resv iption BW de0.0 Up 1 23% 10Mbps

Available Reserved BW BW 989.992kbps 1.31Mbps

Highwater mark 1.31Mbps

show rsvp interface detail

user@host> show rsvp interface detail so-0/1/1.0 Index 6, State: Ena/Up NoAuthentication, NoAggregate, NoReliable, NoLinkProtection HelloInterval 3(second) Address 192.168.207.29, 10.255.245.194 ActiveResv 0, PreemptionCnt 0, Update threshold 10% Subscription 100%, StaticBW 155.52Mbps, AvailableBW 155.52Mbps ReservedBW [0] 155Mbps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps SoftPreemptionCnt1 OverbookedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 155Mbps[5] 0bps[6] 0bps[7] 0bps PacketType Total Last 5 seconds Sent Received Sent Received Path 16 0 1 0 PathErr 0 0 0 0 PathTear 1 0 0 0 Resv 0 11 0 1 ResvErr 0 0 0 0 ResvTear 0 0 0 0 Hello 66 67 1 1 Ack 0 0 0 0 Srefresh 0 0 0 0 EndtoEnd RSVP 0 0 0 0 ...

show rsvp interface extensive

user@host> show rsvp interface extensive so-1/0/0.0 Index 72, State Ena/Up NoAuthentication, NoAggregate, NoReliable, NoLinkProtection HelloInterval 9(second) Address 192.168.213.22, 10.255.240.175 ActiveResv 1, PreemptionCnt 0, Update threshold 10% Subscription 100%, bc0 = (ct0+ct1+ct2+ct3), StaticBW 622.08Mbps bc1 = (ct1+ct2+ct3), StaticBW 466.56Mbps bc2 = (ct2+ct3), StaticBW 311.04Mbps bc3 = ct3, StaticBW 155.52Mbps ct0: StaticBW 155.52Mbps, AvailableBW 522.08Mbps ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps ct1: StaticBW 155.52Mbps, AvailableBW 366.56Mbps ReservedBW [0] 100Mbps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps ct2: StaticBW 155.52Mbps, AvailableBW 311.04Mbps ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps ct3: StaticBW 155.52Mbps, AvailableBW 155.52Mbps


5029

®


ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps Queue TxRate Priority Exact 0 155.52Mbps 25% Low 1 155.52Mbps 25% Low 2 155.52Mbps 25% Low 3 155.52Mbps 25% Low

show rsvp interface link-management

user@host> show rsvp interface link-management RSVP interface: 2 active PEER-C State: Up Active Control Channel: so-0/1/0.0 TElink: TElnk1, Link ID: 37811 ActiveResv 0, PreemptionCnt 0 StaticBW 155.52Mbps, ReservedBW: 0bps, AvailableBW: 155.52Mbps TElink: TElnk2, Link ID: 37808 ActiveResv 1, PreemptionCnt 0 StaticBW 155.52Mbps, ReservedBW: 0bps, AvailableBW: 155.52Mbps PEER-B State: Up Active Control Channel: so-1/0/0.0 TElink: TElnkAB1, Link ID: 1598 ActiveResv 0, PreemptionCnt 0 StaticBW 622.08Mbps, ReservedBW: 0bps, AvailableBW: 622.08Mbps TElink: TElnkAB2, Link ID: 1597 ActiveResv 0, PreemptionCnt 0 StaticBW 622.08Mbps, ReservedBW: 0bps, AvailableBW: 622.08Mbps

5030



show rsvp neighbor Syntax


Description

Options

show rsvp neighbor show rsvp neighbor

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display Resource Reservation Protocol (RSVP) neighbors that were discovered dynamically during the exchange of RSVP packets. none—Display standard information about RSVP neighbors. brief | detail—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show rsvp neighbor on page 5035 show rsvp neighbor detail on page 5035 Table 587 on page 5031 lists the output fields for the show rsvp neighbor command. Output fields are listed in the approximate order in which they appear.

Table 587: show rsvp neighbor Output Fields Field Name

Field Description

Level of Output

RSVP neighbor

Number of neighbors that the routing device has learned of. Each neighbor has one line of output.

All levels

via

Name of the interface where the neighbor has been detected. In the case of generalized MPLS (GMPLS) LSPs, the name of the peer where the neighbor has been detected.

detail

Address

Address of a learned neighbor.

All levels

Idle

Length of time the neighbor has been idle, in seconds.

All levels

Up/Dn

Number of neighbor up or down transitions detected by RSVP hello packets. If the up count is 1 greater than the down count, the neighbor is currently up. Otherwise, the neighbor is down. Neighbors that do not support RSVP hello packets, such as routers running Junos OS Release 3.2 or earlier, are not reported as up or down.

All levels


5031

®


Table 587: show rsvp neighbor Output Fields (continued) Field Name

Field Description

Level of Output

Up cnt and Down cnt

Number of neighbor up or down transitions detected by RSVP hello packets. If the up count is 1 greater than the down count, the neighbor is currently up. Otherwise, the neighbor is down. Neighbors that do not support RSVP hello packets, such as routers running Junos OS Release 3.2 or earlier, are not reported as up or down.

detail

status

State of the RSVP neighbor:

detail

•

Up—Routing device can detect RSVP Hello messages from the neighbor.

•

Down—Routing device has received one of the following indications:

•

•

Communication failure from the neighbor.

•

Communication from IGP that the neighbor is unavailable.

•

Change in the sequence numbers in the RSVP Hello messages sent by the neighbor.

Restarting—RSVP neighbor is unavailable and might be restarting. The

neighbor remains in this state until it has restarted or is declared dead. This state is possible only when graceful restart is enabled. •

Restarted—RSVP neighbor has restarted and is undergoing state recovery

(graceful restart) procedures. •

Dead—Routing device has lost all communication with the RSVP neighbor.

Any RSVP sessions with that neighbor are torn down. LastChange

Time elapsed since the neighbor state changed either from up to down or from down to up. The format is hh:mm:ss.

All levels

Last changed time

Time elapsed since the neighbor state changed either from up to down or from down to up.

detail

HelloInt

Frequency at which RSVP hellos are sent on this interface (in seconds).

All levels

HelloTx/Rx

Number of hello packets sent to and received from the neighbor.

All levels

Hello


detail

Message received

Number of Path and Resv messages that this routing device has received from the neighbor.

detail

Remote Instance

Identification provided by the remote routing device during Hello message exchange.

detail

Local Instance

Identification sent to the remote routing device during Hello message exchange.

detail

5032




Field Description

Level of Output

Refresh reduction

Measure of processing overhead requests of refresh messages. Refresh reduction extensions improve routing device performance by reducing the process overhead, thus increasing the number of LSPs a routing device can support. Refresh reduction can have the following values:

detail

•

operational—All four RSVP refresh reduction extensions—message ack,

bundling, summary refresh, and staged refresh timer—are functional between the two neighboring routing devices. For a detailed explanation of these extensions, see RFC 2961. •

incomplete—Some RSVP refresh reduction extensions are functional between

the two neighboring routing devices. •

no operational—Either the refresh reduction feature has been turned off, or

the remote routing device cannot support the refresh reduction extensions. Remote end

Neighboring routing device’s status with regard to refresh reduction: •

detail

enabled—Remote routing device has requested refresh reduction during RSVP

message exchanges. •

Ack-extension

disabled—Remote routing device does not require refresh reduction.

An RSVP refresh reduction extension: •

detail

enabled—Both local and remote routing devices support the ack-extension

(RFC 2961). •

Link protection

disabled—Remote routing device does not support the ack-extension.

Status of the MPLS fast reroute mechanism that protects traffic from link failure: •

detail

enabled—Link protection feature has been turned on, protecting the neighbor

with a bypass LSP. •

disabled—No link protection feature has been enabled for this neighbor.

LSP name

Name of the bypass LSP.

detail

Bypass LSP

Status of the bypass LSP. It can have the following values:

detail

•

does not exist—Bypass LSP is not available.

•

connecting—Routing device is in the process of establishing a bypass LSP,

and the LSP is not available for link protection at the moment. •

operational—Bypass LSP is up and running.

•

down—Bypass LSP has gone down, with the most probable cause a node or

a link failure on the bypass path. Backup routes

Number of user LSPs (or routes) that are being protected by a bypass LSP (before link failure).

detail

Backup LSPs

Number of LSPs that have been temporarily established to maintain traffic by refreshing the downstream LSPs during link failure (not a one-to-one correspondence).

detail

Bypass explicit route

Explicit route object's (ERO) path that is taken by the bypass LSP.

detail


5033

®



Field Description

Level of Output

Restart time

Length of time a neighbor waits to receive a Hello from the restarting node before declaring the node dead and deleting the states (in milliseconds).

detail

Recovery time

Length of time during which the restarting node attempts to recover its lost states with help from its neighbors (in milliseconds). Recovery time is advertised by the restarting node to its neighbors, and applies to nodal faults. The restarting node considers its graceful restart complete after this time has elapsed.

detail

5034



Sample Output show rsvp neighbor

user@host> show rsvp neighbor RSVP neighbor: 2 learned Address Idle Up/Dn LastChange HelloInt HelloTx/Rx 192.168.207.203 0 3/2 13:01 3 366/349 192.168.207.207 0 1/0 22:49 3 448/448

show rsvp neighbor detail

user@host> show rsvp neighbor detail RSVP neighbor: 2 learned Address: 192.168.207.203 via: ecstasyl status: Up Last changed time: 28:47, Idle: 0 sec, Up cnt: 3, Down cnt: 2 Message received: 632 Hello: sent 673, received 656, interval 3 sec Remote instance: 0x6432838a, Local instance: 0x74b72e36 Refresh reduction: operational Remote end: enabled, Ack-extension: enabled Link protection: enabled LSP name: Bypass_to_192.168.207.203 Bypass LSP: operational, Backup routes: 1, Backup LSPs: 0 Bypass explicit route: 192.168.207.207 192.168.207.224 Restart time: 60000 msec, Recovery time: 0 msec


5035

®


show rsvp session Syntax


show rsvp session

Command introduced in Junos OS Release 9.5 for EX Series switches. Display information about Resource Reservation Protocol (RSVP) sessions. none—Display standard information about all RSVP sessions. brief | detail | extensive | terse—(Optional) Display the specified level of output. bidirectional | unidirectional—(Optional) Display information about bidirectional or

unidirectional RSVP sessions only, respectively. down | up—(Optional) Display only LSPs that are inactive or active, respectively. interface interface-name—(Optional) Display RSVP sessions for the specified interface

only. lsp-type —(Optional) Display information about RSVP sessions with regard to LSPs: •

bypass—Sessions used for bypass LSPs.

•

lsp—Sessions used to set up LSPs.

•

nolsp—Sessions not used to set up LSPs.

name session-name—(Optional) Display information about the named session. session-type—(Optional) Display information about a particular session type: •

egress—Sessions that terminate on this switch.

•

ingress—Sessions that originate from this switch.

•

transit—Sessions that transit through this switch.

statistics—(Optional) Display packet statistics. te-link te-link—(Optional) Display sessions with reservations on the specified

traffic-engineered link name. Required Privilege Level

5036

view





Output Fields

•


•


•


•


•


show rsvp session on page 5039 show rsvp session statistics on page 5039 show rsvp session detail on page 5039 show rsvp session extensive on page 5039 Table 588 on page 5037 describes the output fields for the show rsvp session command. Output fields are listed in the approximate order in which they appear.

Table 588: show rsvp session Output Fields Field Name

Field Description

Level of Output

Ingress RSVP

Information about ingress RSVP sessions.

detail

Ingress RSVP

Information about ingress RSVP sessions. Each session has one line of output.

All levels

Egress RSVP

Information about egress RSVP sessions.

All levels

Transit RSVP

Information about the transit RSVP sessions.

All levels

To

Destination (egress switch) of the session.

All levels

From

Source (ingress switch) of the session.

All levels

State

State of the path: Up, Down, or AdminDn. AdminDn indicates that the LSP is being taken down gracefully.

All levels

Address

Destination (egress switch) of the LSP.

detail

LSPstate

State of the LSP that is being handled by this RSVP session. It can be either Up, Dn (down), or AdminDn. AdminDn indicates that the LSP is being taken down gracefully.

brief, detail

Rt

Number of active routes (prefixes) that have been installed in the routing table. For ingress RSVP sessions, the routing table is the primary IPv4 table (inet.0). For transit and egress RSVP sessions, the routing table is the primary MPLS table mpls.0).

brief

ActiveRoute

Number of active routes (prefixes) that have been installed in the forwarding table. For ingress RSVP sessions, the forwarding table is the primary IPv4 table (inet.0). For transit and egress RSVP sessions, the forwarding table is the primary MPLS table (mpls.0).

detail


5037

®


Table 588: show rsvp session Output Fields (continued) Field Name

Field Description

Level of Output

LSPname

Name of the LSP.

brief, detail

LSPpath

Indicates whether the RSVP session is for the primary or secondary LSP path. LSPpath can be either primary or secondary and can be displayed on the ingress, egress, and transit switches. LSPpath can also indicate when a graceful LSP deletion has been triggered.

detail

Recovery label received

(When LSP is bidirectional) Label the upstream node suggests for use in the Resv message that is sent.

detail

Recovery label sent

(When LSP is bidirectional) Label the downstream node suggests for use in its Resv messages that is returned.

detail

Suggested label received


detail

Suggested label sent

(When LSP is bidirectional) Label the downstream node suggests for use in its Resv message that is returned.

detail

Resv style or Style

RSVP reservation style. This field consists of two parts. The first is the number of active reservations. The second is the reservation style, which can be FF (fixed filter), SE (shared explicit), or WF (wildcard filter).

brief detail

Label in

Incoming label for this LSP.

brief, detail

Label out

Outgoing label for this LSP.

brief, detail

Time left

Number of seconds remaining in the lifetime of the reservation.

brief, detail

Since

Date and time when the RSVP session was initiated.

detail

Tspec

Sender's traffic specification, which describes the sender's traffic parameters.

detail

Port number

Protocol ID and sender/receiver port used in this RSVP session.

detail

Creating backup LSP, link down

A link down event occurred, and traffic is being switched over to the bypass LSP.

extensive

Deleting backup LSP, protected LSP restored

Link has come back up and the LSP has been restored. Because the backup LSP is no longer needed, it is deleted.

extensive

PATH rcvfrom

Address of the previous-hop (upstream) switch or client, interface the neighbor used to reach this switch, and number of packets received from the upstream neighbor.

detail

5038



Sample Output show rsvp session

user@switch> show rsvp session Ingress RSVP: 1 sessions To From State Rt Style Labelin Labelout LSPname 10.255.245.214 10.255.245.212 AdminDn 0 1 FF 22293 LSP Bidir Total 1 displayed, Up 1, Down 0 Egress RSVP: 2 sessions To From State Rt Style Labelin Labelout LSPname 10.255.245.194 10.255.245.195 Up 0 1 FF 39811 - Gpro3-ba Bidir 10.255.245.194 10.255.245.195 Up 0 1 FF 3 - pro3-ba Total 2 displayed, Up 2, Down 0 Transit RSVP: 1 sessions To From State Rt Style Labelin Labelout LSPname 10.255.245.198 10.255.245.197 Up 0 1 SE 100000 3 pro3-de Total 1 displayed, Up 1, Down 0

show rsvp session statistics

user@switch> show rsvp session statistics Ingress RSVP: 2 sessions To From State 10.255.245.24 10.255.245.22 Up 10.255.245.24 10.255.245.22 Up Total 2 displayed, Up 2, Down 0 Egress RSVP: 2 sessions To From State 10.255.245.22 10.255.245.24 Up 10.255.245.22 10.255.245.24 Up Total 2 displayed, Up 2, Down 0 Transit RSVP: 0 sessions Total 0 displayed, Up 0, Down 0

Packets 0 44868

Bytes 0 2333136

LSPname pro3-bd pro3-bd-2

Packets 0 0

Bytes 0 0

LSPname pro3-db pro3-db-2

show rsvp session detail

user@switch> show rsvp session detail Ingress RSVP: 1 sessions 1.1.1.1 From: 2.2.2.2, LSPstate: Up, ActiveRoute: 0 LSPname: to-a, LSPpath: Primary Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 3 Resv style: 1 FF, Label in: -, Label out: 3 Time left: -, Since: Fri Mar 26 18:42:42 2004 Tspec: rate 300kbps size 300kbps peak Infbps m 20 M 1500 DiffServ info: diffServ-TE LSP, bandwidth: Port number: sender 1 receiver 15876 protocol 0 PATH rcvfrom: localclient Adspec: sent MTU 1500 PATH sentto: 192.168.37.16 (t1-0/2/1.0) 1 pkt

show rsvp session extensive

user@switch> show rsvp session extensive 8.8.8.8 From: 9.9.9.9, LSPstate: Up, ActiveRoute: 0 LSPname: lsp_to_240, LSPpath: Primary Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 322832 Resv style: 1 FF, Label in: -, Label out: 322832 Time left: -, Since: Thu Feb 26 16:25:39 2009


5039

®


Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500 Port number: sender 2 receiver 44542 protocol 0 PATH rcvfrom: localclient Adspec: sent MTU 1500 Path MTU: received 1500 PATH sentto: 3.3.3.2 (xe-0/1/0.0) 238 pkts RESV rcvfrom: 3.3.3.2 (xe-0/1/0.0) 234 pkts Explct route: 3.3.3.2 4.4.4.2

5040



show rsvp session Syntax


Release Information

Description Options

show rsvp session show rsvp session

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display information about Resource Reservation Protocol (RSVP) sessions. none—Display standard information about all RSVP sessions. brief | detail | extensive | terse—(Optional) Display the specified level of output. bidirectional | unidirectional—(Optional) Display information about bidirectional or

unidirectional RSVP sessions only, respectively. bypass—(Optional) Display RSVP sessions for bypass LSPs. down | up—(Optional) Display only LSPs that are inactive or active, respectively. interface interface-name—(Optional) Display RSVP sessions for the specified interface


systems or on a particular logical system. lsp-type—(Optional) Display information about RSVP sessions with regard to LSPs: •


bypass—Sessions used for bypass LSPs.

5041

®


•

lsp—Sessions used to set up LSPs.

•

nolsp—Sessions not used to set up LSPs.

name session-name—(Optional) Display information about the named session. p2mp—(Optional) Display point-to-multipoint information. session-type—(Optional) Display information about a particular session type: •

egress—Sessions that terminate on this routing device.

•

ingress—Sessions that originate from this routing device.

•

transit—Sessions that transit through this routing device.

statistics—(Optional) Display packet statistics. te-link te-link—(Optional) Display sessions with reservations on the specified TE link.


Output Fields

view

•

clear rsvp session on page 4956

show rsvp session on page 5046 show rsvp session statistics on page 5046 show rsvp session detail on page 5046 show rsvp session detail (Path MTU Output Field) on page 5047 show rsvp session detail (GMPLS) on page 5047 show rsvp session extensive on page 5047 show rsvp session p2mp (Ingress Router) on page 5048 show rsvp session p2mp (Transit Router) on page 5048 Table 589 on page 5042 describes the output fields for the show rsvp session command. Output fields are listed in the approximate order in which they appear.

Table 589: show rsvp session Output Fields Field Name

Field Description

Level of Output

Ingress RSVP

Information about ingress RSVP sessions.

detail

Ingress RSVP

Information about ingress RSVP sessions. Each session has one line of output.

All levels

Egress RSVP

Information about egress RSVP sessions.

All levels

Transit RSVP

Information about the transit RSVP sessions.

All levels

P2MP name

(Appears only when the p2mp option is specified). Name of the point-to-multipoint LSP path.

All levels

5042




Field Description

Level of Output

P2MP branch count

(Appears only when the p2mp option is specified). Number of LSPs receiving packets from the point-to-multipoint LSP.

All levels

To

Destination (egress routing device) of the session.

All levels

From

Source (ingress routing device) of the session.

All levels

State

State of the path: Up, Down, or AdminDn. AdminDn indicates that the LSP is being taken down gracefully.

All levels

Address

Destination (egress routing device) of the LSP.

detail

From

Source (ingress routing device) of the session.

detail

LSPstate

State of the LSP that is being handled by this RSVP session. It can be either Up, Dn (down), or AdminDn. AdminDn indicates that the LSP is being taken down gracefully.

brief detail

Rt

Number of active routes (prefixes) that have been installed in the routing table. For ingress RSVP sessions, the routing table is the primary IPv4 table (inet.0). For transit and egress RSVP sessions, the routing table is the primary MPLS table mpls.0).

brief

Active Route

Number of active routes (prefixes) that have been installed in the forwarding table. For ingress RSVP sessions, the forwarding table is the primary IPv4 table (inet.0). For transit and egress RSVP sessions, the forwarding table is the primary MPLS table (mpls.0).

detail

LSPname

Name of the LSP.

brief detail

LSPpath

Indicates whether the RSVP session is for the primary or secondary LSP path. LSPpath can be either primary or secondary and can be displayed on the ingress, egress, and transit routing devices. LSPpath can also indicate when a graceful LSP deletion has been triggered.

detail

Bypass

(Egress routing device) Destination address for the bypass LSP.

detail

Bidir

(When LSP is bidirectional) LSP will allow data to travel in both directions between GMPLS devices.

detail

Bidirectional

(When LSP is bidirectional) LSP will allow data to travel both ways between GMPLS devices.

detail

Upstream label in

(When LSP is bidirectional) Incoming label for reverse direction traffic for this LSP.

detail

Upstream label out

(When LSP is bidirectional) Outgoing label for reverse direction traffic for this LSP.

detail


5043

®



Field Description

Level of Output

Recovery label received


detail

Recovery label sent

(When LSP is bidirectional) Label the downstream node suggests for use in its Resv messages that is returned.

detail

Suggested label received


detail

Suggested label sent

(When LSP is bidirectional) Label the downstream node suggests for use in its Resv message that is returned.

detail

Resv style or Style

RSVP reservation style. This field consists of two parts. The first is the number of active reservations. The second is the reservation style, which can be FF (fixed filter), SE (shared explicit), or WF (wildcard filter).

brief detail

Label in

Incoming label for this LSP.

brief detail

Label out

Outgoing label for this LSP.

brief detail

Time left

Number of seconds remaining in the lifetime of the reservation.

brief detail

Since

Date and time when the RSVP session was initiated.

detail

Tspec

Sender's traffic specification, which describes the sender's traffic parameters.

detail

DiffServ info

Indicates whether the LSP is a multiclass LSP (multiclass diffServ-TE LSP) or a Differentiated-Services-aware traffic engineering LSP (diffServ-TE LSP).

detail

bandwidth

Bandwidth for each class type (ct0, ct1, ct2, or ct3).

detail

Port number

Protocol ID and sender/receiver port used in this RSVP session.

detail

FastReroute desired

Fast reroute has been requested by the ingress routing device.

detail

Soft preemption desired

Soft preemption has been requested by the ingress routing device.

detail

FastReroute desired

(Data [not a bypass or backup] LSP when the protection scheme has been requested) Fast reroute (one-to-one backup) has been requested by the ingress routing device.

detail extensive

Link protection desired

(Data [not a bypass or backup] LSP when the protection scheme has been requested) Link protection (many-to-one backup) has been requested by the ingress routing device.

detail extensive

5044




Field Description

Level of Output

Node/Link protection desired

(Data [not a bypass or backup] LSP when the protection scheme has been requested) Node and link protection (many-to-one backup) has been requested by the ingress routing device.

detail extensive

Type

LSP type:

detail extensive

•

Link protected LSP—LSP has been protected by link protection at the outgoing interface. The name of the bypass used is also listed here (extensive).

•

Node/Link protected LSP—LSP has been protected by node and link protection

at the outgoing interface. The name of the bypass used is also listed here (extensive). •

Protection down—LSP is not currently protected.

•

Bypass LSP—LSP that is used to protected one or more user LSPs in case of

link failure. •

Backup LSP at Point-of-Local-Repair (PLR)—LSP that has been temporarily

established to protected a user LSP at the ingress of a failed link. •

Backup LSP at Merge Point (MP)—LSP that has been temporarily established

to protected a user LSP at the egress of a failed link. New bypass

New bypass (the bypass name is also displayed) has been activated to protect the LSP.

extensive

Link protection up, using bypass-name

Link protection (the bypass name is also displayed) has been activated for the LSP.

extensive

Creating backup LSP, link down

A link down event occurred, and traffic is being switched over to the bypass LSP.

extensive

Deleting backup LSP, protected LSP restored

Link has come back up and the LSP has been restored. Because the backup LSP is no longer needed, it is deleted.

extensive

Path mtu

Displays the value of the path MTU received from the network (through signaling) and the value used for forwarding. This value is only displayed on ingress routing devices with the allow-fragmentation statement configured at the [edit protocols mpls path-mtu] hierarchy level. If there is a detour LSP, the path MTU for the detour is also displayed.

detail

PATH rcvfrom

Address of the previous-hop (upstream) routing device or client, interface the neighbor used to reach this routing device, and number of packets received from the upstream neighbor.

detail

Adspec

MTU signaled from the ingress routing device to the egress routing device by means of the adspec object.

detail

PATH sentto

Address of the next-hop (downstream) routing device or client, interface used to reach this neighbor (or peer-name in the GMPLS LSP case), and number of packets sent to the downstream routing device.

detail


5045

®



Field Description

Level of Output

Explct route

Explicit route for the session. Normally this value will be the same as that of record route. Differences indicate that path rerouting has occurred, typically during fast reroute.

detail

Record route

Recorded route for the session, taken from the record route object. Normally this value will be the same as that of explct route. Differences indicate that path rerouting has occurred, typically during fast reroute.

detail

Sample Output show rsvp session

user@host> show rsvp session Ingress RSVP: 1 sessions To From State Rt Style Labelin Labelout LSPname 10.255.245.214 10.255.245.212 AdminDn 0 1 FF 22293 LSP Bidir Total 1 displayed, Up 1, Down 0 Egress RSVP: 2 sessions To From State Rt Style Labelin Labelout LSPname 10.255.245.194 10.255.245.195 Up 0 1 FF 39811 - Gpro3-ba Bidir 10.255.245.194 10.255.245.195 Up 0 1 FF 3 - pro3-ba Total 2 displayed, Up 2, Down 0 Transit RSVP: 1 sessions To From State Rt Style Labelin Labelout LSPname 10.255.245.198 10.255.245.197 Up 0 1 SE 100000 3 pro3-de Total 1 displayed, Up 1, Down 0

show rsvp session statistics

show rsvp session detail

5046

user@host> show rsvp session statistics Ingress RSVP: 2 sessions To From State 10.255.245.24 10.255.245.22 Up 10.255.245.24 10.255.245.22 Up Total 2 displayed, Up 2, Down 0 Egress RSVP: 2 sessions To From State 10.255.245.22 10.255.245.24 Up 10.255.245.22 10.255.245.24 Up Total 2 displayed, Up 2, Down 0 Transit RSVP: 0 sessions Total 0 displayed, Up 0, Down 0

Packets 0 44868

Bytes 0 2333136

LSPname pro3-bd pro3-bd-2

Packets 0 0

Bytes 0 0

LSPname pro3-db pro3-db-2

user@host> show rsvp session detail Ingress RSVP: 1 sessions 1.1.1.1 From: 2.2.2.2, LSPstate: Up, ActiveRoute: 0 LSPname: to-a, LSPpath: Primary Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 3 Resv style: 1 FF, Label in: -, Label out: 3 Time left: -, Since: Fri Mar 26 18:42:42 2004 Tspec: rate 300kbps size 300kbps peak Infbps m 20 M 1500 DiffServ info: diffServ-TE LSP, bandwidth: Port number: sender 1 receiver 15876 protocol 0 PATH rcvfrom: localclient



Adspec: sent MTU 1500 PATH sentto: 192.168.37.16 (t1-0/2/1.0) 1 pkt

show rsvp session detail (Path MTU Output Field)

user@host> show rsvp session detail Ingress RSVP: 1 sessions 10.255.245.3 From: 10.255.245.5, LSPstate: Up, ActiveRoute: 3 LSPname: to-c, LSPpath: Primary Suggested label received: -, Suggested label sent: Recovery label received: -, Recovery label sent: 100432 Resv style: 1 FF, Label in: -, Label out: 100432 Time left: -, Since: Mon Aug 16 17:54:40 2006 Tspec: rate 0bps size 0bps peak Infbps m 20 M 9192 Port number: sender 1 receiver 57843 protocol 0 FastReroute desired PATH rcvfrom: localclient Adspec: sent MTU 4470 Path mtu: received 4470, using 4458 for forwarding PATH sentto: 192.168.37.89 (so-0/2/3.0) 11 pkts RESV rcvfrom: 192.168.37.89 (so-0/2/3.0) 10 pkts Explct route: 192.168.37.89 Record route: 192.168.37.89 192.168.37.87 Detour is Up Detour Tspec: rate 0bps size 0bps peak Infbps m 20 M 9192 Detour adspec: sent MTU 1512 Path mtu: received 1512, using 1500 for forwarding

show rsvp session detail (GMPLS)

user@host> show rsvp session detail Ingress RSVP: 1 sessions 192.168.4.1 From: 192.168.1.1, LSPstate: Dn, ActiveRoute: 0 LSPname: gmpls-r1–to-r3, LSPpath: Primary Bidirectional, Upstream label in: 21253, Upstream label out: — Suggested label received: -, Suggested label sent: 21253 Recovery label received: -, Recovery label sent: — Resv style: 0 —, Label in: -, Label out: — Time left: -, Since: Mon Aug 16 17:54:40 2006 Tspec: rate 0bps size 0bps peak 155.52Mbps m 20 M 1500 Port number: sender 2 receiver 46115 protocol 0 PATH rcvfrom: localclient Adspec: sent MTU 1500 PATH MTU: received 0 PATH sentto: 10.35.1.5 (so-0/2/3.0) 11 pkts Explct route: 100.100.100.100 93.93.93.93 Record route: 100.100.100.100 93.93.93.93 Total 1 displayed, Up 0, Down 1 Egress RSVP: 0 sessions Total 0 displayed, Up 0, Down 0 Transit RSVP: 0 sessions Total 0 displayed, Up 0, Down 0

show rsvp session extensive

user@host> show rsvp session extensive 10.255.245.13 From: 10.255.245.48, LSPstate: Up, ActiveRoute: 0 .... Link protection desired Type: Link protected LSP, using p2 11 Feb 6 15:24:16 Backup LSP: Call was cleared by RSVP 10 Feb 6 15:24:16 Backup LSP: Session preempted 9 Feb 6 15:24:16 Deleting backup LSP, protected LSP restored


5047

®


8 7 6 5 4 3 2 1

show rsvp session p2mp (Ingress Router)

Feb Feb Feb Feb Feb Feb Feb Feb

6 6 6 6 6 6 6 6

15:23:22 15:23:22 15:23:19 15:23:19 12:36:03 12:35:56 12:35:47 12:35:39

Backup LSP: Up 192.168.208.117(Label=3) Backup LSP: Record Route: 192.168.208.117(Label=3) Backup LSP: Explicit Route: wrong delivery Creating backup LSP, link down Link protection up, using p2 New bypass p2 Bypass state down, p1[2 times] New bypass p1

user@host> show rsvp session p2mp Ingress RSVP: 3 sessions P2MP name: test, P2MP branch count: 1 To From State 10.255.10.95 10.255.10.2 Up P2MP name: test2, P2MP branch count: 2 To From State 10.255.10.23 10.255.10.2 Up 10.255.10.16 10.255.10.2 Up Total 3 displayed, Up 3, Down 0

Rt Style Labelin Labelout LSPname 0 1 SE 3 to-pe1 Rt Style Labelin Labelout LSPname 0 1 SE 299776 to-pe3 0 1 SE 299776 to-pe4

Egress RSVP: 0 sessions Total 0 displayed, Up 0, Down 0 Transit RSVP: 0 sessions Total 0 displayed, Up 0, Down 0

show rsvp session p2mp (Transit Router)

user@host> show rsvp session p2mp Ingress RSVP: 1 sessions P2MP name: test, P2MP branch count: 1 To From State 10.255.10.23 10.255.10.95 Up Total 1 displayed, Up 1, Down 0 Egress RSVP: 1 sessions P2MP name: test, P2MP branch count: 1 To From State 10.255.10.95 10.255.10.2 Up Total 1 displayed, Up 1, Down 0 Transit RSVP: 2 sessions P2MP name: test2, P2MP branch count: 2 To From State 10.255.10.23 10.255.10.2 Up 10.255.10.16 10.255.10.2 Up Total 2 displayed, Up 2, Down 0

5048

Rt Style Labelin 0 1 SE -

Labelout LSPname 299792 to-pe2

Rt Style Labelin Labelout 0 1 SE 3 -

LSPname to-pe1

Rt Style Labelin Labelout 0 1 SE 299776 299808 0 1 SE 299776 299856

LSPname to-pe3 to-pe4



show rsvp statistics Syntax


Description Options

show rsvp statistics show rsvp statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display Resource Reservation Protocol (RSVP) packet and error statistics. none—Display RSVP packet and error statistics. logical-system (all |logical-system-name)—(Optional) Perform this operation on all logical


view

•

clear rsvp statistics on page 4958

show rsvp statistics on page 5051 Table 590 on page 5049 describes the output fields for the show rsvp statistics command. Output fields are listed in the approximate order in which they appear.

Table 590: show rsvp statistics Output Fields Field Name

Field Description

Packet Type

Statistics about different RSVP messages.

Total Sent

Total number of packets sent since RSVP was enabled.

Total Received

Total number of packets received since RSVP was enabled.

Last 5 seconds Sent

Total number of packets sent in the last 5 seconds.

Last 5 seconds Received

Number of packets received in the last 5 seconds.

Path

Statistics about Path messages, which are sent from the RSVP sender along the data paths and which store path state information in each node along the path.

PathErr

Statistics about PathErr messages, which are advisory messages that are sent upstream to the sender.

PathTear

Statistics about PathTear messages, which remove path states and dependent reservation states in any routing devices along a path.


5049

®


Table 590: show rsvp statistics Output Fields (continued) Field Name

Field Description

Resv FF

Statistics about fixed-filter reservation style messages, which consist of distinct reservations among explicit senders.

Resv WF

Statistics about wildcard-filter reservation style messages, which consist of shared reservations among wildcard senders.

Res SE

Statistics about shared-explicit reservation style messages, which consist of shared reservations among explicit senders.

ResvErr

Statistics about ResvErr messages, which are advisory messages that are sent when an attempt to establish a reservation fails.

ResvTear

Statistics about ResvTear messages, which remove reservation states along a path.

ResvConf

Statistics about ResvConfirm messages, which are responses to confirm a reservation request.

Ack

Acknowledge message for refresh reductions.

SRefresh

Summary refresh messages.

Hello


EndtoEnd RSVP

Statistics for the number of End-to-end RSVP messages.

Errors

Statistics about errored RSVP packets.

Rcv pkt bad length

The packet was not processed because its length is inappropriate.

Rcv pkt unknown type

The packet is not one of the well-known RSVP types, as defined in RFC 2205, Resource ReSerVation Protocol (RSVP).

Rcv pkt bad version

The packet is not an RSVP version 1 packet.

Rcv pkt auth fail

The packet failed authentication checks.

Rcv pkt bad checksum

The RSVP checksum check failed.

Rcv pkt bad format

General packet processing failed because the packet was badly formed.

Memory allocation fail

An internal resource failure occurred.

No path information

A reservation was received, but no sender is active.

Resv style conflict

The same session contains inconsistent reservation styles.

Port conflict

There were inconsistent port numbers for the same session.

Resv no interface

An interface for the receive reservation packets cannot be located.

5050



Table 590: show rsvp statistics Output Fields (continued) Field Name

Field Description

PathErr to client

Number of PathErr packets delivered to the local client.

ResvErr to client

Number of ResvErr packets delivered to the local client.

Path timeout

Number of times the sender timed out because the path was removed.

Resv timeout

Number of times the receiver timed out because the reservation was removed.

Message out-of-order

Records the number of RSVP incoming messages that are considered out of order. This is detected from the message ID object’s sequence number.

Unknown ack msg

A neighboring routing device replies with an ACK object that contains an unknown message ID. This can indicate a message ID handshake problem. For example, a router receives an ACK for message IDs 1, 2, and 3. However, it only has state for message IDs 1 and 3. The router increments the unknown ack counter by 1.

Recv nack

If a neighboring router receives an unknown message ID in an RSVP refresh message, the router sends a Resv nack message back to the sender. This can happen if that neighbor has been rebooted. For this case, the router sends a regular RSVP refresh message to recover the state and start the message-ID handshake process again.

Recv duplicated msg-id

Number of times the same message ID is used by two different RSVP messages. This duplication is usually caused when a neighboring routing device restarts.

No TE-link to recv Hop

Counter of packets discarded because a TE link was not found.

Rcv pkt disabled interface

Number of RSVP packets received on an interface that is not enabled for RSVP.

Transmit buffer full

Number of times the buffer for assembling an outgoing RSVP message was not large enough.

Transmit failure

Number of times the RSVP task failed to send out a packet.

Receive failure

Number of times the RSVP task failed to read an incoming packet.

P2MP RESV discarded by appl

Number of Resv messages discarded because the MPLS label is not valid for the P2MP LSP application.

Rate limit

Number of RSVP packets dropped due to rate limiting.

Err msg loop detected

Number of RSVP error messages that have looped back to their originator. This is detected by checking the error node address in the ERROR_SPEC object.

Sample Output show rsvp statistics

user@host> show rsvp statistics PacketType Total Sent Received Path 355 408


Last 5 seconds Received 0 0

Sent

5051

®


PathErr PathTear Resv FF Resv WF Resv SE ResvErr ResvTear ResvConf Ack SRefresh Hello EndtoEnd RSVP

2 101 0 0 419 0 0 0 682 395198 578809 0

Errors Rcv pkt bad length Rcv pkt unknown type Rcv pkt bad version Rcv pkt auth fail Rcv pkt bad checksum Rcv pkt bad format Memory allocation fail No path information Resv style conflict Port conflict Resv no interface PathErr to client ResvErr to client Path timeout Resv timeout Message out-of-order Unknown ack msg Recv nack Recv duplicated msg-id No TE-link to recv Hop Rcv pkt disabled interface Transmit buffer full Transmit failure Receive failure P2MP RESV discarded by appl Rate limit Err msg loop detected

5052

13 139 0 0 225 0 13 0 1414 236030 578221 0 Total 0 0 0 0 0 0 0 10 0 0 0 38 0 8 57 0 2978 86 5 0 0 0 0 0 0 306 0

0 0 0 0 0 0 0 0 0 5 4 0

0 0 0 0 0 0 0 0 0 2 4 0 Last 5 seconds 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0



show rsvp version Syntax


Description

Options

show rsvp version show rsvp version

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display information about the Resource Reservation Protocol (RSVP) protocol settings, such as the version of the RSVP software, the refresh timer and keep multiplier, and local RSVP graceful restart capabilities on a routing device. none—Display RSVP protocol settings. logical-system (all |logical-system-name)—(Optional) Perform this operation on all logical


view

show rsvp version on page 5054 Table 591 on page 5053 describes the output fields for the show rsvp version command. Output fields are listed in the approximate order in which they appear.

Table 591: show rsvp version Output Fields Field Name

Field Description

Resource ReSerVation Protocol, version

RSVP software version.

RSVP protocol

Status of RSVP: Enabled or Disabled.

R(refresh timer)

Configured time interval used to generate periodic RSVP messages.

K(keep multiplier)

Number of RSVP messages that can be lost before an RSVP state is declared stale.

Preemption

Currently configured preemption capability: Aggressive, Disabled, or Normal. The default is Normal.

Soft-preemption cleanup

Time, in seconds, that an LSP is kept after it has been soft preempted. This is a global property of the RSVP protocol.

Graceful deleting timeout

Currently configured value for the graceful-deletion-timeout statement. The router that initiates the graceful deletion procedure for an RSVP session waits for the graceful deletion timeout interval to ensure that all routers along the path (especially the ingress and egress routers) have prepared for the LSP to be taken down.


5053

®


Table 591: show rsvp version Output Fields (continued) Field Name

Field Description

NSR Mode

Status of the nonstop active routing feature for RSVP on the restarting device: Disabled, Enabled/Master, or Enabled/Standby.

NSR State

State of the nonstop active routing feature for RSVP on the restarting device. Possible values are: •

Idle

•

TE-link sync complete

•

Neighbor sync complete

•

Path state sync complete

•

Resv state sync complete

•

Bypass sync complete

•

Init sync complete

Graceful restart

Status of the graceful restart feature for RSVP on the restarting routing device: Enabled or Disabled.

Restart helper mode

Status of the helper mode feature: Enabled or Disabled. When this feature is enabled, the restarting routing device can help the neighbor with its RSVP restart procedures.

Maximum helper restart time

Number of milliseconds (ms) configured for the maximum helper restart time. The maximum helper restart time is the length of time the routing device waits before declaring that an RSVP neighbor attempting to restart gracefully is down.

Maximum helper recovery time

Number of milliseconds configured for the maximum helper recovery time. The maximum helper recovery time is the amount of time the routing device maintains the state of an RSVP neighbor attempting to restart gracefully.

Restart time

Number of milliseconds that a neighbor waits to receive a Hello message from the restarting node before declaring the node dead and deleting the states.

Recovery time

Number of milliseconds during which the restarting node attempts to recover its lost states with help from its neighbors. Recovery time is advertised by the restarting node to its neighbors, and applies to nodal faults. The restarting node considers its graceful restart complete after this time has elapsed.

Sample Output show rsvp version

5054

user@host> show rsvp version Resource ReSerVation Protocol, version 1. rfc2205 RSVP protocol: Enabled R(refresh timer): 30 seconds K(keep multiplier): 3 Preemption: Normal Soft-preemption cleanup: 30 seconds Graceful deletion timeout: 30 seconds Graceful restart: Disabled Restart helper mode: Enabled Maximum helper restart time: 20000 msec Maximum helper recovery time: 180000 msec Restart time: 0 msec




5055

®


show ted database Syntax


Release Information

Description

Options

show ted database show ted database

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display the entries in the Multiprotocol Label Switching (MPLS) traffic engineering database. none—Display standard information about all entries in the traffic engineering database. brief | detail | extensive—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. system-name—(Optional) Display traffic engineering database information for a particular

system. Required Privilege Level List of Sample Output

Output Fields

view

show ted database brief on page 5058 show ted database detail system-name on page 5059 show ted database extensive on page 5059 Table 592 on page 5056 describes the output fields for the show ted database command. Output fields are listed in the approximate order in which they appear.

Table 592: show ted database Output Fields Field Name

Field Description

Level of Output

TED database

Number of nodes and pseudonodes participating in IS-IS and OSPF domain routing.

All levels

ID

Hostname and address of the node that the link is coming from. An address of .00 indicates that the node is the routing device itself. An address in the range 0.01 through 0.FF indicates that the node is a pseudonode. If the node contains a router ID, it is displayed in parentheses.

brief

NodeID

Hostname and address of the node that the link is coming from. An address of .00 indicates that the node is the routing device itself. An address in the range 0.01 through 0.FF indicates that the node is a pseudonode.

extensive

5056



Table 592: show ted database Output Fields (continued) Field Name

Field Description

Level of Output

Type

Type of node. It can be either Rtr (router) or Net (pseudonode).

All levels

Age(s)

How long since the node was last refreshed, in seconds.

All levels

LnkIn

Number of nodes pointing toward this node.

All levels

LnkOut

Number of nodes to which this node points.

All levels

Protocol

Protocol that reported the node information:

All levels

•

IS-IS(1)—IS-IS Level 1.

•


•

OSPF (area-number)—OSPF from the specified area.

To

Address on the far end of a link.

detail extensive

Local

Address of the local interface being used to reach the remote node.

detail extensive

Remote

Address of the interface on the remote node.

detail extensive

Metric

Configured traffic engineering metric.

extensive

Static BW

Total interface bandwidth in bps.

extensive

Reservable bandwidth

Subscription factor for the interface, which is the percentage of the link bandwidth that can be used for the RSVP reservation process. You configure this by including the subscription statement when configuring RSVP.

extensive

Available BW [priority]

(Must include diffserv-te statement when configuring LSPs) Amount of bandwidth actually reserved by RSVP for each priority level. The bandwidth shown is for the entire interface, not for each individual LSP.

extensive

Diffserv-TE BW Model

Bandwidth constraint model used by the LSPs.

extensive

Available BW [TE-class]

(Must include the diffserv-te statement when configuring LSPs) Amount of bandwidth actually reserved by RSVP for each traffic engineering class.

extensive

Static BW [CT-class]

Total interface bandwidth used by an MPLS traffic class, in bps.

extensive


5057

®


Table 592: show ted database Output Fields (continued) Field Name

Field Description

Level of Output

Interface Switching Capability Descriptor (n)

Information about the interface switching capability descriptor, which is a subtype length value (TLV) of the link TLV. n is the index number.

extensive

•

•

•

Switching type—Type of switching to be performed on a particular link: •

PSC-1—Packet switch-capable 1

•


•


•


•

L2SC—Layer-2-switch-capable

•

TDM—Time-division-multiplexing-capable

•

LSC—Lambda switch-capable

•

FSC—Fiber switch-capable

Encoding type—Encoding of the LSP being requested: •

Packet

•

Ethernet

•

ANSI/ETSI PDH

•

Reserved

•

SDH /SONET

•

Digital Wrapper

•

Lambda (photonic)

•

Fiber

•

FiberSDH/SONET

Maximum LSP BW [priority] bps—Maximum LSP bandwidth information.

Amount of bandwidth actually reserved for each priority level. The bandwidth shown is for the entire interface.

•

•

[n]—Priority level. The range is from 0 (high) through 7 (low).

•

n Mbps—Amount of the maximum bandwidth.

Minimum LSP BW—Minimum LSP bandwidth in Mbps. Amount of bandwidth

actually reserved for each priority level. The bandwidth shown is for the entire interface. Minimum LSP BW is displayed only when switching type is PSC-1 or TDM. •

Interface MTU—Displayed only when switching type is TDM.

•

Interface supports standard SONET/SDH—Displayed only when switching type is TDM.

Sample Output show ted database brief

5058

user@host> show ted database brief TED database: 6 ISIS nodes 6 INET nodes ID Type Age(s) LnkIn LnkOut Protocol cheviot.00(123.456.1.10) Rtr 383 1 1 IS-IS(2) IS-IS(1) corriedale.00(123.456.1.11) Rtr 36 2 0 IS-IS(2) IS-IS(1) wolff.00(123.456.1.12) Rtr 399 0 0 IS-IS(2) IS-IS(1) perendale.00(123.456.1.13) Rtr 385 2 0 IS-IS(2) IS-IS(1)



merino.00(123.456.1.14) romney.00(123.456.1.15)

show ted database detail system-name

Rtr Rtr

379 427

1 0

3 IS-IS(2) IS-IS(1) 2 IS-IS(2) IS-IS(1)

user@host> show ted database detail merino TED database: 6 ISIS nodes 6 INET nodes NodeID: merino.00(123.456.1.14) Type: Rtr, Age: 507 secs, LinkIn: 1, LinkOut: 3 Protocol: IS-IS(2) To: corriedale.00(123.456.1.11), Local: 123.456.8.206, Remote: 123.456.8.207 To: perendale.00(123.456.1.13), Local: 123.456.8.204, Remote: 123.456.8.205 To: cheviot.00(123.456.1.10), Local: 123.456.10.65, Remote: 123.456.10.66 Protocol: IS-IS(1) To: corriedale.00(123.456.1.11), Local: 123.456.8.206, Remote: 123.456.8.207 To: perendale.00(123.456.1.13), Local: 123.456.8.204, Remote: 123.456.8.205 To: cheviot.00(123.456.1.10), Local: 123.456.10.65, Remote: 123.456.10.66

show ted database extensive

user@host> show ted database extensive TED database: 0 ISIS nodes 2 INET nodes NodeID: 10.255.245.196 Type: Rtr, Age: 46 secs, LinkIn: 1, LinkOut: 1 Protocol: OSPF(0.0.0.0) To: 10.255.245.24, Local: 4.4.4.4, Remote: 5.5.5.5 Metric: 1 Static BW: 155.52Mbps Reservable BW: 155.52Mbps Available BW [TE-class] bps: [te0] 155.52Mbps [te1] 155.52Mbps [te2] 155.52Mbps [te4] 155.52Mbps

[te5] 155.52Mbps

[te3] 155.52Mbps

[te6] 155.52Mbps

[te7] 155.52Mbps

Diffserv-TE BW model: Maximum allocation model Static BW [CT-class] bps: [ct0] 155.52Mbps [ct1] 155.52Mbps [ct2] 155.52Mbps

[ct3] 155.52Mbps

Interface Switching Capability Descriptor(1): Switching type: PSC-1 Encoding type: SDH/SONET Maximum LSP BW [priority] bps: [0] 155.52Mbps [1] 155.52Mbps [2] 155.52Mbps [4] 155.52Mbps [5] 155.52Mbps [6] 155.52Mbps Minimum LSP BW: 155.52Mbps Interface MTU: 1285 Interface Switching Capability Descriptor(2): Switching type: TDM Encoding type: SDH/SONET Maximum LSP BW [priority] bps: [0] 155.52Mbps [1] 155.52Mbps [2] 155.52Mbps [4] 155.52Mbps [5] 155.52Mbps [6] 155.52Mbps Minimum LSP BW: 155.52Mbps Interface supports standard SONET/SDH


[3] 155.52Mbps [7] 155.52Mbps

[3] 155.52Mbps [7] 155.52Mbps

5059

®


show ted link Syntax


Description

Options

show ted link show ted link

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display Multiprotocol Label Switching (MPLS) traffic engineering database link information. none—Display standard information about traffic engineering database link information. brief | detail—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


Output Fields

view

show ted link brief on page 5061 show ted link detail on page 5061 Table 593 on page 5060 describes the output fields for the show ted link command. Output fields are listed in the approximate order in which they appear.

Table 593: show ted link Output Fields Field Name

Field Description

Level of Output

ID


brief

-->ID

Hostname and address of the node that the link is going to. An address of .00 indicates that the node is the routing device itself. An address in the range 0.01 through 0.FF indicates that the node is a pseudonode.

brief

hostname


detail

hostname

Hostname and address of the node that the link is going to. An address of .00 indicates that the node is the routing device itself. An address in the range 0.01 through 0.FF indicates that the node is a pseudonode.

detail

Local Path

Number of paths CSPF on the local routing device has placed on the link.

All levels

5060



Table 593: show ted link Output Fields (continued) Field Name

Field Description

Level of Output

Local BW

Amount of bandwidth the local routing device has placed on the link.

All levels

Sample Output show ted link brief

show ted link detail

user@host> show ted link brief TED link: ID ->ID LocalPath LocalBW cheviot.00(123.456.1.10) merino.00(123.456.1.14) 0 0bps merino.00(123.456.1.14) corriedale.00(123.456.1.11) 0 0bps merino.00(123.456.1.14) perendale.00(123.456.1.13) 0 0bps merino.00(123.456.1.14) cheviot.00(123.456.1.10) 0 0bps romney.00(123.456.1.15) corriedale.00(123.456.1.11) 0 0bps romney.00(123.456.1.15) perendale.00(123.456.1.13) 0 0bps user@host> show ted link detail TED link: cheviot.00(123.456.1.10)->merino.00(123.456.1.14), LocalPath 0 localBW [0] 0bps [1] 0bps [2] 0bps [3] 0bps localBW [4] 0bps [5] 0bps [6] 0bps [7] 0bps merino.00(123.456.1.14)->corriedale.00(123.456.1.11), LocalPath 0 localBW [0] 0bps [1] 0bps [2] 0bps [3] 0bps localBW [4] 0bps [5] 0bps [6] 0bps [7] 0bps merino.00(123.456.1.14)->perendale.00(123.456.1.13), LocalPath 0 localBW [0] 0bps [1] 0bps [2] 0bps [3] 0bps localBW [4] 0bps [5] 0bps [6] 0bps [7] 0bps merino.00(123.456.1.14)->cheviot.00(123.456.1.10), LocalPath 0 localBW [0] 0bps [1] 0bps [2] 0bps [3] 0bps localBW [4] 0bps [5] 0bps [6] 0bps [7] 0bps romney.00(123.456.1.15)->corriedale.00(123.456.1.11), LocalPath 0 localBW [0] 0bps [1] 0bps [2] 0bps [3] 0bps localBW [4] 0bps [5] 0bps [6] 0bps [7] 0bps romney.00(123.456.1.15)->perendale.00(123.456.1.13), LocalPath 0 localBW [0] 0bps [1] 0bps [2] 0bps [3] 0bps localBW [4] 0bps [5] 0bps [6] 0bps [7] 0bps


5061

®


show ted protocol Syntax


Description

Options

show ted protocol show ted protocol

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.5 for EX Series switches. Display information about the protocols from which the Multiprotocol Label Switching (MPLS) traffic engineering database learned about its nodes. none—Display standard information about the protocols from which the traffic engineering

database learned about its nodes. brief | detail—(Optional) Display the specified level of output. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical


view

show ted protocol on page 5062 Table 594 on page 5062 describes the output fields for the show ted protocol command. Output fields are listed in the approximate order in which they appear.

Table 594: show ted protocol Output Fields Field Name

Field Description

Protocol name

Protocol that reported the node information: •


•


•

OSPF (area-number)—OSPF from the specified area.

Credibility

If the protocols provide conflicting information about a node, the protocol with the highest credibility value is the one that the traffic engineering database uses.

Self node

Address the protocol uses as the local address.

Sample Output show ted protocol

5062

user@host> show ted protocol



Protocol name IS-IS(2) IS-IS(1)


Credibility Self node 2 (highest) corriedale.00(123.456.1.11) 1 corriedale.00(123.456.1.11)

5063

®


5064


PART 27

Network Management and Monitoring •

Port Mirroring on page 5067

•

sFlow Monitoring Technology on page 5131

•

SNMP on page 5161

•

Real-Time Performance Monitoring (RPM) on page 5263

•

Ethernet OAM Link Fault Management on page 5305

•

Ethernet OAM Connectivity Fault Management on page 5347

•

Uplink Failure Detection on page 5431

•

Monitoring General Network Traffic and Hosts on page 5441

•

Configuration Statements for General Network Management and Monitoring on page 5445

•

Operational Commands for General Network Management and Monitoring on page 5461


5065

®


5066


CHAPTER 143

Port Mirroring •

Port Mirroring—Overview on page 5067

•

Examples: Port Mirroring Configuration on page 5073

•

Configuring Port Mirroring on page 5104

•

Verifying Port Mirroring Configuration on page 5109

•

Troubleshooting Port Mirroring Configuration on page 5110

•

Configuration Statements for Port Mirroring on page 5112

•

Operational Commands for Port Mirroring on page 5127

Port Mirroring—Overview •


Understanding Port Mirroring on EX Series Switches You can use port mirroring to facilitate analyzing traffic on your Juniper Networks EX Series Ethernet Switch on a packet level. You might use port mirroring as part of monitoring switch traffic for such purposes as enforcing policies concerning network usage and file sharing and for identifying sources of problems on your network by locating abnormal or heavy bandwidth usage by particular stations or applications. Port mirroring copies packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets: •

Packets entering or exiting a port

•

Packets entering a VLAN on Juniper Networks EX2200, EX3200, EX3300, EX4200, EX4500, or EX6200 Ethernet Switches

•

Packets exiting a VLAN on Juniper Networks EX8200 Ethernet Switches


Port Mirroring Overview on page 5068

•

Port Mirroring Terminology on page 5069

•

Configuration Guidelines for Port Mirroring on the Switches on page 5070


5067

®


Port Mirroring Overview Port mirroring might be needed for traffic analysis on a switch because a switch, unlike a hub, does not broadcast packets to every port on the destination device. The switch sends packets only to the port to which the destination device is connected. You configure port mirroring on the switch to send copies of unicast traffic to either a local analyzer port or an analyzer VLAN. Then you can analyze the mirrored traffic using a protocol analyzer application. The protocol analyzer application can run either on a computer connected to the analyzer output interface or on a remote monitoring station. You can use port mirroring on a switch to mirror any of the following: •

Packets entering or exiting a port—You can mirror the packets in any combination (on up to 256 ports). For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.

•

Packets entering a VLAN on an EX2200, EX3200, EX3300, EX4200, EX4500, or EX6200 switch—You can mirror the packets entering a VLAN on these switches to either a local analyzer port or to an analyzer VLAN. On EX3200, EX4200, and EX4500 switches, you can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as ingress input to an analyzer.

•

Packets exiting a VLAN on an EX8200 switch—You can mirror the packets exiting a VLAN on an EX8200 switch to either a local analyzer port or to an analyzer VLAN. You can configure multiple VLANs (up to 256 VLANs), including a VLAN range and PVLANs, as egress input to an analyzer.

•

Statistical samples—You can mirror a statistical sample of packets that are •

Entering or exiting a port

•

Entering a VLAN on an EX2200, EX3200, EX3300, EX4200, EX4500, or EX6200 switch

•

Exiting a VLAN on an EX8200 switch

You specify the sample number of packets by setting the ratio. You can send the sample to either a local analyzer port or to an analyzer VLAN. •

Policy-based sample—You can mirror a policy-based sample of packets that are entering a port or a VLAN. You configure a firewall filter to establish a policy to select the packets to be mirrored. You can send the sample to a local analyzer port or to an analyzer VLAN.

NOTE: Juniper Networks Junos operating system (Junos OS) for EX Series switches implements port mirroring differently than other Junos OS packages. Junos OS for EX Series switches does not include the port-mirroring statement found in the edit forwarding-options level of the hierarchy of other Junos OS packages, or the port-mirror action in firewall filter terms.

5068


Chapter 143: Port Mirroring

Port Mirroring Terminology Table 595 on page 5069 lists some port mirroring terms and their descriptions.

Table 595: Port Mirroring Terminology Term

Description

Analyzer

A port mirroring configuration on an EX Series switch. The analyzer includes:

Analyzer output interface

•

The name of the analyzer

•

Source (input) ports or VLAN (optional)

•

A destination for mirrored packets (either a monitor port or a monitor VLAN)

•

Ratio field for specifying statistical sampling of packets (optional)

•

Loss-priority setting

Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected.

(Also known as monitor port) NOTE: Interfaces used as output for an analyzer must be configured as family ethernet-switching. Analyzer output interfaces have the following limitations: •

Cannot also be a source port.

•

Cannot be used for switching.

•

Do not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP), when part of a port mirroring configuration.

•

Do not retain any VLAN associations they held before they were configured as analyzer output interfaces.

If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped. Analyzer VLAN (Also known as monitor VLAN)

VLAN to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The member interfaces in the monitor VLAN are spread across the switches in your network.

Firewall-based analyzer

An analyzer whose configuration does not specify an input source; it specifies only an output destination. A firewall-based analyzer must be used with a firewall filter to achieve the functionality of an analyzer.

Global analyzer (on EX4500 switches only)

An analyzer that is based on a firewall filter, VLAN, or link aggregation group (LAG) or an analyzer in which interfaces are on different port groups on the switch. A port group is a logical group of ports on the switch.

Input interface

An interface on the switch that is being mirrored, on traffic that is either entering or exiting the interface. An input interface cannot also be an output interface for an analyzer.

(Also known as mirrored ports or monitored interfaces) LAG-based analyzer

An analyzer that has a LAG specified as the input (ingress) interface in the analyzer configuration.

Local port mirroring

An analyzer configuration in which packets are mirrored to a local analyzer port.


5069

®


Table 595: Port Mirroring Terminology (continued) Term

Description

Mirror ratio

See statistical sampling.

Monitoring station

A computer running a protocol analyzer application.

Native analyzer session

An analyzer session that has both input and output definitions in its analyzer configuration.

Policy-based mirroring

Mirroring of packets that match the match items in the defined firewall filter term. The action item analyzer analyzer-name is used in the firewall filter to send the packets to the analyzer.

Port-based analyzer

An analyzer session whose configuration defines interfaces for both input and output.

Protocol analyzer application

An application used to examine packets transmitted across a network segment. Also commonly called network analyzer, packet sniffer, or probe.

Remote port mirroring

Functions the same as local port mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic. If you are using an intermediate (transit) switch, you can avoid flooding of the mirrored traffic to member interfaces of the VLAN by setting the ingress option to specify an interface of the VLAN for ingress-only traffic and the egress option to specify an interface of the VLAN for egress-only traffic in the [edit vlans] hierarchy level. See “Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX Series Switches” on page 5097.

Statistical sampling

You can configure the system to mirror a sampling of the packets by setting a ratio of 1:x, where x is a value from 1 through 2047. For example, when x is set to 1, all packets are copied to the analyzer. When x is set to 200, 1 of every 200 packets is copied.

VLAN-based analyzer

An analyzer session whose configuration uses VLANs for both input and output or for either input or output.

Configuration Guidelines for Port Mirroring on the Switches When you configure port mirroring, we recommend that you follow certain guidelines to ensure that you obtain optimum benefit from the port mirroring feature. Additionally, we recommend that you disable port mirroring when you are not using it and that you select specific interfaces for which packets must be mirrored (that is, select specific interfaces as input to the analyzer) in preference to using the all keyword option, which will enable port mirroring on all interfaces. You can also limit the amount of mirrored traffic by using statistical sampling, setting a ratio to select a statistical sample, or using a firewall filter. Mirroring only the necessary packets reduces any potential performance impact. With local port mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. Thus, while configuring an analyzer, you must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.

5070



Table 596 on page 5071 summarizes further configuration guidelines for port mirroring on the switches.

Table 596: Configuration Guidelines for Port Mirroring Guideline

Description

Comment

NOTE: “All other switches” or “All switches” in the Description column applies to switch platforms that support port mirroring. For details on platform support, see “EX Series Switch Software Features Overview” on page 3. Number of VLANs that you can use as ingress input to an analyzer

Number of analyzers that you can enable concurrently

•

1—EX2200 switches

•

256—EX3200, EX4200, EX4500, and EX6200 switches

•

Does not apply—EX8200 switches

•

1—EX2200, EX3200, EX4200, EX3300, and EX6200 switches

•

7 port-based or 1 global—EX4500 switches

•

7 total, with one based on a VLAN, firewall filter, or LAG and with the remaining 6 based on firewall filters—EX8200 switches

NOTE: An analyzer configured using a firewall filter does not support mirroring of packets that are egressing ports.

Number of firewall-filter–based analyzers that you can configure on an EX4500 switch

•

1—EX4500 switches

Types of ports on which you cannot mirror traffic

•

Virtual Chassis ports (VCPs)

•

Management Ethernet ports (me0 or vme0)

•


•

VLAN-tagged Layer 3 interfaces

If port mirroring is configured to mirror packets exiting 10-Gigabit Ethernet ports on EX8200 switches, packets are dropped in both network and mirrored traffic when the mirrored packets exceed 60 percent of the 10-Gigabit Ethernet port traffic.

•

EX8200 switches

Traffic directions for which you can specify a ratio

•

Ingress only—EX8200 switches

•

Ingress and egress—All other switches

Protocol families that you can include in a firewall-filter-based remote analyzer

•

Any except inet and inet6—EX8200 switches

•

Any—All other switches


•

You can configure more than the specified number of analyzers on the switch, but you can enable only the specified number for a session. Use disable ethernet-switching-options analyzer name to disable an analyzer.

•

See Table 595 on page 5069 for a description of global analyzers.

•

See the next row entry in this table for the exception to the number of firewall-filter–based analyzers allowed on EX4500 switches.

If you configure multiple analyzers, you cannot attach any of them to a firewall filter.

You can use inet and inet6 on EX8200 switches in a local analyzer.

5071

®


Table 596: Configuration Guidelines for Port Mirroring (continued) Guideline

Description

Traffic directions that you can configure for mirroring on ports in firewall-filter–based configurations

•

Ingress only—All switches

Mirrored packets on tagged interfaces might contain an incorrect VLAN ID or Ethertype.

•

Both VLAN ID and Ethertype—EX2200 switches

•

VLAN ID only—EX3200 and EX4200 switches

•

Ethertype only—EX4500 switches

•

Does not apply—EX8200 switches

Mirrored packets exiting an interface do not reflect rewritten class-of-service (CoS) DSCP or 802.1p bits.

•

All switches

The analyzer appends an incorrect 802.1Q (dot1q) header to the mirrored packets on the routed traffic or does not mirror any packets on the routed traffic when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for that analyzer.

•

EX8200 switches

•

Does not apply—All other switches

Packets with physical layer errors are not sent to the local or remote analyzer.

•

All switches

Port mirroring configuration on a Layer 3 interface with the output configured to a VLAN is not available on EX8200 switches.

•

EX8200 switches

•


Port mirroring does not support line-rate traffic.

•

All switches

Port mirroring for line-rate traffic is done on a best-effort basis.

A port-based analyzer does not work if the interfaces configured in the input and output definitions exist across members of an EX8200 Virtual Chassis. If a link aggregation group (LAG) is defined in the input definition of a port-based analyzer and the LAG contains interfaces across members of an EX8200 Virtual Chassis, the analyzer does not work.

•


•


The following error message is displayed when a port-based analyzer is configured with interfaces across members of an EX8200 Virtual Chassis: "Interfaces configured in input and output are across chassis". (This message is not displayed if a LAG is configured in the input definition of the analyzer.)

When the input to an analyzer is a LAG and the members of the LAG are spread across a virtual chassis, traffic only from input LAG interfaces belonging to the same chassis as that of the analyzer output port are mirrored.

•


•

Does not apply — All other switches

5072

Comment

As a workaround, configure an analyzer that uses each port (member interface) of the VLAN as egress input.

Packets with these errors are filtered out and thus are not sent to the analyzer.




•

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches on page 5073

•


•

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 5108 or Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 5104

•


Examples: Port Mirroring Configuration •


•


•

Example: Configuring Port Mirroring to Multiple Interfaces for Remote Monitoring of Employee Resource Use on EX Series Switches on page 5088

•

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX Series Switches on page 5097

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX Series Switches EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets: •


•

Packets entering a VLAN on EX2200, EX3200, EX4200, or EX4500 switches

•

Packets exiting a VLAN on EX8200 switches

You can analyze the mirrored traffic using a protocol analyzer application installed on a system connected to the local destination interface (or a running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN). This example describes how to configure an EX Series switch to mirror traffic entering interfaces connected to employee computers to an analyzer output interface on the same switch. This example describes how to configure local port mirroring: •


•


•

Mirroring All Employee Traffic for Local Analysis on page 5075


5073

®


•

Mirroring Employee-to-Web Traffic for Local Analysis on page 5076

•




•


Before you configure port mirroring, be sure you have an understanding of port mirroring concepts.

Overview and Topology This topic includes two related examples that describe how to mirror traffic entering ports on the switch to a destination interface on the same switch. The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario, but includes a filter to mirror only the employee traffic going to the Web. Network Topology In this example, ge-0/0/0 and ge-0/0/1 serve as connections for employee computers. In this example, one interface, ge-0/0/10, is reserved for analysis of mirrored traffic. Connect a PC running a protocol analyzer application to the analyzer output interface to analyze the mirrored traffic.

NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped packets.

Figure 138 on page 5075 shows the network topology for this example.

5074



Figure 138: Network Topology for Local Port Mirroring Example

Mirroring All Employee Traffic for Local Analysis To configure port mirroring for all employee traffic for local analysis, perform these tasks: CLI Quick Configuration

To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into the switch terminal window: [edit] set interfaces ge-0/0/0 unit 0 family ethernet-switching set interfaces ge-0/0/1 unit 0 family inet 192.1.1.1/24 set interfaces ge-0/0/10 unit 0 family ethernet-switching set ethernet-switching options analyzer employee–monitor input ingress interface ge-0/0/0.0 set ethernet-switching options analyzer employee–monitor input ingress interface ge-0/0/1.0 set ethernet-switching options analyzer employee–monitor output interface ge-0/0/10.0


To configure an analyzer called employee-monitor and specify the input (source) interfaces and the analyzer output interface: 1.

Configure each interface connected to employee computers as an input interface for the port-mirror analyzer that we are calling employee-monitor: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge–0/0/0.0 user@switch# set analyzer employee-monitor input ingress interface ge–0/0/1.0

2.

Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor output (Port Mirroring) interface ge-0/0/10.0

Results

Check the results of the configuration: [edit] user@switch# show ethernet-switching-options { analyzer employee-monitor { input {


5075

®


ingress { interface ge-0/0/0.0; interface ge-0/0/1.0; } } output { interface { ge-0/0/10.0; } } } }

Mirroring Employee-to-Web Traffic for Local Analysis To configure port mirroring for employee to web traffic, perform these tasks: CLI Quick Configuration

To quickly configure local port mirroring of traffic from the two ports connected to employee computers, filtering so that only traffic to the external Web is mirrored, copy the following commands and paste them into the switch terminal window: [edit] set ethernet-switching-options analyzer employee–web–monitor output interface ge-0/0/10.0 set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee


To configure local port mirroring of employee-to-web traffic from the two ports connected to employee computers: 1.

Configure the local analyzer interface: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching

2.

Configure the employee-web-monitor analyzer output (the input to the analyzer comes from the action of the filter): [edit ethernet-switching-options] user@switch# set analyzer employee-web-monitor output interface ge-0/0/10.0

3.

Configure a firewall filter called watch-employee to send mirrored copies of employee requests to the Web to the employee-web-monitor analyzer. Accept all traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28). Send mirrored copies of all packets destined for the Internet (destination port 80) to the employee-web-monitor analyzer. [edit firewall family ethernet-switching] user@switch# set filter (Firewall Filters) watch-employee term employee-to-corp from destination-address 192.0.2.16/28 user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28

5076



user@switch# set filter watch-employee term employee-to-corp then accept user@switch# set filter watch-employee term employee-to-web from destination-port 80 user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor 4.

Apply the watch-employee filter to the appropriate ports: [edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input (Port Mirroring) watch-employee user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Results

Check the results of the configuration: [edit] user@switch# show ethernet-switching-options { analyzer employee-web-monitor { output { interface ge-0/0/10.0; } } } ... firewall family ethernet-switching { filter watch-employee { term employee-to-corp { from { destination-address 192.0.2.16/28; source-address 192.0.2.16/28; } then accept { } term employee-to-web { from { destination-port 80; } then analyzer employee-web-monitor; } } } ... interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan members [employee-vlan, voice-vlan]; filter { input watch-employee; } } } } ge-0/0/1 { family ethernet-switching { filter { input watch-employee;


5077

®


} } } }


Verifying That the Analyzer Has Been Correctly Created on page 5078

Verifying That the Analyzer Has Been Correctly Created Purpose

Action

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces, and appropriate output interface. You can verify the port mirror analyzer is configured as expected using the show analyzer command. user@switch> show analyzer Analyzer name Output interface Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces Egress monitored interfaces

Meaning


: : : : : : :

employee-monitor ge-0/0/10.0 1 Low ge-0/0/0.0 ge-0/0/1.0 None

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default setting), a loss priority of low (set this option to high only when the analyzer output is to a VLAN), is mirroring the traffic entering the ge-0/0/0 and ge-0/0/1 interfaces, and sending the mirrored traffic to the ge-0/0/10 interface.

•


•

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 5104

•

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 5108

•


Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX Series Switches EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets:

5078

•


•




•


You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN. This topic includes two related examples that describe how to mirror traffic entering ports on the switch to the remote-analyzer VLAN so that you can perform analysis from a remote monitoring station. The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario but includes a filter to mirror only the employee traffic going to the Web.

BEST PRACTICE: Mirror only necessary packets to reduce potential performance impact. We recommend that you: •

Disable your configured port mirroring analyzers when you are not using them.

•

Specify individual interfaces as input to analyzers rather than specifying all interfaces as input.

•

Limit the amount of mirrored traffic by: •

Using statistical sampling.

•

Setting ratios to select statistical samples.

•

Using firewall filters.

This example describes how to configure remote port mirroring: •


•


•

Mirroring All Employee Traffic for Remote Analysis on page 5080

•

Mirroring Employee-to-Web Traffic for Remote Analysis on page 5084

•




•

EX Series switch connected to another EX Series switch

Before you configure remote port mirroring, be sure that: •

You have an understanding of port-mirroring concepts.

•

The interfaces that the analyzer will use as input interfaces have been configured on the switch.


5079

®


Overview and Topology This topic includes two related examples that describe how to configure port mirroring to the remote-analyzer VLAN so that analysis can be performed from a remote monitoring station. The first example shows how to configure a switch to mirror all traffic from employee computers. The second example shows the same scenario, but the setup includes a filter to mirror only the employee traffic going to the Web. Figure 139 on page 5080 shows the network topology for both these example scenarios.

Figure 139: Remote Port Mirroring Example Network Topology

In this example: •

Interface ge-0/0/0 is a Layer 2 interface, and interface ge-0/0/1 is a Layer 3 interface (both interfaces on the source switch) that serve as connections for employee computers.

•

Interface ge-0/0/10 is a Layer 2 interface that connects the source switch to the destination switch.

•

Interface ge-0/0/5 is a Layer 2 interface that connects the destination switch to the remote monitoring station.

•

VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Mirroring All Employee Traffic for Remote Analysis To configure port mirroring for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks: CLI Quick Configuration

5080

To quickly configure port mirroring for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window:



•

Copy and paste the following commands in the source switch terminal window: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999 set vlans remote-analyzer interface ge-0/0/10 egress set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0 set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0 set ethernet-switching-options analyzer employee-monitor loss-priority high set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

•

Copy and paste the following commands in the destination switch terminal window: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999 set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/5.0


To configure basic remote port mirroring: 1.

On the source switch: •

Configure the VLAN tag ID for the remote-analyzer VLAN: [edit vlans] user@switch# set remote-analyzer vlan-id 999

•

Configure the interface on the network port connected to the destination switch for trunk mode and associate it with the remote-analyzer VLAN: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

•

Configure the ge-0/0/10 interface for egress-only traffic so that traffic can only egress from the interface: [edit vlans] user@switch# set remote-analyzer interface ge-0/0/10 egress

•

Configure the employee-monitor analyzer: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0 user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0 user@switch# set analyzer employee-monitor input egress interface ge-0/0/0.0 user@switch# set analyzer employee-monitor input egress interface ge-0/0/1.0 user@switch# set analyzer employee-monitor loss-priority high user@switch# set analyzer employee-monitor output vlan remote-analyzer

2.

On the destination switch: •



5081

®


•

Configure the interface on the destination switch for trunk mode and associate it with the remote-analyzer VLAN: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

•

Configure the interface connected to the destination switch for trunk mode: [edit interfaces] user@switch# set ge-0/0/5 unit 0 family ethernet-switching port-mode trunk

•

Configure the employee-monitor analyzer: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress vlan remote-analyzer user@switch# set analyzer employee-monitor loss-priority high output interface ge-0/0/5.0

Results

Check the results of the configuration on the source switch: [edit] user@switch# show ethernet-switching-options { analyzer employee-monitor { loss-priority high; input { ingress { interface ge-0/0/0.0; interface ge-0/0/1.0; } egress { interface ge-0/0/0.0; interface ge-0/0/1.0; } } output { vlan { remote-analyzer; } } } } interfaces { ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 999; } } } } } vlans { remote-analyzer { vlan-id 999;

5082



interface { ge-0/0/10.0 egress; } } } }

Check the results of the configuration on the destination switch: [edit] user@switch# show interfaces { ge0/0/5 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 999; } } } } } vlans { remote-analyzer { vlan-id 999; interface { ge-0/0/10.0 egress; } } } } ethernet-switching-options{ analyzer employee-monitor { loss-priority high; input { ingress { vlan remote-analyzer; } } output { interface { ge-0/0/5.0; } } } }


5083

®


Mirroring Employee-to-Web Traffic for Remote Analysis To configure port mirroring for remote traffic analysis of employee to web traffic, perform these tasks: CLI Quick Configuration

To quickly configure port mirroring to mirror employee traffic to the external Web, copy the following commands and paste them into the switch terminal window: •

Copy and paste the following commands in the source switch terminal window: [edit] set ethernet-switching-options analyzer employee-web-monitor loss-priority high output vlan 999 set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port mode trunk set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999 set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

•

Copy and paste the following commands in the destination switch terminal window: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999 set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk set ethernet-switching-options analyzer employee-web-monitor input ingress vlan remote-analyzer set ethernet-switching-options analyzer employee-web-monitor loss-priority high output interface ge-0/0/5.0


To configure port mirroring of all traffic from the two ports connected to employee computers to the remote-analyzer VLAN for use from a remote monitoring station: 1.


Configure the employee-web-monitor analyzer: [edit ethernet-switching-options] user@switch# set interfaces ge-0/0/10 unit 0 family ethernet-switching port mode trunk user@switch# set analyzer employee-web-monitor loss-priority high output vlan 999

•


•

Configure the interface to associate it with the remote-analyzer VLAN: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

5084



•

Configure the firewall filter called watch-employee: [edit firewall family ethernet-switching] user@switch# set filter (Firewall Filters) watch-employee term employee-to-corp from destination-address 192.0.2.16/28 user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 user@switch# set filter watch-employee term employee-to-corp then accept user@switch# set filter watch-employee term employee-to-web from destination-port 80 user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor

•

Apply the firewall filter to the employee interfaces: [edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input (Port Mirroring) watch-employee user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

2.



•

Configure the interface on the destination switch for trunk mode and associate it with the remote-analyzer VLAN: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

•

Configure the interface connected to the destination switch for trunk mode: [edit interfaces] user@switch# set ge-0/0/5 unit 0 family ethernet-switching port-mode trunk

•

Configure the employee-monitor analyzer: [edit ethernet-switching-options] user@switch# set analyzer employee-web-monitor input ingress vlan remote-analyzer user@switch# set analyzer employee-web-monitor loss-priority high output interface ge-0/0/5.0

Results

Check the results of the configuration on the source switch: [edit] user@switch# show interfaces { ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members remote-analyzer; } } } } ge-0/0/0 {


5085

®


unit 0 { family ethernet-switching { filter { input watch-employee; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { filter { input watch-employee; } } } } } firewall { family ethernet-switching { filter watch-employee { term employee-to-corp { from { source-address { 192.0.2.16/28; } destination-address { 192.0.2.16/28; } } then accept; } term employee-to-web { from { destination-port 80; } then analyzer employee-web-monitor; } } } } ethernet-switching-options { analyzer employee-web-monitor { loss-priority high; output { vlan { 999; } } } vlans { remote-analyzer { vlan-id 999; } }

5086



Check the results of the configuration on the destination switch: [edit] user@switch# show vlans { remote-analyzer { vlan-id 999; } } interfaces { ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members remote-analyzer; } } } } ge-0/0/5 { unit 0 { family ethernet-switching { port-mode trunk; } } } } ethernet-switching-options { analyzer employee-web-monitor { loss-priority high; input { ingress { vlan remote-analyzer; } } output { interface { ge-0/0/5.0; } } }




Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface.


5087

®


Action

You can verify the analyzer is configured as expected by using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface. To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show analyzer command on the source switch. The following output is displayed for this example configuration: user@switch> show analyzer Analyzer name Output VLAN Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces

Meaning


: : : : : :

employee-monitor remote-analyzer 1 High ge-0/0/0.0 ge-0/0/1.0

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), has a loss priority of high (set this option to high whenever the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and is sending the mirrored traffic to the analyzer called remote-analyzer.

•


•


•


•


•


Example: Configuring Port Mirroring to Multiple Interfaces for Remote Monitoring of Employee Resource Use on EX Series Switches EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets: •


•


•


NOTE: The feature of mirroring traffic to multiple VLAN interfaces is available only on EX8200 switches.

You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN.

5088



This example describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN so that you can perform analysis from a remote monitoring station. The remote-analyzer VLAN in this example contains multiple member interfaces. Therefore, the same traffic is mirrored to all member interfaces of the remote-analyzer VLAN so that mirrored packets can be sent to different remote monitoring stations. You can install applications, such as sniffers and intrusion detection systems, on remote monitoring stations to analyze these mirrored packets and to obtain useful statistical data. For instance, if there are two remote monitoring stations, you can install a sniffer on one remote monitoring station and an intrusion detection system on the other station. You can use a firewall filter analyzer configuration to forward a specific type of traffic to a remote monitoring station.



•


•



•


•


This example describes how to configure remote port mirroring to multiple interfaces on an analyzer VLAN: •


•


•

Mirroring All Employee Traffic to Multiple VLAN Member Interfaces for Remote Analysis on page 5091

•




•




•



5089

®


Overview and Topology This example describes how to configure port mirroring to multiple interfaces in the remote-analyzer VLAN so that traffic is sent to different remote monitoring stations for analysis. Figure 140 on page 5090 shows the network topology for this example.

Figure 140: Remote Port Mirroring Example Network Topology Using Multiple VLAN Member Interfaces

5090





•

Interfaces ge-0/0/10 and ge-0/0/11 are Layer 2 interfaces that are connected to different destination switches.

•

Interface ge-0/0/12 is a Layer 2 interface that connects the Destination 1 switch to the remote monitoring station.

•

Interface ge-0/0/13 is a Layer 2 interface that connects the Destination 2 switch to the remote monitoring station.

•


Mirroring All Employee Traffic to Multiple VLAN Member Interfaces for Remote Analysis To configure port mirroring to multiple VLAN member interfaces for remote traffic analysis for all incoming and outgoing employee traffic, perform these tasks: CLI Quick Configuration

To quickly configure port mirroring for remote traffic analysis for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window: •

In the source switch terminal window, copy and paste the following commands: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999 set vlans remote-analyzer interface ge-0/0/10 egress set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 999 set vlans remote-analyzer interface ge-0/0/11 egress set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0 set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0 set ethernet-switching-options analyzer employee-monitor loss-priority high set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

•

In the Destination 1 switch terminal window, copy and paste the following commands: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk set vlans remote-analyzer interface ge-0/0/10 ingress set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode trunk set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/12.0

•

In the Destination 2 switch terminal window, copy and paste the following commands: [edit] set vlans remote-analyzer vlan-id 999


5091

®


set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set vlans remote-analyzer interface ge-0/0/11 ingress set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/13.0


To configure basic remote port mirroring to two VLAN member interfaces: 1.



•

Configure the interfaces on the network port connected to destination switches for trunk mode and associate it with the remote-analyzer VLAN: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999 user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/11 unit 0 family ethernet-switching vlan members 999

•

Configure ge-0/0/10 and ge-0/0/11 for egress-only traffic so that traffic can only exit from the interface: [edit vlans] user@switch# set remote-analyzer interface ge-0/0/10 egress user@switch# set remote-analyzer interface ge-0/0/11 egress

•


2.

On the Destination 1 switch: •


•

Configure the ge-0/0/10 interface on the Destination 1 switch for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk user@switch# set vlans remote-analyzer interface ge-0/0/10 ingress

•

Configure the interface connected to the remote monitoring station for trunk mode: [edit interfaces] user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode trunk

5092



•


3.

On the Destination 2 switch: •


•

Configure the ge-0/0/11 interface on the Destination 2 switch for trunk mode, associate it with the remote-analyzer VLAN, and set the interface only for ingress traffic: [edit interfaces] user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk user@switch# set vlans remote-analyzer interface ge-0/0/11 ingress

•


•


Results

Check the results of the configuration on the source switch: [edit] user@switch# show ethernet-switching-options { analyzer employee-monitor { loss-priority high; input { ingress { interface ge-0/0/0.0; interface ge-0/0/1.0; } egress { interface ge-0/0/0.0; interface ge-0/0/1.0; } } output { vlan { remote-analyzer; } } } } vlans {


5093

®


remote-analyzer { vlan-id 999; interface { ge-0/0/10.0 { egress; } ge-0/0/11.0 { egress; } } } } interfaces { ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 999; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { member 999; } } } } }

Check the results of the configuration on the Destination 1 switch: [edit] user@switch# show vlans { remote-analyzer { vlan-id 999; interface { ge-0/0/10.0 { ingress; } } } } interfaces { ge-0/0/10 { unit 0 { ethernet-switching { port-mode trunk; } }

5094



} ge-0/0/12 { unit 0 { family ethernet-switching { port-mode trunk; } } } } ethernet-switching-options { analyzer employee-monitor { loss-priority high; input { ingress { vlan remote-analyzer; } } output { interface { ge-0/0/12.0; } } } }

Check the results of the configuration on the Destination 2 switch: [edit] user@switch# show vlans { remote-analyzer { vlan-id 999; interface { ge-0/0/11.0 { ingress; } } } } interfaces { ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/13 { unit 0 { family ethernet-switching { port-mode trunk; } } } } ethernet-switching-options {


5095

®


employee-monitor { loss-priority high; input { ingress { vlan remote-analyzer; } } output { interface { ge-0/0/13.0; } } } }




Action

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and appropriate output interface. You can verify the analyzer is configured as expected by using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface. To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show analyzer command on the source switch. The following output is displayed for this example configuration: user@switch> show analyzer Analyzer name Output VLAN Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces

Meaning


5096

: : : : : :



•


•


•




•


•


•


Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use Through a Transit Switch on EX Series Switches EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets: •


•


•


You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN. This topic includes an example that describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch, so that you can perform analysis from a remote monitoring station.



•


•



•


•


This example describes how to configure remote port mirroring through a transit switch: •


•


•

Mirroring All Employee Traffic for Remote Analysis Through a Transit Switch on page 5099

•



5097

®




•

EX3200 or EX4200 switch connected to another EX3200 or EX4200 switch through a third EX3200 or EX4200 switch



•


Overview and Topology This example describes how to mirror traffic entering ports on the switch to the remote-analyzer VLAN through a transit switch so that you can perform analysis from a remote monitoring station. The example shows how to configure a switch to mirror all traffic from employee computers to a remote analyzer. In this configuration, an analyzer session is required on the destination switch to mirror incoming traffic from the analyzer VLAN to the egress interface to which the remote monitoring station is connected. You must disable MAC learning on the transit switch for the remote-analyzer VLAN so that MAC learning is disabled for all member interfaces of the remote-analyzer VLAN on the transit switch. Figure 141 on page 5098 shows the network topology for this example.

Figure 141: Remote Port Mirroring Example Through a Transit Switch Network Topology

5098





•

Interface ge-0/0/10 is a Layer 2 interface that connects to the transit switch.

•

Interface ge-0/0/11 is a Layer 2 interface on the transit switch.

•

Interface ge-0/0/12 is a Layer 2 interface on the transit switch and connects to the destination switch.

•

Interface ge-0/0/13 is a Layer 2 interface on the destination switch .

•

Interface ge-0/0/14 is a Layer 2 interface on the destination switch and connects to the remote monitoring station.

•


Mirroring All Employee Traffic for Remote Analysis Through a Transit Switch To configure port mirroring for remote traffic analysis through a transit switch, for all incoming and outgoing employee traffic, perform these tasks: CLI Quick Configuration

To quickly configure port mirroring for remote traffic analysis through a transit switch, for incoming and outgoing employee traffic, copy the following commands and paste them into the switch terminal window: •

Copy and paste the following commands in the source switch (monitored switch) terminal window: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 999 set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0 set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input egress interface ge-0/0/1.0 set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

•

Copy and paste the following commands in the transit switch window: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set vlans remote-analyzer interface ge-0/0/11 ingress set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode trunk set vlans remote-analyzer interface ge-0/0/12 egress set vlans remote-analyzer no-mac-learning

•

Copy and paste the following commands in the destination switch window: [edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk set vlans remote-analyzer interface ge-0/0/13 ingress set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk


5099

®


set ethernet-switching-options analyzer employee-monitor input ingress vlan remote-analyzer set ethernet-switching-options analyzer employee-monitor loss-priority high output interface ge-0/0/14.0


To configure remote port mirroring through a transit switch: 1.



•

Configure the interfaces on the network port connected to transit switch for trunk mode and associate it with the remote-analyzer VLAN: [edit interfaces] user@switch# set ge-0/0/10 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/10 unit 0 family ethernet-switching vlan members 999

•


2.

On the transit switch: •


•

Configure the ge-0/0/11 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only: [edit interfaces] user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk user@switch# set vlans remote-analyzer interface ge-0/0/11 ingress

•

Configure the ge-0/0/12 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for egress traffic only: [edit interfaces] user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode trunk user@switch# set vlans remote-analyzer interface ge-0/0/12 egress

•

Configure the no-mac-learning option for the remote-analyzer VLAN to disable MAC learning on all interfaces that are members of the remote-analyzer VLAN: [edit interfaces] user@switch# set vlans remote-analyzer no-mac-learning

3.



5100



•

Configure the ge-0/0/13 interface for trunk mode, associate it with the remote-analyzer VLAN, and set the interface for ingress traffic only: [edit interfaces] user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk user@switch# set vlans remote-analyzer interface ge-0/0/13 ingress

•


•


Results

Check the results of the configuration on the source switch: [edit] user@switch# show ethernet-switching-options { analyzer employee-monitor { input { ingress { interface ge-0/0/0.0; interface ge-0/0/1.0; } egress { interface ge-0/0/0.0; interface ge-0/0/1.0; } } output { vlan { remote-analyzer; } } } } vlans { remote-analyzer { vlan-id 999; } } interfaces { ge-0/0/10 { unit 0 { family ethernet-switching { port-mode trunk; vlan { member 999; } }


5101

®


} } }

Check the results of the configuration on the transit switch: [edit] user@switch# show vlans { remote-analyzer { vlan-id 999; interface { ge-0/0/11.0 { ingress; } ge-0/0/12.0 { egress; } } no-mac-learning; } } interfaces { ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-0/0/12 { unit 0 { family ethernet-switching { port-mode trunk; } } } }

Check the results of the configuration on the destination switch: [edit] user@switch# show vlans { remote-analyzer { vlan-id 999; interface { ge-0/0/13.0 { ingress; } } } } interfaces { ge-0/0/13 { unit 0 { family ethernet-switching {

5102



port-mode trunk; } } } ge-0/0/14 { unit 0 { family ethernet-switching { port-mode trunk; } } } } ethernet-switching-options { analyzer employee-monitor { loss-priority high; input { ingress { vlan remote-analyzer; } } output { interface { ge-0/0/14.0; } } } }




Action

Verify that the analyzer named employee-monitor has been created on the switch with the appropriate input interfaces and the appropriate output interface. You can verify the analyzer is configured as expected by using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface. To verify that the analyzer is configured as expected while monitoring all employee traffic on the source switch, run the show analyzer command on the source switch. The following output is displayed for this example configuration: user@switch> show analyzer Analyzer name Output VLAN Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces


: : : : : :


5103

®


Meaning



•


•


•


•


•


•


Configuring Port Mirroring •


•


Configuring Port Mirroring to Analyze Traffic (CLI Procedure) EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets: •


•

Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4500, or EX6200 switches

•


BEST PRACTICE: Mirror only necessary packets to reduce potential performance impact. We recommend that you:

5104

•


•


•



•




•


NOTE: If you want to create additional analyzers without deleting the existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command or the J-Web configuration page for port mirroring.

NOTE: Interfaces used as output for an analyzer must be configured as family ethernet-switching.

•

Configuring Port Mirroring for Local Traffic Analysis on page 5105

•

Configuring Port Mirroring for Remote Traffic Analysis on page 5106

•

Filtering the Traffic Entering an Analyzer on page 5106

Configuring Port Mirroring for Local Traffic Analysis To mirror interface traffic or VLAN traffic on the switch to an interface on the switch: 1.

Choose a name for the analyzer—in this case, employee-monitor—and specify the input—in this case, packets entering ge-0/0/0 and ge-0/0/1: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input (Port Mirroring) ingress interface ge–0/0/0.0 [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge–0/0/1.0

2. Optionally, you can specify a statistical sampling of the packets by setting a ratio: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch. On EX8200 switches, you can set a ratio only for ingress packets. 3. Configure the destination interface for the mirrored packets: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor output (Port Mirroring) interface ge-0/0/10.0


5105

®


Configuring Port Mirroring for Remote Traffic Analysis To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location: 1.

Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this documentation: [edit] user@switch# set vlans remote-analyzer vlan-id 999

2. Set the uplink module interface that is connected to the distribution switch to trunk

mode and associate it with the remote-analyzer VLAN: [edit] user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999 3. Configure the analyzer: a. Choose a name and set the loss priority to high. Loss priority should always be set

to high when configuring for remote port mirroring: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor loss-priority (Port Mirroring) high b. Specify the traffic to be mirrored—in this example the packets entering ports

ge-0/0/0 and ge-0/0/1: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0 [edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0 c. Specify the remote-analyzer VLAN as the output for the analyzer: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor output (Port Mirroring) vlan 999 4. Optionally, you can specify a statistical sampling of the packets by setting a ratio: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

Filtering the Traffic Entering an Analyzer To filter which packets are mirrored to an analyzer, create the analyzer and then use it as the action in the firewall filter. You can use firewall filters in both local and remote port mirroring configurations. If the same analyzer is used in multiple filters or terms, the packets are copied to the analyzer output port or analyzer VLAN only once. To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. The action of the firewall filter provides the input to the analyzer.

5106



To configure port mirroring with filters: 1.

Configure the analyzer name (here, employee-monitor) and the output: a. For local analysis, set the output to the local interface to which you will connect

the computer running the protocol analyzer application: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor output interface ge-0/0/10.0 b. For remote analysis, set the loss priority to high and set the output to the

remote-analyzer VLAN: [edit ethernet-switching-options] user@switch# set analyzer employee-monitor loss-priority high output vlan 999 2. Create a firewall filter using any of the available match conditions and specify the

action as analyzer employee-monitor: This step shows a firewall filter called example-filter, with two terms: a. Create the first term to define the traffic that should not pass through to the

analyzer: [edit firewall family ethernet-switching] user@switch# set filter (Firewall Filters) example-filter term no-analyzer from source-address ip-address [edit firewall family ethernet-switching] user@switch# set filter example-filter term no-analyzer from destination-address ip-address [edit firewall family ethernet-switching] user@switch# set filter example-filter term no-analyzer then accept b. Create the second term to define the traffic that should pass through to the

analyzer: [edit firewall family ethernet-switching] user@switch# set filter example-filter term to-analyzer from destination-port 80 [edit firewall family ethernet-switching] user@switch# set filter example-filter term to-analyzer then analyzer employee–monitor [edit firewall family ethernet-switching] user@switch# set filter example-filter term to-analyzer then accept 3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer: [edit] user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input example-filter [edit] user@switch# set vlan (802.1Q Tagging) remote-analyzer filter input example-filter


•


•


•


•


•



5107

®


•


Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) EX Series switches allow you to configure port mirroring to send copies of packets to either a local interface for local monitoring or to a VLAN for remote monitoring. You can use port mirroring to copy these packets: •


•

Packets entering a VLAN on EX2200, EX3200, EX3300, EX4200, EX4500, EX6200 switches

•


To configure port mirroring on an EX Series switch using the J-Web interface: 1.

Select Configure > Security > Port Mirroring. The first part of the screen displays analyzer details such as the name, status, analyzer port, ratio, and loss priority. The second part of the screen lists ingress and egress ports of the selected analyzer.


2. Click one: •

Add—Add an analyzer. Enter information as specified in Table 597 on page 5109.

•

Edit—Modify details of the selected analyzer. Enter information as specified in Table 597 on page 5109.

•

Delete—Delete the selected analyzer.

•

Enable/Disable—Enable or disable the selected analyzer (toggle).

NOTE: On EX2200, EX3200, EX4200, and EX4500 switches, only one analyzer can be enabled at a time. On EX8200 switches, a maximum of seven analyzers can be enabled.

NOTE: When an analyzer is deleted or disabled, any filter association is removed.

5108



Table 597: Port Mirroring Configuration Settings Field

Function

Your Action

Analyzer Name

Specifies the name of the analyzer.

Type a name for the analyzer.

Ratio

Specifies the ratio of packets to be mirrored. For example:

Enter a number from 0 through 2047.

Loss Priority

•

A ratio of 1 sends copies of all packets.

•

A ratio of 2047 sends copies of 1 out of every 2047 packets.

Specifies the loss priority of the mirrored packets.

Keep the default of low, unless the output is to a VLAN.

By default, the switch applies a lower priority to mirrored data than to regular port-to-port data—mirrored traffic is dropped in preference to regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high. Analyzer Port

Specifies a local interface or VLAN to which mirrored packets are sent. NOTE: A VLAN must have only one associated interface to be specified as an analyzer interface.

Ingress

Specifies interfaces or VLANs for which entering traffic is mirrored.

Click Select. In the Select Analyzer Port/VLAN window, select either port or VLAN as the Analyzer Type. Next, select the required port or VLAN.

Click Add and select Port or VLAN. Next, select the interfaces or VLANs. Click Remove to delete an ingress interface or VLAN.

Egress

Specifies interfaces for which exiting traffic is mirrored.

Click Add to add egress interfaces. Click Remove to remove egress interfaces.


•


•


•


•


Verifying Port Mirroring Configuration •

Verifying Input and Output for Port Mirroring Analyzers on EX Series Switches on page 5109

Verifying Input and Output for Port Mirroring Analyzers on EX Series Switches Purpose

Verify that an analyzer has been created on the switch and has the appropriate output interfaces, and appropriate output interface.


5109

®


Action

You can verify the port mirror analyzer is configured as expected using the show analyzer command. [edit] user@switch> show analyzer Analyzer name Output VLAN Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces

: : : : : :


You can view all of the port mirror analyzers configured on the switch, including any that are disabled, using the show ethernet-switching-options command in configuration mode. user@switch# show ethernet-switching-options inactive: analyzer employee-web-monitor { loss-priority high; output { analyzer employee-monitor { loss-priority high; input { ingress { interface ge-0/0/0.0; interface ge-0/0/1.0; } } output { vlan { remote-analyzer; } } }

Meaning


This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), a loss priority of high (set this option to high whenever the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and sending the mirrored traffic to the analyzer called remote-analyzer.

•


•


•


•


•


Troubleshooting Port Mirroring Configuration •

5110

Troubleshooting Port Mirroring Configuration Error Messages on page 5111



Troubleshooting Port Mirroring Configuration Error Messages Troubleshooting issues with port mirroring on EX Series switches: 1.

An Analyzer Configuration Returns a “Multiple interfaces cannot be configured as a member of Analyzer output VLAN” Error Message on page 5111

An Analyzer Configuration Returns a “Multiple interfaces cannot be configured as a member of Analyzer output VLAN” Error Message Problem

In an analyzer configuration, if the VLAN to which mirrored traffic is sent contains more than one member interface, the following error message is displayed in the CLI when you commit the analyzer configuration and the commit fails: Multiple interfaces cannot be configured as a member of Analyzer output VLAN

Solution

You must direct the mirrored traffic to a VLAN that has a single member interface. You can do this by completing either of these tasks: •

Reconfigure the existing VLAN to contain a single member interface. You can choose this method if you want to use the existing VLAN.

•

Create a new VLAN with a single member interface and associate the VLAN with the analyzer.

To reconfigure the existing VLAN to contain only one member interface: 1.

Remove member interfaces from the VLAN repeatedly by using either the delete vlan command or the delete interface command until the VLAN contains a single member interface: •

[edit] user@switch# delete vlan vlan-id interface interface-name

•

[edit] user@switch# delete interface interface-name unit 0 family family-name vlan member vlan-id

2. (Optional) Confirm that the VLAN contains only one interface: [edit] user@switch# show vlans vlan-name

The output for this command must display only one interface. To create a new VLAN with a single member interface: 1.

Configure a VLAN to carry the mirrored traffic: [edit] user@switch# set vlans vlan-name

2. Associate an interface with the VLAN: [edit] user@switch# set interfaces interface-name unit logical-unit-number family family-name vlan members vlan-name 3. Associate the VLAN with the analyzer:


5111

®


[edit ethernet-switching-options] user@switch# set analyzer analyzer-name output vlan vlan-name


•


•


•


•


Configuration Statements for Port Mirroring •


[edit ethernet-switching-options] Configuration Statement Hierarchy ethernet-switching-options { analyzer { name { loss-priority (Port Mirroring) priority; ratio number; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } bpdu-block { disable-timeout (Spanning Trees) timeout; interface (BPDU Block) (all | [interface-name]); } dot1q-tunneling (Ethernet Switching) { ether-type (0x8100 | 0x88a8 | 0x9100); } interfaces (Q-in-Q Tunneling) interface-name { no-mac-learning (Q-in-Q Interfaces); } mac-notification { notification-interval seconds; } mac-table-aging-time seconds;

5112



nonstop-bridging; port-error-disable { disable-timeout timeout; } redundant-trunk-group { group name { preempt-cutover-timer seconds; interface primary; } interface } } secure-access-port { dhcp-snooping-file { location (DHCP Snooping Database) local_pathname | remote_URL; timeout seconds; write-interval seconds; } interface (Access Port Security) (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); fcoe-trusted; mac-limit (Access Port Security) limit action action; no-allowed-mac-log; persistent-learning; static-ip ip-address { vlan (DHCP Bindings on Access Ports) vlan-name; mac mac-address; } } vlan (Access Port Security) (all | vlan-name) { (arp-inspection | no-arp-inspection) [ forwarding-class (for DHCP Snooping or DAI Packets) class-name; } dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (Remote ID for Option 82) hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp) { forwarding-class (for DHCP Snooping or DAI Packets) class-name; } examine-fip { fc-map fc-map-value; }


5113

®


(ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } static { vlan name { mac mac-address { next-hop interface-name; } } } storm-control { action-shutdown; interface (Storm Control) (all | interface-name) { bandwidth bandwidth; no-broadcast; no-multicast; no-registered-multicast; no-unknown-unicast; no-unregistered-multicast; } } traceoptions (Access Port Security) { file filename ; flag flag ; } unknown-unicast-forwarding { vlan (Unknown Unicast Forwarding) (all | vlan-name) { interface (Unknown Unicast Forwarding) interface-name; } } voip { interface (VoIP) (all | [interface-name | access-ports]) { vlan (VoIP) vlan-name ; forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding | network-control); } } }


5114

•


•


•


•


•


•


•


•




•


•


•


•



5115

®


analyzer Syntax


Default Options

analyzer { name { ratio number; loss-priority (Port Mirroring) priority; input (Port Mirroring) { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } output (Port Mirroring) { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } } } [edit ethernet-switching-options]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure port mirroring. One analyzer (port mirroring configuration) can be configured on an EX2200, EX3200, EX4200, or EX4500 switch and seven analyzers (port mirroring configurations) can be configured on an EX8208 or EX8216 switch at a time. Other analyzers can be present and disabled. Port mirroring is disabled and Junos OS creates no default analyzers. name—Name that identifies the analyzer. The name can be up to 125 characters long,

must begin with a letter, and can include uppercase letters, lowercase letters, numbers, dashes, and underscores. No other special characters are allowed. The remaining statements are explained separately. Required Privilege Level Related Documentation

5116



•


•




egress Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

egress; [edit vlans vlan-name vlan-id number interface interface-name]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specify that the member interface of the VLAN allows only egress traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


egress (Interface or VLAN) Syntax


egress { interface (all | interface-name); vlan (vlan-id | vlan-name); } [edit ethernet-switching-options analyzer name input (Port Mirroring)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify ports or VLANs for which traffic exiting the interface or VLAN is mirrored in a port mirroring configuration. You can define the egress VLAN ID or VLAN name for port mirroring only for EX8200 switches. The remaining statements are explained separately.





5117

®



5118






5119

®




[edit]



5120



•


•


•


•


•


•


•


•


•


•




ingress Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

ingress; [edit vlans vlan-name vlan-id number interface interface-name]

Statement introduced in Junos OS Release 10.0 for EX Series switches. Specify that the member interface of the VLAN allows only ingress traffic. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


ingress (Interface or VLAN) Syntax


ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } [edit ethernet-switching-options analyzer name input (Port Mirroring)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure ports or VLANs for which the entering traffic is mirrored as part of a port mirroring configuration. You can define the ingress VLAN ID or VLAN name for port mirroring for all switches except EX8200 switches. The remaining statements are explained separately.





5121

®


input Syntax


input { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } } [edit ethernet-switching-options analyzer name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Define the traffic to be mirrored in a port mirroring configuration—the definition can be a combination of: •


•

Packets entering a VLAN on an EX2200, EX3200, EX4200, or EX4500 switch

•

Packets exiting a VLAN on an EX8200 switch


5122

No default. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•






interface (all | interface-name); [edit ethernet-switching-options analyzer name input (Port Mirroring) egress], [edit ethernet-switching-options analyzer name input (Port Mirroring) ingress], [edit ethernet-switching-options analyzer name output (Port Mirroring)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the interfaces for which traffic is mirrored. all—Apply port mirroring to all interfaces on the switch. Mirroring a high volume of traffic can be performance intensive for the switch. Therefore, you should generally select specific input interfaces in preference to using the all keyword, or use the all keyword in combination with setting a ratio for statistical sampling. interface-name—Apply port mirroring to the specified interface only.




•


•



5123

®


loss-priority Syntax Hierarchy Level Release Information Description

loss-priority priority; [edit ethernet-switching-options analyzer name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a loss priority for mirrored packets. By default, the switch applies a lower priority to mirrored data than to regular port-to-port data—mirrored traffic is dropped in preference for regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high.

Default

Low

Options

priority—The value for priority can be low or high. Default: low




•


no-tag Syntax Hierarchy Level Release Information Description Required Privilege Level Related Documentation

5124

no-tag; [edit ethernet-switching-options analyzer name output vlan (vlan-id | vlan-name)]

Statement introduced in Junos OS Release 11.3 for EX Series switches. Specify that remote port mirroring packets are not tagged. system—To view this statement in the configuration. system-control—To add this statement to the configuration. •


•


•




output Syntax


output { interface interface-name; vlan (vlan-id | vlan-name) { no-tag; } } [edit ethernet-switching-options analyzer name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the destination for mirrored traffic, either an interface on the switch, for local monitoring, or a VLAN, for remote monitoring. You can optionally configure the no-tag statement so that remote port mirroring packets are not tagged. The remaining statements are explained separately.




•



5125

®


ratio Syntax Hierarchy Level Release Information Description

ratio number; [edit ethernet-switching-options analyzer name]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure port mirroring to copy a sampling of packets, by setting a ratio of 1:x. A value of 1 for x mirrors every packet, and 2047 mirrors 1 out of every 2047 packets. On EX8200 switches, you can set a ratio only for ingress packets. On EX4500 switches, if you configure a ratio for any one of the port-based analyzers, that ratio automatically applies to all port-based analyzers.

Default Options

1 number—The number of packets in the sample, out of which 1 packet is mirrored.


5126





vlan Syntax

Hierarchy Level


Options

vlan (vlan-id | vlan-name) { no-tag; } [edit ethernet-switching-options analyzer name input (Port Mirroring) egress], [edit ethernet-switching-options analyzer name input (Port Mirroring) ingress], [edit ethernet-switching-options analyzer name output (Port Mirroring)]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure mirrored traffic to be sent to a VLAN for remote monitoring. On a destination (output) VLAN, you can also configure the no-tag statement. vlan-id—Numeric VLAN identifier. vlan-name—Name of the VLAN. The remaining statement is explained separately.


system—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


Operational Commands for Port Mirroring


5127

®


show analyzer Syntax Release Information Description Options Required Privilege Level Related Documentation List of Sample Output Output Fields

show analyzer analyzer-name

Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about analyzers configured for port mirroring. analyzer-name—(Optional) Displays the status of a specific analyzer on the switch.

view

•


show analyzer on page 5128 Table 598 on page 5128 lists the output fields for the command-name command. Output fields are listed in the approximate order in which they appear.

Table 598: show analyzer Output Fields Field Name

Field Description

Analyzer name

Displays the name of the analyzer.

Output interface

Specifies a local interface to which mirrored packets are sent. An analyzer can have output to either an interface or a VLAN, not both.

Output VLAN

Specifies a VLAN to which mirrored packets are sent. An analyzer can have output to either an interface or a VLAN, not both.

Mirror ratio

Displays the ratio of packets to be mirrored, between 1 and 2047 where 1 sends copies of all packets and 2047 sends copies of 1 out of every 2047 packets.

Loss priority

Displays the loss priority of mirrored packets. By default, loss priority is set to low, with mirrored traffic dropped in preference for regular traffic when capacity is exceeded. For analyzers with output to a VLAN, set the loss priority to high.

Egress monitored interfaces

Displays interfaces for which traffic exiting the interfaces is mirrored.

Ingress monitored interfaces

Displays interfaces for which traffic entering the interfaces is mirrored.

Ingress monitored VLANs

Displays VLANs for which traffic entering the VLAN is mirrored.

Sample Output show analyzer

5128

user@host> show analyzer Analyzer name Output interface Output VLAN

: employee-monitor : ge-0/0/10.0 : remote-analyzer



Mirror ratio Loss priority Egress monitored interfaces Ingress monitored interfaces Ingress monitored interfaces


: : : : :

1 High ge-0/0/3.0 ge-0/0/0.0 ge-0/0/1.0

5129

®


5130


CHAPTER 144

sFlow Monitoring Technology •

sFlow Technology—Overview on page 5131

•

Example: sFlow Technology Configuration on page 5134

•

Configuring sFlow Technology on page 5138

•

Configuration Statements for sFlow Technology on page 5140

•

Operational Commands for sFlow Technology on page 5154

sFlow Technology—Overview •


Understanding How to Use sFlow Technology for Network Monitoring on an EX Series Switch The sFlow technology is a monitoring technology for high-speed switched or routed networks. sFlow monitoring technology randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow technology on a Juniper Networks EX Series Ethernet Switch to continuously monitor traffic at wire speed on all interfaces simultaneously. This topic describes: •

Sampling Mechanism and Architecture of sFlow Technology on EX Series Switches on page 5131

•

Adaptive Sampling on page 5132

•

sFlow Agent Address Assignment on page 5133

Sampling Mechanism and Architecture of sFlow Technology on EX Series Switches sFlow technology uses the following two sampling mechanisms: •

Packet-based sampling: Samples one packet out of a specified number of packets from an interface enabled for sFlow technology.

•

Time-based sampling: Samples interface statistics at a specified interval from an interface enabled for sFlow technology.

The sampling information is used to create a network traffic visibility picture. The Juniper Networks Junos operating system (Junos OS) fully supports the sFlow standard described


5131

®


in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks (see http://faqs.org/rfcs/rfc3176.html).

NOTE: sFlow technology on the switches samples only raw packet headers. A raw Ethernet packet is the complete Layer 2 network frame.

An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent’s two main activities are random sampling and statistics gathering. It combines interface counters and flow samples and sends them across the network to the sFlow collector in UDP datagrams, directing those datagrams to the IP address and UDP destination port of the collector. Each datagram contains the following information: •

The IP address of the sFlow agent

•

The number of samples

•

The interface through which the packets entered the agent

•

The interface through which the packets exited the agent

•

The source and destination interface for the packets

•

The source and destination VLAN for the packets

EX Series switches adopt the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each Packet Forwarding Engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample messages to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed across subagents, the protocol overhead associated with sFlow technology is significantly reduced at the collector.

NOTE: If the mastership assignment changes in a Virtual Chassis setup, sFlow technology continues to function.

Adaptive Sampling The switches use adaptive sampling to ensure both sampling accuracy and efficiency. Adaptive sampling is a process of monitoring the overall incoming traffic rate on the network device and providing intelligent feedback to interfaces to dynamically adapt their sampling rate to the traffic conditions. Interfaces on which incoming traffic exceeds the system threshold are checked so that all violations can be regulated without affecting the traffic on other interfaces. Every 5 seconds the agent checks interfaces to get the number of samples, and interfaces are grouped based on the slot that they belong to. The top five interfaces that produce the highest number of samples are selected. Using the binary backoff algorithm, the sampling load on these interfaces is reduced by half and allotted to interfaces that have a lower sampling rate. Therefore when the processor

5132


Chapter 144: sFlow Monitoring Technology

limit is reached, the sampling rate is adapted such that it does not load the processor any further. If the switch is rebooted, the adaptive sampling rate is reset to the user-configured sampling rate. Also, if you modify the sampling rate, the adaptive sampling rate changes. The advantage of adaptive sampling is that the switch continues to operate at its optimum level even when there is a change in the traffic patterns in the interfaces. You do not need to make any changes. Because the sampling rate adapts dynamically to changing network conditions, the resources are utilized optimally resulting in a high performance network. Infrequent sampling flows are not reported in the sFlow information, but over time the majority of flows are reported. Based on a defined sampling rate, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a 100 percent accurate result in the analysis, but it does provide a result with quantifiable accuracy. A user-configured polling interval defines how often the sFlow data for a specific interface are sent to the collector, but an sFlow agent can also schedule polling.

NOTE: sFlow technology on EX Series switches does not support graceful restart. When a graceful restart occurs, the adaptive sampling rate is set to the user-configured sampling rate.

sFlow Agent Address Assignment The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. You can configure the IP address of the sFlow agent to ensure that the agent ID for the sFlow agent remains constant. If you do not specify the IP address to be assigned to the agent, an IP address is automatically assigned to the agent based on the following order of priority of interfaces configured on the switch: 1. Virtual management Ethernet (VME) interface 2. Management Ethernet interface If neither of the preceding interfaces has been configured, the IP address of any Layer 3 interface or the routed VLAN interface (RVI) is assigned to the agent. At least one interface must be configured on the switch for an IP address to be automatically assigned to the agent. When the agent’s IP address is assigned automatically, the IP address is dynamic and changes when the switch reboots. sFlow data can be used to provide network traffic visibility information. You can explicitly configure the IP address to be assigned to source data (sFlow datagrams). If you do not explicitly configure that address, the IP address of the configured Gigabit Ethernet interface, 10-Gigabit Ethernet interface, or the routed VLAN interface (RVI) is used as the source IP address. Related Documentation

•

Example: Configuring sFlow Technology to Monitor Network Traffic on EX Series Switches on page 5134

•

Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 5138

•



5133

®


Example: sFlow Technology Configuration •


Example: Configuring sFlow Technology to Monitor Network Traffic on EX Series Switches You can configure sFlow technology, designed for monitoring high-speed switched or routed networks, to continuously monitor traffic at wire speed on all interfaces simultaneously. You can specify sample rates for ingress and egress packets. sFlow data can be used to provide network traffic visibility information. This example describes how to configure and use sFlow technology to monitor network traffic. Junos OS fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks (see http://faqs.org/rfcs/rfc3176.html). •


•


•


•




•


Overview and Topology sFlow technology is a statistical-sampling–based network monitoring technology for high-speed switched or routed networks. sFlow technology samples network packets and sends the samples to a monitoring station. You can specify sample rates for ingress and egress packets. The information gathered is used to create a network traffic visibility picture. An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent runs on the switch. It combines interface counters and flow samples and sends them across the network to the sFlow collector. Figure 142 on page 5135 depicts the basic elements of the sFlow system.

5134



Figure 142: sFlow Technology Monitoring System

Configuration To configure sFlow technology, perform the following tasks: CLI Quick Configuration

To quickly configure sFlow technology, copy the following commands and paste them into the switch terminal window: [edit protocols] set sflow collector 10.204.32.46 udp-port 5600 set sflow interfaces ge-0/0/0 set sflow polling-interval 20 set sflow sample-rate egress 1000


To configure sFlow technology: 1.

Configure the IP address and UDP port of the collector: [edit protocols] user@switch# set sflow collector 10.204.32.46 udp-port 5600

NOTE: You can configure a maximum of 4 collectors.

2.

Enable sFlow technology on a specific interface:


5135

®


[edit protocols sflow] user@switch# set interfaces (sFlow Monitoring Technology) ge-0/0/0

NOTE: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface. You cannot enable sFlow technology on a link aggregation group (LAG) interface—that is, an aggregated Ethernet interface with a name such as ae0. You can enable sFlow technology on the member interfaces that make up the LAG.

3.

Specify how often the sFlow agent polls the interface: [edit protocols sflow] user@switch# set polling-interval 20

NOTE: The polling interval can be specified as a global parameter also. Specify 0 if you do not want to poll the interface.

4.

Specify the rate at which egress packets must be sampled:

NOTE: The sample-rate number (the global sample-rate) statement has been deprecated and might be removed from future product releases. We strongly recommend that you phase out its use.

[edit protocols sflow] user@switch# set sample-rate egress 1000

NOTE: If you set only the egress sample rate, the ingress sample rate will be disabled.

Results

Check the results of the configuration: [edit protocols sflow] user@switch# show polling-interval 20; sample-rate egress 1000; collector 10.204.32.46 { udp-port 5600; } interfaces ge-0/0/0.0;

5136




Verifying That sFlow Technology Has Been Configured Properly on page 5137

•

Verifying That sFlow Technology Is Enabled on the Intended Interface on page 5137

•

Verifying the sFlow Collector Configuration on page 5138

Verifying That sFlow Technology Has Been Configured Properly Purpose Action

Verify that sFlow technology has been configured properly. Use the show sflow command: user@switch> show sflow sFlow: Enabled Sample limit: 300 packets/second Polling interval: 20 seconds Sample rate egress: 1:1000: Enabled Sample rate ingress: 1:2048: Disabled Agent ID: 10.204.96.222

NOTE: The sample limit cannot be configured and is set to 300 packets/second.

Meaning

The output shows that sFlow technology is enabled and specifies the values for the sample limit, polling interval, and sample rate. Verifying That sFlow Technology Is Enabled on the Intended Interface

Purpose

Action

Verify that sFlow technology is enabled on interfaces and display the sampling parameters. Use the show sflow interface command: user@switch> show sflow interface Interface Status Sample rate

ge-0/0/0.0

Adapted sample rate

Egress Ingress Egress Ingress Enabled Disabled 1000 2048

Polling-interval

Egress Ingress 1000 2048

20

NOTE: The sample limit cannot be configured and is set to 300 packets/second.

Meaning

The output indicates that sFlow technology is enabled on the ge-0/0/0.0 interface with an egress sample rate of 1000, a disabled ingress sample rate, a sampling limit of 300 packets per second and a polling interval of 20 seconds.


5137

®


Verifying the sFlow Collector Configuration Purpose Action

Verify the sFlow collector's configuration. Use the show sflow collector command: user@switch> show sflow collector Collector address 10.204.32.46 10.204.32.76

Meaning


Udp-port

No. of samples

5600 3400

1000 1000

The output displays the IP address of the collectors and the UDP ports. It also displays the number of samples.

•


•


Configuring sFlow Technology •


Configuring sFlow Technology for Network Monitoring (CLI Procedure) You can configure sFlow technology, designed for monitoring high-speed switched or routed networks, to continuously monitor traffic at wire speed on all interfaces simultaneously. Junos OS fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks (see http://faqs.org/rfcs/rfc3176.html).` To configure sFlow features: 1.

Configure the IP address and the UDP port of the collector: [edit protocols] user@switch# set sflow collector ip-address udp-port port-number

2. Enable sFlow technology on a specific interface: [edit protocols sflow] user@switch# set interfaces (sFlow Monitoring Technology) interface-name

NOTE: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface. You cannot enable sFlow technology on a link aggregation group (LAG), but you can enable it on the member interfaces of a LAG.

3. Specify how often the sFlow agent polls the interface: [edit protocols sflow]

5138



user@switch# set polling-interval seconds

NOTE: Specify 0 if you do not want to poll the interface.

4. Specify the rate at which packets must be sampled. You can specify either an egress

or an ingress qualifier, or both.

NOTE: The sample-rate number (the global sample rate) statement has been deprecated and might be removed from future product releases. We strongly recommend that you phase out its use.

NOTE: We recommend that you configure the same sample rates for both ingress and egress. If the sample rates are different, the lower value is used.

To specify an egress sample rate: [edit protocols sflow] user@switch# set sample-rate egress number

To specify an ingress sample rate: [edit protocols sflow] user@switch# set sample-rate ingress number 5. To configure the polling interval and the egress and ingress sample rates at the

interface level: [edit protocols sflow interfaces (sFlow Monitoring Technology) interface-name] user@switch# set polling-interval seconds [edit protocols sflow interfaces (sFlow Monitoring Technology)] user@switch# set sample-rate egress number [edit protocols sflow interfaces (sFlow Monitoring Technology)] user@switch# set sample-rate ingress number

NOTE: The interface-level configuration overrides the global configuration.

6. To specify an IP address to be used as the agent ID for the sFlow agent: [edit protocols sflow] user@switch# set agent-id ip-address 7. To specify the source IP address to be used for sFlow datagrams: [edit protocols sflow] user@switch# set source-ip ip-address


•


•



5139

®


Configuration Statements for sFlow Technology •


[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; } } dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; }

5140



} lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send); } } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } }


5141

®


mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress {

5142



description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; disable; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees);


5143

®


cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name;

5144



remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable; calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count; symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees);


5145

®


bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number; ingress number; } source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) {

5146



block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name; } } } traceoptions (Uplink Failure Detection) { file filename ; flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority;


5147

®


} max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }


5148

•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•




collector Syntax


collector { ip-address; udp-port port-number; } [edit protocols sflow]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure a remote collector for sFlow network traffic monitoring. The switch sends sFlow UDP datagrams to this collector for analysis. You can configure up to four collectors on the switch. You configure a collector by specifying its IP address and a UDP port. The remaining statements are explained separately.



[edit protocols] Configuration Statement Hierarchy on EX Series Switches on page 96

•


•





disable; [edit protocols sflow], [edit protocols sflow interfaces (sFlow Monitoring Technology) interface-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Disable the sFlow monitoring protocol on all interfaces on the switch or on the specified interface. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•



5149

®


interfaces Syntax


interfaces interface-name { polling-interval seconds; sample-rate { egress number; ingress number; } } [edit protocols sflow]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure sFlow network traffic monitoring on the specified interface on the switch. You can configure sFlow parameters such as polling interval and sample rate with different values on different interfaces, and you can also disable sFlow monitoring on individual interfaces. The remaining statements are explained separately.


5150

interface-name—Name of the interface on which to configure sFlow parameters.



•


•




polling-interval Syntax Hierarchy Level

Release Information

polling-interval seconds; [edit protocols sflow], [edit protocols sflow interfaces (sFlow Monitoring Technology) interface-name]


Description

Configure the interval (in seconds) that the switch waits between port statistics update messages. “Polling” refers to the switch’s gathering various statistics for the network interfaces configured for sFlow monitoring and exporting the statistics to the configured sFlow collector.

Default

If no polling interval is configured for a particular interface, the switch waits the number of seconds that is configured for the global sFlow configuration. If no global interval is configured, the switch waits 20 seconds between messages.

Options

seconds—Number of seconds between port statistics update messages. A 0 (zero) value

specifies that polling is disabled. Range: 0–3600 seconds Default: 20 seconds Required Privilege Level Related Documentation



•


•



5151

®


sample-rate Syntax

Hierarchy Level

Release Information

sample-rate { egress number; ingress number; } [edit protocols sflow], [edit protocols sflow interfaces (sFlow Monitoring Technology) interface-name]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Option number (directly following sample-rate) deprecated and options egress number and ingress number added in Junos OS Release 10.4 for EX Series switches.

Description

Set the ratios of the number of packets to be sampled in sFlow network traffic monitoring. For example, if you specify a rate of 1000, every thousandth packet (1 packet out of 1000) is sampled.

Default

By default, both ingress and egress sample rates are disabled if no global sample rate is configured.

NOTE: The sample-rate number (the global sample-rate) statement has been deprecated and might be removed from future product releases. We strongly recommend that you phase out its use.

Options

egress number—Egress qualifier for the sample rate.

Range: 100–1073741823 Default: 2048 ingress number—Ingress qualifier for the sample rate.


5152



•


•




sflow Syntax


Description

sflow { agent-id ip-address; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; source-ip ip-address; } [edit protocols]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Options agent-id and source-ip added in Junos OS Release 10.2 for EX Series switches. Configure sFlow technology, designed for monitoring high-speed switched or routed networks, to continuously monitor traffic at wire speed on specified interfaces simultaneously. sFlow data can be used to provide network traffic visibility information. The remaining statements are explained separately.


The sFlow protocol is disabled by default. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


•



5153

®


udp-port Syntax Hierarchy Level Release Information Description

Options

udp-port port-number; [edit protocols sflow collector]

Statement introduced in Junos OS Release 9.3 for EX Series switches. Configure the UDP port for a remote collector for sFlow network traffic monitoring. The switch sends sFlow UDP datagrams to the collector for analysis. port-number—UDP port number for this collector.




•


•


Operational Commands for sFlow Technology

5154



show sflow Syntax


show sflow

Command introduced in Junos OS Release 9.3 for EX Series switches. Display default sFlow technology configuration information. none—Display default sFlow technology configuration information. collector—(Optional) Display standard status information about the specified sFlow

collector. interface—(Optional) Display standard status information about the specified sFlow



view

•

show sflow interface on page 5158

•

show sflow collector on page 5157

•


•


show sflow on page 5156 Table 599 on page 5155 lists the output fields for the show sflow command. Output fields are listed in the approximate order in which they appear.

Table 599: show sflow Output Fields Field Name

Field Description

Level of Output

sFlow

Status of the feature: enabled or disabled.

All levels

Sample rate egress

Rate at which egress packets are sampled.

All levels

Sample rate ingress

Rate at which ingress packets are sampled.

All levels

Sample limit

Number of packets sampled per second. The sample limit cannot be configured and is set to 300 packets/second.

All levels

Polling interval

Interval at which the sFlow agent polls the interface.

All levels

Agent ID

The IP address assigned to the sFlow agent.

All levels


5155

®


Sample Output show sflow

5156

sFlow : Enabled Sample rate egress : 1:1000 Sample rate ingress : 1: 2048: Disabled Sample limit : 300 packets/second Polling interval : 20 seconds Agent ID : 10.93.54.7 Source IP address : 10.93.54.7



show sflow collector Syntax Release Information Description Required Privilege Level Related Documentation


show sflow collector

Command introduced in Junos OS Release 9.3 for EX Series switches. Displays a list of configured sFlow collectors and their properties. view

•

show sflow on page 5155

•

show sflow interface on page 5158

•


•


show sflow collector on page 5157 Table 600 on page 5157 lists the output fields for the show sflow collector command. Output fields are listed in the approximate order in which they appear.

Table 600: show sflow collector Output Fields Field Name

Field Description

Level of Output

IP address

IP address of the collector.

All levels

UDP port

UDP port number.

All levels

No of samples

Packet sampling rate.

All levels

Sample Output show sflow collector

IP-address 10.204.32.46 100.204.32.76


UDP-Port No of samples 5600 1000 3400 1000

5157

®


show sflow interface Syntax Release Information Description Required Privilege Level Related Documentation


show sflow interface

Command introduced in Junos OS Release 9.3 for EX Series switches. Display the interfaces on which sFlow technology is enabled and the sampling parameters. view

•

show sflow on page 5155

•

show sflow collector on page 5157

•


•


show sflow interface on page 5158 Table 601 on page 5158 lists the output fields for the show sflow interface command. Output fields are listed in the approximate order in which they appear.

Table 601: show sflow interface Output Fields Field Name

Field Description

Level of Output

Interface

Interfaces on which sFlow technology is enabled.

All levels

Status Egress

Indicates whether egress sample rate is enabled.

All levels

Status Ingress

Indicates whether ingress sample rate is enabled.

All levels

Sample rate Egress

Rate at which egress packets are sampled.

All levels

Sample rate Ingress

Rate at which ingress packets are sampled.

All levels

Adapted sample rate Egress

Adapted rate at which egress packets are sampled.

All levels

Adapted sample rate Ingress

Adapted rate at which ingress packets are sampled.

All levels

Polling-interval

The interval at which the sFlow agent polls the interface.

All levels

Sample Output show sflow interface

Interface

ge-0/0/0.0

5158

Status

Sample rate

Adapted sample rate

Egress Ingress Egress Ingress Enabled Disabled 1000 2048

Egress Ingress 1000 2048

Polling-interval

20




5159

®


5160


CHAPTER 145

SNMP •

Configuring SNMP on page 5161

•

Configuration Statements for SNMP on page 5164

•

Operational Commands for SNMP on page 5229

•


Configuring SNMP

Configuring SNMP (J-Web Procedure) You can use the J-Web interface to define system identification information, create SNMP communities, create SNMP trap groups, and configure health monitor options for EX Series switches. To configure SNMP features: 1.

Select Configure > Services > SNMP.

2. Enter information into the configuration page for SNMP as described in Table 602 on

page 5161. 3. To apply the configuration click Apply.


Table 602: SNMP Configuration Page Field

Function

Your Action

Free-form text string that specifies an administrative contact for the system.

Type contact information for the administrator of the system (such as name and phone number).

Identification Contact Information


5161

®


Table 602: SNMP Configuration Page (continued) Field

Function

Your Action

System Description

Free-form text string that specifies a description for the system.

Type information that describes the system

Local Engine ID

Provides an administratively unique identifier of an SNMPv3 engine for system identification.

Type the MAC address of Ethernet management port 0.

The local engine ID contains a prefix and a suffix. The prefix is formatted according to specifications defined in RFC 3411. The suffix is defined by the local engine ID. Generally, the local engine ID suffix is the MAC address of Ethernet management port 0. System Location

Free-form text string that specifies the location of the system.

Type location information for the system (lab name or rack name, for example).

System Override Name

Free-form text string that overrides the system hostname.

Type the hostname of the system.

Communities To add a community, click Add Community Name

Specifies the name of the SNMP community.

Type the name of the community being added.

Authorization

Specifies the type of authorization (either read-only or read-write) for the SNMP community being configured.

Select the authorization (either read-only or read-write) from the list.

Traps To add a trap group, click Add. Trap Group Name

5162

Specifies the name of the SNMP trap group being configured.

Type the name of the group being added.


Chapter 145: SNMP


Function

Your Action

Categories

Specifies which trap categories are added to the trap group being configured.

•

To generate traps for authentication failures, select Authentication.

•

To generate traps for chassis and environment notifications, select Chassis.

•

To generate traps for configuration changes, select Configuration.

•

To generate traps for link-related notifications (up-down transitions), select Link.

•

To generate traps for remote operation notifications, select Remote operations.

•

To generate traps for remote network monitoring (RMON), select RMON alarm.

•

To generate traps for routing protocol notifications, select Routing.

•

To generate traps on system warm and cold starts, select Startup.

•

To generate traps on Virtual Router Redundancy Protocol (VRRP) events (such as new-master or authentication failures), select VRRP events.

1.

Enter the hostname or IP address, in dotted decimal notation, of the target system to receive the SNMP traps.

Targets

Specifies one or more hostnames or IP addresses for the systems to receive SNMP traps generated by the trap group being configured.

2. Click Add. Health Monitoring Enable Health Monitoring

Interval

Enables the SNMP health monitor on the switch. The health monitor periodically (over the time you specify in the interval field) checks the following key indicators of switch health: •

Percentage of file storage used

•

Percentage of Routing Engine CPU used

•

Percentage of Routing Engine memory used

•

Percentage of memory used for each system process

•

Percentage of CPU used by the forwarding process

•

Percentage of memory used for temporary storage by the forwarding process

Specifies the sampling frequency, in seconds, over which the key health indicators are sampled and compared with the rising and falling thresholds.

Select the check box to enable the health monitor and configure options. Clear the check box to disable the health monitor. NOTE: If you select the Enable Health Monitoring check box and do not specify options, then SNMP health monitoring is enabled with default values.

Enter an interval time, in seconds, from 1 through 2147483647. The default value is 300 seconds (5 minutes).

For example, if you configure the interval as 100 seconds, the values are checked every 100 seconds.


5163

®



Function

Your Action

Rising Threshold

Specifies the value at which SNMP generates an event (trap and system log message) when the value of a sampled indicator is increasing.

Enter a value from 0 through 100. The default value is 90.

For example, if the rising threshold is 90 (the default), SNMP generates an event when the value of any key indicator reaches or exceeds 90 percent. Falling Threshold

Specifies the value at which SNMP generates an event (trap and system log message) when the value of a sampled indicator is decreasing. For example, if the falling threshold is 80 (the default), SNMP generates an event when the value of any key indicator falls back to 80 percent or less.


Enter a value from 0 through 100. The default value is 80. NOTE: The falling threshold value must be less than the rising threshold value.

•


•


Configuration Statements for SNMP •

[edit snmp] Configuration Statement Hierarchy on page 5164

[edit snmp] Configuration Statement Hierarchy snmp { rmon { history index { bucket-size number; interface (SNMP RMON History) interface-name; interval seconds; owner owner-name; } } }


5164

•


•



Chapter 145: SNMP

address Syntax Hierarchy Level Release Information

Description Options

address address; [edit snmp v3 target-address target-address-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the SNMP target address. address—IPv4 address of the system to receive traps or informs. You must specify an

address, not a hostname. Required Privilege Level Related Documentation

snmp—To view this statement in the configuration. snmp-control—To add this statement to the configuration. •

Configuring the Address

address-mask Syntax Hierarchy Level Release Information


address-mask address-mask; [edit snmp v3 target-address target-address-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Verify the source addresses for a group of target addresses. address-mask combined with the address defines a range of addresses.


Configuring the Address Mask


5165

®


agent-address Syntax Hierarchy Level Release Information

Description

Options

agent-address outgoing-interface; [edit snmp trap-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the agent address of all SNMPv1 traps generated by this router or switch. Currently, the only option is outgoing-interface, which sets the agent address of each SNMPv1 trap to the address of the outgoing interface of that trap. outgoing-interface—Value of the agent address of all SNMPv1 traps generated by this

router or switch. The outgoing-interface option sets the agent address of each SNMPv1 trap to the address of the outgoing interface of that trap. Default: disabled (the agent address is not specified in SNMPv1 traps). Required Privilege Level Related Documentation

5166


Configuring the Agent Address for SNMP Traps


Chapter 145: SNMP

alarm Syntax


Description Options

alarm index { description description; falling-event-index index; falling-threshold integer; falling-threshold-interval seconds; interval seconds; request-type (get-next-request | get-request | walk-request); rising-event-index index; rising-threshold integer; sample-type (absolute-value | delta-value); startup-alarm (falling-alarm | rising-alarm | rising-or-falling alarm); syslog-subtag syslog-subtag; variable oid-variable; } [edit snmp rmon]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure RMON alarm entries. index—Identifies this alarm entry as an integer.




•

event on page 5178


5167

®


authorization Syntax Hierarchy Level Release Information

Description Options

authorization authorization; [edit snmp community community-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Set the access authorization for SNMP Get, GetBulk, GetNext, and Set requests. authorization—Access authorization level: •

read-only—Enable Get, GetNext, and GetBulk requests.

•

read-write—Enable all requests, including Set requests. You must configure a view to

enable Set requests. Default: read-only Required Privilege Level Related Documentation


Configuring the SNMP Community String

bucket-size Syntax Hierarchy Level Release Information Description


5168

bucket-size number; [edit snmp rmon history]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the sampling of Ethernet statistics for network fault diagnosis, planning, and performance tuning. 50 number—Number of discrete samples of Ethernet statistics requested.

snmp—To view this statement in the configuration. snmp–control—To add this statement to the configuration. •


•



Chapter 145: SNMP

categories Syntax



categories { category; } [edit snmp trap-group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define the types of traps that are sent to the targets of the named trap group. If you omit the categories statement, all trap types are included in trap notifications. category—Name of a trap type: authentication, chassis, configuration, link, remote-operations, rmon-alarm, routing, sonet-alarms, startup, or vrrp-events.



Configuring SNMP Trap Groups

client-list Syntax


Description Options

client-list client-list-name { ip-addresses; } [edit snmp]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for QFX Series switches. Define a list of SNMP clients. client-list-name—Name of the client list. ip-addresses—IP addresses of the SNMP clients to be added to the client list,



Adding a Group of Clients to an SNMP Community


5169

®


client-list-name Syntax Hierarchy Level Release Information

client-list-name client-list-name; [edit snmp community community-name]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for FX Series switches.

Description

Add a client list or prefix list to an SNMP community.

Options

client-list-name—Name of the client list or prefix list.



Adding a Group of Clients to an SNMP Community

clients Syntax


Description

Default

Options

clients { address ; } [edit snmp community community-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for FX Series switches. Specify the IPv4 or IPv6 addresses of the SNMP client hosts that are authorized to use this community. If you omit the clients statement, all SNMP clients using this community string are authorized to access the router. address—Address of an SNMP client that is authorized to access this router. You must

specify an address, not a hostname. To specify more than one client, include multiple address options. restrict—(Optional) Do not allow the specified SNMP client to access the router.


5170




Chapter 145: SNMP

commit-delay Syntax

commit-delay seconds;

Hierarchy Level

[edit snmp nonvolatile]

Release Information

Description Options

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the timer for the SNMP Set reply and start of the commit. seconds—Delay between an affirmative SNMP Set reply and start of the commit.

Default: 5 seconds Required Privilege Level Related Documentation


Configuring the Commit Delay Timer


5171

®


community Syntax


Description

community community-name { authorization authorization; client-list-name client-list-name; clients { address restrict; } view view-name; } [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define an SNMP community. An SNMP community authorizes SNMP clients based on the source IP address of incoming SNMP request packets. A community also defines which MIB objects are available and the operations (read-only or read-write) allowed on those objects. The SNMP client application specifies an SNMP community name in Get, GetBulk, GetNext, and Set SNMP requests.

Default Options

If you omit the community statement, all SNMP requests are denied. community-name—Community string. If the name includes spaces, enclose it in quotation

marks (" "). The remaining statements are explained separately. Required Privilege Level Related Documentation

5172




Chapter 145: SNMP

community Syntax

community community-name;

Hierarchy Level

[edit snmp rmon event index]

Release Information

Description

Options

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. The trap group that is used when generating a trap (if eventType is configured to send traps). If that trap group has the rmon-alarm trap category configured, a trap is sent to all the targets configured for that trap group. The community string in the trap matches the name of the trap group (and hence, the value of eventCommunity). If nothing is configured, traps are sent to each group with the rmon-alarm category set. community-name—Identifies the trap group that is used when generating a trap if the

event is configured to send traps. Required Privilege Level Related Documentation


Configuring an Event Entry and Its Attributes


5173

®


community-name Syntax Hierarchy Level Release Information

Description

Options

community-name community-name; [edit snmp v3 snmp-community community-index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. The community name defines an SNMP community. The SNMP community authorizes SNMPv1 or SNMPv2 clients. The access privileges associated with the configured security name define which MIB objects are available and the operations (notify, read, or write) allowed on those objects. community-name—Community string for an SNMPv1 or SNMPv2c community. If

unconfigured, it is the same as the community index. If the name includes spaces, enclose it in quotation marks (" ").

NOTE: Community names must be unique. You cannot configure the same community name at the [edit snmp community] and [edit snmp v3 snmp-community community-index] hierarchy levels. The community name at the [edit snmp v3 snmp-community community-index] hierarchy level is encrypted and not displayed in the command-line interface (CLI).


5174


Configuring the SNMPv3 Community


Chapter 145: SNMP

contact Syntax Hierarchy Level Release Information

Description

Options

contact contact; [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define the value of the MIB II sysContact object, which is the contact person for the managed system. contact—Name of the contact person. If the name includes spaces, enclose it in quotation

marks (" "). Required Privilege Level Related Documentation


Configuring the System Contact on a Device Running Junos OS

description Syntax Hierarchy Level Release Information

Description

Options

description description; [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Define the value of the MIB II sysDescription object, which is the description of the system being managed. description—System description. If the name includes spaces, enclose it in quotation



Configuring the System Description on a Device Running Junos OS


5175

®



Release Information

Description Options

description description; [edit snmp rmon alarm index], [edit snmp rmon event index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Text description of alarm or event. description—Text description of an alarm or event entry. If the description includes spaces,

enclose it in quotation marks (" "). Required Privilege Level Related Documentation


Configuring the Description

•


destination-port Syntax Hierarchy Level Release Information

[edit snmp trap-group]


Description

Assign a trap port number other than the default.

Default

If you omit this statement, the default port is 162.


5176

destination-port port-number;

port-number—SNMP trap port number.




Chapter 145: SNMP

engine-id Syntax


Description

engine-id { (local engine-id-suffix | use-default-ip-address | use-mac-address); } [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.1 for EX Series switches. The local engine ID is defined as the administratively unique identifier of an SNMPv3 engine, and is used for identification, not for addressing. There are two parts of an engine ID: prefix and suffix. The prefix is formatted according to the specifications defined in RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks. You can configure the suffix here.

NOTE: SNMPv3 authentication and encryption keys are generated based on the associated passwords and the engine ID. If you configure or change the engine ID, you must commit the new engine ID before you configure SNMPv3 users. Otherwise the keys generated from the configured passwords are based on the previous engine ID. For the engine ID, we recommend using the MAC address of the management port.

Options

local engine-id-suffix—Explicit setting for the engine ID suffix. use-default-ip-address—The engine ID suffix is generated from the default IP address. use-mac-address—The SNMP engine identifier is generated from the MAC address of

the management interface on the router. Default: use-default-ip-address Required Privilege Level Related Documentation


Configuring the Local Engine ID


5177

®


event Syntax


Description Options

event index { community community-name; description description; type type; } [edit snmp rmon]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure RMON event entries. index—Identifier for a specific event entry.




•

alarm (SNMP RMON) on page 5167

falling-event-index Syntax Hierarchy Level Release Information

Description

Options

falling-event-index index; [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. The index of the event entry that is used when a falling threshold is crossed. If this value is zero, no event is triggered. index—Index of the event entry that is used when a falling threshold is crossed.

Range: 0 through 65,535 Default: 0 Required Privilege Level Related Documentation

5178


Configuring the Falling Event Index or Rising Event Index

•

rising-event-index on page 5199


Chapter 145: SNMP

falling-threshold Syntax Hierarchy Level Release Information

Description

Options

falling-threshold percentage; [edit snmp ]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. The lower threshold is expressed as a percentage of the maximum possible value for the sampled variable. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval is greater than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is less than or equal to this threshold. After a falling event is generated, another falling event cannot be generated until the sampled value rises above this threshold and reaches the rising-threshold. percentage—The lower threshold for the alarm entry.

Range: 1 through 100 Default: 70 percent of the maximum possible value Required Privilege Level Related Documentation


Configuring the Falling Threshold or Rising Threshold

•

rising-threshold on page 5200


5179

®


falling-threshold Syntax Hierarchy Level Release Information

Description

Options

falling-threshold integer; [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. The lower threshold for the sampled variable. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval is greater than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is less than or equal to this threshold, and the associated startup-alarm value is equal to falling-alarm value or rising-or-falling-alarm value. After a falling event is generated, another falling event cannot be generated until the sampled value rises above this threshold and reaches the rising-threshold. integer—The lower threshold for the alarm entry.

Range: -2,147,483,648 through 2,147,483,647 Default: 20 percent less than rising-threshold Required Privilege Level Related Documentation

5180



•

rising-threshold on page 5201


Chapter 145: SNMP

falling-threshold-interval Syntax Hierarchy Level Release Information

Description

Options

falling-threshold-interval seconds; [edit snmp rmon alarm index]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Interval between samples when the rising threshold is crossed. Once the alarm crosses the falling threshold, the regular sampling interval is used. seconds—Time between samples, in seconds.



Configuring the Falling Threshold Interval

•

interval (SNMP RMON) on page 5188

filter-duplicates Syntax Hierarchy Level Release Information


filter-duplicates; [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Filter duplicate Get, GetNext, or GetBulk SNMP requests. snmp—To view this statement in the configuration. snmp-control—To add this statement to the configuration. •

Filtering Duplicate SNMP Requests


5181

®


filter-interfaces Syntax


Description

Options

filter-interfaces { interfaces { all-internal-interfaces; interface 1; interface 2; } } [edit snmp]

Statement introduced in Junos OS Release 9.4. Statement introduced in Junos OS Release 9.4 for EX Series Switches. Filter out information related to specific interfaces from the output of SNMP Get and GetNext requests performed on interface-related MIBs. all-internal-interfaces—Filters out information from SNMP Get and GetNext requests for

the specified interfaces. interfaces—Specifies the interfaces to filter out from the output of SNMP Get and GetNext

requests. Required Privilege Level Related Documentation

5182


Filtering Interface Information Out of SNMP Get and GetNext Output


Chapter 145: SNMP

group (Configuring Group Name) Syntax


Description

group group-name { (default-context-prefix | context-prefix context-prefiix){ security-model (any | usm | v1 | v2c) { security-level (authentication | none | privacy) { notify-view view-name; read-view view-name; write-view view-name; } } } } [edit snmp v3 vacm access]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Assign the security name to a group, and specify the SNMPv3 context applicable to the group. The default-context-prefix statement, when included, adds all the contexts configured on the device to the group, whereas the context-prefix context-prefix statement enables you to specify a context and to add that particular context to the group. When the context prefix is specified as default (for example, context-prefix default), the context associated with the master routing instance is added to the group. The remaining statements under this hierarchy are documented in separate topics.


group-name—SNMPv3 group name created for the SNMPv3 group.


Configuring the Group


5183

®


group (Defining Access Privileges for an SNMPv3 Group) Syntax Hierarchy Level

Release Information

Description Options

group group-name; [edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c) security-name security-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define access privileges granted to a group. group-name—Identifies a collection of SNMP security names that belong to the same

access policy SNMP. Required Privilege Level Related Documentation


Configuring the Group

health-monitor Syntax


Description

health-monitor { falling-threshold percentage; interval seconds; rising-threshold percentage; } [edit snmp]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure health monitoring. The remaining statements are explained separately.


5184


Configuring Health Monitoring on Devices Running Junos OS


Chapter 145: SNMP

history Syntax


history history-index { bucket-size number; interface (SNMP RMON History) interface-name; interval seconds; owner owner-name; } [edit snmp rmon]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure RMON history group entries. This RMON feature can be used with the Simple Network Management Protocol (SNMP) agent in the switch to monitor all the traffic flowing among switches on all connected LAN segments. It collects statistics in accordance with user-configurable parameters. The history group controls the periodic statistical sampling of data from various types of networks. This group contains configuration entries that specify an interface, polling period, and other parameters. The interface (SNMP RMON History) interface-name statement is mandatory. Other statements in the history group are optional.

Default Options

Not configured. history-index—Identifies this history entry as an integer.




•



5185

®


interface Syntax Hierarchy Level Release Information

Description Default

interface [ interface-names ]; [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the interfaces on which SNMP requests can be accepted. If you omit this statement, SNMP requests entering the router or switch through any interface are accepted.

Options

interface-names—Names of one or more logical interfaces.


snmp—To view this statement in the configuration. snmp-control—To add this statement to the configuration.


•

Configuring the Interfaces on Which SNMP Requests Can Be Accepted

interface Syntax Hierarchy Level Release Information Description

interface interface-name; [edit snmp rmon history history-index]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the interface to be monitored in the specified RMON history entry. Only one interface can be specified for a particular RMON history index. There is a one-to-one relationship between the interface and the history index. The interface must be specified in order for the RMON history to be created.

Options

interface-name—Specify the interface to be monitored within the specified entry of the

RMON history of Ethernet statistics. Required Privilege Level Related Documentation

5186



•



Chapter 145: SNMP

interval Syntax Hierarchy Level Release Information Description Default Options Required Privilege Level

interval seconds; [edit snmp rmon history]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the interval over which data is to be sampled for the specified interface. 1800 sec seconds—Interval at which data is to be sampled for the specified interface.

snmp—To view this statement in the configuration. snmp–control—To add this statement to the configuration.

interval Syntax Hierarchy Level Release Information

Description Options

interval seconds; [edit snmp health-monitor]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. Interval between samples. seconds—Time between samples, in seconds.



Configuring the Interval


5187

®


interval Syntax Hierarchy Level Release Information

Description Options

interval seconds; [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Interval between samples. seconds—Time between samples, in seconds.



Configuring the Interval

location Syntax Hierarchy Level Release Information

location location; [edit snmp]


Description

Define the value of the MIB II sysLocation object, which is the physical location of the managed system.

Options

location—Location of the local system. You must enclose the name within quotation


5188


Configuring the System Location for a Device Running Junos OS


Chapter 145: SNMP

logical-system Syntax

Hierarchy Level

Release Information

logical-system logical-system-name { routing-instance routing-instance-name; } [edit snmp community community-name], [edit snmp trap-group], [edit snmp trap-options] [edit snmp v3target-address target-address-name]

Statement introduced in Junos OS Release 9.3 Statement introduced in Junos OS Release 9.0 for EX Series switches.

NOTE: The logical-system statement replaces the logical-router statement, and is backward-compatible with Junos OS Release 8.3 and later.

Description

Specify a logical system name for SNMP v1 and v2c clients. Include at the [edit snmp trap-options] hierarchy level to specify a logical-system address as the source address of an SNMP trap. Include at the [edit snmp v3 target-address] hierarchy level to specify a logical-system name as the destination address for an SNMPv3 trap or inform.

Options

logical-system-name–Name of the logical system. routing-instance routing-instance-name–Statement to specify a routing instance associated

with the logical system. Required Privilege Level Related Documentation


Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community

•

Configuring the Trap Target Address


5189

®


message-processing-model Syntax Hierarchy Level Release Information

Description Options

message-processing-model (v1 | v2c | v3); [edit snmp v3 target-parameters target-parameter-name parameters]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the message processing model to be used when generating SNMP notifications. v1—SNMPv1 message process model. v2c—SNMPv2c message process model. v3—SNMPv3 message process model.



Configuring the Message Processing Model

name Syntax

name name;

Hierarchy Level

[edit snmp]

Release Information


5190

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the system name from the command-line interface. name—System name override.


Configuring the System Name


Chapter 145: SNMP

nonvolatile Syntax


Description

nonvolatile { commit-delay seconds; } [edit snmp]

Statement introduced before Junos OS Release 7.4. The commit-delay statement introduced in Junos OS Release 9.0 for EX Series switches. Configure options for SNMP Set requests. The statement is explained separately.



Configuring the Commit Delay Timer

•

commit-delay on page 5171


5191

®


notify Syntax


Description

Options

notify name { tag tag-name; type (trap | inform); } [edit snmp v3]

Statement introduced before Junos OS Release 7.4. type inform option added in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Select management targets for SNMPv3 notifications as well as the type of notifications. Notifications can be either traps or informs. name—Name assigned to the notification. tag-name—Notifications are sent to all targets configured with this tag. type—Notification type is trap or inform. Traps are unconfirmed notifications. Informs are

confirmed notifications. Required Privilege Level Related Documentation

5192


Configuring the Inform Notification Type and Target Address

•

Configuring the SNMPv3 Trap Notification


Chapter 145: SNMP

notify-filter (Configuring the Profile Name) Syntax


Description

Options

notify-filter profile-name { oid oid (include | exclude); } [edit snmp v3]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Specify a group of MIB objects for which you define access. The notify filter limits the type of traps or informs sent to the network management system. profile-name—Name assigned to the notify filter.



Configuring the Trap Notification Filter

•

oid (SNMP) on page 5195

notify-filter (Applying to the Management Target) Syntax Hierarchy Level Release Information


notify-filter profile-name; [edit snmp v3 target-parameters target-parameters-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the notify filter to be used by a specific set of target parameters. profile-name—Name of the notify filter to apply to notifications.


Applying the Trap Notification Filter


5193

®


notify-view Syntax Hierarchy Level

Release Information

Description


notify-view view-name; [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Associate the notify view with a community (for SNMPv1 or SNMPv2c clients) or a group name (for SNMPv3 clients). view-name—Name of the view to which the SNMP user group has access.


Configuring MIB Views

•

Configuring the Notify View

oid Syntax Hierarchy Level Release Information

Description Options

oid object-identifier (exclude | include); [edit snmp view view-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify an object identifier (OID) used to represent a subtree of MIB objects. exclude—Exclude the subtree of MIB objects represented by the specified OID. include—Include the subtree of MIB objects represented by the specified OID. object-identifier—OID used to represent a subtree of MIB objects. All MIB objects

represented by this statement have the specified OID as a prefix. You can specify the OID using either a sequence of dotted integers or a subtree name. Required Privilege Level Related Documentation

5194




Chapter 145: SNMP

oid Syntax Hierarchy Level Release Information

Description

Options

oid oid (include | exclude); [edit snmp v3 notify-filter profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify an object identifier (OID) used to represent a subtree of MIB objects. This OID is a prefix that the represented MIB objects have in common. exclude—Exclude the subtree of MIB objects represented by the specified OID. include—Include the subtree of MIB objects represented by the specified OID. oid—Object identifier used to represent a subtree of MIB objects. All MIB objects

represented by this statement have the specified OID as a prefix. You can specify the OID using either a sequence of dotted integers or a subtree name. Required Privilege Level Related Documentation


Configuring the Trap Notification Filter

owner Syntax Hierarchy Level Release Information Description Options

owner owner-name; [edit snmp rmon history]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the user or group responsible for this configuration. owner-name—The user or group responsible for this configuration.

Range: 0 through 32 alphanumeric characters Required Privilege Level Related Documentation



•



5195

®


parameters Syntax


Description

parameters { message-processing-model (v1 | v2c | v3); security-level (none | authentication | privacy); security-model (usm | v1 | v2c); security-name security-name; } [edit snmp v3 target-parameters target-parameters-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure a set of target parameters for message processing and security. The remaining statements are explained separately.



Defining and Configuring the Trap Target Parameters

port Syntax Hierarchy Level Release Information


5196

port port-number; [edit snmp v3 target-address target-address-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure a UDP port number for an SNMP target. If you omit this statement, the default port is 162. port-number—Port number for the SNMP target.


Configuring the Port


Chapter 145: SNMP

read-view Syntax Hierarchy Level

Release Information

Description


read-view view-name; [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Associate the read-only view with a community (for SNMPv1 or SNMPv2c clients) or a group name (for SNMPv3 clients). view-name—The name of the view to which the SNMP user group has access.


Configuring the Read View

•



5197

®


request-type Syntax Hierarchy Level Release Information

Description

Options

request-type (get-next-request | get-request | walk-request); [edit snmp rmon alarm index]

Statement introduced in Junos OS Release 8.3. Statement introduced in Junos OS Release 9.0 for EX Series switches. Extend monitoring to a specific SNMP object instance (get-request), or extend monitoring to all object instances belonging to a MIB branch (walk-request), or extend monitoring to the next object instance after the instance specified in the configuration (get-next-request). get-next-request—Performs an SNMP get next request. get-request—Performs an SNMP get request. walk-request—Performs an SNMP walk request.

Default: walk-request Required Privilege Level Related Documentation

5198


Configuring the Request Type

•

variable on page 5227


Chapter 145: SNMP

rising-event-index Syntax Hierarchy Level Release Information

Description

Options

rising-event-index index; [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Index of the event entry that is used when a rising threshold is crossed. If this value is zero, no event is triggered. index—Index of the event entry that is used when a rising threshold is crossed.

Range: 0 through 65,535 Default: 0 Required Privilege Level Related Documentation


Configuring the Falling Event Index or Rising Event Index

•

falling-event-index on page 5178


5199

®


rising-threshold Syntax Hierarchy Level Release Information

Description

Options

rising-threshold percentage; [edit snmp ]

Statement introduced in Junos OS Release 8.0. Statement introduced in Junos OS Release 9.0 for EX Series switches. The upper threshold is expressed as a percentage of the maximum possible value for the sampled variable. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval is less than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is greater than or equal to this threshold. After a rising event is generated, another rising event cannot be generated until the sampled value falls below this threshold and reaches the falling-threshold. percentage—The lower threshold for the alarm entry.

Range: 1 through 100 Default: 80 percent of the maximum possible value Required Privilege Level Related Documentation

5200


falling-threshold on page 5179

•



Chapter 145: SNMP

rising-threshold Syntax Hierarchy Level Release Information

Description

Options

rising-threshold integer; [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Upper threshold for the sampled variable. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval is less than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is greater than or equal to this threshold, and the associated startup alarm value is equal to the falling alarm or rising or falling alarm value. After a rising event is generated, another rising event cannot be generated until the sampled value falls below this threshold and reaches the falling threshold. integer—The lower threshold for the alarm entry.

Range: –2,147,483,648 through 2,147,483,647 Required Privilege Level Related Documentation



•

falling-threshold on page 5180

rmon Syntax Hierarchy Level Release Information


rmon { ... } [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure Remote Monitoring. snmp—To view this statement in the configuration. snmp-control—To add this statement to the configuration. •



5201

®


rmon Syntax


rmon { history history-index { interface (SNMP RMON History) interface-name; bucket-size number; interval seconds; owner owner-name; } } [edit snmp]

Statement introduced in Junos OS Release 9.0 for EX Series switches. RMON is an existing feature of Junos OS. The RMON specification provides network administrators with comprehensive network fault diagnosis, planning, and performance tuning information. It delivers this information in nine groups of monitoring elements, each providing specific sets of data to meet common network monitoring requirements. Each group is optional, so that vendors do not need to support all the groups within the MIB. Junos OS supports RMON Statistics, History, Alarm, and Event groups. The EX Series documentation describes only the rmon history statement, which was added with this release. The statements are explained separately.


5202

Disabled. snmp—To view this statement in the configuration. snmp–control—To add this statement to the configuration. •


•



Chapter 145: SNMP


Release Information

Description

routing-instance routing-instance-name; [edit snmp community community-name], [edit snmp community community-name logical-system logical-system-name], [edit snmp trap-group group]

Statement introduced in Junos OS Release 8.3. Added to the [edit snmp community community-name] hierarchy level in Junos OS Release 8.4. Added to the [edit snmp community community-name logical-system logical-system-name] hierarchy level in Junos OS Release 9.1. Statement introduced in Junos OS Release 9.1 for EX Series switches. Specify a routing instance for SNMPv1 and SNMPv2 trap targets. All targets configured in the trap group use this routing instance. If the routing instance is defined within a logical system, include the logical-system logical-system-name statement at the [edit snmp community community-name] hierarchy level and specify the routing-instance statement under the [edit snmp community community-name logical-system logical system-name] hierarchy level.


routing-instance-name—Name of the routing instance.



•

Configuring the Source Address for SNMP Traps

•

Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community


5203

®


routing-instance Syntax Hierarchy Level Release Information

routing-instance routing-instance-name; [edit snmp v3 target-address target-address-name]


Description

Specify a routing instance for an SNMPv3 trap target.

Options

routing-instance-name—Name of the routing instance.

To configure a routing instance within a logical system, specify the logical system name followed by the routing instance name. Use a slash ( / ) to separate the two names (for example, test-ls/test-ri). To configure the default routing instance on a logical system, specify the logical system name followed by default (for example, test-ls/default). Required Privilege Level Related Documentation



sample-type Syntax Hierarchy Level Release Information

Description Options

sample-type (absolute-value | delta-value); [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Method of sampling the selected variable. absolute-value—Actual value of the selected variable is used when comparing against

the thresholds. delta-value—Difference between samples of the selected variable is used when comparing

against the thresholds. Required Privilege Level Related Documentation

5204


Configuring the Sample Type


Chapter 145: SNMP

security-level (Generating SNMP Notifications) Syntax Hierarchy Level Release Information


security-level (authentication | none | privacy); [edit snmp v3 target-parameters target-parameters-name parameters]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the security level to use when generating SNMP notifications. none authentication—Provide authentication but no encryption. none—No authentication and no encryption. privacy—Provide authentication and encryption.



Configuring the Security Level


5205

®


security-level (Defining Access Privileges) Syntax

Hierarchy Level

Release Information


security-level (authentication | none | privacy) { notify-view view-name; read-view view-name; write-view view-name; } [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Define the security level used for access privileges. none authentication—Provide authentication but no encryption. none—No authentication and no encryption. privacy—Provide authentication and encryption.


5206


Configuring the Security Level


Chapter 145: SNMP

security-model (Access Privileges) Syntax Hierarchy Level

Release Information

Description

Options

security-model (usm | v1 | v2c); [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the security model for an SNMPv3 group. The security model is used to determine access privileges for the group. usm—SNMPv3 security model. v1—SNMPv1 security model. v2c—SNMPv2c security model.



Configuring the Security Model


5207

®


security-model (Group) Syntax


Description Options

security-model (usm | v1 | v2c) { security-name security-name { group group-name; } } [edit snmp v3 vacm security-to-group]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define a security model for a group. usm—SNMPv3 security model. v1—SNMPv1 security model. v2c—SNMPv2c security model.




security-model (SNMP Notifications) Syntax Hierarchy Level Release Information

Description

Options

security-model (usm | v1 | v2c); [edit snmp v3 target-parameters target-parameters-name parameters]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the security model for an SNMPv3 group. The security model is used for SNMP notifications. usm—SNMPv3 security model. v1—SNMPv1 security model. v2c—SNMPv2c security model.


5208




Chapter 145: SNMP

security-name (Security Group) Syntax


Description Options

security-name security-name { group group-name; } [edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Associate a group or a community string with a configured security group. security-name—Username configured at the [edit snmp v3 usm local-engine user username]

hierarchy level. For SNMPv1 and SNMPv2c, the security name is the community string configured at the [edit snmp v3 snmp-community community-index] hierarchy level. Required Privilege Level Related Documentation


Assigning Security Names to Groups

security-name (Community String) Syntax Hierarchy Level Release Information

Description

Options

security-name security-name; [edit snmp v3 snmp-community community-index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Associate the community string configured at the [edit snmp v3 snmp-community community-index] hierarchy level to a security name. security-name—Name used when performing access control.

NOTE: The security name must match the configured security name at the [edit snmp v3 target-parameters target-parameters-name parameters] hierarchy level when you configure traps or informs.



Configuring the Security Names


5209

®


security-name (SNMP Notifications) Syntax Hierarchy Level Release Information

Description Options

security-name security-name; [edit snmp v3 target-parameters target-parameters-name parameters]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the security name used when generating SNMP notifications. security-name—If the SNMPv3 USM security model is used, identify the user when

generating the SNMP notification. If the v1 or v2c security models are used, identify the SNMP community used when generating the notification.

NOTE: The access privileges for the group associated with this security name must allow this notification to be sent. If you are using the v1 or v2 security models, the security name at the [edit snmp v3 vacm security-to-group] hierarchy level must match the security name at the [edit snmp v3 snmp-community community-index] hierarchy level.


5210


Configuring the Security Name


Chapter 145: SNMP

security-to-group Syntax


Description

security-to-group { security-model (usm | v1 | v2c) { group group-name; security-name security-name; } } [edit snmp v3 vacm]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the group to which a specific SNMPv3 security name belongs. The security name is used for messaging security. The remaining statements are explained separately.



Assigning Security Model and Security Name to a Group

snmp Syntax Hierarchy Level Release Information


snmp { ... } [edit]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure SNMP. snmp—To view this statement in the configuration. snmp-control—To add this statement to the configuration. •

Configuring SNMP on a Device Running Junos OS


5211

®


snmp Syntax


snmp { rmon { history index { interface (SNMP RMON History) interface-name; bucket-size number; interval seconds; owner owner-name; } } } [edit]

Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure SNMP. The statements are explained separately.




snmp-community Syntax


Description Options

snmp-community community-index { community-name community-name; security-name security-name; tag tag-name; } [edit snmp v3]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the SNMP community. community-index—(Optional) String that identifies an SNMP community.


5212


Configuring the SNMPv3 Community


Chapter 145: SNMP

source-address Syntax Hierarchy Level Release Information

Description

Options

source-address address; [edit snmp trap-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Set the source address of every SNMP trap packet sent by this router to a single address regardless of the outgoing interface. If the source address is not specified, the default is to use the address of the outgoing interface as the source address. address—Source address of SNMP traps. You can configure the source address of trap

packets two ways: lo0 or a valid IPv4 address configured on one of the router interfaces. The value lo0 indicates that the source address of all SNMP trap packets is set to the lowest loopback address configured at interface lo0. Default: Disabled. (The source address is the address of the outgoing interface.) Required Privilege Level Related Documentation


Configuring the Source Address for SNMP Traps


5213

®


startup-alarm Syntax Hierarchy Level Release Information

Description Options

startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm); [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. The alarm that can be sent upon entry startup. falling-alarm—Generated if the first sample after the alarm entry becomes active is less

than or equal to the falling threshold. rising-alarm—Generated if the first sample after the alarm entry becomes active is greater

than or equal to the rising threshold. rising-or-falling-alarm—Generated if the first sample after the alarm entry becomes active

satisfies either of the corresponding thresholds. Default: rising-or-falling-alarm Required Privilege Level Related Documentation


Configuring the Sample Type

syslog-subtag Syntax Hierarchy Level Release Information

Description Options

syslog-subtag syslog-subtag; [edit snmp rmon alarm index]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.0 for EX Series switches. Add a tag to the system log message. syslog-subtag syslog-subtag—Tag of not more than 80 uppercase characters to be added

to syslog messages. Default: None Required Privilege Level Related Documentation

5214


Configuring the System Log Tag


Chapter 145: SNMP

tag Syntax Hierarchy Level

Release Information

Description Options

tag tag-name; [edit snmp v3 notify name], [edit snmp v3 snmp-community community-index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure a set of targets to receive traps or informs (for IPv4 packets only). tag-name—Identifies the address of managers that are allowed to use a community

string. Required Privilege Level Related Documentation


Configuring the Tag

•


tag-list Syntax Hierarchy Level Release Information

Description Options

tag-list tag-list; [edit snmp v3 target-address target-address-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure an SNMP tag list used to select target addresses. tag-list—Define sets of target addresses (tags). To specify more than one tag, specify

the tag names as a space-separated list enclosed within double quotes. Required Privilege Level Related Documentation




5215

®


target-address Syntax


Description

Options

target-address target-address-name { address (SNMP) address; address-mask address-mask; logical-system logical-system; port (SNMP) port-number; retry-count (SNMPv3) number; routing-instance (SNMPv3) instance; tag-list tag-list; target-parameters target-parameters-name; timeout seconds; } [edit snmp v3]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure the address of an SNMP management application and the parameters to be used in sending notifications. target-address-name—String that identifies the target address.


5216




Chapter 145: SNMP

target-parameters Syntax

At the [edit snmp v3] hierarchy level: target-parameters target-parameters-name { profile-name; parameters { message-processing-model (v1 | v2c | V3); security-level (authentication | none | privacy); security-model (usm | v1 | v2c); security-name security-name; } }

At the [edit snmp v3 target-address target-address-name] hierarchy level: target-parameters target-parameters-name;

Hierarchy Level

Release Information

Description

[edit snmp v3] [edit snmp v3 target-address target-address-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the message processing and security parameters for sending notifications to a particular management target. The target parameters are configured at the [edit snmp v3] hierarchy level. The remaining statements at this level are explained separately. Then apply the target parameters configured at the [edit snmp v3 target-parameters target-parameters-name] hierarchy level to the target address configuration at the [edit snmp v3] hierarchy level.



Defining and Configuring the Trap Target Parameters

•

Applying Target Parameters


5217

®


targets Syntax


Description Options

targets { address; } [edit snmp trap-group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure one or more systems to receive SNMP traps. address—IPv4 or IPv6 address of the system to receive traps. You must specify an address,

not a hostname. Required Privilege Level Related Documentation

5218




Chapter 145: SNMP

traceoptions Syntax


Description

Options

traceoptions { file filename ; flag flag; no-remote-trace; } [edit snmp]

Statement introduced before Junos OS Release 7.4. file filename option added in Junos OS Release 8.1. world-readable | no-world-readable option added in Junos OS Release 8.1. match regular-expression option added in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.0 for EX Series switches. The output of the tracing operations is placed into log files in the /var/log directory. Each log file is named after the SNMP agent that generates it. Currently, the following logs are created in the /var/log directory when the traceoptions statement is used: •

chassisd

•

craftd

•

ilmid

•

mib2d

•

rmopd

•

serviced

•

snmpd

file filename—By default, the name of the log file that records trace output is the name

of the process being traced (for example, mib2d or snmpd). Use this option to specify another name. files number—(Optional) Maximum number of trace files per SNMP subagent. When a

trace file (for example, snmpd) reaches its maximum size, it is archived by being renamed to snmpd.0. The previous snmpd.1 is renamed to snmpd.2, and so on. The oldest archived file is deleted. Range: 2 through 1000 files Default: 10 files flag flag—Tracing operation to perform. To specify more than one tracing operation,

include multiple flag statements: •

all—Log all SNMP events.

•

configuration—Log reading of configuration at the [edit snmp] hierarchy level.


5219

®


•

database—Log events involving storage and retrieval in the events database.

•

events—Log important events.

•

general—Log general events.

•

interface-stats—Log physical and logical interface statistics.

•

nonvolatile-sets—Log nonvolatile SNMP set request handling.

•

pdu—Log SNMP request and response packets.

•

policy—Log policy processing.

•

protocol-timeouts—Log SNMP response timeouts.

•

routing-socket—Log routing socket calls.

•

server—Log communication with processes that are generating events.

•

subagent—Log subagent restarts.

•

timer-events—Log internally generated events.

•

varbind-error—Log variable binding errors.

match regular-expression—(Optional) Refine the output to include lines that contain the

regular expression. size size—(Optional) Maximum size, in kilobytes (KB), of each trace file before it is closed

and archived. Range: 10 KB through 1 GB Default: 1000 KB world-readable | no-world-readable—(Optional) By default, log files can be accessed

only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option. Required Privilege Level Related Documentation

5220


Tracing SNMP Activity on a Device Running Junos OS


Chapter 145: SNMP

trap-group Syntax


Description

Options

trap-group group-name { categories { category; } destination-port port-number; routing-instance instance; targets { address; } version (all | v1 | v2); } [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a named group of hosts to receive the specified trap notifications. The name of the trap group is embedded in SNMP trap notification packets as one variable binding (varbind) known as the community name. At least one trap group must be configured for SNMP traps to be sent. group-name—Name of the trap group. If the name includes spaces, enclose it in quotation

marks (" "). The remaining statements are explained separately. Required Privilege Level Related Documentation




5221

®


trap-options Syntax


Description

trap-options { agent-address outgoing-interface; source-address address; } [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Using SNMP trap options, you can set the source address of every SNMP trap packet sent by the router or switch to a single address, regardless of the outgoing interface. In addition, you can set the agent address of each SNMPv1 trap. For more information about the contents of SNMPv1 traps, see RFC 1157. The remaining statements are explained separately.


Disabled snmp—To view this statement in the configuration. snmp-control—To add this statement to the configuration. •

Configuring SNMP Trap Options

type Syntax Hierarchy Level Release Information

Description Options

type (inform | trap); [edit snmp v3 notify name]

Statement introduced before Junos OS Release 7.4. inform option added in Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Configure the type of SNMP notification. inform—Defines the type of notification as an inform. SNMP informs are confirmed

notifications. trap—Defines the type of notification as a trap. SNMP traps are unconfirmed notifications.


5222


Configuring SNMP Informs

•



Chapter 145: SNMP

type Syntax Hierarchy Level Release Information

Description Options

type type; [edit snmp rmon event index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Type of notification generated when a threshold is crossed. type—Type of notification: •

log—Add an entry to logTable.

•

log-and-trap—Send an SNMP trap and make a log entry.

•

none—No notifications are sent.

•

snmptrap—Send an SNMP trap.

Default: log-and-trap Required Privilege Level Related Documentation




5223

®


v3 Syntax

5224

v3 { notify name { tag tag-name; type trap; } notify-filter profile-name { oid object-identifier (include | exclude); } snmp-community community-index { community-name community-name; security-name security-name; tag tag-name; } target-address target-address-name { address address; address-mask address-mask; logical-system logical-system; port port-number; retry-count number; routing-instance instance; tag-list tag-list; target-parameters target-parameters-name; timeout seconds; } target-parameters target-parameters-name { notify-filter profile-name; parameters { message-processing-model (v1 | v2c | V3); security-level (authentication | none | privacy); security-model (usm | v1 | v2c); security-name security-name; } } usm { local-engine { user username { authentication-md5 { authentication-password authentication-password; } authentication-sha { authentication-password authentication-password; } authentication-none; privacy-aes128 { privacy-password privacy-password; } privacy-des { privacy-password privacy-password; } privacy-des { privacy-password privacy-password; }


Chapter 145: SNMP

privacy-none; } } remote-engine engine-id { user username { authentication-md5 { authentication-password authentication-password; } authentication-sha { authentication-password authentication-password; } authentication-none; privacy-aes128 { privacy-password privacy-password; } privacy-des { privacy-password privacy-password; } privacy-3des { privacy-password privacy-password; } privacy-none { privacy-password privacy-password; } } } } vacm { access { group group-name { (default-context-prefix | context-prefix context-prefix){ security-model (any | usm | v1 | v2c) { security-level (authentication | none | privacy) { notify-view view-name; read-view view-name; write-view view-name; } } } } } security-to-group { security-model (usm | v1 | v2c) { security-name security-name { group group-name; } } } } }


[edit snmp]



5225

®


Description

Configure SNMPv3. The remaining statements are explained separately.



Minimum SNMPv3 Configuration on a Device Running Junos OS

vacm Syntax


Description

vacm { access { group group-name { (default-context-prefix | context-prefix context-prefix){ security-model (any | usm | v1 | v2c) { security-level (authentication | none | privacy) { notify-view view-name; read-view view-name; write-view view-name; } } } } } security-to-group { security-model (usm | v1 | v2c); security-name security-name { group group-name; } } } [edit snmp v3]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure view-based access control model (VACM) information. The remaining statements are explained separately.


5226


Defining Access Privileges for an SNMP Group


Chapter 145: SNMP

variable Syntax Hierarchy Level Release Information

Description Options

variable oid-variable; [edit snmp rmon alarm index]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Object identifier (OID) of MIB variable to be monitored. oid-variable—OID of the MIB variable that is being monitored. The OID can be a dotted

decimal (for example, 1.3.6.1.2.1.2.1.2.2.1.10.1). Alternatively, use the MIB object name (for example, ifInOctets.1). Required Privilege Level Related Documentation


Configuring the Variable

version Syntax Hierarchy Level Release Information

Description

version (all | v1 | v2); [edit snmp trap-group group-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the version number of SNMP traps.

Default

all—Send an SNMPv1 and SNMPv2 trap for every trap condition.

Options

all—Send an SNMPv1 and SNMPv2 trap for every trap condition. v1—Send SNMPv1 traps only. v2—Send SNMPv2 traps only.





5227

®


view (Configuring a MIB View) Syntax


Description

view view-name { oid object-identifier (include | exclude); } [edit snmp]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Define a MIB view. A MIB view identifies a group of MIB objects. Each MIB object in a view has a common OID prefix. Each object identifier represents a subtree of the MIB object hierarchy. The view statement uses a view to specify a group of MIB objects on which to define access. To enable a view, you must associate the view with a community by including the view statement at the [edit snmp community community-name] hierarchy level.

NOTE: To remove an OID completely, use the delete view all oid oid-number command but omit the include parameter.

Options

view-name—Name of the view.


5228



•

Associating MIB Views with an SNMP User Group

•

community (SNMP) on page 5172


Chapter 145: SNMP

view (Associating a MIB View with a Community) Syntax Hierarchy Level Release Information

Description Options

view view-name; [edit snmp community community-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Associate a view with a community. A view represents a group of MIB objects. view-name—Name of the view. You must use a view name already configured in the view

statement at the [edit snmp] hierarchy level. Required Privilege Level Related Documentation



write-view Syntax Hierarchy Level

Release Information

Description


write-view view-name; [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series switches. Associate the write view with a community (for SNMPv1 or SNMPv2c clients) or a group name (for SNMPv3 clients). view-name—Name of the view for which the SNMP user group has write permission.



•

Configuring the Write View

Operational Commands for SNMP


5229

®


clear snmp rmon history Syntax Release Information Description

clear snmp rmon history

Command introduced in Junos OS Release 9.0 for EX Series switches. Delete the samples of Ethernet statistics collected, but do not delete the RMON history configuration. The clear snmp rmon history command deletes all the samples collected for the interface configured for the history group, but not the configuration of that group. If you want to delete the RMON history group configuration, you must use the delete snmp rmon history configuration-mode command.

Options

interface-name—Delete the samples of Ethernet statistics collected for this interface. all—Delete the samples of Ethernet statistics collected for all interfaces that have been

configured for RMON monitoring. Required Privilege Level Related Documentation

5230

clear

•

show snmp rmon history on page 5252


Chapter 145: SNMP

clear snmp statistics Syntax Release Information

Description Options Required Privilege Level Related Documentation List of Sample Output Output Fields

clear snmp statistics

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Clear Simple Network Management Protocol (SNMP) statistics. This command has no options. clear

•

show snmp statistics on page 5256

clear snmp statistics on page 5231 See show snmp statistics for an explanation of output fields.

Sample Output clear snmp statistics

In the following example, SNMP statistics are displayed before and after the clear snmp statistics command is issued: user@host> show snmp statistics SNMP statistics: Input: Packets: 8, Bad versions: 0, Bad community names: 0, Bad community uses: 0, ASN parse errors: 0, Too bigs: 0, No such names: 0, Bad values: 0, Read onlys: 0, General errors: 0, Total request varbinds: 8, Total set varbinds: 0, Get requests: 0, Get nexts: 8, Set requests: 0, Get responses: 0, Traps: 0, Silent drops: 0, Proxy drops 0 Output: Packets: 2298, Too bigs: 0, No such names: 0, Bad values: 0, General errors: 0, Get requests: 0, Get nexts: 0, Set requests: 0, Get responses: 8, Traps: 2290

user@host> clear snmp statistics

user@host> show snmp statistics SNMP statistics: Input: Packets: 0, Bad versions: 0, Bad community names: 0, Bad community uses: 0, ASN parse errors: 0, Too bigs: 0, No such names: 0, Bad values: 0, Read onlys: 0, General errors: 0, Total request varbinds: 0, Total set varbinds: 0,


5231

®


Get requests: 0, Get nexts: 0, Set requests: 0, Get responses: 0, Traps: 0, Silent drops: 0, Proxy drops 0 Output: Packets: 0, Too bigs: 0, No such names: 0, Bad values: 0, General errors: 0, Get requests: 0, Get nexts: 0, Set requests: 0, Get responses: 0, Traps: 0

5232


Chapter 145: SNMP

request snmp spoof-trap Syntax

Release Information

Description Options

request snmp spoof-trap variable-bindings

Command introduced in Junos OS Release 8.2. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Spoof (mimic) the behavior of a Simple Network Management Protocol (SNMP) trap. —Name of the trap to spoof. variable-bindings —(Optional) List of variables and values

to include in the trap. Each variable binding is specified as an object name, the object instance, and the value (for example, ifIndex[14] = 14). Enclose the list of variable bindings in quotation marks (“ “) and use a comma to separate each object name, instance, and value definition (for example, variable-bindings “ifIndex[14] = 14, ifAdminStatus[14] = 1, ifOperStatus[14] = 2”). Objects included in the trap definition that do not have instances and values specified as part of the command are included in the trap and spoofed with automatically generated instances and values. —A dummy trap name to display the list of available traps. Question mark (?)—Question mark? to display possible completions.


request

request snmp spoof-trap (with Variable Bindings) on page 5233 request snmp spoof-trap (Illegal Trap Name) on page 5233 request snmp spoof-trap (Question Mark ?) on page 5237

Sample Output request snmp spoof-trap (with Variable Bindings)

user@host> request snmp spoof-trap linkUp variable-bindings “ifIndex[14] = 14, ifAdminStatus[14] = 1, ifOperStatus[14] = 2” Spoof trap request result: trap sent successfully

request snmp spoof-trap (Illegal Trap Name)

user@host> request snmp spoof-trap xx Spoof trap request result: trap not found Allowed Traps: adslAtucInitFailureTrap adslAtucPerfESsThreshTrap adslAtucPerfLofsThreshTrap adslAtucPerfLolsThreshTrap adslAtucPerfLossThreshTrap adslAtucPerfLprsThreshTrap adslAtucRateChangeTrap adslAturPerfESsThreshTrap adslAturPerfLofsThreshTrap adslAturPerfLossThreshTrap adslAturPerfLprsThreshTrap


5233

®


adslAturRateChangeTrap apsEventChannelMismatch apsEventFEPLF apsEventModeMismatch apsEventPSBF apsEventSwitchover authenticationFailure bfdSessDown bfdSessUp bgpBackwardTransition bgpEstablished coldStart dlswTrapCircuitDown dlswTrapCircuitUp dlswTrapTConnDown dlswTrapTConnPartnerReject dlswTrapTConnProtViolation dlswTrapTConnUp dsx1LineStatusChange dsx3LineStatusChange entConfigChange fallingAlarm frDLCIStatusChange ggsnTrapChanged ggsnTrapCleared ggsnTrapNew gmplsTunnelDown ifMauJabberTrap ipv6IfStateChange isisAreaMismatch isisAttemptToExceedMaxSequence isisAuthenticationFailure isisAuthenticationTypeFailure isisCorruptedLSPDetected isisDatabaseOverload isisIDLenMismatch isisLSPTooLargeToPropagate isisManualAddressDrops isisMaxAreaAddressesMismatch isisOriginatingLSPBufferSizeMismatch isisOwnLSPPurge isisProtocolsSupportedMismatch isisRejectedAdjacency isisSequenceNumberSkip isisVersionSkew jnxAccessAuthServerDisabled jnxAccessAuthServerEnabled jnxAccessAuthServiceDown jnxAccessAuthServiceUp jnxBfdSessDetectionTimeHigh jnxBfdSessTxIntervalHigh jnxBgpM2BackwardTransition jnxBgpM2Established jnxCmCfgChange jnxCmRescueChange jnxCollFlowOverload jnxCollFlowOverloadCleared jnxCollFtpSwitchover jnxCollMemoryAvailable jnxCollMemoryUnavailable jnxCollUnavailableDest

5234


Chapter 145: SNMP

jnxCollUnavailableDestCleared jnxCollUnsuccessfulTransfer jnxDfcHardMemThresholdExceeded jnxDfcHardMemUnderThreshold jnxDfcHardPpsThresholdExceeded jnxDfcHardPpsUnderThreshold jnxDfcSoftMemThresholdExceeded jnxDfcSoftMemUnderThreshold jnxDfcSoftPpsThresholdExceeded jnxDfcSoftPpsUnderThreshold jnxEventTrap jnxExampleStartup jnxFEBSwitchover jnxFanFailure jnxFanOK jnxFruCheck jnxFruFailed jnxFruInsertion jnxFruOK jnxFruOffline jnxFruOnline jnxFruPowerOff jnxFruPowerOn jnxFruRemoval jnxHardDiskFailed jnxHardDiskMissing jnxJsAvPatternUpdateTrap jnxJsChassisClusterSwitchover jnxJsFwAuthCapacityExceeded jnxJsFwAuthFailure jnxJsFwAuthServiceDown jnxJsFwAuthServiceUp jnxJsNatAddrPoolThresholdStatus jnxJsScreenAttack jnxJsScreenCfgChange jnxLdpLspDown jnxLdpLspUp jnxLdpSesDown jnxLdpSesUp jnxMIMstCistPortLoopProtectStateChangeTrap jnxMIMstCistPortRootProtectStateChangeTrap jnxMIMstErrTrap jnxMIMstGenTrap jnxMIMstInvalidBpduRxdTrap jnxMIMstMstiPortLoopProtectStateChangeTrap jnxMIMstMstiPortRootProtectStateChangeTrap jnxMIMstNewRootTrap jnxMIMstProtocolMigrationTrap jnxMIMstRegionConfigChangeTrap jnxMIMstTopologyChgTrap jnxMacChangedNotification jnxMplsLdpInitSesThresholdExceeded jnxMplsLdpPathVectorLimitMismatch jnxMplsLdpSessionDown jnxMplsLdpSessionUp jnxOspfv3IfConfigError jnxOspfv3IfRxBadPacket jnxOspfv3IfStateChange jnxOspfv3LsdbApproachingOverflow jnxOspfv3LsdbOverflow jnxOspfv3NbrRestartHelperStatusChange


5235

®


jnxOspfv3NbrStateChange jnxOspfv3NssaTranslatorStatusChange jnxOspfv3RestartStatusChange jnxOspfv3VirtIfConfigError jnxOspfv3VirtIfRxBadPacket jnxOspfv3VirtIfStateChange jnxOspfv3VirtNbrRestartHelperStatusChange jnxOspfv3VirtNbrStateChange jnxOtnAlarmCleared jnxOtnAlarmSet jnxOverTemperature jnxPMonOverloadCleared jnxPMonOverloadSet jnxPingEgressJitterThresholdExceeded jnxPingEgressStdDevThresholdExceeded jnxPingEgressThresholdExceeded jnxPingIngressJitterThresholdExceeded jnxPingIngressStddevThresholdExceeded jnxPingIngressThresholdExceeded jnxPingRttJitterThresholdExceeded jnxPingRttStdDevThresholdExceeded jnxPingRttThresholdExceeded jnxPortBpduErrorStatusChangeTrap jnxPortLoopProtectStateChangeTrap jnxPortRootProtectStateChangeTrap jnxPowerSupplyFailure jnxPowerSupplyOK jnxRedundancySwitchover jnxRmonAlarmGetFailure jnxRmonGetOk jnxSecAccessIfMacLimitExceeded jnxSecAccessdsRateLimitCrossed jnxSonetAlarmCleared jnxSonetAlarmSet jnxSpSvcSetCpuExceeded jnxSpSvcSetCpuOk jnxSpSvcSetZoneEntered jnxSpSvcSetZoneExited jnxStormEventNotification jnxSyslogTrap jnxTemperatureOK jnxVccpPortDown jnxVccpPortUp jnxVpnIfDown jnxVpnIfUp jnxVpnPwDown jnxVpnPwUp jnxl2aldGlobalMacLimit jnxl2aldInterfaceMacLimit jnxl2aldRoutingInstMacLimit linkDown linkUp lldpRemTablesChange mfrMibTrapBundleLinkMismatch mplsLspChange mplsLspDown mplsLspInfoChange mplsLspInfoDown mplsLspInfoPathDown mplsLspInfoPathUp mplsLspInfoUp

5236


Chapter 145: SNMP

mplsLspPathDown mplsLspPathUp mplsLspUp mplsNumVrfRouteMaxThreshExceeded mplsNumVrfRouteMidThreshExceeded mplsNumVrfSecIllglLblThrshExcd mplsTunnelDown mplsTunnelReoptimized mplsTunnelRerouted mplsTunnelUp mplsVrfIfDown mplsVrfIfUp mplsXCDown mplsXCUp msdpBackwardTransition msdpEstablished newRoot ospfIfAuthFailure ospfIfConfigError ospfIfRxBadPacket ospfIfStateChange ospfLsdbApproachingOverflow ospfLsdbOverflow ospfMaxAgeLsa ospfNbrStateChange ospfOriginateLsa ospfTxRetransmit ospfVirtIfAuthFailure ospfVirtIfConfigError ospfVirtIfRxBadPacket ospfVirtIfStateChange ospfVirtIfTxRetransmit ospfVirtNbrStateChange pethMainPowerUsageOffNotification pethMainPowerUsageOnNotification pethPsePortOnOffNotification pingProbeFailed pingTestCompleted pingTestFailed ptopoConfigChange risingAlarm rpMauJabberTrap sdlcLSStatusChange sdlcPortStatusChange topologyChange traceRoutePathChange traceRouteTestCompleted traceRouteTestFailed vrrpTrapAuthFailure vrrpTrapNewMaster warmStart

request snmp spoof-trap (Question Mark ?)

user@host> request snmp spoof-trap ? Possible completions: The name of the trap to spoof adslAtucInitFailureTrap adslAtucPerfESsThreshTrap adslAtucPerfLofsThreshTrap adslAtucPerfLolsThreshTrap adslAtucPerfLossThreshTrap adslAtucPerfLprsThreshTrap


5237

®


adslAtucRateChangeTrap adslAturPerfESsThreshTrap adslAturPerfLofsThreshTrap adslAturPerfLossThreshTrap adslAturPerfLprsThreshTrap adslAturRateChangeTrap apsEventChannelMismatch apsEventFEPLF apsEventModeMismatch apsEventPSBF apsEventSwitchover authenticationFailure bfdSessDown bfdSessUp bgpBackwardTransition bgpEstablished coldStart dlswTrapCircuitDown dlswTrapCircuitUp ---(more 10%)---

5238


Chapter 145: SNMP

show snmp health-monitor Syntax

Release Information

Description

Options

show snmp health-monitor |

Command introduced in Junos OS Release 8.0. Command introduced in Junos OS Release 9.0 for EX Series switches. Statement introduced in Junos OS Release 11.1 for the QFX Series. Display information about Simple Network Management Protocol (SNMP) health monitor alarms and logs. none—Display information about all health monitor alarms and logs. alarms —(Optional) Display detailed information about health monitor alarms. logs—(Optional) Display information about health monitor logs.


Output Fields

view

show snmp health-monitor on page 5241 show snmp health-monitor alarms detail on page 5243 Table 603 on page 5239 describes the output fields for the show snmp health-monitor command. Output fields are listed in the approximate order in which they appear.

Table 603: show snmp health-monitor Output Fields Field Name

Field Description

Level of Output

Alarm Index

Alarm identifier.

All levels

Variable description

Description of the health monitor object instance being monitored.

All levels

Variable name

Name of the health monitor object instance being monitored.

All levels

Value

Current value of the monitored variable in the most recent sample interval.

All levels


5239

®


Table 603: show snmp health-monitor Output Fields (continued) Field Name

Field Description

Level of Output

State

State of the alarm or event entry:

All levels

•

Alarms: •

active—Entry is fully configured and activated.

•

falling threshold crossed—Value of the variable has crossed the lower

threshold limit. •

rising threshold crossed—Value of the variable has crossed the upper

threshold limit. •

under creation—Entry is being configured and is not yet activated.

•

startup—Alarm is waiting for the first sample of the monitored variable.

•

object not available—Monitored variable of that type is not available to the

health monitor agent. •

instance not available—Monitored variable's instance is not available to

the health monitor agent. •

object type invalid—Monitored variable is not a numeric value.

•

object processing errored—An error occurred when the monitored variable

was processed. •

unknown—State is not one of the above.

Variable OID

Object ID to which the variable name is resolved. The format is x.x.x.x.

detail

Sample type

Method of sampling the monitored variable and calculating the value to compare against the upper and lower thresholds. It can have the value of absolute value or delta value.

detail

Startup alarm

Alarm that might be sent when this entry is first activated, depending on the following criteria:

detail

•

•

Alarm is sent when one of the following situations exists: •

Value of the alarm is above or equal to the rising threshold and the startup type is either rising alarm or rising or falling alarm.

•

Value of the alarm is below or equal to the falling threshold and the startup type is either falling alarm or rising or falling alarm.

Alarm is not sent when one of the following situations exists: •

Value of the alarm is above or equal to the rising threshold and the startup type is falling alarm.

•

Value of the alarm is below or equal to the falling threshold and the startup type is rising alarm.

•

Value of the alarm is between the thresholds.

Owner

Name of the entry configured by the user. If the entry was created through the CLI, the owner has monitor prepended to it.

detail

Creator

Mechanism by which the entry was configured (Health Monitor).

detail

Sample interval

Time period between samples (in seconds).

detail

Rising threshold

Upper limit threshold value as a percentage of the maximum possible value.

detail

5240


Chapter 145: SNMP

Table 603: show snmp health-monitor Output Fields (continued) Field Name

Field Description

Level of Output

Falling threshold

Lower limit threshold value as a percentage of the maximum possible value.

detail

Rising event index

Event triggered when the rising threshold is crossed.

detail

Falling event index

Event triggered when the falling threshold is crossed.

detail

Sample Output show snmp health-monitor

user@host> show snmp health-monitor Alarm Index

Variable description

32768 Health Monitor: root file system utilization jnxHrStoragePercentUsed.1

Value State

58 active

32769 Health Monitor: /config file system utilization jnxHrStoragePercentUsed.2

0 active

32770 Health Monitor: RE 0 CPU utilization jnxOperatingCPU.9.1.0.0

0 active

32773 Health Monitor: RE 0 Memory utilization jnxOperatingBuffer.9.1.0.0

35 active

32775 Health Monitor: jkernel daemon CPU utilization Init daemon Chassis daemon Firewall daemon Interface daemon SNMP daemon MIB2 daemon Sonet APS daemon VRRP daemon Alarm daemon PFE daemon CRAFT daemon Traffic sampling control daemon Ilmi daemon Remote operations daemon CoS daemon Pic Services Logging daemon Internal Routing Service Daemon Network Access Service daemon Forwarding UDP daemon Routing socket proxy daemon Disk Monitoring daemon Inet daemon Syslog daemon Adaptive Services PIC daemon ECC parity errors logging Daemon Layer 2 Tunneling Protocol daemon PPPoE daemon Redundancy device daemon

0 50 0 5 11 42 0 0 3 0 0 0 0 0 0 0 3 0 0 0 1 0 0 0 0 0 3 0


active active active active active active active active active active active active active active active active active active active active active active active active active active active active

5241

®


PPP daemon Dynamic Flow Capture Daemon

0 active 0 active

32776 Health Monitor: jroute daemon CPU utilization Routing protocol daemon Management daemon Management daemon Command line interface Periodic Packet Management daemon Link Management daemon Pragmatic General Multicast daemon Bidirectional Forwarding Detection daemon SRC daemon audit daemon Event daemon

1 0 0 4 0 0 0 0 0 0 0

32777 Health Monitor: jcrypto daemon CPU utilization IPSec Key Management daemon

0 active

32779 Health Monitor: jkernel daemon Memory utilization Init daemon 47384 Chassis daemon 20204 Firewall daemon 1956 Interface daemon 3340 SNMP daemon 4540 MIB2 daemon 3880 Sonet APS daemon 2632 VRRP daemon 2672 Alarm daemon 1856 PFE daemon 2600 CRAFT daemon 2000 Traffic sampling control daemon 3164 Ilmi daemon 2132 Remote operations daemon 2964 CoS daemon 3044 Pic Services Logging daemon 1944 Internal Routing Service Daemon 1392 Network Access Service daemon 1992 Forwarding UDP daemon 1876 Routing socket proxy daemon 1296 Disk Monitoring daemon 1180 Inet daemon 1296 Syslog daemon 1180 Adaptive Services PIC daemon 3220 ECC parity errors logging Daemon 1100 Layer 2 Tunneling Protocol daemon 3372 PPPoE daemon 1424 Redundancy device daemon 1820 PPP daemon 2060 Dynamic Flow Capture Daemon 10740 32780 Health Monitor: jroute daemon Memory utilization Routing protocol daemon 8104 Management daemon 13360 Management daemon 19252 Command line interface 9912 Periodic Packet Management daemon 1484 Link Management daemon 2016 Pragmatic General Multicast daemon 1968 Bidirectional Forwarding Detection daemon 1956 SRC daemon 1772 audit daemon 1772

5242

active active active active active active active active active active active

active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active active


Chapter 145: SNMP

Event daemon

1808 active

32781 Health Monitor: jcrypto daemon Memory utilization IPSec Key Management daemon 5600 active

show snmp health-monitor alarms detail

user@host> show snmp health-monitor alarms detail Alarm Index 32768: Variable name Variable OID Sample type Startup alarm Owner Creator State Sample interval Rising threshold Falling threshold Rising event index Falling event index Instance Value: 58 Instance State: active Alarm Index 32769: Variable name Variable OID Sample type Startup alarm Owner Creator State Sample interval Rising threshold Falling threshold Rising event index Falling event index Instance Value: 0 Instance State: active Alarm Index 32770: Variable name Variable OID Sample type Startup alarm Owner

Creator State Sample interval Rising threshold Falling threshold Rising event index Falling event index Instance Value: 0 Instance State: active Alarm Index 32773: Variable name


jnxHrStoragePercentUsed.1 1.3.6.1.4.1.2636.3.31.1.1.1.1.1 absolute value rising alarm Health Monitor: root file system utilization Health Monitor active 300 seconds 80 70 32768 32768

jnxHrStoragePercentUsed.2 1.3.6.1.4.1.2636.3.31.1.1.1.1.2 absolute value rising alarm Health Monitor: /config file system utilization Health Monitor active 300 seconds 80 70 32768 32768

jnxOperatingCPU.9.1.0.0 1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0 absolute value rising alarm Health Monitor: RE 0 CPU utilization

Health Monitor active 300 seconds 80 70 32768 32768

jnxOperatingBuffer.9.1.0.0

5243

®


Variable OID Sample type Startup alarm Owner

Creator State Sample interval Rising threshold Falling threshold Rising event index Falling event index Instance Value: 35 Instance State: active

1.3.6.1.4.1.2636.3.1.13.1.11.9.1.0.0 absolute value rising alarm Health Monitor: RE 0 Memory utilization

Health Monitor active 300 seconds 80 70 32768 32768

Alarm Index 32775: Variable name Variable OID Sample type Startup alarm Owner

sysApplElmtRunCPU.3 1.3.6.1.2.1.54.1.2.3.1.9.3 delta value rising alarm Health Monitor: jkernel daemon CPU utilization Creator Health Monitor State active Sample interval 300 seconds Rising threshold 24000 Falling threshold 21000 Rising event index 32768 Falling event index 32768 Instance Name: sysApplElmtRunCPU.3.1.1 Instance Description: Init daemon Instance Value: 0 Instance State: active Instance Instance Instance Instance

Name: sysApplElmtRunCPU.3.2.2786 Description: Chassis daemon Value: 50 State: active

Instance Instance Instance Instance

Name: sysApplElmtRunCPU.3.3.2938 Description: Firewall daemon Value: 0 State: active


Name: sysApplElmtRunCPU.3.4.2942 Description: Interface daemon Value: 5 State: active


Name: sysApplElmtRunCPU.3.7.7332 Description: SNMP daemon Value: 11 State: active


Name: sysApplElmtRunCPU.3.9.2914 Description: MIB2 daemon Value: 42 State: active

Instance Name: sysApplElmtRunCPU.3.12.2916

5244


Chapter 145: SNMP

Instance Description: Sonet APS daemon Instance Value: 0 Instance State: active Instance Instance Instance Instance

Name: sysApplElmtRunCPU.3.13.2917 Description: VRRP daemon Value: 0 State: active


Name: sysApplElmtRunCPU.3.14.2787 Description: Alarm daemon Value: 3 State: active


Name: sysApplElmtRunCPU.3.15.2940 Description: PFE daemon Value: 0 State: active


Name: sysApplElmtRunCPU.3.16.2788 Description: CRAFT daemon Value: 0 State: active

Instance Name: sysApplElmtRunCPU.3.17.2918 Instance Description: Traffic sampling control daemon ---(more 23%)---


5245

®


show snmp inform-statistics Syntax Release Information

Description


show snmp inform-statistics

Command introduced in Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display information about Simple Network Management Protocol (SNMP) inform requests. This command has no options. view

show snmp inform-statistics on page 5246 Table 604 on page 5246 describes the output fields for the show snmp inform-statistics command. Output fields are listed in the approximate order in which they appear.

Table 604: show snmp inform-statistics Output Fields Field Name

Field Description

Target Name

Name of the device configured to receive and respond to SNMP informs.

Address

IP address of the target device.

Sent

Number of informs sent to the target device and acknowledged by the target device.

Pending

Number of informs held in memory pending a response from the target device.

Discarded

Number of informs discarded after the specified number of retransmissions to the target device were attempted.

Timeouts

Number of informs that did not receive an acknowledgement from the target device within the timeout specified.

Probe Failures

Connection failures that occurred (for example, when the target server returned invalid content or you incorrectly configured the target address).

Sample Output show snmp inform-statistics

5246

user@host> show snmp inform-statistics Inform Request Statistics: Target Name: TA1_v3_md5_none Address: 172.17.20.184 Sent: 176, Pending: 0 Discarded: 0, Timeouts: 0, Probe Failures: 0 Target Name: TA2_v3_sha_none Address: 192.168.110.59 Sent: 0, Pending: 4 Discarded: 84, Timeouts: 0, Probe Failures: 258


Chapter 145: SNMP

Target Name: TA5_v2_none Address: 172.17.20.184 Sent: 0, Pending: 0 Discarded: 2, Timeouts: 10, Probe Failures: 0


5247

®


show snmp rmon Syntax

Release Information

Description

Options

show snmp rmon

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display information about Simple Network Management Protocol (SNMP) Remote Monitoring (RMON) alarms and events. none—Display information about all RMON alarms and events. alarms—(Optional) Display information about RMON alarms. brief | detail—(Optional) Display brief or detailed information about RMON alarms or

events. events—(Optional) Display information about RMON events. logs—(Optional) Display information about RMON monitoring logs.


Output Fields

view

show snmp rmon on page 5250 show snmp rmon alarms detail on page 5250 show snmp rmon events detail on page 5251 Table 605 on page 5248 describes the output fields for the show snmp rmon command. Output fields are listed in the approximate order in which they appear.

Table 605: show snmp rmon Output Fields Field Name

Field Description

Level of Output

Alarm Index

Alarm identifier.

All levels

5248


Chapter 145: SNMP

Table 605: show snmp rmon Output Fields (continued) Field Name

Field Description

Level of Output

State

State of the alarm or event entry:

All levels

Alarms: •

active—Entry is fully configured and activated.

•

falling threshold crossed—Value of the variable has crossed the lower threshold

limit. •

rising threshold crossed—Value of the variable has crossed the upper threshold

limit. •


•

startup—Alarm is waiting for the first sample of the monitored variable.

•

object not available—Monitored variable of that type is not available to the

SNMP agent. •

instance not available—Monitored variable's instance is not available to the

SNMP agent. •

object type invalid—Monitored variable is not a numeric value.

•

object processing errored—An error occurred when the monitored variable

was processed. •


Events: •

active—Entry has been fully configured and activated.

•


•


Variable name

Name of the SNMP object instance being monitored.

All levels

Event Index

Event identifier.

All levels

Type

Type of notification made when an event is triggered. It can be one of the following:

detail

•

log—A system log message is generated and an entry is made to the log table.

•

snmptrap—An SNMP trap is sent to the configured destination.

•

log and trap—A system log message is generated, an entry is made to the log

table, and an SNMP trap is sent to the configured destination. •

none—Neither log nor trap will be sent.

Last Event

Date and time of the last event. It has the format yyyy-mm-dd hh:mm:ss timezone.

brief

Community

Identifies the trap group used for sending the SNMP trap.

detail

Variable OID

Object ID to which the variable name is resolved. The format is x.x.x.x.

detail

Sample type

Method of sampling the monitored variable and calculating the value to compare against the upper and lower thresholds. It can have the value of absolute value or delta value.

detail


5249

®


Table 605: show snmp rmon Output Fields (continued) Field Name

Field Description

Level of Output

Startup alarm

Alarm that might be sent when this entry is first activated, depending on the following criteria:

detail

•

•

Alarm is sent when one of the following situations exists: •

Value of the alarm is above or equal to the rising threshold and the startup type is either rising alarm or rising or falling alarm.

•

Value of the alarm is below or equal to the falling threshold and the startup type is either falling alarm or rising or falling alarm.

Alarm is not sent when one of the following situations exists: •

Value of the alarm is above or equal to the rising threshold and the startup type is falling alarm.

•

Value of the alarm is below or equal to the falling threshold and the startup type is rising alarm.

•

Value of the alarm is between the thresholds.

Owner

Name of the entry configured by the user. If the entry was created through the CLI, the owner has monitor prepended to it.

detail

Creator

Mechanism by which the entry was configured (CLI or SNMP).

detail

Sample interval

Time period between samples (in seconds).

detail

Rising threshold

Upper limit threshold value configured by the user.

detail

Falling threshold

Lower limit threshold value configured by the user.

detail

Rising event index

Event triggered when the rising threshold is crossed.

detail

Falling event index

Event triggered when the falling threshold is crossed.

detail

Current value

Current value of the monitored variable in the most recent sample interval.

detail

Sample Output show snmp rmon

show snmp rmon alarms detail

user@host> show snmp rmon Alarm Index State 1 falling threshold crossed

Variable name ifInOctets.1

Event Index 1

Last Event 2002-01-30 01:13:01 PST

Type log and trap

user@host> show snmp rmon alarms detail Alarm Index 1: Variable name Variable OID

5250

ifInOctets.1 1.3.6.1.2.1.2.2.1.10.1


Chapter 145: SNMP

Sample type Startup alarm Owner Creator State Sample interval Rising threshold Falling threshold Rising event index Falling event index Current value

show snmp rmon events detail

delta value rising or falling alarm monitor CLI falling threshold crossed 60 seconds 100000 80000 1 1 0

user@host> show snmp rmon events detail Event Index 1: Type Community Last event Creator State


log and trap boy-elroy 2002-01-30 01:13:01 PST CLI active

5251

®


show snmp rmon history Syntax


show snmp rmon history

Command introduced in Junos OS Release 9.0 for EX Series switches. Display the contents of the RMON history group. none—Display all the entries in the RMON history group. history-index—(Optional) Display the contents of the specified entry in the RMON history

group. sample-index—(Optional) Display the statistics collected for the specified sample within

the specified entry in the RMON history group. Required Privilege Level Related Documentation List of Sample Output

Output Fields

view

•

clear snmp rmon history on page 5230

show snmp rmon history 1 on page 5253 show snmp rmon history 1 sample 15 on page 5254 Table 606 on page 5252 lists the output fields for the show smp rmon history command. Output fields are listed in the approximate order in which they appear.

Table 606: show smp rmon history Output Fields Field Name

Field Description

History Index

Identifies this RMON history entry within the RMON history group.

Owner

The entity that configured this entry. Range is 0 to 32 alphanumeric characters.

Status

The status of the RMON history entry.

Interface or Data Source

The ifndex object that identifies the interface that is being monitored.

Interval

The interval (in seconds) configured for this RMON history entry.

Buckets Requested

The requested number of buckets (intervals) configured for this RMON history entry.

Buckets Granted

The number of buckets granted for this RMON history entry.

5252


Chapter 145: SNMP

Table 606: show smp rmon history Output Fields (continued) Field Name

Field Description

Sample Index

The sample statistics taken at the specified interval. •

Drop Events—Number of packets dropped by the input queue of the I/O

Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism. •

Octets—Total number of octets and packets. For Gigabit Ethernet IQ PICs,

the received octets count varies by interface type. •

Packets—Total number of packets.

•

Broadcast Packets—Number of broadcast packets.

•

Multicast Packets—Number of multicast packets.

•

CRC errors—Total number of packets received that had a length (excluding

framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS error) or a bad FCS with a nonintegral number of octets (alignment error). •

Undersize Pkts—Number of packets received during this sampling interval

that were less than 64 octets long (excluding framing bits but including FCS octets) and were otherwise well formed. •

Oversize Pkts—Number of packets received during the sampling interval that

were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed. •

Fragments—Total number of packets that were less than 64 octets in length

(excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted. •

Jabbers—Number of frames that were longer than 1518 octets (excluding


Collisions—Number of Ethernet collisions. The Gigabit Ethernet PIC supports

only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug. •

Utilization(%)—The best estimate of the mean physical layer network

utilization on this interface during this sampling interval, in hundredths of a percent.

Sample Output show snmp rmon history 1

user@host> show snmp rmon history 1 History Index 1: Interface Requested Buckets Interval

171 50 10

Sample Index 1: Interval Start: Tue Feb 12 04:12:32 2008 Drop Events 0 Octets 486 Packets 2 Broadcast Packet 0 Multicast Packets 2


5253

®


CRC errors Undersize Pkts Oversize Pkts Fragments Jabbers Collisions Utilization(%)

0 0 0 0 0 0 0

Sample Index 2: Interval Start: Tue Feb 12 04:12:42 2008 Drop Events 0 Octets 486 Packets 2 Broadcast Packet 0 Multicast Packets 2 CRC errors 0 Undersize Pkts 0 Oversize Pkts 0 Fragments 0 Jabbers 0 Collisions 0 Utilization(%) 0 Sample Index 3: Interval Start: Tue Feb 12 04:12:52 2008 Drop Events 0 Octets 486 Packets 2 Broadcast Packet 0 Multicast Packets 2 CRC errors 0 Undersize Pkts 0 Oversize Pkts 0 Fragments 0 Jabbers 0 Collisions 0 Utilization(%) 0

show snmp rmon history 1 sample 15

user@host> show snmp rmon history 1 sample 15 Index 1 Owner = monitor Status = valid Data Source = ifIndex.17 Interval = 1800 Buckets Requested = 50 Buckets Granted = 50

Sample Index 44: Interval Start: Thu Jan Drop Events = 0 Octetes = 0 Packets = 0 Broadcast Pkts = 0 Multicast Pkts = 0 CRC Errors = 0 Undersize Pkts = 0 Oversize Pkts = 0 Fragments = 0 Jabbers = 0 Collisions = 0

5254

1 00:08:35 1970


Chapter 145: SNMP

Utilization (%)


= 0

5255

®


show snmp statistics Syntax

show snmp statistics

Release Information


Description

Display statistics about Simple Network Management Protocol (SNMP) packets sent and received by the router or switch.

Options



view


•


clear snmp statistics on page 5231

show snmp statistics on page 5259

Output Fields

Table 607 on page 5256 describes the output fields for the show snmp statistics command. Output fields are listed in the approximate order in which they appear.

Table 607: show snmp statistics Output Fields Field Name

Field Description

Input

Information about received packets: •

Packets(snmpInPkts)—Total number of messages delivered to the SNMP entity from the transport

service. •

Bad versions—(snmpInBadVersions) Total number of messages delivered to the SNMP entity that

were for an unsupported SNMP version. •

Bad community names—(snmpInBadCommunityNames) Total number of messages delivered to

the SNMP entity that used an SNMP community name not known to the entity. •

Bad community uses—(snmpInBadCommunityUses) Total number of messages delivered to the

SNMP entity that represented an SNMP operation that was not allowed by the SNMP community named in the message. •

ASN parse errors—(snmpInASNParseErrs) Total number of ASN.1 or BER errors encountered by the

SNMP entity when decoding received SNMP messages.

5256

•

Too bigs—(snmpInTooBigs) Total number of SNMP PDUs delivered to the SNMP entity with an error status field of tooBig.

•

No such names—(snmpInNoSuchNames) Total number of SNMP PDUs delivered to the SNMP entity with an error status field of noSuchName.

•

Bad values—(snmpInBadValues) Total number of SNMP PDUs delivered to the SNMP entity with an error status field of badValue.

•

Read onlys—(snmpInReadOnlys) Total number of valid SNMP PDUs delivered to the SNMP entity with an error status field of readOnly. Only incorrect implementations of SNMP generate this error.


Chapter 145: SNMP

Table 607: show snmp statistics Output Fields (continued) Field Name

Field Description

Input (continued)

•

General errors—(snmpInGenErrs) Total number of SNMP PDUs delivered to the SNMP entity with an error status field of genErr.

•

Total requests varbinds—(snmpInTotalReqVars) Total number of MIB objects retrieved successfully by the SNMP entity as a result of receiving valid SNMP GetRequest and GetNext PDUs.

•

Total set varbinds—(snmpInSetVars) Total number of MIB objects modified successfully by the SNMP entity as a result of receiving valid SNMP SetRequest PDUs.

•

Get requests—(snmpInGetRequests) Total number of SNMP GetRequest PDUs that have been

accepted and processed by the SNMP entity. •

Get nexts—(snmpInGetNexts) Total number of SNMP GetNext PDUs that have been accepted and

processed by the SNMP entity. •

Set requests—(snmpInSetRequests) Total number of SNMP SetRequest PDUs that have been


Get responses—(snmpInGetResponses) Total number of SNMP GetResponse PDUs that have been


Traps—(snmpInTraps) Total number of SNMP traps generated by the SNMP entity.

•

Silent drops—(snmpSilentDrops) Total number of GetRequest, GetNextRequest, GetBulkRequest, SetRequests, and InformRequest PDUs delivered to the SNMP entity that were silently dropped

because the size of a reply containing an alternate response PDU with an empty variable-bindings field was greater than either a local constraint or the maximum message size associated with the originator of the requests. •

Proxy drops—(snmpProxyDrops) Total number of GetRequest, GetNextRequest, GetBulkRequest, SetRequests, and InformRequest PDUs delivered to the SNMP entity that were silently dropped

because the transmission of the message to a proxy target failed in such a way (other than a timeout) that no response PDU could be returned. •

Commit pending drops—Number of SNMP packets for Set requests dropped because of a previous pending SNMP Set request on the committed configuration.

•

Throttle drops—Number of SNMP packets for any requests dropped reaching the throttle limit.


5257

®



Field Description

V3 Input

Information about SNMP version 3 packets: •

Unknown security models—(snmpUnknownSecurityModels) Total number of packets received by

the SNMP engine that were dropped because they referenced a security model that was not known to or supported by the SNMP engine. •

Invalid messages—(snmpInvalidMsgs) Number of packets received by the SNMP engine that were

dropped because there were invalid or inconsistent components in the SNMP message. •

Unknown pdu handlers—(snmpUnknownPDUHandlers) Number of packets received by the SNMP

engine that were dropped because the PDU contained in the packet could not be passed to an application responsible for handling the PDU type. •

Unavailable contexts—(snmpUnavailableContexts) Number of requests received for a context that

is known to the SNMP engine, but is currently unavailable. •

Unknown contexts—(snmpUnknownContexts) Total number of requests received for a context that

is unknown to the SNMP engine. •

Unsupported security levels—(usmStatsUnsupportedSecLevels) Total number of packets received

by the SNMP engine that were dropped because they requested a security level unknown to the SNMP engine (or otherwise unavailable). •

Not in time windows—(usmStatsNotInTimeWindows) Total number of packets received by the

SNMP engine that were dropped because they appeared outside the authoritative SNMP engine’s window. •

Unknown user names—(usmStatsUnknownUserNames) Total number of packets received by the

SNMP engine that were dropped because they referenced a user that was not known to the SNMP engine. •

Unknown engine ids—(usmStatsUnknownEngineIDs) Total number of packets received by the SNMP

engine that were dropped because they referenced an SNMP engine ID that was not known to the SNMP engine. •

Wrong digests—(usmStatsWrongDigests) Total number of packets received by the SNMP engine

that were dropped because they did not contain the expected digest value. •

Decryption errors—(usmStatsDecryptionErrors) Total number of packets received by the SNMP

engine that were dropped because they could not be decrypted.

5258


Chapter 145: SNMP


Field Description

Output

Information about transmitted packets: •

Packets—(snmpOutPkts) Total number of messages passed from the SNMP entity to the transport

service. •

Too bigs—(snmpOutTooBigs) Total number of SNMP PDUs generated by the SNMP entity with an error status field of tooBig.

•

No such names—(snmpOutNoSuchNames) Total number of SNMP PDUs delivered to the SNMP entity with an error status field of noSuchName.

•

Bad values—(snmpOutBadValues) Total number of SNMP PDUs generated by the SNMP entity with an error status field of badValue.

•

General errors—(snmpOutGenErrs) Total number of SNMP PDUs generated by the SNMP entity with an error status field of genErr.

•

Get requests—(snmpOutGetRequests) Total number of SNMP GetRequest PDUs generated by the

SNMP entity. •

Get nexts—(snmpOutGetNexts) Total number of SNMP GetNext PDUs generated by the SNMP

entity. •

Set requests—(snmpOutSetRequests) Total number of SNMP SetRequest PDUs generated by the

SNMP entity. •

Get responses—(snmpOutGetResponses) Total number of SNMP GetResponse PDUs generated by

the SNMP entity. •

Traps—(snmpOutTraps) Total number of SNMP traps generated by the SNMP entity.

Sample Output show snmp statistics

user@host> show snmp statistics SNMP statistics: Input: Packets: 246213, Bad versions: 12, Bad community names: 12, Bad community uses: 0, ASN parse errors: 96, Too bigs: 0, No such names: 0, Bad values: 0, Read onlys: 0, General errors: 0, Total request varbinds: 227084, Total set varbinds: 67, Get requests: 44942, Get nexts: 190371, Set requests: 10712, Get responses: 0, Traps: 0, Silent drops: 0, Proxy drops: 0, Commit pending drops: 0, Throttle drops: 0, V3 Input: Unknown security models: 0, Invalid messages: 0 Unknown pdu handlers: 0, Unavailable contexts: 0 Unknown contexts: 0, Unsupported security levels: 1 Not in time windows: 0, Unknown user names: 0 Unknown engine ids: 44, Wrong digests: 23, Decryption errors: 0 Output: Packets: 246093, Too bigs: 0, No such names: 31561, Bad values: 0, General errors: 2, Get requests: 0, Get nexts: 0, Set requests: 0, Get responses: 246025, Traps: 0


5259

®


show snmp v3 Syntax

Release Information

Description

Options

show snmp v3

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the Simple Network Management Protocol version 3 (SNMPv3) operating configuration. none—Display all of the SNMPv3 operating configuration. access—(Optional) Display SNMPv3 access information. brief | detail—(Optional) Display brief or detailed information about SNMPv3 access

information. community—(Optional) Display SNMPv3 community information. general—(Optional) Display SNMPv3 general information. groups—(Optional) Display SNMPv3 security-to-group information. notify —(Optional) Display SNMPv3 notify and, optionally, notify filter information. target —(Optional) Display SNMPv3 target and, optionally, either

target address or target parameter information. users—(Optional) Display SNMPv3 user information.



5260

To edit the default display of the show snmp v3 command, specify options in the show statement at the [edit snmp v3] hierarchy level. view

show snmp v3 on page 5262 Table 608 on page 5261 describes the output fields for the show snmp v3 command. Output fields are listed in the approximate order in which they appear.


Chapter 145: SNMP

Table 608: show snmp v3 Output Fields Field Name

Field Description

Access control

Information about access control: •

Group—Group name for which the configured access privileges apply. The group, together with the

context prefix and the security model and security level, forms the index for this table. •

Context prefix—SNMPv3 context for which the configured access privileges apply.

•

Security model/level—Security model and security level for which the configuration access privileges

apply.

Engine

•

Read view—Identifies the MIB view applied to SNMPv3 read operations.

•

Write view—Identifies the MIB view applied to SNMPv3 write operations.

•

Notify view—Identifies the MIB view applied to outbound SNMP notifications.

Information about local engine configuration: •

Local engine ID—Identifier that uniquely and unambiguously identifies the local SNMPv3 engine.

•

Engine boots—Number of times the local SNMPv3 engine has rebooted or reinitialized since the

engine ID was last changed.

Engine ID

•

Engine time—Number of seconds since the local SNMPv3 engine was last rebooted or reinitialized.

•

Max msg size—Maximum message size the sender can accommodate.

Information about engine ID: •

Local engine ID—Identifier that uniquely and unambiguously identifies the local SNMPv3 engine.

•

Engine boots—Number of times the local SNMPv3 engine has rebooted or reinitialized since the

engine ID was last changed. •

Engine time—Number of seconds since the local SNMPv3 engine was last rebooted or reinitialized.

•

Max msg size—Maximum message size the sender can accommodate.

•

Engine ID—SNMPv3 engine ID associated with each user.

•

User—SNMPv3 user.

•

Auth/Priv—Authentication and encryption algorithm available for use by each user.

•

Storage—Indicates whether a user is saved to the configuration file (nonvolatile) or not (volatile).

Applies only to users with active status. •

Status—Status of the conceptual row. Only rows with an active status are used by the SNMPv3

engine. Group name

Name of the group to which this entry belongs.

Security model

Identifies the security model context for the security name.

Security name

Used with the security model; identifies a specific security name instance. Each security model/security name combination can be assigned to a specific group.

Storage type

Indicates whether a user is saved to the configuration file (nonvolatile) or not (volatile). Applies only to users with active status.

Status

Status of the conceptual row. Only rows with active status are used by the SNMPv3 engine.


5261

®


Sample Output show snmp v3

user@host> show snmp v3 Local engine ID: 80 00 0a 4c e04 31 32 33 34 Engine boots: 38 Engine time: 64583 seconds Max msg size: 2048 bytes Engine ID: local User user1 user2 user3

Auth/Priv md5/des sha/none none/none

Engine ID: 81 00 0a 4c 04 64 64 64 64 User Auth/Priv UNEW md5/none Group name Security Security model name g1 usm user1 g2 usm user2 g3 usm user3 Access control: Group g1 g2 g3

5262

Context Security prefix model/level usm/privacy usm/authent usm/none

Read view v1 v1 v1

Storage nonvolatile nonvolatile nonvolatile

Status active active active

Storage Status nonvolatile active Storage Status type nonvolatile active nonvolatile active nonvolatile active

Write view v1 v1 v1

Notify view


CHAPTER 146

Real-Time Performance Monitoring (RPM) •

RPM—Overview on page 5263

•

Configuring Real-Time Performance Monitoring (RPM) on page 5267

•

Verifying Real-Time Performance Monitoring on page 5276

•

Configuration Statements for Real-Time Performance Monitoring on page 5276

•

Operational Commands for Real-Time Performance Monitoring on page 5294

•

Understanding Real-Time Performance Monitoring on EX Series Switches on page 5264

RPM—Overview


5263

®


Understanding Real-Time Performance Monitoring on EX Series Switches Real-time performance monitoring (RPM) enables you to configure active probes to track and monitor traffic across the network and to investigate network problems. You can use RPM with Juniper Networks EX Series Ethernet Switches. The ways in which you can use RPM include: •

Monitor time delays between devices.

•

Monitor time delays at the protocol level.

•

Set thresholds to trigger SNMP traps when values are exceeded. You can configure thresholds for round-trip time, ingress or egress delay, standard deviation, jitter, successive lost probes, and total lost probes per test. (SNMP trap results are stored in pingResultsTable, jnxPingResultsTable, jnxPingProbeHistoryTable, and pingProbeHistoryTable.)

•

Determine automatically whether a path exists between a host router or switch and its configured BGP neighbors. You can view the results of the discovery using an SNMP client.

•

Use the history of the most recent 50 probes to analyze trends in your network and predict future needs.

RPM provides MIB support with extensions for RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations. This topic includes: •

RPM Packet Collection on page 5264

•

Tests and Probe Types on page 5264

•

Hardware Timestamps on page 5265

•

Limitations of RPM on EX Series Switches on page 5267

RPM Packet Collection Probes collect packets per destination and per application, including ping Internet Control Message Protocol (ICMP) packets, User Datagram Protocol and Transmission Control Protocol (UDP/TCP) packets with user-configured ports, user-configured Differentiated Services code point (DSCP) type-of-service (ToS) packets, and Hypertext Transfer Protocol (HTTP) packets.

Tests and Probe Types A test can contain multiple probes. The probe type specifies the packet and protocol contents of the probe. EX Series switches support the following tests and probe types: •

Ping tests: •

5264

ICMP echo probe


Chapter 146: Real-Time Performance Monitoring (RPM)

• •

•

ICMP timestamp probe

HTTP tests: •

HTTP get probe (not available for BGP RPM services)

•

HTTP get metadata probe

UDP and TCP tests with user-configured ports: •

UDP echo probe

•

TCP connection probe

•

UDP timestamp probe

Hardware Timestamps To account for latency or jitter in the communication of probe messages, you can enable timestamping of the probe packets (hardware timestamps). If hardware timestamps are not configured, then timers are generated at the software level and are less accurate than they would have been with hardware timestamps.

NOTE: EX Series switches support hardware timestamps for UDP and ICMP probes. EX Series switches do not support hardware timestamps for HTTP or TCP probes.

You can timestamp the following RPM probes to improve the measurement of latency or jitter: •

ICMP ping

•

ICMP ping timestamp

•

UDP ping

•

UDP ping timestamp

You should configure the requester (the RPM client) with hardware timestamps (see Figure 143 on page 5266) to get more meaningful results than you would get without the timestamps.The responder (the RPM server) does not need to be configured to support hardware timestamps. If the responder supports hardware timestamps, it timestamps the RPM probes. If the responder does not support hardware timestamps, RPM can only report round-trip measurements that include the processing time on the responder.

NOTE: Hardware timestamps are supported on all EX Series switches.

Figure 143 on page 5266 shows the timestamps:


5265

®


Figure 143: RPM Timestamps

•

T1 is the time the packet leaves the requester port.

•

T2 is the time the responder receives the packet.

•

T3 is the time the responder sends the response.

•

T4 is the time the requester receives the response.

The round-trip time is (T2 – T1) + (T4 – T3). If the responder does not support hardware timestamps, then the round-trip time is (T4 – T1) / 2, and thus includes the processing time of the responder. You can use RPM probes to find the following time measurements: •

Minimum round-trip time

•

Maximum round-trip time

•

Average round-trip time

•

Standard deviation of the round-trip time

•

Jitter of the round-trip time—Difference between the minimum and maximum round-trip time

NOTE: See “Configuring the Interface for RPM Timestamping for Client/Server on an EX Series Switch (CLI Procedure)” on page 5274 for information on how to configure hardware timestamps on the requester.

The RPM feature provides a configuration option to set one-way hardware timestamps. Use one-way timestamps when you want information about one-way time, rather than round-trip times, for packets to traverse the network between the requester and the responder. As shown in Figure 143 on page 5266, one-way timestamps represent the time T2 – T1 and the time from T4 – T3. Use one-way timestamps when you want to gather information about delay in each direction and to find egress and ingress jitter values.

NOTE: For correct one-way measurement, the clocks of the requester and responder must be synchronized. If the clocks are not synchronized, one-way jitter measurements and calculations can include significant variations, in some cases orders of magnitude greater than the round-trip times.

5266



When you enable one-way timestamps in a probe, the following one-way measurements are reported: •

Minimum, maximum, standard deviation, and jitter measurements for egress and ingress times

•

Number of probes sent

•

Number of probe responses received

•

Percentage of lost probes

Limitations of RPM on EX Series Switches


•

Two-Way Active Measurement Protocol (TWAMP) is not supported on EX Series switches.

•

EX Series switches do not support user-configured class-of-service (CoS) classifiers or prioritization of RPM packets over regular data packets received on an input interface.

•

Timestamps: •

If the responder does not support hardware timestamps, RPM can only report the round-trip measurements and cannot calculate round-trip jitter.

•

EX Series switches do not support hardware timestamps for HTTP and TCP probes.

•

Timestamps apply only to IPv4 traffic.

•

For further details about RPM, see Junos OS Services Interfaces Configuration Guide

•

Configuring the Interface for RPM Timestamping for Client/Server on an EX Series Switch (CLI Procedure) on page 5274

•

Configuring Real-Time Performance Monitoring (J-Web Procedure) on page 5267

•


•

Monitoring Network Traffic Using Traceroute on page 5443

Configuring Real-Time Performance Monitoring (RPM) •


•

Configuring the Interface for RPM Timestamping for Client/Server on an EX Series Switch (CLI Procedure) on page 5274

Configuring Real-Time Performance Monitoring (J-Web Procedure) Real-time performance monitoring (RPM) in EX Series switches enables you to configure and send probes to a specified target and monitor the analyzed results to determine packet loss, round-trip time, and jitter. Jitter is the difference in relative transit time between two consecutive probes. You can set up probe owners and configure one or more performance probe tests under each probe owner. The ways in which you can use RPM include:


5267

®


•

Monitor time delays between devices.

•

Monitor time delays at the protocol level.

•

Set thresholds to trigger SNMP traps when threshold values are exceeded. You can configure thresholds for round-trip time, ingress or egress delay, standard deviation, jitter, successive lost probes, and total lost probes per test.

•

Determine automatically whether a path exists between a host switch and its configured Border Gateway Protocol (BGP) neighbors. You can view the results of the discovery using an SNMP client.

•

Use the history of the most recent 50 probes to analyze trends in your network and predict future needs.

Probes collect packets per destination and per application, including PING Internet Control Message Protocol (ICMP) packets, User Datagram Protocol and Transmission Control Protocol (UDP/TCP) packets with user-configured ports, user-configured Differentiated Services code point (DSCP) type-of-service (ToS) packets, and Hypertext Transfer Protocol (HTTP) packets. EX Series switches support the following tests and probe types: •

•

Ping tests: •

ICMP echo

•

ICMP timestamp

HTTP tests: •

•

HTTP get (not available for BGP RPM services)

UDP and TCP tests with user-configured ports: •

UDP echo

•

TCP connection

•

UDP timestamp

To account for latency in the communication of probe messages, you can enable timestamping of the probe packets. You should configure both the requester and the responder to timestamp the RPM packets. The RPM features provides an additional configuration option to set one-way hardware timestamps. Use one-way timestamps when you want information about one-way, rather than round-trip, times for packets to traverse the network between the requester and the responder.

5268



NOTE: •

EX Series switches support hardware timestamps for UDP and ICMP probes. EX Series switches do not support hardware timestamps for HTTP or TCP probes.

•

If the responder does not support hardware timestamps, RPM can only report the round-trip measurements, it cannot calculate round-trip jitter.

•

In EX Series switches timestamps apply only to IPv4 traffic.

To configure RPM using the J-Web interface: 1.

Select Troubleshoot > RPM > Configure RPM .

2. In the Configure RPM page, enter information as specified in Table 609 on page 5269. a. Click Add to set up the Owner Name and Performance Probe Tests. b. Select a probe owner from Probe Owners list and click Delete to remove the selected

probe owner c. Double-click one of the probe owners in Probe Owners list to display the list of

performance probe tests. d. Double-click one of the performance probe tests to edit the test parameters. 3. Enter the Maximum Number of Concurrent Probes and specify the Probe Servers. 4. Click Apply to apply the RPM probe settings.

Table 609: RPM Probe Owner, Concurrent Probes, and Probe Servers Configuration Fields Field

Function

Your Action

Probe Owners

Identifies a owner for whom one or more RPM tests are configured. In most implementations, the owner name identifies a network on which a set of tests is being run.

1.

Click Add and type an owner name.

2. In Performance Probe Tests, click Add to define the RPM test parameters. See Table 610 on page 5270 for information on configuring RPM test parameters. 3. Click OK to save the settings or Cancel to exit from the window without saving the changes.

Maximum Number of Concurrent Probes


Specifies the maximum number of concurrent probes allowed.

Type a number from 1 through 500.

5269

®


Table 609: RPM Probe Owner, Concurrent Probes, and Probe Servers Configuration Fields (continued) Field

Function

Your Action

Probe Servers

Specifies the servers that act as receivers and transmitters for the probes.

Set up the following servers: •

TCP Probe Server—Specifies the port on which the device is to receive and transmit TCP probes. Type the number 7 (a standard TCP port number) or a port number from 49160 through 65535.

•

UDP Probe Server—Specifies the port on which the device is to receive and transmit UDP probes. Type the number 7 (a standard TCP port number) or a port number from 49160 through 65535.

Table 610: Performance Probe Tests Configuration Fields Field

Function

Your Action

Test Name

Identifies the RPM test.

Type a test name.

Target (Address or URL)

Specifies the IP address or the URL of the probe target.

Type the IP address in dotted decimal notation or the URL of the probe target. If the target is a URL, type a fully formed URL that includes http://.

Source Address

Specifies the IP address to be used as the probe source address.

Type the source address to be used for the probe. If you do not supply this value, the packet uses the outgoing interface's address as the probe source address.

Routing Instance

Specifies the routing instance over which the probe is sent.

Type the routing instance name. The routing instance applies only to icmp-ping and icmp-ping-timestamp probe types. The default routing instance is inet.0.

History Size

Specifies the number of probe results to be saved in the probe history.

Type a number from 0 through 255. The default history size is 50.

Identification

Request Information

5270



Table 610: Performance Probe Tests Configuration Fields (continued) Field

Function

Your Action

Probe Type

Specifies the type of probe to send as part of the test.

Select a probe type from the list: •

http-get

•

http-get-metadata

•

icmp-ping

•

icmp-ping-timestamp

•

tcp-ping

•

udp-ping

•

udp-ping-timestamp

Interval

Sets the wait time (in seconds) between probe transmissions.

Type a number from 1 through 255 .

Test Interval

Sets the wait time (in seconds) between tests.

Type a number from 0 through 86400 .

Probe Count

Sets the total number of probes to be sent for each test.


Moving Average Size

Specifies the number of samples to be used in the statistical calculation operations to be performed across a number of the most recent samples.


Destination Port

Specifies the TCP or UDP port to which probes are sent.

Type the number 7 (a standard TCP or UDP port number) or a port number from 49160 through 65535.

To use TCP or UDP probes, you must configure the remote server as a probe receiver. Both the probe server and the remote server must be Juniper Networks network devices configured to receive and transmit RPM probes on the same TCP or UDP port. DSCP Bits

Specifies the Differentiated Services code point (DSCP) bits. This value must be a valid 6-bit pattern.

Type a valid 6-bit pattern.

Data Size

Specifies the size (in bytes) of the data portion of the ICMP probes.


Data Fill

Specifies the hexadecimal value of the data portion of the ICMP probes.

Type a hexadecimal value from 1h through 800h .

Enables one-way hardware timestamp.

To enable timestamping, select the check box.

Hardware Timestamp One Way Hardware Timestamp


5271

®



Function

Your Action

Destination Interface

Enables hardware timestamp on the specified interface.

Select an interface from the list.

Successive Lost Probes

Sets the number of probes that can be lost successively, if exceeded, triggers a probe failure and generates a system log message.


Lost Probes

Sets the number of probes that can be lost , if exceeded, triggers a probe failure and generates a system log message.


Round Trip Time

Sets the round-trip time (in microseconds), from the switch to the remote server, if exceeded, triggers a probe failure and generates a system log message.


Jitter

Sets the jitter (in microseconds), if exceeded, triggers a probe failure and generates a system log message.


Standard Deviation

Sets the maximum allowable standard deviation (in microseconds), if exceeded, triggers a probe failure and generates a system log message.


Egress Time

Sets the one-way time (in microseconds), from the switch to the remote server, if exceeded, triggers a probe failure and generates a system log message.


Ingress Time

Sets the one-way time (in microseconds), from the remote server to the switch, if exceeded, triggers a probe failure and generates a system log message.

Type a number from 0 through 60000000 (microseconds).

Jitter Egress Time

Sets the outbound-time jitter (in microseconds), if exceeded triggers a probe failure and generates a system log message.


Jitter Ingress Time

Sets the inbound-time jitter (in microseconds), if exceeded, triggers a probe failure and generates a system log message.

Type a number from 0 and 60000000.

Maximum Probe Thresholds

5272




Function

Your Action

Egress Standard Deviation

Sets the maximum allowable standard deviation of outbound times (in microseconds), if exceeded, triggers a probe failure and generates a system log message.


Ingress Standard Deviation

Sets the maximum allowable standard deviation of inbound times (in microseconds), if exceeded, triggers a probe failure and generates a system log message.


Generates SNMP traps when the threshold for jitter in outbound time is exceeded.

•

To enable SNMP traps for this condition, select the check box.

•

To disable SNMP traps, clear the check box.

Generates SNMP traps when the threshold for standard deviation in outbound times is exceeded.

•


•


Generates SNMP traps when the threshold for maximum outbound time is exceeded.

•


•


Generates SNMP traps when the threshold for jitter in inbound time is exceeded.

•


•


Generates SNMP traps when the threshold for standard deviation in inbound times is exceeded.

•


•


Generates SNMP traps when the threshold for maximum inbound time is exceeded.

•


•


Generates SNMP traps when the threshold for jitter in round-trip time is exceeded.

•


•


Traps Egress Jitter Exceeded

Egress Standard Deviation Exceeded

Egress Time Exceeded

Ingress Jitter Exceeded

Ingress Standard Deviation Exceeded

Ingress Time Exceeded

Jitter Exceeded


5273

®



Function

Your Action

Probe Failure

Generates SNMP traps when the threshold for the number of successive lost probes is exceeded.

•


•


Generates SNMP traps when the threshold for maximum round-trip time is exceeded.

•


•


Generates SNMP traps when the threshold for standard deviation in round-trip times is exceeded.

•


•


Generates SNMP traps when a test is completed.

•


•


•


•


RTT Exceeded

Standard Deviation Exceeded

Test Completion

Test Failure


Generates SNMP traps when the threshold for the total number of lost probes is exceeded.

•


•

Viewing Real-Time Performance Monitoring Information on page 5276

Configuring the Interface for RPM Timestamping for Client/Server on an EX Series Switch (CLI Procedure) Use real-time performance monitoring (RPM) to configure active probes to track and monitor traffic across the network and to investigate network problems. To configure basic RPM probes on the EX Series switch, you must configure the probe owner, the test, and the specific parameters of the RPM probe. You can also set a timestamp to improve the measurement of latency or jitter. The probe is timestamped by the device originating the probe (the RPM client). If you do not enable hardware timestamps, the timer values are set. You should configure both the RPM client (the requester) and the RPM server (the responder) to timestamp the RPM packets. However, if the RPM server does not support hardware timestamps, RPM can only report the round-trip measurements. Timestamps apply only to IPv4 traffic. You can enable hardware timestamps for the following RPM probe types:

5274



•

icmp-ping

•

icmp-ping-timestamp

•

udp-ping

•

udp-ping-timestamp

To configure RPM probes and enable hardware timestamping: 1.

Specify the probe owner: [edit services rpm] user@switch# set probe owner

2. Specify a test name. A test represents the range of probes over which the standard

deviation, average, and jitter are calculated. [edit services rpm probe owner] user@switch# set test test-name 3. Specify the packet and protocol contents of the probe: [edit services rpm probe owner test test-name] user@switch# set probe-type type 4. Specify the destination IPv4 address to be used for the probes: [edit services rpm probe owner test test-name] user@switch# set target address 5. Specify the number of probes within a test: [edit services rpm probe owner test test-name] user@switch# set probe-count count 6. Specify the time, in seconds, to wait between sending packets: [edit services rpm probe owner test test-name] user@switch# set probe-interval interval 7. Specify the time, in seconds, to wait between tests: [edit services rpm probe owner test test-name] user@switch# set test-interval interval 8. Specify the source IP address to be used for probes. If the source IP address is not

one of the switch’s assigned addresses, the packet uses the outgoing interface’s address as its source. [edit services rpm probe owner test test-name] user@switch# set source-address address 9. Specify the value of the Differentiated Services (DiffServ) field within the IP header.

The DiffServ code point (DSCP) bits value must be set to a valid 6-bit pattern. [edit services rpm probe owner test test-name] user@switch# set dscp-code-point dscp-bits 10. If you are using ICMP probes, specify the size of the data portion of ICMP probes: [edit services rpm probe owner test test-name] user@switch# set data-size size 11. Enable hardware timestamping of RPM probe messages: [edit services rpm probe owner test test-name] user@switch# set hardware-timestamp


•



5275

®


•

Understanding Real-Time Performance Monitoring on EX Series Switches on page 5264

Verifying Real-Time Performance Monitoring •

Viewing Real-Time Performance Monitoring Information on page 5276

Viewing Real-Time Performance Monitoring Information Real-time performance monitoring (RPM) on EX Series switches enables you to configure and send probes to a specified target and monitor the analyzed results to determine packet loss, round-trip time, and jitter. The J-Web interface provides a graphical view of RPM information for EX Series switches. To view the RPM information using the J-Web interface: 1.

Select Troubleshoot >RPM >View RPM.

2. Select the Round Trip Time check box to display the graph with round-trip time

included. Clear the check-box to view the graph without the round-trip time. 3. From the Refresh Time list, select a refresh time interval for the graph.


•


Configuration Statements for Real-Time Performance Monitoring data-fill Syntax Hierarchy Level

Release Information

Description

Options Usage Guidelines


5276

data-fill data; [edit services rpm bgp], [edit services (RPM) rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the contents of the data portion of Internet Control Message Protocol (ICMP) probes. data—A hexadecimal value; for example, 0-9, A-F.

The data-fill statement is not valid with the http-get or http-metadata-get probe types. See Configuring BGP Neighbor Discovery Through RPM or Configuring Real-Time Performance Monitoring. system—To view this statement in the configuration. interface-control—To add this statement to the configuration.



data-size Syntax Hierarchy Level

Release Information

Description Options

data-size size; [edit services rpm bgp], [edit services (RPM) rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the size of the data portion of ICMP probes. data—The size can be from 0 through 65507

Default: 0

NOTE: If you configure the hardware timestamp feature (see Configuring Real-Time Performance Monitoring), the data-size default value is 32 bytes and 32 is the minimum value for explicit configuration. The UDP timestamp probe type is an exception; it requires a minimum data size of 52 bytes.

Usage Guidelines


The data-size statement is not valid with the http-get or http-metadata-get probe type. See Configuring BGP Neighbor Discovery Through RPM or Configuring Real-Time Performance Monitoring. system—To view this statement in the configuration. interface-control—To add this statement to the configuration.


5277

®


destination-port Syntax Hierarchy Level

Release Information

Description

Options Usage Guidelines


5278

destination-port port; [edit services rpm bgp], [edit services (RPM) rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port to which a probe is sent. This statement is used only for TCP or UDP probe types. port—The port number can be 7 or from 49,160 to 65,535.

See Configuring BGP Neighbor Discovery Through RPM or Configuring Real-Time Performance Monitoring. system—To view this statement in the configuration. interface-control—To add this statement to the configuration.



dscp-code-point Syntax Hierarchy Level Release Information

Description

Options

dscp-code-point dscp-bits; [edit services (RPM) rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the value of the Differentiated Services (DiffServ) field within the IP header. The DiffServ code point (DSCP) bits value must be set to a valid 6-bit pattern. dscp-bits—A valid 6-bit pattern; for example, 001111, or one of the following configured

DSCP aliases: •

af11—Default: 001010

•


•


•


•


•

af23 —Default: 010110

•


•


•


•


•

af42 —Default:100100

•

af43 —Default:100110

•

be—Default: 000000

•

cs1—Default: 001000

•


•


•


•


•


•


•

ef—Default: 101110

•

nc1—Default: 110000

•

nc2—Default: 111000


5279

®


Usage Guidelines Required Privilege Level

See Configuring Real-Time Performance Monitoring. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

hardware-timestamp Syntax Hierarchy Level Release Information

Description


hardware-timestamp; [edit services rpm probe owner test test-name]

Statement introduced in Junos OS Release 8.1. Statement applied to MX Series routers in Junos OS Release 10.0. Statement introduced in Junos OS Release 10.3 for EX Series switches. On MX Series routers and EX Series switches only, enable timestamping of RPM probe messages in the Packet Forwarding Engine host processor. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types. See Configuring RPM Timestamping. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

history-size Syntax Hierarchy Level

Release Information

Description Options

history-size size; [edit services rpm bgp], [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the number of stored history entries. size—A value from 0 to 255.

Default: 50 Usage Guidelines Required Privilege Level

5280

See Configuring BGP Neighbor Discovery Through RPM or Configuring RPM Probes. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.



moving-average-size Syntax Hierarchy Level

Release Information

Description

Options

moving-average-size number; [edit services rpm bgp], [edit services rpm probe owner test test-name]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.3 for EX Series switches. Enable statistical calculation operations to be performed across a configurable number of the most recent samples. number—Number of samples to be used in calculations.

Range: 0 through 255 Usage Guidelines Required Privilege Level

See Configuring RPM Probes. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

one-way-hardware-timestamp Syntax Hierarchy Level Release Information

Description

Usage Guidelines Required Privilege Level Related Documentation

one-way-hardware-timestamp; [edit services rpm probe owner test test-name]

Statement introduced in Junos OS Release 8.5. Statement introduced in Junos OS Release 9.3 for EX Series switches. Enable timestamping of RPM probe messages for one-way delay and jitter measurements. You must configure this statement along with the destination-interface statement to invoke timestamping. This feature is supported only with icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types. See Configuring RPM Timestamping. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration. •

destination-interface, hardware-timestamp on page 5280


5281

®


port (RPM) Syntax Hierarchy Level Release Information

Description Options Usage Guidelines Required Privilege Level

5282

port number; [edit services rpm probe-server (tcp | udp)]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the port number for the probe server. number—Port number for the probe server. The value can be 7 or 49,160 through 65,535.

See Configuring RPM Receiver Servers. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.



probe Syntax


Description

Options

probe owner { test test-name { data-fill data; data-size size; destination-interface interface-name; destination-port port; dscp-code-point dscp-bits; hardware-timestamp; history-size size; moving-average-size number; one-way-hardware-timestamp; probe-count count; probe-interval seconds; probe-type type; routing-instance instance-name; source-address address; target (url | address); test-interval interval; thresholds thresholds; traps traps; } } [edit services rpm]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify an owner name. The owner name combined with the test name represent a single RPM configuration instance. owner—Specify an owner name up to 32 characters in length.


See Configuring RPM Probes. system—To view this statement in the configuration. interface-control—To add this statement to the configuration.


5283

®


probe-count Syntax Hierarchy Level

Release Information


probe-count count; [edit services rpm bgp], [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the number of probes within a test. count—A value from 1 through 15.


probe-interval Syntax Hierarchy Level

Release Information


5284

probe-interval interval; [edit services rpm bgp], [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the time to wait between sending packets, in seconds. interval—Number of seconds, from 1 through 255.




probe-limit Syntax Hierarchy Level Release Information

Description Options

probe-limit limit; [edit services rpm]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the maximum number of concurrent probes allowed. limit—A value from 1 through 500.

Default: 100. Usage Guidelines Required Privilege Level

See Limiting the Number of Concurrent RPM Probes. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

probe-server Syntax


Description

probe-server { tcp { destination-interface interface-name; port number; } udp { destination-interface interface-name; port number; } } [edit services rpm]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the server to act as a receiver for the probes. The remaining statements are explained separately.




5285

®


probe-type Syntax Hierarchy Level

Release Information

probe-type type; [edit services rpm bgp], [edit services rpm probe owner test test-name]


Description

Specify the packet and protocol contents of a probe.

Options

type—Specify one of the following probe type values: •

http-get—(Not available at the [edit services rpm bgp] hierarchy level.) Sends a

Hypertext Transfer Protocol (HTTP) get request to a target URL. •

http-metadata-get—(Not available at the [edit services rpm bgp] hierarchy level.)

Sends an HTTP get request for metadata to a target URL.


5286

•

icmp-ping—Sends ICMP echo requests to a target address.

•

icmp-ping-timestamp—Sends ICMP timestamp requests to a target address.

•

tcp-ping—Sends TCP packets to a target.

•

udp-ping—Sends UDP packets to a target.

•

udp-ping-timestamp—Sends UDP timestamp requests to a target address.




routing-instance Syntax Hierarchy Level Release Information

Description Options

routing-instance instance-name; [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the routing instance used by the probes. instance-name—A routing instance configured at the [edit routing-instance] hierarchy level.

Default: Internet routing table inet.0. Usage Guidelines Required Privilege Level


routing-instances Syntax Hierarchy Level

Release Information

Description Options

routing-instances instance-name; [edit services rpm bgp], [edit services rpm bgp logical-system logical-system-name]

Statement introduced in Junos OS Release 7.6. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the routing instance used by the probes. instance-name—A routing instance configured at the [edit routing-instances] hierarchy

level. Default: Internet routing table inet.0. Usage Guidelines Required Privilege Level

See Configuring BGP Neighbor Discovery Through RPM. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.


5287

®


rpm Syntax Hierarchy Level Release Information

Description

Options

rpm (client | server); [edit interfaces interface-name unit logical-unit-number]

Statement introduced in Junos OS Release 8.1. Statement introduced in Junos OS Release 9.3 for EX Series switches. Associate an RPM client (router or switch that originates RPM probes) or RPM server with a specified interface. client—Identifier for RPM client router or switch. server—Identifier for RPM server.


See Configuring RPM Timestamping. interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

source-address Syntax Hierarchy Level Release Information

Description

Options Usage Guidelines Required Privilege Level

5288

source-address address; [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the source IP address used for probes. If the source IP address is not one of the router’s or switch’s assigned addresses, the packet will use the outgoing interface’s address as its source. address—Valid IP address.




target Syntax Hierarchy Level Release Information

Description Options

target (url url | address address); [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the destination address used for the probes. url url—For HTTP probe types, specify a fully formed URL that includes http:// in the URL

address. address address—For all other probe types, specify an IPv4 address for the target host.



tcp Syntax


Description

tcp { destination-interface interface-name; port port; } [edit services rpm probe-server]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the port information for the TCP server. The remaining statements are explained separately.




5289

®


test Syntax


Description

Options

test test-name { data-fill data; data-size size; destination-interface interface-name; destination-port port; dscp-code-point dscp-bits; hardware-timestamp; history-size size; moving-average-size number; one-way-hardware-timestamp; probe-count count; probe-interval seconds; probe-type type; routing-instance instance-name; source-address address; target (url url | address address); test-interval interval; thresholds thresholds; traps traps; } [edit services rpm probe owner]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the range of probes over which the standard deviation, average, and jitter are calculated. The test name combined with the owner name represent a single RPM configuration instance. test-name—Specify a test name. The name can be up to 32 characters in length.


5290




test-interval Syntax Hierarchy Level

Release Information


test-interval frequency; [edit services rpm bgp], [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the time to wait between tests, in seconds. frequency—Number of seconds, from 0 through 86400.



5291

®


thresholds Syntax Hierarchy Level Release Information

Description

Options

thresholds thresholds; [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify thresholds used for the probes. A system log message is generated when the configured threshold is exceeded. Likewise, an SNMP trap (if configured) is generated when a threshold is exceeded. thresholds—Specify one or more threshold measurements. The following options are

supported: •

egress-time—Measures maximum source-to-destination time per probe.

•

ingress-time—Measures maximum destination-to-source time per probe.

•

jitter-egress—Measures maximum source-to-destination jitter per test.

•

jitter-ingress—Measures maximum destination-to- source jitter per test.

•

jitter-rtt—Measures maximum jitter per test, from 0 through 60,000,000 microseconds.

•

rtt—Measures maximum round-trip time per probe, in microseconds.

•

std-dev-egress—Measures maximum source-to-destination standard deviation per

test. •

std-dev-ingress—Measures maximum destination-to-source standard deviation per

test.


5292

•

std-dev-rtt—Measures maximum standard deviation per test, in microseconds.

•

successive-loss—Measures successive probe loss count, indicating probe failure.

•

total-loss—Measures total probe loss count indicating test failure, from 0 through 15.




traps Syntax Hierarchy Level Release Information

Description

Options

traps traps; [edit services rpm probe owner test test-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Set the trap bit to generate traps for probes. Traps are sent if the configured threshold is met or exceeded. traps—Specify one or more traps. The following options are supported: •

egress-jitter-exceeded—Generates traps when the jitter in egress time threshold is met

or exceeded. •

egress-std-dev-exceeded—Generates traps when the egress time standard deviation

threshold is met or exceeded. •

egress-time-exceeded—Generates traps when the maximum egress time threshold is

met or exceeded. •

ingress-jitter-exceeded—Generates traps when the jitter in ingress time threshold is

met or exceeded. •

ingress-std-dev-exceeded—Generates traps when the ingress time standard deviation

threshold is met or exceeded. •

ingress-time-exceeded—Generates traps when the maximum ingress time threshold

is met or exceeded. •

jitter-exceeded—Generates traps when the jitter in round-trip time threshold is met or

exceeded. •

probe-failure—Generates traps for successive probe loss thresholds crossed.

•

rtt-exceeded—Generates traps when the maximum round-trip time threshold is met

or exceeded. •

std-dev-exceeded—Generates traps when the round-trip time standard deviation

threshold is met or exceeded.


•

test-completion—Generates traps when a test is completed.

•

test-failure—Generates traps when the total probe loss threshold is met or exceeded.



5293

®


udp Syntax


Description

udp { destination-interface interface-name; port port; } [edit services rpm probe-server]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.3 for EX Series switches. Specify the port information for the UDP server. The remaining statements are explained separately.



Operational Commands for Real-Time Performance Monitoring

5294



show services rpm active-servers Syntax Release Information

Description


show services rpm active-servers

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the protocols and corresponding ports for which a router or switch is configured as a real-time performance monitoring (RPM) server. This command has no options. view

show services rpm active-servers on page 5295 Table 611 on page 5295 lists the output fields for the show services rpm active-servers command. Output fields are listed in the approximate order in which they appear.

Table 611: show services rpm active-servers Output Fields Field Name

Field Description

Protocol

Protocol configured on the receiving probe server. The protocol can be the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP).

Port

Port configured on the receiving probe server.

Destination interface name

Output interface name for the probes.

Sample Output show services rpm active-servers

user@host> show services rpm active-servers Protocol: TCP, Port: 50000, Destination interface name: lt-0/0/0.0 Protocol: UDP, Port: 50001, Destination interface name: lt-0/0/0.0


5295

®


show services rpm history-results Syntax

Release Information

Description

Options

show services rpm history-results

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display standard information about the results of the last 50 probes for each real-time performance monitoring (RPM) instance. none—Display the results of the last 50 probes for all RPM instances. brief | detail—(Optional) Display the specified level of output. owner owner—(Optional) Display information for the specified probe owner. since time—(Optional) Display information from the specified time. Specify time as yyyy-mm-dd.hh:mm:ss. test name—(Optional) Display information for the specified test.


Output Fields

view

show services rpm history-results on page 5297 show services rpm history-results detail on page 5297 Table 612 on page 5296 lists the output fields for the show services rpm history-results command. Output fields are listed in the approximate order in which they appear.

Table 612: show services rpm history-results Output Fields Field Name

Field Description

Level of Output

Owner

Probe owner.

All levels

Test

Name of a test for a probe instance.

All levels

Probe received

Timestamp when the probe result was determined.

All levels

Round trip time

Average ping round-trip time (RTT), in microseconds.

All levels

Probe results

Result of a particular probe performed by a remote host. The following information is contained in the results:

detail

5296

•

Response received—Timestamp when the probe result was determined.

•

Rtt—Average ping round-trip time (RTT), in microseconds.



Table 612: show services rpm history-results Output Fields (continued) Field Name

Field Description

Level of Output

Results over current test

Displays the results for the current test by probe at the time each probe was completed, as well as the status of the current test at the time the probe was completed.

detail

Probes sent

Number of probes sent with the current test.

detail

Probes received

Number of probe responses received within the current test.

detail

Loss percentage

Percentage of lost probes for the current test.

detail

Measurement

Increment of measurement. Possible values are round-trip time delay and, for the probe type icmp-pin-timestamp, the egress and ingress delay:

detail

•

Minimum—Minimum RTT, ingress delay, or egress delay measured over the

course of the current test. •

Maximum—Maximum RTT, ingress delay, or egress delay measured over the


Average—Average RTT, ingress delay, or egress delay measured over the


Jitter—Difference, in microseconds, between the maximum and minimum

RTT measured over the course of the current test. •

Stddev—Standard deviation of the round-trip time, in microseconds, measured

over the course of the current test.

Sample Output show services rpm history-results

show services rpm history-results detail

user@host> show services rpm history-results Owner, Test Probe received p1, t1 Wed Aug 12 01:02:35 p1, t1 Wed Aug 12 01:02:36 p1, t1 Wed Aug 12 01:02:37 p1, t1 Wed Aug 12 01:02:38 p1, t1 Wed Aug 12 01:02:39 p1, t1 Wed Aug 12 01:02:40 p1, t1 Wed Aug 12 01:02:41 p1, t1 Wed Aug 12 01:02:42

2009 2009 2009 2009 2009 2009 2009 2009

Round trip time 315 usec 266 usec 314 usec 388 usec 316 usec 271 usec 314 usec 1180 usec

user@host> show services rpm history-results detail Owner: p1, Test: t1, Probe type: icmp-ping-timestamp Probe results: Response received, Wed Aug 12 01:02:35 2009, Client and server hardware timestamps Rtt: 315 usec Results over current test: Probes sent: 1, Probes received: 1, Loss percentage: 0 Measurement: Round trip time Samples: 1, Minimum: 315 usec, Maximum: 315 usec, Average: 315 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 315 usec Owner: p1, Test: t1, Probe type: icmp-ping-timestamp Probe results:


5297

®


Response received, Wed Aug 12 01:02:36 2009, Client and server hardware timestamps Rtt: 266 usec, Round trip jitter: -50 usec, Round trip interarrival jitter: 3 usec Results over current test: Probes sent: 2, Probes received: 2, Loss percentage: 0 Measurement: Round trip time Samples: 2, Minimum: 266 usec, Maximum: 315 usec, Average: 291 usec, Peak to peak: 49 usec, Stddev: 24 usec, Sum: 581 usec Measurement: Negative round trip jitter Samples: 1, Minimum: 50 usec, Maximum: 50 usec, Average: 50 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 50 usec Owner: p1, Test: t1, Probe type: icmp-ping-timestamp Probe results: Response received, Wed Aug 12 01:02:37 2009, Client and server hardware timestamps Rtt: 314 usec, Round trip jitter: 49 usec, Round trip interarrival jitter: 6 usec Results over current test: Probes sent: 3, Probes received: 3, Loss percentage: 0 Measurement: Round trip time Samples: 3, Minimum: 266 usec, Maximum: 315 usec, Average: 298 usec, Peak to peak: 49 usec, Stddev: 23 usec, Sum: 895 usec Measurement: Positive round trip jitter Samples: 1, Minimum: 49 usec, Maximum: 49 usec, Average: 49 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 49 usec Measurement: Negative round trip jitter Samples: 1, Minimum: 50 usec, Maximum: 50 usec, Average: 50 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 50 usec Owner: p1, Test: t1, Probe type: icmp-ping-timestamp Probe results: Response received, Wed Aug 12 01:02:38 2009, Client and server hardware timestamps Rtt: 388 usec, Round trip jitter: 74 usec, Round trip interarrival jitter: 10 usec Results over current test: Probes sent: 4, Probes received: 4, Loss percentage: 0 Measurement: Round trip time Samples: 4, Minimum: 266 usec, Maximum: 388 usec, Average: 321 usec, Peak to peak: 122 usec, Stddev: 44 usec, Sum: 1283 usec Measurement: Positive round trip jitter Samples: 2, Minimum: 49 usec, Maximum: 74 usec, Average: 62 usec, Peak to peak: 25 usec, Stddev: 12 usec, Sum: 123 usec Measurement: Negative round trip jitter Samples: 1, Minimum: 50 usec, Maximum: 50 usec, Average: 50 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 50 usec

5298



show services rpm probe-results Syntax

Release Information

Description Options

show services rpm probe-results

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Display the results of the most recent real-time performance monitoring (RPM) probes. none—Display all results of the most recent RPM probes. owner owner—(Optional) Display information for the specified probe owner. test name—(Optional) Display information for the specified test.


Output Fields

view

show services rpm probe-results on page 5302 show services rpm probe-results (BGP Neighbor Discovery) on page 5303 Table 613 on page 5299 lists the output fields for the show services rpm probe-results command. Output fields are listed in the approximate order in which they appear.

Table 613: show services rpm probe-results Output Fields Field Name

Field Description

Owner

Owner name. When you configure the probe owner statement at the [edit services rpm] hierarchy level, this field displays the configured owner name. When you configure BGP neighbor discovery through RPM, the output for this field is Rpm-Bgp-Owner.

Test

Name of a test representing a collection of probes. When you configure the test test-name statement at the [edit services rpm probe owner] hierarchy level, the field displays the configured test name. When you configure BGP neighbor discovery through RPM, the output for this field is Rpm-BGP-Testn, where n is a cumulative number.

Target address

Destination address used for the probes.

Source address

Source address used for the probes.

Probe type

Protocol configured on the receiving probe server: http-get, http-metadata-get, icmp-ping, icmp-ping-timestamp, tcp-ping, udp-ping, or udp-ping-timestamp.

Test size

Number of probes within a test.


5299

®


Table 613: show services rpm probe-results Output Fields (continued) Field Name

Field Description

Routing Instance Name

(BGP neighbor discovery) Name of the configured (if any) routing instance, logical system name, or both, in which the probe is configured:

Probe results

Results over current test

•

When a routing instance is defined within a logical system, the logical system name is followed by the routing instance name. A slash ( / ) is used to separate the two entities. For example, if the routing instance called R1 is configured within the logical system called LS, the name in the output field is LS/R1.

•

When a routing instance is configured but the default logical system is used, the name in the output field is the name of the routing instance.

•

When a logical system is configured but the default routing instance is used, the name in the output field is the name of the logical system followed by default. A slash (/) is used to separate the two entities. For example, LS/default.

Raw measurement of a particular probe sample done by a remote host. This data is provided separately from the calculated results. The following information is contained in the raw measurement: •

Response received—Timestamp when the probe result was determined.

•

Client and server hardware timestamps—If timestamps are configured, an entry appears at this point.

•

Rtt—Average ping round-trip time (RTT), in microseconds.

•

Egress jitter—Egress jitter, in microseconds.

•

Ingress jitter—Ingress jitter, in microseconds.

•

Round trip jitter—Round-trip jitter, in microseconds.

•

Egress interarrival jitter—Egress interarrival jitter, in microseconds.

•

Ingress interarrival jitter—Ingress interarrival jitter, in microseconds.

•

Round trip interarrival jitter—Round-trip interarrival jitter, in microseconds.

Probes are grouped into tests, and the statistics are calculated for each test. If a test contains 10 probes, the average, minimum, and maximum results are calculated from the results of those 10 probes. If the command is issued while the test is in progress, the statistics use information from the completed probes. •

Probes sent—Number of probes sent within the current test.

•

Probes received—Number of probe responses received within the current test.

•

Loss percentage—Percentage of lost probes for the current test.

•

Measurement—Measurement type. Possible values are round-trip time, positive round-trip jitter,

negative round-trip jitter, egress time, positive egress jitter, negative egress jitter, ingress time, positive ingress jitter, negative ingress jitter, and, for the probe type icmp-ping-timestamp, the egress delay and ingress delay. For each measurement type, the following individual calculated results are provided: •

Samples—Number of probes.

•

Minimum—Minimum RTT, ingress delay, or egress delay measured over the course of the current

test. •

Maximum—Maximum RTT, ingress delay, or egress delay measured over the course of the current

test. •

Average—Average RTT, ingress delay, or egress delay measured over the course of the current

test.

5300

•

Peak to peak—Peak-to-peak difference, in microseconds.

•

Stddev—Standard deviation, in microseconds.

•

Sum—Statistical sum.



Table 613: show services rpm probe-results Output Fields (continued) Field Name

Field Description

Results over last test

Results for the most recently completed test. If the command is issued while the first test is in progress, this information is not displayed •

Probes sent—Number of probes sent for the most recently completed test.

•

Probes received—Number of probe responses received for the most recently completed test.

•

Loss percentage—Percentage of lost probes for the most recently completed test.

•

Test completed—Time the most recent test was completed.

•


negative round-trip jitter, egress time, positive egress jitter, negative egress jitter, ingress time, positive ingress jitter, negative ingress jitter, and, for the probe type icmp-ping-timestamp, the egress delay and ingress delay. For each measurement type, the following individual calculated results are provided: •


•

Minimum—Minimum RTT, ingress delay, or egress delay measured for the most recently completed

test. •

Maximum—Maximum RTT, ingress delay, or egress delay measured for the most recently

completed test. •

Average—Average RTT, ingress delay, or egress delay measured for the most recently completed

test.

Results over all tests

•


•


•


Displays statistics made for all the probes, independently of the grouping into tests, as well as statistics for the current test. •

Probes sent—Number of probes sent in all tests.

•

Probes received—Number of probe responses received in all tests.

•

Loss percentage—Percentage of lost probes in all tests.

•


negative round-trip jitter, egress time, positive egress jitter, negative egress jitter, ingress time, positive ingress jitter, negative ingress jitter, and, for the probe types icmp-ping-timestamp and udp-ping-timestamp, the egress delay and ingress delay. For each measurement type, the following individual calculated results are provided: •


•

Minimum—Minimum RTT, ingress delay, or egress delay measured over the course of the current

test. •

Maximum—Maximum RTT, ingress delay, or egress delay measured over the course of the current

test. •

Average—Average RTT, ingress delay, or egress delay measured over the course of the current

test. •


•


•



5301

®


Sample Output show services rpm probe-results

user@host> show services rpm probe-results Owner: ADSN-J4300.ADSN-J2300.D2, Test: 75300002 Target address: 172.16.54.172, Source address: 10.206.0.1, Probe type: udp-ping-timestamp, Test size: 10 probes Probe results: Response received, Tue Feb 6 14:53:15 2007, Client and server hardware timestamps Rtt: 575 usec, Egress jitter: 5 usec, Ingress jitter: 8 usec, Round trip jitter: 12 usec, Egress interarrival jitter: 8 usec, Ingress interarrival jitter: 7 usec, Round trip interarrival jitter: 7 usec, Round trip interarrival jitter: 669 usec Results over current test: Probes sent: 10, Probes received: 10, Loss percentage: 0 Measurement: Round trip time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive round trip jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative round trip jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Measurement: Egress time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive Egress jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative Egress jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Measurement: Ingress time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive Ingress jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative Ingress jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Results over last test: Probes sent: 10, Probes received: 10, Loss percentage: 0 Test completed on Tue Feb 6 14:53:16 2007 Measurement: Round trip time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive round trip jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative round trip jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Measurement: Egress time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive Egress jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec,

5302



Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative Egress jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Measurement: Ingress time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive Ingress jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative Ingress jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Results over all tests: Probes sent: 560, Probes received: 560, Loss percentage: 0 Measurement: Round trip time Samples: 560, Minimum: 805 usec, Maximum: 3114 usec, Average: 1756 usec, Peak to peak: 2309 usec, Stddev: 519 usec, Sum: xxxx usec Measurement: Positive round trip jitter Samples: 257, Minimum: 0 usec, Maximum: 2054 usec, Average: 597 usec, Peak to peak: 2054 usec, Stddev: 427 usec, Sum: xxxx usec Measurement: Negative round trip jitter Samples: 302, Minimum: 1 usec, Maximum: 1812 usec, Average: 511 usec, Peak to peak: 1811 usec, Stddev: 408 usec, Sum: xxxx usec Measurement: Egress time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive Egress jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative Egress jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec Measurement: Ingress time Samples: 10, Minimum: 805 usec, Maximum: 2859 usec, Average: 1644 usec, Peak to peak: 2054 usec, Stddev: 738 usec, Sum: xxxx usec Measurement: Positive Ingress jitter Samples: 5, Minimum: 5 usec, Maximum: 2054 usec, Average: 876 usec, Peak to peak: 2049 usec, Stddev: 679 usec, Sum: xxxx usec Measurement: Negative Ingress jitter Samples: 5, Minimum: 5 usec, Maximum: 1812 usec, Average: 926 usec, Peak to peak: 1807 usec, Stddev: 665 usec, Sum: xxxx usec

show services rpm probe-results (BGP Neighbor Discovery)

user@host> show services rpm probe-results Owner: Rpm-Bgp-Owner, Test: Rpm-Bgp-Test-1 Target address: 10.209.152.37, Probe type: icmp-ping, Test size: 5 probes Routing Instance Name: LS1/RI1 Probe results: Response received, Fri Oct 28 05:20:23 2005 Rtt: 662 usec Results over current test: Probes sent: 5, Probes received: 5, Loss percentage: 0 Measurement: Round trip time Minimum: 529 usec, Maximum: 662 usec, Average: 585 usec, Jitter: 133 usec, Stddev: 53 usec Results over all tests: Probes sent: 5, Probes received: 5, Loss percentage: 0 Measurement: Round trip time


5303

®


Minimum: 529 usec, Maximum: 662 usec, Average: 585 usec, Jitter: 133 usec, Stddev: 53 usec

5304


CHAPTER 147

Ethernet OAM Link Fault Management •

Ethernet OAM Link Fault Management—Overview on page 5305

•

Example of Ethernet OAM Link Fault Management Configuration on page 5306

•

Configuring Ethernet OAM Link Fault Management on page 5309

•

Configuration Statements for Ethernet OAM Link Fault Management on page 5311

•

Operational Commands for Ethernet OAM Link Fault Management on page 5340

Ethernet OAM Link Fault Management—Overview •


Understanding Ethernet OAM Link Fault Management for an EX Series Switch Juniper Networks Junos operating system (Junos OS) for Juniper Networks EX Series Ethernet Switches allows the Ethernet interfaces on these switches to support the IEEE 802.3ah standard for the Operation, Administration, and Maintenance (OAM) of Ethernet in access networks. The standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly or through Ethernet repeaters. The IEEE 802.3ah standard meets the requirement for OAM capabilities even as Ethernet moves from being solely an enterprise technology to a WAN and access technology, and the standard remains backward-compatible with existing Ethernet technology. Ethernet OAM provides the tools that network management software and network managers can use to determine how a network of Ethernet links is functioning. Ethernet OAM should: •

Rely only on the media access control (MAC) address or virtual LAN identifier for troubleshooting.

•

Work independently of the actual Ethernet transport and function over physical Ethernet ports or a virtual service such as pseudowire.

•

Isolate faults over a flat (or single operator) network architecture or nested or hierarchical (or multiprovider) networks.

The following OAM LFM features are supported on EX Series switches:


5305

®


•

Discovery and Link Monitoring The discovery process is triggered automatically when OAM is enabled on the interface. The discovery process permits Ethernet interfaces to discover and monitor the peer on the link if it also supports the IEEE 802.3ah standard. You can specify the discovery mode used for IEEE 802.3ah OAM support. In active mode, the interface discovers and monitors the peer on the link if the peer also supports IEEE 802.3ah OAM functionality. In passive mode, the peer initiates the discovery process. After the discovery process has been initiated, both sides participate in discovery. The switch performs link monitoring by sending periodic OAM protocol data units (PDUs) to advertise OAM mode, configuration, and capabilities. You can specify the number of OAM PDUs that an interface can miss before the link between peers is considered down.

•

Remote Fault Detection Remote fault detection uses flags and events. Flags are used to convey the following: Link Fault means a loss of signal, Dying Gasp means an unrecoverable condition such as a power failure, and Critical Event means an unspecified vendor-specific critical event. You can specify the periodic OAM PDU sending interval for fault detection.The EX Series switch uses the Event Notification OAM PDU to notify the remote OAM device when a problem is detected. You can specify the action to be taken by the system when the configured link-fault event occurs.

•

Remote Loopback Mode Remote loopback mode ensures link quality between the switch and a remote peer during installation or troubleshooting. In this mode, when the interface receives a frame that is not an OAM PDU or a pause frame, it sends it back on the same interface on which it was received. The link appears to be in the active state. You can use the returned loopback acknowledgement to test delay, jitter, and throughput. Junos OS can place a remote DTE into loopback mode (if remote loopback mode is supported by the remote DTE). When you place a remote DTE into loopback mode, the interface receives the remote loopback request and puts the interface into remote loopback mode. When the interface is in remote loopback mode, all frames except OAM PDUs are looped back without any changes made to the frames. OAM PDUs continue to be sent and processed.


•

Configuring Ethernet OAM Link Fault Management (CLI Procedure) on page 5309

•

Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches on page 5307

Example of Ethernet OAM Link Fault Management Configuration •

5306



Chapter 147: Ethernet OAM Link Fault Management

Example: Configuring Ethernet OAM Link Fault Management on EX Series Switches Junos OS for EX Series switches allows the Ethernet interfaces on these switches to support the IEEE 802.3ah standard for the Operation, Administration, and Maintenance (OAM) of Ethernet in access networks. The standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly or through Ethernet repeaters. This example describes how to enable and configure OAM LFM on a Gigabit Ethernet interface: •


•


•

Configuring Ethernet OAM Link Fault Management on Switch 1 on page 5307

•

Configuring Ethernet OAM Link Fault Management on Switch 2 on page 5308

•




•

Two EX3200 or EX4200 switches connected directly

Overview and Topology Junos OS for EX Series switches allows the Ethernet interfaces on these switches to support the IEEE 802.3ah standard for the Operation, Administration, and Maintenance (OAM) of Ethernet in access networks. The standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly or through Ethernet repeaters. This example uses two EX4200 switches connected directly. Before you begin configuring Ethernet OAM LFM on two switches, connect the two switches directly through a trunk interface.

Configuring Ethernet OAM Link Fault Management on Switch 1 CLI Quick Configuration

To quickly configure Ethernet OAM LFM, copy the following commands and paste them into the switch terminal window: [edit protocols oam ethernet link-fault-management] set interface ge-0/0/0 set interface ge-0/0/0 link-discovery active set interface ge-0/0/0 pdu-interval 800 set interface ge-0/0/0 remote-loopback


To configure Ethernet OAM LFM on switch 1: 1.

Enable IEEE 802.3ah OAM support on an interface: [edit protocols oam ethernet link-fault-management] user@switch1# set interface (OAM LFM) ge-0/0/0


5307

®


2.

Specify that the interface initiates the discovery process by configuring the link discovery mode to active: [edit protocols oam ethernet link-fault-management] user@switch1# set interface ge-0/0/0 link-discovery active

3.

Set the periodic OAM PDU-sending interval (in milliseconds) to 800 on switch 1: [edit protocols oam ethernet link-fault-management] user@switch1# set interface pdu-interval 800

4.

Set a remote interface into loopback mode so that all frames except OAM PDUs are looped back without any changes made to the frames. Ensure that the remote DTE supports remote loopback mode. To set the remote DTE in loopback mode [edit protocols oam ethernet link-fault-management] user@switch1# set interface ge-0/0/0.0 remote-loopback

Check the results of the configuration: [edit] user@switch1# show

protocols { oam { ethernet { link-fault-management { interface ge-0/0/0 { pdu-interval 800; link-discovery active; remote-loopback; } } } }

Configuring Ethernet OAM Link Fault Management on Switch 2 CLI Quick Configuration

To quickly configure Ethernet OAM LFM on switch 2, copy the following commands and paste them into the switch terminal window: [edit protocols oam ethernet link-fault-management ] set interface ge-0/0/1 set interface ge-0/0/1 negotiation-options allow-remote-loopback


To configure Ethernet OAM LFM on switch 2: 1.

Enable OAM on the peer interface on switch 2: [edit protocols oam ethernet link-fault-management] user@switch2# set interface ge-0/0/1

2.

Enable remote loopback support for the local interface: [edit protocols oam ethernet link-fault-management] user@switch2# set interface ge-0/0/1 negotiation-options allow-remote-loopback

Results

Check the results of the configuration: [edit] user@switch2# show

5308



protocols { oam { ethernet { link-fault-management { interface ge-0/0/1 { negotiation-options { allow-remote-loopback; } } } } }

Verification Verifying That OAM LFM Has Been Configured Properly Purpose Action

Verify that OAM LFM has been configured properly. Use the show oam ethernet link-fault-management command: user@switch1#show oam ethernet link-fault-management

Sample Output Interface: ge-0/0/0.0 Status: Running, Discovery state: Send Any Peer address: 00:19:e2:50:3b:e1 Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50 Remote entity information: Remote MUX action: forwarding, Remote parser action: forwarding Discovery mode: active, Unidirectional mode: unsupported Remote loopback mode: supported, Link events: supported Variable requests: unsupported

Meaning


When the output displays the MAC address and the discover state is Send Any, it means that OAM LFM has been configured properly.

•


•


Configuring Ethernet OAM Link Fault Management •


Configuring Ethernet OAM Link Fault Management (CLI Procedure) Ethernet OAM link fault management (LFM) can be used for physical link-level fault detection and management. The IEEE 802.3ah LFM works across point-to-point Ethernet links either directly or through repeaters. To configure Ethernet OAM LFM using the CLI:


5309

®


1.

Enable IEEE 802.3ah OAM support on an interface: [edit protocols oam ethernet link-fault-management] user@switch# set interface (OAM LFM) interface-name

NOTE: The remaining steps are optional. You can choose which of these features to configure for Ethernet OAM LFM on your switch.

2. Specify whether the interface or the peer initiates the discovery process by configuring

the link discovery mode to active or passive (active = interface initiates; passive = peer initiates): [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name link-discovery active 3. Configure a periodic OAM PDU-sending interval (in milliseconds) for fault detection: [edit protocols oam ethernet link-fault-management] user@switch# set interface pdu-interval interval 4. Specify the number of OAM PDUs that an interface can miss before the link between

peers is considered down: [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name pdu-threshold threshold-value 5. Configure event threshold values on an interface for the local errors that trigger the

sending of link event TLVs: •

Set the threshold value (in seconds) for sending frame-error events or taking the action specified in the action profile: [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name event-thresholds frame-error count

•

Set the threshold value (in seconds) for sending frame-period events or taking the action specified in the action profile: [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name event-thresholds frame-period count

•

Set the threshold value (in seconds) for sending frame-period-summary events or taking the action specified in the action profile: [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name event-thresholds frame-period-summary count

•

Set the threshold value (in seconds) for sending symbol-period events or taking the action specified in the action profile: [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name event-thresholds symbol-period count

NOTE: You can disable the sending of link event TLVs.

To disable the sending of link event TLVs: [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name negotiation-options no-allow-link-events

5310



6. Create an action profile to define event fault flags and thresholds to be taken when

the link fault event occurs. Then apply the action profile to one or more interfaces. (You can also apply multiple action profiles to a single interface.) a. Name the action profile: [edit protocols oam ethernet link-fault-management] user@switch# set action-profile profile-name b. Specify actions to be taken by the system when the link fault event occurs: [edit protocols oam ethernet link-fault-management] user@switch# set action-profile profile-name action (OAM LFM) syslog user@switch# set action-profile profile-name action link-down c. Specify events for the action profile: [edit protocols oam ethernet link-fault-management] user@switch# set action-profile profile-name event link-adjacency-loss

NOTE: For each action profile, you must specify at least one link event and one action. The actions are taken only when all of the events in the action profile are true. If more than one action is specified, all actions are executed. You can set a low threshold for a specific action such as logging the error and set a high threshold for another action such as system logging.

7. Set a remote interface into loopback mode so that all frames except OAM PDUs are

looped back without any changes made to the frames. Set the remote DTE in loopback mode (the remote DTE must support remote-loopback mode) and then enable remote loopback support for the local interface. [edit protocols oam ethernet link-fault-management] user@switch# set interface interface-name remote-loopback user@switch# set interface interface-name negotiation-options allow-remote-loopback


•


•


Configuration Statements for Ethernet OAM Link Fault Management •


[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) { remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; }


5311

®


} dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address; ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send);

5312



} } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) { disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ;


5313

®


} label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps; description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; }

5314



statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; disable; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ; flag flag; } } mvrp { add-attribute-length-in-pdu; disable;


5315

®


interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable; calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value;

5316



measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count; symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority;


5317

®


} max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number; ingress number; } source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; }

5318



uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name; } } } traceoptions (Uplink Failure Detection) { file filename ; flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }


•


•



5319

®


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


action Syntax


action { syslog; link-down; } [edit protocols oam ethernet (OAM LFM) link-fault-management]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Define the action or actions to be taken when the OAM link fault management (LFM) fault event occurs. The remaining statements are explained separately.


5320





action-profile Syntax


action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } } [edit protocols oam ethernet (OAM LFM) link-fault-management]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure an Ethernet OAM link fault management (LFM) action profile by specifying a profile name. The remaining statements are explained separately.


profile-name—Name of the action profile. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



5321

®


allow-remote-loopback Syntax Hierarchy Level



5322

allow-remote-loopback; [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Advertise that the interface is capable of getting into loopback mode. Enable remote loopback in Ethernet OAM link fault management (LFM) on all Ethernet interfaces or the specified interface on the EX Series switch. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•




ethernet Syntax

ethernet { connectivity-fault-management { action-profile profile-name { action { interface-down; } default-actions { interface-down; } event { adjacency-loss; } } esp-traceoptions { file filename ; flag (all |error | esp | interface | krt | lib |normal |task |timer); } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interface-status-tlv; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; port-status-tlv; } mep mep-id { auto-discovery; direction down; interface interface-name; priority remote-mep mep-id { action-profile profile-name; sla-iterator-profile profile-name { data-tlv-size size; iteration-count count-value; priority priority-value; } } } short-name-format (character-string | vlan | 2octet | rfc-2685-vpn-id); } } performance-monitoring {


5323

®


sla-iterator-profiles (OAM LFM) { profile-name { calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; passive; } } } traceoptions { file filename ; flag flag ; no-remote-trace; } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; pdu-threshold threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } negotiation-options { allow-remote-loopback; no-allow-link-events; } } traceoptions { file filename ; flag flag ; no-remote-trace;

5324



} } }

Hierarchy Level

[edit protocols oam]

Release Information

Statement introduced in Junos OS Release 9.4 for EX Series switches. connectivity-fault-management introduced in Junos OS Release 10.2 for EX Series switches.

Description

Provide IEEE 802.3ah Operation, Administration, and Maintenance (OAM) support for Ethernet interfaces on EX Series switches or configure connectivity fault management (CFM) for IEEE 802.1ag Operation, Administration, and Management (OAM) support on the switches. The remaining statements are explained separately.




•

Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches on page 5351

•


•

Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure) on page 5354


5325

®


event Syntax


event { link-adjacency-loss; link-event-rate { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } } [edit protocols oam ethernet (OAM LFM) link-fault-management action-profile profile-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure link events in an action profile for Ethernet OAM link fault management (LFM). The remaining statements are explained separately.




event-thresholds Syntax

Hierarchy Level

event-thresholds { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Release Information


Description

Configure threshold limit values for link events in periodic OAM PDUs. The remaining statements are explained separately.


5326





frame-error Syntax Hierarchy Level


frame-error count; [edit protocols oam ethernet (OAM LFM) link-fault-management event link-event-rate], [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name event-thresholds]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the threshold value for sending frame error events or taking the action specified in the action profile. Frame errors occur on the underlying physical layer. The threshold is reached when the number of frame errors reaches the configured value.

Options

count—Threshold count in seconds for frame error events. Range: 1 through 100 seconds Default: 1 second




frame-period Syntax Hierarchy Level


frame-period count; [edit protocols oam ethernet (OAM LFM) link-fault-management event link-event-rate], [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name event-thresholds]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the number of frame errors within the last N frames that has exceeded a threshold. Frame errors occur on the underlying physical layer. The threshold is reached when the number of frame errors reaches the configured value.

Options

count—Threshold count in seconds for frame error events. Range: 1 through 100 seconds





5327

®


frame-period-summary Syntax Hierarchy Level


frame-period-summary count; [edit protocols oam ethernet (OAM LFM) link-fault-management event link-event-rate], [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name event-thresholds]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the threshold value for sending frame period summary error events or taking the action specified in the action profile. An errored frame second is any 1-second period that has at least one errored frame. This event is generated if the number of errored frame seconds is equal to or greater than the specified threshold for that period.

Options

count—Threshold count in seconds for frame period summary error events. Range: 1 through 100 seconds


5328





interface Syntax


interface interface-name { link-discovery (active | passive); pdu-interval interval; pdu-threshold threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } negotiation-options { allow-remote-loopback; no-allow-link-events; } } [edit protocols oam ethernet (OAM LFM) link-fault-management]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure Ethernet OAM link fault management (LFM) for all interfaces or for specific interfaces. The remaining statements are explained separately.

Options


interface-name—Name of the interface to be enabled for IEEE 802.3ah OAM link fault management (LFM) support. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



5329

®


link-adjacency-loss Syntax Hierarchy Level Release Information Description


link-adjacency-loss; [edit protocols oam ethernet (OAM LFM) link-fault-management action-profile event]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure loss of adjacency event with the IEEE 802.3ah link fault management (LFM) peer. When included, the loss of adjacency event triggers the action specified under the action (OAM LFM) statement. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


link-discovery Syntax Hierarchy Level


Options

link-discovery (active | passive); [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Specify the discovery mode used for IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support. The discovery process is triggered automatically when OAM 802.3ah functionality is enabled on an interface. Link monitoring is done when the interface sends periodic OAM PDUs. active—In active mode, the interface discovers and monitors the peer on the link if the peer also supports IEEE 802.3ah OAM functionality. passive—In passive mode, the peer initiates the discovery process. Once the discovery process is initiated, both sides participate in discovery.


5330





link-down Syntax Hierarchy Level


link-down; [edit protocols oam ethernet (OAM LFM) link-fault-management action-profile action (OAM LFM)]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Mark the interface as down for transit traffic. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


link-event-rate Syntax


link-event-rate { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } [edit protocols oam ethernet (OAM LFM) link-fault-management action-profile event]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the number of link fault management (LFM) events per second. The remaining statements are explained separately.





5331

®


link-fault-management Syntax


link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; pdu-threshold threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } [edit protocols oam ethernet (OAM LFM)]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure Ethernet OAM link fault management (LFM) for all interfaces or for specific interfaces. The remaining statements are explained separately.


5332



•




negotiation-options Syntax

Hierarchy Level


negotiation-options { allow-remote-loopback; no-allow-link-events; } [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Enable and disable IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) features for Ethernet interfaces. The remaining statements are explained separately.




no-allow-link-events Syntax Hierarchy Level


no-allow-link-events; [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name negotiation-options]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Disable the sending of link event TLVs. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •



5333

®


oam Syntax

5334

oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { action { interface-down; } default-actions { interface-down; } event { adjacency-loss; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interface-status-tlv; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; port-status-tlv; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; passive; }



} } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate { frame-error count; frame-period count; frame-period-summary count; symbol-period count; } } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; pdu-threshold threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } }


Description

[edit protocols]

Statement introduced in Junos OS Release 9.4 for EX Series switches. connectivity-fault-management introduced in Junos OS Release 10.2 for EX Series switches. Provide IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support for Ethernet interfaces on EX Series switches or configure connectivity fault management (CFM) for IEEE 802.1ag Operation, Administration, and Management (OAM) support on the switches. The remaining statements are explained separately.




5335

®



•


•


•


•


pdu-interval Syntax Hierarchy Level


Options

pdu-interval interval; [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Specify the periodic OAM PDU sending interval for fault detection. It is used for IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support. interval—Periodic OAM PDU sending interval. Range: 400 through 1000 milliseconds Default: 1000 milliseconds


5336



•




pdu-threshold Syntax Hierarchy Level


Options

pdu-threshold threshold-value; [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure how many protocol data units (PDUs) are missed before declaring the peer lost in Ethernet OAM link fault management (LFM) for all interfaces or for specific interfaces. threshold-value —Number of PDUs missed before declaring the peer lost.

Range: 3 through 10 PDUs Default: 3 PDUs Required Privilege Level Related Documentation



remote-loopback Syntax Hierarchy Level



remote-loopback; [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Set the data terminal equipment (DTE) in loopback mode. Remove the statement from the configuration to take the DTE out of loopback mode. It is used for IEEE 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM) support. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



5337

®


symbol-period Syntax Hierarchy Level


symbol-period count; [edit protocols oam ethernet (OAM LFM) link-fault-management action-profile profile-name; event link-event-rate] , [edit protocols oam ethernet (OAM LFM) link-fault-management interface (OAM LFM) interface-name event-thresholds]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Configure the threshold for sending symbol period events or taking the action specified in the action profile. Symbol code errors occur on the underlying physical layer. The symbol period threshold is reached when the number of symbol errors reaches the configured value within the period. You cannot configure the default value to a different value.

Options

count—Threshold count in seconds for symbol period events. Range: 1 through 100 seconds




syslog Syntax Hierarchy Level



5338

syslog; [edit protocols oam ethernet (OAM LFM) link-fault-management action-profile profile-name; action (OAM LFM)]

Statement introduced in Junos OS Release 9.4 for EX Series switches. Generate a system log message for the Ethernet Operation, Administration, and Maintenance (OAM) link fault management (LFM) event. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •




traceoptions (OAM LFM, for EX Series Switch Only) Syntax

traceoptions { file filename ; flag flag ; no-remote-trace; }

Release Information

Statement introduced in JUNOS OS Release 10.2 for EX Series switches.

Description Options

Configure tracing options the link fault management. file filename—Name of the file to receive the output of the tracing operation. Enclose the




action-profile—Trace action profile invocation events.

•

all—Trace all events.

•


•

protocol—Trace protocol processing events.

•

routing socket—Trace routing socket events.

match—(Optional) Refine the output to log only those lines that match the given regular

expression. no-world-readable—(Optional) Restrict file access to the user who created the file. no-remote-trace—(Optional) Disable the remote trace. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB


5339

®


Range: 10 KB through 1 GB Default: 128 KB Default: If you do not include this option, tracing output is appended to an existing trace file. world-readable—(Optional) Enable unrestricted file access.




•


Operational Commands for Ethernet OAM Link Fault Management

5340



show oam ethernet link-fault-management Syntax


Options

show oam ethernet link-fault-management

Command introduced in Junos OS Release 9.4 for EX Series switches. Displays Operation, Administration, and Maintenance (OAM) link fault management (LFM) information for Ethernet interfaces. brief | detail—(Optional) Display the specified level of output. interface-name —(Optional) Display link fault management information for the specified

Ethernet interface only. Required Privilege Level Related Documentation


Output Fields

view

•


•


show oam ethernet link-fault-management brief on page 5345 show oam ethernet link-fault-management detail on page 5345 Table 614 on page 5341 lists the output fields for the show oam ethernet link-fault-management command. Output fields are listed in the approximate order in which they appear.

Table 614: show oam ethernet link-fault-management Output Fields Field Name

Field Description

Level of Output

Status

Indicates the status of the established link.

All levels

Discovery state

Peer address

•

Fail—A link fault condition exists.

•

Running—A link fault condition does not exist.

State of the discovery mechanism: •

Passive Wait

•

Send Any

•

Send Local Remote

•

Send Local Remote Ok

Address of the OAM peer.


All levels

All levels

5341

®


Table 614: show oam ethernet link-fault-management Output Fields (continued) Field Name

Field Description

Level of Output

Flags


All levels

•

Remote-Stable—Indicates remote OAM client acknowledgment of, and satisfaction with local OAM state information. False indicates that remote DTE has either not seen or is unsatisfied with local state information. True

indicates that remote DTE has seen and is satisfied with local state information. •

Local-Stable—Indicates local OAM client acknowledgment of, and satisfaction with remote OAM state information. False indicates that local DTE either has not seen or is unsatisfied with remote state information. True indicates that

local DTE has seen and is satisfied with remote state information. •

Remote-State-Valid—Indicates the OAM client has received remote state

information found within Local Information TLVs of received Information OAM PDUs. False indicates that OAM client has not seen remote state information. True indicates that the OAM client has seen remote state information. Remote loopback status

Indicates the remote loopback status. An OAM entity can put its remote peer into loopback mode using the Loopback control OAM PDU. In loopback mode, every frame received is transmitted back on the same port (except for OAM PDUs, which are needed to maintain the OAM session).

All levels

Remote entity information

Remote entity information.

All levels

•

Remote MUX action—Indicates the state of the multiplexer functions of the

OAM sublayer. Device is forwarding non-OAM PDUs to the lower sublayer or discarding non-OAM PDUs. •

Remote parser action—Indicates the state of the parser function of the OAM

sublayer. Device is forwarding non-OAM PDUs to higher sublayer, looping back non-OAM PDUs to the lower sublayer, or discarding non-OAM PDUs. •

Discovery mode—Indicates whether discovery mode is active or inactive.

•

Unidirectional mode—Indicates the ability to operate a link in a unidirectional

mode for diagnostic purposes. •

Remote loopback mode—Indicates whether remote loopback is supported or

not supported. •

Link events—Indicates whether interpreting link events is supported or not

supported on the remote peer. •

Variable requests—Indicates whether variable requests are supported or not

supported. The Variable Request OAM PDU, is used to request one or more MIB variables from the remote peer.

OAM Receive Statistics Information

The number of information PDUs received.

detail

Event

The number of loopback control PDUs received.

detail

Variable request

The number of variable request PDUs received.

detail

Variable response

The number of variable response PDUs received.

detail

Loopback control

The number of loopback control PDUs received.

detail

5342




Field Description

Level of Output

Organization specific

The number of vendor organization specific PDUs received.

detail

OAM Transmit Statistics Information

The number of information PDUs transmitted.

detail

Event

The number of event notification PDUs transmitted.

detail

Variable request

The number of variable request PDUs transmitted.

detail

Variable response

The number of variable response PDUs transmitted.

detail

Loopback control

The number of loopback control PDUs transmitted.

detail

Organization specific

The number of vendor organization specific PDUs transmitted.

detail

OAM Received Symbol Error Event information Events

The number of symbol error event TLVs that have been received after the OAM sublayer was reset.

detail

Window

The symbol error event window in the received PDU.

detail

The protocol default value is the number of symbols that can be received in one second on the underlying physical layer. Threshold

The number of errored symbols in the period required for the event to be generated.

detail

Errors in period

The number of symbol errors in the period reported in the received event PDU.

detail

Total errors

The number of errored symbols that have been reported in received event TLVs after the OAM sublayer was reset.

detail

Symbol errors are coding symbol errors.

OAM Received Frame Error Event Information Events

The number of errored frame event TLVs that have been received after the OAM sublayer was reset.

detail

Window

The duration of the window in terms of the number of 100 ms period intervals.

detail

Threshold

The number of detected errored frames required for the event to be generated.

detail

Errors in period

The number of detected errored frames in the period.

detail


5343

®



Field Description

Level of Output

Total errors

The number of errored frames that have been reported in received event TLVs after the OAM sublayer was reset.

detail

A frame error is any frame error on the underlying physical layer.

OAM Received Frame Period Error Event Information Events

The number of frame seconds errors event TLVs that have been received after the OAM sublayer was reset.

detail

Window

The duration of the frame seconds window.

detail

Threshold

The number of frame seconds errors in the period.

detail

Errors in period

The number of frame seconds errors in the period.

detail

Total errors

The number of frame seconds errors that have been reported in received event TLVs after the OAM sublayer was reset.

detail

OAM Transmitted Symbol Error Event Information Events

The number of symbol error event TLVs that have been transmitted after the OAM sublayer was reset.

detail

Window

The symbol error event window in the transmitted PDU.

detail

Threshold

The number of errored symbols in the period required for the event to be generated.

detail

Errors in period

The number of symbol errors in the period reported in the transmitted event PDU.

detail

Total errors

The number of errored symbols reported in event TLVs that have been transmitted after the OAM sublayer was reset.

detail

OAM Transmitted Frame Error Event Information Events

The number of errored frame event TLVs that have been transmitted after the OAM sublayer was reset.

detail

Window

The duration of the window in terms of the number of 100 ms period intervals.

detail

Threshold

The number of detected errored frames required for the event to be generated.

detail

Errors in period

The number of detected errored frames in the period.

detail

Total errors

The number of errored frames that have been detected after the OAM sublayer was reset.

detail

5344



Sample Output show oam ethernet link-fault-management brief

user@host> show oam ethernet link-fault-management brief Interface: ge-0/0/1 Status: Running, Discovery state: Send Any Peer address: 00:90:69:72:2c:83 Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50 Remote loopback status: Disabled on local port, Enabled on peer port Remote entity information: Remote MUX action: discarding, Remote parser action: loopback Discovery mode: active, Unidirectional mode: unsupported Remote loopback mode: supported, Link events: supported Variable requests: unsupported

show oam ethernet link-fault-management detail

user@host> show oam ethernet link-fault-management detail Interface: ge-0/0/1 Status: Running, Discovery state: Send Any Peer address: 00:90:69:0a:07:14 Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50 OAM receive statistics: Information: 186365, Event: 0, Variable request: 0, Variable response: 0 Loopback control: 0, Organization specific: 0 OAM transmit statistics: Information: 186347, Event: 0, Variable request: 0, Variable response: 0 Loopback control: 0, Organization specific: 0 OAM received symbol error event information: Events: 0, Window: 0, Threshold: 0 Errors in period: 0, Total errors: 0 OAM received frame error event information: Events: 0, Window: 0, Threshold: 0 Errors in period: 0, Total errors: 0 OAM received frame period error event information: Events: 0, Window: 0, Threshold: 0 Errors in period: 0, Total errors: 0 OAM transmitted symbol error event information: Events: 0, Window: 0, Threshold: 1 Errors in period: 0, Total errors: 0 OAM transmitted frame error event information: Events: 0, Window: 0, Threshold: 1 Errors in period: 0, Total errors: 0 Remote entity information: Remote MUX action: forwarding, Remote parser action: forwarding Discovery mode: active, Unidirectional mode: unsupported Remote loopback mode: supported, Link events: supported Variable requests: unsupported


5345

®


5346


CHAPTER 148

Ethernet OAM Connectivity Fault Management •

Ethernet OAM Connectivity Fault Management—Overview on page 5347

•

Example of Ethernet OAM Connectivity Fault Management Configuration on page 5351

•

Configuring Ethernet OAM Connectivity Fault Management on page 5354

•

Configuration Statements for Ethernet OAM Connectivity Fault Management on page 5362

•

Operational Commands for Ethernet OAM Connectivity Fault Management on page 5396

Ethernet OAM Connectivity Fault Management—Overview •


•


Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch Ethernet interfaces on Juniper Networks EX Series Ethernet Switches and Juniper Networks Junos operating system (Junos OS) for EX Series switches support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM). CFM monitors Ethernet networks that might comprise one or more service instances for network-compromising connectivity faults. The major features of CFM are: •

Fault monitoring using the continuity check protocol. This is a neighbor discovery and health check protocol that discovers and maintains adjacencies at the VLAN or link level.

•

Path discovery and fault verification using the linktrace protocol.

•

Fault isolation using the loopback protocol.

CFM partitions the service network into various administrative domains. For example, operators, providers, and customers might be part of different administrative domains. Each administrative domain is mapped into one maintenance domain providing enough


5347

®


information to perform its own management, thus avoiding security breaches and making end-to-end monitoring possible. In a CFM maintenance domain, each service instance is called a maintenance association. A maintenance association can be thought of as a full mesh of maintenance association endpoints (MEPs) having similar characteristics. MEPs are active CFM entities generating and responding to CFM protocol messages. There is also a maintenance intermediate point (MIP), which is a CFM entity similar to the MEP, but more passive (MIPs only respond to CFM messages). Each maintenance domain is associated with a maintenance domain level from 0 through 7. Level allocation is based on the network hierarchy, where outer domains are assigned a higher level than the inner domains. Configure customer end points to have the highest maintenance domain level. The maintenance domain level is a mandatory parameter that indicates the nesting relationships between various maintenance domains. The level is embedded in each CFM frame. CFM messages within a given level are processed by MEPs at that same level. To enable CFM on an Ethernet interface, you must configure maintenance domains, maintenance associations, and maintenance association end points (MEPs). Figure 144 on page 5348 shows the relationships among maintenance domains, maintenance association end points (MEPs), and maintenance intermediate points (MIPs) configured on a switch.

Figure 144: Relationship Among MEPs, MIPs, and Maintenance Domain Levels


•


•


Understanding Ethernet Frame Delay Measurements on Switches Performance management depends on the accurate measurement of service-level agreement (SLA) objective parameters, which can include bandwidth and reliability. In

5348


Chapter 148: Ethernet OAM Connectivity Fault Management

many cases, a service provider could be subject to penalties imposed by regulation, statute, or contract if network performance is not within the bounds established for the service. One key performance objective is delay, along with its close relative, delay variation (often called jitter). Some applications (such as bulk file transfer) will function just as well with high delays across the network and high delay variations, while other applications (such as voice) can function only with low and stable delays. Many networks invoke protocols or features available at Layer 3 (the packet layer) or higher to measure network delays and jitter link by link. However, when the network consists of many Ethernet links, there are few protocols and features available at Layer 2 (the frame layer) that allow routers and switches to measure frame delay and jitter. This is where the ability to configure and monitor Ethernet frame delay is helpful. This topic includes: •

Ethernet Frame Delay Measurements on page 5349

•

Types of Ethernet Frame Delay Measurements on page 5350

•

Limitations on page 5350

Ethernet Frame Delay Measurements You can perform Ethernet frame delay measurements (referred to as ETH-DM in Ethernet specifications) on Juniper Networks EX Series Ethernet Switches. This feature allows you to configure on-demand Operation, Administration, and Maintenance (OAM) statements for the measurement of frame delay and frame delay variation (jitter). You can configure Ethernet frame delay measurement in either one-way or two-way (round-trip) mode to gather frame delay statistics simultaneously from multiple sessions. Ethernet frame delay measurement provides fine control to operators for triggering delay measurement on a given service and can be used to monitor SLAs. Ethernet frame delay measurement also collects other useful information, such as worst and best case delays, average delay, and average delay variation. It supports software-assisted timestamping in the receive direction for delay measurements. It also provides runtime display of delay statistics when two-way delay measurement is triggered. Ethernet frame delay measurement records the last 100 samples collected per remote maintenance association end point (MEP) or per connectivity fault management (CFM) session. You can retrieve the history at any time using simple commands. You can clear all Ethernet frame delay measurement statistics and PDU counters. Ethernet frame delay measurement is fully compliant with the ITU-T Y.1731 (OAM Functions and Mechanisms for Ethernet-based Networks) specification. Ethernet frame delay measurement uses the IEEE 802.1ag CFM infrastructure. Generally, Ethernet frame delay measurements are made in a peer fashion from one MEP or CFM session to another. However, these measurements are not made to maintenance association intermediate points (MIPs). For a complete description of Ethernet frame delay measurement, see the ITU-T Y.1731 Ethernet Service OAM topics in the Junos OS Network Interfaces Configuration Guide.


5349

®


Types of Ethernet Frame Delay Measurements There are two types of Ethernet frame delay measurements: •

One-way

•

Two-way (round-trip)

For one-way Ethernet frame delay measurement, either MEP can send a request to begin a one-way delay measurement to its peer MEP. However, the statistics are collected only at the receiver MEP. This feature requires the clocks at the transmitting and receiving MEPs to be synchronized. If these clocks fall out of synchronization, only one-way delay variation and average delay variation values are computed correctly (and will, therefore, be valid). Use the show commands at the receiver MEP to display one-way delay statistics. For two-way (round-trip) Ethernet frame delay measurement, either MEP can send a request to begin a two-way delay measurement to its peer MEP, which responds with timestamp information. Run-time statistics are collected and displayed at the initiator MEP. The clocks do not need to be synchronized at the transmitting and receiving MEPs. Junos OS supports timestamps in delay measurement reply (DMR) frames to increase the accuracy of delay calculations. Use the show commands at the initiator MEP to display two-way delay statistics, and at the receiver MEP to display one-way delay statistics. You can create an iterator profile to periodically transmit SLA measurement packets in the form of ITU-Y.1731-compliant frames for delay measurement or loss measurement.

Limitations The following are some limitations with regard to using Ethernet frame delay measurement:


5350

•

Ethernet frame delay measurements are available only when distributed periodic packet management (PPM) is enabled.

•

The statistics collected are lost after a graceful Routing Engine switchover (GRES).

•

You can monitor only one session to the same remote MEP or MAC address.

•

Accuracy is compromised when the system configuration changes (such as from reconfiguration). We recommend performing Ethernet frame delay measurements on a stable system.

•

Configuring MEP Interfaces on Switches to Support Ethernet Frame Delay Measurements (CLI Procedure) on page 5358

•

Configuring One-Way Ethernet Frame Delay Measurements on Switches (CLI Procedure) on page 5359

•

Configuring Two-Way Ethernet Frame Delay Measurements on Switches (CLI Procedure) on page 5362

•

Triggering an Ethernet Frame Delay Measurement Session on a Switch on page 5361



Example of Ethernet OAM Connectivity Fault Management Configuration •


Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches Ethernet interfaces on Juniper Networks EX Series Ethernet Switches and Juniper Networks Junos OS for EX Series switches support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM). This example describes how to enable and configure OAM CFM on a Gigabit Ethernet interface: •


•


•

Configuring Ethernet OAM Connectivity Fault Management on Switch 1 on page 5351

•

Configuring Ethernet OAM Connectivity Fault Management on Switch 2 on page 5352

•




•

Two EX Series switches connected by a point-to-point Gigabit Ethernet link

Overview and Topology CFM can be used to monitor the physical link between two switches. In the following example, two switches are connected by a point-to-point Gigabit Ethernet link. The link between these two switches is monitored using CFM.

Configuring Ethernet OAM Connectivity Fault Management on Switch 1 CLI Quick Configuration

To quickly configure Ethernet OAM CFM, copy the following commands and paste them into the switch terminal window: [edit protocols oam ethernet connectivity-fault-management maintenance-domain]set name-format character-string set maintenance-domain private level 0set maintenance-association private-maset continuity-check hold-interval 1s


To enable and configure OAM CFM on switch 1: 1.

Specify the maintenance domain name format: [edit protocols oam ethernet connectivity-fault-management maintenance-domain]user@switch1# set name-format character-string

2.

Specify the maintenance domain name and the maintenance domain level: [edit protocols oam ethernet connectivity-fault-management]user@switch1# set maintenance-domain private level 0


5351

®


3.

Create a maintenance association: [edit protocols oam ethernet connectivity-fault-management maintenance-domain private]user@switch1# set maintenance-association private-ma

4.

Enable the continuity check protocol and specify the continuity check hold interval: [edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma]user@switch1# set continuity-check hold-interval 1s

5.

Configure the maintenance association end point (MEP): [edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma] user@switch1# set mep 100 interface ge-1/0/1 auto-discovery direction down

Check the results of the configuration. [edit] user@switch1# show

protocols { oam { ethernet { connectivity-fault-management { maintenance-domain private { level 0; maintenance-association private-ma { continuity-check { interval 1s; } mep 100 { interface ge-1/0/1; auto-discovery; direction down; } } } } }

Configuring Ethernet OAM Connectivity Fault Management on Switch 2 CLI Quick Configuration

To quickly configure Ethernet OAM CFM, copy the following commands and paste them into the switch terminal window: [edit protocols oam ethernet connectivity-fault-management maintenance-domain]set name-format character-string set maintenance-domain private level 0set maintenance-association private-maset continuity-check hold-interval 1s


The configuration on switch 2 mirrors that on switch 2. 1.

Specify the maintenance domain name format: [edit protocols oam ethernet connectivity-fault-management]user@switch2# set name-format character-string

2.

Specify the maintenance domain name and the maintenance domain level: [edit protocols oam ethernet connectivity-fault-management]user@switch2# set maintenance-domain private level 0

3.

5352

Create a maintenance association:



[edit protocols oam ethernet connectivity-fault-management maintenance-domain private]user@switch2# set maintenance-association private-ma 4.

Enable the continuity check protocol and specify the continuity check hold interval: [edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma]user@switch2# set continuity-check hold-interval 1s

5.

Configure the maintenance association end point (MEP) [edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma] user@switch2# set mep 100 interface ge-0/2/5 auto-discovery direction down

Check the results of the configuration. [edit] user@switch2# show

protocols { oam { ethernet { connectivity-fault-management { maintenance-domain private { level 0; maintenance-association private-ma { continuity-check { interval 1s; } mep 100 { interface ge-0/2/5; auto-discovery; direction down; } } } } }


Verifying That OAM CFM Has Been Configured Properly on page 5353

Verifying That OAM CFM Has Been Configured Properly Purpose Action

Verify that OAM CFM has been configured properly. Use the show oam ethernet connectivity-fault-management interfaces detail command: user@switch1# show oam ethernet connectivity-fault-management interfaces detail

Sample Output Interface name: ge-1/0/1.0, Interface status: Active, Link status: Up Maintenance domain name: private, Format: string, Level: 0 Maintenance association name: private-ma, Format: string Continuity-check status: enabled, Interval: 1ms, Loss-threshold: 3 frames MEP identifier: 100, Direction: down, MAC address: 00:90:69:0b:4b:94


5353

®


MEP status: running Defects: Remote MEP not receiving CCM Erroneous CCM received Cross-connect CCM received RDI sent by some MEP Statistics: CCMs sent CCMs received out of sequence LBMs sent Valid in-order LBRs received Valid out-of-order LBRs received LBRs received with corrupted data LBRs sent LTMs sent LTMs received LTRs sent LTRs received Sequence number of next LTM request Remote MEP count: 2 Identifier MAC address State 2001 00:90:69:0b:7f:71 ok

Meaning


: : : :

no yes no yes

: : : : : : : : : : : :

76 0 0 0 0 0 0 0 0 0 0 0


When the output displays continuity-check status is enabled and displays details of the remote MEP, it means that connectivity fault management (CFM) has been configured properly.

•


•


Configuring Ethernet OAM Connectivity Fault Management •


•


•


•

Configuring an Iterator Profile on a Switch (CLI Procedure) on page 5360

•


•


Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure) Ethernet interfaces on Juniper Networks EX Series Ethernet Switches and Juniper Networks Junos OS for EX Series switches support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM).

5354



This topic describes these tasks: 1.

Creating the Maintenance Domain on page 5355

2. Configuring the Maintenance Domain MIP Half Function on page 5355 3. Creating a Maintenance Association on page 5356 4. Configuring the Continuity Check Protocol on page 5356 5. Configuring a Maintenance Association End Point on page 5356 6. Configuring a Connectivity Fault Management Action Profile on page 5357 7. Configuring the Linktrace Protocol on page 5358

Creating the Maintenance Domain A maintenance domain comprises network entities such as operators, providers, and customers. To enable connectivity fault management (CFM) on an Ethernet interface, you must create a maintenance domains, maintenance associations, and MEPs. To create a maintenance domain: 1.

Specify a name for the maintenance domain: [edit protocols oam ethernet connectivity-fault-management] user@switch# set maintenance-domain domain-name

2. Specify a format for the maintenance domain name. If you specify none, no name is

configured: •

A plain ASCII character string

•

A domain name service (DNS) format

•

A media access control (MAC) address plus a two-octet identifier in the range 0 through 65,535

•

none

[edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name] user@switch# set name-format format

For example, to specify the name format as MAC address plus a two-octet identifier: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name] user@switch# set name-format mac+2oct 3. Configure the maintenance domain level, which is used to indicate the nesting

relationship between this domain and other domains. Use a value from 0 through 7: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name] user@switch# set level level

Configuring the Maintenance Domain MIP Half Function MIP Half Function (MHF) divides the maintenance association intermediate point (MIP) functionality into two unidirectional segments, improves visibility with minimal configuration, and improves network coverage by increasing the number of points that can be monitored. MHF extends monitoring capability by responding to loop-back and


5355

®


link-trace messages to help isolate faults. Whenever a MIP is configured, the MIP half function value for all maintenance domains and maintenance associations must be the same. To configure the MIP half function: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name] user@switch# set mip-half-function (none | default | explicit)

Creating a Maintenance Association In a CFM maintenance domain, each service instance is called a maintenance association. To create a maintenance association: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name] user@switch# set maintenance-association ma-name

Configuring the Continuity Check Protocol The continuity check protocol is used for fault detection by a maintenance association end point (MEP) within a maintenance association. The MEP periodically sends continuity check multicast messages. The receiving MEPs use the continuity check messages (CCMs) to build a MEP database of all MEPs in the maintenance association. To configure the continuity check protocol: 1.

Enable the continuity check protocol: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name] user@switch# set continuity-check

2. Specify the continuity check hold interval. The hold interval is the number of minutes

to wait before flushing the MEP database if no updates occur. The default value is 10 minutes. [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check] user@switch# set hold-interval number 3. Specify the CCM interval. The interval is the time between the transmission of CCMs.

You can specify 10 minutes (10m), 1 minute (1m), 10 seconds (10s), 1 second (1s), 100 milliseconds (100ms), or 10 milliseconds (10ms). [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check] user@switch# set interval number 4. Specify the number of CCMs (that is, protocol data units) that can be lost before the

MEP is marked as down. The default number of protocol data units (PDUs) is 3. [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check] user@switch# set loss-threshold number

Configuring a Maintenance Association End Point To configure a maintenance association end point:

5356



1.

Specify an ID for the MEP. The value can be from 1 through 8191. [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name] user@switch# set mep mep-id]

2. Enable maintenance endpoint automatic discovery if you want to have the MEP accept

continuity check messages (CCMs) from all remote MEPs of the same maintenance association: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id user@switch# set auto-discovery 3. You can specify that CFM packets (CCMs) be transmitted only in one direction for the

MEP, that is, the direction be set as down so that CCMs are transmitted only out of (not into) the interface configured on this MEP. [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id] user@switch# set direction down 4. Specify the logical interface to which the MEP is attached. It can be either an access

interface or a trunk interface. If you specify a trunk interface, the VLAN associated with that interface must have a VLAN ID.

NOTE: You cannot associate an access interface that belongs to multiple VLANs with the MEP.

[edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id] user@switch# set interface interface-name 5. You can configure a remote MEP from which CCMs are expected. If autodiscovery is

not enabled, the remote MEP must be configured under the mep statement. If the remote MEP is not configured under the mep statement, the CCMs from the remote MEP are treated as errors. [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id] user@switch# set remote-mep mep-id

Configuring a Connectivity Fault Management Action Profile You can configure an action profile and specify the action to be taken when any of the configured events occur. Alternatively, you can configure an action profile and specify default actions when connectivity to a remote MEP fails. To configure an action profile: 1.

Specify a name for an action profile: [edit protocols oam ethernet connectivity-fault-management] user@switch# set action-profile profile-name

2. Configure the action of the action profile: [edit protocols oam ethernet connectivity-fault-management action-profile profile-name] user@switch# set action interface-down


5357

®


3. Configure one or more events under the action profile, the occurrence of which will

trigger the corresponding action to be taken: [edit protocols oam ethernet connectivity-fault-management action-profile profile-name] user@switch# set event event

See Junos OS Network Interfaces Configuration Guide

Configuring the Linktrace Protocol The linktrace protocol is used for path discovery between a pair of maintenance points. Linktrace messages are triggered by an administrator using the traceroute command to verify the path between a pair of MEPs under the same maintenance association. Linktrace messages can also be used to verify the path between a MEP and a MIP under the same maintenance domain. To configure the linktrace protocol: 1.

Configure the linktrace path age timer. If no response to a linktrace request is received, the request and response entries are deleted after the age timer expires: [edit protocols oam ethernet connectivity-fault-management] user@switch# set linktrace age time

2. Configure the number of linktrace reply entries to be stored per linktrace request: [edit protocols oam ethernet connectivity-fault-management] user@switch# set linktrace path-database-size path-database-size


•


•


•


Configuring MEP Interfaces on Switches to Support Ethernet Frame Delay Measurements (CLI Procedure) Ethernet frame delay measurement is a useful tool for providing performance statistics or supporting or challenging service-level agreements (SLAs). By default, Ethernet frame delay measurement uses software for timestamping and delay calculations. You can configure an EX Series switch to perform and display Ethernet frame delay measurements on Ethernet interfaces. The switches support software-assisted timestamping. Before you can begin configuring MEP interfaces to support Ethernet frame delay measurements on switches, ensure that you have:

5358

•

Configured Operation, Administration, and Maintenance (OAM) connectivity fault management (CFM) correctly

•

Enabled distributed periodic packet management (PPM) (distributed PPM is enabled by default)



To configure MEP interfaces on switches to support Ethernet frame delay measurements: 1.

Enable the Ethernet frame delay measurement by issuing the monitor ethernet delay-measurement operational mode command. In this command, you must specify one measurement type (either one-way or two-way measurement), and you must specify either the unicast MAC address of the peer MEP or its numeric identifier. Optionally, you can also specify the following parameters: •

Number of frames to send to the peer MEP (count count)

•

Number of seconds to wait between sending frames (wait time)

•

Priority value of the delay measurement request frame (priority value)

•

Size of the data in the data TLV of the request packet (size value)

•

Suppression of the insertion of the session ID TLV in the request packet (no-session-id-tlv)

user@switch> monitor ethernet delay-measurement maintenance-domain md-name maintenance-association ma-name one-way mep remote-mep-id count count wait time priority value size value no-session-id-tlv


•


•


•


•


Configuring One-Way Ethernet Frame Delay Measurements on Switches (CLI Procedure) Ethernet frame delay measurement is a useful tool for providing performance statistics or supporting or challenging service-level agreements (SLAs). You can configure the frame delay measurements in either a one-way mode or a two-way (round-trip) mode to gather frame delay statistics. For one-way Ethernet frame delay measurement, clocks at the local and remote MEPs need to be synchronized. However, clock synchronization is not required for two-way Ethernet frame delay measurement. Before you begin configuring one-way Ethernet frame delay measurements on two EX Series switches, ensure that you have: •

Configured Operation, Administration, and Maintenance (OAM) connectivity fault management (CFM) correctly on both the switches

•

Synchronized the system clocks of both the switches

To configure one-way Ethernet frame delay measurements: 1.

Configure the maintenance domain, maintenance association, and MEP ID on both the switches.


5359

®


2. From either switch, start a one-way Ethernet frame delay measurement: user@switch> monitor ethernet delay-measurement maintenance-domain md-name maintenance-association ma-name one-way mep remote-mep-id count count wait time

You can view the result on the other switch: user@switch> show oam ethernet connectivity-fault-management delay-statistics maintenance-domain md-name maintenance-association ma-name local-mep mep-id remote-mep mep-id


•


•


•


•


Configuring an Iterator Profile on a Switch (CLI Procedure) Ethernet frame delay measurement provides fine control to operators for triggering delay measurement on a given service and can be used to monitor service-level agreements (SLAs). You can create an iterator profile with its parameters to periodically transmit SLA measurement packets in the form of ITU-Y.1731-compliant frames for two-way delay measurement. To create an iterator profile: 1.

Specify a name for an SLA iterator profile—for example, i1: [edit protocols oam ethernet connectivity-fault-management performance-monitoring] user@switch# edit sla-iterator-profiles i1

2. (Optional) Configure the cycle time, which is the time (in milliseconds) between

back-to-back transmissions of SLA frames. [edit protocols oam ethernet connectivity-fault-management performance-monitoring sla-iterator-profiles i1] user@switch# set cycle-time cycle-time-value 3. (Optional) Configure the iteration period, which indicates the maximum number of

cycles per iteration (the number of connections registered to an iterator cannot exceed this value). [edit protocols oam ethernet connectivity-fault-management performance-monitoring sla-iterator-profiles i1] user@switch# set iteration-period iteration-period-value 4. Configure the measurement type as two-way delay measurement.

[edit protocols oam ethernet connectivity-fault-management performance-monitoring sla-iterator-profiles i1] user@switch# set measurement-type two-way-delay 5. (Optional) Configure the calculation weight for delay.

5360



[edit protocols oam ethernet connectivity-fault-management performance-monitoring sla-iterator-profiles i1] user@switch# set calculation-weight delay delay-value 6. (Optional) Configure the calculation weight for delay variation.

[edit protocols oam ethernet connectivity-fault-management performance-monitoring sla-iterator-profiles i1] user@switch# set calculation-weight delay-variation delay-variation-value 7. Configure a remote MEP with the iterator profile.

[edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep remote-mep-id] user@switch# set sla-iterator-profiles i1


•


•


•


•


•


Triggering an Ethernet Frame Delay Measurement Session on a Switch To trigger Ethernet frame delay measurement, use the monitor ethernet delay-measurement operational command and specify the following values: •

Either one-way (one-way) or two-way (two-way) measurement

•

Either the MAC address (remote-mac-address) or the MEP ID (mep) of the remote host

•

The maintenance domain (maintenance-domain)

•

The maintenance association (maintenance-association)

•

(Optional) Any or all of these options: count, size, wait, no-session-id-tlv, priority

For example: user@switch> monitor ethernet delay-measurement one-way 00:05:85:73:39:4a maintenance-domain md6 maintenance-association ma6 count 10 size 50 wait 5 no-session-id-tlv priority 1


•


•



5361

®


•


•


Configuring Two-Way Ethernet Frame Delay Measurements on Switches (CLI Procedure) Ethernet frame delay measurement is a useful tool for providing performance statistics or supporting or challenging service-level agreements (SLAs). You can configure the frame delay measurements in either a one-way mode or a two-way (round-trip) mode to gather frame delay statistics. For one-way Ethernet frame delay measurement, clocks at the local and remote MEPs need to be synchronized. However, clock synchronization is not required for two-way Ethernet frame delay measurement. Before you begin configuring two-way Ethernet frame delay measurements on two EX Series switches, ensure that you have: •

Configured Operation, Administration, and Maintenance (OAM) connectivity fault management (CFM) correctly on both the switches

To configure two-way Ethernet frame delay measurements: 1.

Configure the maintenance domain, maintenance association, and MEP ID on both the switches.

2. From either switch, start a two-way Ethernet frame delay measurement: user@switch> monitor ethernet delay-measurement maintenance-domain md-name maintenance-association ma-name two-way mep remote-mep-id count count wait time

You can view the result on the other switch: user@switch> show oam ethernet connectivity-fault-management delay-statistics maintenance-domain md-name maintenance-association ma-name local-mep mep-id remote-mep mep-id


•


•


•


•


Configuration Statements for Ethernet OAM Connectivity Fault Management •


[edit protocols] Configuration Statement Hierarchy protocols { connections (MPLS) {

5362



remote-interface-switch connection-name { interface interface-name.unit-number; transmit-lsp label-switched-path; receive-lsp label-switched-path; no-autonegotiation; } } dcbx { disable; interface (all | interface-name) { disable; priority-flow-control { no-auto-negotiation; } } } igmp-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { data-forwarding { source { groups group-prefix; } receiver { source-vlans vlan-list; install ; } } disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } proxy { source-address ip-address; } robust-count number; version version; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } lldp-configuration-notification-interval seconds; management-address ip-management-address;


5363

®


ptopo-configuration-maximum-hold-time seconds; ptopo-configuration-trap-interval seconds; traceoptions { file filename ; flag flag (detail | disable | receive | send); } } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mld-snooping { traceoptions { file filename ; flag flag ; } vlan (all | vlan-name) { disable; immediate-leave; interface (all | interface-name) { multicast-router-interface; static { group ip-address; } } robust-count number; version version; } } mpls (EX Series) { disable; class-of-service cos-value; no-cspf; no-decrement-ttl; advertisement-hold-time seconds; explicit-null; icmp-tunneling; interface (interface-name | all) {

5364



disable; } ipv6-tunneling; no-propagate-ttl; path path-name { (address | hostname) ; } label-switched-path lsp-name { disable; auto-bandwidth { adjust-interval seconds; adjust-threshold percentage; adjust-threshold-overflow-limit count; adjust-threshold-underflow-limit maximum-bandwidth bps; minimum-bandwidth bps; monitor-bandwidth; } description text-string; from address; install destination-prefix ; ldp-tunneling; no-cspf; no-decrement-ttl; primary path-name { adaptive; select (manual | unconditional); } secondary path-name { adaptive; select (manual | unconditional); } to address; traceoptions { file filename ; flag flag; } } static-label-switched-path lsp-name { bypass bypass-name { description text-string; next-hop (address | interface-name | address/interface-name); to address; } ingress { description string; install { destination-prefix ; } link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); to address; } transit incoming-label { bandwidth bps;


5365

®


description text-string; link-protection bypass-name name; next-hop (address | interface-name | address/interface-name); pop; swap out-label; } statistics { auto-bandwidth; file filename ; interval seconds; } traceoptions { file filename ; flag flag; } traffic-engineering (bgp | bgp-igp); } mstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; configuration-name (Spanning Trees) name; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees); } cost (Spanning Trees) cost; disable; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; max-hops (Spanning Trees) hops; msti (Spanning Trees) msti-id { vlan (Spanning Trees) (vlan-id | vlan-name); interface (Spanning Trees) interface-name { disable (Spanning Trees); cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; priority (Spanning Trees) priority; } } revision-level (Spanning Trees) revision-level; traceoptions (Spanning Trees) { file filename ;

5366



flag flag; } } mvrp { add-attribute-length-in-pdu; disable; interface (all | interface-name) { disable; join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; registration (forbidden | normal); } no-dynamic-vlan; traceoptions (Spanning Trees) { file filename ; flag flag; } } oam { ethernet (OAM LFM){ connectivity-fault-management { action-profile profile-name { default-actions { interface-down; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { disable;


5367

®


calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; } } } } link-fault-management { action-profile profile-name; action (OAM LFM) { syslog; link-down; } event { link-adjacency-loss; link-event-rate; frame-error count; frame-period count; frame-period-summary count; symbol-period count; } interface (OAM LFM) interface-name { link-discovery (active | passive); pdu-interval interval; event-thresholds threshold-value; remote-loopback; event-thresholds { frame-errorcount; frame-period count; frame-period-summary count; symbol-period count; } } negotiation-options { allow-remote-loopback; no-allow-link-events; } } } } rstp (Spanning Trees) { disable (Spanning Trees); bpdu-block-on-edge; bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log (Spanning Trees);

5368



} cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; } traceoptions (Spanning Trees) { file filename ; flag flag; } } sflow { agent-id; collector { ip-address; udp-port port-number; } disable (sFlow Monitoring Technology); interfaces (sFlow Monitoring Technology) interface-name { disable (sFlow Monitoring Technology); polling-interval seconds; sample-rate { egress number; ingress number; } } polling-interval seconds; sample-rate { egress number; ingress number; } source-ip; } stp (Spanning Trees) { disable (Spanning Trees); bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { disable (Spanning Trees); arp-on-stp bpdu-timeout-action (Spanning Trees) { block (Spanning Trees); log; } cost (Spanning Trees) cost; edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds;


5369

®


} traceoptions (Spanning Trees) { file filename ; flag flag; } uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) { group-name { link-to-monitor { interface-name; } link-to-disable { interface-name; } } } traceoptions (Uplink Failure Detection) { file filename ; flag (all | dcd | groups | interface | parse ); } } vstp { bpdu-block-on-edge; disable (Spanning Trees); force-version (Spanning Trees) stp; vlan (Spanning Trees) (all | vlan-id | vlan-name) { bridge-priority (Spanning Trees) priority; forward-delay (Spanning Trees) seconds; hello-time (Spanning Trees) seconds; interface (Spanning Trees) (all | interface-name) { arp-on-stp bpdu-timeout-action (Spanning Trees) { log (Spanning Trees); block (Spanning Trees); } cost (Spanning Trees) cost; disable (Spanning Trees); edge (Spanning Trees); mode (Spanning Trees) mode; no-root-port (Spanning Trees); priority (Spanning Trees) priority; } max-age (Spanning Trees) seconds; traceoptions (Spanning Trees) { file filename ; flag flag; } } } }

5370




•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•


•



5371

®


action-profile (Applying to OAM CFM, for EX Series Switch Only) Syntax

Hierarchy Level

action-profile profile-name { action { interface-down; } default-actions { interface-down; } event { adjacency-loss; } } [edit protocols oam ethernet connectivity-fault-management] [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id remote-mep mep-id]


Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure a name and default action for an action profile. profile-name—Name of the action profile. action—Defines the action to be taken when connectivity to the remote MEP is lost. interface-down—Brings the interface down when a remote MEP connectivity failure. is

detected. default-actions—Defines the default action to be taken when connectivity to the remote

MEP is lost. interface-down—Brings the interface down when a remote MEP connectivity failure is

detected. event—Defines the event to be monitored when a remote MEP connectivity failure is

detected. adjacency-loss—Defines the connectivity loss to the remote MEP.


5372



•




age (EX Series Switch Only) Syntax

age (30m | 10m | 1m | 30s | 10s);

Hierarchy Level

[edit protocols oam ethernet connectivity-fault-management linktrace]

Release Information


Description


Configure the time to wait (in minutes or seconds) for a response. If no response is received, the request and response entry is deleted from the linktrace database. 10 minutes routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•


auto-discovery (EX Series Switch Only) Syntax Hierarchy Level


auto-discovery; [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Enable the MEP to accept continuity check messages from all remote MEPs. routing—To view this statement in the configuration. routing-control—To add this statement to the configuration. •


•



5373

®


connectivity-fault-management (EX Series Switch Only) Syntax

5374

connectivity-fault-management { action-profile profile-name { action { interface-down; } default-actions { interface-down; } event { adjacency-loss; } } linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interface-status-tlv; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; port-status-tlv; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; passive; } } }



}


Description

[edit protocols oam ethernet]

Statement introduced in Junos OS Release 10.2 for EX Series switches. performance-monitoring introduced in Junos OS Release 11.4 for EX Series switches. Configure connectivity fault management for IEEE 802.1ag Operation, Administration, and Management (OAM) support. The remaining statements are explained separately.




•


continuity-check (EX Series Switch Only) Syntax

Hierarchy Level


continuity-check { hold-interval minutes; interface-status-tlv; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; port-status-tlv; } [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Specify continuity check protocol options. The remaining statements are explained separately.

Options

interface-status-tlv—Includes interface status TLV in CCM. port-status-tlv—Includes port status TLV in CCM.




•



5375

®


data-tlv-size Syntax Hierarchy Level


data-tlv-size size; [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep remote-mep-id sla-iterator-profile profile-name]

Statement introduced in Junos OS Release 11.1. Configure the size of the data TLV portion of the Y.1731 data frame. size—Size of the data TLV portion of the Y.1731 data frame.

NOTE: This option is applicable only for two-way delay measurement. Range: 1 through 1400 bytes Default: 1 Required Privilege Level Related Documentation

Configure—To enter configuration mode. Control—To modify any configuration. •

sla-iterator-profile on page 5394

•

Configuring a Remote MEP with an Iterator Profile

direction (EX Series Switch Only) Syntax Hierarchy Level


Options

direction down; [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Specify that connectivity fault management (CFM) packets (CCMs) be transmitted only in one direction for the MEP, that is, the direction be set as down so that CCMs are transmitted only out of (not into) the interface configured on this MEP. down—Down MEP CCMs are transmitted only out (not into) of the interface configured

on this MEP. Required Privilege Level Related Documentation

5376



•




esp-traceoptions Syntax


esp-traceoptions { file filename ; flag (all |error | esp | interface | krt | lib |normal |task |timer); } [edit protocols oam ethernet connectivity-fault-management]]

Statement introduced in Junos OS Release 11.4 for EX Series switches. Define esp tracing operations for connectivity fault management. file filename —Name of the file to receive the output of the tracing operation. Enclose the

name within quotation marks. files number —(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and

so on, until the maximum number of trace files is reached ( xk to specify KB, xm to specify MB, or xg to specify gigabytes), at which point the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files flag flag —Tracing operation to perform. To specify more than one tracing operation,


all—Trace everything.

•

error—Trace events related to catestrophic errors in daemon.

•

esp—Trace esp events.

•

interface—Trace interface events.

•

krt—Trace routing socket events.

•

lib—Trace lib events.

•

normal—Trace lib events.

•

task—Trace task events.

•

timer—Trace timer events.

no-stamp—(Optional) Do not place a timestamp on any trace file. no-world-readable—(Optional) Restricted file access to the user who created the file. size size —(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of


5377

®


trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes Range: 10 KB through 4 GB world-readable—(Optional) Enable unrestricted file access.




hold-interval (OAM CFM, for EX Series Switch Only) Syntax Hierarchy Level



5378

hold-interval minutes; [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure the time to wait before flushing the maintenance association end point (MEP) database, if no updates occur. minutes—Time to wait, in minutes.



•




interface (OAM CFM, for EX Series Switch Only) Syntax

Hierarchy Level


Options

interface (interface-name | ((ge- | xe-) (fpc/pic/port | fpc/pic/port.unit-number | fpc/pic/port.unit-number vlan vlan-id))); [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure IEEE 802.1ag Operation, Administration, and Management (OAM) Connectivity Fault Management (CFM) support for the specified interface. interface-name—Interface to which the MEP is attached. It can be a physical Ethernet

interface or a logical interface. If the interface is a trunk interface, the VLAN associated with the interface must have a VLAN ID. Required Privilege Level Related Documentation



•



5379

®


interval (EX Series Switch Only) Syntax Hierarchy Level


interval (10m | 10s | 1m | 1s | 100ms | 10ms); [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure the time between continuity check messages. 10m—10 minutes. 10s—10 seconds. 1m—1 minute. 1s—1 second. 100ms—100 milliseconds. 10ms—10 milliseconds.


5380



•




iteration-count Syntax Hierarchy Level


Options

iteration-count count-value; [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep remote-mep-id sla-iterator-profile profile-name]

Statement introduced in Junos OS Release 11.1. Configure the number of iterations for which the connection partakes in the iterator for acquiring SLA measurements. count-value—Number of iterations for which the connection should partake in the iterator

for acquiring SLA measurements. Range: 1 through 65,535 Default: 0 (or infinite iterations) Required Privilege Level Related Documentation



•


level (EX Series Switch Only) Syntax Hierarchy Level

Release Information

level number; [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name]


Description

Configure a number to be used in CFM messages to identify the maintenance association.

Options

number—Number used to identify the maintenance domain to which the CFM message

belongs. Range: 0 through 7 Required Privilege Level Related Documentation



•



5381

®


linktrace (EX Series Switch Only) Syntax


linktrace { age (30m | 10m | 1m | 30s | 10s); path-database-size path-database-size; } [edit protocols oam ethernet connectivity-fault-management]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure connectivity fault management linktrace parameters. The remaining statements are explained separately.




•


loss-threshold (EX Series Switch Only) Syntax Hierarchy Level


Options

loss-threshold number; [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure the number of continuity check messages that can be lost before the remote MEP is marked as down. number—Number of continuity check messages that can be lost before the remote MEP

is marked down. Required Privilege Level Related Documentation

5382



•




maintenance-association (EX Series Switch Only) Syntax

Hierarchy Level


maintenance-association ma-name { continuity-check { hold-interval minutes; interface-status-tlv; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; port-status-tlv; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure the name of the maintenance association in IEEE-compliant format. ma-name—The name of the maintenance association within the maintenance domain.




•



5383

®


maintenance-domain (EX Series Switch Only) Syntax


maintenance-domain domain-name { level number; mip-half-function (none | default |explicit); name-format (character-string | none | dns | mac+2oct); maintenance-association ma-name { continuity-check { hold-interval minutes; interface-status-tlv; interval (10m | 10s | 1m | 1s| 100ms); loss-threshold number; port-status-tlv; } mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } } } [edit protocols oam ethernet connectivity-fault-management ]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure the name of the maintenance domain in IEEE-compliant format. domain-name—The name for the maintenance domain.


5384



•




measurement-type Syntax Hierarchy Level

Release Information

measurement-type two-way-delay; [edit protocols oam ethernet connectivity-fault-management performance-monitoring (OAM LFM) sla-iterator-profiles (OAM LFM) profile-name]


Description

Configure the measurement type for the service-level agreement (SLA) frames. An SLA frame is a type of packet used to measure frame loss in Ethernet connections.

Options

two-way-delay—Use Y.1731-compliant two-way ETH-DM frames to measure frame loss.




•


•



5385

®


mep (EX Series Switch Only) Syntax

Hierarchy Level


Options

mep mep-id { auto-discovery; direction down; interface interface-name; remote-mep mep-id { action-profile profile-name; } } [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Configure the numeric identifier of the maintenance association end point (MEP) within the maintenance association. mep-id—Numeric identifier of the MEP.

Range: 1 through 8191 The remaining statements are explained separately. Required Privilege Level Related Documentation

5386



•




mip-half-function (EX Series Switch Only) Syntax Hierarchy Level


mip-half-function (none | default | explicit); [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Specify the OAM Ethernet CFM maintenance domain MIP half functions.

NOTE: Whenever a MIP is configured, the MIP half function value for all maintenance domains and maintenance associations must be the same.

Options

none—Specify to not use the mip-half-function. default—Specify to use the default mip-half-function. explicit—Specify an explicit mip-half-function.




•



5387

®


name-format (EX Series Switch Only) Syntax Hierarchy Level


name-format (character-string | none | dns | mac+2oct); [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Specify the format of the maintenance domain name. character-string—The name is an ASCII character string. none—Name format none means that maintenance domain name is not used. dns—Name is in domain name service (DNS) format. For example: www.juniper.net. mac+2oct—Name is the MAC address plus a two-octet maintenance association identifier.

For example: 08:00:22:33:44:55.100. Default: character-string Required Privilege Level Related Documentation



•


path-database-size (EX Series Switch Only) Syntax

path-database-size path-database-size;

Hierarchy Level

[edit protocols oam ethernet connectivity-fault-management linktrace]

Release Information


Description Options

Specify the number of linktrace reply entries to be stored per linktrace request. path-database-size—Database size (number of entries stored per request).


5388



•




performance-monitoring Syntax


performance-monitoring { sla-iterator-profiles (OAM LFM) { profile-name { calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; passive; } } } [edit protocols oam ethernet connectivity-fault-management]

Statement introduced in Junos OS Release 11.4 for EX Series switches. Specify performance monitoring support for Ethernet frame delay measurement. The remaining statements are explained separately.




•


•



5389

®




Options

priority priority-value; [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep remote-mep-id sla-iterator-profile profile-name]

Statement introduced in Junos OS Release 11.1. Configure the priority of the iterator profile, which is the vlan-pcp value that is sent in the Y.1731 data frames. priority-value—Priority value, which is the vlan-pcp value that is sent in the Y.1731 data

frames. Range: 0 through 7 Default: 0 Required Privilege Level Related Documentation



•


priority (OAM Connectivity-Fault Management) Syntax Hierarchy Level

priority number; [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id]

For EX Series Switches: [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id]


Statement introduced in Junos OS Release 8.4. IEEE 802.1p priority bits used by the continuity check messages. number—Configure the IEEE 802.1p priority bits to be used in the VLAN header of the CFM

packets. Range: 0 through 7 Required Privilege Level Related Documentation

5390


Configuring a Maintenance Endpoint



remote-mep (EX Series Switch Only) Syntax

Hierarchy Level


Options

remote-mep mep-id { action-profile profile-name; } [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name mep mep-id ]

Statement introduced in Junos OS Release 10.2 for EX Series switches. Specify the numeric identifier of the remote maintenance association end point (MEP) within the maintenance association. mep-id—Specify the numeric identifier of the MEP.

Range: 1 through 8191 The remaining statement is explained separately. Required Privilege Level Related Documentation



•



5391

®


short-name-format Syntax Hierarchy Level

Release Information

Description Options

short-name-format (character-string | vlan | 2octet | rfc-2685-vpn-id); [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name]

Statement introduced in Junos OS Release 8.4. Statement introduced in Junos OS Release 12.1 for PTX Series Packet Transport Switches. Specify the name format of the maintenance association name. character-string—The name is an ASCII character string. vlan—The primary VLAN identifier. 2octet—A number in the range 0 through 65,535. rfc-2685-vpn-id—A VPN identifier that complies with RFC 2685.

Default: character-string

NOTE: The PTX Series Packet Transport Switches support the vlan and 2octet options only.


5392


Creating a Maintenance Association

•

Configuring Ethernet 802.1ag OAM on PTX Series Packet Transport Switches



sla-iterator-profiles Syntax

Hierarchy Level


sla-iterator-profiles { profile-name { calculation-weight { delay delay-value; delay-variation delay-variation-value; } cycle-time cycle-time-value; iteration-period iteration-period-value; measurement-type (OAM LFM) two-way-delay; passive; } } [edit protocols oam ethernet connectivity-fault-management performance-monitoring (OAM LFM)]

Statement introduced in Junos OS Release 11.4 for EX Series switches. Configure an iterator application and specify the iterator profile options. profile-name—Name of the iterator profile.





5393

®


sla-iterator-profile Syntax

Hierarchy Level


sla-iterator-profile profile-name { data-tlv-size size; iteration-count count-value; priority priority-value; } [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep remote-mep-id]

Statement introduced in Junos OS Release 11.1. Configure a remote MEP with an iterator profile and specify the options. profile-name—Name of the iterator profile configured for a remote MEP. For more

information about configuring a remote MEP with an iterator profile, see Configuring a Remote MEP with an Iterator Profile. The remaining statements are explained separately. Required Privilege Level Related Documentation

5394


Clearing Iterator Statistics

•

Configuring an Iterator Profile

•


•

Example: Configuring an Iterator

•

Displaying Iterator Statistics

•

Managing Iterator Statistics

•

sla-iterator-profiles



traceoptions (OAM CFM, for EX Series Switch Only) Syntax

traceoptions { file filename ; flag flag ; no-remote-trace; }

Release Information

Statement introduced in JUNOS OS Release 10.2 for EX Series switches.

Description Options

Configure tracing options the connectivity fault management. file filename—Name of the file to receive the output of the tracing operation. Enclose the




all—Trace all events.

•


•

error—Trace events related to catastrophic errors in daemon.

•

init—Trace events related to protocol daemon start-up.

•

protocol—Trace protocol processing events.

•

routing socket—Trace routing socket events.

match—(Optional) Refine the output to log only those lines that match the given regular

expression. no-world-readable—(Optional) Restrict file access to the user who created the file. no-remote-trace—(Optional) Disable the remote trace. size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),

or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option.


5395

®


Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB Default: If you do not include this option, tracing output is appended to an existing trace file. world-readable—(Optional) Enable unrestricted file access.




Operational Commands for Ethernet OAM Connectivity Fault Management

5396



clear oam ethernet connectivity-fault-management delay-statistics Syntax

Release Information

Description

Options

clear oam ethernet connectivity-fault-management delay-statistics maintenance-association maintenance-association-name maintenance-domain maintenance-domain-name

Command introduced in Junos OS Release 9.6. Command introduced in Junos OS Release 11.4 for EX Series switches. On MX Series routers and EX Series switches, clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay statistics and ETH-DM frame counts. maintenance-association maintenance-association-name—Clear ETH-DM delay statistics

and ETH-DM frame counts for the specified maintenance association. maintenance-domain maintenance-domain-name—Clear ETH-DM delay statistics and

ETH-DM frame counts for the specified maintenance domain. logical-system logical-system-name—(MX Series routers only) (Optional) Clear ETH-DM

delay statistics and ETH-DM frame counts for the specified logical system. one-way—(Optional) Clear one-way ETH-DM delay statistics and ETH-DM frame counts

for the specified maintenance association, maintenance domain, or (on the routers only) logical system. two-way—(Optional) Clear two-way ETH-DM delay statistics and ETH-DM frame counts

for the specified maintenance association, maintenance domain, or (on the routers only) logical system. Required Privilege Level Related Documentation


view

•

clear oam ethernet connectivity-fault-management statistics

•

show oam ethernet connectivity-fault-management delay-statistics on page 5404

•

show oam ethernet connectivity-fault-management interfaces

clear oam ethernet connectivity-fault-management delay statistics on page 5397 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear oam ethernet connectivity-faultmanagement delay statistics

user@switch> clear oam ethernet connectivity-fault-management delay-statistics maintenance-domain md1 maintenance-association ma1 Delay statistics entries cleared


5397

®


clear oam ethernet connectivity-fault-management sla-iterator-statistics Syntax


Options

clear oam ethernet connectivity-fault-management sla-iterator-statistics maintenance-association maintenance-association-name maintenance-domain maintenance-domain-name sla-iterator sla-iterator

Command introduced in Junos OS Release 11.4 for EX Series switches. Clear Ethernet Operation, Administration, and Maintenance (OAM) service-level agreement (SLA) iterator statistics. maintenance-association maintenance-association-name—Name of the maintenance

association. maintenance-domain maintenance-domain-name—Name of the maintenance domain. local-mep local-mep-id—(Optional) Identifier of the local MEP. remote-mep remote-mep-id—(Optional) Identifier of the remote MEP. sla-iterator sla-iterator— Name of the SLA iterator profile.


view

•


•

show oam ethernet connectivity-fault-management sla-iterator-statistics on page 5427


clear oam ethernet connectivity-fault-management sla-iterator- statistics on page 5398

Output Fields


Sample Output clear oam ethernet connectivity-fault -management sla-iterator- statistics

5398

user@switch> clear oam ethernet connectivity-fault-management sla-iterator-statistics maintenance-domain md1 maintenance-association ma1 local-mep 1 remote-mep 2 sla-iterator i1 Iterator statistics entries cleared



clear oam ethernet connectivity-fault-management statistics Syntax



Command introduced in Junos OS Release 10.2 for EX Series switches. Clear all statistics maintained by CFM. interface ethernet-interface-name—(Optional) Clear CFM statistics only for MEPs attached

to the specified Ethernet physical interface. level level—(Optional) Clear CFM statistics only for MEPs within CFM maintenance

domains (MDs) of the specified level. Required Privilege Level Related Documentation


clear

•

show oam ethernet connectivity-fault-management interfaces on page 5412

•

show oam ethernet connectivity-fault-management linktrace path-database on page 5418

•

show oam ethernet connectivity-fault-management mip on page 5426

clear oam ethernet connectivity-fault-management statistics on page 5399 When you enter this command, you are provided feedback on the status of your request.

Sample Output clear oam ethernet connectivity-faultmanagement statistics

user@host> clear oam ethernet connectivity-fault-management statistics Cleared statistics of all CFM sessions


5399

®


monitor ethernet delay-measurement Syntax


monitor ethernet delay-measurement maintenance-domain md-name maintenance-association ma-name (one-way | two-way) (remote-mac-address | mep remote-mep-id)

Command introduced in Junos OS Release 11.4 for EX Series switches. Start an ITU-T Y.1731 Ethernet frame delay measurement session between the specified local connectivity fault management (CFM) maintenance association end point (MEP) and the specified remote MEP, and display a summary of the frames exchanged in the measurement session. Frame delay measurement statistics are stored at one of the MEPs for later retrieval.

NOTE: If you attempt to monitor delays to a nonexistent MAC address, you must type Ctrl +C to explicitly quit the monitor ethernet delay-measurement command and return to the CLI command prompt.

To start an Ethernet frame delay measurement session, the switch initiates an exchange of frames carrying one-way or two-way frame delay measurement protocol data units (PDUs) between the local and remote MEPs. The frame counts—the types of and number of Ethernet frame delay measurement PDU frames exchanged to measure frame delay times—are displayed as the run-time output of the monitor ethernet delay-measurement command and are also stored at both the initiator and receiver MEPs for later retrieval. Ethernet frame delay measurement statistics, described below, are measured and stored at only one of the MEPs: Frame delay—The difference, in microseconds, between the time a frame is sent and

when it is received. Frame delay variation—The difference, in microseconds, between consecutive frame delay

values. Frame delay variation is sometimes called “frame jitter.” For one-way Ethernet frame delay measurement, only the receiver MEP (on the remote system) collects statistics. For two-way Ethernet frame delay measurement, only the initiator MEP (on the local system) collects statistics. Options

count count—(Optional) Number of frames to send to the specified peer MEP. The range

of values is 1 through 65,535 frames. The default value is 10 frames. maintenance-association ma-name—Name of an existing CFM maintenance association. maintenance-domain md-name—Name of an existing CFM maintenance domain. mep remote-mep-id—Numeric identifier of the peer MEP with which to perform Ethernet

frame delay measurement. The discovered MAC address of the peer MEP is used. The range of values is 1 through 8191.

5400



no-session-id-tlv—(Optional) Prevent insertion of the session ID TLV in the request frame. one-way—Measurement type is one-way Ethernet frame delay measurement, which is

based on the difference between the time at which the initiator MEP sends a one-way delay measurement request (1DM) frame and the time at which the receiver MEP receives the frame. priority 802.1p value—(Optional) Priority of the delay measurement request frame

supported by both one-way delay measurement and two-way delay measurement. The range of values is from 0 through 7. The default value is zero. remote-mac-address—Unicast MAC address of the peer MEP with which to perform

Ethernet frame delay measurement. Specify the MAC address as six hexadecimal bytes in nn:nn:nn:nn:nn:nn format. Multicast MAC addresses are not supported. size size —(Optional) Size of the data TLV to be included in the request frame. The range

of values is from 1 through 1400 bytes. two-way—Measurement type is two-way Ethernet frame delay measurement, which is

based on the difference between the time at which the initiator MEP sends a two-way delay measurement message (DMM) frame and the time at which the initiator MEP receives an associated two-way delay measurement reply (DMR) frame from the responder MEP, subtracting the time elapsed at the responder MEP. wait time—(Optional) Number of seconds to wait between sending frames. The range

of values is from 1 through 255 seconds. The default value is 1 second. Required Privilege Level Related Documentation


Output Fields

trace and maintenance

•


•

show oam ethernet connectivity-fault-management mep-database on page 5420

•

show oam ethernet connectivity-fault-management mep-statistics

•

show oam ethernet connectivity-fault-management delay-statistics on page 5404

•

clear oam ethernet connectivity-fault-management statistics on page 5399

monitor ethernet delay-measurement one-way on page 5403 monitor ethernet delay-measurement two-way on page 5403 monitor ethernet delay-measurement two-way (Invalid DMR Frames Received) on page 5403 The monitor ethernet delay-measurement command displays different output at the CLI, depending on whether you start a one-way or two-way frame delay measurement: •

Table 615 on page 5402 lists the run-time output fields for the monitor ethernet delay-measurement one-way command.

•

Table 616 on page 5402 lists the run-time output fields for the monitor ethernet delay-measurement two-way command.


5401

®


Output fields are listed in the approximate order in which they appear.

Table 615: monitor ethernet delay-measurement one-way Output Fields Output Field Name

Output Field Description

One-way ETH-DM request to

Unicast MAC address of the remote peer MEP.

Interface

Name of the Ethernet physical, logical, or trunk interface to which the local MEP is attached.

1DM Frames sent

PDU frames sent to the remote MEP in this ETH-DM session.

Packets transmitted

Total number of 1DM PDU frames sent to the remote MEP during this measurement session.

Average delay

Average two-way frame delay measured in this session.

Average delay variation

Average frame jitter measured in this session.

Best case delay

Lowest two-way frame delay measured in this session.

Worst case delay

Highest two-way frame delay measured in this session.

NOTE: For one-way delay measurement, these CLI output fields display NA (“not applicable”) at the initiator MEP because one-way frame delay measurements occur at the receiver MEP.

Table 616: monitor ethernet delay-measurement two-way Output Fields Output Field Name


Two-way Ethernet frame delay measurement request to

Unicast MAC address of the remote peer MEP.

Interface

Name of the Ethernet physical, logical, or trunk interface to which the local MEP is attached.

DMR received from

Unicast MAC address of the remote MEP that transmitted this DMR frame in response to a DMM frame.

Delay

Two-way delay, in microseconds, for the initiator-transmitted DMM frame.

Delay variation

Difference, in microseconds, between the current and previous delay values. This is also known as jitter.

Packets transmitted

Total number of DMM PDU frames sent to the remote MEP in this measurement session.

Valid packets received

Total number of DMR PDU frames received from the remote MEP in this measurement session.

Average delay

Average two-way frame delay measured in this session.

Average delay variation

Average frame jitter measured in this session.

5402



Table 616: monitor ethernet delay-measurement two-way Output Fields (continued) Output Field Name


Best case delay

Lowest two-way frame delay measured in this session.

Worst case delay

Highest two-way frame delay measured in this session.

Sample Output monitor ethernet delay-measurement one-way

user@switch> monitor ethernet delay-measurement one-way 00:05:85:73:39:4a maintenance-domain md6 maintenance-association ma6 count 10 One-way ETH-DM request to 00:05:85:73:39:4a, Interface xe-5/0/0.0 1DM Frames sent : 10 --- Delay measurement statistics --Packets transmitted: 10 Average delay: NA, Average delay variation: NA Best case delay: NA, Worst case delay: NA

monitor ethernet delay-measurement two-way

user@switch> monitor ethernet delay-measurement two-way 00:05:85:73:39:4a maintenance-domain md6 maintenance-association ma6 count 10 Two-way ETH-DM request to 00:05:85:73:39:4a, Interface xe-5/0/0.0 DMR received from 00:05:85:73:39:4a Delay: 100 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 111 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 110 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 119 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 122 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 108 usec Delay variation:

0 usec 8 usec 0 usec 19 usec 1 usec 9 usec 3 usec 30 usec 0 usec 16 usec

--- Delay measurement statistics --Packets transmitted: 10, Valid packets received: 10 Average delay: 103 usec, Average delay variation: 8 usec Best case delay: 92 usec, Worst case delay: 122 usec

monitor ethernet delay-measurement two-way (Invalid DMR Frames Received)

user@switch> monitor ethernet delay-measurement two-way 00:05:85:73:39:4a maintenance-domain md6 maintenance-association ma6 count 10 Two-way ETH-DM request to 00:05:85:73:39:4a, Interface xe-5/0/0.0 DMR received from 00:05:85:73:39:4a Delay: 100 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 111 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 110 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 119 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 122 usec Delay variation: DMR received from 00:05:85:73:39:4a Delay: 92 usec Delay variation: DMR received from 00:05:85:73:39:4a with invalid timestamp(s). DMR received from 00:05:85:73:39:4a Delay: 108 usec Delay variation:

0 usec 8 usec 0 usec 19 usec 1 usec 9 usec 3 usec 30 usec 16 usec

--- Delay measurement statistics --Packets transmitted: 10, Valid packets received: 9, Invalid packets received: 1 Average delay: 105 usec, Average delay variation: 9 usec Best case delay: 92 usec, Worst case delay: 122 usec


5403

®


show oam ethernet connectivity-fault-management delay-statistics Syntax

Release Information

Description

show oam ethernet connectivity-fault-management delay-statistics maintenance-domain md-name maintenance-association ma-name

Command introduced in Junos OS Release 9.5. Command introduced in Junos OS Release 11.4 for EX Series switches. On MX Series routers with Ethernet interfaces on Dense Port Concentrators (DPCs), display ETH-DM delay statistics. On EX Series switches, display delay measurement results.

Options

maintenance-domain md-name—Name of an existing connectivity fault management

(CFM) maintenance domain. maintenance-association ma-name—Name of an existing CFM maintenance association. count entry-count—(Optional) Number of entries to display from the statistics table. The

range of values is 1 through 100. The default value is 100 entries. local-mep local-mep-id—(Optional) Numeric identifier of the local MEP. On MX Series

routers, the range of values is 1 through 8192. On EX Series switches, the range of values is 1 through 8191. remote-mep remote-mep-id—(Optional) Numeric identifier of the remote MEP. On MX

Series routers, the range of values is 1 through 8192. On EX Series switches, the range of values is 1 through 8191. Required Privilege Level Related Documentation

view

•


•

clear oam ethernet connectivity-fault-management delay-statistics on page 5397

•


•

show oam ethernet connectivity-fault-management mep-database

•

show oam ethernet connectivity-fault-management mep-statistics


show oam ethernet connectivity-fault-management delay-statistics on page 5406 show oam ethernet connectivity-fault-management delay-statistics remote-mep on page 5406

Output Fields

Table 617 on page 5405 lists the output fields for the show oam ethernet connectivity-fault-management delay-statistics command and the show oam ethernet

5404



connectivity-fault-management mep-statistics command. Output fields are listed in the

approximate order in which they appear.

Table 617: show oam ethernet connectivity-fault-management delay-statistics and mep-statistics Output Fields Output Field Name

Field Description

MEP identifier

Maintenance association end point (MEP) numeric identifier.

MAC address

Unicast MAC address configured for the MEP.

Remote MEP count

Number of remote MEPs (unless you specify the remote-mep option).

Remote MEP identifier

Numeric identifier of the remote MEP.

Remote MAC address

Unicast MAC address of the remote MEP.

Index

Index number that corresponds to the ETH-DM entry in the CFM database.

One-way delay (usec)

For a one-way ETH-DM session, the frame delay time, in microseconds, measured at the receiver MEP. For a detailed description of one-way Ethernet frame delay measurement, see the ITU-T Y.1731 Ethernet Service OAM topics in the Junos OS Network Interfaces Configuration Guide.

Two-way delay (usec)

For a two-way ETH-DM session, the frame delay time, in microseconds, measured at the initiator MEP. For a detailed description of two-way Ethernet frame delay measurement, see the ITU-T Y.1731 Ethernet Service OAM topics in the Junos OS Network Interfaces Configuration Guide.

Average one-way delay

Average one-way frame delay for the statistics displayed.

Average one-way delay variation

Average one-way “frame jitter” for the statistics displayed.

Best-case one-way delay

Lowest one-way frame delay for the statistics displayed.

Worst-case one-way delay

Highest one-way frame delay for the statistics displayed.

Average two-way delay

Average two-way frame delay for the statistics displayed.

Average two-way delay variation

Average two-way “frame jitter” for the statistics displayed.

Best-case two-way delay

Lowest two-way frame delay for the statistics displayed.

Worst-case two-way delay

Highest two-way frame delay calculated in this session.


5405

®


Sample Output show oam ethernet connectivity-faultmanagement delay-statistics

user@switch> show oam ethernet connectivity-fault-management delay-statistics maintenance-domain md6 maintenance-association ma6 MEP identifier: 100, MAC address: 00:05:85:73:7b:39 Remote MEP count: 2 Remote MEP identifier: 101 Remote MAC address: 00:05:85:73:39:4a Delay measurement statistics: Index One-way delay Two-way delay (usec) (usec) 1 259 519 2 273 550 3 287 571 4 299 610 5 313 650 Average one-way delay : 286 usec Average one-way delay variation: 62 usec Best case one-way delay : 259 usec Worst case one-way delay : 313 usec Average two-way delay : 580 usec Average two-way delay variation: 26 usec Best case two-way delay : 519 usec Worst case two-way delay : 650 usec Remote MEP identifier: 102 Remote MAC address: 00:04:55:63:39:5a Delay measurement statistics: Index One-way delay Two-way delay (usec) (usec) 1 29 58 2 23 59 3 27 56 4 29 62 5 33 68 Average one-way delay : 28 usec Average one-way delay variation: 3 usec Best case one-way delay : 23 usec Worst case one-way delay : 33 usec Average two-way delay : 60 usec Average two-way delay variation: 3 usec Best case two-way delay : 56 usec Worst case two-way delay : 68 usec

show oam ethernet connectivity-faultmanagement delay-statistics remote-mep

5406

user@switch> show oam ethernet connectivity-fault-management delay-statistics maintenance-domain md6 maintenance-association ma6 remote-mep 101 MEP identifier: 100, MAC address: 00:05:85:73:7b:39 Remote MEP identifier: 101 Remote MAC address: 00:05:85:73:39:4a Delay measurement statistics: Index One-way delay Two-way delay (usec) (usec) 1 259 519 2 273 550 3 287 571 4 299 610 5 313 650 Average one-way delay : 286 usec Average one-way delay variation: 62 usec



Best case one-way delay : Worst case one-way delay : Average two-way delay : Average two-way delay variation: Best case two-way delay : Worst case two-way delay :


259 usec 313 usec 580 usec 26 usec 519 usec 650 usec

5407

®


show oam ethernet connectivity-fault-management forwarding-state Syntax


Options

show oam ethernet connectivity-fault-management forwarding-state

Command introduced in Junos OS Release 10.2 for EX Series switches. Display IEEE 802.1ag Operation, Administration, and Management (OAM) connectivity fault management forwarding state information for Ethernet interfaces. interface interface-name—Display forwarding state information for the specified Ethernet

interface only. brief | detail | extensive—(Optional) Display the specified level of output.



Output Fields

view

•


•


•


show oam ethernet connectivity-fault-management forwarding-state on page 5409 show oam ethernet connectivity-fault-management forwarding-state interface on page 5409 show oam ethernet connectivity-fault-management forwarding-state interface detail on page 5410 show oam ethernet connectivity-fault-management forwarding-state interface interface-name on page 5410 Table 618 on page 5408 lists the output fields for the show oam ethernet connectivity-fault-management forwarding-state command. Output fields are listed in the approximate order in which they appear.

Table 618: show oam ethernet connectivity-fault-management forwarding-state Output Fields Field Name

Field Description

Level of Output

Interface name

Interface identifier.

All levels

Filter action

Filter action for messages at the level.

All levels

Nexthop type

Next-hop type.

All levels

Nexthop index

Next-hop index number.

brief

Level

Maintenance domain (MD) level.

detail

5408



Table 618: show oam ethernet connectivity-fault-management forwarding-state Output Fields (continued) Field Name

Field Description

Level of Output

Direction

MEP direction configured.

none

CEs

Number of customer edge (CE) interfaces.

All levels

Sample Output show oam ethernet connectivity-faultmanagement forwardingstate

user@host> show oam ethernet connectivity–fault-management forwarding-state CEs: 3 Maintenance domain forwarding state: Level

Direction

0 1 2 3 4 5 6 7

show oam ethernet connectivity-faultmanagement forwardingstate interface

Filter action Drop Drop Drop Drop Drop Drop Drop Drop

Nexthop type none none none none none none none none

Nexthop index

user@host> show oam ethernet connectivity-fault-management forwarding-state interface Interface name: ge-3/0/0.0 Maintenance domain forwarding state: Level 0 1 2 3 4 5 6 7

Direction

Filter action

down

Drop Drop Drop Drop Drop Drop Drop Receive


Nexthop index


Nexthop index

Interface name: xe-0/0/0.0 Instance name: __+bd1__ Maintenance domain forwarding state: Level 0 1 2 3 4 5 6 7


Direction

Filter action

down

Drop Drop Drop Drop Drop Drop Drop Receive

5409

®


show oam ethernet connectivity-faultmanagement forwardingstate interface detail

user@host> show oam ethernet connectivity-fault-management forwarding-state interface detail Interface name: ge-3/0/0.0 Level: 0 Filter action: Drop Nexthop type: none Level: 1 Filter action: Drop Nexthop type: none Level: 2 Filter action: Drop Nexthop type: none Level: 3 Filter action: Drop Nexthop type: none Level: 4 Filter action: Drop Nexthop type: none Level: 5 Filter action: Drop Nexthop type: none Level: 6 Filter action: Drop Nexthop type: none Level: 7 Direction: down Filter action: Receive Nexthop type: none Interface name: xe-0/0/0.0 Level: 0 Filter action: Drop Nexthop type: none Level: 1 Filter action: Drop Nexthop type: none ...

show oam ethernet connectivity-faultmanagement forwardingstate interface interface-name

user@host> show oam ethernet connectivity-fault-management forwarding-state interface interface-name ge-3/0/0.0 Interface name: ge-3/0/0.0 Maintenance domain forwarding state: Level 0 1 2 3

5410

Direction

Filter action Drop Drop Drop Drop

Nexthop type none none none none

Nexthop index



4 5 6 7


down

Drop Drop Drop Receive

none none none none

5411

®


show oam ethernet connectivity-fault-management interfaces Syntax


Options


Command introduced in Junos OS Release 10.2 for EX Series switches. Display IEEE 802.1ag Operation, Administration, and Management (OAM) connectivity fault management (CFM) database information for Ethernet interfaces. brief | detail | extensive—(Optional) Display the specified level of output. ethernet-interface-name—(Optional) Display CFM information only for CFM entities

attached to the specified Ethernet interface. level md-level—(Optional) Display CFM information for CFM identities enclosed within

a maintenance domain of the specified level. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


show oam ethernet connectivity-fault-management interfaces on page 5415 show oam ethernet connectivity-fault-management interfaces detail on page 5416 show oam ethernet connectivity-fault-management interfacesextensive on page 5416 show oam ethernet connectivity-fault-management interfaces level on page 5417 show oam ethernet connectivity-fault-management interfaces (Trunk Interfaces) on page 5417 Table 619 on page 5412 lists the output fields for the show oam ethernet connectivity-fault-management interfaces command. Output fields are listed in the approximate order in which they appear.

Table 619: show oam ethernet connectivity-fault-management interfaces Output Fields Field Name

Field Description

Level of Output

Interface


All levels

Interface status

Local interface status.

All levels

Link status

Local link status. Up, down, or oam-down.

All levels

5412



Table 619: show oam ethernet connectivity-fault-management interfaces Output Fields (continued) Field Name

Field Description

Level of Output

Maintenance domain name

Maintenance domain name.

detail extensive

Format (Maintenance domain)

Maintenance domain name format configured.

detail extensive

Level

Maintenance domain level configured.

All levels

Maintenance association name

Maintenance association name.

detail extensive

Format (Maintenance association)

Maintenance association name format configured.

detail extensive

Continuity-check status

Continuity-check status.

detail extensive

Interval

Continuity-check message interval.

detail extensive

Loss-threshold

Lost continuity-check message threshold.

detail extensive

MEP identifier

Maintenance association end point (MEP) identifier.

All levels

Neighbours

Number of MEP neighbors.

All levels

Direction


detail extensive

MAC address

MAC address configured for the MEP.

detail extensive

MEP status

Indicates the status of the Connectivity Fault Management (CFM) protocol running on the MEP: Running, inactive, disabled, or unsupported.

detail extensive

Remote MEP not receiving CCM

Whether the remote MEP is not receiving connectivity check messages (CCMs).

detail extensive

Erroneous CCM received

Whether erroneous CCMs have been received.

detail extensive

Cross-connect CCM received

Whether cross-connect CCMs have been received.

detail extensive

RDI sent by some MEP

Whether the remote defect indication (RDI) bit is set in messages that have been received. The absence of the RDI bit in a CCM indicates that the transmitting MEP is receiving CCMs from all configured MEPs.

detail extensive

CCMs sent

Number of CCMs transmitted.

detail extensive


5413

®



Field Description

Level of Output

CCMs received out of sequence

Number of CCMs received out of sequence.

detail extensive

LBMs sent

Number of loopback request messages (LBMs) sent.

detail extensive

Valid in-order LBRs received

Number of loopback response messages (LBRs) received that were valid messages and in sequence.

detail extensive

Valid out-of-order LBRs received

Number of LBRs received that were valid messages and not in sequence.

detail extensive

LBRs received with corrupted data

Number of LBRs received that were corrupted.

detail extensive

LBRs sent

Number of LBRs transmitted.

detail extensive

LTMs sent

Linktrace messages (LTMs) transmitted.

detail extensive

LTMs received

Linktrace messages received.

detail extensive

LTRs sent

Linktrace responses (LTRs) transmitted.

detail extensive

LTRs received

Linktrace responses received.

detail extensive

Sequence number of next LTM request

Sequence number of next LTM request to be transmitted.

detail extensive

1DMs sent

If the interface is attached to an initiator MEP for a one-way ETH-DM session: Number of one-way delay measurement (1DM) PDU frames sent to the peer MEP in this session.

detail extensive

For all other cases, this field displays 0. Valid 1DMs received

If the interface is attached to a receiver MEP for a one-way ETH-DM session: Number of valid 1DM frames received.

detail extensive

For all other cases, this field displays 0. Invalid 1DMs received

If the interface is attached to a receiver MEP for a one-way ETH-DM session: Number of invalid 1DM frames received.

detail extensive

For all other cases, this field displays 0. DMMs sent

If the interface is attached to an initiator MEP for a two-way ETH-DM session: Number of Delay Measurement Message (DMM) PDU frames sent to the peer MEP in this session.

detail extensive

For all other cases, this field displays 0.

5414




Field Description

Level of Output

DMRs sent

If the interface is attached to a responder MEP for a two-way ETH-DM session: Number of Delay Measurement Reply (DMR) frames sent.

detail extensive

For all other cases, this field displays 0. Valid DMRs received

If the interface is attached to an initiator MEP for a two-way ETH-DM session: Number of valid DMRs received.

detail extensive

For all other cases, this field displays 0. Invalid DMRs received

If the interface is attached to an initiator MEP for a two-way ETH-DM session: Number of invalid DMRs received.

detail extensive

For all other cases, this field displays 0. Remote MEP count

Number of remote MEPs.

extensive

Identifier (remote

MEP identifier of the remote MEP.

extensive

MAC address of the remote MEP.

extensive

State of the remote MEP.

extensive

Interface of the remote MEP.

extensive

MEP) MAC address

(remote MEP) State (remote

MEP) Interface (remote

MEP)

Sample Output show oam ethernet connectivity-faultmanagement interfaces

user@host> show oam ethernet connectivity-fault-management interfaces Interface Link Status Level MEP Identifier ge-1/1/0.0 Up Active 0 2 ge-1/1/0.1 Up Active 0 2 ge-1/1/0.10 Up Active 0 2 ge-1/1/0.100 Up Active 0 2 ge-1/1/0.101 Up Active 0 2 ge-1/1/0.102 Up Active 0 2 ge-1/1/0.103 Up Active 0 2 ge-1/1/0.104 Up Active 0 2 ge-1/1/0.105 Up Active 0 2 ge-1/1/0.106 Up Active 0 2

Neighbours 1 1 1 1 1 1 1 1 1 1

...


5415

®


show oam ethernet connectivity-faultmanagement interfaces detail

user@host> show oam ethernet connectivity-fault-management interfaces detail Interface name: ge-5/2/9.0, Interface status: Active, Link status: Up Maintenance domain name: md0, Format: string, Level: 5 Maintenance association name: ma1, Format: string Continuity-check status: enabled, Interval: 100ms, Loss-threshold: 3 frames MEP identifier: 1, Direction: down, MAC address: 00:90:69:0b:4b:94 MEP status: running Defects: Remote MEP not receiving CCM : no Erroneous CCM received : yes Cross-connect CCM received : no RDI sent by some MEP : yes Statistics: CCMs sent : 76 CCMs received out of sequence : 0 LBMs sent : 0 Valid in-order LBRs received : 0 Valid out-of-order LBRs received : 0 LBRs received with corrupted data : 0 LBRs sent : 0 LTMs sent : 0 LTMs received : 0 LTRs sent : 0 LTRs received : 0 Sequence number of next LTM request : 0 1DMs sent : 0 Valid 1DMs received : 0 Invalid 1DMs received : 0 DMMs sent : 0 DMRs sent : 0 Valid DMRs received : 0 Invalid DMRs received : 0 Remote MEP count: 2 Identifier MAC address State Interface 2001 00:90:69:0b:7f:71 ok ge-5/2/9.0 4001 00:90:69:0b:09:c5 ok ge-5/2/9.0

show oam ethernet connectivity-faultmanagement interfaces extensive

user@host> show oam ethernet connectivity-fault-management interfaces extensive Interface name: ge-5/2/9.0, Interface status: Active, Link status: Up Maintenance domain name: md0, Format: string, Level: 5 Maintenance association name: ma1, Format: string Continuity-check status: enabled, Interval: 100ms, Loss-threshold: 3 frames MEP identifier: 1, Direction: down, MAC address: 00:90:69:0b:4b:94 MEP status: running Defects: Remote MEP not receiving CCM : no Erroneous CCM received : yes Cross-connect CCM received : no RDI sent by some MEP : yes Statistics: CCMs sent : 76 CCMs received out of sequence : 0 LBMs sent : 0 Valid in-order LBRs received : 0 Valid out-of-order LBRs received : 0 LBRs received with corrupted data : 0 LBRs sent : 0 LTMs sent : 0 LTMs received : 0 LTRs sent : 0 LTRs received : 0

5416



Sequence number of next LTM request 1DMs sent Valid 1DMs received Invalid 1DMs received DMMs sent DMRs sent Valid DMRs received Invalid DMRs received Remote MEP count: 2 Identifier MAC address State 2001 00:90:69:0b:7f:71 ok 4001 00:90:69:0b:09:c5 ok

: : : : : : : :

0 0 0 0 0 0 0 0


show oam ethernet connectivity-faultmanagement interfaces level

user@host> show oam ethernet connectivity-fault-management interfaces level 7 Interface Link Status Level MEP Neighbours Identifier ge-3/0/0.0 Up Active 7 201 0 xe-0/0/0.0 Up Active 7 203 1

show oam ethernet connectivity-faultmanagement interfaces (Trunk Interfaces)

user@host> show oam ethernet connectivity-fault-management interfaces Interface

Link

Status

Level

MEP

Neighbours

ge-4/0/1.0, vlan 100 ge-10/3/10.4091, vlan 4091 ge-4/0/0.0

Up Down Up

Active Inactive Active

5 4 6

Identifier 100 400 200

0 0 0

user@host> show oam ethernet connectivity-fault-management interfaces ge-4/0/0.0 Interface

Link

Status

Level

MEP

Neighbours

ge-4/0/0.0

Up

Active

6

Identifier 200

0

user@host> show oam ethernet connectivity-fault-management interfaces ge-4/0/1.0 vlan 100 Interface

Link

Status

Level

MEP

Neighbours

ge-4/0/1.0, vlan 100

Up

Active

5

Identifier 100

0

user@host> show oam ethernet connectivity-fault-management interfaces ge-10/3/10.4091 vlan 4091 Interface

Link

Status

Level

MEP

Neighbours

ge-10/3/10.4091, vlan 4091

Down

Inactive

4

Identifier 400

0


5417

®


show oam ethernet connectivity-fault-management linktrace path-database Syntax


Options

show oam ethernet connectivity-fault-management path-database host maintenance-association ma-name maintenance-domain md-name mac-address

Command introduced in Junos OS Release 10.2 for EX Series switches. Display IEEE 802.1ag Operation, Administration, and Management (OAM) connectivity fault management maintenance linktrace database information. mac-address—Display connectivity fault management path database information for

the specified MAC address of the remote host. maintenance-association ma-name—Display connectivity fault management path

database information for the specified maintenance association. maintenance-domain md-name—Display connectivity fault management path database

information for the specified maintenance domain. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


show oam ethernet connectivity-fault-management path-database on page 5419 show oam ethernet connectivity-fault-management linktrace path-database (Two traceroute Commands) on page 5419 Table 620 on page 5418 lists the output fields for the show oam ethernet connectivity-fault-management path-database command. Output fields are listed in the approximate order in which they appear.

Table 620: show oam ethernet connectivity-fault-management linktrace path-database Output Fields Field Name

Field Description

Linktrace to

MAC address of the 802.1ag node to which the linktrace message is targeted.

Interface

Interface used by the local MEP to send the linktrace message (LTM).

Maintenance Domain

Maintenance domain identifier specified in the traceroute command.

Maintenance Association

Maintenance association identifier specified in the traceroute command.

Level

Maintenance domain level configured for the maintenance domain.

5418



Table 620: show oam ethernet connectivity-fault-management linktrace path-database Output Fields (continued) Field Name

Field Description

Local Mep

MEP identifier of the local MEP originating the linktrace.

Hop

Sequential hop count of the linktrace path.

TTL

Number of hops remaining in the linktrace message (LTM). The time to live (TTL) is decremented at each hop.

Source MAC address

MAC address of the 802.1ag maintenance intermediate point (MIP) that is forwarding the LTM.

Next hop MAC address

MAC address of the 802.1ag node that is the next hop in the LTM path.

Transaction Identifier

4-byte identifier maintained by the MEP. Each LTM uses a transaction identifier. The transaction identifier is maintained globally across all maintenance domains. Use the transaction identifier to match an incoming linktrace responses (LTR), with a previously sent LTM.

Sample Output show oam ethernet connectivity-faultmanagement path-database

user@host> show oam ethernet connectivity-fault-management path-database maintenance-domain MD1 maintenance-association MA1 00:01:02:03:04:05 Linktrace to 00:01:02:03:04:05, Interface : ge-5/0/0.0 Maintenance Domain: MD1, Level: 7 Maintenance Association: MA1, Local Mep: 1 Hop TTL Source MAC address Transaction Identifier:100001 1 63 00:00:aa:aa:aa:aa 2 62 00:00:bb:bb:bb:bb 3 61 00:00:cc:cc:cc:cc 4 60 00:01:02:03:04:05

show oam ethernet connectivity-faultmanagement linktrace path-database (Two traceroute Commands)

Next hop MAC address 00:00:bb:bb:bb:bb 00:00:cc:cc:cc:cc 00:01:02:03:04:05 00:00:00:00:00:00

user@host> show oam ethernet connectivity-fault-management path-database maintenance-domain MD2 maintenance-association MA2 00:06:07:08:09:0A Linktrace to 00:06:07:08:09:0A, Interface : ge-5/0/1.0 Maintenance Domain: MD2, Level: 6 Maintenance Association: MA2, Local Mep: 10


Hop TTL Source MAC address Transaction Identifier:100002 1 63 00:00:aa:aa:aa:aa 2 62 00:00:bb:bb:bb:bb 3 61 00:00:cc:cc:cc:cc 4 60 00:06:07:08:09:0A Transaction Identifier:100003 1 63 00:00:aa:aa:aa:aa 2 62 00:00:bb:bb:bb:bb 3 61 00:00:cc:cc:cc:cc 4 60 00:06:07:08:09:0A

Next hop MAC address 00:00:bb:bb:bb:bb 00:00:cc:cc:cc:cc 00:06:07:08:09:0A 00:00:00:00:00:00 00:00:bb:bb:bb:bb 00:00:cc:cc:cc:cc 00:06:07:08:09:0A 00:00:00:00:00:00

5419

®


show oam ethernet connectivity-fault-management mep-database Syntax


Options

show oam ethernet connectivity-fault-management mep-database maintenance-domain domain-name maintenance-association ma-name

Command introduced in Junos OS Release 10.2 for EX Series switches. Display IEEE 802.1ag Operation, Administration, and Management (OAM) connectivity fault management (CFM) database information for CFM maintenance association end points (MEPs) in a CFM session. maintenance-association ma-name—Display connectivity fault management information

for the specified maintenance association. maintenance-domain domain-name—Display connectivity fault management information

for the specified maintenance domain. local-mep local-mep-id—(Optional) Display connectivity fault management information

for the specified local MEP only. remote-mep remote-mep-id—(Optional) Display connectivity fault management

information for the specified remote MEP only. Required Privilege Level Related Documentation


Output Fields

view

•


•


•


show oam ethernet connectivity-fault-management mep-database on page 5424 show oam ethernet connectivity-fault-management mep-database local-mep remote-mep on page 5424 show oam ethernet connectivity-fault-management mep-database remote-mep (Action Profile Event) on page 5424 Table 621 on page 5420 lists the output fields for the show oam ethernet connectivity-fault-management mep-database command. Output fields are listed in the approximate order in which they appear.

Table 621: show oam ethernet connectivity-fault-management mep-database Output Fields Field Name

Field Description

Maintenance domain name

Maintenance domain name.

5420



Table 621: show oam ethernet connectivity-fault-management mep-database Output Fields (continued) Field Name

Field Description

Format (Maintenance domain)

Maintenance domain name format configured.

Level

Maintenance domain level configured.

Maintenance association name

Maintenance association name.

Format (Maintenance association)

Maintenance association name format configured.

Continuity-check status

Continuity-check status.

Interval

Continuity-check message interval.

MEP identifier

Maintenance association end point (MEP) identifier.

Direction


MAC address

MAC address configured for the MEP.

Auto-discovery

Whether automatic discovery is enabled or disabled.

Priority

Priority used for CCMs and linktrace messages transmitted by the MEP.

Interface name


Interface status

Local interface status.

Link status

Local link status.

Remote MEP not receiving CCM

Whether the remote MEP is not receiving CCMs.

Erroneous CCM received

Whether erroneous CCMs have been received.

Cross-connect CCM received

Whether cross-connect CCMs have been received.

RDI sent by some MEP

Whether the remote defect indication (RDI) bit is set in messages that have been received. The absence of the RDI bit in a CCM indicates that the transmitting MEP is receiving CCMs from all configured MEPs.

CCMs sent

Number of CCMs transmitted.

CCMs received out of sequence

Number of CCMs received out of sequence.


5421

®



Field Description

LBMs sent

Number of loopback messages (LBMs) sent.

Valid in-order LBRs received

Number of loopback response messages (LBRs) received that were valid messages and in sequence.

Valid out-of-order LBRs received

Number of LBRs received that were valid messages and not in sequence.

LBRs received with corrupted data

Number of LBRs received that were corrupted.

LBRs sent

Number of LBRs transmitted.

LTMs sent

Linktrace messages (LTMs) transmitted.

LTMs received

Linktrace messages received.

LTRs sent

Linktrace responses (LTRs) transmitted.

LTRs received

Linktrace responses received.

Sequence number of next LTM request

Sequence number of the next linktrace message request to be transmitted.

1DMs sent

If the MEP is an initiator for a one-way ETH-DM session: Number of one-way delay measurement (1DM) PDU frames sent to the peer MEP in this session. For all other cases, this field displays 0.

Valid 1DMs received

If the MEP is a receiver for a one-way ETH-DM session: Number of valid 1DM frames received. For all other cases, this field displays 0.

Invalid 1DMs received

If the MEP is a receiver for a one-way ETH-DM session: Number of invalid 1DM frames received. For all other cases, this field displays 0.

DMMs sent

If the MEP is an initiator for a two-way ETH-DM session: Number of Delay Measurement Message (DMM) PDU frames sent to the peer MEP in this session. For all other cases, this field displays 0.

DMRs sent

If the MEP is a responder for a ETH-DM session: Number of Delay Measurement Reply (DMR) frames sent. For all other cases, this field displays 0.

5422




Field Description

Valid DMRs received

If the MEP is an initiator for a two-way ETH-DM session: Number of valid DMRs received. For all other cases, this field displays 0.

Invalid DMRs received

If the MEP is an initiator for a two-way ETH-DM session: Number of invalid DMRs received. For all other cases, this field displays 0.

Remote MEP identifier

MEP identifier of the remote MEP.

State (remote MEP)

State of the remote MEP: idle, start, ok, or failed.

MAC address

MAC address of the remote MEP.

Type

Whether the remote MEP MAC address was learned using automatic discovery or configured.

Interface

Interface of the remote MEP. A seven-digit number is appended if CFM is configured to run on a routing instance of type VPLS.

Last flapped

Date, time, and how long ago the remote MEP interface went from down to up. The format is Last flapped: year-month-day hours:minutes:seconds timezone (hours:minutes:seconds ago). For example, Last flapped: 2002-04-26 10:52:40 PDT (04:33:20 ago).

Remote defect indication

Whether the remote defect indication (RDI) bit is set in messages that have been received or transmitted.

Port status TLV

•

In the Maintenance domain section, displays the last transmitted port status TLV value.

•

In the Remote MEP section, displays the last value of port status TLV received from the remote MEP. In the Action profile section, displays, the last occurred event port-status-tlv blocked event. This event occurred due to the reception of blocked value in the port status TLV from remote MEP.

Interface status TLV

•

In the Maintenance domain section, displays the last transmitted interface status TLV value.

•

In the Remote MEP section, displays the last value of interface status TLV received from the remote MEP. In the Action profile section, if displays, the last occurred event interface-status-tlv event ( either lower-layer-down or down). This event occurred due to the reception of either lower or down value in the interface status TLV from remote MEP.

Action profile

Name of the action profile occurrence associated with a remote MEP.

Last event

When an action profile occurs, displays the last event that triggered it.

Last event cleared

When all the configured and occurred events (under action profile) are cleared, then the action taken gets reverted (such as down interface is made up) and the corresponding time is noted and displayed.

Action

Action taken and the corresponding time of the action occurrence.


5423

®


Sample Output show oam ethernet connectivity-faultmanagement mep-database

user@host> show oam ethernet connectivity-fault-management mep-database maintenance-domain vpls-vlan2000 maintenance-association vpls-vlan200 Maintenance domain name: vpls-vlan2000, Format: string, Level: 5 Maintenance association name: vpls-vlan200, Format: string Continuity-check status: enabled, Interval: 100ms, Loss-threshold: 3 frames MEP identifier: 200, Direction: up, MAC address: 00:19:e2:b0:74:01 Auto-discovery: enabled, Priority: 0 Interface name: ge-0/0/1.0, Interface status: Active, Link status: Up Defects: Remote MEP not receiving CCM : no Erroneous CCM received : no Cross-connect CCM received : no RDI sent by some MEP : no Statistics: CCMs sent : 1476 CCMs received out of sequence : 0 LBMs sent : 85 Remote MEP count: 1 Identifier MAC address State Interface 100 00:19:e2:b2:81:4b ok vt-0/1/10.1049088

show oam ethernet connectivity-faultmanagement mep-database local-mep remote-mep

user@host> show oam ethernet connectivity-fault-management mep-database maintenance-domain vpls-vlan2000 maintenance-association vpls-vlan200 local-mep 200 remote-mep 100 Maintenance domain name: vpls-vlan2000, Format: string, Level: 5 Maintenance association name: vpls-vlan200, Format: string Continuity-check status: enabled, Interval: 100ms, Loss-threshold: 3 frames MEP identifier: 200, Direction: up, MAC address: 00:19:e2:b0:74:01 Auto-discovery: enabled, Priority: 0 Interface name: ge-0/0/1.0, Interface status: Active, Link status: Up Remote MEP identifier: 100, State: ok MAC address: 00:19:e2:b2:81:4b, Type: Learned Interface: vt-0/1/10.1049088 Last flapped: Never Remote defect indication: false Port status TLV: none Interface status TLV: none

show oam ethernet connectivity-faultmanagement mep-database remote-mep (Action Profile Event)

user@host> show oam ethernet connectivity-fault-management mep-database maintenance-domain md5 maintenance-association ma5 remote-mep 200 Maintenance domain name: md5, Format: string, Level: 5 Maintenance association name: ma5, Format: string Continuity-check status: enabled, Interval: 1s, Loss-threshold: 3 frames MEP identifier: 100, Direction: down, MAC address: 00:05:85:73:e8:ad Auto-discovery: enabled, Priority: 0 Interface status TLV: none, Port status TLV: none Interface name: ge-1/0/8.0, Interface status: Active, Link status: Up Remote MEP identifier: 200, State: ok MAC address: 00:05:85:73:96:1f, Type: Configured Interface: ge-1/0/8.0 Last flapped: Never Remote defect indication: false Port status TLV: none Interface status TLV: lower-layer-down Action profile: juniper

5424



Last event: Interface-status-tlv lower-layer-down Action: Interface-down, Time: 2009-03-27 14:25:10 PDT (00:00:02 ago)


5425

®


show oam ethernet connectivity-fault-management mip Syntax




show oam ethernet connectivity-fault-management mip

Command introduced in Junos OS Release 10.2 for EX Series switches. Display all the maintenance association intermediate points (MIPs) created in the system. Specify qualifiers to display specific MIPs. qualifier—(Optional) Display the specified MIP.

view

•


•


show oam ethernet connectivity-fault-management mip on page 5426 Table 622 on page 5426 lists the output fields for the show oam ethernet connectivity-fault-management mip command. Output fields are listed in the approximate order in which they appear.

Table 622: show oam ethernet connectivity-fault-management mip Output Fields Field Name

Field Description

MIP information for instance

Header for the MIP information showing the MIP name.

Interface

Interface type-dpc/pic/port.unit-number.

Level

MIP level configured.

Sample Output show oam ethernet connectivity-fault -management mip

user@host> show oam ethernet connectivity-fault-management mip MIP information for __mip_name__ MIP information for Interface ge-3/0/0.0 ge-3/0/1.0 ge-3/0/3.0

5426

default-switch bd1

Level 7 6 6



show oam ethernet connectivity-fault-management sla-iterator-statistics Syntax


Options

show oam ethernet connectivity-fault-management sla-iterator-statistics maintenance-domain md-name maintenance-association ma-name sla-iterator sla-iterator

Command introduced in Junos OS Release 11.4 for EX Series switches. Display the Ethernet Operation, Administration, and Maintenance (OAM) service-level agreement (SLA) iterator statistics. maintenance-domain md-name—Name of an existing connectivity fault management

(CFM) maintenance domain. maintenance-association ma-name—Name of an existing CFM maintenance association. sla-iterator sla-iterator— Name of the iterator profile. local-mep local-mep-id—(Optional) Numeric identifier of the local MEP. The range of

values is 1 through 8191. remote-mep remote-mep-id—(Optional) Numeric identifier of the remote MEP. The range

of values is 1 through 8192. Required Privilege Level Related Documentation

view

•


•

clear oam ethernet connectivity-fault-management sla-iterator-statistics on page 5398


show oam ethernet connectivity-fault-management sla-iterator-statistics on page 5429

Output Fields

Table 623 on page 5427 lists the output fields for the show oam ethernet connectivity-fault-management sla-iterator-statistics command. Output fields are listed in the approximate order in which they appear.

Table 623: show oam ethernet connectivity-fault-management sla-iterator-statistics Output Fields Output Field Name


Maintenance domain

Name of the maintenance domain.

Level

Level of the maintenance domain level configured.

Maintenance association

Name of the maintenance association.

Local MEP id

Numeric identifier of the local MEP.


5427

®


Table 623: show oam ethernet connectivity-fault-management sla-iterator-statistics Output Fields (continued) Output Field Name


Remote MEP id

Numeric identifier of the remote MEP.

Remote MAC address

Unicast MAC address of the remote MEP.

Iterator name

Name of iterator.

Iterator Id

Numeric identifier of the iterator.

Iterator cycle time

Number of cycles (in milliseconds) taken between back-to-back transmission of SLA frames for this connection

Iteration period

Maximum number of cycles per iteration

Iterator status

Current status of iterator whether running or stopped.

Infinite iterations

Status of iteration as infinite or finite.

Counter reset time

Date and time when the counter was reset.

Reset reason

Reason to reset counter.

Delay weight

Calculation weight of delay.

Delay variation weight

Calculation weight of delay variation.

DMM sent

Delay measurement message (DMM) PDU frames sent to the peer MEP in this session.

DMM skipped for threshold hit

Number of DMM frames sent to the peer MEP in this session skipped during threshold hit.

DMM skipped for threshold hit window

Number of DMM frames sent to the peer MEP in this session skipped during the last threshold hit window.

DMR received

Number of delay measurement reply (DMR) frames received.

DMR out of sequence

Total number of DMR out of sequence packets received.

DMR received with invalid time stamps

Total number of DMR frames received with invalid timestamps.

Average two-way delay

Average two-way frame delay for the statistics displayed.

Average two-way delay variation

Average two-way “frame jitter” for the statistics displayed.

Average one-way forward delay variation

Average one-way forward delay variation for the statistics displayed in microseconds.

5428



Table 623: show oam ethernet connectivity-fault-management sla-iterator-statistics Output Fields (continued) Output Field Name


Average one-way backward delay variation

Average one-way backward delay variation for the statistics displayed in microseconds.

Weighted average two-way delay

Weighted average two-way delay for the statistics displayed in microseconds.

Weighted average two-way delay variation

Weighted average two-way delay variation for the statistics displayed in microseconds.

Weighted average one-way forward delay variation

Weighted average one-way forward delay variation for the statistics displayed in microseconds.

Weighted average one-way backward delay variation

Weighted average one-way backward delay variation for the statistics displayed in microseconds.

Sample Output show oam ethernet connectivity-fault -management sla-iterator-statistics

user@switch> show oam ethernet connectivity-fault-management sla-iterator-statistics sla-iterator i1 maintenance-domain default-1 maintenance-association ma1 local-mep 1 remote-mep 2 Iterator statistics: Maintenance domain: md6, Level: 6 Maintenance association: ma6, Local MEP id: 1000 Remote MEP id: 103, Remote MAC address: 00:90:69:0a:43:92 Iterator name: i1, Iterator Id: 1 Iterator cycle time: 10ms, Iteration period: 1 cycles Iterator status: running, Infinite iterations: true Counter reset time: 2010-03-19 20:42:39 PDT (2d 18:24 ago) Reset reason: Adjacency flap Iterator delay measurement statistics: Delay weight: 1, Delay variation weight: 1 DMM sent DMM skipped for threshold hit DMM skipped for threshold hit window DMR received DMR out of sequence DMR received with invalid time stamps Average two-way delay Average two-way delay variation Average one-way forward delay variation Average one-way backward delay variation Weighted average two-way delay Weighted average two-way delay variation Weighted average one-way forward delay variation Weighted average one-way backward delay variation


: : : : : : : : : : : : : :

23898520 11000 0 23851165 1142 36540 129 usec 15 usec 22 usec 22 usec 134 usec 8 usec 6 usec 2 usec

5429

®


5430


CHAPTER 149

Uplink Failure Detection •

Uplink Failure Detection—Overview on page 5431

•

Configuring Uplink Failure Detection on page 5433

•

Verifying Uplink Failure Detection on page 5434

•

Configuration Statements for Uplink Failure Detection on page 5435

•

Operational Commands for Uplink Failure Detection on page 5437

Uplink Failure Detection—Overview •


Understanding Uplink Failure Detection Uplink failure detection allows Juniper Networks EX Series Ethernet Switches to detect link failure on uplink interfaces and to propagate the failure to the downlink interfaces so that servers connected to those downlink interfaces can switch over to secondary interfaces. Uplink failure detection supports network adapter teaming and provides network redundancy. In network adapter teaming, all the network interface cards (NICs) on a server are configured in a primary or secondary relationship and share the same IP address. When the primary link goes down, the server transparently shifts the connection to the secondary link. With uplink failure detection, the switch monitors uplink interfaces for link failures. When it detects a failure, it disables the downlink interfaces. When the server detects disabled downlink interfaces, it switches over to the secondary link to help ensure balanced traffic flow on switches. This topic describes: •

Uplink Failure Detection Overview on page 5431

•

Failure Detection Pair on page 5432

Uplink Failure Detection Overview Uplink failure detection allows switches to monitor uplink interfaces to spot link failures. When a switch detects a link failure, it automatically disables the downlink interfaces in that group. The server that is connected to the disabled downlink interfaces triggers a network-adapter failover to a secondary link to avoid any information drop.


5431

®


Figure 145 on page 5432 illustrates a typical setup for uplink failure detection.

Figure 145: Uplink Failure Detection Configuration on Switches Switch

Switch

link-to-monitor

Switch 1

Switch 2

link-to-disable

Server

NIC 2 g040577

NIC 1

For uplink failure detection, you specify a group of uplink interfaces to be monitored and downlink interfaces to be brought down when an uplink fails. The downlink interfaces are bound to the uplink interfaces within the group. If all uplink interfaces in a group go down, then the switch brings down all downlink interfaces within that group. If any uplink interface returns to service, then the switch brings all downlink interfaces in that group back to service.

NOTE: Routed VLAN interfaces (RVIs) cannot be configured as uplink interfaces to be monitored.

The switch can monitor both physical-interface links and logical-interface links for uplink failures, but you must put the two types of interfaces in separate groups.

NOTE: To detect failure of logical interfaces, the server must run some high level protocol such as keepalives between the switch and the server.

Failure Detection Pair Uplink failure detection requires that you create groups that contain uplink interfaces and downlink interfaces. Each group includes one of each of the following: •

5432

A link-to-monitor interface—The link-to-monitor interfaces specify the uplink interfaces the switch monitors. You can configure a maximum of 48 uplink interfaces as link-to-monitor in a group.


Chapter 149: Uplink Failure Detection

•

A link-to-disable interface—The link-to-disable interfaces specify the downlink interfaces the switch disables when the switch detects an uplink failure. You can configure a maximum of 48 downlink interfaces as link-to-disable in a group.

The link-to-disable interfaces are bound to the link-to-monitor interfaces within the group. When a link-to-monitor interface returns to service, the switch automatically enables all link-to-disable interfaces in the group. Related Documentation

•

Configuring Interfaces for Uplink Failure Detection (CLI Procedure) on page 5433

Configuring Uplink Failure Detection •


Configuring Interfaces for Uplink Failure Detection (CLI Procedure) You can configure uplink failure detection on EX Series switches to help ensure balanced traffic flow. Using this feature, switches can monitor and detect link failure on uplink interfaces and can propagate the failure to downlink interfaces so that servers connected to those downlink interfaces can switch over to secondary interfaces. Follow these configuration guidelines: •

You can configure a maximum of 48 groups for each switch.

•

You can configure a maximum of 48 uplink interfaces and 48 downlink interfaces in each group.

•

You can configure physical links and logical links in separate groups.

•

Ensure that all the interfaces in the group are up. If the interfaces are down, uplink failure detection does not work.

NOTE: Routed VLAN interfaces (RVIs) cannot be configured as uplink interfaces to be monitored.

To configure uplink failure detection on a switch: 1.

Specify a name for the group: [edit protocols] user@switch# set uplink-failure-detection group (Uplink Failure Detection) group-name

2. Add an uplink interface to the group: [edit protocols] user@switch# set uplink-failure-detection group (Uplink Failure Detection) group-name link-to-monitor interface-name 3. Repeat Step 2 for adding each uplink interface to the group.

NOTE: An interface can be configured as link-to-monitor in multiple groups.


5433

®


4. Add a downlink interface to the group: [edit protocols] user@switch# set uplink-failure-detection group (Uplink Failure Detection) group-name link-to-disable interface-name 5. Repeat Step 4 for adding each downlink interface to the group.

NOTE: After you have configured a group, use the show uplink-failure-detection group (Uplink Failure Detection) group-name command to verify that all interfaces in the group are up.


•

Verifying That Uplink Failure Detection Is Working Correctly on page 5434

•


Verifying Uplink Failure Detection •

Verifying That Uplink Failure Detection Is Working Correctly on page 5434

Verifying That Uplink Failure Detection Is Working Correctly Purpose

Action

Verify that the switch disables the downlink interface when it detects an uplink failure.

1.

View the current uplink-failure-detection status: user@switch> show uplink-failure-detection Group : group1 Uplink : ge-0/0/0* Downlink : ge-0/0/1* Failure Action : Inactive

NOTE: The asterisk (*) indicates that the link is up.

2. Disable the uplink interface: [edit] user@switch# set interface ge-0/0/0 disable 3. Save the configuration on the switch. 4. View the current uplink-failure-detection status: user@switch> show uplink-failure-detection Group : group1 Uplink : ge-0/0/0 Downlink : ge-0/0/1 Failure Action : Active

Meaning

5434

The output in Step 1 shows that the uplink interface is up, and hence that the downlink interface is also up, and that the status of Failure Action is Inactive.



The output in Step 4 shows that both the uplink and downlink interfaces are down and that the status of Failure Action is changed to Active. This output shows that uplink failure detection is working.


•


•


Configuration Statements for Uplink Failure Detection group Syntax


group group-name { link-to-monitor interface-name; link-to-disable interface-name; } [edit protocols uplink-failure-detection]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Configure a group of uplink and downlink interfaces for uplink failure detection. group-name—Name of the uplink-failure-detection group.





5435

®


link-to-disable Syntax Hierarchy Level Release Information

link-to-disable interface-name; [edit protocols uplink-failure-detection group group-name]


Description

Configure the downlink interfaces to be disabled when the switch detects an uplink failure. The switch can monitor a maximum of 48 downlink interfaces in a group.

Options

interface-name—Name of the downlink interface or interface range in the group. The

interface can be a physical interface or a logical interface. Required Privilege Level Related Documentation



link-to-monitor Syntax Hierarchy Level Release Information Description

link-to-monitor interface-name; [edit protocols uplink-failure-detection group group-name]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Configure the uplink interfaces to be monitored for uplink failure detection. The switch can monitor a maximum of 48 uplink interfaces in a group. An interface can be configured as link-to-monitor in multiple groups.

Options

interface-name—Name of the uplink interface or interface range in the group. The interface

can be a physical interface or a logical interface. Required Privilege Level Related Documentation

5436





uplink-failure-detection Syntax


uplink-failure-detection { action (Uplink Failure Detection) { log; } group (Uplink Failure Detection) group-name { link-to-monitor interface-name; link-to-disable interface-name; } traceoptions (Uplink Failure Detection) { file filename ; flag flag); } } [edit protocols]

Statement introduced in Junos OS Release 11.1 for EX Series switches. Configure uplink and downlink interfaces in a group to monitor uplink failures and to propagate uplink failures to the downlink interfaces. The remaining statements are explained separately.




Operational Commands for Uplink Failure Detection


5437

®


show uplink-failure-detection Syntax


Options

show uplink-failure-detection

Command introduced in Junos OS Release 11.1 for EX Series switches. Display information about the uplink-failure-detection group, the member interfaces, and their status. none—Display information about all groups configured for uplink failure detection. group group-name—(Optional) Display information about the specified group only.


view

•


show uplink-failure-detection on page 5438 Table 624 on page 5438 lists the output fields for the show uplink-failure-detection command. Output fields are listed in the approximate order in which they appear.

Table 624: show uplink-failure-detection Output Fields Field Name

Field Description

Group

Name of the group.

Uplink

The uplink interface or interfaces configured as link-to-monitor. NOTE: The asterisk (*) indicates that the link is up.

Downlink

The downlink interface or interfaces configured as link-to-disable. NOTE: The asterisk (*) indicates that the link is up.

Failure Action

Status of uplink failure detection: •

Active—The switch has detected an uplink failure and has brought the downlink down.

•

Inactive—The uplink or uplinks are up.

Sample Output show uplink-failure-detection

user@switch> show uplink-failure-detection Group : group1 Uplink : ge-0/0/0* Downlink : ge-0/0/1* Failure Action : Inactive Group

5438

: group2



Uplink Downlink Failure Action


: : :

ge-0/0/3.0 ge-0/0/4.0 Active

5439

®


5440


CHAPTER 150

Monitoring General Network Traffic and Hosts •

Monitoring Hosts Using the J-Web Ping Host Tool on page 5441

•

Monitoring Network Traffic Using Traceroute on page 5443

Monitoring Hosts Using the J-Web Ping Host Tool Purpose

Action

Use the J-Web ping host tool to verify that the host can be reached over the network. The output is useful for diagnosing host and network connectivity problems. The switch sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. To use the J-Web ping host tool: 1.

Select Troubleshoot>Ping Host.

2. Next to Advanced options, click the expand icon. 3. Enter information into the Ping Host page, as described in Table 625 on page 5441.

The Remote Host field is the only required field. 4. Click Start.

The results of the ping operation are displayed in the main pane . If no options are specified, each ping response is in the following format: bytes bytes from ip-address: icmp_seq=number ttl=number time=time 5. To stop the ping operation before it is complete, click OK.

Meaning

Table 625 on page 5441 lists the fields.

Table 625: J-Web Ping Host Field Summary Field

Function

Your Action

Remote Host

Identifies the host to ping.

Type the hostname or IP address of the host to ping.

Advanced Options


5441

®


Table 625: J-Web Ping Host Field Summary (continued) Field

Function

Your Action


Determines whether to display hostnames of the hops along the path.

•

To suppress the display of the hop hostnames, select the check box.

•

To display the hop hostnames, clear the check box.

Interface

Specifies the interface on which the ping requests are sent.

Select the interface on which ping requests are sent from the list. If you select any, the ping requests are sent on all interfaces.

Count

Specifies the number of ping requests to send.

Select the number of ping requests to send from the list.

Don't Fragment

Specifies the Don't Fragment (DF) bit in the IP header of the ping request packet.

•

To set the DF bit, select the check box.

•

To clear the DF bit, clear the check box.

Sets the record route option in the IP header of the ping request packet. The path of the ping request packet is recorded within the packet and displayed in the main pane.

•

To record and display the path of the packet, select the check box.

•

To suppress the recording and display of the path of the packet, clear the check box.

Type-of-Service

Specifies the type-of-service (TOS) value in the IP header of the ping request packet.

Select the decimal value of the TOS field from the list.

Routing Instance

Name of the routing instance for the ping attempt.

Select the routing instance name from the list.

Interval

Specifies the interval, in seconds, between transmissions of individual ping requests.

Select the interval from the list.

Packet Size

Specifies the size of the ping request packet.

Type the size, in bytes, of the packet. The size can be from 0 through 65468. The switch adds 8 bytes of ICMP header to the size.

Source Address

Specifies the source address of the ping request packet.

Type the source IP address.

Time-to-Live

Specifies the time-to-live (TTL) hop count for the ping request packet.

Select the TTL value from the list.

Bypass Routing

Determines whether ping requests are routed by means of the routing table.

•

To bypass the routing table and send the ping requests to hosts on the specified interface only, select the check box.

•

To route the ping requests using the routing table, clear the check box.

Record Route

If the routing table is not used, ping requests are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, ping responses are not sent.


5442

•



Chapter 150: Monitoring General Network Traffic and Hosts

Monitoring Network Traffic Using Traceroute Purpose

Action

Use the Traceroute page in the J-Web interface to trace a route between the switch and a remote host. You can use a traceroute task to display a list of waypoints between the switch and a specified destination host. The output is useful for diagnosing a point of failure in the path from the switch platform to the destination host and addressing network traffic latency and throughput problems. To use the traceroute tool: 1.

Select Troubleshoot > Traceroute.

2. Next to Advanced options, click the expand icon. 3. Enter information into the Traceroute page.

The Remote Host field is the only required field. 4. Click Start. 5. To stop the traceroute operation before it is complete, click OK while the results of

the traceroute operation are being displayed. Meaning

The switch generates the list of waypoints by sending a series of ICMP traceroute packets in which the time-to-live (TTL) value in the messages sent to each successive waypoint is incremented by 1. (The TTL value of the first traceroute packet is set to 1.) In this manner, each waypoint along the path to the destination host replies with a Time Exceeded packet from which the source IP address can be obtained. The results of the traceroute operation are displayed in the main pane. If no options are specified, each line of the traceroute display is in the following format: hop-number host (ip-address) [as-number] time1 time2 time3

The switch sends a total of three traceroute packets to each waypoint along the path and displays the round-trip time for each traceroute operation. If the switch times out before receiving a Time Exceeded message, an asterisk (*) is displayed for that round-trip time.

Table 626: Traceroute field summary Field

Function

Your Action

Remote Host

Identifies the destination host of the traceroute.

Type the hostname or IP address of the destination host.


Determines whether hostnames of the hops along the path are displayed, in addition to IP addresses.

To suppress the display of the hop hostnames, select the check box.

Gateway

Specifies the IP address of the gateway to route through.

Type the gateway IP address.

Advanced Options


5443

®


Table 626: Traceroute field summary (continued) Field

Function

Your Action

Source Address

Specifies the source address of the outgoing traceroute packets.

Type the source IP address.

Bypass Routing

Determines whether traceroute packets are routed by means of the routing table. If the routing table is not used, traceroute packets are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, traceroute responses are not sent.

To bypass the routing table and send the traceroute packets to hosts on the specified interface only, select the check box.

Interface

Specifies the interface on which the traceroute packets are sent.

From the list, select the interface on which traceroute packets are sent. If you select any, the traceroute requests are sent on all interfaces.

Time-to-live

Specifies the maximum time-to-live (TTL) hop count for the traceroute request packet.

From the list, select the TTL.

Type-of-Service

Specifies the type-of-service (TOS) value to include in the IP header of the traceroute request packet.

From the list, select the decimal value of the TOS field.

Resolve AS Numbers

Determines whether the autonomous system (AS) number of each intermediate hop between the router and the destination host is displayed.

To display the AS numbers, select the check box.


5444

•


•


•


•



CHAPTER 151

Configuration Statements for General Network Management and Monitoring archive-sites Syntax


Description

Options

archive-sites { site-name; } [edit accounting-options file filename]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Configure an archive site. If more than one site name is configured, an ordered list of archive sites for the accounting-data log files is created. When a file is archived, the router or switch attempts to transfer the file to the first URL in the list, moving to the next site only if the transfer does not succeed. The log file is stored at the archive site with a filename of the format router-name_log-filename_timestamp. site-name—Any valid FTP URL to a destination. For information about specifying valid

FTP URLs, see the Junos System Basics Configuration Guide. Required Privilege Level Related Documentation


Configuring Archive Sites


5445

®


class-usage-profile Syntax


Description

class-usage-profile profile-name { file filename; interval minutes; source-classes { source-class-name; } destination-classes { destination-class-name; } } [edit accounting-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a class usage profile, which is used to log class usage statistics to a file in the /var/log directory. The class usage profile logs class usage statistics for the configured source classes on every interface that has destination-class-usage configured. For information about configuring source classes, see the Junos Routing Protocols Configuration Guide. For information about configuring source class usage, see the Junos Network Interfaces Configuration Guide.

Options

profile-name—Name of the destination class profile.


5446


Configuring Class Usage Profiles


Chapter 151: Configuration Statements for General Network Management and Monitoring

counters Syntax


Description


counters { counter-name; } [edit accounting-options filter-profile profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Names of counters for which filter profile statistics are collected. The packet and byte counts for the counters are logged to a file in the /var/log directory. counter-name—Name of the counter.


Configuring the Counters

destination-classes Syntax


Description Options

destination-classes { destination-class-name; } [edit accounting-options class-usage-profile profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the destination classes for which statistics are collected. destination-class-name—Name of the destination class to include in the source class

usage profile. Required Privilege Level Related Documentation


Configuring a Class Usage Profile


5447

®


fields (for Interface Profiles) Syntax


Description Options


5448

fields { field-name; } [edit accounting-options interface-profile profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Statistics to collect in an accounting-data log file for an interface. field-name—Name of the field: •

input-bytes—Input bytes

•

input-errors—Generic input error packets

•

input-multicast—Input packets arriving by multicast

•

input-packets—Input packets

•

input-unicast—Input unicast packets

•

output-bytes—Output bytes

•

output-errors—Generic output error packets

•

output-multicast—Output packets sent by multicast

•

output-packets—Output packets

•

output-unicast—Output unicast packets


Configuring the Interface Profile



file (Associating with a Profile) Syntax Hierarchy Level

Release Information

Description Options

file filename; [edit accounting-options class-usage-profile profile-name], [edit accounting-options filter-profile profile-name], [edit accounting-options interface-profile profile-name], [edit accounting-options mib-profile profile-name], [edit accounting-options routing-engine-profile profile-name]

Statement introduced before Junos OS Release 7.4. The [edit accounting-options mib-profile profile-name] hierarchy added in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series Switches. Specify the accounting log file associated with the profile. filename—Name of the log file. You must specify a filename already configured in the file

statement at the [edit accounting-options] hierarchy level. Required Privilege Level Related Documentation



•

Configuring the Filter Profile

•

Configuring the MIB Profile

•

Configuring the Routing Engine Profile


5449

®


file (Configuring a Log File) Syntax


Description Options

file filename { archive-sites { site-name; } files number; nonpersistent; size bytes; source-classes time; transfer-interval minutes; } [edit accounting-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify a log file to be used for accounting data. filename—Name of the file in which to write accounting data.


5450


Configuring Accounting-Data Log Files



files Syntax Hierarchy Level Release Information

Description Options

files number; [edit accounting-options file filename]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the maximum number of log files to be used for accounting data. number—The maximum number of files. When a log file (for example, profilelog) reaches

its maximum size, it is renamed profilelog.0, then profilelog.1, and so on, until the maximum number of log files is reached. Then the oldest log file is overwritten. The minimum value for number is 3 and the default value is 10. Required Privilege Level Related Documentation


Configuring Accounting-Data Log Files


5451

®


filter-profile Syntax


Description

Options

filter-profile profile-name { counters { counter-name; } file filename; interval minutes; } [edit accounting-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a profile to filter and collect packet and byte count statistics and write them to a file in the /var/log directory. To apply the profile to a firewall filter, you include the accounting-profile statement at the [edit firewall filter filter-name] hierarchy level. For more information about firewall filters, see the Junos Network Interfaces Configuration Guide. profile-name—Name of the filter profile.


5452





interface-profile Syntax


Description

Options

interface-profile profile-name { fields { field-name; } file filename; interval minutes; } [edit accounting-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a profile to filter and collect error and packet statistics and write them to a file in the /var/log directory. You can specify an interface profile for either a physical or a logical interface. profile-name—Name of the interface profile.





5453

®


interval Syntax Hierarchy Level

Release Information

Description Options

interval minutes; [edit accounting-options class-usage-profile profile-name], [edit accounting-options filter-profile profile-name], [edit accounting-options interface-profile profile-name], [edit accounting-options mib-profile profile-name], [edit accounting-options routing-engine-profile profile-name]

Statement introduced before Junos OS Release 7.4. The [edit accounting-options mib-profile profile-name] hierarchy level added in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify how often statistics are collected for the accounting profile. minutes—Length of time between each collection of statistics.

Range: 1 through 2880 minutes Default: 30 minutes Required Privilege Level Related Documentation

5454



•


•


•




mib-profile Syntax


Description

Options

mib-profile profile-name { file filename; interval minutes; object-names { mib-object-name; } operation operation-name; } [edit accounting-options]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a MIB profile to collect selected MIB statistics and write them to a file in the /var/log directory. profile-name—Name of the MIB statistics profile.





5455

®


object-names Syntax


Description

Options

object-names { mib-object-name; } [edit accounting-options mib-profile profile-name]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the name of each MIB object for which MIB statistics are collected for an accounting-data log file. mib-object-name—Name of a MIB object. You can specify more than one MIB object

name. Required Privilege Level Related Documentation



operation Syntax Hierarchy Level Release Information

Description

Options

operation operation-name; [edit accounting-options mib-profile profile-name]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the name of the operation used to collect MIB statistics for an accounting-data log file. operation-name—Name of the operation to use. You can specify a get, get-next, or walk

operation. Default: walk Required Privilege Level Related Documentation

5456





routing-engine-profile Syntax


Description

Options

routing-engine-profile profile-name { fields { field-name; } file filename; interval minutes; } [edit accounting-options]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Create a Routing Engine profile to collect selected Routing Engine statistics and write them to a file in the /var/log directory. profile-name—Name of the Routing Engine statistics profile.





5457

®


size Syntax Hierarchy Level Release Information

Description Options

size bytes; [edit accounting-options file filename]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify attributes of an accounting-data log file. bytes—Maximum size of each log file, in bytes, kilobytes (KB), megabytes (MB), or

gigabytes (GB). When a log file (for example, profilelog) reaches its maximum size, it is renamed profilelog.0, then profilelog.1, and so on, until the maximum number of log files is reached. Then the oldest log file is overwritten. If you do not specify a size, the file is closed, archived, and renamed when the time specified for the transfer interval is exceeded. Syntax: x to specify bytes, xk to specify KB, xm to specify MB, xg to specify GB Range: 256 KB through 1 GB Required Privilege Level Related Documentation


Configuring the Maximum Size of the File

source-classes Syntax



5458

source-classes { source-class-name; } [edit accounting-options class-usage-profile profile-name]

Statement introduced before Junos OS Release 7.4. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the source classes for which statistics are collected. source-class-name—Name of the source class to include in the class usage profile.


Configuring a Class Usage Profile



start-time Syntax Hierarchy Level Release Information

Description Options

start-time time; [edit accounting-options file filename]

Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 9.0 for EX Series switches. Specify the start time for transfer of an accounting-data log file. time—Start time for file transfer.

Syntax: YYYY-MM-DD.hh:mm Required Privilege Level Related Documentation


Configuring the Start Time for File Transfer

transfer-interval Syntax Hierarchy Level Release Information

transfer-interval minutes; [edit accounting-options file filename]


Description

Specify the length of time the file remains open and receives new statistics before it is closed and transferred to an archive site.

Options

minutes—Time the file remains open and receives new statistics before it is closed and

transferred to an archive site. Range: 5 through 2880 minutes Default: 30 minutes Required Privilege Level Related Documentation


Configuring the Transfer Interval of the File


5459

®


5460


CHAPTER 152

Operational Commands for General Network Management and Monitoring


5461

®


monitor traffic Syntax

Release Information

Description

monitor traffic

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display packet headers or packets received and sent from the Routing Engine.

NOTE: •

Using the monitor-traffic command can degrade router or switch performance.

•

Delays from DNS resolution can be eliminated by using the no-resolve option.

NOTE: This command is not supported on the QFX3000 QFabric switch.

Options

none—(Optional) Display packet headers transmitted through fxp0. On a TX Matrix Plus

router, display packet headers transmitted through em0. brief | detail | extensive—(Optional) Display the specified level of output. absolute-sequence—(Optional) Display absolute TCP sequence numbers. count count—(Optional) Specify the number of packet headers to display (0 through

1,000,000). The monitor traffic command quits automatically after displaying the number of packets specified.

5462


Chapter 152: Operational Commands for General Network Management and Monitoring

interface interface-name—(Optional) Specify the interface on which the monitor traffic

command displays packet data. If no interface is specified, the monitor traffic command displays packet data arriving on the lowest-numbered interface. layer2-headers—(Optional) Display the link-level header on each line. matching matching—(Optional) Display packet headers that match a regular expression.

Use matching expressions to define the level of detail with which the monitor traffic command filters and displays packet data. no-domain-names—(Optional) Suppress the display of the domain portion of hostnames.

With the no-domain-names option enabled, the monitor traffic command displays only team for the hostname team.company.net. no-promiscuous—(Optional) Do not put the interface into promiscuous mode. no-resolve—(Optional) Suppress reverse lookup of the IP addresses. no-timestamp—(Optional) Suppress timestamps on displayed packets. print-ascii—(Optional) Display each packet in ASCII format. print-hex—(Optional) Display each packet, except the link-level header, in hexadecimal

format. resolve-timeout timeout—(Optional) Amount of time the router or switch waits for each

reverse lookup before timing out. You can set the timeout for 1 through 4,294,967,295 seconds. The default is 4 seconds. To display each packet, use the print-ascii, print-hex, or extensive option. size size—(Optional) Read but do not display up to the specified number of bytes for

each packet. When set to brief output, the default packet size is 96 bytes and is adequate for capturing IP, ICMP, UDP, and TCP packet data. When set to detail and extensive output, the default packet size is 1514. The monitor traffic command truncates displayed packets if the matched data exceeds the configured size. Additional Information

In the monitor traffic command, you can specify an expression to match by using the matching option and including the expression in quotation marks: monitor traffic matching "expression"

Replace expression with one or more of the match conditions listed in Table 627 on page 5464.


5463

®


Table 627: Match Conditions for the monitor traffic Command Match Type

Condition

Description

Entity

host [address | hostname]

Matches packets that contain the specified address or hostname. The protocol match conditions arp, ip, or rarp, or any of the directional match conditions can be prepended to the host match condition.

net address

Matches packets with source or destination addresses containing the specified network address.

net address mask mask

Matches packets containing the specified network address and subnet mask.

port (port-number | port-name)

Matches packets containing the specified source or destination TCP or UDP port number or port name. In place of the numeric port address, you can specify a text synonym, such as bgp (179), dhcp (67), or domain (53) (the port numbers are also listed).

Directional

Packet Length

5464

dst

Matches packets going to the specified destination. This match condition can be prepended to any of the entity type match conditions.

src

Matches packets from a specified source. This match condition can be prepended to any of the entity type match conditions.

src and dst

Matches packets that contain the specified source and destination addresses. This match condition can be prepended to any of the entity type match conditions.

src or dst

Matches packets containing either of the specified addresses. This match condition can be prepended to any of the entity type match conditions.

less value

Matches packets shorter than or equal to the specified value, in bytes.

greater value

Matches packets longer than or equal to the specified value, in bytes.



Table 627: Match Conditions for the monitor traffic Command (continued) Match Type

Condition

Description

Protocol

amt

Matches all AMT packets. Use the extensive level of output to decode the inner IGMP packets in addition to the AMT outer packet.

arp

Matches all ARP packets.

ether

Matches all Ethernet packets.

ether (broadcast | multicast)

Matches broadcast or multicast Ethernet frames. This match condition can be prepended withsrc and dst.

ether protocol (address | (arp | ip | rarp))

Matches packets with the specified Ethernet address or Ethernet packets of the specified protocol type. The ether protocol arguments arp, ip, and rarp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ether protocol match condition.

icmp

Matches all ICMP packets.

ip

Matches all IP packets.

ip (broadcast | multicast)

Matches broadcast or multicast IP packets.

ip protocol (address | (icmp | igrp | tcp | udp))

Matches packets with the specified address or protocol type. The ip protocol arguments icmp, tcp, and udp are also independent match conditions, so they must be preceded by a backslash (\) when used in the ip protocol match condition.

isis

Matches all IS-IS routing messages.

rarp

Matches all RARP packets.

tcp

Matches all TCP datagrams.

udp

Matches all UDP datagrams.

To combine expressions, use the logical operators listed in Table 628 on page 5465.

Table 628: Logical Operators for the monitor traffic Command Logical Operator (Highest to Lowest Precedence)

Description

!

Logical NOT. If the first condition does not match, the next condition is evaluated.


5465

®


Table 628: Logical Operators for the monitor traffic Command (continued) Logical Operator (Highest to Lowest Precedence)

Description

&&

Logical AND. If the first condition matches, the next condition is evaluated. If the first condition does not match, the next condition is skipped.

||

Logical OR. If the first condition matches, the next condition is skipped. If the first condition does not match, the next condition is evaluated.

()

Group operators to override default precedence order. Parentheses are special characters, each of which must be preceded by a backslash (\).

You can use relational operators to compare arithmetic expressions composed of integer constants, binary operators, a length operator, and special packet data accessors. The arithmetic expression matching condition uses the following syntax: monitor traffic matching "ether[0] & 1 != 0""arithmetic_expression relational_operator arithmetic_expression"

The packet data accessor uses the following syntax: protocol [byte-offset ]

The optional size field represents the number of bytes examined in the packet header. The available values are 1, 2, or 4 bytes. The following sample command captures all multicast traffic: user@host> monitor traffic matching "ether[0] & 1 != 0"

To specify match conditions that have a numeric value, use the arithmetic and relational operators listed in Table 629 on page 5467.

NOTE: Because the Packet Forwarding Engine removes Layer 2 header information before sending packets to the Routing Engine:

5466

•

The monitor traffic command cannot apply match conditions to inbound traffic.

•

The monitor traffic interface command also cannot apply match conditions for Layer 3 and Layer 4 packet data, resulting in the match pipe option (| match) for this command for Layer 3 and Layer 4 packets not working either. Therefore, ensure that you specify match conditions as described in this command summary. For more information about match conditions, see Table 627 on page 5464.

•

The 802.1Q VLAN tag information included in the Layer 2 header is removed from all inbound traffic packets. Because the monitor traffic interface ae[x] command for aggregated Ethernet interfaces (such as ae0) only shows inbound traffic data, the command does not show VLAN tag information in the output.



Table 629: Arithmetic and Relational Operators for the monitor traffic Command Arithmetic or Relational Operator

Description

Arithmetic Operator +

Addition operator.

-

Subtraction operator.

/

Division operator.

&

Bitwise AND.

*

Bitwise exclusive OR.

|

Bitwise inclusive OR.

Relational Operator (Highest to Lowest Precedence)


Output Fields

=

If the first expression is greater than or equal to the second, the packet matches.

If the first expression is greater than the second, the packet matches.

=

If the compared expressions are equal, the packet matches.

!=

If the compared expressions are unequal, the packet matches.

trace maintenance monitor traffic count on page 5468 monitor traffic detail count on page 5468 monitor traffic extensive (Absolute Sequence) on page 5468 monitor traffic extensive (Relative Sequence) on page 5468 monitor traffic extensive count on page 5468 monitor traffic interface on page 5469 monitor traffic matching on page 5469 monitor traffic (TX Matrix Plus Router) on page 5469 monitor traffic (QFX3500 Switch) on page 5470 When you enter this command, you are provided feedback on the status of your request.


5467

®


Sample Output monitor traffic count

user@host> monitor traffic count 2 listening on fxp0 04:35:49.814125 In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529478 win 16798 (DF) 04:35:49.814185 Out my-server.work.net.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10]

monitor traffic detail count

user@host> monitor traffic detail count 2 listening on fxp0 04:38:16.265864 In my-server.home.net.1295 > my-server.work.net.telnet: . ack 4122529971 win 17678 (DF) (ttl 121, id 6812) 04:38:16.265926 Out my-server.work.net.telnet.telnet > my-server.home.net.1295: P 1:38(37) ack 0 win 17680 (DF) [tos 0x10] (ttl 6)

monitor traffic extensive (Absolute Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" absolute-sequence listening on fxp0 In 207.17.136.193.179 > 192.168.4.227.1024: . 4042780859:4042780859(0) ack 1845421797 win 16384 [tos 0xc0] (ttl ) In 207.17.136.193.179 > 192.168.4.227.1024: P 4042780859:4042780912(53) ack 1845421797 win 16384 : BGP [|BGP UPDAT) In 192.168.4.227.1024 > 207.17.136.193.179: P 1845421797:1845421852(55) ack 4042780912 win 16384 : BGP [|BGP UPDAT) ...

monitor traffic extensive (Relative Sequence)

user@host> monitor traffic extensive no-domain-names no-resolve no-timestamp count 20 matching "tcp" listening on fxp0 In 172.24.248.221.1680 > 192.168.4.210.23: . 396159737:396159737(0) ack 1664980689 win 17574 (DF) (ttl 121, id 50003) Out 192.168.4.210.23 > 172.24.248.221.1680: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10] (ttl 64, id 5394) In 207.17.136.193.179 > 192.168.4.227.1024: P 4042775817:4042775874(57) ack 1845416593 win 16384 : BGP [|BGP UPDAT) ...

monitor traffic extensive count

5468

user@host> monitor traffic extensive count 5 no-domain-names no-resolve listening on fxp013:18:17.406933 In 192.168.4.206.2723610880 > 172.17.28.8.2049: 40 null (ttl 64, id 38367)13:18:17.407577 In 172.17.28.8.2049 > 192.168.4.206.2723610880: reply ok 28 null (ttl 61, id 35495)13:18:17.541140 In 0:e0:1e:42:9c:e0 0:e0:1e:42:9c:e0 9000 60: 0000 0100 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 000013:18:17.591513



In 172.24.248.156.4139 > 192.168.4.210.23: 3556964918:3556964918(0) ack 295526518 win 17601 (DF) (ttl 121, id 14)13:18:17.591568 Out 192.168.4.210.23 > 172.24.248.156.4139: P 1:40(39) ack 0 win 17680 (DF) [tos 0x10] (ttl 64, id 52376)

monitor traffic interface

user@host> monitor traffic interface fxp0 listening on fxp0.0 18:17:28.800650 In server.home.net.723 > host1-0.lab.home.net.log 18:17:28.800733 Out host2-0.lab.home.net.login > server.home.net.7 18:17:28.817813 In host30.lab.home.net.syslog > host40.home0 18:17:28.817846 In host30.lab.home.net.syslog > host40.home0 ...

monitor traffic matching

user@host> monitor traffic matching "net 192.168.1.0/24" verbose output suppressed, use or for full protocol decode Address resolution is ON. Use to avoid any reverse lookup delay. Address resolution timeout is 4s. Listening on fxp0, capture size 96 bytes Reverse lookup for 192.168.1.255 failed (check DNS reachability). Other reverse lookup failures will not be reported. Use no-resolve to avoid reverse lookups on IP addresses. 21:55:54.003511 In IP truncated-ip - 18 bytes missing! 192.168.1.17.netbios-ns > 192.168.1.255.netbios-ns: UDP, length 50 21:55:54.003585 Out IP truncated-ip - 18 bytes missing! 192.168.1.17.netbios-ns > 192.168.1.255.netbios-ns: UDP, length 50 21:55:54.003864 In arp who-has 192.168.1.17 tell 192.168.1.9 ...

monitor traffic (TX Matrix Plus Router)

user@host> monitor traffic verbose output suppressed, use or for full protocol decode Address resolution is ON. Use to avoid any reverse lookup delay. Address resolution timeout is 4s. Listening on em0, capture size 96 bytes 04:11:59.862121 Out IP truncated-ip - 25 bytes missing! summit-em0.englab.juniper.net.syslog > sv-log-01.englab.juniper.net.syslog: SYSLOG kernel.info, length: 57 04:11:59.862303 Out IP truncated-ip - 25 bytes missing! summit-em0.englab.juniper.net.syslog > sv-log-02.englab.juniper.net.syslog: SYSLOG kernel.info, length: 57 04:11:59.923948 In IP aj-em0.englab.juniper.net.65235 > summit-em0.englab.juniper.net.telnet: . ack 1087492766 win 33304 04:11:59.923983 Out IP truncated-ip - 232 bytes missing! summit-em0.englab.juniper.net.telnet > aj-em0.englab.juniper.net.65235: P 1:241(240) ack 0 win 33304 04:12:00.022900 In IP aj-em0.englab.juniper.net.65235 > summit-em0.englab.juniper.net.telnet: . ack 241 win 33304 04:12:00.141204 In IP truncated-ip - 40 bytes missing!


5469

®


ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: P 2950530356:2950530404(48) ack 485494987 win 63712 04:12:00.141345 Out IP summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 1:6(5) ack 48 win 33304 04:12:00.141572 In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 6 win 63712 04:12:00.141597 Out IP summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 6:10(4) ack 48 win 33304 04:12:00.141821 In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 10 win 63712 04:12:00.141837 Out IP truncated-ip - 2 bytes missing! summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 10:20(10) ack 48 win 33304 04:12:00.142072 In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 20 win 63712 04:12:00.142089 Out IP summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 20:28(8) ack 48 win 33304 04:12:00.142321 In IP ipg-lnx-shell1.juniper.net.46182 > summit-em0.englab.juniper.net.telnet: . ack 28 win 63712 04:12:00.142337 Out IP truncated-ip - 1 bytes missing! summit-em0.englab.juniper.net.telnet > ipg-lnx-shell1.juniper.net.46182: P 28:37(9) ack 48 win 33304 ...

monitor traffic (QFX3500 Switch)

5470

user@switch> monitor traffic verbose output suppressed, use or for full protocol decode Address resolution is ON. Use to avoid any reverse lookup delay. Address resolution timeout is 4s. Listening on me4, capture size 96 bytes Reverse lookup for 172.22.16.246 failed (check DNS reachability). Other reverse lookup failures will not be reported. Use to avoid reverse lookups on IP addresses. 16:35:32.240873 Out IP truncated-ip - 112 bytes missing! labqfx-me0.lab4.juniper.net.ssh > 172.22.16.246.telefinder: P 4200727624:4200727756(132) ack 2889954831 win 65535 16:35:32.240900 Out IP truncated-ip - 176 bytes missing! labqfx-me0.lab4.juniper.net.ssh > 172.22.16.246.telefinder: P 132:328(196) ack 1 win 65535 ...



ping Syntax

ping host

Syntax (QFX Series)

ping host < strict-source value>

Release Information



5471

®


Description

Options

Check host reachability and network connectivity. The ping command sends Internet Control Message Protocol (ICMP) ECHO_REQUEST messages to elicit ICMP ECHO_RESPONSE messages from the specified host. Type Ctrl+c to interrupt a ping command. host—IP address or hostname of the remote system to ping. bypass-routing—(Optional) Bypass the normal routing tables and send ping requests

directly to a system on an attached network. If the system is not on a directly attached network, an error is returned. Use this option to ping a local system through an interface that has no route through it. count requests—(Optional) Number of ping requests to send. The range of values is 1

through 2,000,000,000. The default value is an unlimited number of requests. detail—(Optional) Include in the output the interface on which the ping reply was received. do-not-fragment—(Optional) Set the do-not-fragment (DF) flag in the IP header of the

ping packets. For IPv6 packets, this option disables fragmentation.

NOTE: In Junos OS Release 11.1 and later, when issuing the ping command for an IPv6 route with the do-not-fragment option, the maximum ping packet size is calculated by subtracting 48 bytes (40 bytes for the IPV6 header and 8 bytes for the ICMP header) from the MTU. Therefore, if the ping packet size (including the 48-byte header) is greater than the MTU, the ping operation might fail.

inet—(Optional) Ping Packet Forwarding Engine IPv4 routes. inet6—(Optional) Ping Packet Forwarding Engine IPv6 routes. interface source-interface—(Optional) Interface to use to send the ping requests. interval seconds—(Optional) How often to send ping requests. The range of values, in

seconds, is 1 through infinity. The default value is 1. loose-source value—(Optional) Intermediate loose source route entry (IPv4). Open a set

of values. mac-address mac-address—(Optional) Ping the physical or hardware address of the

remote system you are trying to reach. no-resolve—(Optional) Do not attempt to determine the hostname that corresponds to

the IP address. pattern string—(Optional) Specify a hexadecimal fill pattern to include in the ping packet. rapid—(Optional) Send ping requests rapidly. The results are reported in a single message,

not in individual messages for each ping request. By default, five ping requests are

5472



sent before the results are reported. To change the number of requests, include the count option. record-route—(Optional) Record and report the packet’s path (IPv4). routing-instance routing-instance-name—(Optional) Name of the routing instance for the

ping attempt. size bytes—(Optional) Size of ping request packets. The range of values, in bytes, is 0

through 65,468. The default value is 56, which is effectively 64 bytes because 8 bytes of ICMP header data are added to the packet. source source-address—(Optional) IP address of the outgoing interface. This address is

sent in the IP source address field of the ping request. If this option is not specified, the default address is usually the loopback interface (lo.0). strict—(Optional) Use the strict source route option (IPv4). strict-source value—(Optional) Intermediate strict source route entry (IPv4). Open a set

of values. tos type-of-service—(Optional) Set the type-of-service (ToS) field in the IP header of the

ping packets. The range of values is 0 through 255. ttl value—(Optional) Time-to-live (TTL) value to include in the ping request (IPv6). The

range of values is 0 through 255. verbose—(Optional) Display detailed output. vpls instance-name—(Optional) Ping the instance to which this VPLS belongs. wait seconds—(Optional) Maximum wait time, in seconds, after the final packet is sent.

If this option is not specified, the default delay is 10 seconds. If this option is used without the count option, a default count of 5 packets is used. Required Privilege Level Related Documentation List of Sample Output

Output Fields

network

•


ping hostname on page 5474 ping hostname size count on page 5474 ping hostname rapid on page 5474 When you enter this command, you are provided feedback on the status of your request. An exclamation point (!) indicates that an echo reply was received. A period (.) indicates that an echo reply was not received within the timeout period. An x indicates that an echo reply was received with an error code. These packets are not counted in the received packets count. They are accounted for separately.


5473

®


Sample Output ping hostname

ping hostname size count

user@host> ping skye PING skye.net (192.168.169.254): 56 data bytes 64 bytes from 192.168.169.254: icmp_seq=0 ttl=253 64 bytes from 192.168.169.254: icmp_seq=1 ttl=253 64 bytes from 192.168.169.254: icmp_seq=2 ttl=253 64 bytes from 192.168.169.254: icmp_seq=3 ttl=253 64 bytes from 192.168.169.254: icmp_seq=4 ttl=253 64 bytes from 192.168.169.254: icmp_seq=5 ttl=253 ^C [abort]

time=1.028 time=1.053 time=1.025 time=1.098 time=1.032 time=1.044

user@host> ping skye size 200 count 5 PING skye.net (192.168.169.254): 200 data bytes 208 bytes from 192.168.169.254: icmp_seq=0 ttl=253 208 bytes from 192.168.169.254: icmp_seq=1 ttl=253 208 bytes from 192.168.169.254: icmp_seq=2 ttl=253 208 bytes from 192.168.169.254: icmp_seq=3 ttl=253 208 bytes from 192.168.169.254: icmp_seq=4 ttl=253

ms ms ms ms ms ms

time=1.759 ms time=2.075 ms time=1.843 ms time=1.803 ms time=17.898 ms

--- skye.net ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.759/5.075/17.898 ms

ping hostname rapid

5474

user@host> ping skye rapid PING skye.net (192.168.169.254): 56 data bytes !!!!! --- skye.net ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.956/0.974/1.025/0.026 ms



show pfe statistics bridge Syntax Release Information Description



show pfe statistics bridge

Command introduced in Junos OS Release 12.1 for EX Series switches. Display information about the number of packets discarded in the ingress pipeline of the Packet Forwarding Engine (PFE), packets discarded due to egress filtering or congestion filtering, number of control packets, and general counters for dropped packets. You can use this information to inform troubleshooting investigations. view

•


•

Monitoring Switch Control Traffic on page 856

show pfe statistics bridge on page 5476 Table 272 on page 2387 lists the output fields for the show pfe statistics bridge command. Output fields are listed in the approximate order in which they appear. The number of data columns displayed is either two or four, depending on the line card or switch model. On a switch or line card that has two Packet Forwarding Engines, each column shows the data for the first or second half of the interfaces, corresponding with each Packet Forwarding Engine. On a switch or line card with four Packet Forwarding Engines, output is divided into four columns with each containing the data for a sequential quarter of the interfaces. For each Packet Forwarding Engine, two sets of data are displayed and by default these sets are identical. You cannot configure these sets through the Junos OS CLI; however, experienced users might choose to explicitly configure these sets, using a virtual terminal (vty) session, to show subsets of data defined by a variety of criteria.

Table 630: show pfe statistics bridge Output Fields Field Name

Field Description

Setn-Received

Number of packets received by the Packet Forwarding Engine.

Setn-VLAN filtered

Number of packets discarded in the ingress pipeline due to VLAN ingress filtering. For example, packets is discarded if the ingress interface is not a VLAN member, if the VLAN is not in the range, or if the VLAN is invalid.

Setn-Security filtered

Number of packets discarded in the ingress pipeline due to security filtering.

Setn-Other discards

Number of packets dropped in the ingress pipeline for reasons other than VLAN or security filtering.

Setn-Unicast

Number of unicast packets transmitted.


5475

®


Table 630: show pfe statistics bridge Output Fields (continued) Field Name

Field Description

Setn-Multicast

Number of multicast packets transmitted.

Setn-Broadcast

Number of broadcast packets transmitted.

Setn-Egress filtered

Number of packets that were filtered on the egress interfaces (regardless of port, priority, or mode).

Setn-Congestion filetered

Number of packets dropped due to congestion.

Setn-Control packets

Number of control protocol packets destined to the Routing Engine or received from the Routing Engine or number of ARP broadcast request packets sent by the switch prior to unicast forwarding.

Drop Mode

For values other than 0, indicates a specific category of dropped packets. By default, the drop mode is set to 0 (that is, no specific drop mode is configured). Experienced users might choose to configure a specific drop mode through a vty session.

Drop Counter

Tally of all packets dropped by the Packet Forwarding Engine or, if a drop mode is configured, the number of packets dropped of the type defined by the drop mode.

Source Not Learnt

The number of packets for which the switch did not find the MAC address in the forwarding table. You might see a value other than 0 in this field if the rate of MAC learning is faster than the CPU can process.

MUX PFE:

For line cards that provide oversubscribed interfaces, such as the EX8200-2XS-40P line card, you see two additional fields that show drop mode and drop count in the MUX device. The MUX device processes the aggregated packets from two Packet Forwarding Engines.

Drop Mode Drop Count

Sample Output show pfe statistics bridge

5476

user@switch> show pfe statistics bridge PFE: 0 1 ---------------------------------------------------------------------- Ingress Counters ---Set0-Received: 77101 1 Set0-VLAN filtered: 0 0 Set0-Security filtered: 0 1 Set0-Other discards: 0 0 Set1-Received: 77101 1 Set1-VLAN filtered: 0 0 Set1-Security filtered: 0 1 Set1-Other discards: 0 0 ---- Egress Counters ---Set0-Unicast: 0 0 Set0-Multicast: 45001 0 Set0-Broadcast: 12 0 Set0-Egress filtered: 0 0 Set0-Congestion filtered: 0 0 Set0-Control packets: 66615 21 Set1-Unicast: 0 0



Set1-Multicast: Set1-Broadcast: Set1-Egress filtered: Set1-Congestion filtered: Set1-Control packets: ---- General Counters ---Drop Mode: Drop Counter: Src Not Learnt: ---- MUX PFE ---Drop Mode: Drop Count:


45001 12 0 0 66615

0 0 0 0 21

0 65310 0

0 1 0

0 0

0 0

5477

®


show snmp mib Syntax Release Information

Description

Options

show snmp mib (get | get-next | walk) (ascii | decimal) object-id

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. ascii and decimal options introduced in Junos OS Release 9.6. ascii and decimal options introduced in Junos OS Release 9.6 for EX Series switches. Command introduced in Junos OS Release 11.1 for the QFX Series. Display local Simple Network Management Protocol (SNMP) Management Information Base (MIB) object values. get—Retrieve and display one or more SNMP object values. get-next—Retrieve and display the next SNMP object values. walk—Retrieve and display the SNMP object values that are associated with the requested

object identifier (OID). When you use this option, the Junos OS displays the objects below the subtree that you specify. ascii—Display the SNMP object’s string indices as an ASCII-key representation. decimal—Display the SNMP object values in the decimal (default) format. The decimal

option is the default option for this command. Therefore, issuing the show snmp mib (get | get-next | walk) decimal object-id and the show snmp mib (get | get-next | walk) object-id commands display the same output. object-id—The object can be represented by a sequence of dotted integers (such as 1.3.6.1.2.1.2) or by its subtree name (such as interfaces). When entering multiple

objects, enclose the objects in quotation marks. Required Privilege Level List of Sample Output

Output Fields

5478

snmp—To view this statement in the configuration.

show snmp mib get on page 5479 show snmp mib get (Multiple Objects) on page 5479 show snmp mib get-next on page 5479 show snmp mib get-next (Specify an OID) on page 5479 show snmp mib walk on page 5479 show snmp mib walk (QFX Series) on page 5479 show snmp mib walk decimal on page 5479 show snmp mib walk (ASCII) on page 5479 show snmp mib walk (Multiple Indices) on page 5479 show snmp mib walk decimal (Multiple Indices) on page 5480 Table 631 on page 5479 describes the output fields for the show snmp mib command. Output fields are listed in the approximate order in which they appear.



Table 631: show snmp mib Output Fields Field Name

Field Description

name

Object name and numeric instance value.

object value

Object value. The Junos OS translates OIDs into the corresponding object names.

Sample Output show snmp mib get

user@host> show snmp mib get sysObjectID.0 sysObjectID.0 = jnxProductNameM20

show snmp mib get (Multiple Objects)

user@host> show snmp mib get ?sysObjectID.0 sysUpTime.0? sysObjectID.0 = jnxProductNameM20 sysUpTime.0 = 1640992

show snmp mib get-next show snmp mib get-next (Specify an OID)

user@host> show snmp mib get-next jnxMibs jnxBoxClass.0 = jnxProductLineM20.0 user@host> show snmp mib get-next 1.3.6.1 sysDescr.0 = Juniper Networks, Inc. m20 internet router, kernel Junos OS Release: 2004-1 Build date: build date UTC Copyright (c) 1996-2004 Juniper Networks, Inc.

show snmp mib walk

user@host> show snmp mib walk system sysDescr.0 = Juniper Networks, Inc. m20 internet router, kernel Junos OS Release #0: 2004-1 Build date: build date UTC Copyright (c) 1996-2004 Juniper Networks, Inc. sysObjectID.0 = jnxProductNameM20 sysUpTime.0 = 1640992 sysContact.0 = Your contact sysName.0 = my router sysLocation.0 = building 1 sysServices.0 = 4

show snmp mib walk (QFX Series)

user@switch> show snmp mib walk system sysDescr.0 = Juniper Networks, Inc. qfx3500s internet router, kernel JUNOS 11.1-20100926.0 #0: 2010-09-26 06:17:38 UTC Build date: 2010-09-26 06:00:10 sysObjectID.0 = jnxProductQFX3500 sysUpTime.0 = 138980301 sysContact.0 = System Contact sysName.0 = LabQFX3500 sysLocation.0 = Lab sysServices.0 = 4

show snmp mib walk decimal

user@host show snmp mib walk decimal jnxUtilData jnxUtilCounter32Value.102.114.101.100 = 100

show snmp mib walk (ASCII)

show snmp mib walk ascii jnxUtilData jnxUtilCounter32Value."fred" = 100

show snmp mib walk (Multiple Indices)

show snmp mib walk ascii jnxFWCounterByteCount jnxFWCounterByteCount."fe-1/3/0.0-i"."CLASS_BE-fe-1/3/0.0-i".2 = 0 jnxFWCounterByteCount."fe-1/3/0.0-i"."CLASS_CC-fe-1/3/0.0-i".2 = 0


5479

®


jnxFWCounterByteCount."fe-1/3/0.0-i"."CLASS_RT-fe-1/3/0.0-i".2 = 0 .......

show snmp mib walk decimal (Multiple Indices)

5480

show snmp mib walk ascii jnxFWCounterByteCount jnxFWCounterByteCount."fe-1/3/0.0-i"."CLASS_BE-fe-1/3/0.0-i".2 = 0 jnxFWCounterByteCount."fe-1/3/0.0-i"."CLASS_CC-fe-1/3/0.0-i".2 = 0 jnxFWCounterByteCount."fe-1/3/0.0-i"."CLASS_RT-fe-1/3/0.0-i".2 = 0 .......



traceroute Syntax

traceroute host

Syntax (QFX Series)

traceroute host

Release Information

Command introduced before Junos OS Release 7.4. Command introduced in Junos OS Release 9.0 for EX Series switches. mpls option introduced in Junos OS Release 9.2. propagate-ttl option introduced in Junos OS Release 12.1. Command introduced in Junos OS Release 11.1 for the QFX Series.

Description

Options

Display the route that packets take to a specified network host. Use traceroute as a debugging tool to locate points of failure in a network. host—IP address or name of remote host. as-number-lookup—(Optional) Display the autonomous system (AS) number of each

intermediate hop on the path from the host to the destination. bypass-routing—(Optional) Bypass the normal routing tables and send requests directly

to a system on an attached network. If the system is not on a directly attached network, an error is returned. Use this option to display a route to a local system through an interface that has no route through it.


5481

®


clns—(Optional) Trace the route belonging to Connectionless Network Service (CLNS). gateway address—(Optional) Address of a router or switch through which the route

transits. inet | inet6—(Optional) Trace the route belonging to IPv4 or IPv6, respectively. interface interface-name—(Optional) Name of the interface over which to send packets. logical-system (all | logical-system-name)—(Optional) Perform this operation on all logical

systems or on a particular logical system. monitor host—(Optional) Display real-time monitoring information for the specified host. monitorhost—(Optional) Perform this operation to display real-time monitoring

information. monitorhost—(Optional) Perform this operation to display real-time monitoring

information. mpls (ldp FEC address | rsvp label-switched-path name)—(Optional) See traceroute mpls

ldp and traceroute mpls rsvp. no-resolve—(Optional) Do not attempt to determine the hostname that corresponds to

the IP address. propagate-ttl—(Optional) On the PE router, use this option to view locally-generated

Routing Engine transit traffic. This is applicable for MPLS L3VPN traffic only. Use for troubleshooting, when you want to view hop-by-hop information from the local provider router to the remote provider router, when TTL decrementing is disabled on the core network using the no-proagate-ttl configuration statement.

NOTE: Using propagate-ttl with traceroute on the CE router does not show hop-by-hop information.

routing-instance routing-instance-name—(Optional) Name of the routing instance for the

traceroute attempt. source source-address—(Optional) Source address of the outgoing traceroute packets. tos value—(Optional) Value to include in the IP type-of-service (ToS) field. The range of

values is 0 through 255. ttl value—(Optional) Maximum time-to-live value to include in the traceroute request.

The range of values is 0 through 128. wait seconds—(Optional) Maximum time to wait for a response to the traceroute request.


5482

network



Related Documentation List of Sample Output

Output Fields

•

traceroute monitor

traceroute on page 5483 traceroute as-number-lookup host on page 5483 traceroute no-resolve on page 5483 traceroute propogate-ttl on page 5484 traceroute (Between CE Routers, Layer 3 VPN) on page 5484 traceroute (Through an MPLS LSP) on page 5484 Table 632 on page 5483 describes the output fields for the traceroute command. Output fields are listed in the approximate order in which they appear.

Table 632: traceroute Output Fields Field Name

Field Description

traceroute to


hops max

Maximum number of hops allowed.

byte packets

Size of packets being sent.

number-of-hops


router-name


address


Round trip time


Sample Output traceroute

traceroute as-number-lookup host

traceroute no-resolve

user@host> traceroute 1 blue23 2 red14 3 yellow

traceroute santacruz to green.company.net (10.156.169.254), 30 hops max, 40 byte packets (10.168.1.254) 2.370 ms 2.853 ms 0.367 ms (10.168.255.250) 0.778 ms 2.937 ms 0.446 ms (10.156.169.254) 7.737 ms 89.905 ms 0.834 ms

user@host> traceroute as-number-lookup 10.100.1.1 traceroute to 10.100.1.1 (10.100.1.1), 30 hops max, 40 byte packets 1 10.39.1.1 (10.39.1.1) 0.779 ms 0.728 ms 0.562 ms 2 10.39.1.6 (10.39.1.6) [AS 32] 0.657 ms 0.611 ms 0.617 ms 3 10.100.1.1 (10.100.1.1) [AS 10, 40, 50] 0.880 ms 0.808 ms 0.774 ms

user@host> traceroute santacruz no-resolve traceroute to green.company.net (10.156.169.254), 30 hops max, 40 byte packets 1 10.168.1.254 0.458 ms 0.370 ms 0.365 ms 2 10.168.255.250 0.474 ms 0.450 ms 0.444 ms


5483

®


3

traceroute propogate-ttl

2 3

traceroute (Through an MPLS LSP)

5484

0.931 ms

0.876 ms

0.862 ms

user@host> traceroute propagate-ttl 100.200.2.2 routing-instance VPN-A traceroute to 100.200.2.2 (100.200.2.2) from 1.1.0.2, 30 hops max, 40 byte packets 1

traceroute (Between CE Routers, Layer 3 VPN)

10.156.169.254

1.2.0.2 (1.2.0.2) 2.456 ms 1.753 ms 1.672 ms MPLS Label=299776 CoS=0 TTL=1 S=0 MPLS Label=299792 CoS=0 TTL=1 S=1 1.3.0.2 (1.3.0.2) 1.213 ms 1.225 ms 1.166 ms MPLS Label=299792 CoS=0 TTL=1 S=1 100.200.2.2 (100.200.2.2) 1.422 ms 1.521 ms 1.443 ms

user@host> traceroute vpn09 traceroute to vpn09.skybank.net (10.255.14.179), 30 hops max, 40 byte packets 1 10.39.10.21 (10.39.10.21) 0.598 ms 0.500 ms 0.461 ms 2 10.39.1.13 (10.39.1.13) 0.796 ms 0.775 ms 0.806 ms MPLS Label=100006 CoS=0 TTL=1 S=1 3 vpn09.skybank.net (10.255.14.179) 0.783 ms 0.716 ms 0.686

user@host> traceroute mpls1 traceroute to 10.168.1.224 (10.168.1.224), 30 hops max, 40 byte packets 1 mpls1-sr0.company.net (10.168.200.101) 0.555 ms 0.393 ms 0.367 ms MPLS Label=1024 CoS=0 TTL=1 2 mpls5-lo0.company.net (10.168.1.224) 0.420 ms 0.394 ms 0.401 ms


Suggest Documents

Junos OS Installation and Upgrade Guide - Juniper Networks

Read more

(Junos OS) MPLS Network Operations Guide - Juniper Networks

Read more

Junos OS System Basics Configuration Guide - Juniper Networks

Read more

Junos OS 15.1X49-D45 Release Notes - Juniper Networks

Read more

Junos Node Slicing - Juniper Networks

Read more

Junos OS 15.1X49-D45 Release Notes - Juniper Networks

Read more

Junos Node Slicing - Juniper Networks

Read more

Juniper Networks Certified Associate Junos (JNCIA-Junos ... - ITCAP

Read more

JUNIPER NETWORKS CURRICULUM— JUNOS-BASED TRACKS

Read more

Junos Pulse 2.0R4 for Apple iOS - Juniper Networks

Read more

Junos Pulse 2.0R4 for Apple iOS - Juniper Networks

Read more

Junos NAT Config Examples - Juniper Networks

Read more

Junos OS High Availability Configuration Guide - Juniper.net

Read more

CTP 5.2 Software Configuration Guide - Juniper Networks

Read more

Junos® OS NETCONF Java Toolkit Developer Guide

Read more

Junos OS Routing Protocols Configuration Guide - Juniper.net

Read more

Junos OS High Availability Configuration Guide - Juniper.net

Read more

High Availability for EX Series Switches - Junos

Read more

Junos Pulse Secure Access Service 7.3R1 ... - Juniper Networks

Read more

JunosÂ® OS 12.3 Release Notes - Juniper Networks

Read more

JunosÂ® OS 12.3 Release Notes - Juniper Networks

Read more

Junos Pulse Secure Access Service 7.3R1 ... - Juniper Networks

Read more

Junos Pulse Secure Access Service 7.3R1 ... - Juniper Networks [PDF]

Read more

Preparing for the New Junos JNCIP and JNCIE ... - Juniper Forum

Read more

Report "Complete Software Guide for Junos® OS for EX ... - Juniper Networks"

Your name

Email

Reason

Description

Copyright © 2025 M.MOAM.INFO. All rights reserved.
| About Us | Privacy Policy | Terms of Service | Help | Copyright | Contact Us | Cookie Policy

Sign In

Email

Password

Remember me Forgot password?

Our partners will collect data and use cookies for ad personalization and measurement. Learn how we and our ad partner Google, collect and use data. Agree & close